Create a Virtual LAN for Guest Users on an Integrated Services Router
|
|
|
|
Introduction
This document provides instructions for how to create a virtual LAN
(VLAN) for guest users on your network. A Guest VLAN gives guest users access
to the Internet and separates them from the rest of the network.
Note: VLANs are not supported on Cisco 800 series and SB 100 series
routers.
Back to Top
Requirements
-
You must have completed these worksheets from the
Site
Survey:
-
LAN Addressing Worksheet
-
Internet Worksheet
-
Firewall Worksheet
-
You must have completed the initial configuration of your router. If
you have not configured your router, refer to the
Site
Survey.
Back to Top
VLAN Overview
This section provides an overview of the Guest VLAN and how to use
VLANs in your network.
Supported VLANs
The Site IP Addressing Plan includes subnets for up to four virtual
LANs (VLANs) at each site. Each VLAN has a custom level of security for a
specific type of computer on the network, and uses firewalls to control access
between VLANs.
The site survey defines these VLANs:
-
Default VLAN (20)
-
Network Management VLAN (21)
-
Secure Server VLAN (22)
-
Guest VLAN (23)
The diagram gives an overview of each VLAN in the network. For more
information on other VLANs, refer to the
Configuration
Overview page.
The Guest VLAN
A Guest VLAN gives guest users access to the Internet and separates
them from the rest of the network.
The Guest VLAN provides these benefits:
-
Guest users can send traffic to the Internet and receive valid
responses
-
Guest users cannot communicate with other VLANs
-
Guest users can only use up to 256k bandwidth of the Internet
connection
-
If you have a wireless access point or a wireless router, you can
allow users to access the Guest VLAN with a wireless
connection.
Back to Top
Enable the Guest VLAN
Follow these steps to configure the Guest VLAN on an Integrated
Services Router:
Enable the VLAN on the Router
To enable the Guest VLAN on the router, follow these
steps:
-
Follow these steps to create connect to the router with
Telnet.
-
Click Start > Run.
-
In the Run dialog box, type cmd or
command, and then click OK to open a command
prompt window.
-
At the command prompt, type telnet
router-ip-address
and press
Enter. For
router-ip-address
, use the
Router IP address that you entered in field L6A of the LAN Addressing
Worksheet.
-
Log into the router with the router password that you entered in
field B11 of the Integrated Services Router Worksheet. For more information
about how to access the router, refer to
Configure
Your Router with Security Device Manager.
-
Type enable and press
Enter to enter privileged mode. Enter the enable password that
you entered in field B12 of the Integrated Services Router
Worksheet.
Router> enable
Router#
-
Type configure terminal and press
Enter to enter configuration mode.
Router# configure terminal
Router(config)#
-
Type interface vlan 23 and press
Enter.
Router(config)#interface vlan 23
-
Type description 256kbps Guest network
and press Enter.
Router(config-if)#description 256kbps Guest network
-
Type encapsulation dot1Q 23 and press
Enter.
Router(config-if)#encapsulation dot1Q 23
-
Type ip address
router-ip-address 255.255.255.0 and press
Enter. For
router-ip-address
, use the
Guest network router IP address that you entered in field L6D of the LAN
Addressing Worksheet.
Router(config-if)#ip address 192.168.13.1 255.255.255.0
-
Type ip nat inside and press
Enter.
Router(config-if)#ip nat inside
-
Type rate-limit output 256000 4000 8000 conform-action
transmit exceed-action drop and press
Enter.
Router(config-if)#rate-limit input 256000 4000 8000 conform-action
transmit exceed-action drop
-
Type rate-limit input 256000 4000 8000 conform-action
transmit exceed-action drop and press
Enter.
Router(config-if)#rate-limit input 256000 4000 8000 conform-action
transmit exceed-action drop
-
Type no shutdown and press
Enter.
Router(config-if)#no shutdown
Enable DHCP
To enable DHCP for the Guest network, follow these
steps:
-
Type ip dhcp pool guest and press
Enter.
Router(config-if)#ip dhcp pool guest
-
Type network guest-network
255.255.255.0 and press Enter. For
guest-network
, enter the
subnet for the guest network that you entered in field L1D of the LAN
Addressing Worksheet.
Router(dhcp-config)#network 192.168.13.0 255.255.255.0
-
Type domain-name
yourdomain
and press
Enter. For
yourdomain
, use the domain
name that you entered in field B48 of the Internet
Worksheet.
Router(dhcp-config)#domain-name abcompany.com
-
Type dns-server
dns-server-address
and press
Enter. For
dns-server-address
, use the
DNS server IP address that you entered in field L4 of the LAN Addressing
Worksheet.
