Solved

Wireless Guest network segregation

Posted on 2013-10-25
Last Modified: 2013-11-01
I am trying to create a wireless guest network that will only be able to get to the internet. It will be on the same access points as the company wireless, but I only want the guest network to be able to get to the DSL router purchased for that purpose. The APs and all switches are made by Cisco.

How do I set up the ACLs to accomplish this task?
0
Question by:William Coats
4 Comments
 
LVL 10

Assisted Solution

by:convergint
convergint earned 167 total points
ID: 39600960
Instead of ACLs, you can do the following, which I think may be simpler.

What you need to do is to create a new VLAN on the switches and the AP for the guest network. The DSL router would be connected to that VLAN as well. Then create a Wireless Guest wireless SSID and assign that SSID to the guest VLAN.

Different APs have different abilities to assign VLANs to SSIDs; some are able to, some are not. I can't tell what models you have.
0
 
LVL 13

Assisted Solution

by:Daniel Helgenberger
Daniel Helgenberger earned 166 total points
ID: 39600995
There are basically three ways to achieve this:
1. NPS / VLAN combination; using RADIUS to authenticate employees and guests while guests would be sent to another VLAN; this would be done by the NPS / RADIUS server.
2. Using VLANs only and multi-SSID APs.
3. Set up new APs for the guests.

Option 1 uses only one SSID, but you need RADIUS.
Option 2 needs multi-SSID-capable access points, but is easier to set up.
Option 3 is basically the same as option 2 but with separate APs.

The first two options require you to set up VLANs. It might be that you do not even need an extra DSL line; your firewall is most likely capable of handling VLANs, thus acting as gateway for both networks. This is as safe as using a separate WAN connection, while configuration and maintenance overhead is reduced.
0
 

Author Comment

by:William Coats
ID: 39601046
My company has to meet PCI, so that is why we are using a separate DSL line for the guest. We need to make sure the guest can't get to the company network. We currently have separate APs for the guest but they are interfering with the company network. That's why the question. All of our APs are controlled by a Cisco WLC, so they can have multiple SSIDs assigned.

I guess our main concern is in getting the guests off of the trunk with the other SSIDs and onto their own solo VLAN as soon as possible.
0
 
LVL 45

Accepted Solution

by:
Craig Beck earned 167 total points
ID: 39601281
To fully comply with PCI requirements you should investigate purchasing a second WLC and configure it as a guest anchor controller. It should be placed in a DMZ.

If that's not an option you could create a new WLAN and VLAN on the WLC, and use the DSL router as the gateway for that new VLAN. You don't want to create an SVI or L3 interface on your corporate LAN for this VLAN - just connect the DSL router to the WLC on a dedicated port.
0
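
A check for the accepted answer's point that the guest VLAN should have no SVI or L3 interface on the corporate LAN, as an added example that is not part of the original thread: it audits a switch running-config for a guest-VLAN SVI with an IP address and lists every port that carries the guest VLAN. The sample config, VLAN 99 and the function names are constructed assumptions, and only plain VLAN lists such as `10,20-22` are parsed.

```python
import re

# Constructed sample of a Cisco IOS switch running-config (not from the thread).
# VLAN 99 is assumed to be the guest VLAN; names and addresses are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description AP trunk, corporate VLANs only
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface GigabitEthernet0/2
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/3
 description DSL router
 switchport mode access
 switchport access vlan 99
!
interface Vlan99
 ip address 192.0.2.1 255.255.255.0
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_guest_vlan(config, guest_vlan):
    """Return (svi_has_ip, ports_carrying_guest_vlan) for one switch config."""
    svi_has_ip, ports = False, []
    # Each stanza is 'interface <name>' followed by its indented body lines.
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        lines = [l.strip() for l in body.splitlines()]
        if name.lower() == f"vlan{guest_vlan}":
            svi_has_ip = any(l.startswith("ip address ") for l in lines)
        elif "switchport mode trunk" in lines:
            allowed = [l.split()[-1] for l in lines if l.startswith("switchport trunk allowed vlan ")]
            # A trunk with no allowed-VLAN list carries every VLAN, guest included.
            if not allowed or guest_vlan in expand_vlans(allowed[-1]):
                ports.append(name)
        elif f"switchport access vlan {guest_vlan}" in lines:
            ports.append(name)
    return svi_has_ip, ports
```

On the constructed sample, the audit reports the routed `Vlan99` interface and flags the unpruned uplink trunk alongside the intended DSL router port.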
