Anchor WLC in DMZ, FW doesn't support multi-static Rts.

Jan 29th, 2009

Hi gang,

Not looking for anyone to hold my hand, but sure could use some advice.


We're working through our deployment of a guest WLC. Our anchor WLC is in our DMZ.

The management and AP-Manager are on the same subnet. The Dynamic "VLAN" interface is on a different subnet than the other interfaces, and its gateway is the DMZ interface of the firewall.


Problem, the firewall doesn't support multiple static routes.

Do the Management and Dynamic interfaces always have to be on different subnets?

Anyone have experience with this type of configuration?


I understand the value of time, so I honestly appreciate any help I get.


Best regards

Larry Brusso



Leo Laohoo Thu, 01/29/2009 - 18:43

Hi Larry,

According to the Configuration Guides, the AP-Manager "... must have a unique IP address and is usually configured on the same VLAN or IP subnet as the management interface, but this is not a requirement."


Otherwise, the rest can be on their own subnets.


Does this information help?

lbrusso6824 Fri, 01/30/2009 - 06:16

Hi Leo,

Thanks for the reply. You are correct about the AP-manager. Our problem is with the Dynamic "VLAN" interface that our guest traffic is on, which must be on a different subnet than the other interfaces.

Basically, our problem is that we have two different subnets for management and traffic, which then requires a router behind our DMZ. Our firewall doesn't do routing, and therefore doesn't support multiple subnets on the DMZ interface.

Thanks again for your reply.

Best regards

Larry

wesleyterry Thu, 01/29/2009 - 20:08

Are you implying that in your DMZ controller you have a dynamic interface?


In my configurations, my management/ap-manager interfaces are in the same subnet as the DMZ (gateway is the Firewall). My "guest" WLANs on the DMZ are just set to use the management interface.



Now maybe this isn't the correct way, but I've never had a problem with it. This way your DMZ only needs to have the one subnet.

lbrusso6824 Fri, 01/30/2009 - 06:53

Hi Wesley,

Thanks for replying once again to one of my posts. I do indeed appreciate the help.


Hmmm.... perhaps we have bumbled the Guest VLAN configuration on the Anchor WLC??????


I know we have to configure a "Guest VLAN Interface", (Enterprise Mobility Design Guide pg 10-16).

I think as we were working through the GUI steps we kept getting an error when we entered an ip address that was on the same subnet as the management interface.


In the "Wireless Controller Configuration Guide pg 3-8", it states "All dynamic interfaces must be on a different IP subnet from all other interfaces configured on the port".


Are you saying that the Guest VLAN Interface doesn't have to be a dynamic interface and can be on the same subnet with the management and AP-Manager?


Many many thanks for your help!

Best regards

Larry

Scott Fella Fri, 01/30/2009 - 07:27

Wesley is correct.... the easiest way is to use the management & ap-manager interface. You can use a dynamic interface if you want to manage the guest WLC from your inside network. You will need to open up your FW for this, and that is why using your management interface is the easiest. Here is a link on how to set it up.


http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html


lbrusso6824 Fri, 01/30/2009 - 07:51

Hi Scott,

I have the deployment guide already, but thanks for the link anyway.


Sounds like we need to go back and have another look at the way we have our Guest VLAN Interface configured.


It just didn't make sense to me that we would have to position a router within the DMZ to handle the management and guest traffic.

But we thought the instructions were telling us that we needed to make the Guest VLAN Interface a Dynamic interface. This would of course mean that we would have two different subnets behind the DMZ and would require routing.


Thanks again for your reply and your help. We're struggling through this, and we sure do appreciate the advice and guidance!


Many thanks!

Larry

Scott Fella Fri, 01/30/2009 - 07:58

What FW do you have... usually you can place multiple subnets in a DMZ which will allow you to use a dynamic interface.

wesleyterry Fri, 01/30/2009 - 08:03

My guest setup is as follows:

DMZ:


DMZ Gateway: 192.168.5.1 (Firewall DMZ Interface)

Controller: management 192.168.5.30

Controller: AP-manager 192.168.5.31


WLANs are all configured to use the management interface.


WLANs are all anchored to the DMZ controller (even on the DMZ controller, you anchor it to itself).


WLANs are all configured with DHCP from 192.168.5.30 (management of DMZ Controller)


DHCP Scope hands out addresses in the 192.168.5.X scope with the gateway as the firewall


and again, the firewall does the routing between the DMZ and the internet.
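To make the two constraints in this thread concrete (the WLC rule that a dynamic interface must sit on a different subnet from every other interface, and a firewall that only routes its single DMZ subnet), here is an added layout checker; it is not code from the thread or from Cisco. The DHCP pool range and the 192.168.6.0/24 guest subnet in the failing scenarios are constructed for illustration; the 192.168.5.x addresses are Wesley's.

```python
from ipaddress import IPv4Address, IPv4Interface


def check_anchor_layout(fw_dmz_gateway, interfaces, dhcp_pool):
    """Return a list of problems (empty list == layout is consistent).

    fw_dmz_gateway: firewall DMZ interface, e.g. "192.168.5.1/24"
    interfaces: {name: {"addr": "a.b.c.d/len", "dynamic": bool}} on the anchor WLC
    dhcp_pool: (first, last, default_router) handed out to guest clients
    """
    fw = IPv4Interface(fw_dmz_gateway)
    dmz = fw.network
    ifaces = {n: IPv4Interface(s["addr"]) for n, s in interfaces.items()}
    problems = []

    # WLC rule quoted in the thread: every dynamic interface must be on a
    # different IP subnet from all other interfaces on the port.
    for name, spec in interfaces.items():
        if not spec.get("dynamic"):
            continue
        for other, oif in ifaces.items():
            if other != name and oif.network == ifaces[name].network:
                problems.append(f"WLC: dynamic interface {name} shares {oif.network} with {other}")

    # Firewall rule from the thread: the FW routes only its own DMZ subnet,
    # so any controller interface outside it would need a router behind the DMZ.
    for name, itf in ifaces.items():
        if itf.ip not in dmz:
            problems.append(f"FW: {name} {itf.ip} is outside DMZ subnet {dmz}; needs another route")

    # Guest clients must get DMZ addresses with the firewall as default router.
    first, last, router = (IPv4Address(a) for a in dhcp_pool)
    if first not in dmz or last not in dmz:
        problems.append(f"DHCP: pool {first}-{last} is outside DMZ subnet {dmz}")
    if router != fw.ip:
        problems.append(f"DHCP: default router {router} is not the firewall {fw.ip}")
    return problems


FW_DMZ = "192.168.5.1/24"
POOL = ("192.168.5.100", "192.168.5.200", "192.168.5.1")  # constructed range
WESLEY = {"management": {"addr": "192.168.5.30/24", "dynamic": False},
          "ap-manager": {"addr": "192.168.5.31/24", "dynamic": False}}
# Larry's original idea: a dynamic guest interface, on another subnet or on the DMZ subnet.
GUEST_OTHER = {**WESLEY, "guest": {"addr": "192.168.6.10/24", "dynamic": True}}  # constructed
GUEST_SAME = {**WESLEY, "guest": {"addr": "192.168.5.40/24", "dynamic": True}}  # constructed


def wesley_layout():
    return check_anchor_layout(FW_DMZ, WESLEY, POOL)


def guest_on_other_subnet():
    return check_anchor_layout(FW_DMZ, GUEST_OTHER, POOL)


def guest_on_dmz_subnet():
    return check_anchor_layout(FW_DMZ, GUEST_SAME, POOL)
```

Running the three scenarios shows why the thread lands where it does: a dynamic guest interface either trips the WLC subnet rule (same subnet) or the firewall's single-route limit (different subnet), while putting the guest WLAN on the management interface satisfies both.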



lbrusso6824 Fri, 01/30/2009 - 09:08

Thanks wesley,

I'm embarrassed to tell you that, that is how I had originally configured our Anchor WLC.


The Anchor WLC in the DMZ with its gateway pointed at the DMZ interface of the firewall. Where I got into trouble was when I started to configure the guest VLAN. I could swear that I originally tried to give it an address on the same subnet as the management interface and got a network error message.


After doing some more digging into the guides, I came to the conclusion that the Guest VLAN had to be a "Dynamic Interface", which took me down the whole multi-subnet road.


From what you and the others are telling me, the Guest VLAN doesn't have to be a "Dynamic Interface", and I can indeed give it an IP address on the same subnet as the management interface.


Guess I need to go back to my original layout in the DMZ and revisit all of my Anchor Controller's interface configurations.


Man, I can't thank you and the others enough for your help. I'd still be going around the barn with the whole routing issue otherwise.


Have a good day.


Larry

Correct Answer
wesleyterry Fri, 01/30/2009 - 09:12

Just for clarification, we are talking wireless guest access right? Not Wired guests?


Wired Guests require you to create a custom port in a specific vlan (but not when you are configuring this on the anchored controller)


Anyhow... just make sure the WLAN you want to anchor is configured identical to the one on the DMZ controller. Then make sure you anchor that controller to the DMZ, and then make sure you anchor the dmz wlan to itself.




lbrusso6824 Fri, 01/30/2009 - 09:23

Yes, we're talking wireless guest access, we're on the same sheet of music.

Thanks again!


Larry

lbrusso6824 Fri, 02/13/2009 - 12:58

Just wanted to take the time to say thanks.

We're up and running and everything works peachy. ;)

I can't thank y'all enough for your help. Hopefully one day I'll be in a position to help someone.

Now I have to go hang out with the Linux folks because the boss wants us to put one of those nifty "catch and release" portals on the public wireless.

I think I need more Motrin!

regards to all

Larry
