Some SMB offices that run an enterprise wireless network for their employees also want a guest wireless network that lets visitors reach the internet but not the corporate servers or systems. To implement this on an autonomous Access Point, sub-interfaces need to be created on the dot11radio interface, one for the Guest VLAN and one for the Secure (Office) VLAN. In this example the wired Ethernet port on the Access Point (GigabitEthernet0 in the configuration below) is divided into 3 sub-interfaces: Guest VLAN, Secure VLAN and Management VLAN (for remotely telnetting to the Access Point using the BVI interface IP address). On the switch, the port connected to the Access Point needs to be configured as a trunk port allowing all VLANs, and an access list needs to be applied on the Guest VLAN interface so that guests cannot access the corporate network.
========================
Configuration on Access Point
========================
! One SSID per VLAN: Secure -> VLAN 201, Guest -> VLAN 202
dot11 ssid Secure
 vlan 201
 authentication open
 authentication key-management wpa
 ! Type 7 strings are reversible obfuscation, not encryption
 wpa-psk ascii 7 12495447445B54340F1915
!
dot11 ssid Guest
 vlan 202
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 7 106B27332A2E25222A2D
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 ! Per-VLAN cipher; TKIP is a deprecated cipher suite
 encryption vlan 201 mode ciphers tkip
 !
 encryption vlan 202 mode ciphers tkip
 !
 ssid Secure
 !
 ssid Guest
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
! Radio sub-interface for the Secure VLAN
interface Dot11Radio0.201
 encapsulation dot1Q 201
 no ip route-cache
 bridge-group 201
 bridge-group 201 subscriber-loop-control
 bridge-group 201 block-unknown-source
 no bridge-group 201 source-learning
 no bridge-group 201 unicast-flooding
 bridge-group 201 spanning-disabled
!
! Radio sub-interface for the Guest VLAN
interface Dot11Radio0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 bridge-group 202 subscriber-loop-control
 bridge-group 202 block-unknown-source
 no bridge-group 202 source-learning
 no bridge-group 202 unicast-flooding
 bridge-group 202 spanning-disabled
!
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 hold-queue 160 in
!
! Management VLAN 200 is the native (untagged) VLAN and joins bridge-group 1 (BVI1)
interface GigabitEthernet0.200
 encapsulation dot1Q 200 native
 no ip route-cache
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.201
 encapsulation dot1Q 201
 no ip route-cache
 bridge-group 201
 no bridge-group 201 source-learning
 bridge-group 201 spanning-disabled
!
interface GigabitEthernet0.202
 encapsulation dot1Q 202
 no ip route-cache
 bridge-group 202
 no bridge-group 202 source-learning
 bridge-group 202 spanning-disabled
!
! Management IP address of the Access Point
interface BVI1
 ip address 10.0.200.4 255.255.255.0
 no ip route-cache
===================
Configuration on Switch
===================
interface Vlan202
 description *** Guest Wifi VLAN ***
 ip address 10.0.202.1 255.255.255.0
 ! Inbound on the guest SVI: filters traffic arriving from guest clients
 ip access-group 101 in
!
interface Vlan200
 description *** Management VLAN ***
 ip address 10.0.200.1 255.255.255.0
!
interface Vlan201
 description *** Secure Wifi VLAN ***
 ip address 10.0.201.1 255.255.255.0
!
! Guest (10.0.202.0/24) may not reach Management or Secure; everything else is permitted
access-list 101 deny ip 10.0.202.0 0.0.0.255 10.0.200.0 0.0.0.255
access-list 101 deny ip 10.0.202.0 0.0.0.255 10.0.201.0 0.0.0.255
access-list 101 permit ip any any