Since offering a guest Wi-Fi network has become pretty standard practice, it is something that will be added to the ISRs at the branch locations. However, because this is a guest network it is untrusted and must not have access to the internal network.
The first step is to create a VRF for the guest network. Placing the guest network in its own VRF gives it a separate routing table, so guest traffic is never exposed to the routes for the internal network.
vrf definition IWAN-Guest
 address-family ipv4
 exit-address-family
The guest machines will require DHCP, so the router will be configured to hand out addresses. The 192.168.254.0 network was selected for the DHCP range, with the addresses .1 through .19 excluded from the pool. The Google DNS server at 8.8.8.8 is set as the guest DNS server.
ip dhcp excluded-address vrf IWAN-Guest 192.168.254.1 192.168.254.19
ip dhcp pool IWAN-Guest
 vrf IWAN-Guest
 network 192.168.254.0 255.255.255.0
 default-router 192.168.254.1
 dns-server 8.8.8.8
Next come the class maps for traffic filtering. We are going to allow DHCP and ICMP between the router and the guest network, and allow outbound traffic from the guest network. Depending on the security needs, ICMP can be removed and the protocols allowed outbound can be restricted.
class-map type inspect match-any Guest-RTR-ICMP
 match access-group name Guest-ICMP-In
class-map type inspect match-any RTR-Guest-ICMP
 match access-group name Guest-ICMP-Out
class-map type inspect match-any Guest-RTR-DHCP
 match access-group name Guest-DHCP-In
class-map type inspect match-any RTR-Guest-DHCP
 match access-group name Guest-DHCP-Out
class-map type inspect match-any Guest-Outside-Class
 match protocol dns
 match protocol http
 match protocol https
 match protocol ftp
 match access-group name Guest-Out
The policies are configured to pass DHCP traffic, inspect the remaining matched traffic, and drop everything else via class-default.
policy-map type inspect Guest-Outside-Policy
 class type inspect Guest-Outside-Class
  inspect
 class class-default
  drop
policy-map type inspect Guest-Self-Policy-In
 class type inspect Guest-RTR-DHCP
  pass
 class type inspect Guest-RTR-ICMP
  inspect
 class class-default
  drop
policy-map type inspect Guest-Self-Policy-Out
 class type inspect RTR-Guest-DHCP
  pass
 class type inspect RTR-Guest-ICMP
  inspect
 class class-default
  drop
A security zone will need to be created for the guest network.
zone security Guest
The new zone needs to be paired with the router's self zone and with the Internet zone, and the policies applied to each zone pair.
zone-pair security Guest-Router source Guest destination self
 service-policy type inspect Guest-Self-Policy-In
zone-pair security Router-Guest source self destination Guest
 service-policy type inspect Guest-Self-Policy-Out
zone-pair security Guest-Internet source Guest destination Internet
 service-policy type inspect Guest-Outside-Policy
Next the guest interface will be created. VLAN 999 is assigned to the guest network, so a corresponding subinterface is created. The IP address used here needs to match the default gateway that was set earlier in the DHCP pool.
interface GigabitEthernet0/0/0.999
 description Guest-Network
 encapsulation dot1Q 999
 vrf forwarding IWAN-Guest
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 zone-member security Guest
Then a NAT statement is required to translate guest addresses to the outside interface address.
ip nat inside source route-map NAT-Guest interface GigabitEthernet0/0/1 vrf IWAN-Guest overload
A static default route in the guest VRF is needed to allow access to the outside network.
ip route vrf IWAN-Guest 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1
A route map was used in the NAT statement to identify inside machines, so that route map needs to be created.
route-map NAT-Guest permit 10
 match ip address Guest-Internet
 match interface GigabitEthernet0/0/1
Lastly, we will create the ACLs. Again, these ACLs can be adjusted to restrict traffic as needed. Note that Guest-Internet denies the guest subnet from reaching the RFC 1918 private ranges before permitting everything else.
ip access-list extended Guest-DHCP-In
 permit udp any eq bootpc any eq bootps
!
ip access-list extended Guest-DHCP-Out
 permit udp any eq bootps any eq bootpc
!
ip access-list extended Guest-ICMP-In
 permit icmp any any echo
 permit icmp any any echo-reply
!
ip access-list extended Guest-ICMP-Out
 permit icmp any any echo
 permit icmp any any echo-reply
!
ip access-list extended Guest-Internet
 deny ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip 192.168.254.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.254.0 0.0.0.255 any
!
ip access-list extended Guest-Out
 permit ip 192.168.254.0 0.0.0.255 any
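As an added example (not part of the original post), the following Python check evaluates the Guest-Internet ACL the way IOS does, first match wins with wildcard masks and an implicit deny at the end, so the RFC 1918 isolation can be confirmed before the config is pushed. The ACL text is a constructed copy of the entries above; the parser only understands the `net wildcard` and `any` forms used there.

```python
import ipaddress

# Constructed copy of the Guest-Internet ACL from the post, one entry per line.
GUEST_INTERNET_ACL = """
deny ip 192.168.254.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip 192.168.254.0 0.0.0.255 172.16.0.0 0.15.255.255
deny ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 192.168.254.0 0.0.0.255 any
"""

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return ((a ^ n) & ~w) == 0

def parse_acl(text: str):
    """Parse 'permit|deny ip <src> <wc> <dst> <wc>' entries ('any' = 0.0.0.0 255.255.255.255)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        fields = []
        for _side in range(2):  # source side, then destination side
            if rest[0] == "any":
                fields += ["0.0.0.0", "255.255.255.255"]
                rest = rest[1:]
            else:
                fields += rest[:2]
                rest = rest[2:]
        entries.append((action, proto, *fields))
    return entries

def acl_action(entries, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, _proto, s_net, s_wc, d_net, d_wc in entries:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

def guest_isolation_ok(entries) -> bool:
    """Spot-check the isolation the post wants: RFC 1918 denied, public destinations permitted."""
    guest = "192.168.254.50"  # constructed guest client address
    return (acl_action(entries, guest, "10.1.2.3") == "deny"
            and acl_action(entries, guest, "172.31.255.1") == "deny"
            and acl_action(entries, guest, "192.168.10.1") == "deny"
            and acl_action(entries, guest, "8.8.8.8") == "permit")

if __name__ == "__main__":
    print("guest isolation ok:", guest_isolation_ok(parse_acl(GUEST_INTERNET_ACL)))
```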
Now all that is needed is to assign the Guest SSID to VLAN 999 and configure the switch ports accordingly.