
Wireless Guest network segregation

Posted on 2013-10-25
Last Modified: 2013-11-01
I am trying to create a wireless guest network that will only be able to get to the internet. It will be on the same access points as the company wireless but I only want the guest network to be able to get to the DSL router purchased for that purpose. The APs and all switches are made by Cisco.

How do I set up the ACLs to accomplish this task?
0
Comment
Question by:William Coats
4 Comments
 
LVL 10

Assisted Solution

by:convergint
convergint earned 668 total points
ID: 39600960
Instead of ACLs you can do the following which I think may be simpler.

What you need to do is to create a new VLAN on the switches and the AP for the guest network.  The DSL router would be connected to that VLAN as well.  Then create a Wireless Guest SSID and assign that SSID to the guest VLAN.

Different APs have different abilities to assign VLANs to SSIDs, some are able to, some are not.  I can't tell what models you have.
0
 
LVL 13

Assisted Solution

by:Daniel Helgenberger
Daniel Helgenberger earned 664 total points
ID: 39600995
There are basically three ways to achieve this:
1. NPS / VLAN combination: using RADIUS to authenticate employees and guests, while guests would be sent to another VLAN; this would be done by the NPS / RADIUS server.
2. Using VLANs only and multi-SSID APs.
3. Set up new APs for the guests.

Option one uses only one SSID, while you need RADIUS.
Option 2 needs multi-SSID-capable access points, but is easier to set up.
Option 3 is basically the same as option 2 but with separate APs.

The first two options require you to set up VLANs. It might be that you do not even need an extra DSL line; your firewall is most likely capable of handling VLANs, thus acting as gateway for both networks. This is as safe as using a separate WAN connection while configuration and maintenance overhead is reduced.
0
 

Author Comment

by:William Coats
ID: 39601046
My company has to meet PCI so that is why we are using a separate DSL line for the guest. We need to make sure the guest can't get to the company network. We currently have separate APs for the guest but they are interfering with the company network. That's why the question. All of our APs are controlled by a Cisco WLC, so they can have multiple SSIDs assigned.

I guess our main concern is in getting the guests off of the trunk with the other SSIDs and onto its own solo VLAN as soon as possible.
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 668 total points
ID: 39601281
To fully comply with PCI requirements you should investigate purchasing a second WLC and configure it as a guest anchor controller.  It should be placed in a DMZ.

If that's not an option you could create a new WLAN and VLAN on the WLC, and use the DSL router as the gateway for that new VLAN.  You don't want to create an SVI or L3 interface on your corporate LAN for this VLAN - just connect the DSL router to the WLC on a dedicated port.
0
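
One way to check a corporate switch against the advice in the accepted answer above (no SVI or L3 interface for the guest VLAN) and against the asker's concern about guests sharing a trunk, as an added example that is not part of the original thread. The VLAN numbers, the sample config and the function names are assumptions made for illustration.

```python
import re

# Constructed IOS running-config excerpt (not from the thread); VLAN 99 is the assumed guest VLAN.
SAMPLE = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,90-99
interface GigabitEthernet0/2
 switchport mode trunk
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 99
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each interface name to its indented sub-commands."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = interfaces.setdefault(m.group(1), [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    return interfaces

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,90-99' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_guest_vlan(config, guest):
    """Return (interface, issue) pairs where the guest VLAN touches L3 or a trunk."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if name.lower() == f"vlan{guest}" and any(c.startswith("ip address") for c in cmds):
            findings.append((name, "svi"))  # routed interface on the guest VLAN
        if "switchport mode trunk" in cmds:
            lists = re.findall(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", "\n".join(cmds), re.M)
            # No numeric allowed list: treat the trunk as carrying every VLAN.
            if not lists or guest in set().union(*map(expand_vlans, lists)):
                findings.append((name, "trunk"))
    return findings
```

Calling `audit_guest_vlan(SAMPLE, 99)` flags both trunks and the `Vlan99` SVI, and leaves the access port for the DSL router alone. A trunk finding marks a link where guest frames share a wire with corporate VLANs and needs review; it is not automatically a fault.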
