Guest Vlan on umnaged network

I've bought some unifi wifi access points which I want to add to our network. We use a mix of cisco and netgear switches (I'll be phasing out the netgears over time). I'd like to make a guest vlan for the wifi, I'm just not sure how is best to do it, there are some details on a possible setup here.
At the moment we have an unmanaged network so everything is using vlan1
We use 2 Cisco Pix 515e firewall's (One as backup), they go directly to a switch, then we use a Windows server for DHCP. The config for firewall (fw1) the interface that connects to a switch is:
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
interface FastEthernet0/15
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
Port Gi/02 connects to the next switch which is a netgear GS748T (sw2) which then connects to various other switches
interface GigabitEthernet0/2
 description Netgear GS748T
 switchport trunk allowed vlan 1-4
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 flowcontrol receive desired
(There are some other vlans created, not sure what they are for yet, I'm new here!)
We've just bought a Cisco WS-C3650-24PS - sw3
I was thinking of only plugging in the wifi access points into cisco switches only and creating a Vlan - Vlan20 and only allowing Vlan20 to specific ports if this is possible?
I'm a beginner at this so the theory is there but not sure how to execute it!
I'm thinking on the firewall fw1
eth2
 speed 100
 duplex full
 nameif guest
 security-level 90
 ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
on sw1 connect Gi0/2 to sw3 Gi1/1/1
config to be
switchport trunk allowed vlan 20
switchport mode trunk
switchport nonegotiate
speed 1000
duplex full
sw3 will already have vlan1 going to it as part of the unmanaged network as it is connected to another switch on another port already.
So my question is how do I setup the dhcp server on sw3 for vlan20 (192.168.0/24)
And how would both vlans get sent to the wifi access points which are patched into sw3 but without vlan 20 traffic being sent other ports which do not have the ap's connected to them? I would also like to allow vlan20 to another cisco switch.
Or if is the wrong way of doing it let me know a better solution
Apologies in advanced if this is not making much sense!

I actually use UniFi APs in our environment too, great little APs as long as you buys the Pro models (the standard ones have their short falls).
I think your PIX config looks good (it's been a while since I've touched one so I'd have to login to the 525 I have at home to confirm) Just ensure it's configured to disallow traffic from your guest VLAN to the internet network, if memory serves there's an option that's on by default to disallow traffic from a higher security if to a lower.
It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs, if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (I/E you or someone else forgets that you're using different uplinks for different VLANs) if STP isn't setup properly you'll create a loop on that VLAN potentially flooding the network with broadcast traffic.
As for the UniFi config, you configure the ports that the APs connect to as trunks, I assume you'll be managing the APs over VLAN 1 so the ports should be VL1 untagged, VLAN 20 tagged.
The UniFi Controller software is used setup and manage the APs if you haven't already done so install it. Once you have it installed you want to create two SSIDs one without VLAN tagging enabled which will be your internal SSID, and another with VLAN tagging enabled for VL20 which will be your guest SSID. This way when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
The attached is a screen from my UniFi guest SSID config, you can also assign guests to a user group, which allows you to limit the bandwidth at the AP.

Similar Messages

  • HQ and Remote Wired Guest VLAN

    Hello all,
    I am having trouble to create a standard condition for Policy Authorization.  Basically there are HQ and remote locations configure for guest access.
    Each location has its own guest vlan.  On ISE the standard rule are:
    Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
    This rule is working good for HQ.
    Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
    This rule is design for remote but Standard rule 1 is taking over because first match applied and since the OR condition may cause some problem
    with internal users since the condition is Unknown OR MTL_Devices.  There is no AND condition for this.
    Let me know if anyone has idea or have solved this problem.
    Thank you.