Router(dhcp-config)#dns-server 198.6.1.1
-
Type default-router
router-ip-address
and press
Enter. For
router-ip-address
, use the
router IP address that you entered in field L6D of the the Guest VLAN
Addressing Worksheet.
Router(dhcp-config)#default-router 192.168.13.1
-
Type exit and press
Enter.
Router(dhcp-config)#exit
Router(config)#
-
Type ip dhcp excluded-address dhcp-server
end-static-range
and press Enter. For
dhcp-server
, use the DHCP
Server for the Guest network that you entered in field L3D of the LAN
Addressing Worksheet . For
end-static-range
, use the
first three octets of the Guest network followed by .49.
Router(config)#ip dhcp excluded-address 192.168.13.1 192.168.13.49
-
Type ip dhcp excluded-address
dhcp-end-range end-guest-range
and press
Enter. For
dhcp-end-range
, use the DHCP
End Range for the Guest network that you entered in field L51D of the LAN
Addressing Worksheet. For
end-guest-range
, use the
first three octets of the Guest network followed by .254.
Router(config)#ip dhcp excluded-address 192.168.13.250
192.168.13.254
Enable Security
To enable security for the Guest network, follow these
steps:
-
Type access-list 23 permit
guest-subnet 0.0.0.255 and press
Enter. For
guest-subnet
, use the subnet
that you entered in field L1D of the Guest VLAN Addressing
Worksheet.
Router(config)#access-list 23 permit 192.168.13.0 0.0.0.255
-
Type ip nat inside source list 23 interface
wan-interface overload and press
Enter. For
wan-interface
, use the
Internet interface that you entered in field B37 of the Router
worksheet.
Note: If you have more than one available Internet interface, choose
the Internet interface that will be your primary connection to the
Internet.
Router(config)#ip nat inside source list 23 interface Ethernet0/1
overload
-
Follow these steps to create firewall rules for the Guest
VLAN:
-
Type no access-list 123 and press
Enter.
Router(config)#no access-list 123
-
Type access-list 123 remark Traffic from Guest
VLAN and press Enter.
Router(config)#access-list 123 remark Traffic from Guest
VLAN
-
Type access-list 123 permit ip any host
255.255.255.255 and press
Enter.
Router(config)#access-list 123 permit ip any host
255.255.255.255
-
Type access-list 123 permit udp any any eq bootps
and press Enter.
Router(config)#access-list 123 permit udp any any eq bootps
-
Type access-list 123 deny ip any 192.168.0.0
0.0.255.255 and press
Enter.
Router(config)#access-list 123 deny ip any 192.168.0.0 0.0.255.255
-
Type access-list 123 permit ip
guest-subnet 0.0.0.255 any and press
Enter. For
guest-subnet
, use the subnet
that you entered in field L1D of the Guest LAN Addressing Worksheet.
Router(config)#access-list 123 permit ip 192.168.13.0 0.0.0.255 any
-
Type access-list 123 permit ip
guest-subnet 0.0.0.255 any and press
Enter. For
guest-subnet
, use the subnet
that you entered in field L1D of the LAN Addressing
Worksheet.
Router(config)#access-list 123 permit ip 192.168.13.0 0.0.0.255
any
-
Type interface vlan 23 and press
Enter. For
ethernet-interface-name
, use
the name of the first Ethernet interface that you entered in field B35 of the
Router worksheet.
Router(config)#interface vlan 23
-
Type ip access-group 123 in and press
Enter.
Router(config-if)#ip access-group 123 in
-
Type end and press
Enter to exit configuration mode.
Router(config-if)#end
Router#
-
Type write memory and press
Enter to save your configuration.
Router#write memory
Enable the VLAN on an Integrated Switch
Follow these steps to enable the Guest VLAN on an integrated
switch:
-
Type enable and press
Enter to enter privileged mode. Enter the enable password that
you entered in field B12 of the Router Worksheet and press
Enter.
Router> enable
Router#
-
Type vlan database and press
Enter.
Router#vlan database
Router(vlan)#
-
Type vlan 23 name Guest media ethernet state
active and press Enter.
Router(vlan)#vlan 23 name Guest media ethernet state
active
-
Type exit and press
Enter.
Router(vlan)#exit
APPLY completed.
Exiting....
Router#
-
Type configure terminal and press
Enter.
Router#configure terminal
Router(config)#
-
Type spanning-tree vlan 23 root primary
and press Enter.
Router(config-if)#spanning-tree vlan 23 root primary
VLAN 23 bridge priority set to 8192
VLAN 23 bridge max aging time unchanged at 20
VLAN 23 bridge hello time unchanged at 2
VLAN 23 bridge forward delay unchanged at 15
-
Type end and press
Enter.
