I have been working on my organization's WiFi infrastructure and have had general success. However, there's always more than one way to skin a cat. The one right way and the half dozen half-assed ways! lol
My question is based on the following scenario:
I have my WLC and APs all on a VLAN tied to my management interface.
I have clients associating with those APs and the clients are being handed IPs in that same management VLAN.
I want to now create a guest WLAN that will send all the guest clients to the internet, bypassing the production network.
Based on this, is it better to have the WLC and access points, which are on the management interface, on a separate VLAN than what I have my clients connecting on?
Currently, everything's on VLAN 130. The controller, the APs and any clients. They're all on the same subnet/VLAN 130.
So now, when I want to set up that new guest WLAN and have that on our "internet only" VLAN, which is VLAN 150 for example, how are they supposed to get an IP address issued when the APs are connected to the PoE switch and on access ports assigned to VLAN 130?
Everything's working great right now for the production WiFi.. but adding this new guest WLAN and having it use the same AP's is gonna be a challenge.
I don't think I'm going about this correctly. Can I get some direction please?
Steve, you're easily becoming my favorite member of this community!
Okay, so for medium sized org, I don't want the production WLAN linked to the management interface. That's an easy enough change. Thanks for the clarification.
As for the guest WLAN, I created an interface specially for the guest WLAN, assigned it to my "IE only" VLAN and gave it an IP on that VLAN. But the question remains: if the APs are connected on switchports that are assigned to one VLAN, can I expect that when a guest connects to a WLAN being advertised by that AP, it will be able to reach the DHCP server for the "IE only" VLAN?
Sorry if this sounds like a stupid question... sometimes the hamster falls off the little wheel.
I would like to piggyback on Steve's comment. The best practice is to use a WLC as an anchor controller and install her in the DMZ. This means that the native guest packet never touches your wired switch fabric until she hits the DMZ. Now, if you have a small office this may not make financial sense. But again, your post is best practice.
Today, you are dumping the guest into the heart of your network with an ACL. Should that ACL be altered by accident you could have an issue on your hands.
I would also separate the WLC management VLAN from your production VLAN where your guests live. You really should have the following:
VLAN XX Management
VLAN XX Data
VLAN XX Guest
Just my 2 pennies...
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
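The two questions in this thread (how guest clients on a WLAN get an address on VLAN 150 when the APs sit on access ports in VLAN 130, and what the management / data / guest split recommended above looks like) come down to one configuration. The following is an added example, not configuration posted by anyone in the thread: the flat "everything on VLAN 130" layout the original poster starts from is shown first, then the three-VLAN layout. VLAN 130 (management) and VLAN 150 (guest) are the numbers used in the thread; VLAN 140 for production data, the interface names, port numbers and IP addresses are constructed placeholders. The key point the thread circles around: a local-mode lightweight AP tunnels every client frame to the controller over CAPWAP, so the AP's access port only needs the management VLAN; the WLC, on an 802.1Q trunk, tags the client's traffic into whichever VLAN the WLAN's dynamic interface is mapped to, and the client's DHCP request is relayed on that VLAN.

```cisco
! ===== Before: the flat layout described in the thread ======================
! WLC, APs and all clients share VLAN 130. With the WLC on an access port no
! second client VLAN can be carried, so "guest isolation" can only be an ACL
! sitting inside the production network (the risk the reply above points out).
interface GigabitEthernet1/0/24
 description WLC (flat: everything on VLAN 130)
 switchport mode access
 switchport access vlan 130

! ===== After: management / data / guest on separate VLANs ===================
vlan 130
 name WLC-MGMT
vlan 140
 name WIFI-DATA
vlan 150
 name INTERNET-ONLY-GUEST

! The WLC port becomes an 802.1Q trunk so the controller can tag traffic for
! each dynamic interface. Only the VLANs the controller serves are allowed.
! Management is left untagged (WLC management interface VLAN 0) and carried
! as the native VLAN; tagging it instead also works.
interface GigabitEthernet1/0/24
 description WLC (trunk: mgmt native, data + guest tagged)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 130
 switchport trunk allowed vlan 130,140,150

! AP ports stay as plain access ports in the management VLAN. The AP never
! needs VLAN 140 or 150 on its switchport: client traffic rides the CAPWAP
! tunnel to the WLC, which drops it onto the WLAN's interface VLAN.
interface GigabitEthernet1/0/1
 description Lightweight AP (local mode)
 switchport mode access
 switchport access vlan 130
 spanning-tree portfast

! ===== WLC side (AireOS CLI) =================================================
! One dynamic interface per client VLAN; the DHCP server address given to the
! interface is where the WLC relays client DHCP requests for that VLAN.
! Production data WLAN (WLAN id 1, constructed) moves off the management VLAN:
(Cisco Controller) >config interface create data 140
(Cisco Controller) >config interface address data 10.1.140.5 255.255.255.0 10.1.140.1
(Cisco Controller) >config interface dhcp dynamic-interface data primary 10.1.140.1
(Cisco Controller) >config wlan disable 1
(Cisco Controller) >config wlan interface 1 data
(Cisco Controller) >config wlan enable 1
! Guest WLAN (WLAN id 2, constructed) mapped to the "internet only" VLAN:
(Cisco Controller) >config interface create guest 150
(Cisco Controller) >config interface address guest 192.0.2.5 255.255.255.0 192.0.2.1
(Cisco Controller) >config interface dhcp dynamic-interface guest primary 192.0.2.1
(Cisco Controller) >config wlan disable 2
(Cisco Controller) >config wlan interface 2 guest
(Cisco Controller) >config wlan enable 2
```

This is the single-controller design the reply above treats as acceptable for a smaller office; it still relies on the upstream firewall routing VLAN 150 to the internet only, since the guest VLAN is switched on the same fabric as production. The anchor-controller-in-the-DMZ design the reply recommends removes that dependency by tunnelling guest traffic to a second WLC before it is ever placed on a VLAN.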