• Status: Solved
  • Priority: Medium
  • Security: Public

Wireless Access Point VLAN

I want to install a wireless in our production environment; however, I don't want any users of this wireless to have access to my LAN, only to the internet via our default gateway.

I was going to create a new VLAN on our Cisco switch and plug the wireless AP into that port and that VLAN. I can set the AP up for DHCP, and now the clients can connect to it and get an IP OK. But they can't get internet access. They also can't ping the gateway, as it's on a different subnet and VLAN. How can I sort this nice and easy?

1 Solution
Don Johnston (Instructor) Commented:
If your switch is a multilayer switch, you'll need to create an SVI (switched virtual interface) also known as a VLAN interface for that VLAN. This will be the default-gateway for all devices on that VLAN.

You'll also need to reconfigure the DHCP scope so all the clients get the new default-gateway.
kingcastle (Author) Commented:
Yeah, but how do I get the new DHCP clients to use my existing default gateway?
If they are on a separate VLAN it is as if they are plugged into an entirely separate switch with no connection to your main LAN (including your gateway). You need to connect your new VLAN to an Internet connection by either:

Using a router or a layer 3 switch (as donjohnston suggested). You will need to set access control lists to prevent access to the production VLAN from the wireless VLAN.

Add an extra NIC to your firewall and plug this into the wireless VLAN. Set the IP address of this new interface as the default gateway on the AP.

Buy a cheap ADSL broadband package for the wireless VLAN. Configure the IP address of the new broadband router as the gateway on the AP. Sounds expensive, but is dead simple to install and maintain.

Let me know if you have any questions, good luck!
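The first option above (an SVI on a layer 3 switch plus an access control list) as a Cisco IOS configuration sketch. This is an added example, not part of the original thread; VLAN 50, the 192.168.50.0/24 wireless subnet, the 10.0.0.0/24 production subnet, the 10.0.0.1 Internet gateway, the 192.0.2.53 resolver and port Gi0/10 are all constructed values.

```cisco
! Constructed values: VLAN 50 = wireless, 192.168.50.0/24;
! production LAN = 10.0.0.0/24; existing Internet gateway = 10.0.0.1.
ip routing
!
vlan 50
 name WIRELESS
!
! Port the access point is plugged into
interface GigabitEthernet0/10
 description Wireless AP
 switchport mode access
 switchport access vlan 50
!
! DHCP scope hands out the SVI, not the production gateway, as default router
ip dhcp excluded-address 192.168.50.1 192.168.50.10
ip dhcp pool WIRELESS
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
! Placeholder resolver address; it must sit outside the production subnet
 dns-server 192.0.2.53
!
! Evaluated top-down on traffic entering the switch from wireless clients
ip access-list extended WIRELESS-IN
! Let clients reach the DHCP service before they have an address
 permit udp any eq bootpc any eq bootps
! Block anything addressed to the production LAN
 deny   ip any 10.0.0.0 0.0.0.255
! Everything else from the wireless subnet is routed towards the Internet
 permit ip 192.168.50.0 0.0.0.255 any
!
! The SVI is the default gateway for the wireless VLAN
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
 ip access-group WIRELESS-IN in
!
! Internet-bound packets are forwarded to the existing gateway; they pass
! the ACL because their destination address is not in 10.0.0.0/24
ip route 0.0.0.0 0.0.0.0 10.0.0.1
```

The existing gateway also needs a return route for 192.168.50.0/24 pointing at the switch, and NAT for that subnet, or replies never reach the wireless clients. If production spans more than one subnet, each one needs its own deny line above the final permit.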


Don Johnston (Instructor) Commented:
>yeah but how do i get the new dhcp clients to use my existing default gateway

They don't. By creating a new VLAN, you have created a new IP network. Each IP network has its own default-gateway. Which either means a multilayer switch or a router on that network is the default-gateway for all hosts on that network.

Istvan Kalmar Commented:

If you want to totally separate the wireless users, please implement VRF-Lite:


Best regards,
Did you have any thoughts on these options? Let me know if you'd like to discuss any further.


