Cisco Aironet 2800 Guest WLAN configuration AIR-AP2802I-B-K9C

JP5097
Level 1

Set up Guest WLAN with no access to internal network. Could it be done through the WLAN > VLAN & Firewall option?

5 Replies

Yes, that is one way to do it. I prefer to terminate the Guest-VLAN on a Firewall interface where the internal L3-Switch doesn't have an IP in that VLAN.

Hi Karsten,

Thanks for the prompt response. I applied a firewall rule using the Access Point GUI (Guest WLAN Config > VLAN & Firewall) to deny any Guest WLAN access to the internal LAN, but it also blocks internet access. It seems that the rule also blocks the default gateway, which is the Access Point 192.168.2.100 within the internal LAN.

 

This is the scenario:

Cisco Access Point: 192.168.2.100 

Guest WLAN: 192.168.3.0 

Internal LAN: 192.168.2.0 

DHCP pool: DHCP server created in AP

Firewall rule in AP: 

ACL Direction: Ingress

Action: Deny 

Protocol: Any

Source IP / Mask: 192.168.3.0 / 255.255.255.0

Port: Any

Dest. IP / Mask: 192.168.2.0 / 255.255.255.0

Port: Any

Thanks 

Ok, this is what you have denied. But what did you allow?

JP5097
Level 1

I tried to add a rule to grant access (protocol: any) from the Guest WLAN network (192.168.3.x) to only the gateway IP (Cisco AP) 192.168.10.200, but it does not allow doing it for a specific IP, only for the network segment; the error is "invalid mask for the entered". See attachment for details.

It's the wrong mask for a single IP. It has to be 255.255.255.255. And you need an allow rule to access the internet (any) after denying the access to the internal network.
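The rule order described in this thread, modelled as an added example that is not part of any post and is not Cisco's implementation: a first-match ACL evaluator over the thread's subnets. It assumes first-match evaluation with an implicit deny at the end of the list, and uses the gateway address 192.168.2.100 from the scenario; the guest client 192.168.3.25 and the destinations 192.168.2.50 and 8.8.8.8 are constructed sample values.

```python
import ipaddress

def rule(action, src, dst):
    # strict=True rejects an address whose host bits are set under the mask,
    # e.g. 192.168.2.100 with 255.255.255.0 (the "invalid mask" situation).
    return (action,
            ipaddress.ip_network(src, strict=True),
            ipaddress.ip_network(dst, strict=True))

def mask_is_valid(addr_with_mask):
    """True if the address/mask pair describes a network or a /32 host."""
    try:
        ipaddress.ip_network(addr_with_mask, strict=True)
        return True
    except ValueError:
        return False

def evaluate(rules, src_ip, dst_ip):
    """Return the action of the first matching rule (assumed semantics)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "deny"  # assumed implicit deny when nothing matches

GUEST = "192.168.3.0/255.255.255.0"
INTERNAL = "192.168.2.0/255.255.255.0"
GATEWAY = "192.168.2.100/255.255.255.255"  # single host needs an all-ones mask
ANY = "0.0.0.0/0"

# The rule set from the thread: one deny, nothing allowed.
DENY_ONLY = [rule("deny", GUEST, INTERNAL)]

# Order suggested in the replies: host permit, then deny, then permit any.
CORRECTED = [
    rule("permit", GUEST, GATEWAY),
    rule("deny", GUEST, INTERNAL),
    rule("permit", GUEST, ANY),
]

if __name__ == "__main__":
    client = "192.168.3.25"  # constructed guest client address
    for name, rules in (("deny only", DENY_ONLY), ("corrected", CORRECTED)):
        for dst in ("192.168.2.100", "192.168.2.50", "8.8.8.8"):
            print(f"{name:10} {client} -> {dst:14} {evaluate(rules, client, dst)}")
```

Swapping the first two rules in `CORRECTED` makes the gateway unreachable again, because the broader deny matches before the host permit.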
