Secure Guest Access with 5508 controller

Andy Johnson
Level 1

Hi there,

Could someone point me in the right direction with regards to the following?

I have a requirement to set up a guest SSID for contractors so that they can use the internet while in the office.

Security say that all traffic on this SSID should be isolated and directed straight to the firewall, with no chance of contamination into the company network infrastructure.

With the 5508, my understanding is that using the built-in guest account functionality will achieve this, but all traffic would end up at the wireless controller. How do I then put in a direct forward of all traffic to the firewall which will only affect the guest traffic?

Any help would be welcomed with delight and joy!!!

Andy

1 Accepted Solution

George Stefanick
VIP Alumni

1. Drop the traffic at the WLC: apply an ACL

2. Anchor the traffic to the DMZ

3. Take one of the ports from the WLC and plug it into the FW

DONE...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________


7 Replies

Surendra BG
Cisco Employee

Configure an ACL on the router for that Guest VLAN so that the Guest VLAN can only go out directly to the internet and cannot communicate with any other VLAN.

Regards
Surendra BG
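One way to express the router-side filtering Surendra describes, as an added example that is not from this thread or from Cisco documentation. It assumes an IOS router with a dot1Q subinterface for the guest VLAN, VLAN 900, guest subnet 192.0.2.0/24, and the router itself acting as DHCP server and DNS forwarder for the guests; all of those values are constructed. The ACL is applied inbound on the guest subinterface, so it is evaluated before the router can forward anything toward another VLAN:

```cisco
! Constructed example: guest VLAN 900 terminating on a router subinterface.
! Rule order matters: IOS ACLs are first-match with an implicit deny at the end.
ip access-list extended GUEST-IN
 remark -- services the guests legitimately need from this router --
 permit udp any eq bootpc any eq bootps
 permit udp 192.0.2.0 0.0.0.255 host 192.0.2.1 eq domain
 remark -- no path from the guest subnet into any private (RFC 1918) range --
 deny   ip 192.0.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.0.2.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.0.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark -- the router's own addresses are reachable only for DHCP/DNS above --
 deny   ip 192.0.2.0 0.0.0.255 host 192.0.2.1
 remark -- everything else (the Internet) may leave, sourced only from the guest subnet --
 permit ip 192.0.2.0 0.0.0.255 any
!
interface GigabitEthernet0/1.900
 description Guest SSID (contractors) - VLAN 900
 encapsulation dot1Q 900
 ip address 192.0.2.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Verification: hit counters show whether guests are probing internal ranges.
! show ip access-lists GUEST-IN
```

The final `permit` is restricted to the guest subnet as source, so a client that assigns itself an address from an internal range gets nothing through the subinterface at all. The `deny` lines can take the `log` keyword if you want the router to report blocked attempts to syslog; keep in mind that ACL logging is process-switched and rate-limited, so on a busy guest VLAN it is a detection hint rather than a complete record. Adjust the two `permit udp` lines if DHCP or DNS are served from somewhere other than the router.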

braggb001
Level 1

The best way to accomplish this would be to have your internal controller anchor to another controller located in your DMZ. This would allow you to choose whatever SSID you want and have its traffic virtually terminate outside of your trusted network. If clients attached to this SSID needed access to internal resources, they could use a VPN to come back in.



to George Stefanick

Could you provide a URL to documentation on how to implement the third solution (take one of the ports from the WLC and plug it into the FW), especially the configuration of the WLC?

There is no documentation for that, most don't do it and I've seen it not recommended before.

Anyways, all you do is set up a dynamic interface, select port 8 for example, and plug that into your DMZ network or FW interface directly. This will only work if you are not doing LAG on the 5508.

As Blake pointed out, it's not supported, but it works. I have a customer set up like this and they are running fine.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
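The AireOS commands behind the two WLC-side pieces George describes (a guest ACL enforced on the controller, and a dynamic interface bound to its own physical port so guest frames leave on a cable that goes only to the firewall or DMZ), with the anchor-controller alternative at the end, as an added example that is not part of this thread. WLAN id 5, the interface name guest-dmz, VLAN 900, port 8, the 192.0.2.0/24 addresses, and the anchor's address and MAC are all assumed values; lines beginning with `!` are annotations to leave out when pasting. As George notes, binding an interface to a port only works with LAG disabled:

```cisco
! Constructed example for a 5508 running AireOS; names and addresses are assumed.
! --- 1. Guest ACL on the controller (first match wins, implicit deny at the end) ---
config acl create guest-acl
! rule 1: DHCP (client->server and server->client ports)
config acl rule add guest-acl 1
config acl rule protocol guest-acl 1 17
config acl rule destination port range guest-acl 1 67 68
config acl rule action guest-acl 1 permit
! rule 2: DNS, only to the guest resolver at 192.0.2.1
config acl rule add guest-acl 2
config acl rule protocol guest-acl 2 17
config acl rule destination address guest-acl 2 192.0.2.1 255.255.255.255
config acl rule destination port range guest-acl 2 53 53
config acl rule action guest-acl 2 permit
! rules 3-5: nothing toward any RFC 1918 range
config acl rule add guest-acl 3
config acl rule destination address guest-acl 3 10.0.0.0 255.0.0.0
config acl rule action guest-acl 3 deny
config acl rule add guest-acl 4
config acl rule destination address guest-acl 4 172.16.0.0 255.240.0.0
config acl rule action guest-acl 4 deny
config acl rule add guest-acl 5
config acl rule destination address guest-acl 5 192.168.0.0 255.255.0.0
config acl rule action guest-acl 5 deny
! rule 6: everything else (the Internet) is allowed
config acl rule add guest-acl 6
config acl rule action guest-acl 6 permit
config acl apply guest-acl

! --- 3. Dynamic interface pinned to physical port 8 (requires LAG off) ---
config interface create guest-dmz 900
config interface vlan guest-dmz 900
config interface address dynamic-interface guest-dmz 192.0.2.10 255.255.255.0 192.0.2.1
config interface dhcp dynamic-interface guest-dmz primary 192.0.2.1
config interface port guest-dmz 8
config interface acl guest-dmz guest-acl

! Bind the guest WLAN to that interface and keep guests from talking to each other.
config wlan disable 5
config wlan interface 5 guest-dmz
config wlan peer-blocking drop 5
config wlan enable 5

! --- 2. Alternative: anchor WLAN 5 to a DMZ controller instead of a local port ---
! (run on the internal/foreign WLC; the anchor WLC needs the matching WLAN and
!  a mobility-anchor entry pointing at itself)
config mobility group member add aa:bb:cc:dd:ee:ff 192.0.2.20 GUEST-DMZ
config wlan mobility anchor add 5 192.0.2.20

! Verification
show lag summary
show interface detailed guest-dmz
show acl detailed guest-acl
show mobility anchor wlan 5
```

With the port option, the check that matters is `show lag summary`: if LAG is enabled the `config interface port` line is ignored and guest traffic rides the same trunk as everything else. With the anchor option, the guest subnet, DHCP scope and ACL live on the DMZ controller and the internal controller only carries the EoIP tunnel, which is why that is the arrangement Cisco documents for the isolation requirement in the question.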

I too have customers set up this way with no issues. I don't know why it wouldn't be supported... It was supported on the 4400s and even on the 2504s. Oh well... It works fine.

Thanks,

Scott Fella