Router(config-if)#end
Router#
-
Type write memory and press
Enter.
Router#write memory
-
To enable wireless access to the Guest VLAN, proceed to the next
section. If you do not want to enable wireless access to the Guest VLAN,
proceed to Add Users.
Back to Top
Enable Guest on Wireless
Follow these steps to enable the guest network on the wireless antenna
of your ISR:
Note: If you have an ISR without a wireless antenna but that is connected
to an AP, see Enable the Guest Network for an External
AP
-
Type configure terminal and press
Enter.
Router#configure terminal
Router(config)#
-
Follow these steps to configure the first radio
interface:
-
Type interface dot11Radio0 and press
Enter.
Router(config)#interface dot11Radio0
Router(config-if)#
-
Type ssid guest and press
Enter.
Router(config-if)#ssid guest
-
Type vlan 23 and press
Enter.
Router(config-if)#vlan 23
-
Type authentication open and press
Enter.
Router(config-if)#authentication open
-
Type guest-mode and press
Enter.
Router(config-if)#guest-mode
-
Type interface dot11Radio0.23 and
press Enter.
Router(config-if)#interface dot11Radio0.23
-
Type encapsulation dot1Q 23 and press
Enter.
Router(config-subif)#encapsulation dot1Q 23
-
Type no cdp enable and press
Enter.
Router(config-subif)#no cdp enable
-
If you have an Integrated Services Router with a 5.8 Ghz radio,
follow these steps to configure the second radio interface:
Note: If your router does not have a 5.8 Ghz radio, proceed to the
next step.
-
Type interface dot11Radio1 and press
Enter.
Router(config)#interface dot11Radio1
Router(config-if)#
-
Type ssid guest and press
Enter.
Router(config-if)#ssid guest
-
Type vlan 23 and press
Enter.
Router(config-if)#vlan 23
-
Type authentication open and press
Enter.
Router(config-if)#authentication open
-
Type guest-mode and press
Enter.
Router(config-if)#guest-mode
-
Type interface dot11Radio1.23 and
press Enter.
Router(config-if)#interface dot11Radio1.23
-
Type encapsulation dot1Q 23 and press
Enter.
Router(config-subif)#encapsulation dot1Q 23
-
Type no cdp enable and press
Enter.
Router(config-subif)#no cdp enable
-
Type end and press
Enter.
Router(config-subif)#end
Router#
-
Type write memory and press
Enter.
Router#write memory
-
Type exit and press
Enter.
Router#exit
-
Proceed to Add
Users.
Back to Top
Enable the Guest Network for an External AP
To configure an external access point (AP) connected to an Integrated
Service Router (ISR), follow these steps:
Modify the Router
Follow these steps to modify your router to support the Guest VLAN on
an external AP:
Note: If you have a router with an integrated switch and built-in wireless
antenna, see Enable the Guest Network.
-
Type configure terminal and press
Enter.
Router#configure terminal
Router(config)#
-
Type interface
ethernet-interface-name
and press
Enter. For
ethernet-interface-name
, use
the name of the Ethernet interface that is attached to the wireless AP. All of
the Ethernet interfaces are listed in field B35 of the Router worksheet.
Router(config)#interface FastEthernet0/5
-
Type description Wireless AP and press
Enter.
Router(config-if)#description Wireless AP
-
Type switchport mode trunk and press
Enter.
Router(config-if)#switchport mode trunk
-
Type switchport trunk encapsulation
dot1q and press Enter.
Router(config-if)#switchport trunk encapsulation dot1q
-
Type switchport trunk allowed vlan add
23 and press Enter.
Router(config-if)#switchport trunk allowed vlan add 23
-
Type end and press
Enter.
Router(config-if)#end
Router#
-
Type write memory and press
Enter.
Router#write memory
-
Type exit and press
Enter.
Router#exit
Modify the AP
If you have an wireless access point, follow these steps to enable the
Guest VLAN for wireless users:
Note: The wireless configuration does not provide user authentication. Any
wireless computer within range of the Access Point can access the wireless
Guest network.
-
Follow these steps to create connect to the AP with Telnet.
-
Click Start > Run.
-
In the Run dialog box, type cmd or
command, and then click OK to open a command
prompt window.
-
At the command prompt, type telnet
ap-ip-address
and press
Enter. For
ap-ip-address
, use the AP IP
address that you entered in field W10 of the Wireless
Worksheet.
-
Log into the AP with the password you entered in field S5 of the
Wireless Worksheet.
