Wireless Guest Access path isolation without anchor controller

jmprats
Level 4

Do you not get the same isolation with one WLC and VLANs as with two WLCs (anchor controller design)?

I think if you have one WLC and you assign a different VLAN for Guest Access, and you secure this VLAN with ACLs (you allow only access to the Internet), you have path isolation, don't you? It's as secure as the anchor design, isn't it?

I don't see the necessity to buy another controller to deploy Guest Access.

Thanks

3 Replies

Scott Fella
Hall of Fame

jmprats,

You are right that you have path isolation, but the option and the reason some go with a guest anchor solution is that they just want traffic to dump right into the DMZ. There is no right or wrong reason to use a guest anchor or not, but some just don't want to deal with ACLs and making sure changes to ACLs all of a sudden open up ports to the internal network. See, with guest anchors, traffic, as you know, will tunnel from the foreign WLC to the guest anchor. Well, now here are some advantages.... the guest WLC can be used as a DHCP for webauth users, usernames are applied on the guest anchor, use an external DNS and you don't add anything to your internal network per se. Guest anchors allow total isolation since no traffic (DHCP, DNS, etc.) is directed to an internal source. Peace of mind, I guess.... but I have deployed it both ways.

Scott

-Scott
*** Please rate helpful posts ***

OK, thanks, but with VLANs I can put guest traffic directly into a DMZ too (I can define in the switch the guest VLAN into the DMZ VLAN with no access to the internal network).

It depends on the size of the network. If you only have one or two WLCs and they are close to the DMZ, you can easily use a VLAN to isolate guest traffic. But if the network gets bigger and you have many WLCs, with a router hop away from the Internet exit, then it's really easier to use an anchor controller. You don't want to extend the guest VLAN past routers and add access lists on the way.
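
The risk raised in the thread, that a change to the guest VLAN ACL ends up opening a port to the internal network, can be checked mechanically after every ACL change. The following is an added example, not part of the original thread: a Python audit of an IOS-style extended ACL with first-match semantics. It assumes RFC 1918 space is the internal network and that wildcard masks are contiguous; the ACL name and all addresses are constructed.

```python
import ipaddress

# Assumption: RFC 1918 space stands in for "the internal network".
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample guest-VLAN ACL (name and addresses are made up).
SAMPLE_ACL = """\
ip access-list extended GUEST-IN
 permit udp any host 192.0.2.53 eq 53
 deny ip any 10.0.0.0 0.255.255.255
 permit tcp any host 192.168.10.20 eq 3389
 deny ip any 192.168.0.0 0.0.255.255
 permit tcp any host 10.1.1.5 eq 443
 permit ip any any
"""

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    prefix = 32 - bin(wild).count("1")  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{head}/{prefix}", strict=False)

def audit_guest_acl(text):
    """Return (entry, reachable internal range) for permits no earlier 'deny ip' shadows."""
    denies, findings = [], []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue  # ACL header, remarks, blank lines
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src = _take_addr(rest)
        if rest[0] in ("eq", "gt", "lt", "neq", "range"):  # source-port qualifier
            del rest[:3 if rest[0] == "range" else 2]
        dst = _take_addr(rest)
        if action == "deny":
            if proto == "ip":
                denies.append((src, dst))  # only full 'deny ip' counts as a shadow
            continue
        for net in INTERNAL:
            if net.overlaps(dst):
                hit = dst if dst.subnet_of(net) else net  # overlap of two CIDR blocks
                if not any(src.subnet_of(s) and hit.subnet_of(d) for s, d in denies):
                    findings.append((line.strip(), str(hit)))
    return findings
```

On the sample, the RDP permit placed above the 192.168.0.0/16 deny is reported, and so is the final `permit ip any any`, because no deny covers 172.16.0.0/12; the permit to 10.1.1.5 is not reported since the earlier deny already shadows it.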
