01-09-2008 09:45 AM - edited 07-03-2021 03:11 PM
I am having some difficulties setting up public wifi for a customer. They currently are using AP1121G access points to provide wifi for corporate users. They would like to add a public SSID to allow visitors to access the internet only (no access to the corporate network).
There are no issues creating the new SSID and VLAN, but blocking access to the corporate network is causing issues with DHCP for the public wifi users. A Catalyst 3560 is providing layer 2 and 3 routing for the corporate LAN. On that Catalyst I have added an access list to block traffic from the public wifi VLAN to the internal networks, while permitting traffic to the internet. This ACL is applied to the public wifi VLAN.
access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.70.0 0.0.0.255 any
int vlan70
ip access-group 103 in
where VLAN70 (192.168.70.0 /24) is the public wifi subnet, and VLAN10 (192.168.10.0 /24) is the corporate network.
This works fine except for one issue: The public wifi clients can't get a DHCP address assignment (if they have a static address in the 192.168.70.0 network, everything works fine). Apparently the ACL is blocking traffic from the clients to the DHCP server (which is the Catalyst switch - interface VLAN70 is assigned address 192.168.70.1).
In short, how do I design an ACL that will block access to the internal network, but allow access to the internet and allow clients to request/receive a DHCP address from the Catalyst switch?
I have also tried using the AP1121G as a DHCP server for the public wifi, but could not get it to work.
Any suggestions? Thanks in advance for any replies.
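Why the posted ACL breaks DHCP but not statically addressed clients, as an added example that is not from any post in this thread: a small Python evaluator for IOS-style extended ACL entries (first match wins, implicit deny at the end) run over the ACL from the question and over a variant that permits DHCP client-to-server traffic first. The packets, client addresses and the `permit udp any eq bootpc any eq bootps` line are assumptions constructed for the example; the point it shows is that a client with no lease sources its DISCOVER from 0.0.0.0, which never matches the `permit ip 192.168.70.0 0.0.0.255 any` entry.

```python
import ipaddress
from collections import namedtuple
PORT_NAMES = {"bootps": 67, "bootpc": 68}          # DHCP server / client UDP ports
Packet = namedtuple("Packet", "proto src dst sport dport")  # constructed packet summary

def _take_addr(t, i):
    """Consume 'any' or 'NETWORK WILDCARD' at t[i]; wildcard 1-bits are don't-care."""
    if t[i] == "any":
        return (lambda a: True), i + 1
    net, wild = int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))
    return (lambda a: (int(ipaddress.IPv4Address(a)) | wild) == (net | wild)), i + 2

def _take_port(t, i):
    """Consume an optional 'eq <port>' qualifier that may follow an address spec."""
    if i < len(t) and t[i] == "eq":
        p = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        return (lambda x: x == p), i + 2
    return (lambda x: True), i

def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p]'."""
    t = line.split()
    action, proto = t[2], t[3]
    src, i = _take_addr(t, 4)
    sport, i = _take_port(t, i)
    dst, i = _take_addr(t, i)
    dport, i = _take_port(t, i)
    def matches(p):
        return (proto in ("ip", p.proto) and src(p.src) and sport(p.sport)
                and dst(p.dst) and dport(p.dport))
    return action, matches

def evaluate(acl, pkt):
    """First matching entry wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for action, matches in map(parse_ace, acl):
        if matches(pkt):
            return action
    return "deny"

ORIGINAL_ACL = [  # exactly as posted in the question
    "access-list 103 deny ip 192.168.70.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 103 permit ip 192.168.70.0 0.0.0.255 any",
]
# Same ACL with a permit for DHCP client-to-server traffic placed first (assumed fix).
DHCP_AWARE_ACL = ["access-list 103 permit udp any eq bootpc any eq bootps"] + ORIGINAL_ACL
# Constructed traffic: a client with no lease yet must source its DISCOVER from 0.0.0.0.
DHCP_DISCOVER = Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67)
DHCP_RENEW = Packet("udp", "192.168.70.50", "192.168.70.1", 68, 67)    # static/leased client
TO_CORPORATE = Packet("tcp", "192.168.70.50", "192.168.10.20", 40000, 445)
TO_INTERNET = Packet("tcp", "192.168.70.50", "203.0.113.5", 40001, 443)
```

With the switch itself serving DHCP on 192.168.70.1 the extra permit is all the ACL needs; if the server sits elsewhere, the DHCP proxy mentioned later in the thread is `ip helper-address` on interface vlan70, and the relayed packets are then sourced by the switch rather than by the client.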
01-16-2008 09:06 AM
Can you post the complete configuration on the AP and the switch? I think the issue is with the configuration. Once we have a look at the complete configuration we should be able to narrow down and resolve the issue.
01-16-2008 09:52 AM
Edited configs for the WAP and the switch are attached. I have removed the password info and some parts of the config that I believe are not relevant (QOS settings, static routes, BGP, OSPF, the configs for switch ports used by other devices).
To clarify:
VLAN30 is the native VLAN used for device management.
VLAN10 is the VLAN used for the corporate LAN.
VLAN70 is the VLAN to be used for the public wifi.
Thank you in advance for any assistance.
02-20-2008 10:53 AM
Did you get an offline answer yet?
We use Cisco WAPs, but have Nortel switch gear. On our Nortel stuff, a DHCP proxy must be set up to route DHCP requests (broadcasts) because broadcasts don't go between networks unless there is a Layer 3 device configured to do so.
Again, I can't help with the actual commands because I don't have Cisco gear, but hopefully the concept will help.
We do the same thing with a public wifi VLAN, and assign that VLAN an IP address on the core switch. Then, on that core switch, I set up a DHCP proxy to forward all DHCP requests to the DHCP server on the corporate LAN. It is assumed that even though an ACL blocks all other traffic, DHCP requests are passed.
03-04-2008 08:35 AM
Maybe you can consider setting up DHCP on the AP instead of the 3560? Clients will definitely get IP addresses first before being filtered by the Core 3560.
Cheers ^^