IP Redirect Application Note
Cisco maintains its leadership in the Enterprise Wireless LAN market by introducing value-added features on a timely basis. One of these features is IP Redirect, which was introduced in Cisco IOS Release 12.3(2) JA. The IP Redirect feature gives a stand-alone Cisco Aironet access point the capability to redirect wireless IP data traffic to an alternate destination IP address on the wired LAN.
The IP Redirect feature is useful not only in vertical markets but also in other applications.
This document introduces the IP Redirect feature, explains its value in deploying wireless networks, identifies caveats, and provides workarounds to them where applicable.
The IP Redirect feature is designed to provide a means of diverting traffic from its specified destination on the wired LAN to a destination chosen by the network administrator. Some examples of how this feature might be used are:
•Establish next-hop routing; for example, pushing all guest traffic within an organization to the Internet router
•Establish guest access in an otherwise secured environment; for example, redirecting traffic to a splash page that details subscription/billing instructions
Supported Access Points
The IP Redirect feature is supported on the following access points:
•Cisco Aironet 1100 Series Access Point (AIR-AP1120/1121 and AIR-AP1130)
•Cisco Aironet 1200 Series Access Point (AIR-AP1200 and AIR-AP1230)
•Cisco Aironet 1300 Series Outdoor Access Point/Bridge operating in access point mode (AIR-BR1310)
This feature is specifically applicable to a retail requirement for directing IP data traffic to a specific destination over a shared network. Some customers may be able to accomplish this using policy-based routing in their routers. However, there are many instances where the store-based routers are managed by service providers or are non-Cisco devices. Further, it is not uncommon for a service provider to charge a customer as much as $100 per store location to provide policy-based routing.
IP Redirect can also be used to automatically redirect traffic to a gateway for guest authentication.
IP Redirection is necessary primarily because there will be mobile clients in use in more than one store.
Dynamic Host Configuration Protocol (DHCP) only provides the IP address reconfiguration of those mobile clients. Manual reconfiguration of application-specific parameters, such as the destination IP address and port of the back office PC and the application proxy, must be done by the mobile client user. This is not feasible because every time such a mobile client is used in another store (often several times per day), the driver must manually reconfigure it. Therefore, these clients are configured with a static destination IP address/port, and redirection in the access point overwrites this address/port with the store-specific addresses. It is also necessary that no other IP traffic occur within the entire WLAN. All communication must be intercepted by applications running on the back office PC. Direct communication between mobile clients and any central infrastructure is considered a security hazard and must be blocked. Access to central data is supplied by application-level proxies with additional security features enabled.
IP Redirect Features and Restrictions
IP Redirect consists of the following features and restrictions:
•Allows the administrator to enable IP Redirect on a per SSID basis. Clients associating to a configured SSID have their IP data redirected to an alternate destination IP address.
•BOOTP/DHCP, DNS, and broadcast traffic are not redirected unless an optional IOS Access Control List (ACL) is configured.
•TCP/UDP port filters can be configured for the wireless data received on the radio interface. If configured, the filters permit the data on the specified ports to be passed (and redirected); data that does not match the port filters is dropped. If no port filters are configured, all data is redirected and no data is dropped.
•IOS ACL filtering takes precedence over IP-redirect TCP/UDP port filters.
•If VLANs are configured, the client's data is forwarded on the VLAN specified in the SSID.
•IP Redirection is not supported in a WLSM Layer 3 Mobility environment.
•Supported Protocols are Telnet and HTTP.
Recommended Set Up
Figure 1 shows a recommended set up, which can be implemented on a large scale depending upon your application.
Figure 1 Recommended IP Redirect Setup
Refer to Figure 1 and follow these steps to configure the IP Redirect feature:
Step 1 Configure an access point with at least two SSIDs and VLANs with any combination of authentication and encryption.
Step 2 Configure at least one wireless client on each SSID and VLAN.
Step 3 Verify that the client on VLAN 20 is able to use Telnet to connect to a host on the wired network for VLAN20.
Step 4 Verify that the client on VLAN 10 is able to use Telnet to connect to a host on the wired network for VLAN10.
Step 5 (Optional) Verify that the clients on each VLAN can browse to a page on the wired-side hosts for their respective VLANs.
Step 6 Choose the Security > Global SSID Manager screen, scroll to the General Settings section, and enable IP Redirection on one of the SSIDs, pointing it to the IP address of the host on the other VLAN as shown in Figure 2.
Figure 2 Enabling IP Redirection
Step 7 Use Telnet or browse to the local wired host and observe that the connection is redirected to the host on the other VLAN.
Step 8 Connect to a random address using Telnet or HTTP and observe that the client session is redirected to the appropriate host.
Step 9 Configure an ACL on the access point designated to drop Telnet or HTTP traffic and retry the connection. The client should be unable to communicate with the specified IP Redirect host.
Step 10 Reconfigure the SSIDs using a variety of authentication and encryption types.
Step 11 Apply a TCP-only filter to the SSID. HTTP sessions should be redirected, but Telnet sessions should not.
Step 12 Attempt to redirect traffic from a variety of client types (PCs, bar-code scanners, PDAs) and operating systems.
Step 13 Experiment with redirection of TCP and UDP protocols, for example UDP: TFTP, NTP, DAYTIME; TCP: SMTP, FTP, WWW, NTP, DAYTIME, and TELNET.
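The following Python model is an added example, not Cisco code or access point firmware: it encodes the forwarding rules from the "IP Redirect Features and Restrictions" list (ACL precedence, the BOOTP/DHCP, DNS and broadcast exemption, and the port-filter whitelist) so that the outcomes expected in Steps 9 and 11 can be checked against constructed client packets. The IOS ACL is represented by a simplified deny set of (protocol, port) pairs, and all addresses are constructed sample values.

```python
from dataclasses import dataclass, field

DHCP_PORTS = {67, 68}                  # BOOTP/DHCP server and client ports
DNS_PORT = 53
LIMITED_BROADCAST = "255.255.255.255"  # broadcast traffic bypasses redirection

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dst_ip: str     # destination the client wrote into the IP header
    dst_port: int

@dataclass
class SsidRedirect:
    redirect_host: str                           # alternate wired-side destination
    tcp_ports: set = field(default_factory=set)  # optional IP-redirect TCP port filters
    udp_ports: set = field(default_factory=set)  # optional IP-redirect UDP port filters
    acl_deny: set = field(default_factory=set)   # constructed stand-in for an IOS ACL

def is_exempt(pkt: Packet) -> bool:
    """BOOTP/DHCP, DNS and broadcast traffic are passed through, not redirected."""
    if pkt.proto == "udp" and pkt.dst_port in DHCP_PORTS:
        return True
    if pkt.dst_port == DNS_PORT:
        return True
    return pkt.dst_ip == LIMITED_BROADCAST

def decide(pkt: Packet, cfg: SsidRedirect) -> str:
    """Return 'drop', 'forward' (unchanged) or 'redirect:<host>' for one client packet."""
    # 1. IOS ACL filtering takes precedence over the IP-redirect port filters (Step 9).
    if (pkt.proto, pkt.dst_port) in cfg.acl_deny:
        return "drop"
    # 2. Traffic the client needs to get onto the network is never rewritten.
    if is_exempt(pkt):
        return "forward"
    # 3. No port filters at all: everything is redirected, nothing is dropped.
    if not cfg.tcp_ports and not cfg.udp_ports:
        return f"redirect:{cfg.redirect_host}"
    # 4. Filters present: only listed ports are redirected, the rest is dropped (Step 11).
    allowed = cfg.tcp_ports if pkt.proto == "tcp" else cfg.udp_ports
    return f"redirect:{cfg.redirect_host}" if pkt.dst_port in allowed else "drop"

def walk_through(cfg: SsidRedirect, packets):
    """Run constructed client traffic against one SSID configuration."""
    return [(p.proto, p.dst_port, decide(p, cfg)) for p in packets]
```

With `SsidRedirect("10.20.0.5", tcp_ports={80})`, an HTTP connection is redirected while a Telnet connection is dropped, which is the behaviour Step 11 asks you to observe.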
Copyright © 2005 Cisco Systems, Inc. All rights reserved.