Wireless VLAN - Not sure?

Joined
Dec 5, 2003
Messages
517
As many of you may know I have been deploying Cisco Aironet wireless nodes. I have configured the node with WPA2 Enterprise using the built-in RADIUS server with LEAP authentication. Now I have another hurdle to jump.... separating the wireless network from the internal network. The equipment at the sites is SOHO, so there are no provisions for VLANs on the router (standard linksys affair). I was hoping I could configure the Cisco Aironet AP to block wireless nodes from accessing the internal network. The idea of creating a separate network using VLANs is the first idea that popped in my head... hopefully I can use the DHCP server built-in to the router.... not sure though. I am not familiar with VLANs, so I am directionless on this one. I think I might need a VLAN capable router/switch to make this happen. Correct me if I am wrong? Any other ideas would be greatly appreciated.
 

YeOldeStonecat

[H]F Junkie
Joined
Jul 19, 2004
Messages
11,330
What model is the existing Linksys gear? With some 3rd-party firmware such as DD-WRT you may get lots of VLAN features for free.
 

bealzz

Gawd
Joined
Jun 4, 2003
Messages
545
Or instead of a managed switch, you could just run all your wireless access points back to an unmanaged switch that doesn't connect to your internal network, and then have an uplink to a box or router that can segregate the traffic. That way your wireless data is separate and you don't need to invest in a managed switch.
 

MorfiusX

2[H]4U
Joined
Feb 13, 2004
Messages
3,007
> Or instead of a managed switch, you could just run all your wireless access points back to an unmanaged switch that doesn't connect to your internal network, and then have an uplink to a box or router that can segregate the traffic. That way your wireless data is separate and you don't need to invest in a managed switch.

This won't work because, IIRC, he is trying to use a single AP to host multiple SSIDs with each SSID on a separate VLAN for segregation.
 

Vengance_01

Supreme [H]ardness
Joined
Dec 23, 2001
Messages
6,541
Bite the bullet and run a managed switch. Separate VLANs are very nice. How big is your current infrastructure?
 

WesM63

2[H]4U
Joined
Aug 29, 2004
Messages
3,266
So you have Cisco Aironet and then a Linksys router? lols

I have customers do it all the time. Too cheap to buy a WLC or NAC, so they use a Linksys router on the Internet-only VLAN to access the Internet.
 
Joined
Dec 5, 2003
Messages
517
> So you have Cisco Aironet and then a Linksys router? lols

I have nothing to do with the current infrastructure. I was hired to deploy Cisco wireless nodes that comply with HIPAA guidelines. I have deployed as many security measures as possible... EAP-FAST with WPA2 (AES+CCMP). However, I would like to put the wireless nodes on their own broadcast domain and block access to the local wired subnet.
 

MorfiusX

2[H]4U
Joined
Feb 13, 2004
Messages
3,007
> I have nothing to do with the current infrastructure. I was hired to deploy Cisco wireless nodes that comply with HIPAA guidelines. I have deployed as many security measures as possible... EAP-FAST with WPA2 (AES+CCMP). However, I would like to put the wireless nodes on their own broadcast domain and block access to the local wired subnet.

That's one of the things the controller is designed to do. You could piece this together other ways, but you can have all of your wireless stuff centrally controlled which will help when/if you start doing HIPAA audits.
 
Joined
Dec 5, 2003
Messages
517
> Bite the bullet and run a managed switch. Separate VLANs are very nice. How big is your current infrastructure?

Yeah... or a smart switch. However, the infrastructure is very small.... 5 workstations maximum, and a single wireless AP. Can you still use the DHCP server on the Linksys router over VLANs? I would assume so, since you are still using the same subnet, just logically separating the two networks.
 
Joined
Dec 5, 2003
Messages
517
> Or instead of a managed switch, you could just run all your wireless access points back to an unmanaged switch that doesn't connect to your internal network, and then have an uplink to a box or router that can segregate the traffic. That way your wireless data is separate and you don't need to invest in a managed switch.

Can you explain this solution in more detail? I would need to invest in a router that is capable of running VLANs... correct?
 
Joined
Dec 5, 2003
Messages
517
> This won't work because, IIRC, he is trying to use a single AP to host multiple SSIDs with each SSID on a separate VLAN for segregation.

Actually I only need a single SSID... I just want to separate traffic on the same subnet... block access to the wired network from the wireless clients.
 
Joined
Dec 5, 2003
Messages
517
> That's one of the things the controller is designed to do. You could piece this together other ways, but you can have all of your wireless stuff centrally controlled which will help when/if you start doing HIPAA audits.

The WLAN controller seems a bit over the top considering there will be one AP per site.
 

MorfiusX

2[H]4U
Joined
Feb 13, 2004
Messages
3,007
> The WLAN controller seems a bit over the top considering there will be one AP per site.

I must be getting your thread confused for another, sorry. If you used something like an ASA5505, it can do port isolation which is kinda what you are looking for. This can also be done with most *Nix FWs.
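As an added illustration of the "*Nix FW" route suggested above (this is not the poster's configuration, nor anything from the thread), here is an nftables ruleset for a small Linux box sitting between the AP and the wired LAN. It assumes three interfaces, eth0 (Internet uplink), eth1 (wired LAN) and eth2 (the port the AP is plugged into), and that the box hands out DHCP and DNS to the wireless segment; those interface names, the port numbers and the addressing are assumptions for the example. The effect is what the original poster asked for: wireless clients reach the Internet but cannot open connections to the wired subnet, while the wired side keeps full access.

```nftables
#!/usr/sbin/nft -f
# Added example ruleset, not from the thread.
# Assumed interfaces: eth0 = Internet uplink, eth1 = wired LAN, eth2 = wireless AP port.
# The wireless segment is its own broadcast domain behind eth2; this box is its gateway.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # Wireless clients may only talk to the router itself for DHCP and DNS.
        iifname "eth2" udp dport { 67, 53 } accept
        iifname "eth2" tcp dport 53 accept
        # Wired LAN may manage the router (assumed: SSH on port 22).
        iifname "eth1" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # The rule the thread is about: wireless may not initiate anything toward the wired LAN.
        iifname "eth2" oifname "eth1" drop
        # Wireless clients get the Internet only.
        iifname "eth2" oifname "eth0" accept
        # Wired LAN may go anywhere, including to the AP's management address on eth2;
        # replies come back through the established,related rule above.
        iifname "eth1" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Hide both inside segments behind the uplink address.
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f <file>` and check the counters with `nft list ruleset`. Because the forward chain's policy is drop, anything not explicitly allowed (for example wireless to wired) is discarded even if a later rule is mistyped, which is the safer failure mode for a HIPAA-driven segmentation requirement; the drop rule for eth2 to eth1 is kept explicit anyway so the intent is visible in the ruleset.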
 