Cisco LWAP rollout, anyone done one?

Berg0

Looking at rolling out some Cisco lightweight access points (4 AP-1010s and 2 AP-1130s in lightweight mode on a WLC-2106).

Trying to figure out how to do this securely.
Plan is to have 3 SSIDs between 2 VLANs.
We'll call one VLAN 1, which is the internal network for trusted company-owned devices, and the other we'll call VLAN 2, which will be comprised of one SSID for guests and another SSID for employees (personal devices). This network will be internet only, but all traffic is routed through the Catalyst core for ALL VLANs.

Now, ideally we'd just have the WLC completely segregated, but the requirement is to not have to have people on VLAN 1 VPN to get access to the corporate LAN, which makes things difficult. We have concerns regarding the possibility of people screwing around and doing L2 attacks which could affect our core (Catalyst 4510R): MAC flooding etc. Due to other requirements we will also be doing the DHCP relay on the core, and not the WLC, for all wireless clients.

Without having these physically separate, what precautions should I be taking? Right now it's just going to be ACLs filtering traffic to private networks, and allowing DHCP traffic on the core.