Setting Up Guest Network Cisco WAP571


jasons6930

Regular Contributor
Hi Guys,

Currently test driving the WAP571 and all good so far; however, I am having a little trouble setting up a guest Wi-Fi network that allows internet access only.

These are, via a PoE switch, connected to LAN1 on my Draytek 2862.

I have set up a network on the 2.4 GHz band and ticked the channel isolation box; however, this is still allowing access to wired devices on the network.

Do I need to set up a VLAN on the Draytek and on the AP to only allow internet access?

If so, a little idiot's guide would be appreciated.

Thanks!

:)
 
Set up a VLAN in your router and assign it to the GUEST SSID (or whatever you want to call it) on one or both bands in the AP. Set up the DHCP server in the router for that VLAN. Make sure inter-VLAN communication is turned off, if that is a setting in the router or AP. You can also set firewall rules to prevent access to other sub-LANs.
 
+1. That is basically what I do with my Cisco WAP571 units, except I use a Cisco layer 3 switch and I use ACLs (access control lists) to control access on my network for my guest network. I share my printer with my guests, as well as internet, but no other access to my local LAN.
 
I just realized I mistyped my Cisco wireless unit number. My Cisco wireless units are WAP371 not WAP571 as typed above.

I don't know why Chrome would be crashing. You might try to add a wired port to the guest VLAN to eliminate the wireless unit. I assume Edge works fine, since you singled out Chrome.
 
Sorry about the late reply guys.

Thanks for the suggestions.

With ACLs, do you need the MAC addresses of the clients first?
 
No. I segment by network and IP address range. I don't do anything by MAC.

My guests are in a separate network VLAN. To share printers I use a 248 mask for my shared devices on my regular LAN, so I use a mask of 0.0.0.248 to address shared IPs.
 
ACLs on switches are almost always more limited and inconvenient than just using the stateful firewall on your router. If a router is powerful (and unusual) enough that it supports VLANs, then it should have a good firewall for inter-VLAN routing, or simply the option to disable inter-VLAN routing. Some router firewalls also support port-based access control, which means you would not need VLANs in this situation because you could prevent ports talking to each other.

If your router supports installing third-party firmware, especially OpenWRT, then you can get VLAN support that way.
 
I kind of agree, except my layer 3 switch is faster than my Cisco router, and probably than all small routers. It can move 40 gig per second. I use a Cisco layer 3 switch, which works at layer 3 just like a router, so I can use ACLs just like a router. The only thing missing from my layer 3 switch is NAT. So in my case my Cisco router does not even know any VLANs exist on my local network. All the VLANs are defined on my layer 3 switch. My router is only my internet firewall and DNS cache, and nothing else. This makes for a very fast router, since the CPU is not sidetracked with other functions. My layer 3 switch does DHCP, as it is turned off on my router.

I always work at OSI layer 3, which is the IP layer, and I recommend this. OSI layer 2, the MAC layer, is too limited for my taste and does not scale very well in large networks. So if I handled ports talking to each other it would be at a router level, layer 3, not layer 2. When I plan networks on whiteboards they are always at OSI layer 3, the IP layer. I don't believe in bridging; routing is much preferred and faster.
 
My Guest VLAN ACL/ACE was a lot of work, especially with the Cisco SG300-10 web interface.

[attached image: ACL-ACE.png]
 
Going to get a bit technical here... That's the difference between the packet filtering of ACLs (stateless) and a stateful IP firewall. One deals with packets, the other deals with connections, sessions and higher.

The result is that you need more rules with ACLs, whereas in a good firewall you can just create zones and groups, like sets of interfaces, VLANs, ports, addresses and sets of objects in general. Connection tracking and NAT are done automatically. Also, states like Established, Related and Invalid often have sensible default rules, so you only have to worry about New connections. This is a lot more reliable, centralized, easier to maintain and more secure than even the most advanced types of ACLs, which are rare anyway, e.g. Reflexive ACLs. About the most advanced ACL types seen in non-enterprise equipment are Extended ACLs that can merely check for bits flipped in a packet, which can often be bypassed by a targeted hack.

The main advantage of ACLs is that they can be done at line rate or with much lower processing overhead. This can be useful when scaling up traffic/throughput while keeping the local network topology scaling more slowly (otherwise managing the ACLs becomes overwhelming). This offload can also be useful if such filtering would otherwise be using up precious resources on edge routers and is instead done by internal network devices like L3 switches. For most residential networks, this level of processing should not be a concern in most configurations; you would need something that pounds your router, like high throughput combined with heavy QoS, enormous firewall rule sets, unusual Intrusion Prevention, etc.

By the way, no matter what access control methods you use, it is best from a security perspective, and often for convenience, to have a default Deny Everything forwarding rule to which you then add exceptions. This should eliminate most other "Deny" rules.
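As an added illustration of the two ACL points raised in this thread (the 0.0.0.248 wildcard mask used earlier to pick out shared printers, and the stateless, first-match, implicit-deny behaviour contrasted above with a stateful firewall), here is a small Cisco-style ACL evaluator. It is example code written for this page, not any poster's configuration or Cisco's; the guest and LAN addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard match: a set bit in the wildcard means 'don't care'.
    Unlike a subnet mask the wildcard need not be contiguous: 0.0.0.248 leaves
    the upper five bits of the last octet free and pins only its low three."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a ^ b) & (~w & 0xFFFFFFFF) == 0

@dataclass
class Ace:
    """One access control entry: action plus source/destination base and wildcard."""
    action: str
    src: str
    src_wc: str
    dst: str
    dst_wc: str

def evaluate(acl: List[Ace], src: str, dst: str) -> str:
    """Stateless evaluation: each packet is judged alone, the first matching ACE
    wins, and a packet matching nothing hits the implicit 'deny' at the end."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"

def matching_hosts(base: str, wildcard: str, network: str) -> List[str]:
    """Audit helper: list every address in `network` that a base/wildcard pair selects."""
    return [str(h) for h in ipaddress.IPv4Network(network) if wildcard_match(str(h), base, wildcard)]

# Constructed addressing (not from the thread): guests on 192.168.20.0/24, the
# regular LAN on 192.168.1.0/24, shared printers placed on every 8th address
# (.8, .16, .24, ...) so a single 0.0.0.248 wildcard selects all of them.
GUEST_ACL = [
    Ace("permit", "192.168.20.0", "0.0.0.255", "192.168.1.8", "0.0.0.248"),        # shared printers
    Ace("deny",   "192.168.20.0", "0.0.0.255", "192.168.0.0", "0.0.255.255"),      # rest of the private LAN
    Ace("permit", "192.168.20.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),  # anything else: internet
]

if __name__ == "__main__":
    for dst in ("192.168.1.16", "192.168.1.17", "203.0.113.10"):
        print(dst, evaluate(GUEST_ACL, "192.168.20.50", dst))
    print(len(matching_hosts("192.168.1.8", "0.0.0.248", "192.168.1.0/24")), "addresses selected")
```

The audit helper is the check worth running before trusting a non-contiguous wildcard: the 0.0.0.248 set here also contains the network address 192.168.1.0, and return traffic to the guests still needs its own rule because nothing in this evaluator tracks connections.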
 
