Anchor WLC in DMZ, FW doesn't support multi-static routes.

lbrusso6824
Level 1

Hi gang,

Not looking for anyone to hold my hand, but sure could use some advice.

We're working through our deployment of a guest WLC. Our anchor WLC is in our DMZ.

The management and AP-Manager are on the same subnet. The Dynamic "VLAN" interface is on a different subnet than the other interfaces, and its gateway is the DMZ interface of the firewall.

Problem, the firewall doesn't support multiple static routes.

Do the Management and Dynamic interfaces always have to be on different subnets?

Anyone have experience with this type of configuration?

I understand the value of time, so I honestly appreciate any help I get.

Best regards

Larry Brusso

Accepted Solution

Just for clarification, we are talking wireless guest access right? Not Wired guests?

Wired Guests require you to create a custom port in a specific vlan (but not when you are configuring this on the anchored controller)

Anyhow... just make sure the WLAN you want to anchor is configured identical to the one on the DMZ controller. Then make sure you anchor that controller to the DMZ, and then make sure you anchor the dmz wlan to itself.


12 Replies

Leo Laohoo
Hall of Fame

Hi Larry,

According to the Configuration Guides, the AP-Manager "... must have a unique IP address and is usually configured on the same VLAN or IP subnet as the management interface, but this is not a requirement."

Otherwise, the rest can be on their own subnets.

Does this information help?

Hi Leo,

Thanks for the reply. You are correct about the AP-manager. Our problem is with the Dynamic "VLAN" interface that our guest traffic is on, which must be on a different subnet than the other interfaces.

Basically, our problem is that we have two different subnets for management and traffic, which then requires a router behind our DMZ. Our firewall doesn't do routing, and therefore doesn't support multiple subnets on the DMZ interface.

Thanks again for your reply.

Best regards

Larry

wesleyterry
Level 3

Are you implying that in your DMZ controller you have a dynamic interface?

In my configurations, my management/ap-manager interfaces are in the same subnet as the DMZ (gateway is the Firewall). My "guest" WLANs on the DMZ are just set to use the management interface.

Now maybe this isn't the correct way, but I've never had a problem with it. This way your DMZ only needs to have the one subnet.

Hi Wesley,

Thanks for replying once again to one of my posts. I do indeed appreciate the help.

Hmmm.... perhaps we have bumbled the Guest VLAN configuration on the Anchor WLC?

I know we have to configure a "Guest VLAN Interface", (Enterprise Mobility Design Guide pg 10-16).

I think as we were working through the GUI steps we kept getting an error when we entered an ip address that was on the same subnet as the management interface.

In the "Wireless Controller Configuration Guide pg 3-8", it states "All dynamic interfaces must be on a different IP subnet from all other interfaces configured on the port".

Are you saying that the Guest VLAN Interface doesn't have to be a dynamic interface and can be on the same subnet with the management and AP-Manager?

Many many thanks for your help!

Best regards

Larry

Wesley is correct.... the easiest way is to use the management & ap-manager interface. You can use a dynamic interface if you want to manage the guest WLC from your inside network. You will need to open up your FW for this, and that is why using your management interface is the easiest. Here is a link on how to set it up.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html

-Scott
*** Please rate helpful posts ***

Hi Scott,

I have the deployment guide already, but thanks for the link anyway.

Sounds like we need to go back and have another look at the way we have our Guest VLAN Interface configured.

It just didn't make sense to me that we would have to position a router within the DMZ to handle the management and guest traffic.

But we thought the instructions were telling us that we needed to make the Guest VLAN Interface a Dynamic interface. This would of course mean that we would have two different subnets behind the DMZ and would require routing.

Thanks again for your reply and your help. We're struggling through this, and we sure do appreciate the advice and guidance!

Many thanks!

Larry

What FW do you have... usually you can place multiple subnets in a DMZ which will allow you to use a dynamic interface.

-Scott
*** Please rate helpful posts ***

My guest setup is as follows:

DMZ:

DMZ Gateway: 192.168.5.1 (Firewall DMZ Interface)

Controller: management 192.168.5.30

Controller: AP-manager 192.168.5.31

WLAN's are all configured to use management interface.

WLAN's are all anchored to the DMZ controller (even on the DMZ controller, you anchor it to itself).

WLAN's are all configured with DHCP from 192.168.5.30 (management of DMZ Controller)

DHCP Scope hands out addresses in the 192.168.5.X scope with the gateway as the firewall

and again, the firewall does the routing between the DMZ and the internet.
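The constraint that drove this whole thread is the configuration-guide rule quoted earlier: a dynamic interface must not share a subnet with any other interface on the port, so every dynamic interface costs the firewall another route. The following is an added example (not code from the thread or from Cisco) that checks a proposed interface layout against that rule and counts the DMZ subnets the firewall would have to route; the interface list format and the 192.168.6.0/24 guest subnet are constructed for illustration.

```python
from ipaddress import ip_address, ip_interface
from typing import List, NamedTuple


class WlcInterface(NamedTuple):
    name: str
    addr: str       # "ip/prefix", as it would be configured on the WLC
    dynamic: bool   # True for a dynamic (VLAN) interface, False for management/AP-manager
    gateway: str


def check_interfaces(ifaces: List[WlcInterface]) -> List[str]:
    """Return violations of two checks: every interface's gateway must lie in its
    own subnet, and every dynamic interface must sit on a different IP subnet
    from all other interfaces on the same port (the configuration-guide rule)."""
    problems = []
    nets = {i.name: ip_interface(i.addr).network for i in ifaces}
    for i in ifaces:
        net = nets[i.name]
        if ip_address(i.gateway) not in net:
            problems.append(f"{i.name}: gateway {i.gateway} is not in {net}")
        if not i.dynamic:
            continue
        for other in ifaces:
            if other.name != i.name and nets[other.name] == net:
                problems.append(f"{i.name}: dynamic interface shares {net} with {other.name}")
    return problems


def subnets_to_route(ifaces: List[WlcInterface]) -> List[str]:
    """Distinct subnets the firewall's DMZ interface must be able to reach,
    i.e. the number of static routes the single-subnet firewall would need."""
    return sorted({str(ip_interface(i.addr).network) for i in ifaces})


# Constructed from wesleyterry's layout above: one DMZ subnet, guest WLANs on management.
SINGLE_SUBNET = [
    WlcInterface("management", "192.168.5.30/24", False, "192.168.5.1"),
    WlcInterface("ap-manager", "192.168.5.31/24", False, "192.168.5.1"),
]

# Constructed from Larry's attempt: a guest dynamic interface in the management subnet,
# which the WLC rejects under the quoted rule.
GUEST_IN_MGMT_SUBNET = SINGLE_SUBNET + [
    WlcInterface("guest", "192.168.5.40/24", True, "192.168.5.1"),
]

# A rule-compliant dynamic interface: its own (constructed) subnet, hence a second DMZ route.
GUEST_OWN_SUBNET = SINGLE_SUBNET + [
    WlcInterface("guest", "192.168.6.10/24", True, "192.168.6.1"),
]
```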

Thanks wesley,

I'm embarrassed to tell you that that is how I had originally configured our Anchor WLC.

The Anchor WLC in the DMZ with its gateway pointed at the DMZ interface of the firewall. Where I got into trouble was when I started to configure the guest VLAN. I could swear that I originally tried to give it an address on the same subnet as the management interface and got a network error message.

After doing some more digging into the guides, I came to the conclusion that the Guest VLAN had to be a "Dynamic Interface", which took me down the whole multi-subnet road.

From what you and the others are telling me, the Guest VLAN doesn't have to be a "Dynamic Interface", and I can indeed give it an IP address on the same subnet as the management interface.

Guess I need to go back to my original layout in the DMZ and revisit all of my Anchor Controller's interface configurations.

Man, I can't thank you and the others enough for your help. I'd still be going around the barn with the whole routing issue otherwise.

Have a good day.

Larry

Yes, we're talking wireless guest access, we're on the same sheet of music.

Thanks again!

Larry

Just wanted to take the time to say thanks.

We're up and running and everything works peachy. ;)

I can't thank y'all enough for your help. Hopefully one day I'll be in a position to help someone.

Now I have to go hang out with the Linux folks because the boss wants us to put one of those nifty "catch and release" portals on the public wireless.

I think I need more Motrin!

regards to all

Larry
