cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2336
Views
0
Helpful
9
Replies

Guest Internet Access

joseph.steve
Level 1
Level 1

I am running a 5508 WLC with 10 Access Point. we need to allow Internet Access to Guest. 10MB DSL Internet is dedicated for Guest. This link is terminated on a regular ADSL modem without being part of our network. We want all Guest Internet traffic to reach the ADSL Router. where should I create the Guest VLAN / where the DHCP for Guest users should be created. what is the best practise for similar setup.

Our Network is simple

ISP_Reuter-------ASA_Firewall--------------4505------------LAN-switch 2950

ADSL_modem------------ users connect via wireless but restricted to certain area only.

Thanks JS

1 Accepted Solution

Accepted Solutions

You would create a vlan on the 4500 for your wireless guest (ex. vlan 998). Do not create an svi interface you do not want this routing. You then assign an access port to vlan 998 and connect your adsl router. If your router is providing dhcp, then let that do dhcp. You will need to allow vlan 998 on the wlc trunk port. The wlc will need an ip address also on vlan 998. If the adsl router doesn't provide dhcp the have the wlc do that. If the adsl does provide dhcp, then make sure the ISP excludes the wlc ip address.

With no vlan 998 layer 3 interface, there is routing between your guest and internal. You can create a vlan acl also.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

View solution in original post

9 Replies 9

chucktranhpb
Level 1
Level 1

Create the guest vlan wherever the 10 APs are located but don't configure the svi for that vlan. Attach the dsl modem to an access port in the guest vlan. Create a dhcp scope on the controller for the guest vlan traffic, being sure to set the gateway address to the internal address of your dsl modem.

Chuck,

I think you meant to say create the guest vlan on the switch the WLC is connected to since traffic is tunneled to the WLC. The WLC will need to have a dynamic interface on the guest vlan.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

chucktranhpb
Level 1
Level 1

Scott is right, I was thinking of setting the guest wireless up as locally switched into a guest VLAN since there are only two switches in the network. Create the VLAN on the switch the WLC is physically connected to and drop all guest traffic into that VLAN. Connect the DSL modem into a port on that switch and give it access to the guest VLAN.

Hi Chuck & Scott

I got total 15 access switches on the network. All are uplink to the 4500 series box. For simplicity of layout I didnt mention in the initial layout. I see there is option on WLC to create Guest VLAN using Guest Interface. I am still unclear with the following

  1. Where do I connect the DSL modem Ethernet Interface
  2. Where do I configure the DHCP for Guest vlan ( Guest gets Dynamic IP )
  3. How to ensure there is no communication between Guest Traffic and LAN Traffic ( Guest cannot access any LAN network )

Thanks JS

You would create a vlan on the 4500 for your wireless guest (ex. vlan 998). Do not create an svi interface you do not want this routing. You then assign an access port to vlan 998 and connect your adsl router. If your router is providing dhcp, then let that do dhcp. You will need to allow vlan 998 on the wlc trunk port. The wlc will need an ip address also on vlan 998. If the adsl router doesn't provide dhcp the have the wlc do that. If the adsl does provide dhcp, then make sure the ISP excludes the wlc ip address.

With no vlan 998 layer 3 interface, there is routing between your guest and internal. You can create a vlan acl also.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Thanks Scott

hi scott,

let me clarify on this statement,

"With no vlan 998 layer 3 interface, there is routing between your guest and internal"

i think what you really meant was,

With no vlan 998 layer 3 interface, there is NO routing between your guest and internal"

support forums is a "highway of knowledge!" Thanks guys for sharing your thoughts, this is really helpful.

hi scott,

i am trying to implement the set-up you're pointing out. on the core switch, i have implemented a layer 2 guest vlan. the wlc is connected via trunk port to the core switch and created management ip and guest vlan on the wlc. instead of dsl modem, internet gateway (antlabs inngate) is connected to the access port on the core switch. antlabs doesn't have a physical ip address, and the gateway for guest vlan is pointed to a fictitious ip (172.16.100.254/24 - non existent ip).

hi fella,

wlc - switch the link needs to be trunk?

Review Cisco Networking for a $25 gift card