  1. Senior Member Danielh22185
    Join Date
    Apr 2012
    Location
    DFW Area
    Posts
    1,172

    Certifications
    CCNP R&S, CCNA, CCENT
    #1

    Help -- Segmenting and Controlling Wireless Guest Networks

    So I recently moved to a new company where the wireless infrastructure appears to have a lot of holes. I've been here just a hair under 2 months and am finding issues left and right. I welcome the challenge, though, especially when it comes to wireless, since this is not one of my strong suits.

    So... Yesterday a user called into our service desk with a complaint that they could not connect wirelessly. Upon checking out the user I found they were not getting an IP address.

    Background: This is a FlexConnect site with DHCP scopes local to the site.

    ... So after checking out the switch where the WAPs sit I found there was address exhaustion on the wireless range. Naturally, to relieve some pressure, I was able to expand the range with no issues. However this got me and my manager thinking... The site does not have anywhere near the number of users that would exhaust the internal DHCP scope.

    Today I am giving this a deeper look and found the reason why exhaustion was occurring. The wireless DHCP range includes our guest network AND the corporate network. Big time uh oh... There should be some network separation (one scope for each WLAN).

    So basically this site is operating insecurely, and anybody with their cellphone can join the network, and effectively the corporate environment, with what seems to be no restriction.

    So I compared a setup on our other regional controller for a FlexConnect site. It is different (I think built by a separate network engineer as well). It differs in that it has a separate DHCP scope on the switch for the normal corporate users and for the guest network. So we at a minimum have separation of networks for the two WLANs. I also confirmed this by checking the WLC config for the WAP: it supports VLANs and there are separate VLANs for the separate corporate and guest networks (this is what I would expect).

    Now one thing that throws me, and here is really where my question is: aside from separation of subnets, I am trying to figure out just how exactly these guest network users would be restricted from internal resources. I found a video on YouTube (from 2013) where it explains having to configure a FlexConnect ACL to control traffic. However we are not doing this. So I hope we are doing something else. We DO use NAC for user ports, and I think we are also using some form of AAA for wireless clients too...somehow. How that provides a separation of user access based on guest vs normal corporate access is a bit beyond my understanding at this point.

    So at this point I have been poring over Cisco documentation and YouTube videos trying to figure it out. However a lot of what I have come across is old documentation. I am hoping our setup is more modern and utilizes simple stuff I don't quite understand yet. That said, my MAIN questions are: What methods are out there that provide separate access for the guest network, and exactly how would those be expected to work? (I believe the YouTube video I found is more of a legacy setup from before NAC servers, which I know we have, so I think I need to be looking for something in that regard, but I don't know where else to be looking.)

    I know we have some wireless gurus here, and I know I am kind of asking some open-ended stuff, but any help at this level would be appreciated. Unfortunately the more senior engineer at the company isn't much help, and I am not entirely sure he knows how it all works. I want to understand everything here and be able to make design recommendations, since our wireless infra has been a big pain point.
    Currently Studying: IE Stuff...kinda...for now...
    My ultimate career goal: To climb to the top of the computer network industry food chain.
    "Winning means you're willing to go longer, work harder, and give more than anyone else." - Vince Lombardi

  2. Senior Member
    Join Date
    Jan 2012
    Posts
    1,240

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #2
    I am no wireless guru by any means, but by recommended design we have our guest network on an anchor controller in the DMZ zone between firewalls. The corporate controller gets the hosts and sends a CAPWAP tunnel over to the anchor controller in the DMZ to forward the guest traffic. I attached a pic from Cisco's design page which basically shows a visual of how it flows.

    guest.jpg
    In life you have to make your own opportunities. Don't let anyone stop you from your dreams; too many negative people want you to fail because they can't succeed.

  3. Senior Member Danielh22185
    Join Date
    Apr 2012
    Location
    DFW Area
    Posts
    1,172

    Certifications
    CCNP R&S, CCNA, CCENT
    #3
    Our wireless topology is a bit less sophisticated. We only have 2 controllers globally that maintain 53 WAPs. We do not have the budget for anchor controllers, so this is why I am thinking / hoping something else has been done to keep the traffic segmented.

  4. Senior Member
    Join Date
    Jan 2012
    Posts
    1,240

    Certifications
    BS IT (CCNA R&S, Security, Voice) CCDA, MCP XP, A+, L+, P+, LPIC-1, SUSE CLA
    #4
    Based on the lack of information, I'd say to deconstruct the wireless and break it down piece by piece so you can understand how it works. Start from the remote site that's properly configured with FlexConnect and take a look at the config. Do a source ping from the guest network and see how far it goes on the corp side. Once you see where it stops, check out the network device to see if there are any ACLs. It would make sense if any ACLs were closer to the source: check the FlexConnect AP, local distribution switch or router, and a possible firewall for any ACLs. The ACL can look like this:

    deny guest network -> corporate network
    permit all

    To add, it could be VRFs configured that separate the networks.
    Last edited by dmarcisco; 07-06-2017 at 05:40 PM.
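Worked example (added here, not part of the thread or of any Cisco product): a small Python first-match ACL evaluator that runs the two-line "deny guest -> corporate, permit all" shape from the post above against a few constructed probe flows, as an offline counterpart to the source-ping check it describes. The guest subnet 10.50.0.0/24, the corporate range 10.10.0.0/16, the DNS server 10.10.1.5 and every probe address are assumptions for illustration, not taken from the thread. It shows the caveat a practitioner hits with the literal two-line version: if the server the guests need for DNS (or relayed DHCP) sits inside the corporate range, the blanket deny silently breaks it, so the narrow permits have to be listed before the deny.

```python
"""Added example: first-match ACL evaluation for guest/corporate separation.

Addresses below are hypothetical; they are not taken from the forum thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

ANY = ip_network("0.0.0.0/0")
GUEST_NET = ip_network("10.50.0.0/24")    # hypothetical guest WLAN subnet
CORP_NET = ip_network("10.10.0.0/16")     # hypothetical corporate address space
DNS_SERVER = ip_network("10.10.1.5/32")   # hypothetical internal DNS server


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str = "any"           # "any", "udp", "tcp" or "icmp"
    dport: Optional[int] = None  # None matches every destination port

    def matches(self, src: IPv4Address, dst: IPv4Address,
                proto: str, dport: Optional[int]) -> bool:
        if src not in self.src or dst not in self.dst:
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(acl: List[Rule], src: str, dst: str,
             proto: str = "any", dport: Optional[int] = None) -> str:
    """First matching rule wins. A flow that matches nothing falls through to
    the implicit deny that Cisco IOS and WLC ACLs end with."""
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if rule.matches(s, d, proto, dport):
            return rule.action
    return "deny"


# The two lines from the post, taken literally. Guest -> corporate is blocked,
# but so is guest -> DNS server, because that server lives inside CORP_NET.
NAIVE_ACL = [
    Rule("deny", GUEST_NET, CORP_NET),
    Rule("permit", ANY, ANY),
]

# Same intent, with the one needed exception placed *before* the deny. Only
# udp/53 on that host is opened; everything else on it stays blocked. A DHCP
# server on the corporate side would need the same narrow treatment.
HARDENED_ACL = [
    Rule("permit", GUEST_NET, DNS_SERVER, "udp", 53),
    Rule("deny", GUEST_NET, CORP_NET),
    Rule("permit", ANY, ANY),
]

# Constructed probe flows: (src, dst, proto, dport, intended result). The
# last entry is a public address standing in for "the internet".
PROBES = [
    ("10.50.0.20", "10.10.1.5", "udp", 53, "permit"),       # guest DNS lookup
    ("10.50.0.20", "10.10.1.5", "tcp", 445, "deny"),        # guest SMB to same box
    ("10.50.0.20", "10.10.20.7", "icmp", None, "deny"),     # guest ping into corp
    ("10.50.0.20", "93.184.216.34", "tcp", 443, "permit"),  # guest to the internet
]


def audit(acl: List[Rule]) -> List[str]:
    """Return one line for every probe whose result differs from intent."""
    problems = []
    for src, dst, proto, dport, want in PROBES:
        got = evaluate(acl, src, dst, proto, dport)
        if got != want:
            problems.append(f"{src} -> {dst} {proto}/{dport}: got {got}, wanted {want}")
    return problems


if __name__ == "__main__":
    for name, acl in (("naive", NAIVE_ACL), ("hardened", HARDENED_ACL)):
        print(name, audit(acl) or "ok")
```

The semantics modelled here (first match wins, implicit deny at the end) are the ones a Cisco IOS or WLC ACL uses, so the order the rules appear in the running config is what decides the outcome; this script only checks intent on paper, and the ping or traceroute from a real guest client that the post describes remains the test that counts.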
