Wireless, GUEST and STAFF

neurotic Member Posts: 7
Hi everyone.

I need your help badly.

We have Cisco APs and a wireless controller and we are about to deploy it tomorrow.
Currently, our client has a FLAT VLAN design and they require us to create wireless networks for GUEST, STAFF and VIP.
Guest wireless should not have access to the internal network.
Now, is there a way to achieve their requirements without adding VLANs in the switch?

As far as I know, we can achieve this by adding VLANs in the switch and implementing access lists to restrict guests from the internal network.

Please help!


  • shodown Member Posts: 2,271
    This is typically done by adding VLANs to the switch. Usually I terminate the guest VLAN on the firewall, and terminate the corp wireless on the core switch. I'm not sure what specific models you are using, but it's best practice to use separate VLANs.
    Currently Reading

    CUCM SRND 9x/10, UCCX SRND 10x, QOS SRND, SIP Trunking Guide, anything contact center related
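    The design the reply describes (separate VLANs on the switch, guest traffic filtered before it reaches the internal network) as an added example; this is not configuration from the thread, and the VLAN numbers, subnets, port names and the DNS/DHCP server address are assumptions. It shows the switch side of the OP's own idea of using VLANs plus an access list: the WLC trunk carries one tagged VLAN per SSID, and an inbound ACL on the guest SVI lets guests reach DHCP, DNS and the internet while denying the RFC 1918 space where the internal network lives. On the WLC itself each WLAN (SSID) is mapped to a dynamic interface tagged with the matching VLAN.

```cisco
! Added example (not from the thread). Cisco IOS switch config for a
! STAFF / VIP / GUEST wireless design; all numbers and names are assumed.
vlan 10
 name STAFF
vlan 20
 name VIP
vlan 30
 name GUEST
!
! Trunk to the WLC 2504: one tagged VLAN per SSID
interface GigabitEthernet1/0/1
 description Trunk to WLC2504
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20,30
!
! Guest SVI: default gateway for guest clients, filter applied inbound
! (assumed DHCP/DNS server 192.168.1.10 on the internal VLAN 1)
interface Vlan30
 description GUEST
 ip address 192.168.30.1 255.255.255.0
 ip helper-address 192.168.1.10
 ip access-group GUEST-IN in
!
ip access-list extended GUEST-IN
 remark allow DHCP to the relay on this SVI and DNS to the internal resolver
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.30.0 0.0.0.255 host 192.168.1.10 eq domain
 remark deny everything else destined to RFC 1918 (internal) address space
 deny ip 192.168.30.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny ip 192.168.30.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark anything left is internet-bound traffic towards the firewall
 permit ip 192.168.30.0 0.0.0.255 any
```

    The `switchport trunk encapsulation dot1q` line is only accepted on platforms that also support ISL; drop it if the switch rejects it. The permit lines sit above the RFC 1918 denies on purpose, since the ACL is evaluated top down; check it with `show ip access-lists GUEST-IN` after a guest client has associated and confirm that the deny counters increment when it tries to reach an internal host.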
  • neurotic Member Posts: 7
    Hi shodown!

    Thanks for responding! I really appreciate it.

    Anyways, we are using the Cisco Wireless Controller 2504 and Access Point 1702.

    My problem is that our client doesn't want to add additional VLANs in the switch.

    Currently, everything is on VLAN 1. Do you have any idea how to achieve this w/o using VLANs?
  • shodown Member Posts: 2,271
    1. You have to break down broadcast domains and explain to them how much chatter there will be on that VLAN, which can seriously affect performance. The security risk of everyone being on 1 VLAN and so on, and how it's not best practice due to what I mentioned above. Here is a guide that can help. I don't do much wireless so someone else can chime in, but you need to talk to them about using 1 VLAN. Below is a guide that can help you out.

    Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller, Release 4.1 - Cisco
  • neurotic Member Posts: 7
    Thanks shodown. Appreciate your inputs!

    By the way, this is not possible if we are using the firewall to restrict access to the internal network, since the SSIDs have to be on different subnets, right?

    Our firewall can only permit or deny through a single host or a network range, correct?
  • kmusk01 Member Posts: 23
    In theory you could install a home wifi router and have that be used for the guest network. It would give them a mini subnet within your main VLAN 1 network. However, you may/will run into issues with DHCP on hard-wired clients. They will start to pick up DHCP from that new home router instead of the main DHCP server.

    I don't believe there is a way for you to allow only wireless clients to grab an IP and not hard-wired clients.

    On your firewall, if you only have 2 ports, 1 for in and 1 for out, you can still accomplish another VLAN for guest traffic. You need to have another outside IP address and another router or L3 switch. Basically you would do the following:
    - Take your main inet connection and plug it into the switch in a dummy VLAN (say 15)
    - Take the outside port of the RTR and plug it into the switch in the dummy VLAN (15)
    - Take the new RTR outside port and plug it into the switch in the same VLAN as above (15)
    - Take the second outside IP address and put it on the new RTR or L3 switch's outside interface
    - Take the RTR inside interface and plug it into the switch in VLAN 1
    - Take the new RTR inside interface and plug it into the switch (whatever you want your guest VLAN to be, say 50)

    This allows you to use the same inet connection for both VLANs. You can then do QOS if needed so the guest network doesn't hog all the bandwidth.

    We do a similar setup here as the provider only gives us 1 cable for inet, but we have multiple outside IPs.

  • emerald_octane Member Posts: 613
    What the heck. Why would they spring for the 2504 and not want to deploy a separate VLAN? It's trivially easy to do what they want in that case. You can have multiple SSIDs that terminate on the same interface/VLAN (1 in this case), but it's literally the same as dropping them on the "internal" LAN, as you already know. The 2504 is capable of oh so much more. It's one of my favorite pieces of equipment.
  • AwesomeGarrett Member Posts: 257
    What is the existing wireless infrastructure? Is there an anchor controller somewhere for Guest-Wifi or is this a SO-HO setup?