I just got a new requirement for our wirless rollout and I need some help. Plan the best way to provide employee and guests wireless access w/ the guests separate from the production environment.
We have a 5508 controller w/ 1142 APs. I have two GBICs in the interfaces (only one is being used). I want to use a backhaul connection for the guest access. I am having a hard time invisioning how to physically set up the cabling from the patch panel. Again, the requirement is to not allow guest users to connect to our production network but I still want/need to manage the APs. This will eventually need to be supported for remote sites tunneling back to the primary location.
You have a couple of options, the first is to install another 5508 in the DMZ and use it as a Guest Anchor WLC - simplest and most secure option but costs extra.
For some of my installs I've used VLANs to segment the guest wireless, using the firewall as the DHCP server and default gateway.
If you want to use a separate physical interface on the WLC then you can patch it into a separate interface on your firewall or connect it to your DMZ or external Internet.
As a rule I always put an ACL on the WLC interface to block any traffic to private IPs (10.0.0.0, 172.16.0.0 & 192.168.0.0) so there's no way guest could talk to the Internal LAN even if there was a route
Sent from Cisco Technical Support iPad App
Thanks John. Adding a second WLC is not an option at this point. I am thinking about having all of the APs (locally) connect up through a switch on the DMZ, using Vlans to direct the traffic out the dedicated guest connection and route the other traffic internally through the firewall. Still trying to wrap my brain around how and where the WLC will tie in. Also, similar to you, I am using my 3750 for DHCP settings. Not sure how that will work moving forward.
Well you don't want to put the APs in the dmz. Guest traffic is tunneled to the wlc an placed on the interface you assigned. So you either use an acl or configure one of the ports on the wlc on the guest vlan in the dmz and connect that port to that vlan. With this senerio, lag is disabled.
Sent from my iPhone
Like Scott says, you really don't want to install the AP's in the DMZ - typically the AP's are scattered around your building and are connected to your LAN access switches; extending your DMZ or trying to patch back to a DMZ switch wouldn't be a good idea
The Lightweight AP's (CAPWAP and LWAAP) are connected to switchports configured in "access mode" - not trunked like stand-alone AP's. All traffic from the AP to the WLC is encapsulated, effectively tunneled through your LAN to the WLC. The WLC becomes the point of ingress and egress for all wireless client traffic - so you don't need to worry too much about the link between the AP and WLC
The part that you need to consider is how the guest traffic gets from the WLC to the Internet; for my customers I will typically use a dedicated VLAN for the guest SSID. On the WLC I will add an ACL to block any traffic from potentially touching the internal LAN, in addition the VLAN will have no VLAN Interface configured on my switch so there is no route available. On the firewall I will terminate that VLAN so that the firewall becomes the default gateway for the VLAN (guest clients). I will also use the firewall as the DHCP server, if possible.
You can use the internal DHCP if you want to, but I tend to try and avoid doing that - that also means that you'll need to create a route to your internal network and then secure it
Depending on your physical infrastructure you could dedicate a physical interface on the WLC just for the guest access - you would still want to put a NAT/Firewall between the WLC and Internet
Check out the Cisco design guides - they're really good www.cisco.com/go/srnd
Thanks for the replies, very helpful.
How does this sound. I have my APs connected to a switch. That switch has a trunk to the WLC. The WLC has a trunk to the production environment which has access to resources and is routed through our ISP. On the first switch I have a dedicated link (DSL, T-1, Wireless Backhaul). I separate traffic heading to the WLC based on VLANs and SSIDs. Again, my mandate is to keep the guest traffic as much away from the production traffic. I like what both of you have described and I am looking to use as part of my proof of concept.
I have included a PDF of the basic layout I am trying to possibly accomplish. If there is no clear cut way to do this while having the ability to manage the APs then I need to be able to present that. Note the switch in this example is technically on the inside of our firewall and yes, I am still planning to use ACLs. Basically, does this make sense?
You're obviously quite concerned about security but you will also need to consider performance, I wouldn't want to sacrifice performance for the corporate users just to provide guest Internet access. You haven't mentioned how many AP's you will be installing or how many clients you will support. 802.11n supports 350Mbps and some of the later 4x4 AP's will support 450Mbps - that's why the AP's have Gigabit ports and should be connected to Gigabit switches. You need to consider that all of the traffic from the AP's will ingress on the same port (unless you create different DHCP scopes and direct groups of AP's to different Management IP addresses).
LAG is either on or off - the beauty of using LAG is that you can Etherchannel from 2 to 8 ports so you can have up to 8Gbps throughput possible (and it gives you link redundancy too) - and you only need to configure one Management IP. Obviously, if you use LAG, then you can't configure a separate interface just for the Public wireless, that's why I would typically use a VLAN.
If you want to manually configure the individual interfaces, you can do that but you'll need to configure a separate management IP for each and think about how you want redundancy to work.
I still don't see the need to connect the AP's to the DMZ switch - you could use a third interface just for the AP's (depending on your network topology and how these would be cabled back to this switch)
Bottom line is there's many ways to skin a cat (if you're that way inclined -) and what you deploy really depends on your requirements - just don't forget about performance, redundancy and ease of management - what works in a PoC might not scale to a full deployement
Currently they have a 5508 and 1142's and using only one out of two GBICs. So my suggestion if you want to go this route per say is to place your AP's and the WLC's on the switch stack. You have port one on your wlc connect to the switch stack and port two on your wlc connect to your switch that connects to the DSL. Now you specify on the WLC that port 1 is your primary for the management and your internal interface and port 2 is primary for your guest interface. Port 1 that connects to your switch will be a dot1q trunk allowing only the management vlan and the internal "employee" vlan. Port two can just be an access port, but the siwtch must be set to an access port and the wlc interface for that will be set to '0', untagged. You can configure that port as a trunk and then only allow the guest vlan also. In this scenario, you will not need any ACL's on the DSL switch, since I'm guessing it will be isolated anyway's just for the DSL. Nothing gets bridged or routed through the WLC. Alos with guest, I would disable WMM so that guest users do not connect higher than 54mbps.
If you decide you need more than one port for your internal traffic, then you will need to do LAG and you will no longer be able to specify what port is for what. If you have to go this route, then you would connect your AP's, WLC and the DSL switch to the switch stack. you would create a layer 2 vlan (no svi, ex vlan 99) and the dsl switch would connect to that vlan. You can then trunk all the vlans you need on an etherchannel from the WLC to the switch stack. You still specify that vlan 999 is for guest and you can create a WLC ACL to deny the guest subnet to access the internal subnet if you want, but since there is no L3, you should be fine.