WAP Best Practices

I need to provide wireless access to customers in my customer lounge. I would like to hang a relatively inexpensive AP such as a Linksys WAP54GX on one of my C2950 switches and allow these users to connect "only" to the Internet. I know that having them PAT to a different network IP and setting up DHCP for them will prevent ping scans but not network sniffing to determine a valid address, for instance to static an IP on my corporate LAN. I know the safest solution is to provide a completely separate ISP connection but would like to avoid this. What would be the best way to achieve this? Would hanging the AP on a switch port configured to a different VLAN with corresponding ACLs provide this? If so, how does one configure a VLAN 2, for instance, that only has access to the gateway and does not broadcast corporate LAN packets to the AP users?

Any input greatly appreciated. I have delayed this project for some time due to security implications but need to get it done.

Reply to
stormrunner

You definitely want to put the guest wireless AP into separate VLAN. You can then policy-route that VLAN so that its traffic only flows to the Internet.

Reply to
Merv

Also disable CDP and routing updates (multicasts) on the switch port

Reply to
Merv

I'll assume you're using NAT/PAT on the corporate LAN and therefore are using RFC 1918 IPs. A separate PAT for the wireless should prevent scanning from the wireless side. Something like:

                 Corporate LAN      Wireless router, WAN side   Wireless router, LAN side
    IP           10.0.0.xxx         10.0.0.2                    192.168.1.1
    Gateway      10.0.0.1           10.0.0.1                    (the wireless router)
    Netmask      -                  255.255.255.252             255.255.255.0

With the netmask set to /30, the WAN side of the router can only see 10.0.0.1 and 10.0.0.2, which is all it needs to communicate only with the Internet via the gateway. 10.0.0.3 also needs to be reserved as it's the broadcast IP. Any attempts by clients on the LAN side to ping or access IPs other than 10.0.0.1-10.0.0.3 will go through the default gateway at 10.0.0.1 instead.

Clients on the corporate LAN can sniff the traffic originating to/from the wireless router, but the LAN side of the wireless router never sees any of the corporate traffic.

I've set up only one WLAN this way and found it to be sufficiently secure and to operate as I described. Actually, I used 255.255.255.248 to give me a few more IPs to play with so I could have a local server on the LAN. Before implementing, I suggest you confirm the security with someone who knows more about such things than me.

I'm not 100% sure that this is a totally secure arrangement, but seems adequate with my limited testing. It's also simpler than using a VLAN.

Careful. You started with a wireless router and just brought up an access point. These are quite different animals. The AP is just a bridge. There are no layer 3 services involved. If you're going to separate the traffic, a router or VLAN is required somewhere. If your 2950 is going to be configured as a VLAN, an AP is appropriate. Otherwise, a wireless router might be a better choice.

Sorry. I'm not familiar with the 2950 switch.

Reply to
Jeff Liebermann

If this is the way to go then thanks for confirming my thoughts on this. I tried to do this on Friday by configuring the switch port to static VLAN 2 with access to the trunk. I'm sure I did something incorrectly as I could not ping the gateway. What are the proper config lines to add to the switch port to configure it for VLAN 2 and still forward to the gateway? Afterwards I will sniff the port to verify that isolation from VLAN 1 is complete, and if not, modify accordingly. I have PBR running on the gateway using a route-map; could you include a PBR example for forwarding to the Internet from the switch?

------------------------------------------------------------- I realize this is pretty lame; I have no experience with PBR or VLAN config for switches. We are a small organization, 130 nodes, everything on native VLAN 1.

[not sure if this is even close; I know how to do this on a router but the switch routes at level 2]

access-list 199 permit ip host {ap ip} host {gateway ip} would this somehow be written access-list 199 permit int fa 0/17 0/1

route-map GUEST_ACCESS permit 10 match ???? 199 set next-hop {"port" would this be fa 0/1}

int fa 0/1 ip policy route-map GUEST_ACCESS

(given the router at channel 1 of the switch) I also have an HSRP router at fa 0/22

-------------------------------------------------------------

Reply to
stormrunner

The C2950 is a layer 2 device only. To have multiple VLANs on your C2950 and to implement policy-based routing you will need a router or a layer 3 switch. You will need to implement VLAN trunking (read 802.1Q) between the router and the C2950 layer 2 switch.

On the VLAN interface on the router, configure policy-based routing to allow the guest wireless VLAN traffic to be routed only to the Internet.

BTW over time I would suggest moving entirely off VLAN 1 (native) as it is a security risk.

Reply to
Merv
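The router-on-a-stick layout Merv describes, written out as an added example; this is not a configuration posted in the thread or tested by any of the posters. It puts the AP in VLAN 2 on the C2950, carries VLAN 1 and VLAN 2 over an 802.1Q trunk to the router, and on the router's VLAN 2 subinterface applies an inbound ACL plus a policy route-map. The ACL is an addition beyond Merv's PBR-only suggestion: PBR with `set ip next-hop` still forwards corporate-bound guest packets toward the ISP, so the explicit deny on RFC 1918 destinations is what makes the isolation fail closed. Interface names (Fa0/17 for the AP, Gi0/1 and Fa0/0 for the trunk), the 10.0.0.0/24 corporate subnet (borrowed from the earlier /30 example), the 192.168.2.0/24 guest subnet, the ISP next hop 203.0.113.1 and the resolver 203.0.113.53 are all assumed placeholders.

```cisco
! ===== C2950 (layer 2 only) =====
! Assumption: AP on Fa0/17, uplink to the router on Gi0/1, corporate stays on VLAN 1 for now.
vlan 2
 name GUEST-WIFI
vlan 99
 name TRUNK-NATIVE-UNUSED
!
! The AP is a bridge, so everything it forwards lands in VLAN 2 and nowhere else.
! "no cdp enable" follows Merv's advice: no CDP on the guest-facing port.
interface FastEthernet0/17
 description Guest AP
 switchport mode access
 switchport access vlan 2
 no cdp enable
 spanning-tree portfast
!
! Native VLAN is an unused VLAN and is not in the allowed list, so untagged frames
! on the trunk are dropped instead of landing in the corporate VLAN 1.
interface GigabitEthernet0/1
 description 802.1Q trunk to router
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,2
!
! ===== Router =====
! Guests get addresses from the router; the resolver is an ISP/public placeholder,
! not a corporate DNS server, so no guest traffic needs to reach 10.0.0.0/24.
ip dhcp excluded-address 192.168.2.1
ip dhcp pool GUEST
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server 203.0.113.53
!
interface FastEthernet0/0
 description Trunk to C2950
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0.2
 description Guest wireless, VLAN 2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group GUEST_IN in
 ip policy route-map GUEST_TO_INET
 no cdp enable
!
! Inbound from guests: DHCP and DNS to the router/resolver, nothing else into
! RFC 1918 space (covers the corporate LAN and the router's own addresses), then Internet.
ip access-list extended GUEST_IN
 remark DHCP discover/renew to the router
 permit udp any eq bootpc any eq bootps
 remark DNS to the placeholder resolver
 permit udp 192.168.2.0 0.0.0.255 host 203.0.113.53 eq domain
 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.2.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.2.0 0.0.0.255 any
!
! Policy routing: whatever survives the ACL is handed to the ISP next hop,
! never to a corporate next hop (the ACL above is what stops corporate-bound packets).
ip access-list extended GUEST_SRC
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map GUEST_TO_INET permit 10
 match ip address GUEST_SRC
 set ip next-hop 203.0.113.1
!
! Add 192.168.2.0/24 to the source list of your existing "ip nat inside source list ... overload"
! and put "ip nat inside" on Fa0/0.2 so the guests use the same WAN address via a separate PAT.
!
! Checks after applying:
!   switch# show vlan brief          -> Fa0/17 appears under VLAN 2 only
!   switch# show interfaces trunk    -> Gi0/1 trunking, native 99, VLANs 1,2 allowed
!   router# show ip policy           -> GUEST_TO_INET bound to Fa0/0.2
!   router# show ip access-lists GUEST_IN  -> deny counters climb when a guest pings 10.0.0.x
!   guest PC: ping 10.0.0.5 must fail; traceroute to an Internet host must leave via 203.0.113.1;
!   a sniffer on a VLAN 2 port must show no 10.0.0.x unicast or broadcast traffic.
```

The order of operations on Fa0/0.2 matters for the isolation claim: the inbound ACL is evaluated before the policy route-map, so a guest packet addressed to 10.0.0.0/24 is dropped by GUEST_IN and never reaches `set ip next-hop`. Once the corporate side is moved off VLAN 1 as Merv recommends, only the `encapsulation dot1Q 1` subinterface and the trunk's allowed list need to change.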

for a 2950 802.1Q trunking configuration example, see:

formatting link

Reply to
Merv

You may find the Cisco Solution Designer helpful:

formatting link
as well as the Cisco Product Advisor:

formatting link
Sincerely,

Brad Reese BradReese.Com Cisco Repair Service Experts

formatting link
Hendersonville Road, Suite 17 Asheville, North Carolina USA 28803 USA & Canada: 877-549-2680 United Kingdom: 44-20-70784294 International: 828-277-7272

Reply to
www.BradReese.Com
