I have the following situation:
* business Head Office (HO) and primary Data Centre (DC) are separated by ~5 km, "core" Cat6ks in each site, connected via 10 Gb/s fibre (utilisation under 5%)
* Internet connectivity is via an ASA at the DC
* HO has a Cisco wireless network, all wireless infrastructure (APs and WISMs) located at HO
* each site has separate address space
The business needs wireless guest internet access; the guest wireless is to be directly connected to the Internet (via NAPT). The guest access network must be completely isolated from the rest of the business ("completely" = layer 2 and above).
The question is thus: how best to connect a network segment in one location (guest wireless at the HO) to a network segment in another (the Internet link at the DC) whilst maintaining complete separation from the rest of the network?
I believe there are the following possible general solutions:
1. convert the existing L3 HO-DC link to a trunk and simply carry the wireless VLAN over; requires the existing L3 /30 network to be moved to a new "point to point" VLAN (ptp = pruned from all other trunks)
2. use a tunnel to carry the guest VLAN over to the DC via the existing unmodified L3 link
and a solution peculiar to wireless guest access:
3. purchase an additional WLAN Controller for guest access and locate it at the DC (if I understand the wireless guest access stuff correctly, the HO WLCs can tunnel the guest SSID traffic over L3 to a dedicated "guest anchor" WLC in the DC; the guest WLC can then be connected directly to the ASA).
(and for completeness: 0. a physically separate network; this is not feasible; 4. a multitude of non-Cisco-supported solutions, e.g. EoIP, tun, ...)
Of course there are pros and cons for each approach:
1. Trunk
pros: comparatively easy to provision
cons: some people might shudder at a VLAN that spans buildings 5 km apart; requires attention to pruning to avoid VLANs leaking between sites; increases complexity of the existing HO-DC connection (was a simple routed port, now a VLAN on a trunk); no redundancy (we have alternate L3 paths between HO and DC); HO address space shows up on an ASA interface in the DC (looks messy), or vice-versa
2. Tunnel
pros: no modifications to the existing link required; takes advantage of L3 redundancy
cons: more config (would need an L2TP tunnel; is there any other way in IOS of bridging two distant LAN segments? Alternatively, use plain GRE, but will need VRFs at each end to ensure L3 segregation)
3. Guest Anchor WCS
pros: as 2., but "off the shelf" (right?)
Clearly Cisco have considered this issue and hence the Guest Anchor feature; however I have very similar requirements coming up for other non-wireless projects.
Thanks in advance for any constructive comments.
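Added worked example (not the poster's configuration): what options 1 and 2 look like on IOS, with the pruning and VRF checks the question raises. Everything here is assumed for illustration: VLAN 900 as the guest VLAN, 999 as the point-to-point VLAN and 998 as an unused native VLAN, Loopback0 on each core as the GRE endpoint, the 10.x/172.31.x/192.168.250.x addresses, the interface names, and ASA 8.3-or-later NAT syntax. Substitute your own; the shape is what matters.

```cisco
! ===== Option 1: stretch VLAN 900 over the HO-DC link (same on both Cat6ks) =====
! VTP transparent so VLANs 900/999 are never pushed onto other trunks
vtp mode transparent
vlan 900
 name GUEST-WIFI
vlan 999
 name HO-DC-PTP
! the old routed /30 moves from the physical port to this SVI
interface Vlan999
 ip address 10.1.1.1 255.255.255.252
!
interface TenGigabitEthernet1/1
 description HO-DC 10G link, routed port converted to trunk
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 998
 switchport trunk allowed vlan 900,999
 switchport mode trunk
 switchport nonegotiate
! 998 is an otherwise unused VLAN so nothing rides the trunk untagged;
! on every other trunk of both cores: switchport trunk allowed vlan remove 900,999
!
! ===== Option 2: GRE over the untouched L3 link, guest side in a VRF =====
! --- HO core ---
ip vrf GUEST
 rd 65000:900
!
! "ip vrf forwarding" wipes the address, so it comes before "ip address"
interface Vlan900
 description Guest wireless (from the HO WLCs)
 ip vrf forwarding GUEST
 ip address 10.200.0.1 255.255.255.0
!
! overlay in GUEST; source/destination resolve in the global table because
! no "tunnel vrf" is set, so the tunnel follows the existing redundant L3 paths
interface Tunnel900
 ip vrf forwarding GUEST
 ip address 172.31.255.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source Loopback0
 tunnel destination 10.0.0.2
!
ip route vrf GUEST 0.0.0.0 0.0.0.0 172.31.255.2
!
! --- DC core ---
ip vrf GUEST
 rd 65000:900
!
interface Tunnel900
 ip vrf forwarding GUEST
 ip address 172.31.255.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 keepalive 5 3
 tunnel source Loopback0
 tunnel destination 10.0.0.1
!
! dedicated routed port to the ASA, not a VLAN on an existing trunk
interface GigabitEthernet3/1
 description To ASA "guest" interface
 no switchport
 ip vrf forwarding GUEST
 ip address 192.168.250.1 255.255.255.252
!
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.168.250.2
ip route vrf GUEST 10.200.0.0 255.255.255.0 172.31.255.1
!
! --- ASA (8.3+ NAT syntax) ---
interface GigabitEthernet0/2
 nameif guest
 security-level 0
 ip address 192.168.250.2 255.255.255.252
!
route guest 10.200.0.0 255.255.255.0 192.168.250.1
object network GUEST-WIFI
 subnet 10.200.0.0 255.255.255.0
 nat (guest,outside) dynamic interface
! guest and outside are both level 0, so this is needed for guest -> outside
same-security-traffic permit inter-interface
!
! ===== Checks =====
! show interfaces trunk            -> Te1/1 carries only 900,999 (option 1)
! show ip route vrf GUEST          -> default via tunnel (HO) / via ASA (DC)
! show ip route 10.200.0.0         -> "% Network not in table" in the global VRF
! ping vrf GUEST 192.168.250.2 source 10.200.0.1
```

Points worth checking before either goes live: in option 1 the isolation rests entirely on the allowed-VLAN lists and on VTP not propagating the VLAN, so audit every trunk with `show interfaces trunk`, not just the HO-DC link; in option 2 the isolation is the VRF, and the guest prefix must never appear in the global table (the third check above) nor be leaked by any route-target import. On the ASA the guest interface sits at security-level 0, so guest-to-inside is dropped unless an access-list explicitly permits it; only the NAT rule and the same-security statement let it reach outside. GRE is hardware-switched on Sup720-class Cat6ks, whereas L2TPv3 (the true L2 bridge the question asks about) is tied to specific line cards on that platform, so check your hardware before choosing it over GRE plus VRFs.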