Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Unanswered Question
Nov 2nd, 2013

I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:

WLC 2504
1142 LAPs
4510R+E
ASA 5510

Existing configuration as follows:

WLC management interface and APs addressed on the 192.168.126.0 /25 network
Internal WLAN mapped to the management interface
Management interface VLAN ID 0 (untagged) and dynamic AP management enabled
WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7
4510 connected to ASA inside interface (security level 100)
Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)
ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network

What is the best way to add guest wireless to our existing configuration?

Note: I need the guest wireless to be filtered by Websense as our internal wireless is.

Any advice would be greatly appreciated!

Yahya Jaber Sat, 11/02/2013 - 02:54

Hi,

You can use the second port on the WLC, create the guest interface and assign it to the new port, then connect that port directly to the switch as access with the guest VLAN, then from the switch to the ASA.

John Woods Sat, 11/02/2013 - 03:13
Thank you for the quick reply! OK, so create a dynamic interface mapped to port 2 on the WLC, connect port 2 to an access port on my core switch configured for the new guest VLAN? Also, when I create the dynamic interface, do I set the VLAN ID to 0 or tag it with the new guest VLAN ID?

Yahya Jaber Sat, 11/02/2013 - 03:19

Hi,

No, set it to the guest VLAN ID.

John Woods Sat, 11/02/2013 - 03:24
OK great. When I create this new dynamic interface, should I check the box to enable dynamic AP management or not? Also, for the connection to the ASA, do I make a new connection from the core switch to another port on the ASA for this new guest VLAN?

John Woods Sat, 11/02/2013 - 03:35
I see. Thank you. As for the new connection from the core switch, just configure it as an access port with access to the new guest VLAN? Also, when I assign an IP address to the new dynamic interface on the WLC, do I set its default gateway to the IP address that I give to the new ASA port? The SVI on the core switch should not have an IP address, correct?

John Woods Sat, 11/02/2013 - 04:00
Yahya, thank you so much for your configuration advice. I will give it a try and let you know how it turned out.


Thanks again!


JW

Yahya Jaber Sat, 11/02/2013 - 04:02

Hi,

Please let me know how it goes.

John Woods Sat, 11/02/2013 - 14:33
As far as DHCP for the wireless guests, I do not want to use my internal DHCP server. That leaves me two options, use the WLC or ASA. Are there any distinct advantages or disadvantages to using either?

Scott Fella Sat, 11/02/2013 - 15:53

Use the WLC. You don't want to open ports just for DHCP to the guest. You might also run into issues with the ASA and DHCP unless you disable DHCP proxy, but you can try. The WLC is your best bet since it's just guest.

Sent from Cisco Technical Support iPhone App

John Woods Sat, 11/02/2013 - 18:59
Thanks for the reply Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a DHCP scope on the WLC. Client gets DHCP but cannot even ping the WLC, much less anything else. Yahya stated above to configure port 2 on the WLC to an access port on my 4510. Aren't all connections from the WLC supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the WLC untagged and add a dynamic interface for each WLAN and tag it with the appropriate VLAN ID? And then leave the (one) physical connection on the WLC (port 1) connected to a trunk link on the 4510 that allows the required VLANs?


Any input would be greatly appreciated...


JW

Scott Fella Sat, 11/02/2013 - 19:09

I would trunk each port, but the main thing is that you only allow the guest vlan on the trunk port connected to the WLC port 2 and on port one, only allow the management and any other dynamic interface that is using port two.

Sent from Cisco Technical Support iPhone App

John Woods Sat, 11/02/2013 - 19:20
So right now all we have on the 2504 is the (mandatory) management interface and virtual interface. The management interface is untagged (VLAN ID 0) and dynamic AP management is enabled. The only connection from the 2504 to the 4510 is via port 1 on the 2504 to a trunk link on the 4510 with native VLAN 7 and allowed VLAN 7 (the 2504 management IP of 192.168.126.131 is in VLAN 7). So you are saying to connect port 2 on the 2504 to another trunk link on the 4510 and create a dynamic interface mapped to port 2 and configure the guest WLAN to use that dynamic interface? Forgot to mention our internal WLAN is using the management interface...

Scott Fella Sat, 11/02/2013 - 19:36

Yes, that is what I would do. This way your guest VLAN doesn't need a layer 3 interface and you have another port on your FE connected to that VLAN. You can achieve this either way, but it depends on how you want to isolate the guest traffic. One thing to do is connect a laptop to a port for the guest and see if it has connectivity or not. This will eliminate any wireless issues, if any.

Sent from Cisco Technical Support iPhone App
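The two-trunk layout Scott describes in his last two replies, written out as an added example (not configuration from any poster): 4510 ports toward WLC port 1, WLC port 2 and the ASA, a matching ASA guest interface, and the AireOS dynamic interface with the WLC serving DHCP. VLAN 7 and the management IP 192.168.126.131 come from the thread; the guest VLAN 200, the 192.168.200.0/24 addressing, WLAN ID 2 and all port numbers are placeholders, and NAT/Websense policy on the ASA is left out.

```text
! ---- Catalyst 4510R+E (IOS); "!" lines are comments ----
vlan 200
 name GUEST-WIRELESS
!
! WLC port 1: management only. Native VLAN 7 carries the untagged
! management interface (VLAN ID 0 on the WLC); VLAN 200 not allowed.
interface GigabitEthernet1/1
 description WLC2504 port 1 - management/internal
 switchport mode trunk
 switchport trunk native vlan 7
 switchport trunk allowed vlan 7
!
! WLC port 2: guest only. The dynamic interface is tagged 200, so
! 200 is not native here and VLAN 7 is not allowed.
interface GigabitEthernet1/2
 description WLC2504 port 2 - guest
 switchport mode trunk
 switchport trunk allowed vlan 200
!
! Toward the ASA: access port in VLAN 200. Deliberately no
! "interface Vlan200" on the 4510, so the core never routes guest.
interface GigabitEthernet1/3
 description ASA5510 guest interface
 switchport mode access
 switchport access vlan 200
!
! ---- ASA 5510: new guest interface (placeholder port/addressing) ----
interface Ethernet0/2
 nameif guest
 security-level 10
 ip address 192.168.200.1 255.255.255.0
 no shutdown
!
! ---- WLC 2504 (AireOS CLI) ----
! Dynamic interface "guest", tag 200, bound to port 2, gateway = ASA.
config interface create guest 200
config interface port guest 2
config interface address dynamic-interface guest 192.168.200.2 255.255.255.0 192.168.200.1
! Internal DHCP (Scott's advice): scope on the WLC, interface points
! at the management IP so the controller answers the requests itself.
config interface dhcp dynamic-interface guest primary 192.168.126.131
config dhcp create-scope guest
config dhcp network guest 192.168.200.0 255.255.255.0
config dhcp address-pool guest 192.168.200.10 192.168.200.200
config dhcp default-router guest 192.168.200.1
config dhcp enable guest
! Bind the guest WLAN (ID 2 is a placeholder) to the new interface.
config wlan disable 2
config wlan interface 2 guest
config wlan enable 2
```

Before touching wireless, plug a laptop into a spare access port in VLAN 200 as Scott suggests: it should pull a lease from the WLC scope and reach 192.168.200.1, which separates wired VLAN mistakes from WLAN problems.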
