Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

Need help securing and separating corporate and guest networks

  • 1.  Need help securing and separating corporate and guest networks

    Posted Nov 23, 2012 11:48 AM

    First, I just do tech support for client machines, but I have been tasked with setting up a few IAP-105s for our new WLAN. I am having issues keeping the guests off of the corporate network. My network is set up as follows.

    Corporate:
    networks: 192.168.x.x and 10.x.x.x (no WLAN on the 10.x.x.x network.)
    Vlan: 1

    Guest:
    network: 172.16.20.x
    gateway: 192.168.20.1
    Vlan: 2000

    With the way I have things set up, the 172.16.20.0 network can ping the 192.168.x.x network, but the 192.168.x.x network cannot ping the 172.16.20.0 network. I don't want them to be able to send any traffic to each other. Is the virtual controller somehow bridging/routing the traffic, or do I have to set up ACLs? Below is the current configuration. Any other suggestions for tweaking the config would be helpful as I am new to all this.

    Thanks.

     

    version 6.1.3.0-3.1.0
    virtual-controller-country US
    virtual-controller-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    name IAP_1
    virtual-controller-ip 192.168.x.x
    terminal-access
    clock timezone none 00 00
    rf-band all

    allow-new-aps
    allowed-ap xx:xx:xx:xx:xx

    arm
     wide-bands 5ghz
     min-tx-power 18
     max-tx-power 127
     band-steering-mode prefer-5ghz
     air-time-fairness-mode fair-access
     client-aware
     scanning

    syslog-level warn ap-debug
    syslog-level warn network
    syslog-level warn security
    syslog-level warn system
    syslog-level warn user
    syslog-level warn user-debug
    syslog-level warn wireless

    mgmt-user xxxxxxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    wlan access-rule default_wired_port_profile
     rule any any match any any any permit

    wlan access-rule Guest
     rule any any match any any any permit

    wlan access-rule Corporate
     rule any any match any any any permit

    wlan ssid-profile Guest
     index 0
     type guest
     essid Guest
     wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     opmode wpa2-psk-aes
     max-authentication-failures 3
     vlan 2000
     set-role-pre-auth Guest
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     air-time-limit 20
     blacklist
     dmo-channel-utilization-threshold 90

    wlan ssid-profile Corporate
     index 1
     type employee
     essid Corporate
     wpa-passphrase xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     opmode wpa2-psk-aes
     max-authentication-failures 0
     vlan 1
     rf-band all
     captive-portal disable
     dtim-period 1
     inactivity-timeout 1000
     broadcast-filter none
     blacklist
     dmo-channel-utilization-threshold 90

    enet-vlan guest

    wlan external-captive-portal
     server localhost
     port 80
     url "/"
     auth-text "Authenticated"

    blacklist-time 3600
    auth-failure-blacklist-time 3600

    ids classification

    ids
     wireless-containment none

    ip dhcp Guest
     server-type local
     server-vlan 2000
     subnet 172.16.20.0
     subnet-mask 255.255.255.0
     lease-time 14400
     dns-server 8.8.8.8,8.8.4.4

    wired-port-profile default_wired_port_profile
     switchport-mode trunk
     allowed-vlan 1
     native-vlan 1
     no shutdown
     access-rule-name default_wired_port_profile
     speed auto
     duplex auto
     poe
     type employee
     captive-portal disable

    wired-port-profile Guest
     switchport-mode trunk
     allowed-vlan 2000
     native-vlan 2000
     no shutdown
     access-rule-name Guest
     speed auto
     duplex auto
     poe
     type guest
     captive-portal disable

    enet0-port-profile default_wired_port_profile
    enet1-port-profile default_wired_port_profile
    enet2-port-profile default_wired_port_profile

    uplink
     preemption
     enforce none

    l3-mobility




  • 2.  RE: Need help securing and separating corporate and guest networks

    EMPLOYEE
    Posted Nov 23, 2012 01:20 PM

    In the guest role you would simply block any traffic to the networks that you don't want users to get to.  The only exception would be for DNS if you are giving users an internal DNS server address.

     



  • 3.  RE: Need help securing and separating corporate and guest networks

    Posted Nov 23, 2012 02:32 PM

    I added a new guest ACL and it does block the traffic. I was not sure if it was supposed to bridge the traffic between different subnets automatically or if I had something not set up correctly in my config.

     

    wlan access-rule Guest
     rule 192.168.0.0 255.255.0.0 match any any any deny
     rule 10.0.0.0 255.0.0.0 match any any any deny
     rule any any match any any any permit

     

    Are there any other tweaks that I should make regarding security?
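
    The following is an added illustration, not code from the thread or from Aruba, of why the ACL in post 3 works and why rule order matters for the DNS exception mentioned in post 2. It models the Instant "wlan access-rule" lines as a first-match list with the assumed form "rule <dest> <mask> match <proto> <start-port> <end-port> <permit|deny>" (destination-based, "any any" meaning every destination). Unmatched traffic is modelled as denied, which is an assumption of this example, and 192.168.1.10 is a placeholder for an internal DNS server.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example: a first-match model of the Instant access-rule syntax seen in
# the thread. Assumed line form (destination-based):
#   rule <dest> <mask> match <proto> <start-port> <end-port> <permit|deny>
# "rule any any match ..." is taken to mean destination 0.0.0.0/0.


@dataclass
class Rule:
    dest: ipaddress.IPv4Network
    proto: str        # "any", "tcp", "udp", ...
    start_port: str   # "any" or a port number as text
    end_port: str
    action: str       # "permit" or "deny"


def parse_access_rule(text: str) -> List[Rule]:
    """Parse the 'rule ...' lines of one access-rule block, keeping their order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the 'wlan access-rule <name>' header and blank lines.
        if len(parts) != 8 or parts[0] != "rule" or parts[3] != "match":
            continue
        if parts[1] == "any":
            dest = ipaddress.ip_network("0.0.0.0/0")
        else:
            # ipaddress accepts a dotted mask after the slash.
            dest = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
        rules.append(Rule(dest, parts[4], parts[5], parts[6], parts[7]))
    return rules


def evaluate(rules: List[Rule], dst_ip: str, proto: str = "any",
             port: Optional[int] = None) -> str:
    """Return the action of the first rule matching a flow to dst_ip.
    No matching rule is modelled as 'deny' (an assumption of this example)."""
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if dst not in r.dest:
            continue
        if r.proto != "any" and r.proto != proto:
            continue
        if r.start_port != "any":
            if port is None or not (int(r.start_port) <= port <= int(r.end_port)):
                continue
        return r.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule matching
    any protocol and any port already covers their whole destination."""
    out = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.proto == "any" and earlier.start_port == "any"
                    and r.dest.subnet_of(earlier.dest)):
                out.append(i)
                break
    return out


# The poster's original Guest rule: everything permitted.
ORIGINAL_GUEST = """wlan access-rule Guest
 rule any any match any any any permit
"""

# The corrected block from post 3.
FIXED_GUEST = """wlan access-rule Guest
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule any any match any any any permit
"""

# Post 2's DNS exception for an internal resolver (192.168.1.10 is a
# constructed placeholder), placed before the deny so it can match.
GUEST_WITH_DNS = """wlan access-rule Guest
 rule 192.168.1.10 255.255.255.255 match udp 53 53 permit
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule any any match any any any permit
"""

# Same rules with the DNS permit after the deny: it is shadowed and never fires.
GUEST_DNS_MISORDERED = """wlan access-rule Guest
 rule 192.168.0.0 255.255.0.0 match any any any deny
 rule 192.168.1.10 255.255.255.255 match udp 53 53 permit
 rule 10.0.0.0 255.0.0.0 match any any any deny
 rule any any match any any any permit
"""

if __name__ == "__main__":
    for name, cfg in [("original", ORIGINAL_GUEST), ("fixed", FIXED_GUEST),
                      ("dns-ok", GUEST_WITH_DNS), ("dns-bad", GUEST_DNS_MISORDERED)]:
        rules = parse_access_rule(cfg)
        print(name, "to corp host:", evaluate(rules, "192.168.5.20"),
              "| to internal DNS:", evaluate(rules, "192.168.1.10", "udp", 53),
              "| shadowed:", shadowed_rules(rules))
```

    The shadowed_rules check is the part worth keeping around: on a first-match list, a narrow permit placed after a broad deny is silently dead, which is exactly how a DNS exception ends up "not working" after an ACL edit.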



  • 4.  RE: Need help securing and separating corporate and guest networks

    EMPLOYEE
    Posted Nov 23, 2012 03:25 PM

    That looks correct based on the information you provided.

     

     



  • 5.  RE: Need help securing and separating corporate and guest networks

    Posted Nov 26, 2012 11:44 AM

    Would it be advisable to setup a GRE tunnel to a CISCO router for the guest network? Would this further help keep the guests from accessing the corporate network?



  • 6.  RE: Need help securing and separating corporate and guest networks

    EMPLOYEE
    Posted Nov 26, 2012 02:22 PM

    It will not provide more protection.  Every packet goes through the access points' firewall and anything that needs to be dropped as per your rule, will be dropped at the access point promptly.  That is the advantage of an integrated firewall.

     



  • 7.  RE: Need help securing and separating corporate and guest networks

    Posted Nov 26, 2012 08:05 PM

    Thanks. Is there anything else that I should do to secure the AP?



  • 8.  RE: Need help securing and separating corporate and guest networks

    EMPLOYEE
    Posted Nov 26, 2012 08:16 PM

    Strong admin password ;)