Guest WLAN without two controllers

lcaruso
Level 6

Hi,

Please understand first that the reason for asking this question is I've had a case open with TAC for two weeks now without a solution, so we've probably covered most of the obvious points or questions one could ask. Notwithstanding, is it possible to use an internal L3 core switch to restrict guest traffic in a wireless scenario where the client opts not to purchase two controllers and place one controller in the DMZ as recommended?

The core switch is a 3750X and this network is all L2 at the edges with all VLANs coming back to the core 3750X. Another feature is that the management interface of the WLC 5508 is in the same VLAN as the ASA (see diagram).

In applying various ACLs in an attempt to restrict visitor traffic, no consistent result has occurred. For example, I can:

allow bootps/bootpc

allow dns to an internal server

deny all to private addresses

permit http and https to any

deny any

and invariably what happens appears to be due to the L2/L3 function: some frames are getting switched and other packets are getting routed, and since the ACLs are applied to SVIs there are never hits on the permit http and https entries, and when this ACL is in place guests cannot access the Internet. So part of the problem at first seemed to be that the WLC and the ASA were in the same VLAN, or at least we saw IP redirects increasing at a high rate. So we added no ip redirects for that VLAN, but still no go.

Possibly VACLs would work, but I'd have to verify the traffic flow to be sure.

If the answer is they need a second controller, that's what we need to know. Otherwise, if this is just a matter of not getting the switch configured as needed and/or moving the WLC out of the same VLAN as the ASA, that would be good to know.

Thanks.
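For reference, here is one IOS rendering of the guest-SVI ACL the question lists above, applied inbound on the guest VLAN's SVI on the 3750X. This is an added illustration, not configuration from the thread, from TAC or from Cisco; VLAN 100, the 10.100.0.0/24 guest subnet, the DHCP server 10.0.0.10 and the internal DNS server 10.0.0.53 are placeholders.

```cisco
! Added example (not from the thread): guest wireless SVI ACL on the 3750X core.
! VLAN 100, 10.100.0.0/24, 10.0.0.10 (DHCP) and 10.0.0.53 (DNS) are placeholders.
ip access-list extended GUEST-IN
 remark DHCP: clients broadcast bootpc -> bootps, relayed by ip helper-address
 permit udp any eq bootpc any eq bootps
 remark DNS only to the internal resolver; must precede the private-range denies
 permit udp any host 10.0.0.53 eq domain
 permit tcp any host 10.0.0.53 eq domain
 remark deny everything else into RFC 1918 space (the internal network)
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark web to the Internet only
 permit tcp any any eq www
 permit tcp any any eq 443
 remark explicit final deny; 'log' punts matches to the CPU, use only while testing
 deny   ip any any log
!
interface Vlan100
 description Guest wireless (SVI)
 ip address 10.100.0.1 255.255.255.0
 ip helper-address 10.0.0.10
 ip access-group GUEST-IN in
 no ip redirects
!
```

The ACL only evaluates traffic that is routed through the SVI; frames switched within VLAN 100 never touch it, so anything sharing that VLAN with the guest clients remains reachable at L2 regardless of the ACL. Also note that on the Catalyst 3750 family hardware-forwarded packets do not increment ACL hit counters, so a permit entry that is working can still show zero matches unless the packets are processed in software (for example because of the log keyword).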



Chris Illsley
Level 3

The WLC isn't going to be the issue here, unless you're creating the ACLs on the WLC, which is horrible.

I think your best bet would be to secure the VLAN without the WLC in place; once you're happy it's working, then set up the SSID and test again. It should all be fine.

If you are not using LAG (you probably are), you could configure the guest interface and patch directly into the DMZ so all guest traffic goes out this interface.

The second controller answer works best as that keeps the guest traffic completely off your internal network.

Thanks

Chris

If I can talk them into a second controller just for Guest wireless, does it have to be a matching model or can it be a 2504?

Best practice is matching software versions.

Thanks

Chris

You can use a 2504, but just look at the limitations on max clients (500) and throughput (2 gig w/LAG). If you require more than this, then you need to go with a 5508-12.

I have installs where we have had to disable LAG and one port would connect to the DMZ. This was done because of budget and the customer couldn't buy another WLC.


-Scott

Here is the thing also... I have used WLCs with different versions and also have used old 4400's as guest anchors. You might be able to find some 4400's cheap, or else if the 2504's will work for you, they might be a cheaper solution.

Thanks,

Scott


I have installs that we have had to disable lag an one port would connect to the DMZ. This was some because of budget and the customer couldn't buy another WLC.

I have ports available on the 5508 that are (obviously) not lagged. Would that give me what I need to reconfigure the guest wlan and connect directly to the dmz?