-
Type enable and press
Enter. Enter the enable password that you entered in field W15
of the Wireless Worksheet and press
Enter.
ap>enable
ap#
-
Type configure terminal and press
Enter.
ap#configure terminal
ap(config)#
-
Follow these steps to configure the first radio
interface:
-
Type interface dot11Radio0 and press
Enter.
ap(config)#interface dot11Radio0
ap(config-if)#
-
Type ssid guest and press
Enter.
ap(config-if)#ssid guest
-
Type guest-mode and press
Enter.
ap(config-if-ssid)#guest-mode
-
Type vlan 23 and press
Enter.
ap(config-if-ssid)#vlan 23
-
Type authentication open and press
Enter.
ap(config-if-ssid)#authentication open
-
Type exit and press
Enter.
ap(config-if-ssid)#exit
ap(config-if)#
-
Type interface dot11Radio0.23 and
press Enter.
ap(config-if)#interface dot11Radio0.23
-
Type encapsulation dot1Q 23 and press
Enter.
ap(config-subif)#encapsulation dot1Q 23
-
Type no cdp enable and press
Enter.
ap(config-subif)#no cdp enable
-
Type bridge-group 23 and press
Enter.
ap(config-subif)#bridge-group 23
-
If you have an Aironet 1200 series AP with a 5 Hz radio, follow
these steps to configure the second radio interface:
Note: If your AP does not have a 5 Hz radio, proceed to the next
step.
-
Type interface dot11Radio1 and press
Enter.
ap(config)#interface dot11Radio1
ap(config-if)#
-
Type ssid guest and press
Enter.
ap(config-if)#ssid guest
-
Type guest-mode and press
Enter.
ap(config-if-ssid)#guest-mode
-
Type vlan 23 and press
Enter.
ap(config-if-ssid)#vlan 23
-
Type authentication open and press
Enter.
ap(config-if-ssid)#authentication open
-
Type exit and press
Enter.
ap(config-if-ssid)#exit
ap(config-if)#
-
Type interface dot11Radio1.23 and
press Enter.
ap(config-if)#interface dot11Radio1.23
-
Type encapsulation dot1Q 23 and press
Enter.
ap(config-subif)#encapsulation dot1Q 23
-
Type no cdp enable and press
Enter.
ap(config-subif)#no cdp enable
-
Type bridge-group 23 and press
Enter.
ap(config-subif)#bridge-group 23
-
Type interface FastEthernet0.23 and
press Enter.
ap(config-subif)#interface FastEthernet0.23
-
Type encapsulation dot1Q
23
and press
Enter.
ap(config-subif)#encapsulation dot1Q
23
-
Type bridge-group 23 and press
Enter.
ap(config-subif)#bridge-group 23
-
Type end and press
Enter.
ap(config-subif)#end
ap#
-
Type write memory and press
Enter.
ap#write memory
-
Type exit and press
Enter.
ap#exit
Back to Top
Add Users
To move users to the Guest VLAN, follow these steps:
Add a Wired Guest User
Follow these steps to add a guest user connected directly to a switch
port on the ISR:
-
Type configure terminal and press
Enter.
Router#configure terminal
Router(config)#
-
Type interface FastEthernet
interface-number
and press
Enter. For
interface-number
, use the
number of the switch port that you want to assign to a Guest user. The
available switch ports are listed in field B36 of the Router Worksheet.
Router(config)#interface FastEthernet0/2
Router(config-if)#
-
Type description Guest Switch Port and
press Enter.
Router(config-if)#description Guest Switch Port
-
Type switchport access vlan 23 and press
Enter.
Router(config-if)#switchport access vlan 23
-
Type end and press
Enter.
Router(config-if)#end
Router#
-
Type write memory and press
Enter.
Router#write memory
-
Record the device name in the first available field from fields
L8-L35 of the Guest VLAN Addressing Worksheet.
-
Ensure that the guest device is configured to receive an IP address
automatically. For more information about how to configure an IP address on a
PC, refer to
Configure an
IP Address on Your PC.
Back to Top
Next Step
You have now set up a Guest VLAN on your network.
To make further changes to your network, refer to the
Configuration
Overview page.
Back to Top
Troubleshoot the Procedure
This section provides information about common problems that you may
encounter. If this information does not solve your problem, contact the
SMB
Technical Assistance Center (SMB TAC) for assistance.
Problem
|
Cause(s) and Suggested Solution(s)
|
I cannot connect to the router with Security Device Manager
(SDM).
|
Refer to
Configure
Your Router with Security Device Manager
|
I cannot telnet to my external wireless Access Point
(AP).
|
Refer to
Configure the
Access Point. To enable telnet, go to Services >
Telnet/SSH.
|
I have a guest user that cannot connect to the network on the
Guest VLAN
|
|
Back to Top
Related Information
