Solved

Cisco catalyst 3850 switch wireless Guest setup

Posted on 2015-01-21
Last Modified: 2015-10-19
Hi experts,

Compliments for the new year...
I'm back, and let's call this phase two.

My previous question was: ID: 28539488, asked on 2014-10-17 at 14:46:34

You guys helped me with a Cisco Catalyst 3850 switch wireless controller configuration... All my APs are controller-based and they all connect just fine now. Thanks.


But with phase two, I need to split this network into two... There are tons of documents available, but I can't find one related to my device.

I did some research and went through some videos too, but I first wanted to know if any of you guys have worked on this before; it would help a lot.


The client will technically have three options:
1. Put more wireless LAN controllers into the network by placing one in the DMZ. This would be more costly, but it's the best approach and it's scalable.
2. If they have a small DMZ, such as only a firewall, then we'll need some sort of layer 2 connection to that firewall. A VLAN should be created so that all guest traffic is passed to that port.
3. The last option would be to create ACLs on what the guest could and shouldn't access.


In my case, I only have one WLC, which is my switch. Would it be best practice to connect one cable directly from my WLC switch to the firewall and offload guest traffic to it?


I hope this is informative, and if possible send me links again.

I don't see Cisco as a topic.
0
Comment
Question by:salt-eit
13 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40561914
If you don't have an anchor WLC you should use a separate interface from your firewall and use that as the gateway for the Guest VLAN (your option 2).  It's a tried and tested solution and providing you don't allow anything from the Guest VLAN to the rest of the LAN it'll be secure enough.

ACLs won't be enough to keep things secure.
0
 

Author Comment

by:salt-eit
ID: 40562093
@Craig Beck you're on track... but I'm a newbie to this and I will need links to the configs. The links I found are for other devices. Thanks.

I'll share my configs and the configs that I think will make this work; please edit if you think otherwise.

Yes, no traffic should go to the internal network...
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40562814
I think I remember participating in the previous question... what configs do you have on your switches at the moment?
0

 

Author Comment

by:salt-eit
ID: 40567040
I've cut the configs in half, as the WiFi will be the only important part. I only have one profile in this config; no guest settings or second profile have been added yet.

From a basic scenario, how would you configure your guest wireless network?

The corporate WiFi points to client vlan100 and we do get IPs from our DHCP server as the IP helper.

Let me know if you need more info.
switch-config.docx
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40602984
"From a basic scenario, how would you configure your guest wireless network?"
It depends on a few things...

1] Where guest traffic will go (we know this already)
2] How you want to authenticate guest users
3] What you want to let guest users access (generally internet only)

There are other questions but generally this is what we need to establish first.
0
 

Author Comment

by:salt-eit
ID: 40603378
Thanks for coming back...


You're right.

1. Guests should go straight to the net only.
2. We'll need to implement MAC security on the internal WiFi too.
I thought of setting up a second SSID that all guests connect to, which is the obvious... Then from there a web portal should ask them for a username and password. The password should expire after a specific period.
3. Yes, on point.

Now... trying to put the configs together. Let me know if you need more info about the switch. I'll quickly go through one document and share my ideas. If you perhaps have more docs, please share the links.
0
 
LVL 47

Accepted Solution

by:
Craig Beck earned 2000 total points
ID: 40639314
I thought I'd replied to this!?

The configs are tricky as you'd need to use the switch for the Web-Auth part of the Guest authentication.  This would provide a layer-3 path into your network which would render the link to the firewall pointless.  In order to secure it we'd need to use a separate WLC in the DMZ as a guest anchor controller.

FWIW, Cisco don't provide any config guides for what you're trying to do with your guest solution, so you can assume that the approach is a no-no.

The best way to do it would be to just forget Web-Auth (to remove the dependency for a SVI at the switch) and push clients straight to the firewall.
0
 

Author Comment

by:salt-eit
ID: 40640137
Craig... you're on point. I want to ask you something before I jump back to the wireless guest side.

MAC address security / port security...
The client wants to implement this on his network too and might require this for the wireless side too, for CAM overflow protection purposes, etc.

With port security basics...

One gets three options: static, dynamic and sticky... I believe sticky's the best option for a larger network, rather than putting every MAC address in manually.

Is it good practice to set all specific ports to a limit of only one MAC address?

In my scenario, with 1 core switch (3850) and 4 2950 switches, should one configure port security only on one switch, or is it necessary to do this on all switches?

Violations:
Protect, restrict and shutdown...
Is it good practice to use aging with these options? I'll also use the automatic recovery process.


Again, thanks for all your help.
0
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 2000 total points
ID: 40640199
If you use 802.1x you don't want port-security.  The two don't work well together.  If you don't use RADIUS you can't do 802.1x; then port-security is probably desirable.

If you don't want devices to move to different ports, use sticky and restrict the port to one sticky MAC address.  That will help with MAC spoofing and stop people from moving devices to ports where you don't want them.

You need to implement port-security at the switchport level, so wherever you want to restrict the MAC addresses that pass through a port you'll need to do it at the switchport.

Configuration of violations is really down to what you want to happen.  If you use protect, the security violation counter isn't incremented, but with restrict it is.  They both do the same thing in that they stop more than the allowed number of MAC addresses from passing through the port.  If you use the shutdown option the port does just that, until you either manually enable the port or you use the err-disable recovery method.  If you want to ensure that violations are dealt with automatically, use the err-disable method.
0
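
An added example, not part of the original thread and not Cisco's own tooling: a Python audit of saved switch configuration text for the points made in the accepted solution (no addressed SVI on the guest VLAN) and in the answer above (port-security together with 802.1X, the MAC limit, and the violation mode). The sample config, guest VLAN 200 and the interface names are constructed assumptions.

```python
import re
# Constructed sample config; guest VLAN 200 and the port names are assumptions.
SAMPLE = """\
interface Vlan200
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet1/0/1
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security violation restrict
interface GigabitEthernet1/0/2
 switchport port-security
 switchport port-security maximum 5
 dot1x pae authenticator
"""

def parse_interfaces(config):
    """Map each 'interface X' header to its sub-commands; any unindented line ends a block."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            m = re.match(r"interface (\S+)", line)
            current = blocks.setdefault(m.group(1), []) if m else None
        elif current is not None:
            current.append(line.strip())
    return blocks

def audit(config, guest_vlan):
    """Return (interface, finding) pairs for the points raised in the thread."""
    findings = []
    auto_recover = "errdisable recovery cause psecure-violation" in config
    for name, cmds in parse_interfaces(config).items():
        text = "\n".join(cmds)
        # An addressed guest SVI is a layer-3 path on the switch itself.
        if name.lower() == f"vlan{guest_vlan}" and re.search(r"^ip address", text, re.M):
            findings.append((name, "guest SVI has an IP address"))
        if "switchport port-security" not in cmds:
            continue
        if re.search(r"^(dot1x pae|authentication port-control)", text, re.M):
            findings.append((name, "port-security combined with 802.1X"))
        # The config omits defaults: maximum 1, violation mode shutdown.
        limit = (re.findall(r"port-security maximum (\d+)", text) or ["1"])[0]
        if int(limit) > 1:
            findings.append((name, f"allows {limit} MAC addresses"))
        mode = (re.findall(r"port-security violation (\w+)", text) or ["shutdown"])[0]
        if mode == "protect":
            findings.append((name, "protect: violation counter not incremented"))
        if mode == "shutdown" and not auto_recover:
            findings.append((name, "shutdown without err-disable recovery"))
    return findings
```

Calling `audit(SAMPLE, 200)` flags the addressed guest SVI and three issues on GigabitEthernet1/0/2, while the sticky, restrict-mode port passes clean.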
 

Author Comment

by:salt-eit
ID: 40641868
Thanks,

Just want to clarify something in your previous comment...


"If you use 802.1x you don't want port-security"

Since the 3850 WLC switch will be handling my wireless configs... will port security on it have any impact? We won't do MAC address for WiFi devices anymore.
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 40641954
Port-security does nothing for wireless clients but it will for the APs.  If you use port-security at the switchport you don't want to be authenticating the AP using 802.1x (actually the AP itself, not clients connected to it).

Port-security shouldn't be confused with wireless MAC authentication, which only applies to clients and is enforced at the AP's wireless interface, not the switchport.

When talking about 802.1x and port-security together we're talking about wired only.  Don't consider wired 802.1x and wireless 802.1x in the same sentence as they won't affect each other.
0
