Lab 21 - Public & Enterprise wlan users differentiation

4.4 1 1 1 1 1 Rating 4.40 (5 Votes)

Lab description

The aim of this Packet Tracer 6.2 lab is to configure an campus network allowing authenticated enterprise users to access enterprise ressources using their mobile devices while allowing a filtered public wireless access for unregistered users.

Two access points are connected to an access switch to publish two différent SSID ("default" and "Secured"). The basic access point broadcasts the public SSID. The Linksys AP broadcasts the protected SSID as this AP can be configured for WPA Enterprise security. Each SSID is mapped to a single vlan : vlan 20 for secure SSID, vlan 30 for public SSID. In a real world architecture, we would be using a Cisco Wireles Lan Controller (WLC) and Leight Weight AP but those devices are not available in Packet Tracer 6.2 . Rumors indicate that WLC colud be available in th next Packet Tracer version (Packet Tracer 7.0).

The VLAN interface of the secure ssid (interface vlan 20) is hosted by the campus core and he traffic is directly routed to the datacenter. The VLAN interface of the public ssid (interface vlan 30) is hosted by the ASA firewall on it's outside interface. The public traffic is filtered before entering the campus

Lab Topology

Packet Tracer 6.2 lab 21 (wlan user differentiationà topology

Lab solution

Step 1 : Campus CORE configuration

The campus core primary function is high speed routing. In this small campus design, core and distribution functions are collapsed on the same L3 switch. OSPF is configured for advertising classless 10.0.0.0/8 subnets (ip classless). A static route is configured through the ASA firewall to allow routing to the public wireless network. The static route is redistributed in OSPF and advertised as an external route (E2).

version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CAMPUS-CORE
!
ip routing
!
interface Port-channel 1
 no switchport
 ip address 10.1.0.1 255.255.255.248
!
interface FastEthernet0/1
 no switchport
 channel-protocol lacp
 channel-group 1 mode active
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/2
 no switchport
 channel-group 1 mode active
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/23
 switchport access vlan 30
!
interface FastEthernet0/24
 no switchport
 ip address 10.1.0.9 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
!
router ospf 1
 log-adjacency-changes
 redistribute static subnets 
 network 10.0.0.0 0.255.255.255 area 0
!
ip classless
ip route 10.1.30.0 255.255.255.0 10.1.0.10 
!

Step 2 : ASA Firewall configuration

The ASA firewall own the public subnet gateway. This vlan interface is configured with a zero security-level to drop all incoming traffic by default. ICMP traffic from the campus to public subnet is allowed and inspected by the policy-map. The traffic inspection allows the return traffic coming from the public subnet to cross the firewall.

ASA Version 8.4(2)
!
hostname ciscoasa
names
!
interface Ethernet0/0
 switchport access vlan 30
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.1.0.10 255.255.255.248
!
interface Vlan2
 no nameif
 no security-level
 ip address dhcp
!
interface Vlan30
 nameif outside
 security-level 0
 ip address 10.1.30.1 255.255.255.0
!
!
route inside 0.0.0.0 0.0.0.0 10.1.0.9 1
!
class-map icmp-class
 match default-inspection-traffic
!
policy-map icmp_policy
 class icmp-class
  inspect icmp 
!
service-policy icmp_policy global

Step 3 : Access switch configuration

version 12.2
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname CAMPUS-ACCESS-01
!
spanning-tree mode pvst
!
interface FastEthernet0/1
 switchport access vlan 30
!
interface FastEthernet0/2
 switchport access vlan 20
!
interface GigabitEthernet0/1
 switchport mode trunk
!