SSID for IPAD/IPHONE

cisco.plus · ‎07-28-2012

Hi

on a 5508 WLC can we create new SSID for IPAD / IPHONE Users without having ISE, onyly Iphone / IPAD are allowed to be authenticated rest all should be denied. IS this possible

Please input

cheers

CP

Scott Fella · ‎07-28-2012

You need an ISE or something that does profiling.

-Scott
*** Please rate helpful posts ***

cisco.plus · ‎07-28-2012

Thanks Scott

Possible to configure DHCP on WLC for Tablets only with WPA2 and forward the traffic to Core.

then the core will route this vlan to a router to send traffic on internet. Also this DHCP range should not communicate with other network on the lan segment. can ISP DNS be configured on WLC in this scenario

Possible to restrict Bandwidth incomming/outgoing traffic for this new SSID on WLC

cheers

CP

Scott Fella · ‎07-28-2012

You can do per user bandwidth contracts to limit the bandwidth using QoS or you can limit the bandwidth for a particular subnet from the core. The only way is to have one SSID for the iPads and another SSID for the iPhones etc. this way you can have users connect their phones to a certain SSID and put them in a separate subnet so you can police them or even put them in a dsl Internet connection if you wanted.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

cisco.plus · ‎07-29-2012

Scott,

Good Idea to offload Iphone/Ipad traffic to normal DSL but I am not sure on how to route traffic from WLC to DSL Modem and return Traffic. currently DSL modem is not connected to network and our default route from BackBone is send to Cisco ASA.

Steps required

Create SSID on WLC
Configure DHCP on WLC for IPAD Subnet
Create VLAN on BB for IPAD Subnet # VLAN 6
assign IP on VLAN #6
connect the DSL Model to BB on VLAN#6

Feedback if these are correct steps and missing steps

thanks all

cheers

CP

Scott Fella · ‎07-29-2012

Well if your wlc is configured for lag and you do have more than one port connected from your wlc to the core, this is what you can do.

Connect the dsl modem to port on you switch and set that port to vlan 900 or something you are not using. You will have to create a layer 3 interface and set that to dhcp (obtain its ip address from the isp) unless the ISP gives you a static address. Then you add a new dynamic interface to the wlc for this network. You assign it a profile name and set the vlan to 900. Give it an ip address in that subnet and adding the gateway and mask.

Make sure the new subnet is not in your routing table and you can also configure acls to prevent this subnet from communicating to your internal and vice versa. You can have the router/layer 3 switch provide dhcp or you can have the wlc provide dhcp. If the wlc provides dhcp, then you need to make sure dhcp proxy is enabled on the wlc.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

cisco.plus · ‎07-30-2012

Scott

I am missing how to route traffic to dsl.modem for ipad-vlan and acl to prevent communication between ipad subnet and data subnet. I didnt see dhcp proxy option on wlc

Vlan 2

interface vlan 2

description DATA-VLAN

ip address 172.16.5.1 255.255.254.0

VLAN 900

interface vlan 900

description IPAD-VLAN

ip address 192.168.1.250 255.255.255.0

interface FA 0/28

description connected to DSL Modem

switchport mode access

swtichport access vlan 900

interface Giga 1/0/1

description connected to WLC

switchport mode trunk

ip route 0.0.0.0 0.0.0.0 Cisco-ASA

cheers

CP

cisco.plus · ‎08-01-2012

hello

ACL restriction is working but browsing still not. I can ping the dsl modem from switch but no browsing

access-list 25 deny 172.16.5.0 0.0.1.255

access-list 25 permit any

inter vlan 900

ip access-group 25 out

cheers

CP

Scott Fella · ‎08-03-2012

Well you would need a ip route from the 192.168.1.0 to the DSL modem of 192.168.1.1. Is that a DSL modem only or a DSL/Router? The eason I cask, is because if its a modem, then your config should be like this:

VLAN 900

interface vlan 900

description IPAD-VLAN

ip address dhcp

This interface should get an address from your ISP.

-Scott
*** Please rate helpful posts ***