Wireless Guest Access path isolation without anchor controller

Unanswered Question
Apr 12th, 2010

Do not get the same isolation with one WLC and VLANs that with two WLC (anchor controller dessign)?

I think if you have one WLC and you assign a diferent VLAN for Guest Access, and you secure with ACLs this VLAN (you allow only access to Internet) you have path isolation, isn't it? It's as secure as anchor dessign, isn't it?

I don't see the necessity to buy another controller to deploy Guest Access.


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Scott Fella Mon, 04/12/2010 - 20:05


You are right that you have path isolation but the option and the reason some go with a guest anchor solution is that they just want traffic to dump right into the dmz.  There is no right or wrong reason to use a guest anchor or not, but some just don't want to deal with ACL's and making sure changes to ACL's all of a sudden open up ports to the internal network.   See with Guest Anchors, traffic as you know will tunnel from the foreign WLC to the Guest anchor.  Well now here are some advantages.... the guest wlc can be used as a dhcp for webauth users, usernames are applied on the guest anchor, use an external dns and you don't add anything to your internal network per say.  Guest anchor allow total isolation since no traffic (dhcp, dns, etc) is directed to an intenal source.  Peace of mind I guess.... but I have deployed it both ways.


jmprats Mon, 04/12/2010 - 23:50

OK, thanks, but with VLANs I can put  guest traffic directly into a DMZ too (I can define in the switch the guest vlan into the dmz-vlan with no access to internal network)

jhedstr2 Wed, 04/14/2010 - 06:00

It depends an the size of the network. If you only have one or two WLC and they are close to the DMZ, you can easly use VLAN to isolate guest trafic. But if network gets bigger and you have many WLC and with a router hop away from the Internet exit, then it's really easier to use an anchor controller. You don't want to extend the guest VLAN passed routers and add accesslist on the way.


This Discussion



Trending Topics - Security & Network