We have the Cisco WLC 2504 with a couple of access points. On this WLC we have a network connection via a radius server for our employees. The DHCP server for this connection is the server you see on the drawing. The connection from the switch to the WLC is connected on port 1 of the WLC. This connection works like a charm.
Now I want to create a second network (separated from our internal network) for our guests, but so far it doesn't work. What we have at the moment is:
A connection from the firewall via the router to the internet
A connected cable from the firewall to the WLC on port 2
A configured interface (port 2) on the WLC
A configured WLAN on the WLC (it is possible to connect to the guest WLAN with a static IP)
The SSID of the guest network is broadcast by the APs, which also broadcast the internal network SSID
The problem I have now is:
I have no connection between WLC port 2 (192.168.10.2) and the firewall (192.168.10.1). When I try to ping the firewall (192.168.10.1) I get a "no reply received" message.
How can I get this working? I hope someone can help me with this. Thanks in advance!
You cannot configure a WLC port as an L3 port and directly terminate a connection from your firewall on it. The physical connection from the firewall has to terminate on your switch (let's say a VLAN 10 access port), and WLC port 2 also connects to that switch on VLAN 10. Then your switch should have an SVI for VLAN 10.
Then see whether you can ping from firewall to WLC & vice versa.
Thanks for your answer and sorry for my late answer, but it was very busy in the holiday season.
We have just tested the setup as you mentioned, but it didn't work. I created a VLAN (10) on the switch (HP) and we connected WLC port 2 and the firewall to this VLAN. We tried it with the ports tagged/untagged/no/forbid, but none of the 4 settings worked. We couldn't ping the firewall on IP 192.168.10.1. We connected a phone with a static IP to the network, and with the program "Fing" we could see everything connected on the network, except the firewall.
Do you have another idea of how to get this to work? Thanks in advance!
The issue is that the WLC will not route between VLANs. In order for the scenario that Rasika recommended to work, the switch needs to be a layer 3 switch or needs a layer 3 device attached to it to route between the VLANs.
In my WLC, I have a guest interface as well:
The gateway listed in the VLAN 50 Interface on my L3 Switch:
I then have a route established on my switch to send that traffic to my ASA:
Due to that, I can ping the ASA from my WLC:
Of course, my WLAN for guests only has access to the guest Interface Group:
Try these changes on your switch (or other Layer 3 Device) and let us know if it worked for you.
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
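The switch and WLC configuration that the two answers above describe, written out as an added example (it is not configuration posted by either answerer or taken from the original thread). It assumes a Cisco IOS Layer 3 switch, guest VLAN 10, the page's addresses for the WLC dynamic interface (192.168.10.2) and the firewall (192.168.10.1), an assumed SVI address of 192.168.10.254, an assumed internal subnet of 192.168.1.0/24, and assumed port numbers; the original poster's HP switch uses different syntax for the same settings.

```cisco
! ===== Layer 3 switch (Cisco IOS syntax, assumed platform) =====
vlan 10
 name GUEST
!
! Firewall guest-side port, as Rasika suggested: an access port in VLAN 10.
interface GigabitEthernet1/0/10
 description Firewall guest interface (192.168.10.1)
 switchport mode access
 switchport access vlan 10
!
! WLC port 2: a trunk carrying only the guest VLAN, tagged, so the WLC
! dynamic interface (VLAN tag 10) is matched by the switch side.
interface GigabitEthernet1/0/11
 description WLC port 2 (guest)
 switchport mode trunk
 switchport trunk allowed vlan 10
!
! Guests must not reach the internal network through the switch SVI.
! Assumed internal subnet 192.168.1.0/24; DHCP is allowed explicitly so
! the guest clients can still get addresses from the firewall.
ip access-list extended GUEST-ISOLATION
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
!
! SVI for VLAN 10 (assumed address). It gives the switch an address in the
! guest subnet for reachability tests and carries the isolation ACL inbound.
ip routing
interface Vlan10
 description Guest SVI
 ip address 192.168.10.254 255.255.255.0
 ip access-group GUEST-ISOLATION in
!
! ===== WLC (AireOS CLI), dynamic interface for the guest WLAN =====
! The WLC does not route between VLANs; it only bridges the guest WLAN onto
! VLAN 10 via port 2. Gateway and DHCP server are the firewall (page values).
! config interface create guest 10
! config interface vlan guest 10
! config interface port guest 2
! config interface address dynamic-interface guest 192.168.10.2 255.255.255.0 192.168.10.1
! config interface dhcp dynamic-interface guest primary 192.168.10.1
! config wlan interface <guest-wlan-id> guest
!
! Reachability check from the WLC once the switch side is in place:
! ping 192.168.10.1
```

With this layout the guest clients' default gateway is the firewall itself, so guest traffic leaves over the firewall without touching the switch's routing table, and no route to the firewall is needed on the switch for the guest path; the SVI exists so the switch can answer pings in the guest subnet and so the inbound ACL stops a guest who sets 192.168.10.254 as gateway manually from reaching internal VLANs. If, as in the second answer, the SVI is instead used as the clients' gateway, the switch additionally needs a route that sends guest traffic to the firewall, and the same ACL still applies.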