使用隔离 VLAN 的访客 WiFi - Cisco 路由

tag-icon tag-icon cisco wifi vlan cisco-catalyst isolated-network
使用隔离 VLAN 的访客 WiFi - Cisco 路由

我正在尝试为访客 WiFi 网络设置测试环境。我的目标是在完全不同的子网上使用单独的 SSID,并将其与管理子网完全隔离。

到目前为止,我有一台 Cisco Aironet 1602,广播两个不同的 SSID,如下所示:

管理-wifi - 192.168.0.x 访客-wifi - 172.16.0.x

Aironet 由 Cisco 2505 无线控制器控制,该控制器具有以下接口:

管理 - 192.168.0.240 访客 - 172.16.0.240

无线客户端和互联网之间有一台 Cisco Catalyst WS-C2960 交换机、一台 Cisco ASA 5505 和一台 Cisco 887VA 路由器。

我在 ASA 上配置了 192.168.0.x 和 172.16.0.x 接口,但到目前为止,如果我连接到 192.168.0.x 网络,我只能连接到互联网。当我在 172.16.0.x 网络上有一个 IP 地址时,我无法在本地或互联网上看到任何设备。有人能帮助我配置这个吗?因为我怀疑我需要在交换机级别对 VLAN 进行一些操作?

这是我的交换机配置:

Current configuration : 5782 bytes
!
! Last configuration change at 01:39:12 gmt Sun Apr 11 1993 by administrator
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ms-testswitch
!
boot-start-marker
boot-end-marker
!
no logging console
!
username administrator privilege 15 secret 5 $1$GyJu$uqo9yOnAb4vy8Tg2RoJrf.
username ccpuser privilege 15 secret 5 $1$Zmgi$TDnFyiE5YpS8KV46KvThW/
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
clock timezone gmt 0 0
clock summer-time gmt recurring
system mtu routing 1500
vtp mode transparent
!
!
ip domain-name test.local
!
!
crypto pki trustpoint TP-self-signed-1865058432
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1865058432
 revocation-check none
 rsakeypair TP-self-signed-1865058432
!
!
crypto pki certificate chain TP-self-signed-1865058432
 certificate self-signed 01
!
!
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 172,192
!
!
!
!
!
interface FastEthernet0/1
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/2
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/3
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/4
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/5
 switchport trunk allowed vlan 172,192
 switchport mode trunk
 spanning-tree portfast
!
interface FastEthernet0/6
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/7
 switchport mode trunk
!
interface FastEthernet0/8
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/9
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/13
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/14
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/15
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/16
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/17
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/18
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/19
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport access vlan 192
!
interface FastEthernet0/22
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/23
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 switchport access vlan 192
 switchport mode access
 spanning-tree portfast
!
interface GigabitEthernet0/1
 switchport access vlan 192
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 172
 switchport mode access
!
interface Vlan1
 no ip address
 no ip route-cache
 shutdown
!
interface Vlan172
 ip address 172.16.0.252 255.255.255.0
 no ip route-cache
!
interface Vlan192
 ip address 192.168.0.252 255.255.255.0
 no ip route-cache
!
ip default-gateway 192.168.0.250
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
snmp-server community switches RO
snmp-server location Project Room
snmp-server contact IT
snmp-server chassis-id ms
!
!
!
!
line con 0
 privilege level 15
line vty 0 4
 exec-timeout 0 0
 privilege level 15
line vty 5 15
 exec-timeout 0 0
 privilege level 15
!
end

如果有人能帮助我,我将不胜感激。圣诞快乐!

答案1

当您使用 WLC 时,您只需要将 Wi-Fi 管理 VLAN 连接到 WAP。WLC 不需要位于同一网络上,而且可能也不应该位于同一网络上(WLC 可以位于与 WAP 完全不同的位置)。

WAP 管理 VLAN 实际上与 Wi-Fi 用户网络无关;它用于将 CAPWAP 隧道返回到 WLC,并且每个 WAP 可以位于相同或不同的 Wi-Fi 管理 VLAN 上。

WLC 所连接的交换机需要将 Wi-Fi 用户 VLAN 中继到 WLC。管理和使用流量将使用从 WAP 到 WLC 的 CAPWAP 隧道,并在 WLC 处进入正确的 VLAN。

相关内容