    Hi,
    You need to change the order of your rules, ISE uses the first matched rule from top to bottom, in your case the MTRL is matching the first rule since it is more open than the rule below which has the check for the network device.
    Please change the order and see if this fixes your issue, if this doesnt work, post a screenshot of your policies just to make sure we are on the same page.
    Thanks,
    Tarik Admani
    *Please rate helpful posts*

  • 802.1x Auth-Fail VLAN and Guest-VLan not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to setup a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    Idea is if the users takes the router home and someone, either accidentally or on pupose, connects an unauthorized Laptop, they stay off the Corp network but can get to the internet still.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I dont have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working, for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shamless bump...

  • 802.1X un-authenticated user and guest VLAN

    Is there an option for 802.1X wired network to put any un-authenticated user onto the guest VLAN instead of no access? Thanks.

    You can read more about "802.1X authentication failure VLAN" in the release notes for cat 6000 8.4 new features. It may not be in your hardware yet.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/relnotes/ol_4498.htm

  • 802.1x Guest Vlan and Routed access layer design

    Hi!
    For many reasons, I have to re-design my campus network in a more ISP like way. The plan is to move to a routed access layer in the next two years. I have 802.1x with guest vlan on my access ports(3750). I was reading on the subject and I found that the guest vlan feature was not availeble with internal vlan(routed port).
    Is this limitation realy there, is there a way I can get around it without complicating my design even more. Do cisco have plan to lift this???

    You cannot use/configure 802.1X on a routed port today. Typically, 802.1X is to be used for LAN edge ports.
    The Guest-VLAN should work with a routed access design though. If your Guest-VLAN is chosen to be separate from say otherwise statically configured access VLANs, you would need to configure it via separate SVI with corresponding IP info (in a routed access model).
    Hope this helps,

  • Guest-vlan; catalyst 2960

    Hello,
    I would like to configure a guest-vlan and restricted-vlan on a 2960 switch, but I can not.
    The IOS version (obtained trough: show version) is:
    Switch Ports Model              SW Version            SW Image
    *    1 52    WS-C2960S-48FPS-L  12.2(53)SE2           C2960S-UNIVERSALK9-M
    I am trying to configure the interface using the following commands:
    RAK-ASW01#configure
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line.  End with CNTL/Z.
    RAK-ASW01(config)#interface gigabitEthernet 1/0/11
    RAK-ASW01(config-if)#switchport mode access
    RAK-ASW01(config-if)#dot1x port-control auto
    RAK-ASW01(config-if)#dot1x guest-vlan 17
    RAK-ASW01(config-if)#end
    the result is the following, as if the guest-vlan is not supported:
    RAK-ASW01#show dot1x interface gigabitEthernet 1/0/11
    Dot1x Info for GigabitEthernet1/0/11
    PAE                       = AUTHENTICATOR
    PortControl               = AUTO
    ControlDirection          = Both
    HostMode                  = SINGLE_HOST
    QuietPeriod               = 60
    ServerTimeout             = 0
    SuppTimeout               = 30
    ReAuthMax                 = 2
    MaxReq                    = 2
    TxPeriod                  = 30
    RAK-ASW01#
    similar result is obtained while trying to configure a auth-fail vlan.
    the full configuration file is attached.
    many thanks in advance,
    Alaeddine

    Hi,
    I am trying to see the guest-vlan configuration, but I was not able to see it. Therefore, my first thought was that the guest-vlan is not supported by this IOS release.
    Another point is that, although I am not able to see the configuration of the guest-vlan and the auth-fail vlan, they do exist and they are operational: when I try to connect a device to the switch and it fails to authenticate, the switch connects the device to the restricted vlan.
    So my question is: why I can not see the guest-vlan and the auth-fail vlan configuration?
    Thanks in advance,
    Alaeddine

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wilres SSID will be homed/anchored to this guest vlan2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done.  You have the second SSID already, you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then on the internal anchor the SSID to the same SSID in the DMZ
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Guest VLAN - FlexConnnect Central Switching vs Anchor WLC

    I have a general question about securing the guest WLAN in FlexConnect deployment -
    Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
    Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
    Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
    What would be the best option in the FlexConnect Centralized WLC deployment to restriect guest traffic from accessing corporate network? What are the advantages and disadvantages of those three options?
    I would highly appraciate your input on this topic.
    Thank you.

