How to set WLC in DMZ zone

Answered Question
Dec 13th, 2011

Hi all, appreciated if you guys can answer this.


I have a Cisco 2100 that needs to be set up in the DMZ, and an Air-Lap1131G as AP.


Right now I have connected the WLC console to a PC to run the initial boot-up in a terminal, and I really need the info that it requires.

Now I have made a mistake by setting up the WLC in my network (assigning a LAN IP, LAN subnet, etc.), so I set the WLC back to factory default.

Now if I want the WLC to be in the DMZ zone, what IP should I give it (do I get one from my ISP? and also, how are IPs distributed to all guest wireless devices, and where do all these IPs need to be set: subnet, gateway, etc.) during the initial setup? Also, after the setup config is finished, which device should WLC port 1 be connected to? And must the AP be directly connected to the WLC only in this case to work? Can the AP be connected to one of my network ports, because I have a few floors and 6 APs to connect?


thanks.

Stephen Rodriguez Wed, 12/14/2011 - 04:33

The WLC should be assigned an address in the DMZ subnet. I wouldn't put an external IP on it personally, as you can use RFC 1918 and not have to pay for it. If you are only using it for guests, you can configure the DHCP server on the WLC to give out addresses to the clients.


The WLC would then plug into a switch, and the APs would join across the LAN. Now if the APs are on the inside subnet(s), you'll need to pinhole the firewall, if one is in place, to allow UDP 5246/5247 so the AP can join.


Sent from Cisco Technical Support iPhone App

thomas_blackwin... Wed, 12/14/2011 - 19:36

Hi Stephen, thanks for answering.


So during the initial setup of the WLC, I assigned the following to the WLC:


IP: 192.168.63.1 (RFC 1918)

Subnet: 255.255.254.0 (not my lan subnet)

Gateway: 192.168.63.1

DHCP: 192.168.63.1

Port: the port number of the WLC where it is going to connect to a switch.


Now there are some questions during the initial boot-up which are not in the Cisco guide for setting up the WLC; they are the following, and it won't allow me to continue until I key in an entry for each.


  1. An access point manager interface IP address, such as 10.40.0.7.
  2. A management interface netmask address.
  3. A management interface default router IP address.
  4. A management interface port, such as 1


Now, as you mention above, all the APs would join across the network; this I understood, because I have 6 APs to put on the building floors, so it is not realistic to connect them directly to the WLC.


So for the four questions above, what entries should I key in?


Now back to the 6 APs: for these APs, do I need to assign my LAN IP addresses to them (using DHCP, reserving an IP for each AP), or let them pick up a DHCP IP address? Also, do I need to configure anything on the Aironet APs once they are connected to my network (configure the AP settings via web after they get an IP address)?


For the question on UDP 5246/5247, I think this is blocked, because on my first try my WLC could not detect the APs.

Now where can I check this entry? Is it in my firewall settings, or do I need to create a new entry in the firewall settings?

I'm using TMG server.


For configuring the DHCP server on the WLC to give out addresses to the clients (yes, this is what I will do): when I've finished configuring the WLC initial setup, I need to access the WLC via the web and set the DHCP server settings there, right?


After the WLC is configured, since the wireless will be in the DMZ, port 1 of the WLC has to be connected to my LAN PTN switch, right? Instead of to the network switch.


Lastly, just a few initial WLC config questions:


  1. An RF group name entry (do I need to assign anything for this entry, or just leave it blank?)
  2. Whether or not to allow static IP addresses from clients, Y or N (this entry I do not understand; do clients mean the guests who are going to connect to my wireless network? If yes, then I should key in NO, right?)
  3. RADIUS server IP address, communications port, and secret (for this, since the WLC will be in the DMZ, would I need to define this? I want guests who access the wireless to still need to key in the WEP key; where do I key in this entry?)
  4. Status of radio resource management (RRM) (enabled or disabled)


Sorry for so many questions; this is my first time setting up a Cisco WLC.


Many thanks.

Correct Answer
Stephen Rodriguez Wed, 12/14/2011 - 20:08

OK. So this might be a bit out of order.


Your WLC can connect into either the PTN or the LAN, so long as the AP can talk to the WLC on 5246/5247, and this is generally going to be a pinhole in the firewall.



For the AP manager address you generally want this to be in the same subnet as the management address. You can use either DHCP option 43 or DNS to point the AP at the WLC. I would use 192.168.62.2 if it's available, but that is just for symmetry. The APs do not need to be in the same segment as the WLC so long as there is L3 reachability between the subnets.


Any config for inside reaching the DMZ controller is usually on the firewall, so you need to make sure the traffic can flow.


For any WLAN config in the startup script, just put the minimum in, then configure it once the WLC is up and running.



Sent from Cisco Technical Support iPad App
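
As an added example (not code from the thread, from Cisco, or from either poster), the Python below encodes the DHCP option 43 value that points Cisco lightweight APs at a controller such as 192.168.62.2, checks that the AP-manager and default-router answers from the setup wizard fall inside the management subnet, and lists the minimal UDP 5246/5247 pinholes the firewall needs between an inside AP subnet and the DMZ controller; the function names and the inside AP subnet are assumptions.

```python
import ipaddress

# CAPWAP control and data ports named in the thread; both are UDP.
CAPWAP_PORTS = (5246, 5247)


def option43_cisco(controllers):
    """Hex string for DHCP option 43 as Cisco lightweight APs expect it:
    sub-option 0xf1, one length byte (4 * number of controllers), then the
    IPv4 addresses of the WLC management interfaces in network byte order."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs or len(addrs) > 63:  # length must fit in a single octet
        raise ValueError("need between 1 and 63 controller addresses")
    payload = b"".join(a.packed for a in addrs)
    return bytes([0xF1, len(payload)]).hex() + payload.hex()


def check_interfaces(mgmt_ip, netmask, ap_mgr_ip, gateway):
    """Sanity checks on the setup-wizard answers: the AP-manager address and the
    default router must be inside the management subnet, and the default router
    must not be the controller's own management address. Returns a problem list."""
    net = ipaddress.IPv4Network(f"{mgmt_ip}/{netmask}", strict=False)
    problems = []
    if ipaddress.IPv4Address(ap_mgr_ip) not in net:
        problems.append("AP-manager address is outside the management subnet")
    if ipaddress.IPv4Address(gateway) not in net:
        problems.append("default router is outside the management subnet")
    elif gateway == mgmt_ip:
        problems.append("default router is the management address itself")
    return problems


def capwap_pinholes(ap_subnets, wlc_ips):
    """Minimal allow list (src, dst, proto, port) for APs on inside subnets to
    join a WLC in the DMZ; nothing else from inside to the DMZ is opened."""
    return [(src, dst, "udp", port)
            for src in ap_subnets for dst in wlc_ips for port in CAPWAP_PORTS]


if __name__ == "__main__":
    # Constructed values: the controller address suggested in the reply above,
    # the poster's wizard answers, and an assumed inside AP subnet.
    print(option43_cisco(["192.168.62.2"]))
    print(check_interfaces("192.168.63.1", "255.255.254.0", "10.40.0.7", "192.168.63.1"))
    for rule in capwap_pinholes(["10.0.1.0/24"], ["192.168.62.2"]):
        print(rule)
```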

thomas_blackwin... Sun, 12/18/2011 - 19:54

Hi Stephen,


Thanks, I understand the concept now; I will find out the other info by myself.

George Stefanick Sun, 12/18/2011 - 20:17

Tbw,


I attached a topology that I created as a reminder to myself for the ports that are needed between the DMZ and the internal controllers, RADIUS, WCS, etc.


One typo: 1666 should be 16666...

