Cisco IOS-fu #6 – Ruckus Public Wifi / Cisco ASA DMZ Setup

Hello!  A few months ago, LifeChurch.tv started the migration to Ruckus Wireless for our Central & OKC Broadcast campuses.  Things have been going very well.  I hope to blog about the Ruckus setup and such soon – or maybe have @mburleson do it since he was more involved than I was 🙂 #likeaboss

Anyway, one of the things we did was begin our Public Wifi move from a simple custom m0n0wall setup to the Ruckus setup.  When we did this, we set Ruckus Public Wifi up on a DMZ interface on our Cisco ASA cluster.  Let's walk through that Cisco setup:

First of all, I created a private VLAN – vlan 60 – for the Public Wifi on our core switches, let VTP replicate, and then set up the interface.  Notice it has no IP addresses – didn't want any weird layer 3 routing here 🙂

Screen shot 2010-06-11 at 10.18.07 AM

That's easy. I did the same thing on our Cisco 4507 – the other HSRP core switch at our DR location.

Next, I configured interfaces on the switches to put the DMZ in the right interface.  At our Central location, I put the DMZ on our Cisco 6503E which is a secondary/daughter switch off our Core that we're using to offload some "not as important" things.

Screen shot 2010-06-11 at 10.28.15 AM

You'll notice that I made this a trunk port, not an "access" port – because I'm leaving room later for "sub DMZ" on my ASA Cluster – so – vlan 60 (Ruckus Public Wifi) is a "sub DMZ" also :)  Then I do the same thing on our Cisco 4507 – the other HSRP core switch at our DR location.  If you're new here, our network setup is detailed here.

Okay, next we'll set up the interface on the ASA cluster.  Our DMZ interface is gig0/3 – so – our "sub DMZ" will be interface gig0/3.60 (dotted 60 for vlan 60)

Screen shot 2010-06-11 at 10.32.44 AM

Since this is a cluster, detailed here, everything is sync'd between the two ASAs.

Now, let's create the access-list that will control the traffic allowed on this DMZ.

Screen shot 2010-06-11 at 9.56.07 AM

Okay – basically – this allows our Public Wifi folks to do anything they want to do – send email using whatever client they have, use Skype, IM, access Church Online, and be filtered properly via Websense (that's the line with 10.5.1.140 in it).

Now let's apply the access-list.

Screen shot 2010-06-11 at 10.56.45 AM

Great.  There ya go.  Fairly "open" Public Wifi (but still filtered) – in a DMZ – all is well.
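As a text version of the switch and ASA steps above, here is an added sketch (not the original LifeChurch.tv configuration). Only VLAN 60, gig0/3.60 and the Websense host 10.5.1.140 come from the post; the switch port, nameif, security level, guest subnet, standby address, ACL name and the internal-network deny lines are assumptions.

```cisco
! Added example. Assumed values: port Gi2/1, nameif "publicwifi",
! security-level 10, guest subnet 192.168.60.0/24, ACL name PUBLICWIFI_IN.
!
! --- Core switch (IOS): layer-2-only VLAN plus trunk toward the ASA ---
vlan 60
 name PUBLIC-WIFI
!
interface Vlan60
 description Public Wifi (no IP: nothing routed by the core)
 no ip address
!
interface GigabitEthernet2/1
 description Trunk to ASA DMZ gig0/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 60
 switchport mode trunk
!
! --- ASA: sub-interface for VLAN 60 on the DMZ port ---
interface GigabitEthernet0/3.60
 vlan 60
 nameif publicwifi
 security-level 10
 ip address 192.168.60.1 255.255.255.0 standby 192.168.60.2
!
! --- ASA: ACL for traffic entering from the guest VLAN ---
access-list PUBLICWIFI_IN remark Websense filter host (protocol/port not given in the post)
access-list PUBLICWIFI_IN extended permit ip 192.168.60.0 255.255.255.0 host 10.5.1.140
access-list PUBLICWIFI_IN remark Assumption: keep guests off internal RFC 1918 space
access-list PUBLICWIFI_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list PUBLICWIFI_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list PUBLICWIFI_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list PUBLICWIFI_IN remark Everything else (mail, Skype, IM, web) is allowed out
access-list PUBLICWIFI_IN extended permit ip 192.168.60.0 255.255.255.0 any
!
! --- ASA: bind the ACL inbound on the guest interface ---
access-group PUBLICWIFI_IN in interface publicwifi
```

Order matters because the ASA stops at the first matching entry: the Websense permit has to sit above the deny lines, since 10.5.1.140 falls inside 10.0.0.0/8. NAT and DHCP for the guest subnet are not shown.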

As for the Ruckus – what did that look like?  Like this:

Screen shot 2010-06-14 at 1.31.57 PM

We just created an SSID, clicked the "Guest Access" type, and tagged it with VLAN 60 – set up above on the Cisco gear.  That's it.  Of course, under Guest Access you have some options:

Screen shot 2010-06-14 at 1.33.46 PM

This one is for your Terms of Use + Any Redirect you want.

Screen shot 2010-06-14 at 1.35.40 PM

There are also some personalization + network restriction options available.

Anyway – those are the nuts & bolts.

If you are interested in learning more about Ruckus Wireless – ping @gregkamer with Mirazon – they are great to work with, and very #CITRT (Church IT) friendly.  I've used them for several projects related to storage, virtualization, SharePoint, etc.