05-21-2015 06:34 AM - edited 03-08-2019 12:06 AM
Hello.
I have 3 WAPs with 2 corporate SSIDs. I would like to create a new guest-SSID on a separate VLAN (50) and subnet that will just go directly out to the Internet.
- Corporate wireless pulls DHCP from a Windows server (10.x.x.x)
- I would like to have the router give out DHCP to the guest devices (192.168.10.x)
Router:
I set up sub-interface gi0/0.50 with IP address 192.168.10.1 and "encapsulation dot1q 50", and configured the DHCP exclusions/scope.
Questions:
- The switchports connecting to my WAPs have to be trunks since they will now be carrying the additional VLAN50, correct?
- Is a vlan interface with an IP address required or do I just need the VLAN 50 on my switch? The vlan interface is just for management or L3, correct?
- How do I ensure that only VLAN50 pulls DHCP from the router? Is it because the interface with the IP address of the default-router in the scope is tagged as VLAN50?
- I have a serial connection back to the main office. Would I configure an ACL to deny 192.168.10.0 any (followed by allow any any) out that serial interface? Internet traffic goes out another port and NAT is handled by the firewall.
Thanks!
05-21-2015 10:00 AM
1) The WAP configuration depends on whether you are using a WLC (and which modes) or whether you are configuring in Autonomous mode. If your WAP does VLAN tagging, then yes, a trunk should be fine.
2) You just need VLAN 50 in the VLAN database on your switch; no L3 is required, especially since it is a guest network. Make sure your management interface on that switch is not VLAN 50.
3) You don't have to do anything. Make sure you configure the DHCP scope with all the options like DNS and default gateway on your router, and enable a "router on a stick"-style configuration with your physical interface on the router and the switch, with trunking and a sub-interface. Since it will all be layer 2, DHCP should be able to flow through end to end.
4) I would deny everything coming in to the router on gi0/0.50 with an ACL like this:
ip access-list extended BLK-RFC1918
10 deny ip any 10.0.0.0 0.255.255.255
20 deny ip any 192.168.0.0 0.0.255.255
30 deny ip any 172.16.0.0 0.15.255.255
100 permit ip any any
But remember, if you want the router to be the DNS server, then you need to allow DNS to the router.
hope this helps
Bilal
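The router-on-a-stick setup described in this answer, written out as one complete router and switch configuration. This is an added example, not the poster's or Cisco's own configuration: gi0/0.50, VLAN 50, the 192.168.10.0/24 guest subnet and the BLK-RFC1918 ACL come from the thread; the switch interface numbers, the corporate VLAN IDs 10 and 20, the pool name, the excluded range and the public DNS resolvers are assumptions. It also adds one entry the posted ACL lacks: a permit for unicast DHCP renewals to the router's own address, which the deny for 192.168.0.0/16 would otherwise drop (clients would then only recover at broadcast rebinding time).

```cisco
! Added example, not from the original posts. Assumed: corporate VLANs 10 and 20,
! switch interface numbers, pool name GUEST-VLAN50, excluded range .1-.10,
! public resolvers 8.8.8.8 / 8.8.4.4.
!
! ===== Router =====
! Keep the gateway and a few static addresses out of the lease range.
ip dhcp excluded-address 192.168.10.1 192.168.10.10
!
ip dhcp pool GUEST-VLAN50
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8 8.8.4.4
 lease 0 8
!
! Guests may reach the Internet but no RFC1918 destination: this covers the
! corporate 10.x.x.x space behind the serial link as well as other local VLANs.
! Line 10 is the addition: unicast DHCP renewals are sent to the server address
! 192.168.10.1, which the 192.168.0.0/16 deny on line 30 would otherwise match.
ip access-list extended BLK-RFC1918
 10 permit udp any host 192.168.10.1 eq bootps
 20 deny ip any 10.0.0.0 0.255.255.255
 30 deny ip any 192.168.0.0 0.0.255.255
 40 deny ip any 172.16.0.0 0.15.255.255
 100 permit ip any any
!
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.50
 description Guest SSID - VLAN 50
 encapsulation dot1Q 50
 ip address 192.168.10.1 255.255.255.0
 ip access-group BLK-RFC1918 in
!
! ===== Switch =====
vlan 50
 name GUEST
!
! Trunk towards the router; restrict it to the VLANs that actually need to cross.
! "switchport trunk encapsulation dot1q" is only accepted (and only needed) on
! platforms that still support ISL; omit it where the CLI rejects it.
interface GigabitEthernet1/0/1
 description Trunk to router gi0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50
!
! Trunks towards the three access points: same VLAN list, nothing else.
interface range GigabitEthernet1/0/2 - 4
 description Access points
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50
!
! ===== Verification =====
! On the router: confirm leases are handed out and the ACL counters move.
show ip dhcp binding
show ip access-lists BLK-RFC1918
! On the switch: confirm VLAN 50 is allowed and forwarding on every trunk.
show interfaces trunk
```

The ACL is applied inbound on the guest sub-interface only, so corporate VLANs are unaffected; a guest client that tries to reach 10.x.x.x or another 192.168.x.x host is dropped before any routing decision, which also makes the separate serial-interface ACL the original poster asked about unnecessary. `show ip access-lists` hit counts on the deny lines are a quick way to see whether guest devices are probing internal ranges.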
05-21-2015 10:32 AM
On the switch you will have an interface in VLAN 50 where the guest DHCP requests will come in; on this interface configure "ip helper-address <address of router acting as DHCP server>".
This way, when the switch receives the DHCP broadcast message, it will change it to unicast and send it to the router. If you have DHCP snooping running in your network, make sure the interface connecting to the router is trusted.
Feel free to rate this post if it helps you!
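The DHCP snooping point in this reply, written out as an added example (not the poster's or Cisco's own configuration). The interface numbers are assumptions: one trunk to the router and three trunks to the access points, as in the original question. With snooping enabled for VLAN 50, only the router-facing port is allowed to answer DHCP, so a rogue DHCP server on the guest SSID cannot hand guests a fake gateway; the AP-facing trunks deliberately stay untrusted. The ip helper-address command from this reply is only required when the switch itself owns the VLAN 50 gateway, which the first reply's design does not do, so it is left out here.

```cisco
! Added example, not from the original posts. Interface numbers are assumed.
!
! Enable snooping globally and for the guest VLAN only.
ip dhcp snooping
ip dhcp snooping vlan 50
!
! Snooping inserts DHCP option 82 by default; an IOS DHCP server on the router
! drops such requests when they arrive with giaddr 0 unless told to trust them,
! so disable the insertion on a plain L2 access switch.
no ip dhcp snooping information option
!
! The only port that may source DHCP OFFER/ACK packets is the trunk to the router.
interface GigabitEthernet1/0/1
 description Trunk to router (only legitimate DHCP server for VLAN 50)
 ip dhcp snooping trust
!
! AP-facing trunks stay untrusted (the default). The rate limit caps client
! DISCOVER/REQUEST packets per second so one misbehaving guest cannot flood
! the snooping process; err-disable is the result if it is exceeded.
interface range GigabitEthernet1/0/2 - 4
 description Access points - untrusted for DHCP
 ip dhcp snooping limit rate 15
!
! ===== Verification =====
! Trusted/untrusted state per port and whether snooping is active on VLAN 50.
show ip dhcp snooping
! MAC/IP/lease/VLAN/port of every guest that obtained a lease through the switch.
show ip dhcp snooping binding
```

If a guest device ever brings up its own DHCP server (a hotspot, a misconfigured home router), the switch drops its OFFER packets on the untrusted port and logs the event, and `show ip dhcp snooping binding` still shows every legitimate lease tied to the physical port and VLAN it came in on, which is useful when tracing a misbehaving client.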