Catalyst Express and Aironet 1240 VLANS

  • Catalyst Express and Aironet 1240 VLANS

    Network is as follows (inherited from a previous consultant):

    DSL with static IP
    PIX 501 acting as the gateway router and firewall
    Catalyst Express 500 network switch (no config, acting as switch only)
    Aironet 1240AG AP
    MS SBS 2003 doing DHCP for the internal network.
    MS Terminal Server for remote clients from VPNs

    Before anybody suggests adding a real router... it is not going to happen any time soon. The PIX is the VPN endpoint for two remote offices and they spent a lot of time and money getting it configured.... I will change it out when the time is right, but this is not the time!

    To the question:

    I have set up plenty of Aironet/871W VLAN networks with dual SSIDs for guest and employee use. Two subnets and ACLs handed out by the 871W. I would like to do the same here, but it will be a year or two before they can be talked into upgrading the PIX 501.

    This client would like a guest SSID for office visitors. Can the CATALYST EXPRESS 500 be used with the single 1240AG to accomplish this?

  • #2
    Re: Catalyst Express and Aironet 1240 VLANS

    Hi BeanAnimal,

    I am having trouble picturing how this is going to work with the hardware that you have.

    I believe that the 1242 can do two SSIDs with two networks but once you have two networks, I can't picture any device on the list that would route the traffic from the second network. Currently, you just have the 1 internal LAN and 1 subnet.

    If the PIX had a DMZ port, then you could run a second cheapo wireless AP to the DMZ. That is what I would like to see: a separate AP and a separate subnet going to a different interface on a router / firewall.

    I am not saying that it WON'T work, just that I can't see how at my initial look at this.

    Anyone out there have any other ideas on how BeanAnimal can make this work with the existing equipment?
    David Davis - Petri Forums Moderator & Video Training Author


    • #3
      Re: Catalyst Express and Aironet 1240 VLANS

      It depends what the end requirement is here - I'm guessing that BeanAnimal wants to allow visitors to the company to have access to the internet (webmail, their own company VPN, etc. - the usual scenario) whilst preventing access to the client's corp LAN.

      I approached this (admittedly with a significantly different setup) by only allowing specific MACs to access my Aironet.
      This meant that, as I had to visit each visitor to get the wireless MAC off their laptop, I could enforce the company policy of getting confirmation from the visitor that they had an adequate, up-to-date virus scanner installed.
      As they hit the LAN as non-members of my domain, group policies on the AD handled that side of things, but they had a clean shot out of the router, firewall, McAfee IntruShield and Blue Coat proxy at the internet.

      (As you can guess from above, we're pretty "belt n braces", but we haven't had an outage due to malware since we implemented all this, two years back).


      • #4
        Re: Catalyst Express and Aironet 1240 VLANS

        I might be totally wrong here as I'm new to Cisco. But I am trying to do a similar thing here myself. The only problem I am having is with RADIUS authentication for my wireless. But if you set up VLANs on your switch running on different subnets, can't you just configure WIRELESS1 = CORPVLAN, WIRELESS2 = GUESTVLAN? Then on your firewall / router create a virtual interface (not sure if possible; I'm thinking of Linux here) and then firewall out source GUESTVLAN > CORPVLAN to deny access. I'm not sure if that will work at all. Ideally you should have a router with two LAN ports to separate your networks. But if it's possible to add a virtual interface and assign a VLAN to that interface, then it should work.

        Not sure if this works, just thought of it after I posted. Can't you just configure the switch with VLANs and trunk the port that the access point goes into? As long as you have set up the two wireless networks in the access point with different VLANs, that should separate the two networks. Then your PIX firewall should be trunked into the switch also, and then configure your routing / firewalling on the PIX.

        Eg: Internet ----- > PIX <--------->VLAN1 & VLAN2 -------> Trunked Port(s) on Switch <--------- VLAN1 & VLAN2------> Access Point

        Make sense?


        Last edited by AndrewH; 22nd November 2007, 05:09.
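Added example (editor's, not from any post in the thread): the AP-side and switch-side configuration that AndrewH's "trunk the AP port, one SSID per VLAN" idea needs, written in Aironet IOS (which the 1240AG runs) and standard Catalyst IOS. Everything concrete is assumed: VLAN 10 for corporate, VLAN 20 for guest, the SSID names, the WPA2 passphrase and the AP's management address. The Catalyst Express 500 has no CLI and is configured through its web device manager or Cisco Network Assistant, so the switch block shows what the Express's port roles must end up equivalent to (a trunk carrying both VLANs toward the AP and toward the firewall), not commands to paste into it. The example also assumes the firewall can terminate the tagged guest VLAN on its own subinterface, hand out a different subnet there and deny guest-to-corp; the thread does not establish that the PIX 501 can do that, and if it cannot, nothing routes VLAN 20 and guests get no connectivity. The VLAN split only isolates; it does not replace the second routed interface David asked about.

```cisco
! === Aironet 1240AG (IOS): two SSIDs, each bridged to its own 802.1Q VLAN ===
! Assumed values: VLAN 10 = corporate, VLAN 20 = guest, SSID names, PSK, BVI address.
! Exact WPA keywords vary by IOS release; "wpa version 2" needs a 12.3(8)JA-or-later image.
dot11 ssid CORP
 vlan 10
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii CHANGE-ME-corp-passphrase
!
dot11 ssid GUEST
 vlan 20
 authentication open
 guest-mode
! guest-mode beacons this SSID; without MBSSID an Aironet broadcasts only one SSID,
! so CORP stays hidden and staff join it by name.
!
interface Dot11Radio0
 no ip address
 encryption vlan 10 mode ciphers aes-ccm
 ssid CORP
 ssid GUEST
 station-role root
!
! Each VLAN is a subinterface on the radio AND on the Ethernet port, joined by a
! bridge group. The native VLAN (10) also carries the AP's own management traffic.
interface Dot11Radio0.10
 encapsulation dot1Q 10 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface FastEthernet0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0.10
 encapsulation dot1Q 10 native
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
! AP management address, assumed to live in the corporate VLAN
interface BVI1
 ip address 192.168.1.5 255.255.255.0
!
! === Switch side (standard Catalyst IOS, shown for reference only) ===
! The Catalyst Express 500 is GUI-configured; its "Access Point" and "Router"
! port roles have to produce trunks equivalent to these.
vlan 10
 name CORP
vlan 20
 name GUEST
!
! Port to the 1240AG
interface FastEthernet0/1
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
!
! Port to the firewall, which must terminate VLAN 20 on its own subinterface
interface FastEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
```

To check the result, `show dot11 associations` on the AP lists each client with the SSID and VLAN it landed in, and `show interfaces trunk` on a CLI Catalyst (or the port detail page on the Express) should show VLANs 10 and 20 active on both trunks; the real test is a laptop on GUEST getting an address from the guest subnet and being unable to reach the SBS server. Note that a MAC allow-list of the kind described in post #3 is trivially bypassed by a visitor who changes their wireless MAC, so it controls who is admitted but not where they can go; the VLAN split above is what keeps guests off the corporate LAN.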