The aim of this wireless Packet Tracer lab is to configure a campus network allowing authenticated enterprise users to access enterprise ressources using their mobile devices while allowing a filtered public wireless access for unregistered users.
Two access points are connected to an access switch to publish two différent SSID ("default" and "Secured"). The basic access point broadcasts the public SSID. The Linksys AP broadcasts the protected SSID as this AP can be configured for WPA Enterprise security. Each SSID is mapped to a single vlan : vlan 20 for secure SSID, vlan 30 for public SSID. In a real world architecture, we would be using a Cisco Wireles Lan Controller (WLC) and Leight Weight AP. Support for Wireless Lan Controller (WLC) has been added in Packet Tracer 7.1 with the introduction of the Cisco 2504 Wireless Controller (limited functionalities).
The VLAN interface of the secure ssid (interface vlan 20) is hosted by the campus core and he traffic is directly routed to the datacenter. The VLAN interface of the public ssid (interface vlan 30) is hosted by the ASA firewall on it's outside interface. The public traffic is filtered before entering the campus
Step 1 : Campus CORE configuration
The campus core primary function is high speed routing. In this small campus design, core and distribution functions are collapsed on the same L3 switch. OSPF is configured for advertising classless 10.0.0.0/8 subnets (ip classless). A static route is configured through the ASA firewall to allow routing to the public wireless network. The static route is redistributed in OSPF and advertised as an external route (E2).
version 12.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname CAMPUS-CORE ! ip routing ! interface Port-channel 1 no switchport ip address 10.1.0.1 255.255.255.248 ! interface FastEthernet0/1 no switchport channel-protocol lacp channel-group 1 mode active no ip address duplex auto speed auto ! interface FastEthernet0/2 no switchport channel-group 1 mode active no ip address duplex auto speed auto ! interface FastEthernet0/23 switchport access vlan 30 ! interface FastEthernet0/24 no switchport ip address 10.1.0.9 255.255.255.248 duplex auto speed auto ! interface GigabitEthernet0/1 switchport trunk encapsulation dot1q switchport mode trunk ! interface GigabitEthernet0/2 switchport trunk encapsulation dot1q switchport mode trunk ! interface Vlan1 no ip address shutdown ! interface Vlan10 ip address 10.1.10.1 255.255.255.0 ! interface Vlan20 ip address 10.1.20.1 255.255.255.0 ! router ospf 1 log-adjacency-changes redistribute static subnets network 10.0.0.0 0.255.255.255 area 0 ! ip classless ip route 10.1.30.0 255.255.255.0 10.1.0.10 !
Step 2 : ASA Firewall configuration
The ASA firewall own the public subnet gateway. This vlan interface is configured with a zero security-level to drop all incoming traffic by default. ICMP traffic from the campus to public subnet is allowed and inspected by the policy-map. The traffic inspection allows the return traffic coming from the public subnet to cross the firewall.
ASA Version 8.4(2) ! hostname ciscoasa names ! interface Ethernet0/0 switchport access vlan 30 ! interface Vlan1 nameif inside security-level 100 ip address 10.1.0.10 255.255.255.248 ! interface Vlan2 no nameif no security-level ip address dhcp ! interface Vlan30 nameif outside security-level 0 ip address 10.1.30.1 255.255.255.0 ! ! route inside 0.0.0.0 0.0.0.0 10.1.0.9 1 ! class-map icmp-class match default-inspection-traffic ! policy-map icmp_policy class icmp-class inspect icmp ! service-policy icmp_policy global
Step 3 : Access switch configuration
version 12.2 no service timestamps log datetime msec no service timestamps debug datetime msec no service password-encryption ! hostname CAMPUS-ACCESS-01 ! spanning-tree mode pvst ! interface FastEthernet0/1 switchport access vlan 30 ! interface FastEthernet0/2 switchport access vlan 20 ! interface GigabitEthernet0/1 switchport mode trunk !