Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1410
Views
15
Helpful
6
Replies

2 Separate SSID on Cisco 9115 EWC

Taiga2022
Level 1
Level 1

‎05-24-2022 05:49 AM - edited ‎05-24-2022 06:18 AM

Hi, 

I have little to no experience with cisco EWC.

I want to create a 2 separate SSIDs which are Internal and Guest.

I think in EWC, Guest settings is included. 

I want to use the same LAN subnet for both SSIDs. 

And I don't want the Guest Wifi to access the Internal network.

In default settings for Guest and Internal SSIDs, can they ping each other if they are in the same subnet?

If I configure an ACL at Guest interface on access point to block the guest to use the Internal network, will it solve the problem?

Thank you advance for your help.

0 Helpful
6 Replies 6

Flavio Miranda
VIP
VIP

‎05-24-2022 06:13 AM

Hi

 You can not do that. You need to use different vlans. 

0 Helpful

Taiga2022
Level 1
Level 1
In response to Flavio Miranda

‎05-24-2022 06:46 AM

Care to elaborate more?

Thank you.

0 Helpful

Flavio Miranda
VIP
VIP
In response to Taiga2022

‎05-24-2022 06:59 AM - edited ‎05-24-2022 07:16 AM

 If you put  all your clients under the same vlan, you can not configure an Access List blocking traffic between them.  If you use two vlans, then you can configure an Access List inbound or outbound deny or permiting the traffic.

 Does not make sense you separate the traffic on the Wireless interface and then, put them together on the wired interface.  From the security perspective, you are wasting your time.

 

 

 

 

 

Arshad Safrulla
VIP Alumni
VIP Alumni

‎05-24-2022 06:42 AM

Technically there are multiple ways you can achieve this, however considering the security issues this will bring not recommended at all. It is always better and recommended to go with dedicated VLAN for guest and another for internal usage. 

But if you want to deploy, you can consider using Flexconnect ACL's with P2P drop or Per user VLAN's by using a Radius server for your Guest SSID.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Gibraltar 16.10.x - Peer-to-Peer Client Support [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Taiga2022
Level 1
Level 1
In response to Arshad Safrulla

‎05-24-2022 06:48 AM - edited ‎05-24-2022 06:49 AM

The method that I mention in the question is doable, right?

Configure Port ACL and apply it on Guest WLAN Interface and deny every traffic to Internal network.

 

Also could you explain more about Peer-to-peer blocking? 

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to Taiga2022

‎05-24-2022 07:14 AM

P2P feature is well explained in below link, config guide you can refer to the code you are running

What is Peer 2 Peer blocking in Cisco WLC? ~ Network & Security Consultant (kareemccie.com)

 

You need to use Flex ACL's. noy WLAN ACL's.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card