There is more than one way to skin a cat. I'm sure you've heard that before - and frankly - I still think it's a very gross thing to say. I'm not quite sure why you would skin a cat.
But, I can agree there is often more than one way to accomplish a task.
Recently, I worked with my friends @wantmoore & @jasonpowell at Granger Church to implement a really REALLY simple BYOD (bring your own device) network. This has generated a lot of buzz within the CITRT / Church IT Network Community - so - I figure it's best to just blog it out.
The basic premise is: a seperate network for "non church owned" devices like iOS, Personal Laptops, Intern/ Volunteer workstations, etc. These devices need to access SOME internal servers/services, and the Internet (duh), but not everything. I've done this 5-6 different ways, but, since so many have asked - here's how we did it at GCC (and incidentally, similarly to how we do this at Mirazon too for our teaching labs and such).
1) Created a new VLAN. Rather than using GCC configs/screen shots - here's the Mirazon setup. We use VLAN 666. Ha. #shenanigans
We use an HP L3 Chassis switch as our core.
ip address 192.168.66.1 255.255.255.0
ip helper-address 10.0.99.34 (for DHCP - we wanted to use the same/common DHCP server)
untagged (appropriate ports here)
tagged (appropriate ports here - be sure to tag all the way through from core to edges)
2) We create an ACL that allows/denies access as appropriate.
ip access-list extended "100"
permit udp 0.0.0.0 255.255.255.255 10.0.99.34 0.0.0.0 eq 67 (for DHCP)
deny ip 192.168.66.0 0.255.255.255 10.0.99.0 0.255.255.255 (network based deny)
deny ip 192.168.66.0 0.255.255.255 10.0.150.0 0.255.255.255 (network based deny)
deny ip 192.168.66.0 0.255.255.255 10.0.1.2 0.0.0.0 (host based deny)
permit ip 192.168.66.0 0.255.255.255 0.0.0.0 255.255.255.255 (allow internet)
3) We create a new Wireless SSID that references/tags VLAN 666. Give it a secure password. You may want to further lock this down to MAC Addresses and AUP (Acceptable Use Policy) to make sure only devices you allow/touch/see have access.
4) We apply the ACL to VLAN 666
(rest of the config is above)
ip access-group "100" in
No, this isn't the only way. You're smart. I'm sure you have your own way that works too.
We could have created this on another interface on a firewall - and used THAT as the security device instead of a simple ACL on the core L3 switch. Sure. Do that.
We could have probably locked down security a little tighter. Great. Do that too.
How have YOU solved this in your environment?