NeTwOrKDawg (Networking is a lifestyle; join: 2005-04-25; Brantford, ON)
How would you do this? Complicated setup... OK, here is the scoop.
I have a centralized Internet connection out of my primary datacenter.
One of my WAN locations wants to provide a guest wireless network, using my central Internet pipe.
I don't want the guest network to have access to the rest of my WAN, so I was thinking something like this:
Set up a new VLAN going from the AP to my Cisco 2801. Set up a GRE tunnel, so this new VLAN goes via a point-to-point link to my head office router. Set up an ACL on my head office router, so the traffic is denied to all 10.x.x.x, 172.16.x.x, and 192.168.x.x subnets, but permits all else.
Does this seem like it would work?
cramer (join: 2007-04-10; Raleigh, NC; kudos: 5)
We'd need to know a lot more details about your network, but VLAN and Policy Based Routing are the things that pop into my head. AP in a VLAN transported back to the datacenter, where PBR/VRF/etc. plops that VLAN into its own little corner.
nosx (join: 2004-12-27; kudos: 5)
You need a WCS from Cisco. You can build a guest SSID on your remote access points that tunnels back to your WCS in the central datacenter for internet traffic, keeping it completely separate and secure from the rest of your corporate network. Ask your sales engineer to help design and price a solution.
yaplej (Premium; join: 2001-02-10; White City, OR)
reply to NeTwOrKDawg
I am having to address a similar issue soon. I have 30+ sites that they want to provide guest internet to through the internet connection in our HQ site.
My thoughts are to use L2TPv3 and create a tunnel from the guest VLAN at each remote office back to the guest VLAN in the HQ. I have not tried this yet, but I don't know if a single interface can have multiple L2TPv3 tunnels, so I was thinking about using a loopback for each remote office L2TPv3 tunnel. Then bridge all those loopback interfaces together to a physical interface in the guest VLAN at the HQ.
It's pretty ugly, but given my equipment and network I am pretty limited. The other thought was to use a 2nd "backup" L2TPv3 tunnel to our secondary HQ site, so if one was down they could use that instead.
All theory at the moment, as I have not had time to build a lab for that yet. Our remote offices are using 2811s, and I was going to use a 2821 as the aggregation point (or L2TPv3 hub) in each HQ site.
My major doubt in the feasibility of this is binding an L2TPv3 tunnel to a loopback interface.
»www.cisco.com/en/US/docs/ios/12_···pv3.html
reply to nosx
said by nosx: "You need a WCS from Cisco. You can build a guest SSID on your remote access points that tunnels back to your WCS in the central datacenter for internet traffic, keeping it completely separate and secure from the rest of your corporate network. Ask your sales engineer to help design and price a solution."
+1... You'd create an anchor to your controller and give it a separate network, but as nosx stated, you'd need an SE to help you out.
NeTwOrKDawg (Networking is a lifestyle; join: 2005-04-25; Brantford, ON)
reply to NeTwOrKDawg
I got this working, until my WCS controller and new APs arrive...
I set up a VRF on the router at each location, and set up a GRE tunnel inside that VRF. Then I set up routing inside the VRF/GRE combo, and it works like a charm.
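The following is an added, hypothetical IOS configuration in the shape NeTwOrKDawg describes (VRF at the branch, GRE tunnel carried inside it, RFC 1918 deny list from the first post applied at head office); it is not his posted config. VLAN 200, the VRF name, interface names, the 192.168.200.0/24 guest subnet and the 198.51.100.1 / 203.0.113.x WAN addresses are all assumed.

```cisco
! ---- Branch router (Cisco 2801), hypothetical ----
ip vrf GUEST
 rd 65000:100
!
interface FastEthernet0/0.200
 description Guest SSID VLAN from the AP (VLAN ID assumed)
 encapsulation dot1Q 200
 ip vrf forwarding GUEST
 ip address 192.168.200.1 255.255.255.0
!
interface Tunnel100
 description GRE to HQ: inner traffic in VRF GUEST, outer packets in the global table
 ip vrf forwarding GUEST
 ip address 10.255.100.2 255.255.255.252
 tunnel source Serial0/0/0
 tunnel destination 203.0.113.1
!
! Everything a guest sends leaves the VRF only through the tunnel; no route to the branch LAN exists here
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel100
!
! ---- Head office router, hypothetical ----
ip vrf GUEST
 rd 65000:100
!
ip access-list extended GUEST-NO-PRIVATE
 remark guests may reach the Internet only, never RFC 1918 space
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface Tunnel100
 ip vrf forwarding GUEST
 ip address 10.255.100.1 255.255.255.252
 ip access-group GUEST-NO-PRIVATE in
 ip nat inside
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.1
!
interface GigabitEthernet0/1
 description Internet uplink, global table
 ip nat outside
!
! Leak the guest default route to the global Internet next hop, and the return route back into the VRF
ip route vrf GUEST 0.0.0.0 0.0.0.0 GigabitEthernet0/1 203.0.113.254 global
ip route 192.168.200.0 255.255.255.0 Tunnel100
!
ip access-list standard GUEST-NAT
 permit 192.168.200.0 0.0.0.255
ip nat inside source list GUEST-NAT interface GigabitEthernet0/1 vrf GUEST overload
```

The VRF is what keeps guests off the branch LAN; the ACL at head office only stops them from reaching corporate space through the leaked default route, so a DNS server on an RFC 1918 address would also be blocked and guests need a public resolver. Confirm the isolation with `show ip route vrf GUEST` on the branch router (only the tunnel default should be present) and `show ip access-lists GUEST-NO-PRIVATE` at HQ to see the deny counters.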
yaplej (Premium; join: 2001-02-10; White City, OR)
Would you mind posting an example of your config? I would love to see how you did that.