can I plug port 2 of my WLC 4404 into my dmz for guest user access

Answered Question
Jun 29th, 2010

Hi all

My scenario is

Cisco WLC 4404, with 20 access points. I want an internal client WLAN and a guest WLAN. I have configured the VLANs and WLANs; however, would it be possible to have all the internet traffic for the guests going out of port 2 on the controller to the DMZ of my firewall? How would I get this to work? The APs' traffic comes through port 1 on the controller.

please help

cheers

Carl

leejohns Tue, 06/29/2010 - 12:28

Carl,

The short answer is yes.  All you need is an ap-manager interface assigned to port 2 and assign the guest interface to port 2.  Keep your vlan tagging straight. 

The other longer answer is I would probably not do it.  In older codes, these seemed to work just fine. In newer codes, however, we see it more and more where sometimes you cannot pass the guest traffic out the second port for some reason. In fact, I am currently working an issue with a customer right now where we are seeing the WLC drop arp (CSCte67234) for the guest client trying to use Port 2.

I am a firm believer that although this can work, the best practice is to use either one port on the WLC for both internal and guest, or a port-channel/LAG with both ports on the WLC going to the same switch, and let the switched network/routers/firewalls handle keeping the guest traffic off your internal network as opposed to "routing around the firewall" by trying to use the WLC like a switch.

Again, you can certainly give it a shot and if you don't have any issues, then that is great.  If it doesn't work, then you might be running into an ARP problem or some other issue with the WLC connected in this fashion.

Thanks,

Lee

carl_townshend Tue, 06/29/2010 - 12:40

Hi

Thanks for the reply

Can you please tell me how I would do this? What would I use port 1 for on the controller if port 2 is the AP manager? And also, if I did this, would the internal client VLAN also have to pass through the firewall?

I would like all the traffic to come through port 1, then send the guest traffic out of port 2 to the DMZ.

what is the best way of setting this up ?

please help

cheers

Carl

leejohns Tue, 06/29/2010 - 13:14

Carl,

Are you asking how to set it up with guest traffic going out port 2 to the DMZ or are you asking about how to set it up the other way I mentioned?

For the way you originally inquired about: a rule on the WLCs is that when you have more than one port physically connected you need to either use LAG or have an ap-manager interface assigned to each port.  So you would need to create a new dynamic interface, designate it as an ap-manager interface, and assign it to port 2.  Port 1 would have the original ap-manager and management interfaces assigned to it.  You would also need to create a new dynamic interface for the guest traffic and assign that to port 2 as well.  Then under your WLAN configuration, assign the guest WLAN to the guest interface.  Your internal WLAN would be configured to use an interface that is assigned to port 1.  So the internal traffic would go in/out port 1 and the guest traffic would come in port 1 (in the lightweight tunnel), and then go out port 2.

Port 1 on the WLC will be connected to a port on a switch on the trusted side of the FW and port 2 will be connected to a switch in the DMZ.

For the way I mentioned, you can have a port-channel on the switch and LAG configured on the WLC and all client traffic is going to go into and out of that port.  Then the VLAN setup on the switches will take it from there.

You can reference chapter 3 of the WLC configuration guides for more information on LAG and multiple ap-managers: http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1277659

I would suggest that you open a TAC case regardless of which method you are considering as I think it would be easier to go over all the variables and explain how the WLC functions on the phone as opposed to here.

Thanks,

Lee
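
The steps Lee describes (a second AP-manager interface on port 2, a guest dynamic interface on port 2, and the guest WLAN bound to that interface) written out as WLC CLI commands, as an added illustration that is not part of this thread or of Lee's reply. The interface names ap-manager2 and guest-dmz, the VLAN IDs, the addresses and WLAN ID 2 are all assumed; the command forms are the 7.0-era CLI equivalents of the GUI steps, and the placement of the second AP-manager in the management subnet follows the multiple-AP-manager rules in the config guide chapter Lee links (check that chapter against your code version).

```text
! --- assumed values, not from the thread ---
! port 1 -> trusted switch: management + original ap-manager, VLAN 10, 10.10.10.0/24 (unchanged)
! port 2 -> DMZ switch, guest VLAN 20 tagged, 192.168.20.0/24, DMZ firewall interface 192.168.20.1
! WLAN 2 -> guest SSID

! 1. Second AP-manager interface, bound to port 2.
!    Needed because two distribution ports are physically connected and LAG is not in use
!    (different switches). Address/VLAN must follow the multiple-AP-manager rules in the guide.
config interface create ap-manager2 10
config interface address ap-manager2 10.10.10.3 255.255.255.0 10.10.10.1
config interface port ap-manager2 2
config interface ap-manager ap-manager2 enable

! 2. Guest dynamic interface, also bound to port 2.
!    Its gateway and DHCP server are hosts in the DMZ, so guest clients never get a
!    next hop on the trusted side.
config interface create guest-dmz 20
config interface address guest-dmz 192.168.20.4 255.255.255.0 192.168.20.1
config interface dhcp guest-dmz primary 192.168.20.1
config interface port guest-dmz 2

! 3. Bind the guest WLAN to the guest interface. The internal WLAN keeps whatever
!    interface it already has on port 1.
config wlan disable 2
config wlan interface 2 guest-dmz
config wlan enable 2

! 4. Verify the bindings before letting guests on.
!    Every interface should list the port you intended, and WLAN 2 should show guest-dmz.
show interface summary
show interface detailed guest-dmz
show wlan 2
```

Two checks worth doing after this: confirm on the switches that VLAN 20 is carried only on the DMZ switch port facing WLC port 2 and is not trunked to the trusted switch on port 1 (otherwise the WLC-level separation is undone by the wiring), and, given the ARP issue Lee mentions for second-port guest traffic, test a guest client's ARP resolution of its DMZ gateway with `debug arp all enable` on the controller before declaring the setup working.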

carl_townshend Tue, 06/29/2010 - 13:24

Hi there

thanks for that, however I am still uncertain how to approach it

Why do I need 2 ap-manager interfaces? Will it let me do this? And if both kinds of traffic come in port 1, how does it know to send the traffic out of port 2 to the DMZ? Is this because the guest users will have the gateway set at the DMZ? Also, how can I have the WLAN on 2 ports, i.e. apply it to port 1 and 2?

cheers

Carl

Correct Answer
leejohns Wed, 06/30/2010 - 05:27

Carl,

You need to have two AP-manager interfaces because you are physically connecting two distribution ports on the WLC.  When you do that, you must either use LAG (which you cannot do in this case because you are connecting to two different switches) or have an ap-manager assigned to each port (this is how you can have switch redundancy).  So yes, it will let you do that. Please refer to the config guide link I sent you for more information on using multiple ap-manager interfaces.

The WLC knows to send the guest traffic out port 2 because the guest WLAN is assigned to the guest interface which in turn is assigned to port 2.

Again, I would highly recommend that you open a TAC case so you can speak with an engineer and discuss this as, as you can see, it can be kind of confusing.

Lee
