Guest WiFi + Network separation

RS19
Level 4

I am planning to implement guest WiFi access in my network.

Already we have the Cisco AP & WLC in place. The existing Cisco AP has 1 SSID for intra WiFi access.

The WLC is in the Data center & the APs are in branch locations.

I want to setup additional SSID for Guest Internet access.

For the internet Guest access it will have local breakout to Internet from the branch.

So I would like to understand how to achieve network segregation in this scenario.

The Guest VLAN should have access only to Internet.

No access to corporate network & the guest VLAN should be isolated.

How to achieve this? Attached is the diagram for your reference.

7 Replies

JPavonM
VIP

What about using ACLs in the Guest SSID to deny access to RFC1918 local LAN (superseded by RFC5735)? Have you also considered splitting Guest traffic into a different VRF?

HTH
-Jesus
*** Please Rate Helpful Responses ***

ACL is one option which I am thinking now.

Regarding VRF, currently it is not possible due to some restrictions in the hardware & the design.

In the given context, you have to apply some ACL on VLAN 100 (guest VLAN) to prevent it from communicating with your internal network. You can permit DNS/DHCP & then block the rest of your internal network. Then permit any.

If you want to completely isolate guest traffic, then you tunnel guest traffic to a DMZ WLC, where you do not terminate in your internal corporate switch network. Refer below for more details:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/WirelessNetwork_GuestAccessService.html

HTH

Rasika

*** Pls rate all useful responses ***

Thanks. ACL is the option I am looking for. Regarding the WLC option, it is not feasible since I don't have the anchor WLC & also I want to use the local Internet in the branch locations to exit to the Internet. I don't want my traffic to flow to this DC and use the Internet at the DC.

Further to the above discussions, I have updated the diagram as attached.

Below is the further explanation.

- On each floor there is a guest VLAN which needs Internet access.

- For each guest VLAN, I will apply an ACL so that it does not communicate with other internal segments.

Questions:

- On the core switches (L3#1, L3#2), is it required to add a default route pointing to R#1 & R#2?

- Is it possible to achieve this without a default route in R#1 & R#2?

  The reason for asking this is because if a default route is added in L3#1 & L3#2, even other segments will have a route to the Internet, which I want to avoid.

- I want to have a route only for the Guest VLAN (segment).

How to achieve this? Will some kind of policy map or policy route in L3#1 & L3#2 help in achieving this?

Any help regarding my query?

The route should automatically be set if you have a VLAN interface on your core switches. This is also the point (the router for the guest VLAN) where you would apply the ACL to that VLAN interface.
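A worked configuration for the ACL-on-the-guest-SVI approach that Rasika and the last reply describe; this is an added example, not configuration from the thread, and the guest subnet 192.168.100.0/24, the resolver 10.1.1.53 and the DHCP server 10.1.1.67 are assumed values.

```cisco
! L3#1: guest VLAN 100 SVI with an inbound ACL (all addresses assumed)
ip access-list extended GUEST-IN
 remark DHCP from guest clients to the relay (broadcast, so source is any)
 permit udp any eq bootpc any eq bootps
 remark DNS only to the resolver handed to guests (assumed 10.1.1.53)
 remark These must sit ABOVE the RFC1918 denies: 10.1.1.53 is inside
 remark 10.0.0.0/8 and an ACL is evaluated first match wins
 permit udp 192.168.100.0 0.0.0.255 host 10.1.1.53 eq domain
 permit tcp 192.168.100.0 0.0.0.255 host 10.1.1.53 eq domain
 remark Block every other RFC1918 destination, i.e. the corporate segments
 deny ip any 10.0.0.0 0.255.255.255
 deny ip any 172.16.0.0 0.15.255.255
 deny ip any 192.168.0.0 0.0.255.255
 remark Whatever remains is Internet-bound; only guest-sourced packets pass,
 remark so a spoofed source on the guest VLAN hits the implicit deny
 permit ip 192.168.100.0 0.0.0.255 any
!
interface Vlan100
 description Guest WiFi (local Internet breakout)
 ip address 192.168.100.1 255.255.255.0
 ip helper-address 10.1.1.67
 ip access-group GUEST-IN in
!
```

Check it with `show ip access-lists GUEST-IN` after a guest client connects: the DHCP and DNS lines should show hits while corporate-bound attempts land on the deny lines. An inbound SVI ACL never sees guest-to-guest traffic inside VLAN 100, so isolating clients from each other is done on the WLC with peer-to-peer blocking on the guest WLAN.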