cargex

asked on

Cisco WiFi Guest network best practices

Hi Guys,
I have to setup a WiFi guest network and I'm wondering what are the best practices.

As a premise, I have a Cisco stack, 1 WiFi controller and 2 WiFi access points that are currently connected to my users VLAN like one more client (switchport mode access), so users just connect to the main SSID, provide the password and get an IP address from the same network that my users who connect over the Ethernet cable do.

I'm thinking that I should do the following:

Create a new vlan in the Cisco Stack.
Give access to the new vlan to the ports where I have the Controller and the 2 Access Points connected.
Create a new SSID "Guest_Network".
Create a new DHCP Scope in the Cisco Stack that will provide the IP Addresses for the Guest Network.

So what do I need?

First somebody to tell me if my plan is correct, if not what should I change.

Once the plan is correct, then I need the commands to do all this in the Cisco Stack.

Thanks in advance.
Kimputer

If you connect to the Guest_Network and you already get an IP from a different subnet, you have usually configured it correctly already.
DO NOT enable the inter-VLAN routing options though!
Best practice is to use a dedicated guest anchor controller in a DMZ.
ASKER CERTIFIED SOLUTION
Kaiser Anwar
cargex (ASKER)
I'm using the same access points for the regular employees network SSID, and the guest network SSID, so it needs to be a solution done at the Cisco Stack to separate the traffic that is coming in through the same port where I connect the Access Point.
cargex (ASKER)
What I'm looking for is how to create a DHCP configuration in my Cisco stack that will only serve the guest network, and my first guess is that I have to create a different VLAN for that guest network.

So the steps would look something like this:
Create VLAN
Add access point ports in the Cisco stack to that VLAN
Create DHCP service in the Cisco stack that will service the guest network VLAN only!!!

If you can give me the Cisco commands that would be great!
I can give you better details if you can give me details on the physical topology,

but this is what you would need to do:

1. Create a new VLAN in the Cisco switch stack.
2. Create a new interface in the controller and assign it the same VLAN as the switch.
3. Define the IP of the DHCP server for the guest VLAN in the interface settings.
4. Create a new scope for the new guest VLAN.

Hope this helps
There are multiple ways to go about this. You can connect one port on the wireless controller directly to the firewall, create a public interface on the controller and a new guest SSID, which will route traffic directly to the firewall; or, if you are short on interfaces on the firewall, you can plug it into the DMZ interface.

...assuming you're not using LAG at the WLC.  If you are using LAG you can't do this.


I'm using the same access points for the regular employees network SSID, and the guest network SSID, so it needs to be a solution done at the Cisco Stack to separate the traffic that is coming in through the same port where I connect the Access Point.

Actually, using a dedicated guest anchor WLC creates a tunnel from the internal WLC to the anchor WLC in the DMZ.  The APs still connect to the internal WLC but the guest traffic gets pushed to the anchor WLC and drops off there in the DMZ.

I really wouldn't advise putting an SVI on your switch stack for guest just to do DHCP. That'll enable guest users to get to your LAN unless you secure it properly with an ACL.
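The switch-stack variant the thread keeps coming back to (the asker's three steps, the numbered reply above, and the warning just above that an SVI-based guest network needs an ACL), written out as an added example. This is not configuration posted by any participant; the VLAN number (200), the addresses (10.200.0.0/24 for guests, VLAN 10 as the existing VLAN the WLC and APs sit in today), the port names and the resolver addresses are all assumptions to be replaced with your own. It also assumes lightweight APs in local (centrally switched) mode, where guest SSID traffic is CAPWAP-tunnelled to the WLC and only leaves the tunnel on the controller's VLAN 200 interface, so only the WLC port needs the guest VLAN; with FlexConnect local switching the AP ports would have to be trunks carrying VLAN 200 as well.

```cisco
! Added example; values below are assumptions, not from the thread:
!   guest VLAN 200, guest subnet 10.200.0.0/24, existing VLAN 10,
!   WLC on Gi1/0/1, APs on Gi1/0/2-3, public resolvers 8.8.8.8 / 8.8.4.4.
! "ip routing" and a default route to the firewall are assumed to exist already.
!
vlan 200
 name GUEST_WIFI
!
! Guest gateway. The inbound ACL is what stops guests reaching the LAN;
! without it a routed SVI gives guests the same reach as any other VLAN.
interface Vlan200
 description Guest WiFi gateway (guest SSID only)
 ip address 10.200.0.1 255.255.255.0
 ip access-group GUEST-IN in
 no ip redirects
 no ip proxy-arp
!
! DHCP pool bound to the guest subnet only: the switch selects this pool
! because requests arrive on Vlan200, whose address is in 10.200.0.0/24.
ip dhcp excluded-address 10.200.0.1 10.200.0.10
ip dhcp pool GUEST_WIFI
 network 10.200.0.0 255.255.255.0
 default-router 10.200.0.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 8
!
! Guests may get an address, resolve names and reach the Internet;
! all private address space (including this subnet and the gateway
! itself) is denied.
ip access-list extended GUEST-IN
 remark DHCP client -> server (the switch itself)
 permit udp any eq bootpc any eq bootps
 remark DNS to the resolvers handed out above
 permit udp any host 8.8.8.8 eq domain
 permit udp any host 8.8.4.4 eq domain
 remark Deny all RFC1918 space; adjust if the LAN uses other ranges
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Anything left is Internet-bound
 permit ip any any
!
! WLC port: trunk carrying the existing VLAN (native) and the guest VLAN.
! Older IOS (e.g. 3750) also needs "switchport trunk encapsulation dot1q".
interface GigabitEthernet1/0/1
 description WLC
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,200
!
! AP ports stay access ports in the existing VLAN: in local mode the
! guest SSID traffic rides the CAPWAP tunnel to the WLC and is dropped
! onto VLAN 200 there, not at the AP's switch port.
interface range GigabitEthernet1/0/2 - 3
 description Lightweight AP
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Checks once a guest client associates:
!   show ip dhcp binding
!   show access-lists GUEST-IN        (hit counters on the deny lines)
!   show interfaces trunk
```

On the controller side this pairs with steps 2 and 3 of the numbered reply: a dynamic interface on VLAN 200 whose DHCP server is the SVI address 10.200.0.1, with the Guest_Network WLAN bound to that interface. Two things the ACL cannot do: a guest pinging the gateway will fail (expected, since 10.200.0.1 falls inside the denied 10.0.0.0/8), and guest-to-guest traffic inside the subnet never crosses the SVI at all, so client isolation has to be enforced on the WLC (peer-to-peer blocking on the WLAN), not on the switch.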
The best setup for the guest WiFi is to choose a port on the WLC, route it directly to the firewall and assign DHCP from the WLC, which is what I recommended in the first post.
I beg to differ @Kaiser Anwar. The best way to do this is as per vendor best practice, as per my first post.

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch10GuAc.html

Using a dedicated port is widely considered to be a poor man's solution IF you can't go down the guest anchor route.
You asked for best practice, yet marked a workaround as the answer?!