    Yes, you're right.
    Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.
    On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.
    If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors.

  • Guest VLAN cannot ping gateway

    Hi Sir,
         I have an issue wherein my guest vlan cannot ping its gateway thus it cant go through the web auth page. I have been given an ip address with corresponding gateway, subnet and dns for the guest vlan. I have allowed all the vlans in the trunk port for wlc and ap connection.
         wat do you think is the problem? hope you could help on this.
    thanks.
    Regards,
    Neri

    Hi Neri
    The way this should work is that the client connects to the guest network and gets an IP address from DHCP. The DHCP configuration should include the default gateway and must include a DNS address.
    When the client opens a web browser the browser tries to connect to the configured home page. This means that a DNS lookup is sent out and the controller intercepts it and forwards it on. Providing there is a response from the DNS server the controller will cause the client browser to re-direct to the web authentication login page.
    It is therefore essential that the controller can see the DNS server. Forget the PING for now - DNS is a must. You can prove the rest of the system by ensuring the guest client has an IP address. Open the client browser and try and connect to http://1.1.1.1 (assuming your virtual interface on the controller is 1.1.1.1). If you get re-directed to the web authentication login page then the issue is a DNS issue.
    Regards
    Roger

  • Guest VLAN with SG-200

    I'd like to use the SG-200 to create an isolated guest VLAN that cannot access the secure LAN, except of course for the router. This post discusses the necessary ACE's to use with an SG-300, but it's not clear that this level of access control exists on the SG-200. Is it possible to isolate a guest VLAN with the SG-200? My network is a roaming (bridged) network that looks like this:
    [Modem] — [AE Router] — [Switch] — [Roaming Wifi]

    Thank you very much for the pointers. I found a way to use the router as my VLAN, keeping the SG-200 as a simple switch. This turns out to be the best option because my router doesn't support ACL's or multiple VLANs that would be used for isolating VLANs on my level 2 switch.
    This router-based solution involved resolving a simple DNS issue. My router gets DNS from the server, which the router's VLAN guests cannot see. Configuring DNS by hand on guest clients (e.g. Google DNS 8.8.8.8, 4.4.4.4) provides guest internet access, isolated from the LAN, all with roaming. And I'm using one less piece of hardware by using the router's VLAN. Thanks again.

  • Flexconnect on VRF guest vlan

    Hi all, I have a multi site customer with a vrf guest vlan in any site.
    Now I have to place a WLC on the HQ to manage all the wifi for HQ and other office, all the APs in the remote sites are in flexconnect mode.
    On the VLAN mapping for AP I set the correct guest vlan for every AP/site but the guest network over vrf seems not working properly.
    For the AP in the HQ if I turn off flexconnect and use the AP in local mode the vrf guest works well (using the internal DHCP of WLC).
    Anyone have tried a config like this?
    Thanks

    Cool, We fixed our DHCP issue it was related to how we had several APs advertising the SSID . One was transmitting at a higher power than the other/plus it had no DHCP -assigned ot the interface. The weaker transmitter did so it would ping pong to the stronger signal and back to the weaker .  LOL

  • VWLC issue with guest vlan

    Hi Team,
    I installed Cisco vWLC for the first time. Everything works fine except my guest vlan doesnt get IP address from the designated dmz network. I was wondering if I am missing something. Currently Flexconnect it configured on the wlans with LOCAL mode. I've alredy tried to go under each AP and perform vlan mapping but ... no luck so far.
    Please get back to me if you have any ideas.
    Respectfully,
    Marty-

    Hello Marty,
    As per your query i can suggest you the following solution-
    Guest vlan doesnt get IP address from the designated dmz network.So please apply the appropriate native vlan to the Flexconnect configured in the local mode.Also make sure to do vlan mapping in order to match Physial switch Vlan matching. Finally configure trunk on the Access-Point port with the corresponding native Vlan.
    For more information please refer to the link-
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
    Hope this will help

