Separating/Securing Public Internet Access with WLSM?

aarato
Level 2
Level 2

I need to use the same access point for internal (secure) access and public Internet access for guest users.

I used to do this just by trunking on the AP1200 and using two isolated VLAN<->SSID pairs separated by a Cisco switch. Now with the WLSM, everything needs to go through the tunnel interface, which does not make me very comfortable. What is the best practice to use WLSM-AP1200 to provide secure and unsecure wireless access? How do I separate the two types of traffic securely?

Any help would be greatly appreciated!

9 Replies

jmagnusson
Level 3
Level 3

Cisco themselves handled this with BBSM. Security is only one issue. What about rate limiting user traffic?

What about tracking guest users?

http://www.cisco.com/en/US/customer/about/ciscoitatwork/case_studies/wireless_dl4.html

Thanks for the reply, but the case study did not use WLSM.

As far as I know the only way to tunnel L3 roaming users on the WLSM is to route it through the tunnel interface. How can I separate the guest traffic from my secure traffic on the WLSM?

Has anybody done this? What is the best practice?

Another mobility group on the AP for guests... thus creating a separate tunnel interface....

The issue is that this separate tunnel interface is one of the logical interfaces on my internal router, so I would have to restrict the traffic from the guest tunnel interface to the other internal VLANs on my network.

So I guess, what is the best practice for isolating an interface on a router from the other router interfaces?

pam
Community Member

What we did here is we set up a mobility group for the guest users on the WLSM. We then gave them their own segment with their DHCP addresses, and then we set up policy routing and a route map on our 6500 to force all of the users from this segment directly to our firewall and on out to the Internet. It appears to be working and no-one has broken it yet.

Let me know if this helps.

paul

Pam,

This is the best answer I got so far! Is this something that Cisco recommended to you? I am a little bit worried about possible security holes by relying on the policy-route to secure the guest VLAN. I just want to make sure I follow a "best practice". 🙂

Thanks,

Andras

dixho
Level 11
Level 11

You do not have to enable layer 3 mobility network on all SSIDs. You can define 2 VLANs with a SSID each. You enable layer 3 mobility network on the VLAN for internal users. You do not enable layer 3 mobility on the guest users VLAN.

You define trunking on the Ethernet switch. You need to define the native VLAN and the guest VLAN. All internal user traffic goes through the tunnel interface (i.e. native VLAN). The guest user traffic goes through the guest VLAN on the Ethernet switch.

Does it work for you?

Dixho,

Thank you very much for your reply, but one of the reasons the WLSM purchase was approved is the fact that we can eliminate the need to have a common VLAN with a big spanning tree. This network is huge and I would like to avoid creating a VLAN that spans the entire enterprise.

Andras

OK. I followed up with Cisco and their approved method is to create a separate VRF instance for the tunnel interface to isolate the guest traffic. Rate-limiting on the tunnel interface is also recommended to protect against DoS attacks.

They will publish a white paper on this soon, but I thought I would update this thread in case somebody has the same problem.
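To show what the VRF approach from the last post looks like on the Supervisor 720 side, here is an added example configuration; it is not from this thread, from Cisco's white paper or from any poster. The VRF name, tunnel number, addresses, mobility network-id value and policing rate are all assumptions, and it assumes the guest DHCP server is reachable inside the guest VRF.

```ios
! Added example: guest WLSM mobility tunnel isolated in its own VRF.
! All names, numbers and addresses below are assumed, not from the thread.
!
! 1. A VRF that holds only guest routes. Because the global routing table
!    never learns the guest subnet, a guest cannot reach internal VLANs
!    even if a policy route or ACL is later misconfigured.
ip vrf GUEST
 rd 65000:10
 description Guest wireless - kept out of the global routing table
!
! 2. Tunnel source stays in the global table so the APs can reach it;
!    only the IP side of the tunnel is moved into the GUEST VRF.
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
! 3. Input policing on the guest tunnel, the DoS protection the post
!    mentions. 2 Mbit/s is an assumed figure; size it for your guest SLA.
policy-map GUEST-POLICE
 class class-default
  police 2000000 conform-action transmit exceed-action drop
!
! 4. The guest mobility tunnel. "ip vrf forwarding" must come before
!    "ip address", otherwise IOS clears the address when the VRF is set.
interface Tunnel10
 description WLSM mobility tunnel - guest mobility group
 ip vrf forwarding GUEST
 ip address 172.16.10.1 255.255.255.0
 ip helper-address 172.16.99.10
 no ip redirects
 tunnel source Loopback0
 tunnel mode gre multipoint
 mobility network-id 10
 service-policy input GUEST-POLICE
!
! 5. The only exit from GUEST is a default route toward the firewall's
!    guest leg; nothing in GUEST points back at internal subnets.
interface GigabitEthernet1/1
 description Link to guest firewall interface
 ip vrf forwarding GUEST
 ip address 192.0.2.1 255.255.255.252
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.2
```

Check the isolation with `show ip route vrf GUEST` (only the default and the two connected subnets should appear) and `show ip route` (the 172.16.10.0/24 guest subnet must not appear in the global table).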
