Wifi Tech Doc
I'm going to go ahead and build out the guest network at the IP level and the VLAN 9 level, and try to work it all the way through to the outside. Will NAT some 192.168.9.0.

So, eth2 on the PIX is now tagged VLAN 9, but I realize I can't be putting it on the same 192.168.9.0 segment. So now I'm making it be on the same class C that the internal management i/f is on, but a different subnet: 192.168.32.97/255.255.255.252.

For a branch switch, router interface (i.e. mo-3524, fa0/24):

    switchport mode trunk
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan all

DHCP out some 192.168.xx.0 addresses on VLAN 9. On the 2620:

    int fa0/0.9
     192.168.xx.1
     encapsulation dot1q 9

In the PIX, add a route for the branch's guest network.

Diagram: c:\usr\doc\WIFI-vlan-moving-into-production.vsd

SC-AP1:
    vlan 1   native        [infrastructure, (not used in SSID)]
    vlan 2   .57           [SSID=sainthelens, staff, DHCP from SPRUCE]
    vlan 3   198.207.188   [SSID=handheld, DHCP from somewhere?]
    vlan 9   192.168.57    [SSID=guest, DHCP from sc-72]

With a new web-filter access rule in the PIX directing all port 80 traffic at the Websense filter, the 192.167.57 network should now be completely web filtered.

Some things to fix remain:
-- protecting our own general network from the guest laptops
-- VLAN 9 interface for the PIX
-- also access rules in the PIX to prevent any access to our internal hosts, except public ones
-- allowing for other protocols to be used on the guest VLAN:
   -- https
   -- possible other web ports, i.e. 8080
   -- anything else we want to offer by policy? SMTP, POP, chats etc., VPN, FTP, ssh

Alright. Guest shouldn't need any EAP/PEAP TLS TKS stuff, but we're going to use IAS/RADIUS. Probably have to.

The default channel setting for the wireless device radios is least congested; at startup, the wireless device scans for and selects the least-congested channel. For most consistent performance after a site survey, however, we recommend that you assign a static channel setting for each access point. The channel settings on the wireless device correspond to the frequencies available in your regulatory domain. See Appendix A, "Channels and Antenna Settings," for the frequencies allowed in your domain.
-- http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_guide_chapter09186a0080341d17.html

"If you are using the 802.1x supplicant provided by Microsoft, the idle time out will be longer than the settings in RADIUS/AP and DSA-3100. Except for the idle timer, there is no way for the user to logoff from 802.1x Access Point in the current 802.1x implementation by Microsoft."
-- Dlink DSA3100 manual
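As an added worked example (not from these notes), here is what the trunk, the 2620 guest sub-interface, a guest DHCP pool and the "keep guests off our internal hosts, except public ones" access rules look like written out, plus the PIX route, NAT and Websense lines. Everything outside the notes is an assumption: IOS 12.x / PIX 6.x syntax, the resolver 192.168.32.5, the PIX next hop 192.168.32.98, the Websense host 192.168.32.20, and 203.0.113.10 as a placeholder for a real public host.

```cisco
! Branch switch uplink (mo-3524 fa0/24 in the notes): carry the AP VLANs to the router
interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,2,3,9
!
! 2620 router: one dot1Q sub-interface per VLAN; only the guest one is shown
interface FastEthernet0/0.9
 description guest wireless (SSID=guest, VLAN 9)
 encapsulation dot1Q 9
 ip address 192.168.57.1 255.255.255.0
 ip access-group GUEST-IN in
!
! Hand out guest addresses locally; 192.168.32.5 is an ASSUMED internal resolver
ip dhcp excluded-address 192.168.57.1 192.168.57.10
ip dhcp pool GUEST
 network 192.168.57.0 255.255.255.0
 default-router 192.168.57.1
 dns-server 192.168.32.5
!
! Guest isolation, applied inbound on fa0/0.9: first match wins, so order matters
ip access-list extended GUEST-IN
 remark bootstrap services guests need from us
 permit udp any eq bootpc any eq bootps
 permit udp any host 192.168.32.5 eq domain
 remark public hosts stay reachable; 203.0.113.10 is a PLACEHOLDER for a real one
 permit tcp any host 203.0.113.10 eq www
 permit tcp any host 203.0.113.10 eq 443
 remark then block every internal range (management /24 is inside 192.168/16)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark what guests may use toward the Internet, per the policy list
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq 8080
 deny   ip any any log
!
! PIX side: route to the branch guest subnet over the /30 link, NAT it on the
! way out, and push every port 80 request through Websense (ASSUMED host).
route inside 192.168.57.0 255.255.255.0 192.168.32.98 1
nat (inside) 1 192.168.57.0 255.255.255.0
global (outside) 1 interface
url-server (inside) vendor websense host 192.168.32.20 timeout 5 protocol TCP version 1
filter url http 0 0 0 0
```

The `deny ip any any log` at the end is what makes the "what else do we offer by policy" question visible: anything guests try beyond the listed ports shows up in the router log before you decide whether to permit it.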