  • Dot1x guest VLAN on 2960G

    Hi,
    I have a 2960 sw configured for dot1x authentication, the problem is the Guest VLAN and Restricted VLAN didnot work. The switch port was stuck in authenticating status.
    The server is Juniper IC4500.
    Switch is 2960G, IOS 15.0(1)SE2
    the configuration:
    aaa new-model
    aaa authentication login default local
    aaa authentication dot1x default group radius
    aaa authorization exec default local
    aaa authorization network default group radius
    dot1x system-auth-control
    dot1x test timeout 30
    dot1x guest-vlan supplicant
    dot1x critical eapol
    interface FastEthernet0/32
    switchport access vlan 28
    switchport mode access
    authentication event fail action authorize vlan 41
    authentication event server dead action authorize vlan 41
    authentication event server dead action authorize voice
    authentication event no-response action authorize vlan 41
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication order mab
    authentication port-control auto
    authentication timer reauthenticate 300
    authentication violation protect
    mab eap
    dot1x pae authenticator
    dot1x timeout quiet-period 5
    dot1x max-req 1
    dot1x max-reauth-req 1
    dot1x max-start 1
    spanning-tree portfast
    Anyone with experience on this pls help.
    Thanks,
    hoanghiep

    forgot to mention that multi-auth do not support actions on either no-response or fail authentication events. So you need to set host-mode to MDA or single host.
    Ref:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1454875

  • Route Guest VLAN directly to the internet

    All, I am wanting to create a guest SSID/VLAN that is redirected straight to the internet, without any access to our network? I know how to create a guest SSID/VLAN but dont know how to send all traffic on that VLAN directly to the internet? How would the client obtain a DHCP address if its on a VLAN seperate the network?

    Here is how I set up our wireless guest vlan:
    1. I use 802.1x with PEAP to authenticate guests against a MS RADIUS server. Once successful, the AP allows guest to broadcast DHCP request.
    2. My router forward the DHCP request to DHCP server which assign IP and necessary options to guests, using IP helper-address command.
    3. My router has access-lists to prevent guests from accessing any corporate IP addresses (allowing only DHCP broadcasts)
    4. A route-map is configured on the default router on the guest vlan so that it will route all traffic sourced from that vlan out to the Internet. I use "set IP default next-hop xxx.xxx.xxx.xxx" to route the traffic directly to our proxy server or firewall.
    This is not a very user-friendly setup on the client side, because I have to mannually configure guest laptops to do 802.1x w/ PEAP. Sometime it is a pain with work with so many different wireless cards/utilities.
    HTH,
    daniel

  • 802.1X with Guest vlan support IOS version ???

    I don't know, Whitch IOS version support 802.1X with Guest vlan to Catalyst 2950 and 3550 switch
    please reply to my question.

    Tkank for your help.
    Also, Cisco web is explained , except for Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3
    but I can't understand, My site is using catalyst 2950 SI to 802.1X and guest vlan in IOS image 12.1(22)EA3
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    please, reply for my question

Maybe you are looking for

  • Can I change the apple Id that iTunes match is associated with??

    I have two apple id's and when I set up iTunes match it associated with the wrong one Can I switch it?

  • MS Word email attachments do not open on my E6

    When I receive a MS Word attachment via email and try to open it, I get a "Unable to open. Attachment file not supported" message. When I use QuickOffice and access my Dropbox, I can open any document and make edits. Does anyone have an idea what cou

  • TV only comes in in black & white

    my TV only comes in in black/white. I'm not able to get it in color.

  • Use of digital connection and Headphones - is it possibl

    I am extremely happy as I have found that by using the "Flexijack" configured as a digital output and connecting it to my Logitech speakers I have resolved a problem that had developed with my front speakers going missing. BUT when I try and use my h

  • NOTHING or wrong info in LINK VIEW

    I am using RH HTML x4.1. I have taken a project over from a previous writer (no longer with the company). I have found MANY "orphaned" topics with no real links to anything else. In addition, I am changing many of the topic names, etc. I am trying to