Create a Virtual LAN for Guest Users
Introduction
This document provides instructions for how to create a virtual LAN
(VLAN) for guest users on your network. A Guest VLAN gives guest users access
to the Internet and separates them from the rest of the network. If you have a
wireless network, you can also provide wireless access to the Guest
VLAN.
Note: VLANs are not supported on Cisco 800 series and SB 100 series
routers.
Requirements
- You must have completed these worksheets from the Site Survey:
  - LAN Addressing Worksheet
  - Internet Worksheet
  - Firewall Worksheet
- You must have completed the initial configuration of your router, switch, and access point. If you have not configured these devices, refer to the Site Survey.
VLAN Overview
This section provides an overview of the Guest VLAN and how to use
VLANs in your network.
Supported VLANs
The Site IP Addressing Plan includes subnets for up to four virtual
LANs (VLANs) at each site. Each VLAN has a custom level of security for a
specific type of computer on the network, and uses firewalls to control access
between VLANs.
The site survey defines these VLANs:
- Default VLAN (20)
- Network Management VLAN (21)
- Secure Server VLAN (22)
- Guest VLAN (23)
The diagram gives an overview of each VLAN in the network. For more information on other VLANs, refer to the Configuration Overview page.
The Guest VLAN
A Guest VLAN gives guest users access to the Internet and separates
them from the rest of the network.
The Guest VLAN provides these benefits:
- Guest users can send traffic to the Internet and receive valid responses.
- Guest users cannot communicate with other VLANs in the network.
- Guest users can use at most 256 kbps of the Internet connection's bandwidth.
- If you have a wireless access point or a wireless router, you can allow users to access the Guest VLAN with a wireless connection.
Configure the Router
Follow these steps to configure the Guest VLAN on the router:
Enable the VLAN on the Router
To enable the Guest VLAN on the router, follow these steps:
- Follow these steps to connect to the router with Telnet:
  - Click Start > Run.
  - In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
  - At the command prompt, type telnet router-ip-address and press Enter. For router-ip-address, use the Router IP address that you entered in field L6A of the LAN Addressing Worksheet.
- Log into the router with the router password that you entered in field B11 of the Router Worksheet.
- Type enable and press Enter to enter privileged mode. Enter the enable password that you entered in field B12 of the Router Worksheet and press Enter.
  Router>enable
  Password:
  Router#
- Type configure terminal and press Enter to enter configuration mode.
  Router#configure terminal
  Router(config)#
- Type interface ethernet-interface-name.23 and press Enter. For ethernet-interface-name, use the name of the first Ethernet interface that you entered in field B35 of the Router Worksheet.
  Router(config)#interface FastEthernet0/0.23
  Router(config-subif)#
- Type description 256kbps Guest network and press Enter.
  Router(config-subif)#description 256kbps Guest network
- Type encapsulation dot1Q 23 and press Enter.
  Router(config-subif)#encapsulation dot1Q 23
- Type ip address router-ip-address 255.255.255.0 and press Enter. For router-ip-address, use the Guest network router IP address that you entered in field L6D of the Guest VLAN Addressing Worksheet.
  Router(config-subif)#ip address 192.168.13.1 255.255.255.0
- Type rate-limit output 256000 4000 8000 conform-action transmit exceed-action drop and press Enter.
  Router(config-subif)#rate-limit output 256000 4000 8000 conform-action transmit exceed-action drop
- Type rate-limit input 256000 4000 8000 conform-action transmit exceed-action drop and press Enter.
  Router(config-subif)#rate-limit input 256000 4000 8000 conform-action transmit exceed-action drop
- Type ip nat inside and press Enter.
  Router(config-subif)#ip nat inside
- Type no shutdown and press Enter.
  Router(config-subif)#no shutdown
Enable DHCP
To enable DHCP for the Guest network, follow these steps:
- Type ip dhcp pool guest and press Enter.
  Router(config-subif)#ip dhcp pool guest
- Type network guest-network 255.255.255.0 and press Enter. For guest-network, enter the subnet for the guest network that you entered in field L1D of the Guest VLAN Addressing Worksheet.
  Router(dhcp-config)#network 192.168.13.0 255.255.255.0
- Type domain-name yourdomain and press Enter. For yourdomain, use the domain name that you entered in field B48 of the Internet Worksheet.
  Router(dhcp-config)#domain-name abcompany.com
- Type dns-server dns-server-address and press Enter. For dns-server-address, use the DNS server IP address that you entered in field L4 of the LAN Addressing Worksheet.
  Router(dhcp-config)#dns-server 198.6.1.1
- Type default-router router-ip-address and press Enter. For router-ip-address, use the router IP address that you entered in field L6D of the Guest VLAN Addressing Worksheet.
  Router(dhcp-config)#default-router 192.168.13.1
- Type exit and press Enter.
  Router(dhcp-config)#exit
  Router(config)#
- Type ip dhcp excluded-address dhcp-server end-static-range and press Enter. For dhcp-server, use the DHCP Server for the Guest network that you entered in field L3D of the Guest VLAN Addressing Worksheet. For end-static-range, use the first three octets of the Guest network followed by .49.
  Router(config)#ip dhcp excluded-address 192.168.13.1 192.168.13.49
- Type ip dhcp excluded-address dhcp-end-range end-guest-range and press Enter. For dhcp-end-range, use the DHCP End Range for the Guest network that you entered in field L51D of the Guest VLAN Addressing Worksheet. For end-guest-range, use the first three octets of the Guest network followed by .254.
  Router(config)#ip dhcp excluded-address 192.168.13.250 192.168.13.254
Enable Security
To enable security for the Guest network, follow these steps:
- Type access-list 23 permit guest-subnet 0.0.0.255 and press Enter. For guest-subnet, use the subnet that you entered in field L1D of the Guest VLAN Addressing Worksheet.
  Router(config)#access-list 23 permit 192.168.13.0 0.0.0.255
- Type ip nat inside source list 23 interface wan-interface overload and press Enter. For wan-interface, use the Internet interface that you entered in field B37 of the Router Worksheet.
  Note: If you have more than one available Internet interface, choose the Internet interface that will be your primary connection to the Internet.
  Router(config)#ip nat inside source list 23 interface Ethernet0/1 overload
- Follow these steps to create firewall rules for the Guest VLAN. Together, these rules allow DHCP, deny everything else from guest users to 192.168.0.0/16 (the address space of the site's other VLANs), and permit guest traffic to the Internet:
  - Type no access-list 123 and press Enter.
    Router(config)#no access-list 123
  - Type access-list 123 remark Traffic from Guest VLAN and press Enter.
    Router(config)#access-list 123 remark Traffic from Guest VLAN
  - Type access-list 123 permit ip any host 255.255.255.255 and press Enter.
    Router(config)#access-list 123 permit ip any host 255.255.255.255
  - Type access-list 123 permit udp any any eq bootps and press Enter.
    Router(config)#access-list 123 permit udp any any eq bootps
  - Type access-list 123 deny ip any 192.168.0.0 0.0.255.255 and press Enter.
    Router(config)#access-list 123 deny ip any 192.168.0.0 0.0.255.255
  - Type access-list 123 permit ip guest-subnet 0.0.0.255 any and press Enter. For guest-subnet, use the subnet that you entered in field L1D of the Guest VLAN Addressing Worksheet.
    Router(config)#access-list 123 permit ip 192.168.13.0 0.0.0.255 any
- Type interface ethernet-interface-name.23 and press Enter. For ethernet-interface-name, use the name of the first Ethernet interface that you entered in field B35 of the Router Worksheet.
  Router(config)#interface FastEthernet0/0.23
  Router(config-subif)#
- Type ip access-group 123 in and press Enter.
  Router(config-subif)#ip access-group 123 in
- Type end and press Enter to exit configuration mode.
  Router(config-subif)#end
  Router#
- Type write memory and press Enter to save your configuration.
  Router#write memory
- Type exit and press Enter to exit the Telnet session.
  Router#exit
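The access-list 123 entries in the Enable Security steps are what actually isolate guest users, so it is worth checking their effect before applying them. The following Python script is an added example, not part of this Cisco document: it parses those entries as written (with the page's sample subnet 192.168.13.0/24), applies IOS first-match semantics, and evaluates constructed sample flows; the guest host, Internet host and Default VLAN host addresses are constructed for illustration.

```python
import ipaddress
# Copy of the access-list 123 entries from the "Enable Security" steps, with the
# page's sample guest subnet 192.168.13.0/24 (constructed input, remark omitted).
GUEST_ACL = """
access-list 123 permit ip any host 255.255.255.255
access-list 123 permit udp any any eq bootps
access-list 123 deny ip any 192.168.0.0 0.0.255.255
access-list 123 permit ip 192.168.13.0 0.0.0.255 any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):
    """IOS address spec (any | host A | A WILDCARD) -> ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_acl(text):
    """Numbered extended ACL lines -> [(action, proto, src, dst, dport or None)]."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] != "access-list" or t[2] == "remark":
            continue
        src, rest = _addr(t[4:])
        dst, rest = _addr(rest)  # entries on this page qualify only the destination port
        dport = ({"bootps": 67}.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
        rules.append((t[2], t[3], src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    def hit(spec, ip):  # wildcard bits set to 1 are "don't care", as in IOS
        return (_ip(ip) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0
    for action, rproto, rsrc, rdst, rdport in rules:
        if rproto in ("ip", proto) and hit(rsrc, src) and hit(rdst, dst) \
                and rdport in (None, dport):
            return action
    return "deny"

def guest_checks():
    """Constructed flows from guest host 192.168.13.77 (Internet host 203.0.113.10, Default VLAN host 192.168.20.5)."""
    rules = parse_acl(GUEST_ACL)
    return {
        "dhcp_discover": evaluate(rules, "udp", "0.0.0.0", "255.255.255.255", 67),
        "dhcp_renew": evaluate(rules, "udp", "192.168.13.77", "192.168.13.1", 67),
        "internet_web": evaluate(rules, "tcp", "192.168.13.77", "203.0.113.10", 80),
        "default_vlan": evaluate(rules, "tcp", "192.168.13.77", "192.168.20.5", 445),
        # only 192.168.0.0/16 is denied: internal VLANs numbered from 10/8 or 172.16/12 need their own deny entries
        "other_private": evaluate(rules, "tcp", "192.168.13.77", "10.1.1.1", 22),
    }
```

The last entry is the check to repeat with your own site's address plan: any internal range outside 192.168.0.0/16 falls through to the final permit.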
Configure the Switch
Follow these steps to modify your root switch to support the Guest
VLAN:
Enable Guest VLAN on the Root Switch
If you have an external root switch, follow these steps to enable the Guest VLAN on the switch:
Note: This procedure assumes that your router is connected to port 2 of the root switch.
- Follow these steps to connect to the switch with Telnet:
  - Click Start > Run.
  - In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
  - At the command prompt, type telnet switch-ip-address and press Enter. For switch-ip-address, use the switch IP address that you entered in field L8 of the LAN Addressing Worksheet.
- Log into the switch with the password you entered in field S5 of the Switch Port Assignments Worksheet.
- Type enable and press Enter. Enter the enable password that you entered in field S5 of the Switch Port Assignments Worksheet and press Enter.
  switch>enable
  switch#
- Type configure terminal and press Enter.
  switch#configure terminal
  switch(config)#
- Type vlan 23 and press Enter.
  switch(config)#vlan 23
- Type state active and press Enter.
  switch(config-vlan)#state active
- Type name guest and press Enter.
  switch(config-vlan)#name guest
- Type interface FastEthernet0/2 and press Enter.
  Note: For the Catalyst 4500, the slot number of the switch module determines the interface number. For example, if the first switch module is installed in slot 2 of the switch, the correct interface is FastEthernet2/2.
  switch(config-vlan)#interface FastEthernet0/2
  switch(config-if)#
- Type description Internal router port and press Enter.
  switch(config-if)#description Internal router port
- Type switchport trunk allowed vlan add 23 and press Enter.
  switch(config-if)#switchport trunk allowed vlan add 23
- Type exit and press Enter.
  switch(config-if)#exit
  switch(config)#
- Type spanning-tree vlan 23 root primary and press Enter.
  switch(config)#spanning-tree vlan 23 root primary
- Type end and press Enter.
  switch(config)#end
  switch#
- Type write memory and press Enter.
  switch#write memory
- Type exit and press Enter.
  switch#exit
Enable the Guest VLAN on a Non-Root Switch
Follow these steps to enable the Guest VLAN on a non-root switch. Repeat these steps for each non-root switch in your network that uses the Guest VLAN.
Note: This procedure assumes that port 1 of the non-root switch is connected to the root switch.
- Follow these steps to connect to the switch with Telnet:
  - Click Start > Run.
  - In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
  - At the command prompt, type telnet switch-ip-address and press Enter. For switch-ip-address, use the switch IP address that you entered in fields L9-L12 of the LAN Addressing Worksheet.
- Log into the switch with the password you entered in field S64 of the Switch Port Assignments Worksheet.
- Type enable and press Enter. Enter the enable password that you entered in field S64 of the Switch Port Assignments Worksheet and press Enter.
  switch>enable
  switch#
- Type configure terminal and press Enter.
  switch#configure terminal
  switch(config)#
- Type vlan 23 and press Enter.
  switch(config)#vlan 23
- Type state active and press Enter.
  switch(config-vlan)#state active
- Type name guest and press Enter.
  switch(config-vlan)#name guest
- Type interface FastEthernet0/1 and press Enter.
  Note: For the Catalyst 4500, the slot number of the switch module determines the interface number. For example, if the first switch module is installed in slot 2 of the switch, the correct interface is FastEthernet2/1.
  switch(config-vlan)#interface FastEthernet0/1
  switch(config-if)#
- Type switchport trunk allowed vlan add 23 and press Enter.
  switch(config-if)#switchport trunk allowed vlan add 23
- Type exit and press Enter.
  switch(config-if)#exit
  switch(config)#
- Type spanning-tree vlan 23 and press Enter.
  switch(config)#spanning-tree vlan 23
- Type end and press Enter.
  switch(config)#end
  switch#
- Type write memory and press Enter.
  switch#write memory
- Type exit and press Enter.
  switch#exit
Enable Wireless Access
To add wireless access to the Guest VLAN, you need to modify the settings of the switch port connected to the wireless AP. Follow these steps to modify your switch settings to support wireless guest access:
Note: You can use this procedure for the root switch or a non-root switch.
- Follow these steps to connect to the switch with Telnet:
  - Click Start > Run.
  - In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
  - At the command prompt, type telnet switch-ip-address and press Enter. For switch-ip-address, use the switch IP address that you entered in fields L8-L12 of the LAN Addressing Worksheet.
- Log into the switch with the admin password that you entered in field S5 of the Switch Port Assignments Worksheet.
  User Access Verification
  Username: admin
  Password:
  Switch#
- Type configure terminal and press Enter.
  switch#configure terminal
  switch(config)#
- Type interface FastEthernetport-number and press Enter. For port-number, use the switch port number that is attached to the AP, such as FastEthernet0/5.
  Note: For the Catalyst 4500, the slot number of the switch module determines the interface number. For example, if the first switch module is installed in slot 2 of the switch, the correct interface is FastEthernet2/5.
  switch(config)#interface FastEthernet0/5
  switch(config-if)#
- Type description Wireless AP and press Enter.
  switch(config-if)#description Wireless AP
- Type switchport trunk allowed vlan 23 and press Enter.
  Note: Unlike the add form used on the switch-to-switch ports above, this command replaces the port's allowed VLAN list with VLAN 23 alone. If the AP port must also carry its native (management) VLAN or other VLANs, use switchport trunk allowed vlan add 23 instead.
  switch(config-if)#switchport trunk allowed vlan 23
- Type end and press Enter.
  switch(config-if)#end
  switch#
- Type write memory and press Enter.
  switch#write memory
- Type exit and press Enter.
  switch#exit
Configure Wireless Access Point
If you have a wireless access point, follow these steps to enable the Guest VLAN for wireless users:
Note: The wireless configuration does not provide user authentication. Any wireless computer within range of the Access Point can access the wireless Guest network.
- Follow these steps to connect to the AP with Telnet:
  - Click Start > Run.
  - In the Run dialog box, type cmd or command, and then click OK to open a command prompt window.
  - At the command prompt, type telnet ap-ip-address and press Enter. For ap-ip-address, use the AP IP address that you entered in field W10 of the Wireless Worksheet.
- Log into the AP with the password you entered in field S5 of the Wireless Worksheet.
- Type enable and press Enter. Enter the enable password that you entered in field W15 of the Wireless Worksheet and press Enter.
  ap>enable
  ap#
- Type configure terminal and press Enter.
  ap#configure terminal
  ap(config)#
- Follow these steps to configure the first radio interface:
  - Type interface dot11Radio0 and press Enter.
    ap(config)#interface dot11Radio0
    ap(config-if)#
  - Type ssid guest and press Enter.
    ap(config-if)#ssid guest
  - Type guest-mode and press Enter.
    ap(config-if-ssid)#guest-mode
  - Type vlan 23 and press Enter.
    ap(config-if-ssid)#vlan 23
  - Type authentication open and press Enter.
    ap(config-if-ssid)#authentication open
  - Type exit and press Enter.
    ap(config-if-ssid)#exit
    ap(config-if)#
  - Type interface dot11Radio0.23 and press Enter.
    ap(config-if)#interface dot11Radio0.23
  - Type encapsulation dot1Q 23 and press Enter.
    ap(config-subif)#encapsulation dot1Q 23
  - Type no cdp enable and press Enter.
    ap(config-subif)#no cdp enable
  - Type bridge-group 23 and press Enter.
    ap(config-subif)#bridge-group 23
- If you have an Aironet 1200 series AP with a 5 GHz radio, follow these steps to configure the second radio interface:
  Note: If your AP does not have a 5 GHz radio, proceed to the next step.
  - Type interface dot11Radio1 and press Enter.
    ap(config)#interface dot11Radio1
    ap(config-if)#
  - Type ssid guest and press Enter.
    ap(config-if)#ssid guest
  - Type guest-mode and press Enter.
    ap(config-if-ssid)#guest-mode
  - Type vlan 23 and press Enter.
    ap(config-if-ssid)#vlan 23
  - Type authentication open and press Enter.
    ap(config-if-ssid)#authentication open
  - Type exit and press Enter.
    ap(config-if-ssid)#exit
    ap(config-if)#
  - Type interface dot11Radio1.23 and press Enter.
    ap(config-if)#interface dot11Radio1.23
  - Type encapsulation dot1Q 23 and press Enter.
    ap(config-subif)#encapsulation dot1Q 23
  - Type no cdp enable and press Enter.
    ap(config-subif)#no cdp enable
  - Type bridge-group 23 and press Enter.
    ap(config-subif)#bridge-group 23
- Type interface FastEthernet0.23 and press Enter.
  ap(config-subif)#interface FastEthernet0.23
- Type encapsulation dot1Q 23 and press Enter.
  ap(config-subif)#encapsulation dot1Q 23
- Type bridge-group 23 and press Enter.
  ap(config-subif)#bridge-group 23
- Type end and press Enter.
  ap(config-subif)#end
  ap#
- Type write memory and press Enter.
  ap#write memory
- Type exit and press Enter.
  ap#exit
Add Users
To move users from the Default VLAN to the Guest VLAN, follow these steps:
Add a Wired Guest User
Follow these steps to add a wired guest user:
- Record the device name in the first available field from fields L8-L35 of the Guest VLAN Addressing Worksheet.
- Ensure that the guest device is configured to receive an IP address automatically. For more information about how to configure an IP address on a PC, refer to Configure an IP Address on Your PC.
- Refer to Move a LAN User Between Groups and follow the instructions to move the user switch port to the Guest VLAN.
Add a Wireless Guest User
Follow these steps to add a wireless guest user:
- Record the device name in the first available field from fields L8-L35 of the Guest VLAN Addressing Worksheet.
- Ensure that the guest device is configured to receive an IP address automatically. For more information about how to configure an IP address on a PC, refer to Configure an IP Address on Your PC.
- To configure the wireless client with the appropriate security, refer to Configure the Wireless Client Adapter. The Guest network uses the SSID "guest" with no encryption or authentication.
Next Step
You have now set up a Guest VLAN on your network. To make further changes to your network, refer to the Configuration Overview page.
Troubleshoot the Procedure
This section provides information about common problems that you may encounter. If this information does not solve your problem, contact the SMB Technical Assistance Center (SMB TAC) for assistance.