DMZ Anchor WLC setup for Wireless Guest Access

Answered Question

I have the following setup.


A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.


An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.


Both WLCs are running the same 4.2.176 code.


DMZ WLC is anchored to itself and the Inside WLC selects the DMZ WLC as the anchor point.


I have set up EoIP between the DMZ and Inside WLCs successfully, with both the control and data path showing UP status in "show mobility anchor".


----------------------------------------

The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.

----------------------------------------


1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.


What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?

Or do I still set it as 802.11b/g, the same config as the Inside WLC? I read in other threads, suggested by Terry, that the config must be the same for both WLCs.


In the Inside WLC, I saw a lot of PDU encapsulation errors for broadcast packets (ffff.ffff.ffff xxxx), which I think are the DHCP requests from the connected wireless clients not making it through the EoIP tunnel. I have set a static IP for the wireless client, but the packets still cannot route through the EoIP tunnel to the far end.



2. DHCP service is provided by the DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address should be set? The DMZ WLC management IP address? On the DMZ WLC, is the DHCP server also set to the DMZ WLC management IP?


3. Layer 2 authentication. I read that the DMZ WLC is supposed to be the DHCP server and do the Layer 2 or 3 authentication for wireless clients. However, it seems like the Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to provide the DHCP service?


4. Lastly, has anyone had the DMZ WLC send the wireless clients' traffic to a Bluecoat proxy server before hitting the Internet?


Thanks.


Correct Answer
Scott Fella Fri, 04/03/2009 - 19:01
One of the biggest things is to make sure the WLAN is configured exactly the same. The DMZ WLC ingress is the management interface and it is also the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes things easier. The DMZ WLC should provide the DHCP, so the DHCP scope of course will be on the same subnet as the management interface of the DMZ WLC. The DHCP server will be the IP address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside WLC and the DMZ WLC. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their IP address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to set up the proxy to allow the WLC to bypass the user's initial DNS resolution.
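The checklist in this answer (identical guest WLAN on both controllers, the anchor anchoring the WLAN to itself, the DHCP server set to the anchor's management IP, and the scope living on the anchor's management subnet) can be turned into a drift check that is run whenever either controller is touched. The Python below is an added example, not Cisco code and not something posted in this thread: it models each controller's relevant settings as a plain dict (on real controllers you would collect them from `show wlan` and `show dhcp` output), uses the subnets from the thread with made-up host addresses, and includes a constructed variant with a scope on 10.10.76.0/24 plus two deliberate mismatches so the findings it reports can be seen.

```python
"""Guest-anchor consistency check (added example, not from the thread or from Cisco)."""
import copy
import ipaddress

# WLAN settings that must be identical on the foreign (inside) and anchor (DMZ) WLC.
WLAN_MUST_MATCH = ("profile", "ssid", "l2_security", "l3_security", "interface")


def check_guest_anchor(foreign, anchor):
    """Return a list of human-readable findings; an empty list means the pair is consistent."""
    findings = []
    fw, aw = foreign["wlan"], anchor["wlan"]
    anchor_mgmt = ipaddress.ip_address(anchor["mgmt_ip"])

    # 1. The guest WLAN must be configured the same on both controllers.
    for field in WLAN_MUST_MATCH:
        if fw.get(field) != aw.get(field):
            findings.append(f"WLAN {field} differs: foreign={fw.get(field)!r} anchor={aw.get(field)!r}")

    # 2. The foreign WLC points the WLAN at the anchor; the anchor anchors it to itself.
    if str(anchor_mgmt) not in fw.get("mobility_anchors", []):
        findings.append(f"foreign WLC does not list {anchor_mgmt} as a mobility anchor")
    if str(anchor_mgmt) not in aw.get("mobility_anchors", []):
        findings.append("anchor WLC must anchor the guest WLAN to itself")

    # 3. The DHCP server on both sides is the anchor's management IP.
    for side, w in (("foreign", fw), ("anchor", aw)):
        if w.get("dhcp_server") != str(anchor_mgmt):
            findings.append(f"{side} WLAN dhcp_server is {w.get('dhcp_server')!r}, "
                            f"expected anchor mgmt {anchor_mgmt}")

    # 4. With the WLAN egressing on the anchor's management interface, the scope must be on that subnet,
    #    the pool must fit inside it, and the pool must not hand out the anchor's own address.
    if aw.get("interface") == "management":
        scopes = anchor.get("dhcp_scopes", [])
        if not scopes:
            findings.append("anchor WLC has no DHCP scope")
        for scope in scopes:
            net = ipaddress.ip_network(scope["network"], strict=False)
            lo, hi = (ipaddress.ip_address(a) for a in scope["pool"])
            if anchor_mgmt not in net:
                findings.append(f"scope {scope['name']} ({net}) is not on the anchor management subnet")
            elif not (net.network_address < lo <= hi < net.broadcast_address):
                findings.append(f"scope {scope['name']} pool {lo}-{hi} is outside {net}")
            elif lo <= anchor_mgmt <= hi:
                findings.append(f"scope {scope['name']} pool includes the anchor management IP {anchor_mgmt}")
    return findings


# Constructed sample configs: subnets are the thread's, host parts (.5) and the pool are made up.
ANCHOR_MGMT = "10.10.73.5"
GUEST_WLAN = {
    "profile": "Guest", "ssid": "Guest", "interface": "management",
    "l2_security": "none", "l3_security": "web-auth",
    "dhcp_server": ANCHOR_MGMT, "mobility_anchors": [ANCHOR_MGMT],
}
INSIDE_WLC = {"role": "foreign", "mgmt_ip": "10.10.71.5", "wlan": dict(GUEST_WLAN), "dhcp_scopes": []}
DMZ_WLC = {
    "role": "anchor", "mgmt_ip": ANCHOR_MGMT, "wlan": dict(GUEST_WLAN),
    "dhcp_scopes": [{"name": "guest", "network": "10.10.73.0/24", "pool": ("10.10.73.50", "10.10.73.200")}],
}


def mismatched_variant():
    """Constructed variant: the 10.10.76.0/24 scope from the question, plus two invented mismatches
    (foreign WLAN pointed at its own management IP for DHCP, and a differing Layer 2 security setting)."""
    inside, dmz = copy.deepcopy(INSIDE_WLC), copy.deepcopy(DMZ_WLC)
    dmz["dhcp_scopes"] = [{"name": "guest", "network": "10.10.76.0/24", "pool": ("10.10.76.10", "10.10.76.200")}]
    inside["wlan"]["dhcp_server"] = "10.10.71.5"
    inside["wlan"]["l2_security"] = "wpa2-psk"
    return inside, dmz


if __name__ == "__main__":
    print("consistent pair:", check_guest_anchor(INSIDE_WLC, DMZ_WLC) or "no findings")
    for line in check_guest_anchor(*mismatched_variant()):
        print("finding:", line)
```

The scope check implements the answer's rule literally (scope subnet equals the anchor's management subnet when the WLAN egresses on the management interface); if a dynamic interface is used on the anchor instead, the same check would be made against that interface's address.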

How do you set the DMZ WLC ingress/egress to be management interface of itself?


When you define WLAN for guest under DMZ WLC, the ingress is radio interface (802.11).


If I create Dynamic Interface in DMZ WLC, the Firewall interface to WLC will need to be trunk to support additional subnets. I have read the threads somewhere here that it is possible not to create Dynamic Interface for Guest WLAN under DMZ WLC.


I have no access to the WLCs now. I will test it tomorrow.


Thanks.

Scott Fella Fri, 04/03/2009 - 20:00

The ingress of an AP is the radio and the egress is its Ethernet port. The LWAPP packet then traverses the network and ingresses on the AP-Manager interface. Depending on which WLAN the device associates to, the WLC then egresses the packet out the interface that packet should belong to, which is usually a dynamic interface but can be the management interface if configured that way.

mohanantassp Mon, 07/20/2009 - 01:17

Hi, I saw your link. Do you have any configuration manuals for this kind of setup?


I have a 4402 controller with 100 APs and a 4402 controller with 12 APs. I will connect the 4402 controller to the Cisco ASA5510 firewall and use it for the guest access.


The 4402 100-AP controller will be in the production LAN. How should I configure this 4402 12-AP controller to tunnel the guest traffic? I know the design, but not how to configure it and where to configure what.


Anyone, please advise.

