Wired Guest Access

Unanswered Question
Jan 6th, 2009

I am trying to set up a wired guest access VLAN using the WLC 4402. Does anyone know if this actually works? The WLC documentation suggests it is possible, but I have heard otherwise.

didyap Mon, 01/12/2009 - 06:52

In order to provide the wired guest access, the designated ports in the layer-2 access layer switch need to be configured on the guest VLAN by the administrator. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller. The local controller tunnels the guest traffic across an EoIP tunnel to a DMZ Anchor controller. This solution requires at least two controllers.

Here is the URL for the Wired Guest Access using Cisco WLAN Controllers Configuration


jordanperks Mon, 01/12/2009 - 06:58

I recently set this up using a 1-controller solution just to prove it worked to management and to see if it was something they would like us to look into deploying. We will soon be changing to a 2-controller wired guest solution. The configuration guide on Cisco's site does a great job of walking you through it. http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml

jhedstr2 Tue, 01/13/2009 - 05:28

Hi Jordanperks,

Just remember to use a different VLAN ID as ingress on the two controllers. We tried to use the same VLAN ID on two WLCs and hoped the installation would be redundant. This doesn't work at all.

Since clients see both controllers when the same VLAN is used, but they only log on to one, it will be very unstable.


jordanperks Wed, 01/28/2009 - 13:26

I used our Guest WLAN as the Egress Interface and created a new VLAN interface (199) for the ingress interface. I then assigned VLAN 199 (not to be confused with interface vlan 199. You want to keep it layer 2) to a switch on my desk and a switchport on that switch. I plugged my laptop into that switchport and opened a web browser. I got the Cisco login page just like you would on a guest WLAN.

The DHCP server is on the anchor controller and is giving out IP addresses from a class C x.x.232.x. The subnet's default gateway is an interface on our firewall, and that subnet has a specific rule set limiting it to only web access.

That is a very basic overview of what I did. If you need me to get into further detail let me know.

EDIT: We are using code on our 4402.

scottrunyon Tue, 03/31/2009 - 15:45

Did you actually get this to work with one controller? I have this set up on one controller and the wired clients do not get their DHCP offer forwarded through the WLC from the DHCP server. Logging indicates that it is due to the fact that the VLAN does not have an IP address associated with it.

jordanperks Wed, 04/01/2009 - 06:26

Here are the basics of how I configured wired guest.

Ingress interface does not have an IP, but Egress interface does.

DHCP is handed out by controller.

Switchports are in the same VLAN as the ingress interface.

wesleyterry Mon, 01/12/2009 - 19:22

I was toying with the idea of doing this with my 1510 Mesh APs (and 1020s) that aren't supported in 5.X.

Basically, I was going to use one controller on 4.1 code with all of these APs. Then I would dump out all of my "guest WLANs" on a private VLAN and trunk that private VLAN into another controller (with 5.X). That controller would be configured with that VLAN as a guest VLAN and then anchor it to my DMZ controller...

So in theory, if you want wired guest access, I'm pretty sure you just make the configuration on the internal controller specifying it as a Wired Guest VLAN, and then anchor it to the DMZ.

However, I haven't read up on it recently, so I don't remember the exact config. But I suppose the previous links posted have the details.

