First, I just do tech support for client machines, but I have been tasked with setting up a few IAP-105s for our new WLAN. I am having issues keeping the guests off of the corporate network. My network is set up as follows.
Corporate:
networks: 192.168.x.x and 10.x.x.x (no WLAN on 10.x.x.x network.)
Vlan: 1
Guest:
network: 172.16.20.x
gateway: 192.168.20.1
Vlan: 2000
With the way I have things set up, the 172.16.20.0 can ping the 192.168.x.x network, but the 192.168.x.x cannot ping the 172.16.20.0 network. I don't want them to be able to send any traffic to each other. Is the virtual controller somehow bridging/routing the traffic, or do I have to set up ACLs? The below is the current configuration. Any other suggestions for tweaking the config would be helpful as I am new to all this.
Thanks.
version 6.1.3.0-3.1.0
virtual-controller-country US
virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name IAP_1
virtual-controller-ip 192.168.x.x
terminal-access
clock timezone none 00 00
rf-band all
allow-new-aps
allowed-ap xx:xx:xx:xx:xx
arm
wide-bands 5ghz
min-tx-power 18
max-tx-power 127
band-steering-mode prefer-5ghz
air-time-fairness-mode fair-access
client-aware
scanning
syslog-level warn ap-debug
syslog-level warn network
syslog-level warn security
syslog-level warn system
syslog-level warn user
syslog-level warn user-debug
syslog-level warn wireless
mgmt-user xxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
wlan access-rule default_wired_port_profile
rule any any match any any any permit
wlan access-rule Guest
rule any any match any any any permit
wlan access-rule Corporate
rule any any match any any any permit
wlan ssid-profile Guest
index 0
type guest
essid Guest
wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
opmode wpa2-psk-aes
max-authentication-failures 3
vlan 2000
set-role-pre-auth Guest
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter none
air-time-limit 20
blacklist
dmo-channel-utilization-threshold 90
wlan ssid-profile Corporate
index 1
type employee
essid Corporate
wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
opmode wpa2-psk-aes
max-authentication-failures 0
vlan 1
rf-band all
captive-portal disable
dtim-period 1
inactivity-timeout 1000
broadcast-filter none
blacklist
dmo-channel-utilization-threshold 90
enet-vlan guest
wlan external-captive-portal
server localhost
port 80
url "/"
auth-text "Authenticated"
blacklist-time 3600
auth-failure-blacklist-time 3600
ids classification
ids
wireless-containment none
ip dhcp Guest
server-type local
server-vlan 2000
subnet 172.16.20.0
subnet-mask 255.255.255.0
lease-time 14400
dns-server 8.8.8.8,8.8.4.4
wired-port-profile default_wired_port_profile
switchport-mode trunk
allowed-vlan 1
native-vlan 1
no shutdown
access-rule-name default_wired_port_profile
speed auto
duplex auto
poe
type employee
captive-portal disable
wired-port-profile Guest
switchport-mode trunk
allowed-vlan 2000
native-vlan 2000
no shutdown
access-rule-name Guest
speed auto
duplex auto
poe
type guest
captive-portal disable
enet0-port-profile default_wired_port_profile
enet1-port-profile default_wired_port_profile
enet2-port-profile default_wired_port_profile
uplink
preemption
enforce none
l3-mobility
#3600
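As an added example (not part of the original post), the guest access rule above permits everything, so the virtual controller forwards guest traffic to the corporate subnets. Replacing it with deny rules for the corporate ranges listed in the post, followed by the permit-any, blocks guest-to-corporate traffic at the AP; the rule syntax is assumed to match the `rule <dst> <mask> match <proto> <sport> <dport> <action>` form already used in the posted config, evaluated top-down, first match wins.

```text
wlan access-rule Guest
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule any any match any any any permit
```

After applying it, verify from a guest client that pings and connections to 192.168.x.x and 10.x.x.x hosts fail while DNS (8.8.8.8) and Internet access still work.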