2 Separate SSID on Cisco 9115 EWC

Taiga2022
Beginner

Hi, 

I have little to no experience with Cisco EWC.

I want to create 2 separate SSIDs, Internal and Guest.

I think in EWC, Guest settings are included.

I want to use the same LAN subnet for both SSIDs. 

And I don't want the Guest Wifi to access the Internal network.

In default settings for Guest and Internal SSIDs, can they ping each other if they are in the same subnet?

If I configure an ACL at Guest interface on access point to block the guest to use the Internal network, will it solve the problem?

Thank you in advance for your help.

6 Replies

Flavio Miranda
Advisor

Hi

You cannot do that. You need to use different VLANs.

Care to elaborate more?

Thank you.

If you put all your clients under the same VLAN, you cannot configure an Access List blocking traffic between them. If you use two VLANs, then you can configure an Access List inbound or outbound, denying or permitting the traffic.

It does not make sense to separate the traffic on the wireless interface and then put them together on the wired interface. From the security perspective, you are wasting your time.
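The point made in the reply above, as an added Python sketch (not part of the thread and not Cisco configuration): an ACL on the routed gateway interface is only consulted for traffic that leaves the sender's subnet. The addresses, subnets and rule list are constructed for illustration, and the model assumes the ACL sits on the layer-3 gateway rather than on the AP.

```python
import ipaddress

# Constructed rule list (assumption): applied on the routed gateway interface.
GATEWAY_ACL = [
    ("deny", "192.168.20.0/24", "192.168.10.0/24"),   # guest -> internal
    ("deny", "192.168.10.50/32", "192.168.10.0/24"),  # attempt to block one guest host
    ("permit", "0.0.0.0/0", "0.0.0.0/0"),
]

def acl_verdict(acl, src, dst):
    """First-match evaluation of (action, src_net, dst_net); implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def flow_outcome(src_if, dst, acl=GATEWAY_ACL):
    """src_if is the sender's address with prefix length, e.g. '192.168.10.50/24'."""
    iface = ipaddress.ip_interface(src_if)
    if ipaddress.ip_address(dst) in iface.network:
        # Same subnet: the sender ARPs for dst and the frame is bridged at layer 2.
        # The gateway never routes it, so the gateway ACL is never consulted.
        return "bridged: gateway ACL not evaluated"
    return "routed: " + acl_verdict(acl, str(iface.ip), dst)

if __name__ == "__main__":
    internal_host = "192.168.10.20"
    flows = {
        "guest on shared subnet -> internal": ("192.168.10.50/24", internal_host),
        "guest on own VLAN -> internal": ("192.168.20.50/24", internal_host),
        "guest on own VLAN -> internet": ("192.168.20.50/24", "203.0.113.8"),
    }
    for label, (src_if, dst) in flows.items():
        print(f"{label}: {flow_outcome(src_if, dst)}")
```

Filtering done on the AP itself, such as the FlexConnect ACLs and peer-to-peer blocking mentioned later in the thread, is outside this model.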


Arshad Safrulla
VIP Advocate

Technically there are multiple ways you can achieve this; however, considering the security issues this will bring, it is not recommended at all. It is always better and recommended to go with a dedicated VLAN for guest and another for internal usage.

But if you want to deploy, you can consider using FlexConnect ACLs with P2P drop or per-user VLANs by using a RADIUS server for your Guest SSID.

Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Gibraltar 16.10.x - Peer-to-Peer Client Support [Cisco Catalyst 9800 Series Wireless Controllers] - Cisco

The method that I mention in the question is doable, right?

Configure a Port ACL, apply it on the Guest WLAN interface, and deny all traffic to the Internal network.

 

Also could you explain more about Peer-to-peer blocking? 

The P2P feature is well explained in the link below; for the config guide, you can refer to the one for the code you are running.

What is Peer 2 Peer blocking in Cisco WLC? ~ Network & Security Consultant (kareemccie.com)

 

You need to use Flex ACLs, not WLAN ACLs.
