[Vincent_Vega]

I have a PIX 515 with 5 interfaces. I want to set up a wireless network, and serve DHCP addresses to wireless clients. This scope would be unique to that interface, and unique to the wireless clients. I want this traffic segregated from the rest of the network because it will be an untrusted network.

Is this possible? I need to provide wireless to visiting users and the wireless needs to be wide open so anyone inside a certain area of the building can connect to it without authentication for internet access. The building itself is very secure, there is 24x7 security presence, with over 200 cameras monitoring the grounds. Only someone in VERY CLOSE proximity could connect from outside. Our walls are very thick concrete and I have tested that. Security does NOT allow any sort of loitering so that is not a problem.

Any ideas? Could this be done?

[Dumber]

maybe this can help:
http://www.cisco.com/en/US/products/...806c1cd5.shtml

Maybe is an BBSM also an option.
http://www.cisco.com/en/US/products/...533/index.html

[ozgursen]

Hello have a Good days


The DHCP server process is enabled by default on versions of the Cisco IOS that support it. If for some reason the DHCP server process becomes disabled, it can be re-enabled by using the service dhcp global configuration command. The no service dhcp command disables the server.
Like NAT, DHCP servers require that the administrator define a pool of addresses.

the ip dhcp pool command defines which addresses will be assigned to hosts.

The first command, ip dhcp pool room12, creates a pool named room12 and puts the router in a specialized DHCP configuration mode. In this mode, use the network statement to define the range of addresses to be leased. If specific addresses are to be excluded on this network, return to global configuration mode


The ip dhcp excluded-address command configures the router to exclude 172.16.1.1 through 172.16.1.10 when assigning addresses to clients. The ip dhcp excluded-address command may be used to reserve addresses that are statically assigned to key hosts.

A DHCP server is capable of configuring much more than an IP address. Other IP configuration values can be set from the DHCP configuration mode


IP clients will not get very far without a default gateway, which can be set by using the default-router command. The address of the DNS server, dns-server, and WINS server, netbios-name-server, can be configured here as well. The IOS DHCP server can configure clients with virtually any TCP/IP information.


lists the key IOS DHCP server commands. These commands are entered in DHCP pool configuration mode, identified by the router(dhcp-config)# prompt.

Use the EXEC mode commands to monitor DHCP server operation



Easy IP is a combination suite of Cisco IOS features that allows a router to negotiate its own IP address and to do NAT through that negotiated address. Easy IP is typically deployed on a small office, home office (SOHO) router. It is useful in cases where a small LAN connects to the Internet by way of a provider that dynamically assigns only one IP address for the entire remote site.
A SOHO router with the Easy IP feature set uses DHCP to automatically address local LAN clients with RFC 1918 addresses. When the router dynamically receives its WAN interface address by way of the Point-to-Point Protocol, it uses NAT overload to translate between local inside addresses and its single global address. Therefore, both the LAN side and the WAN side are dynamically configured with little or no administrative intervention. In effect, Easy IP offers plug-and-play routing.





DHCP is not the only critical service that uses broadcasts. Cisco routers and other devices may use broadcasts to locate TFTP servers. Some clients may need to broadcast to locate a TACACS security server. In a complex hierarchical network, clients may not reside on the same subnet as key servers. Such remote clients will broadcast to locate these servers, but routers, by default, will not forward client broadcasts beyond their subnet. Some clients are unable to make a connection without services such as DHCP. For this reason, the administrator must provide DHCP and DNS servers on all subnets, or use the Cisco IOS helper address feature. Running services such as DHCP or DNS on several computers creates overhead and administrative problems, so the first option is not very appealing. When possible, administrators use the ip helper-address command to relay broadcast requests for these key UDP services.
By using the ip helper-address command, a router can be configured to accept a broadcast request for a User Datagram Protocol (UDP) service and then forward it as a unicast to a specific IP address. Alternately, the router can forward these requests as directed broadcasts to a specific network or subnetwork.






Özgür ŞENERDOĞAN

[daviddavis]

HI Vincent_Vega,

I would recommend using the wireless AP's to provide DHCP information instead of the PIX. I think it would make your life easier.

As far as not letting people outside the building connect, this is difficult. I think you need to look at some higher end wireless equipment (like something from Aruba Systems) to try to control this. You can, of course, spend a lot of time tweaking antenna systems and wireless signal strength levels on regular gear but there is gear that is especially designed to take the layout of the building, take the location of your AP's, hookup monitoring devices around the building to measure the signal strength, and automatically tweak the wireless device signal strength to not allow it outside the building.

Best of luck to you,
David