WAP Best Practices

Discussion in 'Cisco' started by stormrunner, Oct 1, 2005.

  1. stormrunner

    stormrunner Guest

    I need to provide wireless access to customers in my customer lounge. I
    would like to hang a relatively inexpensive AP such as Linksys WAP54GX on
    one of my C2950 switches and allow these users to connect "only" to the
    internet. I know that having them PAT to a different network IP and setting
    DHCP for them will prevent ping scans but not network sniffing to determine
    a valid address for instance to static an IP on my corporate LAN. I know the
    safest solution is to provide a completely separate ISP connection but would
    like to avoid this. What would be the best way to achieve this.
    Would hanging the AP on a switch port configured to a different VLAN with
    corresponding ACL's provide this. If so how does one configure a VLAN 2 for
    instance that only has access to the gateway and does not broadcast to the
    AP users corporate LAN packets.

    Any input greatly appreciated, I have delayed this project for some time due
    to security implications but need to get done.
    stormrunner, Oct 1, 2005
    #1

  2. stormrunner

    Merv Guest

    You definitely want to put the guest wireless AP into separate VLAN.
    You can then policy-route that VLAN so that its traffic only flows to
    the Internet.
    Merv, Oct 1, 2005
    #2

  3. stormrunner

    Merv Guest

    Also disable CDP and routing updates (multicasts) on the switch port
    Merv, Oct 1, 2005
    #3
  4. On Sat, 1 Oct 2005 10:52:48 -0700, "stormrunner"
    <> wrote:

    >I need to provide wireless access to customers in my customer lounge. I
    >would like to hang a relatively inexpensive AP such as Linksys WAP54GX on
    >one of my C2950 switches and allow these users to connect "only" to the
    >internet. I know that having them PAT to a different network IP and setting
    >DHCP for them will prevent ping scans but not network sniffing to determine
    >a valid address for instance to static an IP on my corporate LAN.


    I'll assume you're using NAT/PAT on the corporate LAN and therefore
    are using RFC-1918 IP's. A separate PAT for the wireless should
    prevent both scanning from the wireless side. Something like:

    Corporate LAN               Wireless Router
                                WAN SIDE                 LAN SIDE
    10.0.0.xxx       =========  IP=10.0.0.2              IP=192.168.1.1
    Gateway=10.0.0.1            GW=10.0.0.1              NM=255.255.255.0
                                NM=255.255.255.252

    With the netmask set to /30, the WAN side of the router can only see
    10.0.0.1 and 10.0.0.2 which is all it needs to communicate only with
    the internet via the gateway. 10.0.0.3 also needs to be reserved as
    it's the broadcast IP. Any attempts by clients on the LAN side to
    ping or access IP's other than 10.0.0.1-10.0.0.3 will go through the
    default gateway at 10.0.0.1 instead.

    Clients on the corporate LAN can sniff the traffic originating to/from
    the wireless router, but the LAN side of the wireless router never
    sees any of the corporate traffic.

    I've set up only one WLAN this way and found it to be sufficiently
    secure and operate as I described. Actually, I used 255.255.255.248
    to give me a few more IP's to play with so I could have a local server
    on the LAN. Before implementing, I suggest you confirm the security
    with someone that knows more about such things than me.

    I'm not 100% sure that this is a totally secure arrangement, but seems
    adequate with my limited testing. It's also simpler than using a
    VLAN.

    >I know the
    >safest solution is to provide a completely separate ISP connection but would
    >like to avoid this.
    >That would be the best way to achieve this.
    >Would hanging the AP on a switch port configured to a different VLAN with
    >corresponding ACL's provide this.


    Careful. You started with a wireless router and just brought up an
    access point. These are quite different animals. The AP is just a
    bridge. There are no layer 3 services involved. If you're going to
    separate the traffic, a router or VLAN is required somewhere. If your
    2950 is going to be configured as a VLAN, an AP is appropriate.
    Otherwise, a wireless router might be a better choice.

    >If so how does one configure a VLAN 2 for
    >instance that only has access to the gateway and does not broadcast to the
    >AP users corporate LAN packets.


    Sorry. I'm not familiar with the 2950 switch.

    >Any input greatly appreciated, I have delayed this project for some time due
    >to security implications but need to get done.



    --
    Jeff Liebermann -cruz.ca.us
    150 Felker St #D http://www.LearnByDestroying.com
    Santa Cruz CA 95060 http://802.11junk.com
    Skype: JeffLiebermann AE6KS 831-336-2558
    Jeff Liebermann, Oct 1, 2005
    #4
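A quick check of Jeff's /30 argument, added here as an example (not code from the thread). It uses Python's ipaddress module with addresses taken from his diagram; the corporate host list is constructed. It shows which destinations the wireless router treats as on-link (it ARPs for them directly) and which it hands to the default gateway, for both his /30 and the /29 he mentions.

```python
import ipaddress

def wan_view(wan_ip, netmask, gateway):
    """Return the WAN-side subnet as the router sees it, checking the gateway is inside it."""
    net = ipaddress.ip_interface(f"{wan_ip}/{netmask}").network
    if ipaddress.ip_address(gateway) not in net:
        raise ValueError("default gateway must be on-link for the WAN side")
    return net

def classify_destinations(wan_ip, netmask, gateway, destinations):
    """Map each corporate address to how the wireless router reaches it:
    'on-link' (it ARPs for the host directly) or 'via-gateway' (the packet is
    sent to the default gateway, where a router ACL or policy route can drop it)."""
    net = wan_view(wan_ip, netmask, gateway)
    return {dst: ("on-link" if ipaddress.ip_address(dst) in net else "via-gateway")
            for dst in destinations}

# Constructed sample: Jeff's layout (WAN 10.0.0.2, gateway 10.0.0.1) plus a few
# corporate hosts that must not be directly reachable from the guest side.
CORPORATE_HOSTS = ["10.0.0.1", "10.0.0.3", "10.0.0.4", "10.0.0.50", "10.0.1.7"]

if __name__ == "__main__":
    for mask in ("255.255.255.252", "255.255.255.248"):  # the /30, then Jeff's /29
        net = wan_view("10.0.0.2", mask, "10.0.0.1")
        print(f"{mask}: WAN subnet {net} ({net.num_addresses} addresses)")
        for dst, how in classify_destinations("10.0.0.2", mask, "10.0.0.1", CORPORATE_HOSTS).items():
            print(f"  {dst}: {how}")
```

Destinations marked via-gateway are only protected if the router at 10.0.0.1 refuses to forward guest traffic back into the corporate LAN; the /30 alone controls what the wireless router ARPs for, not what the gateway routes.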
  5. stormrunner

    stormrunner Guest

    If this is the way to go then thanks for confirming my thoughts on this. I
    tried to do this on Friday by configuring switch port to static VLAN 2 with
    access to the trunk. I'm sure I did something incorrectly as I could not
    ping the gateway. What are the proper config lines to add to the switch port
    to config to VLAN2 and still forward to gateway after I will sniff port to
    verify isolation from VLAN1 is complete if not modify accordingly. I have
    PBR running on gateway using route-map could you include PBR example of
    this for forwarding to internet from switch


    -------------------------------------------------------------
    I realize this is pretty lame have no experience with PBR or VLAN conf for
    switches we are small organization 130 node everything Native VLAN1

    [not sure if this is even close I know how do this on router but switch
    routes level 2]

    access-list 199 permit ip host {ap ip} host {gateway ip}
    would this somehow be written
    access-list 199 permit int fa 0/17 0/1


    route-map GUEST_ACCESS permit 10
    match ???? 199
    set next-hop {"port" would this be fa 0/1}

    int fa 0/1
    ip policy route-map GUEST_ACCESS

    (given router at channel 1 of switch)
    I also have a HSRP router at fa 0/22

    -------------------------------------------------------------


    "Merv" <> wrote in message
    news:...
    > Also disable CDP and routing updates (multicasts) on the switch port
    >
    stormrunner, Oct 1, 2005
    #5
  6. stormrunner

    Merv Guest

    The C2950 is a layer 2 device only. To have multiple VLANs on your
    C2950 and to implement policy-based routing you will need a router or a
    layer 3 switch. You will need to implement VLAN trunking (read 802.1Q)
    between the router and the C2950 layer 2 switch.

    On the VLAN interface on the router, configure policy based routing to
    allow the guest wireless VLAN traffic to be routed only to the Internet


    BTW over time I would suggest moving entirely off VLAN 1 (native) as it
    is a security risk.
    Merv, Oct 1, 2005
    #6
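An added example, not from the thread, for checking the "guest VLAN reaches only the Internet" policy Merv describes before it goes on the router: a small evaluator for IOS-style extended ACL entries of the form stormrunner was reaching for. The guest VLAN 2 subnet (192.168.2.0/24), the ACL number 110 and the probe addresses are constructed assumptions.

```python
import ipaddress

def _parse_addr(tokens):
    """Consume one ACL address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are host masks, which ipaddress accepts as "A/WILDCARD"
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_acl(text):
    """Return [(action, src_net, dst_net)] from 'access-list N permit|deny ip SRC DST' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # only plain 'ip' entries are modelled here
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((t[2], src, dst))
    return entries

def evaluate(entries, src, dst):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

# Constructed policy for the router's guest VLAN subinterface, applied inbound:
# block guest -> RFC 1918 space (the corporate LAN), allow guest -> anything else.
GUEST_ACL = """
access-list 110 deny   ip 192.168.2.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 172.16.0.0 0.15.255.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
"""

def check_guest_flows(acl_text=GUEST_ACL, guest_host="192.168.2.25"):
    """Evaluate representative guest flows; returns {destination: action}."""
    entries = parse_acl(acl_text)
    probes = ["10.0.0.1", "10.0.0.50", "172.16.3.9", "192.168.1.10", "198.51.100.7"]
    return {dst: evaluate(entries, guest_host, dst) for dst in probes}

if __name__ == "__main__":
    for dst, action in check_guest_flows().items():
        print(f"guest -> {dst}: {action}")
```

Note that an ACL referenced by a route-map's match ip address only selects which packets receive the set next-hop; deny entries there fall back to normal routing rather than dropping, so the blocking itself belongs in an access-group on the guest VLAN interface.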
  7. stormrunner

    Merv Guest

    Merv, Oct 1, 2005
    #7
  8. www.BradReese.Com, Oct 2, 2005
    #8
