Guest WLAN

  • Guest WLAN

    We currently have Cisco 3650 switches in our production network. We'd like to introduce a wireless network that would allow guests to browse the internet and have access to printers. We have done this by introducing a wireless router and allowing the router to go to the internet.
    Now the problem part:
    - we don't want guest users to be able to communicate with our production network.
    - guests should only be able to print and browse the internet.

    How can we achieve this?

  • #2
    Re: Guest WLAN

    Access control lists,
    or VLANs and routing.
    Please do show your appreciation to those who assist you by leaving Rep Point


    • #3
      Re: Guest WLAN

      Thanks for replying, tehcamel. Could you please elaborate? My knowledge of Cisco gear is very limited.


      • #4
        Re: Guest WLAN

        There are a couple of things you can do. Separate VLANs for the production network and for the guest VLAN. From there you could have SVIs (switched virtual interfaces) on the 3560 and use access lists to filter. You could also look at private VLANs, as the 3560 does support them. These can be tricky, so look up the configuration guide before attempting. Another option is to use PACLs (port-based access lists) directly on the layer 2 switchport. They work the same as an ACL on a layer 3 interface, except you can only apply PACLs inbound.

        vlan 20 - Example wireless VLAN (addresses were left blank in the original; the placeholders in angle brackets must be replaced with your own)

        vlan 20
         name GUEST_WIRELESS
        !
        interface Vlan20
         description GUEST_WIRELESS
         ip address <guest-subnet-gateway> <subnet-mask>
         ip access-group INTERNET_ONLY in
        !
        ip access-list extended INTERNET_ONLY
         ! Allow web traffic. An extended ACE needs both a source and a destination,
         ! so "permit tcp any eq www" on its own is rejected by IOS.
         permit tcp any any eq www
         ! Allow client DNS
         permit udp any any eq 53
         ! Allow DHCP requests (a better option here would be to run DHCP on the switch for that VLAN, then this wouldn't be needed)
         permit udp any eq bootpc any eq bootps
         ! Allow access to the printer or print server
         permit ip <guest-subnet> <wildcard-mask> host <printer-address>
         ! Deny wireless clients from communicating with anything else (stops peer to peer, file sharing etc.)
         deny ip any any

        Be careful here, as if you run any internal web servers this will give them access. You can use deny statements to protect your internal servers. Put your more specific ACEs at the top.

        Another option would be to use policy routing to control the traffic on a per-hop basis. This is by far the easier option, but it really depends on how your network is configured etc.
        Last edited by auglan; 14th June 2012, 01:39.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
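A complete version of the SVI-plus-ACL approach from the reply above, written as an added example rather than taken from the thread. It puts the specific denies ahead of the broad web permit (the point made about internal web servers), restricts DNS to one resolver instead of any host on port 53, and limits the printer rule to the printing ports. Every address is an assumption: 192.0.2.0/24 (an RFC 5737 documentation range) stands in for the guest VLAN, 10.0.0.0/8 for the production network, 10.10.10.10 for the internal DNS server, 10.10.20.5 for the printer, and GigabitEthernet1/0/24 for the port the guest wireless router plugs into. Substitute your own.

```cisco
! Added example config for a Catalyst 3560/3650 running IOS; not the original poster's config.
! Addresses, host names and the uplink port below are assumptions for illustration.
vlan 20
 name GUEST_WIRELESS
!
! DHCP served by the switch itself for the guest VLAN
ip dhcp excluded-address 192.0.2.1 192.0.2.9
ip dhcp pool GUEST_WIRELESS
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 dns-server 10.10.10.10
!
ip access-list extended INTERNET_ONLY
 remark DHCP client broadcasts to the switch DHCP server
 permit udp any eq bootpc any eq bootps
 remark DNS only to the internal resolver, not to every host on port 53
 permit udp 192.0.2.0 0.0.0.255 host 10.10.10.10 eq 53
 remark Printer: the one internal host guests may reach, printing ports only
 permit tcp 192.0.2.0 0.0.0.255 host 10.10.20.5 eq 9100
 permit tcp 192.0.2.0 0.0.0.255 host 10.10.20.5 eq 515
 permit tcp 192.0.2.0 0.0.0.255 host 10.10.20.5 eq 631
 remark Specific denies BEFORE the broad web permit: no other RFC 1918 destination
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Web browsing to whatever is left, i.e. the internet
 permit tcp 192.0.2.0 0.0.0.255 any eq www
 permit tcp 192.0.2.0 0.0.0.255 any eq 443
 remark The implicit deny is made explicit so hit counts are visible
 deny   ip any any
!
interface Vlan20
 description GUEST_WIRELESS
 ip address 192.0.2.1 255.255.255.0
 ip access-group INTERNET_ONLY in
!
interface GigabitEthernet1/0/24
 description Uplink to guest wireless router
 switchport mode access
 switchport access vlan 20
```

Two things worth checking after applying it. First, `show ip access-lists INTERNET_ONLY` shows per-ACE match counts, so a guest opening an internal intranet page should increment the `deny ip any 10.0.0.0 0.255.255.255` line and nothing below it; if the web permit is counting instead, the ordering is wrong. Second, an ACL on the SVI only sees traffic that is routed off VLAN 20. Two guests on the same VLAN talk to each other at layer 2 and never reach the ACL, so guest-to-guest isolation needs the wireless router's client isolation feature or the private VLAN option mentioned in the reply, not another ACE.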