Networking Forums


WAP Best Practices

 
 
stormrunner
10-01-2005, 05:52 PM
I need to provide wireless access to customers in my customer lounge. I
would like to hang a relatively inexpensive AP such as a Linksys WAP54GX on
one of my C2950 switches and allow these users to connect "only" to the
internet. I know that having them PAT to a different network IP and setting
up DHCP for them will prevent ping scans but not network sniffing to determine
a valid address, for instance to static an IP on my corporate LAN. I know the
safest solution is to provide a completely separate ISP connection but would
like to avoid this. What would be the best way to achieve this?
Would hanging the AP on a switch port configured to a different VLAN with
corresponding ACLs provide this? If so, how does one configure a VLAN 2, for
instance, that only has access to the gateway and does not broadcast
corporate LAN packets to the AP users?

Any input greatly appreciated. I have delayed this project for some time due
to security implications but need to get it done.


 
Merv
10-01-2005, 06:03 PM
You definitely want to put the guest wireless AP into a separate VLAN.
You can then policy-route that VLAN so that its traffic only flows to
the Internet.

 
Merv
10-01-2005, 06:13 PM
Also disable CDP and routing updates (multicasts) on the switch port.

 
Jeff Liebermann
10-01-2005, 06:46 PM
On Sat, 1 Oct 2005 10:52:48 -0700, "stormrunner"
<(E-Mail Removed)> wrote:

>I need to provide wireless access to customers in my customer lounge. I
>would like to hang a relatively inexpensive AP such as Linksys WAP54GX on
>one of my C2950 switches and allow these users to connect "only" to the
>internet. I know that having them PAT to a different network IP and setting
>DHCP for them will prevent ping scans but not network sniffing to determine
>a valid address for instance to static an IP on my corporate LAN.


I'll assume you're using NAT/PAT on the corporate LAN and therefore
are using RFC-1918 IP's. A separate PAT for the wireless should
prevent both scanning from the wireless side. Something like:

Corporate            Wireless Router
LAN                  WAN SIDE              LAN SIDE
10.0.0.xxx ========= IP=10.0.0.2           IP=192.168.1.1
Gateway=10.0.0.1     GW=10.0.0.1           NM=255.255.255.0
                     NM=255.255.255.252

With the netmask set to /30, the WAN side of the router can only see
10.0.0.1 and 10.0.0.2 which is all it needs to communicate only with
the internet via the gateway. 10.0.0.3 also needs to be reserved as
it's the broadcast IP. Any attempts by clients on the LAN side to
ping or access IP's other than 10.0.0.1-10.0.0.3 will go through the
default gateway at 10.0.0.1 instead.

Clients on the corporate LAN can sniff the traffic originating to/from
the wireless router, but the LAN side of the wireless router never
sees any of the corporate traffic.

I've set up only one WLAN this way and found it to be sufficiently
secure and operate as I described. Actually, I used 255.255.255.248
to give me a few more IP's to play with so I could have a local server
on the LAN. Before implementing, I suggest you confirm the security
with someone that knows more about such things than me.

I'm not 100% sure that this is a totally secure arrangement, but seems
adequate with my limited testing. It's also simpler than using a
VLAN.

>I know the
>safest solution is to provide a completely separate ISP connection but would
>like to avoid this.
>That would be the best way to achieve this.
>Would hanging the AP on a switch port configured to a different VLAN with
>corresponding ACL's provide this.


Careful. You started with a wireless router and just brought up an
access point. These are quite different animals. The AP is just a
bridge. There are no layer 3 services involved. If you're going to
separate the traffic, a router or VLAN is required somewhere. If your
2950 is going to be configured as a VLAN, an AP is appropriate.
Otherwise, a wireless router might be a better choice.

>If so how does one configure a VLAN 2 for
>instance that only has access to the gateway and does not broadcast to the
>AP users corporate LAN packets.


Sorry. I'm not familiar with the 2950 switch.

>Any input greatly appreciated, I have delayed this project for some time do
>to security implications but need to get done.



--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
stormrunner
10-01-2005, 07:05 PM
If this is the way to go then thanks for confirming my thoughts on this. I
tried to do this on Friday by configuring a switch port to static VLAN 2 with
access to the trunk. I'm sure I did something incorrectly as I could not
ping the gateway. What are the proper config lines to add to the switch port
to configure it for VLAN 2 and still forward to the gateway? After that I will
sniff the port to verify isolation from VLAN 1 is complete and, if not, modify
accordingly. I have PBR running on the gateway using a route-map; could you
include a PBR example of this for forwarding to the internet from the switch?


-------------------------------------------------------------
I realize this is pretty lame; I have no experience with PBR or VLAN config for
switches. We are a small organization, 130 nodes, everything on native VLAN 1.

[not sure if this is even close; I know how to do this on a router but the
switch routes at level 2]

access-list 199 permit ip host {ap ip} host {gateway ip}
would this somehow be written
access-list 199 permit int fa 0/17 0/1


route-map GUEST_ACCESS permit 10
match ???? 199
set next-hop {"port" would this be fa 0/1}

int fa 0/1
ip policy route-map GUEST_ACCESS

(given router at channel 1 of switch)
I also have a HSRP router at fa 0/22

-------------------------------------------------------------


"Merv" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Also disable CDP and routing updates (multicasts) on the switch port
>



 
Merv
10-01-2005, 07:26 PM
The C2950 is a layer 2 device only. To have multiple VLANs on your
C2950 and to implement policy-based routing you will need a router or a
layer 3 switch. You will need to implement VLAN trunking (read 802.1Q)
between the router and the C2950 layer 2 switch.

On the VLAN interface on the router, configure policy-based routing to
allow the guest wireless VLAN traffic to be routed only to the Internet.

BTW, over time I would suggest moving entirely off VLAN 1 (native) as it
is a security risk.
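An added configuration example of the design Merv describes (written for this thread, not posted by anyone in it): the C2950 puts the guest AP port in VLAN 2 and 802.1Q-trunks it to the router, which holds the VLAN interfaces; on the router an inbound ACL on the guest subinterface blocks the corporate address space and a route-map hands the remaining guest traffic straight to the ISP. Assumed values: Fa0/17 (AP) and Fa0/1 (uplink) from stormrunner's post, corporate LAN 10.0.0.0/24 with the router at 10.0.0.1 as in Jeff's diagram, a constructed guest subnet 192.168.2.0/24, and 203.0.113.1 as a placeholder ISP next hop.

```cisco
! ---- Catalyst 2950 (layer 2 only) ----
vlan 2
 name GUEST_WIFI
!
interface FastEthernet0/17
 description Guest wireless AP (access port, VLAN 2 only)
 switchport mode access
 switchport access vlan 2
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet0/1
 description 802.1Q trunk to the router
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
! ---- Router (owns the VLAN interfaces; "router on a stick") ----
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 description Corporate LAN (native VLAN 1)
 encapsulation dot1Q 1 native
 ip address 10.0.0.1 255.255.255.0
!
interface FastEthernet0/0.2
 description Guest wireless VLAN 2 (constructed subnet, assumption)
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group GUEST_IN in
 ip policy route-map GUEST_ACCESS
!
! The inbound ACL does the isolation: DHCP is allowed, anything aimed at
! the corporate address space is dropped, everything else may pass.
! Add a deny line for every other internal range you use.
ip access-list extended GUEST_IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.0.0.255
 permit ip any any
!
! PBR then sends what survived the ACL directly to the ISP next hop
! (placeholder address) instead of consulting the corporate routing table.
access-list 199 permit ip 192.168.2.0 0.0.0.255 any
route-map GUEST_ACCESS permit 10
 match ip address 199
 set ip next-hop 203.0.113.1
```

The ACL, not the route-map, is what keeps guests off the corporate LAN, so verify by sending traffic from a guest client toward a 10.0.0.x host and confirming the deny counter in "show access-lists" increments.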

 
Merv
10-01-2005, 07:30 PM
For a 2950 802.1Q trunking configuration example, see:

http://www.cisco.com/en/US/tech/tk38...800949fd.shtml

 
www.BradReese.Com
10-02-2005, 06:02 PM
You may find the Cisco Solution Designer helpful:

http://www.ciscowebtools.com/sa2/child/1.0/index.asp

as well as the Cisco Product Advisor:

http://tools.cisco.com/GCT/PCTPST/index.jsp

Sincerely,

Brad Reese
BradReese.Com Cisco Repair Service Experts
http://www.BradReese.Com
1293 Hendersonville Road, Suite 17
Asheville, North Carolina USA 28803
USA & Canada: 877-549-2680
United Kingdom: 44-20-70784294
International: 828-277-7272

 