WLC Guest Tunnel

Jul 17th, 2008

Hi,

I have some questions about Guest Tunneling, since the docs on CCO are not so complete.


Right now I have 2 WLC 4400 Series in a redundant way with 2 WLANs, 1 WLAN per AP Group. All the APs are set up as H-REAP nodes.


We have to set up a WLC in the DMZ so that Guest WLAN traffic will be tunneled from the internal WLC to the DMZ and all is fine.


The Guest WLAN and the interface should be defined both on the internal and the DMZ WLC... isn't it? Should the DHCP server be set up in the DMZ?


Then I'll set up the mobility anchor between WLC#1 internal and WLC DMZ and between WLC#2 internal and WLC DMZ, correct?


What about the APs, since they are set up as H-REAP nodes with the switch port as access?


Many thanks for helping me find a solution.

Scott Fella Thu, 07/17/2008 - 07:34

Let me give this a shot:


The Guest WLAN and the interface should be defined both on the internal and the DMZ WLC... isn't it?


-Yes, and they have to be configured exactly alike.


Should the DHCP server be set up in the DMZ?


-Yes, use the Guest Controller for this.


Then I'll set up the mobility anchor between WLC#1 internal and WLC DMZ and between WLC#2 internal and WLC DMZ, correct?


-All three should be configured in the mobility group.


What about the APs, since they are set up as H-REAP nodes with the switch port as access?


-If you have the AP on the management VLAN and you want the users on a different local VLAN, then you have to configure the port as a dot1q trunk. The management VLAN will have to be the native VLAN of the trunk. If the users will be going back to the DMZ, then you should not make the SSID local switching and just have that tunnel back to the foreign controller, which will have a tunnel to the DMZ WLC. If you need to have more than one VLAN, then you need to configure the port as a trunk.


Hope this helps.

oguarisco Mon, 07/21/2008 - 22:03

Hi


Thanks very much for the useful information...

Still some open points about H-REAP and VLANs...


So basically the Guest WLAN will not be locally switched; it will be tunneled to the WLC, where it will be tunneled to the DMZ WLC... but right now the IP address of the AP is on the same subnet as the users which use this AP...


Now with the Guest WLAN, can I keep this configuration and simply add the Guest VLAN in tunneled mode with the controller, or should I create VLANs and set up one VLAN for the AP MGMT, one VLAN for the locally switched WLAN and one VLAN for the guests??? This would increase the complexity; it would be better to keep the existing scenario (same VLAN for AP MGMT, for the locally switched WLAN and the Guest WLAN).


Thanks

Omar



Scott Fella Tue, 07/22/2008 - 11:43

You can do that if you want and it would not be an issue. The only thing is you cannot protect your internal network from your guests, since they will be in the same subnet.

oguarisco Wed, 07/23/2008 - 00:54

Hi Fella,

Thanks a lot for the useful info... are you sure??? Maybe I'm missing a piece of the puzzle... let's do a recap:

- My APs on different IP subnets are configured as H-REAP nodes

- My internal WLCs are configured with more WLANs to do central AUTH and LOCAL switching

- My WLANs, since they are in H-REAP mode, are mapped to the AP-Manager interface of the WLC

- The WLC in the DMZ, behind a firewall, is configured with a mobility group to be "in the same one" as the internal WLCs

- The Guest WLAN, defined on the internal and external WLCs, is mapped to the AP-Manager IP to be LWAPP tunneled (central switching) and spread on all my APs

- The Guest WLAN will be anchored from the internal WLCs to the external one.


So basically, for one WLAN client which connects to the Guest WLAN, all traffic will be LWAPP tunneled from the AP MGMT IP to the WLC AP-Manager IP and then, since this WLAN is anchored to the DMZ WLC, the traffic will be EoIP tunneled to this WLC, where a DHCP server is active.


After the client receives an IP address from the WLC's DHCP server, the firewall in front of the WLC will block all access to the internal IP subnet and permit only routing to the outside of the enterprise...


Am I wrong with something?

Thanks

Scott Fella Wed, 07/23/2008 - 04:57

Okay... let's start again:


- My APs on different IP subnets are configured as H-REAP nodes


Your H-REAP APs should have an IP address on their local subnet.


- My internal WLCs are configured with more WLANs to do central AUTH and LOCAL switching


This is fine.


- My WLANs, since they are in H-REAP mode, are mapped to the AP-Manager interface of the WLC


The WLAN should be mapped to the local VLAN or a VLAN located centrally where the WLC is located.


- The WLC in the DMZ, behind a firewall, is configured with a mobility group to be "in the same one" as the internal WLCs


This is fine.


- The Guest WLAN, defined on the internal and external WLCs, is mapped to the AP-Manager IP to be LWAPP tunneled (central switching) and spread on all my APs


WLANs should not be mapped to the AP-Manager interface. They should be mapped either to the management interface or to any dynamic interface you create.


- The Guest WLAN will be anchored from the internal WLCs to the external one.


Correct.... the guest WLC and the foreign WLC should be configured in each mobility group configuration.


Hope this helps...


oguarisco Thu, 07/24/2008 - 23:30

Hi

Thanks for the info... maybe you've already experienced this strange behaviour with the mobility group:


I have one MGroup (default, customized) to which both internal WLCs (WLC1 and WLC2) belong, and another MGroup (default, customized) to which the WLC DMZ belongs... the strange thing is that from WLC1 to the others the data path is up but the control path is down; on WLC2 all is OK with the WLC DMZ, but with WLC1 the control path is down...

Similarly, on the WLC DMZ all is OK with WLC2, but with WLC1 the control path is down.


I've tried to reach them and seen that with both ping and eping all is fine, but mping doesn't answer.

Do you have an idea?

Thanks a lot
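Scott's mobility-group answer above and Omar's mping/eping observation, as an added worked configuration that is not from this thread: 4400-series WLC CLI commands with placeholder names, MAC addresses and RFC 5737 addresses (assumed: WLAN ID 2 is the guest WLAN, 192.0.2.0/24 is the internal management subnet, 198.51.100.10 is the DMZ anchor's management address, VLAN 900 is the guest VLAN in the DMZ). Lines beginning with `!` are annotations, not commands.

```text
! ---- On WLC1 (management 192.0.2.11); mirror on WLC2 with WLC1's entry ----
! One mobility group name on every controller, then each peer's management
! MAC and IP, the DMZ anchor included. A name or MAC mismatch leaves the
! control path down even when the data path is up.
config mobility group domain CORP-MOBILITY
config mobility group member add 00:1A:2B:3C:4D:02 192.0.2.12 CORP-MOBILITY
config mobility group member add 00:1A:2B:3C:4D:03 198.51.100.10 CORP-MOBILITY
! Guest WLAN 2: identical on foreign and anchor, not locally switched on the
! H-REAP APs (traffic rides LWAPP to the foreign WLC), anchored at the DMZ.
config wlan disable 2
config wlan h-reap local-switching 2 disable
config wlan mobility anchor add 2 198.51.100.10
config wlan enable 2

! ---- On the DMZ anchor (management 198.51.100.10) ----
config mobility group domain CORP-MOBILITY
config mobility group member add 00:1A:2B:3C:4D:01 192.0.2.11 CORP-MOBILITY
config mobility group member add 00:1A:2B:3C:4D:02 192.0.2.12 CORP-MOBILITY
! Guests terminate on a dynamic interface in the DMZ (VLAN 900) and get
! addresses from the anchor's internal DHCP server, as Scott suggested.
config interface create guest 900
config interface address guest 203.0.113.2 255.255.255.0 203.0.113.1
config dhcp create-scope GUEST
config dhcp network GUEST 203.0.113.0 255.255.255.0
config dhcp address-pool GUEST 203.0.113.50 203.0.113.250
config dhcp default-router GUEST 203.0.113.1
config dhcp enable GUEST
config interface dhcp dynamic-interface guest primary 198.51.100.10
! The anchor points WLAN 2's anchor at its own management address.
config wlan disable 2
config wlan interface 2 guest
config wlan mobility anchor add 2 198.51.100.10
config wlan enable 2

! ---- Verification, from any controller ----
show mobility summary
show mobility anchor
! mping exercises the mobility control path (UDP 16666 between management
! addresses); eping exercises the EoIP data path (IP protocol 97). "eping
! OK, mping fails" points at the control path: check that the firewall in
! front of the DMZ WLC passes UDP 16666 as well as protocol 97, and that the
! group name and member entries match on both ends.
mping 198.51.100.10
eping 198.51.100.10
```

The firewall in front of the anchor only needs to pass mobility control (UDP 16666) and EoIP (protocol 97) between the controllers' management addresses; guest client traffic exits the DMZ from the guest VLAN, so the internal subnets can be denied there as Omar intends.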


rochoa8aeg Mon, 10/27/2008 - 14:07

Why would you find a need to add an anchor controller into the mix? Can't you simply route your 'Guests' out a Guest VLAN? Why make things more complicated... Or am I missing something?

oguarisco Tue, 10/28/2008 - 00:51

Hi,

My problem was related to a SW bug... in fact in 5.0 it is solved...


We have two internal WLCs and one DMZ WLC where we've anchored the guest WLAN, so that it will be tunneled from the internal WLCs to the WLC in the DMZ using EoIP; the DHCP server is set up in the DMZ...


In this way I don't need to create a VLAN for the Guest WLAN on the network infrastructure, but I simply configure the Guest WLAN in Local Mode (since the LAPs are in H-REAP) and activate it on the APs needed, and the traffic from the Guest client will be tunneled from the LAP to the internal WLC and from the internal WLC to the WLC in the DMZ.


This is an excellent solution if you have a network composed of more than 500 switches...


Regards

Omar
