AP: GUEST SSID CONFIGURATION: CLI MODE


TOPICS

AP MODEL DETAILS

CONNECTIVITY DIAGRAM

SCENARIO

CONFIGURATION ON WAP

CONFIGURATION ON LAYER 2 DEVICE

CONFIGURATION ON LAYER 3 DEVICE

********************

MODEL DETAILS

WAP MODEL:    CISCO AIRONET  3602

IMAGE TYPE:    AUTONOMOUS

WAP MANAGED BY:   SWITCH

************************

 

CONNECTIVITY DIAGRAM

LAYER 3 SWITCH  ( Single Device )  ====  LAYER 2 SWITCH   ====    AP

**********************

 

SCENARIO

CHANGES ON WAP

We need to configure a guest SSID on the WAP, that is, a guest account for guest users.

For the new guest SSID, we need to create a new VLAN and assign that VLAN to the radio interfaces of the WAP.

To match this configuration on the WAP, we need to make changes on the connected Layer 2 and Layer 3 devices.

Authentication will be of the open type.

 

CHANGES ON LAYER 2 SWITCH

On the Layer 2 switch, we need to create the Layer 2 VLAN that was created on the WAP.

On the Layer 2 switch, the newly created VLAN needs to be allowed on the trunk ports.

 

CHANGES ON LAYER 3 SWITCH

On the Layer 3 switch, we need to create a Layer 3 VLAN (SVI) so that users can communicate with other VLANs.

We have to apply an access list to the newly created VLAN. This access list allows guest users to reach applications in the network but denies them access to other network devices.

We need to allow the newly created VLAN on the trunk ports of the switch. The case where the trunk ports are members of an EtherChannel is also covered.

Allow the newly created VLAN in the internal network to give users access to the company's network.

*****************

 

CONFIGURATION ON WAP

 

dot11 ssid Guest-Access
vlan 5
authentication open
guest-mode

interface dot11Radio 1
ssid Guest-Access
vlan 5
authentication open
guest-mode

interface Dot11Radio1.5
encapsulation dot1Q 5
bridge-group 5
bridge-group 5 port-protected

interface dot11Radio 0
ssid Guest-Access
vlan 5
authentication open
guest-mode

interface Dot11Radio0.5
encapsulation dot1Q 5
bridge-group 5
bridge-group 5 port-protected

interface Gi0.5
encapsulation dot1Q 5
bridge-group 5
bridge-group 5 port-protected

*****************

CONFIGURATION ON LAYER 2  SWITCH

 

vlan 5
name guest-wireless

 

Switch and IP | Interface | Configuration
10.151.232.131_13thFloor-Sw1 | Gig 0/3 | switchport trunk allowed vlan add 5
10.151.232.132_13thFloor-Sw2 | Gig 0/3 | switchport trunk allowed vlan add 5

******************

 

CONFIGURATION ON LAYER 3  SWITCH

Create Layer 3 VLAN or SVI.

interface Vlan5
description Guest Wireless Access
ip address 10.151.245.129 255.255.255.192

ip helper-address 10.144.3.72
ip helper-address 10.146.3.101
ip helper-address 10.146.4.163
ip helper-address 10.146.4.164
ip helper-address 10.146.4.165
ip helper-address 10.149.231.8

 

Create an access list that allows the application-related subnets and denies other network devices.

ip access-list extended Guest-Access
permit udp any host 10.149.194.174 eq bootps
permit udp any host 10.149.194.174 eq bootpc
permit tcp any host 10.149.231.8 eq www
permit tcp any host 10.149.231.8 eq 443
permit tcp any host 10.149.231.8 eq domain
permit tcp any host 10.149.194.95 eq domain
permit tcp any host 10.146.5.195 eq domain
permit ip any host 10.149.231.8 log
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any

 

Apply the access list to the newly created VLAN.

interface Vlan5
ip access-group Guest-Access in
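
To check what the Guest-Access list above lets guest traffic reach, this added example (not part of the original post) replays the ACL's first-match evaluation in Python. The parser handles only the entry forms used in this ACL, and the names `parse` and `evaluate` are illustrative.

```python
import ipaddress

# Guest-Access entries copied from the ACL above (source is always "any").
ACL = """\
permit udp any host 10.149.194.174 eq bootps
permit udp any host 10.149.194.174 eq bootpc
permit tcp any host 10.149.231.8 eq www
permit tcp any host 10.149.231.8 eq 443
permit tcp any host 10.149.231.8 eq domain
permit tcp any host 10.149.194.95 eq domain
permit tcp any host 10.146.5.195 eq domain
permit ip any host 10.149.231.8 log
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit ip any any
"""
PORTS = {"bootps": 67, "bootpc": 68, "www": 80, "domain": 53}  # IOS port keywords

def parse(line):
    """Parse one entry; supports only the forms used in this ACL."""
    t = line.split()
    action, proto, i = t[0], t[1], 3           # t[2] is the source, "any"
    if t[i] == "any":
        base, wild, i = 0, 0xFFFFFFFF, i + 1
    elif t[i] == "host":
        base, wild, i = int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    else:                                       # address followed by wildcard mask
        base, wild = (int(ipaddress.IPv4Address(x)) for x in t[i:i + 2])
        i += 2
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORTS.get(t[i + 1]) or int(t[i + 1])
    return action, proto, base, wild, port

RULES = [parse(line) for line in ACL.splitlines()]

def evaluate(proto, dst, dport=None):
    """Return (action, entry number) for the first entry that matches."""
    d = int(ipaddress.IPv4Address(dst))
    for n, (action, p, base, wild, port) in enumerate(RULES, 1):
        proto_ok = p in ("ip", proto)
        addr_ok = (d | wild) == (base | wild)   # wildcard bits are "don't care"
        port_ok = port is None or port == dport
        if proto_ok and addr_ok and port_ok:
            return action, n
    return "deny", 0                            # implicit deny ends every ACL
```

With the list as written, `evaluate("udp", "10.149.194.95", 53)` returns `("deny", 9)`: only TCP `domain` is permitted to that host, so a UDP DNS query falls through to the `deny ip any 10.0.0.0 0.255.255.255` entry.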

 

Allow the newly created VLAN on the trunk ports.

Interface | Configuration
int G4/1 | switchport trunk allowed vlan add 5
int g4/31 | switchport trunk allowed vlan add 5

Possible error: If we allow the VLAN on the member physical ports of an EtherChannel, the allowed VLANs on the member physical ports and on the EtherChannel will no longer match. Because of this mismatch, the entire EtherChannel will go down.

Solution: When allowing the newly created VLAN on trunk ports that belong to an EtherChannel, allow the VLAN on the port channel. It will automatically be reflected on all the member physical ports.

 

 

Advertise the newly created guest VLAN in the routing protocol running in the network.

Example: If OSPF is running in the network, the newly created VLAN has to be advertised in OSPF.

Configuration

router ospf 1

network 10.151.245.128  0.0.0.63  area 0

***********************
