On Sat, 1 Oct 2005 10:52:48 -0700, "stormrunner"
<stormrunner_removethis@comcast.net> wrote:
>I need to provide wireless access to customers in my customer lounge. I
>would like to hang a relatively inexpensive AP such as Linksys WAP54GX on
>one of my C2950 switches and allow these users to connect "only" to the
>internet. I know that having them PAT to a different network IP and setting
>DHCP for them will prevent ping scans but not network sniffing to determine
>a valid address for instance to static an IP on my corporate LAN.
I'll assume you're using NAT/PAT on the corporate LAN and therefore
are using RFC-1918 IP's. A separate PAT for the wireless should
prevent both scanning from the wireless side. Something like:
Corporate               Wireless Router
LAN                     WAN SIDE                LAN SIDE
10.0.0.xxx  =========   IP=10.0.0.2             IP=192.168.1.1
Gateway=10.0.0.1        GW=10.0.0.1             NM=255.255.255.0
                        NM=255.255.255.252
With the netmask set to /30, the WAN side of the router can only see
10.0.0.1 and 10.0.0.2 which is all it needs to communicate only with
the internet via the gateway. 10.0.0.3 also needs to be reserved as
it's the broadcast IP. Any attempts by clients on the LAN side to
ping or access IP's other than 10.0.0.1-10.0.0.3 will go through the
default gateway at 10.0.0.1 instead.
Clients on the corporate LAN can sniff the traffic originating to/from
the wireless router, but the LAN side of the wireless router never
sees any of the corporate traffic.
I've set up only one WLAN this way and found it to be sufficiently
secure and operate as I described. Actually, I used 255.255.255.248
to give me a few more IP's to play with so I could have a local server
on the LAN. Before implementing, I suggest you confirm the security
with someone that knows more about such things than me.
I'm not 100% sure that this is a totally secure arrangement, but seems
adequate with my limited testing. It's also simpler than using a
VLAN.
>I know the
>safest solution is to provide a completely separate ISP connection but would
>like to avoid this.
>That would be the best way to achieve this.
>Would hanging the AP on a switch port configured to a different VLAN with
>corresponding ACL's provide this.
Careful. You started with a wireless router and just brought up an
access point. These are quite different animals. The AP is just a
bridge. There are no layer 3 services involved. If you're going to
separate the traffic, a router or VLAN is required somewhere. If your
2950 is going to be configured as a VLAN, an AP is appropriate.
Otherwise, a wireless router might be a better choice.
>If so how does one configure a VLAN 2 for
>instance that only has access to the gateway and does not broadcast to the
>AP users corporate LAN packets.
Sorry. I'm not familiar with the 2950 switch.
>Any input greatly appreciated, I have delayed this project for some time due
>to security implications but need to get done.
--
Jeff Liebermann
jeffl@comix.santa-cruz.ca.us
150 Felker St #D
http://www.LearnByDestroying.com
Santa Cruz CA 95060
http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
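The /30 arithmetic in the reply above, worked through as an added example (mine, not Jeff's or the original poster's code). It uses the addresses from the post (WAN side 10.0.0.2/30, gateway 10.0.0.1) and also covers the 255.255.255.248 (/29) variant he mentions, applied to a constructed list of destination addresses, to show which addresses the wireless router's WAN side treats as on-link and which it hands to the default gateway.

```python
import ipaddress

# Addresses taken from the reply: the wireless router's WAN side sits on
# 10.0.0.2 with a /30 mask and uses the corporate gateway 10.0.0.1.
WAN_IF = "10.0.0.2/30"
GATEWAY = "10.0.0.1"


def _as_interface(iface):
    """Accept either a prefix string or an ip_interface object."""
    return ipaddress.ip_interface(iface) if isinstance(iface, str) else iface


def subnet_summary(iface=WAN_IF):
    """Return the addresses a host on this interface treats as on-link."""
    net = _as_interface(iface).network
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "hosts": [str(h) for h in net.hosts()],
    }


def next_hop(dst, iface=WAN_IF, gateway=GATEWAY):
    """Mimic the forwarding decision a host makes for one destination.

    Anything inside the interface's prefix is delivered directly (ARP on
    the segment); everything else is handed to the default gateway.
    """
    dst = ipaddress.ip_address(dst)
    net = _as_interface(iface).network
    if dst == net.broadcast_address:
        return "broadcast"
    if dst in net:
        return "direct"
    return f"via {gateway}"


def reachability_report(destinations, iface=WAN_IF, gateway=GATEWAY):
    """Map each destination to the forwarding decision made at the WAN side."""
    return {str(d): next_hop(d, iface, gateway) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations: the gateway, the router itself, the
    # /30 broadcast, another host on the corporate /24, and a public address.
    sample = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.50", "198.51.100.7"]
    for prefix in ("10.0.0.2/30", "10.0.0.2/29"):  # /29 is the variant in the reply
        print(prefix, subnet_summary(prefix))
        for dst, hop in reachability_report(sample, prefix).items():
            print(f"  {dst:>14} -> {hop}")
```

With the /30, only 10.0.0.1 and 10.0.0.2 are usable hosts and 10.0.0.3 is the broadcast, matching the reply; a corporate address such as 10.0.0.50 is not on-link from the WAN side and is forwarded to 10.0.0.1. Whether that gateway then routes the packet back onto the corporate /24 (or sends an ICMP redirect) is decided by the gateway's own routing and ACLs, so that is the configuration to verify when checking this arrangement.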