Guest VLAN with SG-200

I'd like to use the SG-200 to create an isolated guest VLAN that cannot access the secure LAN, except of course for the router. This post discusses the necessary ACEs to use with an SG-300, but it's not clear that this level of access control exists on the SG-200. Is it possible to isolate a guest VLAN with the SG-200? My network is a roaming (bridged) network that looks like this:
[Modem] — [AE Router] — [Switch] — [Roaming Wifi]

Thank you very much for the pointers. I found a way to use the router as my VLAN, keeping the SG-200 as a simple switch. This turns out to be the best option because my router doesn't support ACLs or multiple VLANs that would be used for isolating VLANs on my level 2 switch.
This router-based solution involved resolving a simple DNS issue. My router gets DNS from the server, which the router's VLAN guests cannot see. Configuring DNS by hand on guest clients (e.g. Google DNS 8.8.8.8, 4.4.4.4) provides guest internet access, isolated from the LAN, all with roaming. And I'm using one less piece of hardware by using the router's VLAN. Thanks again.
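The isolation policy the original poster wanted, written out as access-control entries and checked in code. This is an added example, not from the post and not Cisco's: a first-match ACL evaluator in Python with a constructed guest policy. The addressing is assumed (guest VLAN 192.168.30.0/24, router at 192.168.30.1), and the block also shows the failure mode that bites on real hardware, the catch-all permit placed above the denies.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network

def net(cidr: str) -> Net:
    return ipaddress.ip_network(cidr, strict=False)

@dataclass(frozen=True)
class Ace:
    """One access-control entry, in the style of an SG-300 IP-based ACE."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" (any), "tcp", "udp" or "icmp"
    src: Net
    dst: Net
    dport: Optional[int] = None  # None = any destination port
    name: str = ""

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport

def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First matching ACE decides; an ACL always ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action, ace.name
    return "deny", "implicit-deny"

# Assumed addressing (not from the original post).
ANY = net("0.0.0.0/0")
GUEST = net("192.168.30.0/24")      # guest VLAN
GATEWAY = net("192.168.30.1/32")    # router's interface in the guest VLAN
RFC1918 = [net("10.0.0.0/8"), net("172.16.0.0/12"), net("192.168.0.0/16")]

# Policy: DHCP, DNS and ping to the router; nothing else in private space; the internet.
GUEST_ACL: List[Ace] = [
    # A DHCP DISCOVER goes from 0.0.0.0 to 255.255.255.255 before the client has an
    # address, so this entry cannot be scoped to the guest subnet ("permit udp any any eq bootps").
    Ace("permit", "udp", ANY, ANY, 67, "dhcp"),
    Ace("permit", "udp", GUEST, GATEWAY, 53, "dns-udp"),
    Ace("permit", "tcp", GUEST, GATEWAY, 53, "dns-tcp"),
    Ace("permit", "icmp", GUEST, GATEWAY, None, "ping-gateway"),
    *[Ace("deny", "ip", GUEST, n, None, f"deny-{n}") for n in RFC1918],
    Ace("permit", "ip", GUEST, ANY, None, "internet"),
]

# The same entries with the catch-all permit moved to the top: the denies are never reached.
BROKEN_ACL: List[Ace] = [GUEST_ACL[-1]] + GUEST_ACL[:-1]

def reachable_lan_hosts(acl: List[Ace], guest_ip: str, lan_hosts: List[str],
                        ports=(22, 80, 139, 443, 445, 3389)) -> List[Tuple[str, int]]:
    """Audit: which (host, port) pairs on the LAN a guest could still open."""
    return [(host, port) for host in lan_hosts for port in ports
            if evaluate(acl, Packet("tcp", guest_ip, host, port))[0] == "permit"]

if __name__ == "__main__":
    for pkt in [Packet("udp", "0.0.0.0", "255.255.255.255", 67),
                Packet("udp", "192.168.30.20", "192.168.30.1", 53),
                Packet("tcp", "192.168.30.20", "192.168.1.10", 445),
                Packet("tcp", "192.168.30.20", "8.8.8.8", 53)]:
        print(pkt, "->", evaluate(GUEST_ACL, pkt))
    print("leaks, correct order:", reachable_lan_hosts(GUEST_ACL, "192.168.30.20", ["192.168.1.10"]))
    print("leaks, permit first:", reachable_lan_hosts(BROKEN_ACL, "192.168.30.20", ["192.168.1.10"]))
```

The deny entries cover all of RFC 1918 rather than just the LAN subnet, so a guest also cannot reach other guests or any private range the router happens to route; the only holes are the ones the router itself needs to serve (DHCP, DNS, ICMP). Running `reachable_lan_hosts` against the live ACL order is the check worth keeping in a change process.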

Similar Messages

  • Wired guest vlan with ISE

    Hi all,
    For those that have travelled down the path of ISE, is it reliable to put all the switch ports into a guest VLAN and rely on the NAM to change that for corporate users? We will be using the NAM AnyConnect supplicant for corporate users, so they should automatically be changed into the corporate VLAN on successful authentication. Is this correct, and is this reliable?
    Testing now with all ports on the corporate VLAN has guests still accessing the corporate VLAN initially, before they are changed by the Java applet upon registering as a guest user.
    Thanks

    I will try to answer all of your questions:
    1.     "With the standard port configuration, is it better to have the switch ports on vlan 40 (guest vlan) by default, and have the corporate users NAM supplicant change the vlan to 20 if successful, or the other way around and have the ports in default state on vlan 20 (corporate) and when a guest hits the web portal have their vlan changed to vlan 40"
              - I suppose the standard is to have the port in the regular/standard VLAN and only put failed authentications in the guest VLAN. However, with that being said, it really depends on what you are trying to accomplish, thus I suppose you could try doing it the other way around. I have never tested it nor deployed it that way, so I highly recommend you try that in the lab.
    2.     "I wanted to know if the change of vlan for corporate users with NAM is reliable?"
              - Yes it is, well, at least for the most part. Some "dumb" devices such as printers, badge readers, etc., might not know that a VLAN was changed, thus never request a new IP address. As a result, they get stuck in the guest VLAN. That is why I usually like to NOT use a guest VLAN but send all failed authentications through the guest portal. There you can control who is a guest and who is not via dACLs.
    3.     "We also plan on implementing low impact mode, ie open authentication with a default ACL as there are things like PXE booting that needs to happen"
              - So my guess is that the guest VLAN terminates on some interface such as a FW DMZ. That interface usually has some ACL that blocks all RFC 1918 and permits everything else. If that is the case and you want to use Low-Impact mode, then you will need to grant the same access on the DMZ interface as the one granted in the Low-Impact mode ACL, otherwise things will break.

  • Bridging multiple VLAN with sg 200-08 and wap321

    Hi all
    Equipment:
    ASA 5505
    2x SG200-08
    2x wap321
    Is there a possibility to bridge 2 VLANs from one side to the other with two WAP321s, and also use the APs as a WDS bridge to extend the wireless network?
    I need to extend the range of the WLAN but also want to use 2 different VLANs on both sides of the network. There is no possibility to establish a wired connection, so I try to use the APs in "workgroup bridge" mode, but I can always use only one VLAN on the other side.
    Thanks for any help

    Hi Luis
    The problem is, there is no wired connection between the WAP321s.
    The topology is like this:
    VLAN1 ---- ASA5505 ---- SG200-08 ---- WAP321 )))  (no wire)  ((( WAP321 ---- SG200-08 ---- VLAN1
                               |                                                    |
    VLAN2 ---------------------+                                                    +---- VLAN2
    VLAN1 and VLAN2 are also available in the WLAN on 2 Different SSID's:
    SSID: inside -> VLAN1
    SSID: outside -> VLAN2
    If I understand the cluster mode right, a wired connection between the WAP321s is required.
    In the meantime I tried to connect the WAP321s over WDS, but always only VLAN1 is available on the "right" side of the network.
    Is there a possibility to bridge multiple VLANs over a WDS connection?
    Best Regards
    Dominique

  • 802.1X with Guest vlan support IOS version ???

    I don't know which IOS version supports 802.1X with guest VLAN on Catalyst 2950 and 3550 switches.
    Please reply to my question.

    Thanks for your help.
    Also, the Cisco web site explains it, except for the Catalyst 2950 Standard Image (SI) in IOS 12.1(22)EA3,
    but I can't understand; my site is using a Catalyst 2950 SI for 802.1X and guest VLAN with IOS image 12.1(22)EA3.
    ex) TW_14F_A_C2950_32.8#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(22)EA3, RELEASE SOFTWARE (fc1)
    Running Standard Image
    24 FastEthernet/IEEE 802.3 interface(s)
    Model number: WS-C2950-24
    Please reply to my question.

  • Guest Access with Inter-vlan Mobility

    I have a setup as follows
    Two datacenters each with one wlc5500, one guest access server and one internet circuit with firewall.
    LWAPs connect to the data centres over a WAN.
    Each LWAP has two SSIDs one guest with web auth and one private with 802.1x.
    Site1 has 40 APs and site2 has 10 APs.
    The best scenario would be to have 30 APs on each controller, but this means that there would be a mix of APs centrally switched on different VLANs for the guest WLAN.
    Is there any way to anchor clients that initially associate to WLC1 so that if they roam on to WLC2 they keep the same IP address from datacentre 1? Similarly, those that associate to WLC2 keep their IP from datacentre 2 if they roam to WLC1. Finally, if either WLC1 or WLC2 fails, then all clients re-associate to the active WLC at one DC. All the config guides so far only depict one internet circuit, so I can't work out if this is possible yet. So far, with both WLCs active, the client changes address as they roam to the other WLC.
    I would like to avoid creating a L2 link between DCs if possible.

    Thanks for looking
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.18.227.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?
    (Cisco Controller) >show wln 3
    Incorrect usage. Use the '?' or key to list commands.
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >
    (Cisco Controller) >show wlan 3
    WLAN Identifier.................................. 3
    Profile Name..................................... guest
    Network Name (SSID).............................. GUEST
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    NAC-State...................................... Disabled
    Quarantine VLAN................................ 0
    Number of Active Clients......................... 1
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guest-vlan
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... 10.253.128.10
    DHCP Address Assignment Required................. Enabled
    --More-- or (q)uit
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11b and 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    --More-- or (q)uit
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Enabled
    ACL............................................. Unconfigured
    Web Authentication server precedence:
    1............................................... local
    2............................................... radius
    3............................................... ldap
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Disabled
    H-REAP Local Switching........................ Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    --More-- or (q)uit
    Mobility Anchor List
    WLAN ID IP Address Status
    (Cisco Controller) >?

  • VWLC issue with guest vlan

    Hi Team,
    I installed Cisco vWLC for the first time. Everything works fine except my guest VLAN doesn't get an IP address from the designated DMZ network. I was wondering if I am missing something. Currently FlexConnect is configured on the WLANs with LOCAL mode. I've already tried to go under each AP and perform VLAN mapping but... no luck so far.
    Please get back to me if you have any ideas.
    Respectfully,
    Marty-

    Hello Marty,
    As per your query i can suggest you the following solution-
    Your guest VLAN doesn't get an IP address from the designated DMZ network, so please apply the appropriate native VLAN to the FlexConnect AP configured in local mode. Also make sure to do VLAN mapping in order to match the physical switch VLANs. Finally, configure a trunk on the access-point port with the corresponding native VLAN.
    For more information please refer to the link-
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
    Hope this will help

  • Guest VLAN and SSID with a DHCP router

    I want to offer customers wireless access in my building. I've added VLAN 30 to my WAP with no encryption and broadcast the GUEST SSID. I also have a Netgear router plugged into a port with VLAN 30 access. I was hoping the wireless clients would get a DHCP address from this router since they are all on the same VLAN, but I cannot get it to work.
    Does anyone have any insight on this, or another way to setup the guest VLAN?

    You can create a guest VLAN.
    http://www.cisco.com/en/US/products/hw/wireless/ps430/products_configuration_guide_chapter09186a00800e02cb.html#1074827

  • Dot1x guest-vlan issues with windows XP

    Hi,
    I have dot1x set up on a 3560. I basically have 3 VLANs configured.
    All ports are in VLAN "guest (vlan 10)" by default. The authenticated "AUTH" VLAN is pushed by the RADIUS server after successful authentication. And finally I have a guest/auth-fail VLAN for non-dot1x-capable machines.
    Everything works fine except that when I connect a Windows XP machine which is not on the domain, then I am not assigned to a guest VLAN. The port stays in the unauthorized state, and a "show interface" output shows that the port is up but line protocol is down.
    It works sometimes but other times it doesn't.
    Is there a trick to it? Also I read an article on Cisco's website which was specific to XP and dot1x, i.e. the switch waits ~180 seconds and you need to plug the cable in/out of the switch to make it work... I haven't tried this yet, but does anybody have any better ideas than this technique?
    I have the standard config:
    int fa0/1
    dot1x port-control auto
    dot1x guest-vlan 10
    dot1x auth-fail vlan 10
    I am thinking of tweaking the "quiet period" and the switch-to-client retransmission timeout values.
    Note: Like I mentioned earlier, after successful authentication corporate clients are put in the correct VLAN. It's just the "guest" VLAN piece which is not working.
    Thoughts? pointers? Comments?

    OK, first WRT the documentation reference:
    Not entirely accurate. If a host fails to respond to the authenticator, the port remains in the connecting state for [tx-period (max-reauth-req + 1)] seconds. A login window even appearing on an XP machine is dependent on the configuration (usually only occurs with MD5). Not sure about the unplugging cables stuff at all ;-). This certainly shouldn't be in there though, since that's not really a workaround for anything. It is correct in saying that 1X-capable hosts should not be placed in the Guest-VLAN. It's also correct in explaining the quiet period during the HELD state after a failed authentication attempt. However, the rest is completely dependent on the Microsoft supplicant. The Microsoft supplicant gives up on 1X entirely after it fails 3 times in a row. No other supplicants do this AFAIK. Since it gives up on 1X, that explains why the port would be "stuck" in a connecting state. Not sure if this is just trivia or what, though, in the context of the reference.
    WRT your configuration:
    If you're interested in having 1X timeout any quicker than it does now (see formula above) then the only timers/values you need to bother with are tx-period and/or max-reauth-req. supp-timeout is for non-EAP control packets. The quiet-period is how long the port is in a HELD state when it fails authentication.
    Does this help?

  • 802.1x / dot1x Authentication, including Voice-Vlan and Guest-Vlan

    Hello,
    I have tried to configure a dot1x-based authentication.
    With a single host including guest VLAN, everything works fine.
    But I want to use an IP phone (which is always authenticated) and behind the phone a client.
    Is there a possible solution? And unfortunately the IP phones are Avaya phones.
    I have just tried this...
    interface GigabitEthernet0/4
    switchport access vlan 121
    switchport mode access
    switchport voice vlan 200
    authentication event fail action authorize vlan 99
    authentication event server dead action authorize vlan 121
    authentication event server alive action reinitialize
    authentication host-mode multi-host
    authentication order dot1x
    authentication port-control auto
    authentication periodic
    authentication violation restrict
    dot1x pae authenticator
    dot1x timeout quiet-period 10
    dot1x timeout tx-period 1
    spanning-tree portfast
    Thanks for any possible solution!

    Unfortunately, because they are Avaya phones, the easy answer, CDP bypass, fails in this instance. When you plug in the phone, the switch will assume it's the 'single host' for this port, and restrict the port due to the authentication for the phone failing. Maybe you can just hard-code the voice VLANs on each phone, but that could get tedious depending on the number of phones.
    I believe there is a DHCP option you can pass back that indicates the phone should be running on VLAN 200, but for this to work you'd also need to set up a pre-auth ACL that would allow DHCP to work in the unauthorized state. I think it's 147 off the top of my head.
    Another solution (which isn't what you originally wanted, but it would work) is to just use multi-domain instead of single-host, and authenticate both the phone and the PC. The RADIUS server should be able to distinguish between what is configured as a phone and what is a host, and will send back the appropriate VLAN if configured correctly.
    What are you using for a RADIUS server?
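The timing formula from the XP reply earlier on this page, tx-period × (max-reauth-req + 1), and the phone-port configuration in this thread, applied by a small config analyser. This is an added example, not from either post and not Cisco's. It assumes the IOS defaults for the timers it does not find (tx-period 30 s, max-reauth-req 2, quiet-period 60 s; confirm with `show dot1x interface` on the platform in question), and the two sample stanzas are constructed from the configurations posted above.

```python
import re
from typing import Dict, List

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """{interface name: [stanza lines]} from running-config text (stanza lines are indented)."""
    return {name: [l.strip() for l in body.splitlines()]
            for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)+)", config, re.M)}

# IOS defaults for the authenticator timers (assumed; confirm with `show dot1x interface`).
DEFAULTS = {"tx_period": 30, "max_reauth_req": 2, "quiet_period": 60}

# Both the older "dot1x ..." and the newer "authentication event ..." spellings are recognised.
PATTERNS = {
    "tx_period":      r"dot1x timeout tx-period (\d+)",
    "max_reauth_req": r"dot1x max-reauth-req (\d+)",
    "quiet_period":   r"dot1x timeout quiet-period (\d+)",
    "guest_vlan":     r"(?:dot1x guest-vlan|authentication event no-response action authorize vlan) (\d+)",
    "auth_fail_vlan": r"(?:dot1x auth-fail vlan|authentication event fail action authorize vlan) (\d+)",
    "voice_vlan":     r"switchport voice vlan (\d+)",
    "host_mode":      r"authentication host-mode (\S+)",
}

def dot1x_timing(lines: List[str]) -> dict:
    """Timers and fallback VLANs for one port, and how long a silent host waits for the guest VLAN."""
    t = {**DEFAULTS, "guest_vlan": None, "auth_fail_vlan": None, "voice_vlan": None,
         "host_mode": "single-host", "notes": []}
    for line in lines:
        for key, pattern in PATTERNS.items():
            m = re.fullmatch(pattern, line)
            if m:
                t[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    # A host that never answers EAPOL Request/Identity keeps the port in the connecting
    # state for tx-period * (max-reauth-req + 1) seconds; only then is the guest VLAN applied.
    t["guest_vlan_after_s"] = t["tx_period"] * (t["max_reauth_req"] + 1)
    if t["guest_vlan"] is None:
        t["notes"].append("no guest VLAN: a host without a supplicant never fails "
                          "authentication, so the auth-fail VLAN does not catch it either")
    if t["voice_vlan"] is not None and t["host_mode"] != "multi-domain":
        t["notes"].append(f"voice VLAN with host-mode {t['host_mode']}: use multi-domain so "
                          "the phone and the PC behind it are authenticated separately")
    return t

# Sample stanzas, constructed from the two configurations posted above.
XP_PORT = """\
interface FastEthernet0/1
 dot1x port-control auto
 dot1x guest-vlan 10
 dot1x auth-fail vlan 10
!
"""
PHONE_PORT = """\
interface GigabitEthernet0/4
 switchport access vlan 121
 switchport mode access
 switchport voice vlan 200
 authentication event fail action authorize vlan 99
 authentication host-mode multi-host
 authentication port-control auto
 dot1x pae authenticator
 dot1x timeout quiet-period 10
 dot1x timeout tx-period 1
!
"""

if __name__ == "__main__":
    for config in (XP_PORT, PHONE_PORT):
        for name, lines in parse_interfaces(config).items():
            print(name, dot1x_timing(lines))
```

With the defaults, the XP port in the earlier thread takes 30 × (2 + 1) = 90 seconds to drop a silent host into VLAN 10; the phone port here, with tx-period 1, does it in 3 seconds but has no guest VLAN to drop into, which is the combination the analyser flags.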

  • Hyper-V 2012 R2 - Linux Guest VLAN Settings lost after reboot

    Hi Guys,
    Last night I have seen a strange behavior with a Sophos UTM 9.204020 Linux guest VM. (This VM is based on SUSE SLES v11, I think.)
    So I have set this up in my home lab and experienced the same problem.
    ----Setup-----
    2 external VM switches
    Management OS is on VLAN 4093 with IP 192.168.20.1
    The guest network adapter is in trunk mode; the VLAN tag (4093) is set in the guest OS with IP 192.168.20.100
    Everything works until you kick off a reboot from the guest or the Hyper-V console; after the reboot you lose the connectivity on the network adapter with the VLAN trunk.
    If you shut down the guest and start it, everything works again; this happens only on reboot!!
    I have tried different things (static MAC, enable/disable hardware features (VMQ/offloading etc.) on the VM network adapter) but always the same error.
    After some searching on the net I found this article: Link
    This guy has the same problem with another Linux VM (based on Debian); his workaround was to trigger a PowerShell script with the event log after reboot of the VM. This works for me too, but this must be a bug?
    Has anyone else experienced this problem?
    André

    Hi Andre,
    I would suggest you to install the supported Linux guest OS on hyper-v , please refer to following link:
    http://technet.microsoft.com/en-US/library/dn531030.aspx
    Best Regards
    Elton Ji

  • HQ and Remote Wired Guest VLAN

    Hello all,
    I am having trouble creating a standard condition for policy authorization. Basically there are HQ and remote locations configured for guest access.
    Each location has its own guest VLAN. On ISE the standard rules are:
    Standard Rule 1 if Unknown AND Wired_MAB then Guest_Access
    This rule is working well for HQ.
    Standard Rule 2 if (Unknown OR MTL_Devices) AND Wired_MAB_MTL_Guest then Montreal_Guest
    This rule is designed for remote, but Standard Rule 1 is taking over because the first match is applied, and the OR condition may cause some problems with internal users since the condition is Unknown OR MTL_Devices. There is no AND condition for this.
    Let me know if anyone has idea or have solved this problem.
    Thank you.

    Hi,
    You need to change the order of your rules. ISE uses the first matched rule from top to bottom; in your case the MTRL is matching the first rule since it is more open than the rule below, which has the check for the network device.
    Please change the order and see if this fixes your issue. If this doesn't work, post a screenshot of your policies just to make sure we are on the same page.
    Thanks,
    Tarik Admani
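The reply's point, top-down first match, demonstrated on the two rules as posted and then reordered. This is an added example in Python, not from the post and not ISE's own logic. Wired_MAB is modelled on ISE's built-in compound condition (Service-Type = Call Check and NAS-Port-Type = Ethernet); the shapes of Wired_MAB_MTL_Guest, the identity groups and the session attributes are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Session = Dict[str, str]   # attributes ISE sees for one authentication request

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[Session], bool]
    profile: str            # authorization profile returned on match

# Conditions. wired_mab follows ISE's built-in Wired_MAB; the other three are assumed
# shapes for the poster's custom condition and identity groups, not taken from the post.
def wired_mab(s: Session) -> bool:
    return s.get("NAS-Port-Type") == "Ethernet" and s.get("Service-Type") == "Call Check"

def unknown(s: Session) -> bool:
    return s.get("IdentityGroup") == "Unknown"

def mtl_devices(s: Session) -> bool:
    return s.get("IdentityGroup") == "MTL_Devices"

def wired_mab_mtl_guest(s: Session) -> bool:
    # assumed: Wired_MAB restricted to switches in the Montreal device group
    return wired_mab(s) and s.get("DeviceLocation") == "Montreal"

RULES_AS_POSTED: List[Rule] = [
    Rule("Standard Rule 1", lambda s: unknown(s) and wired_mab(s), "Guest_Access"),
    Rule("Standard Rule 2",
         lambda s: (unknown(s) or mtl_devices(s)) and wired_mab_mtl_guest(s), "Montreal_Guest"),
]
RULES_REORDERED: List[Rule] = RULES_AS_POSTED[::-1]   # the narrower rule above the general one

def authorize(rules: List[Rule], session: Session) -> Tuple[str, str]:
    """ISE authorization policy: evaluated top-down, the first matching rule wins."""
    for rule in rules:
        if rule.condition(session):
            return rule.name, rule.profile
    return "Default", "DenyAccess"

def shadowed_by_winner(rules: List[Rule], session: Session) -> List[str]:
    """Rules below the winner that would also have matched this session (never reached)."""
    winner, _ = authorize(rules, session)
    seen_winner, shadowed = False, []
    for rule in rules:
        if rule.name == winner:
            seen_winner = True
        elif seen_winner and rule.condition(session):
            shadowed.append(rule.name)
    return shadowed

def mab_session(group: str, location: str) -> Session:
    return {"IdentityGroup": group, "DeviceLocation": location,
            "NAS-Port-Type": "Ethernet", "Service-Type": "Call Check"}

# Constructed sessions (assumptions for illustration).
HQ_GUEST = mab_session("Unknown", "HQ")
MTL_GUEST = mab_session("Unknown", "Montreal")
MTL_PRINTER = mab_session("MTL_Devices", "Montreal")
MTL_EMPLOYEE = {**mab_session("Employees", "Montreal"), "Service-Type": "Framed"}  # 802.1X, not MAB

if __name__ == "__main__":
    for label, rules in (("as posted", RULES_AS_POSTED), ("reordered", RULES_REORDERED)):
        for who, s in (("HQ guest", HQ_GUEST), ("MTL guest", MTL_GUEST),
                       ("MTL printer", MTL_PRINTER), ("MTL employee", MTL_EMPLOYEE)):
            print(f"{label:9} {who:12} -> {authorize(rules, s)} shadowed={shadowed_by_winner(rules, s)}")
```

As posted, an unknown endpoint at Montreal satisfies Rule 1 before Rule 2 is ever consulted and lands in Guest_Access; with the narrower rule on top it gets Montreal_Guest, HQ guests still get Guest_Access, and an employee session (802.1X, not MAB) matches neither rule, which addresses the worry about the OR condition catching internal users.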

  • Wired guest access with 5508

    Hi
    I have set up wireless guest access for a customer with a single 5508 and web authentication, no problem at all. He then wanted to test wired guest access. The 5508 is currently connected to a single 3560 switch. The wired clients get a DHCP address OK but cannot resolve DNS and thus don't get redirected to the guest login portal. I have even tried turning off all L3 security to no avail. The setup is as follows:
    VLAN 101 access points and 5508 management interface
    VLAN 102 wired guest access dynamic ingress (L2 config only, no SVI on 3560)
    VLAN 103 wireless guest dynamic egress interface, L3 network with SVI on switch
    VLAN 104 wired guest dynamic egress interface, L3 network with SVI on switch
    There are two DHCP pools set up on the WLC, one for the VLAN 103 and one for the VLAN 104 subnets.
    The internet router is also connected to the 3560 on a separate VLAN with an SVI. The 3560 has a default route to the internet router, and the DHCP pools give the DHCP clients a default gateway of the IP address of dynamic interface 103 or 104. The internet router can ping the WLC on both these addresses.
    LAG is enabled on the WLC and VLANs 101-104 are trunked to it from the 3560.
    I even tried making the wired guest egress interface the same one as for wireless. The wired clients now got an IP address on the wireless range but still couldn't pass any traffic. It's like the internal bridging on the WLC between VLAN 102 and 104 (or 103) is broken. Tried both the latest 6.x and 7.x software on the WLC. Any ideas? All the problems I can find with this seem to relate to not getting as far as a DHCP address, but that works fine.
    Thanks
    Pat

    Hi
    Yes, got it resolved. It turns out that the connection from the wired guest access port to the WLC must be L2. That is, the switch that the wired guest access port and the WLC are connected to must be L2 only. We were using a single switch to do the testing and it was also doing the routing for the test LAN. Even though there was no L3 VLAN interface configured for the VLAN that the guest access port was on, for some reason this breaks it. Didn't have a chance to work out the exact limitations of this, as we simply made the switch L2 only and configured an 802.1Q trunk to the internet router and made subinterfaces on the router for the wired and wireless egress ports, and it worked then. No config change was needed on the WLC at all.
    The only thing I can think of is that it's something about the way the WLC joins the wired guest access ingress VLAN and egress VLAN. The WLC isn't a real router; it says so in the documentation. I think the packet coming from the wired access port is being bridged to the egress VLAN, not routed, and this is what screws it up (remember, with a router the source and destination MAC addresses would be changed; with a bridge they aren't). Got to be something along those lines. If you have a bigger network with a guest anchor WLC handling this function you don't run into this, as the traffic is coming over an EoIP tunnel from the remote WLC, so the switch with the guest anchor WLC doesn't see the MAC address of the wired guest PC.

  • Guest VLAN on unmanaged network

    I've bought some UniFi wifi access points which I want to add to our network. We use a mix of Cisco and Netgear switches (I'll be phasing out the Netgears over time). I'd like to make a guest VLAN for the wifi; I'm just not sure how is best to do it. There are some details on a possible setup here.
    At the moment we have an unmanaged network, so everything is using VLAN 1.
    We use 2 Cisco PIX 515E firewalls (one as backup); they go directly to a switch, then we use a Windows server for DHCP. The config for firewall (fw1) on the interface that connects to a switch is:
     speed 100
     duplex full
     nameif inside
     security-level 100
     ip address 192.168.135.248 255.255.192.0 standby 192.168.135.249
    on the switch it connects to called sw1 (C2950-I6Q4L2-M) the port is configured like so:
    interface FastEthernet0/15
     switchport mode trunk
     switchport nonegotiate
     speed 100
     duplex full
    Port Gi0/2 connects to the next switch, which is a Netgear GS748T (sw2), which then connects to various other switches:
    interface GigabitEthernet0/2
     description Netgear GS748T
     switchport trunk allowed vlan 1-4
     switchport mode trunk
     switchport nonegotiate
     speed 1000
     duplex full
     flowcontrol receive desired
    (There are some other VLANs created, not sure what they are for yet, I'm new here!)
    We've just bought a Cisco WS-C3650-24PS, sw3.
    I was thinking of only plugging the wifi access points into Cisco switches and creating a VLAN, VLAN 20, and only allowing VLAN 20 on specific ports, if this is possible?
    I'm a beginner at this, so the theory is there but I'm not sure how to execute it!
    I'm thinking on the firewall fw1:
    eth2
     speed 100
     duplex full
     nameif guest
     security-level 90
     ip address 192.168.0.248 255.255.255.0 standby 192.168.0.249
    on sw1 connect Gi0/2 to sw3 Gi1/1/1
    config to be
    switchport trunk allowed vlan 20
    switchport mode trunk
    switchport nonegotiate
    speed 1000
    duplex full
    sw3 will already have VLAN 1 going to it as part of the unmanaged network, as it is connected to another switch on another port already.
    So my question is how do I set up the DHCP server on sw3 for VLAN 20 (192.168.0.0/24)?
    And how would both VLANs get sent to the wifi access points which are patched into sw3, but without VLAN 20 traffic being sent to other ports which do not have the APs connected to them? I would also like to allow VLAN 20 to another Cisco switch.
    Or if this is the wrong way of doing it, let me know a better solution.
    Apologies in advance if this is not making much sense!

    I actually use UniFi APs in our environment too, great little APs as long as you buy the Pro models (the standard ones have their shortfalls).
    I think your PIX config looks good (it's been a while since I've touched one, so I'd have to log in to the 525 I have at home to confirm). Just ensure it's configured to disallow traffic from your guest VLAN to the internal network; if memory serves there's an option that's on by default to disallow traffic from a higher security interface to a lower.
    It may be better to configure Sw1/0/2 and Sw3/1/1/1 with all of your VLANs; if you want redundancy you can create a LAG between the two with multiple ports. If you use different links for different VLANs and down the road something happens and both of those ports become active on the same VLAN (i.e. you or someone else forgets that you're using different uplinks for different VLANs), and STP isn't set up properly, you'll create a loop on that VLAN, potentially flooding the network with broadcast traffic.
    As for the UniFi config, you configure the ports that the APs connect to as trunks. I assume you'll be managing the APs over VLAN 1, so the ports should be VL1 untagged, VLAN 20 tagged.
    The UniFi Controller software is used to set up and manage the APs; if you haven't already done so, install it. Once you have it installed you want to create two SSIDs: one without VLAN tagging enabled, which will be your internal SSID, and another with VLAN tagging enabled for VL20, which will be your guest SSID. This way, when a client connects to the Guest SSID the AP(s) will tag their traffic VLAN 20, so on ingress to SW3 the traffic will be tagged with the correct VLAN.
    The attached is a screenshot from my UniFi guest SSID config; you can also assign guests to a user group, which allows you to limit the bandwidth at the AP.
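    The question above asks how to serve DHCP for VLAN 20 from sw3 and keep VLAN 20 off the ports that have no APs on them, and the reply describes the trunk layout (VLAN 1 untagged, VLAN 20 tagged on the uplink and AP ports only). The following is an added example, not code from this thread, from Cisco or from Ubiquiti: a small Python checker that parses a constructed sw3 configuration in that layout and reports any switchport other than the uplink and AP ports that could carry the guest VLAN, which is exactly the leak and loop risk the reply warns about. Everything in the sample config (port names, the 192.168.0.2 SVI address, the pool name) is constructed; the default router 192.168.0.248 is an assumption taken from the PIX address in the question.

```python
"""Guest-VLAN leak check for a Catalyst-style switch config.

Added example, not code from this thread. It models the reply above: uplink and
AP ports are trunks carrying VLAN 1 untagged and VLAN 20 tagged, every other
port is an access port in VLAN 1, and sw3 serves DHCP for VLAN 20. The sample
config, port names and SVI address are constructed; the default router
192.168.0.248 is assumed from the PIX address in the question.
"""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sw3 config in IOS syntax. Gi1/0/12 is deliberately wrong: a trunk
# left with the default allowed list, so it carries every VLAN including 20.
SW3_CONFIG = """\
ip dhcp pool GUEST-VL20
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.248
 dns-server 8.8.8.8 8.8.4.4
!
interface Vlan20
 ip address 192.168.0.2 255.255.255.0
!
interface GigabitEthernet1/1/1
 description uplink to sw1 Gi0/2
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
 switchport nonegotiate
!
interface GigabitEthernet1/0/10
 description UniFi AP
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,20
!
interface GigabitEthernet1/0/11
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet1/0/12
 switchport mode trunk
!
"""

def parse_stanzas(config: str, prefix: str) -> Dict[str, List[str]]:
    """Return {name: [indented sub-commands]} for each top-level line starting with prefix."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith(prefix):
            current = line[len(prefix):].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or another global command ends the stanza
    return stanzas

def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,20,30-32' into a set of VLAN ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def vlans_carried(cmds: List[str]) -> Tuple[str, Optional[Set[int]]]:
    """Return (switchport mode, VLANs the port can carry); None means every VLAN.
    Only the plain 'switchport trunk allowed vlan <list>' form is handled (not add/remove/except);
    a port with no 'switchport mode' keeps the IOS default (dynamic) and still negotiates trunks via DTP."""
    mode, access_vlan, allowed = "dynamic", 1, None
    for cmd in cmds:
        words = cmd.split()
        if cmd.startswith("switchport mode "):
            mode = words[2]
        elif cmd.startswith("switchport access vlan "):
            access_vlan = int(words[3])
        elif cmd.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(words[4])
    return (mode, {access_vlan}) if mode == "access" else (mode, allowed)

def find_guest_vlan_leaks(config: str, guest_vlan: int, permitted: Set[str]) -> List[str]:
    """List every switchport outside `permitted` that can carry guest_vlan."""
    findings = []
    for name, cmds in parse_stanzas(config, "interface ").items():
        if name.lower().startswith("vlan") or name in permitted:
            continue  # SVIs are not switchports; permitted ports are meant to carry it
        mode, vlans = vlans_carried(cmds)
        if vlans is None:
            findings.append(f"{name}: {mode} port with no allowed-vlan list carries every VLAN")
        elif guest_vlan in vlans:
            findings.append(f"{name}: carries VLAN {guest_vlan} ({mode})")
    return findings

def dhcp_pool_networks(config: str) -> Dict[str, str]:
    """Return {pool name: 'network mask'} for each 'ip dhcp pool' stanza."""
    pools = {}
    for name, cmds in parse_stanzas(config, "ip dhcp pool ").items():
        nets = [c[len("network "):] for c in cmds if c.startswith("network ")]
        pools[name] = nets[0] if nets else ""
    return pools

if __name__ == "__main__":
    uplink_and_ap_ports = {"GigabitEthernet1/1/1", "GigabitEthernet1/0/10"}
    for finding in find_guest_vlan_leaks(SW3_CONFIG, 20, uplink_and_ap_ports):
        print("LEAK:", finding)
    print("DHCP pools:", dhcp_pool_networks(SW3_CONFIG))
```

    Run as a script it flags the deliberately misconfigured Gi1/0/12, a trunk whose allowed list was never restricted and which therefore forwards VLAN 20 to whatever is plugged into it. Ports left in the default dynamic mode with no allowed list are reported the same way, since they can still negotiate a trunk over DTP, which is why the `switchport nonegotiate` in the question's uplink config belongs on every trunk port.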

  • Guest access with CWA on ISE

    Hi support community
    We just implemented CWA for wireless guest access using ISE. However, we have an issue: the redirect URL is a name, not an IP address, and the guest DHCP scope uses public DNS servers, so CWA doesn't work unless we set the company DNS servers.
    So my question... is there a way to configure ISE to send the IP address instead of the name for redirection in CWA?
    Many thanks in advance...

    Hi, thanks for answering...
    Yes, the problem is that public DNS servers obviously can't resolve ISE server names. Additionally, the guest VLAN has an ACL blocking all the traffic destined to internal resources, with some exceptions (DHCP, DNS and the ISE port for CWA).
    However, guests can access some company services, but as if they were located on the internet, i.e. through the public IP address, so if we use internal servers, they resolve the internal IP address and connections fail. Muhammad's suggestions could be the solution for the problem... but now it is something to discuss with the DNS server administrator...
    thanks

  • 802.1x Auth-Fail VLAN and Guest-VLAN not available

    Hi Pros,
    Having an issue with an 881 I have recently acquired. I'm wanting to set up a Virtual Office scenario. Everything is working fine except for 802.1x...
    I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan.
    The idea is that if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the Corp network but can still get to the internet.
    I found this link on Cisco's site:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6660/ps6808/deployment_guide_c07_458259_ns855_Networking_Solutions_White_Paper.html
    That link shows them configuring a guest VLAN right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the VLAN interface. I have 802.1x working for things that connect to vlan1, but I would like to have a "fallback" setup.
    EZVPN_Remote(config-if)#int fa1
    EZVPN_Remote(config-if)#dot
    EZVPN_Remote(config-if)#dot1?
    dot1q
    EZVPN_Remote(config-if)#dot1
    EZVPN_Remote(config-if)#int vlan1
    EZVPN_Remote(config-if)#dot1x ?
      default           Configure Dot1x with default values for this port
      host-mode         Set the Host mode for 802.1x on this interface
      max-reauth-req    Max No.of Reauthentication Attempts
      max-req           Max No.of Retries
      pae               Set 802.1x interface pae type
      port-control      set the port-control value
      reauthentication  Enable or Disable Reauthentication for this port
      timeout           Various Timeouts
    Any thoughts why I'm seeing this behavior? Feature-set? IOS Version?
    EZVPN_Remote#sh ver
    Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(2)T4, )
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2011 by Cisco Systems, Inc.
    Compiled Tue 12-Jul-11 21:02 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
    EZVPN_Remote uptime is 6 hours, 1 minute
    System returned to ROM by reload at 14:53:21 UTC Thu Oct 13 2011
    System restarted at 14:52:47 UTC Thu Oct 13 2011
    System image file is "flash:c880data-universalk9-mz.151-2.T4.bin"
    Last reload type: Normal Reload
    Last reload reason: Reload Command
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 881 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memor.
    Processor board ID FTX153482GK
    5 FastEthernet interfaces
    1 Virtual Private Network (VPN) Module
    256K bytes of non-volatile configuration memory.
    126000K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO881-SEC-K9       xxxxxxxx
    License Information for 'c880-data'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Thanks in advance!

    Shameless bump...
