Friday, July 27, 2018

Guest Wi-Fi Puzzle at Work

We're a small MSP that services small and medium-sized businesses, so we're not necessarily pushing out high-end enterprise-grade hardware. I mean, we do deploy Cisco ASAs, PoE managed switches, APs, etc., but at the same time we also typically just use the ISP gateway or a SOHO router as the main router for our customers' networks.

My coworker has given me an interesting Networking puzzle that I'm not quite sure how to resolve.

So typically we deploy something like this:

ISP Modem/Router/Gateway > Cisco ASA > Switches and WAPs > Workstations and VoIP phones

However, we want to implement Guest Network functionality. With the typical SOHO router, you can just turn on the Guest Network feature and it's no problem, works fine. The problem is that, most of the time, A) the SOHO router is too far away to be effective as the Guest Wi-Fi WAP, and B) the Cisco WAPs we deploy don't segregate Guest clients from the rest of the LAN, so theoretically anyone who's on the Guest Wi-Fi has full access to the LAN, which we don't want.

The Cisco WAPs do have a Guest Portal where guest users would have to log in, but this still doesn't actually segregate users from the rest of the LAN. AFAIK this is because the WAPs are just APs not routers, which is what we need.

So the idea was to add a second SOHO router to the existing config above, connected to one of the switches, which would function as the "Guest Wi-Fi router", and which we could then connect more WAPs to if needed. However, the problem here is that, even if we put this Guest Wi-Fi router on a different subnet than the LAN, Guest clients still have access to the LAN, because the WAN port on the router is just connected to the LAN switch and not to the ISP modem/gateway.

So is there a way that we can have a separate Guest WiFi Router that will allow traffic to pass through to the Internet, but will restrict access to the company's LAN?

I was thinking it would have to be done via some sort of firewall rules or maybe VLANs, but neither my coworker nor I am quite sure whether that would work.
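For reference, here is one way the VLAN-plus-firewall-rules approach from the question could look on the kind of gear described (a Cisco IOS switch behind a Cisco ASA). This is an added example, not configuration from the original post or from Cisco; the interface names, VLAN number, subnets and software versions are all assumptions, and the subnet and port numbers are placeholders to be replaced with the site's own. The idea is to carry the guest traffic in its own VLAN all the way to the ASA, terminate it on a dedicated ASA subinterface, and let an inbound ACL on that interface deny anything bound for the LAN subnet while permitting everything else (i.e. the Internet). The guest SOHO router's WAN port, or a guest-only AP, is plugged into a VLAN 20 access port on the switch.

```cisco
! ===== Cisco IOS switch (assumed model, hypothetical port numbers) =====
vlan 20
 name GUEST
!
interface GigabitEthernet1/0/1
 description Uplink to ASA inside interface (trunk; VLAN 1 untagged = LAN)
 switchport mode trunk
 switchport trunk allowed vlan 1,20
!
interface GigabitEthernet1/0/10
 description Guest Wi-Fi router WAN port (or a guest-only AP)
 switchport mode access
 switchport access vlan 20
!
! ===== Cisco ASA (assumed 9.x syntax, assumed interface names) =====
! Physical inside interface carries the untagged LAN VLAN.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Subinterface for the guest VLAN; lower security level than inside.
interface GigabitEthernet0/1.20
 vlan 20
 nameif guest
 security-level 10
 ip address 192.168.20.1 255.255.255.0
!
! Named objects for the two subnets (placeholder addressing).
object network LAN_NET
 subnet 192.168.1.0 255.255.255.0
object network GUEST_NET
 subnet 192.168.20.0 255.255.255.0
 nat (guest,outside) dynamic interface
!
! Inbound policy on the guest interface: block LAN, allow the rest.
! Add one deny line per internal subnet (e.g. a VoIP VLAN) if there are more.
access-list GUEST_IN extended deny ip object GUEST_NET object LAN_NET
access-list GUEST_IN extended permit ip object GUEST_NET any
access-group GUEST_IN in interface guest
!
! Optional: hand out guest addresses from the ASA so the guest router's
! WAN port (or guest APs) need no static configuration.
dhcpd address 192.168.20.10-192.168.20.100 guest
dhcpd dns 192.168.20.1 interface guest
dhcpd enable guest
```

Two points worth checking after applying something like this: once an ACL is bound to the guest interface it replaces the ASA's default "lower security level cannot reach higher" behaviour, so the explicit deny line (one per internal subnet) is what actually keeps guests off the LAN, and it must come before the permit. The ASA's `packet-tracer` command is a quick way to confirm the rules do what you expect without a client on the guest SSID, e.g. `packet-tracer input guest tcp 192.168.20.50 12345 192.168.1.10 445` should end in DROP, while the same command with a public destination address should be allowed.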

If anyone has any suggestions in this regard it would be much appreciated :)
