Wireless guest network segregation

I am trying to create a wireless guest network that will only be able to get to the internet. It will be on the same access points as the company wireless, but I only want the guest network to be able to get to the DSL router purchased for that purpose. The APs and all switches are made by Cisco.

How do I set up the ACLs to accomplish this task?

William Coats (Network Administrator/Engineer) asked:

Craig Beck commented:
To fully comply with PCI requirements, you should investigate purchasing a second WLC and configuring it as a guest anchor controller. It should be placed in a DMZ.

If that's not an option, you could create a new WLAN and VLAN on the WLC and use the DSL router as the gateway for that new VLAN. You don't want to create an SVI or L3 interface on your corporate LAN for this VLAN; just connect the DSL router to the WLC on a dedicated port.

convergint commented:

Instead of ACLs, you can do the following, which I think may be simpler.

What you need to do is create a new VLAN on the switches and the APs for the guest network. The DSL router would be connected to that VLAN as well. Then create a guest wireless SSID and assign that SSID to the guest VLAN.

Different APs have different abilities to assign VLANs to SSIDs; some can, some cannot. I can't tell what models you have.

Daniel Helgenberger commented:

There are basically three ways to achieve this:
1. NPS / VLAN combination: using RADIUS to authenticate employees and guests, with guests sent to another VLAN; this would be done by the NPS / RADIUS server.
2. Using VLANs only and multi-SSID APs.
3. Set up new APs for the guests.

Option 1 uses only one SSID, but you need RADIUS.
Option 2 needs multi-SSID capable access points, but is easier to set up.
Option 3 is basically the same as option 2, but with separate APs.

The first two options require you to set up VLANs. You may not even need an extra DSL line; your firewall is most likely capable of handling VLANs, thus acting as the gateway for both networks. This is as safe as using a separate WAN connection, while reducing configuration and maintenance overhead.

William Coats (author) commented:

My company has to meet PCI, so that is why we are using a separate DSL line for the guests. We need to make sure the guests can't get to the company network. We currently have separate APs for the guests, but they are interfering with the company network. That's why the question. All of our APs are controlled by a Cisco WLC, so they can have multiple SSIDs assigned.

I guess our main concern is getting the guests off the trunk shared with the other SSIDs and onto their own VLAN as soon as possible.
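The Layer-2-only guest VLAN that Craig Beck and convergint describe (guest SSID mapped to its own VLAN, DSL router as that VLAN's only gateway, no SVI on the corporate switch), written out as an added Catalyst IOS example that is not from any poster. Assumed values: corporate VLAN 10 in 10.0.0.0/8, guest VLAN 200 with the DSL router handing out 192.168.1.0/24, Gi0/1 as the trunk to the WLC and Gi0/2 as the port to the DSL router.

```cisco
! Added example; assumed VLAN IDs, interfaces and address ranges (see lead-in).
!
! 1. Guest VLAN exists only at Layer 2. Deliberately NO "interface Vlan200":
!    without an SVI the switch cannot route guest traffic into the corporate LAN.
vlan 200
 name GUEST-WIFI
!
! 2. Trunk to the WLC carries corporate and guest VLANs; on the controller the
!    guest WLAN is bound to a dynamic interface tagged with VLAN 200.
interface GigabitEthernet0/1
 description Trunk to Cisco WLC
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,200
 switchport nonegotiate
!
! 3. The DSL router is an access port in the guest VLAN and is the default
!    gateway (and DHCP/DNS server) for guest clients.
interface GigabitEthernet0/2
 description Guest DSL router - guest default gateway
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
!
! 4. Defence in depth: a VLAN access map on VLAN 200 drops any guest packet
!    addressed to private (RFC 1918) space other than the guest subnet itself,
!    so a later SVI or static route cannot quietly open a path to corporate.
ip access-list extended GUEST-LOCAL
 permit ip any 192.168.1.0 0.0.0.255
ip access-list extended GUEST-TO-PRIVATE
 permit ip any 10.0.0.0 0.255.255.255
 permit ip any 172.16.0.0 0.15.255.255
 permit ip any 192.168.0.0 0.0.255.255
!
vlan access-map GUEST-FILTER 10
 match ip address GUEST-LOCAL
 action forward
vlan access-map GUEST-FILTER 20
 match ip address GUEST-TO-PRIVATE
 action drop
vlan access-map GUEST-FILTER 30
 action forward
vlan filter GUEST-FILTER vlan-list 200
```

The `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL (for example the 3560/3750) and is omitted on 2960-class switches; the access map matches IPv4 only, so a guest VLAN that also carries IPv6 needs an equivalent `match ipv6 address` entry where the platform supports it.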