Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2337
Views
0
Helpful
9
Replies

Guest Internet Access

Go to solution
joseph.steve
Level 1
Level 1

‎10-29-2011 12:54 AM - edited ‎07-03-2021 09:00 PM

I am running a 5508 WLC with 10 Access Point. we need to allow Internet Access to Guest. 10MB DSL Internet is dedicated for Guest. This link is terminated on a regular ADSL modem without being part of our network. We want all Guest Internet traffic to reach the ADSL Router. where should I create the Guest VLAN / where the DHCP for Guest users should be created. what is the best practise for similar setup.

Our Network is simple

ISP_Reuter-------ASA_Firewall--------------4505------------LAN-switch 2950

ADSL_modem------------ users connect via wireless but restricted to certain area only.

Thanks JS

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to joseph.steve

‎10-29-2011 01:57 PM

You would create a vlan on the 4500 for your wireless guest (ex. vlan 998). Do not create an svi interface you do not want this routing. You then assign an access port to vlan 998 and connect your adsl router. If your router is providing dhcp, then let that do dhcp. You will need to allow vlan 998 on the wlc trunk port. The wlc will need an ip address also on vlan 998. If the adsl router doesn't provide dhcp the have the wlc do that. If the adsl does provide dhcp, then make sure the ISP excludes the wlc ip address.

With no vlan 998 layer 3 interface, there is routing between your guest and internal. You can create a vlan acl also.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
9 Replies 9

Go to solution
chucktranhpb
Level 1
Level 1

‎10-29-2011 01:42 AM

Create the guest vlan wherever the 10 APs are located but don't configure the svi for that vlan. Attach the dsl modem to an access port in the guest vlan. Create a dhcp scope on the controller for the guest vlan traffic, being sure to set the gateway address to the internal address of your dsl modem.

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to chucktranhpb

‎10-29-2011 11:11 AM

Chuck,

I think you meant to say create the guest vlan on the switch the WLC is connected to since traffic is tunneled to the WLC. The WLC will need to have a dynamic interface on the guest vlan.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
chucktranhpb
Level 1
Level 1

‎10-29-2011 11:30 AM

Scott is right, I was thinking of setting the guest wireless up as locally switched into a guest VLAN since there are only two switches in the network. Create the VLAN on the switch the WLC is physically connected to and drop all guest traffic into that VLAN. Connect the DSL modem into a port on that switch and give it access to the guest VLAN.

0 Helpful

Go to solution
joseph.steve
Level 1
Level 1
In response to chucktranhpb

‎10-29-2011 01:39 PM

Hi Chuck & Scott

I got total 15 access switches on the network. All are uplink to the 4500 series box. For simplicity of layout I didnt mention in the initial layout. I see there is option on WLC to create Guest VLAN using Guest Interface. I am still unclear with the following

  1. Where do I connect the DSL modem Ethernet Interface
  2. Where do I configure the DHCP for Guest vlan ( Guest gets Dynamic IP )
  3. How to ensure there is no communication between Guest Traffic and LAN Traffic ( Guest cannot access any LAN network )

Thanks JS

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to joseph.steve

‎10-29-2011 01:57 PM

You would create a vlan on the 4500 for your wireless guest (ex. vlan 998). Do not create an svi interface you do not want this routing. You then assign an access port to vlan 998 and connect your adsl router. If your router is providing dhcp, then let that do dhcp. You will need to allow vlan 998 on the wlc trunk port. The wlc will need an ip address also on vlan 998. If the adsl router doesn't provide dhcp the have the wlc do that. If the adsl does provide dhcp, then make sure the ISP excludes the wlc ip address.

With no vlan 998 layer 3 interface, there is routing between your guest and internal. You can create a vlan acl also.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
joseph.steve
Level 1
Level 1
In response to Scott Fella

‎10-29-2011 10:12 PM

Thanks Scott

0 Helpful

Go to solution
praetoleiad
Level 1
Level 1
In response to Scott Fella

‎02-24-2012 01:17 AM

hi scott,

let me clarify on this statement,

"With no vlan 998 layer 3 interface, there is routing between your guest and internal"

i think what you really meant was,

With no vlan 998 layer 3 interface, there is NO routing between your guest and internal"

support forums is a "highway of knowledge!" Thanks guys for sharing your thoughts, this is really helpful.

0 Helpful

Go to solution
praetoleiad
Level 1
Level 1
In response to Scott Fella

‎02-26-2012 06:03 PM

hi scott,

i am trying to implement the set-up you're pointing out. on the core switch, i have implemented a layer 2 guest vlan. the wlc is connected via trunk port to the core switch and created management ip and guest vlan on the wlc. instead of dsl modem, internet gateway (antlabs inngate) is connected to the access port on the core switch. antlabs doesn't have a physical ip address, and the gateway for guest vlan is pointed to a fictitious ip (172.16.100.254/24 - non existent ip).

0 Helpful

Go to solution
edondurguti
Level 4
Level 4
In response to Scott Fella

‎08-07-2012 01:43 PM

hi fella,

wlc - switch the link needs to be trunk?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card