Cisco Support Community
Community Member

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

I need to add guest (internet only) wireless to our existing internal wireless and am looking for advice as to the best practice configuration. Existing infrastructure as follows:

WLC 2504

1142 LAPs

4510R+E

ASA 5510

Existing configuration as follows:

WLC management interface and APs addressed on the 192.168.126.0 /25 network

Internal WLAN mapped to the management interface

Management interface VLAN ID 0 (untagged) and dynamic AP management enabled

WLC port 1 (only) connected to 4510 via trunk with native VLAN set to 7 and allowed VLAN set to 7

4510 connected to ASA inside interface (security level 100)

Switchport on 4510 connected to ASA configured as switchport access VLAN 99 (our internet VLAN)

ASA inside interface NOT configured for subinterfaces and is addressed on the 192.168.121.0 /25 network

What is the best way to add guest wireless to our existing configuration?

Note: I need the guest wireless to be filtered by Websense, as our internal wireless is.

Any advice would be greatly appreciated!

15 REPLIES
Bronze

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Hi,

You can use the second port on the WLC, create the guest interface and assign it to the new port, then connect that port directly to the switch as access with guest VLAN, then from the switch to the ASA.

Community Member

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Thank you for the quick reply! Ok, so create a dynamic interface mapped to port 2 on the wlc, connect port 2 to an access port on my core switch configured for the new guest vlan? Also, when I create the dynamic interface, do I set the vlan id to 0 or tag it with the new guest vlan id?

Bronze

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Hi,

No, set it to the guest VLAN ID.

Community Member

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

OK great. When I create this new dynamic interface, should I check the box to enable dynamic ap management or not? Also, for the connection to the ASA, do I make a new connection from the core switch to another port on the ASA for this new guest vlan?

Bronze

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Hi,

Nope, don't check it, since this option is for letting the AP join that interface "get an IP from that subnet"

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1117494

and yes, new connection between the ASA and the switch.

Community Member

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

I see. Thank you. As for the new connection from the core switch, just configure it as an access port with access to the new guest vlan? Also, when I assign an IP address to the new dynamic interface on the WLC, do I set its default gateway to the IP address that I give to the new ASA port? The SVI on the core switch should not have an IP address correct?

Bronze

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Hi,

Yes.

Community Member

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Yahya, thank you so much for your configuration advice. I will give it a try and let you know how it turned out.

Thanks again!

JW

Bronze

Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Hi,

Please let me know how it goes.

Community Member

Re: Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

As far as DHCP for the wireless guests, I do not want to use my internal DHCP server. That leaves me two options, use the WLC or ASA. Are there any distinct advantages or disadvantages to using either?

Hall of Fame Super Silver

Re: Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Use the WLC. You don't want to open ports just for dhcp to the guest. You might also run into issues with the ASA and dhcp unless you disable dhcp proxy, but you can try. The WLC is your best bet since it's just guest.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Thanks for the reply, Scott. The configuration recommendations from Yahya did not work. I set up as he recommended and also added a dhcp scope on the wlc. Client gets dhcp but cannot even ping the wlc, much less anything else. Yahya stated above to configure port 2 on the wlc to an access port on my 4510. Aren't all connections from the wlc supposed to be trunk links to the switch? Shouldn't I just leave the management interface on the wlc untagged and add a dynamic interface for each wlan and tag it with the appropriate vlan id? And then leave the (one) physical connection on the wlc (port 1) connected to a trunk link on the 4510 that allows the required vlans?

Any input would be greatly appreciated...

JW

Hall of Fame Super Silver

Re: Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

I would trunk each port, but the main thing is that you only allow the guest vlan on the trunk port connected to the WLC port 2 and on port one, only allow the management and any other dynamic interface that is using port two.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
Community Member

Re: Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

So right now all we have on the 2504 is the (mandatory) management interface and virtual interface. The management interface is untagged (vlan id 0) and dynamic ap management is enabled. The only connection from the 2504 to the 4510 is via port 1 on the 2504 to a trunk link on the 4510 with default vlan 7 and allowed vlan 7 (the 2504 management IP of 192.168.126.131 is in vlan 7). So you are saying to connect port 2 on the 2504 to another trunk link on the 4510 and create a dynamic interface mapped to port 2 and configure the guest wlan to use that dynamic interface? Forgot to mention our internal wlan is using the management interface...

Hall of Fame Super Silver

Re: Guest wireless with WLC 2504, Catalyst 4510R+E and ASA 5510

Yes, that is what I would do. This way your guest vlan doesn't need a layer 3 interface and you have another port on your FE connect to that vlan. You can achieve this either way, but depends on how you want to isolate the guest traffic. One thing to do is connect a laptop to a port for the guest and see if it has connectivity or not. This will eliminate any wireless issues if any.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
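
The isolation rules given in the replies above (only the guest VLAN on the trunk to WLC port 2, the guest VLAN kept off the port 1 trunk, and no layer 3 interface for it on the 4510) can be checked against a saved switch configuration. This is an added example, not part of the thread; guest VLAN ID 50, the interface names and the sample configuration are constructed assumptions.

```python
import re

# Constructed 4510 excerpt (not from the thread). VLAN 50 as the guest VLAN
# and the interface names are assumptions; VLAN 7 is the thread's management VLAN.
SAMPLE_CONFIG = """\
interface GigabitEthernet2/1
 switchport trunk native vlan 7
 switchport trunk allowed vlan 7,50
 switchport mode trunk
!
interface GigabitEthernet2/2
 switchport trunk allowed vlan 50
 switchport mode trunk
!
interface Vlan50
 ip address 192.0.2.1 255.255.255.0
!
"""

ALLOWED_RE = r"^ switchport trunk allowed vlan (?:add )?([\d,-]+)"

def allowed_vlans(body):
    """VLANs a trunk carries; no numeric allowed-VLAN line means every VLAN."""
    specs = re.findall(ALLOWED_RE, body, re.M)
    if not specs:
        return set(range(1, 4095))
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?:-(\d+))?", ",".join(specs)):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_guest_isolation(config, guest_vlan, guest_trunk):
    """Return findings where the guest VLAN leaks outside its dedicated path."""
    findings = []
    # Each match is (interface name, its indented sub-commands as one string).
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n)*)", config, re.M):
        # An addressed SVI would let the switch route guest traffic internally.
        if name.lower() == f"vlan{guest_vlan}" and re.search(r"^ ip address ", body, re.M):
            findings.append(f"{name}: guest VLAN has a layer 3 address on the switch")
        if not re.search(r"^ switchport mode trunk$", body, re.M):
            continue
        allowed = allowed_vlans(body)
        if name == guest_trunk and allowed != {guest_vlan}:
            findings.append(f"{name}: guest trunk must carry only VLAN {guest_vlan}")
        if name != guest_trunk and guest_vlan in allowed:
            findings.append(f"{name}: non-guest trunk carries guest VLAN {guest_vlan}")
    return findings
```

Calling `audit_guest_isolation(SAMPLE_CONFIG, 50, "GigabitEthernet2/2")` on the constructed excerpt reports the port 1 trunk that still carries VLAN 50 and the addressed `Vlan50` interface.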