I am looking for a wireless LAN controller that can do the following:
1) Needs to be able to work with existing Cisco APs AIR-AP1242AG-E-K9 (x 4), AIR-AP1242AG-S-K9 (x 3), AIR-AP1242AG-C-K9 (x 1) and, in future to be added, Aironet 1250 (802.11n) devices which are spread across various offices both local and overseas and connected via a Wide Area Network.
2) A single Wireless LAN controller will be in the head office to intercept guest authentication traffic, but internet traffic will either go via the branch office internet gateway or the head office internet gateway. Staff access authentication traffic is via an MS ISA RADIUS server working in conjunction with AD, PEAP and Certificate Services (already set this up and it is working in a test environment).
3) Guest access is controlled by issuing time-expiring login credentials from the WLAN controller. A web HTTPS login page will be presented to guests for authentication upon launching the web browser (similar to some hotel hotspot concept). This means that a single SSID is broadcast and, depending on whether the client is a staff member or a guest, the setup must be able to respond appropriately to authenticate these 2 groups of users.
4) In the head office, I am using an L3 4948 switch as a core switch connecting a few L2 2960 edge switches without having any VLAN to segregate my subnet. I am turning some of the ports into router interfaces.
In the branch office there are only L2 switches and one single subnet. Wireless network and wired network are shared in the same network for each subnet.
Based on these requirements, I think the Cisco 4404 or Cisco 4402 WLAN controller can do the job. The question is, do I need to have L2 VLANs in my environment to fulfill the above requirements, as I read from the Cisco config example that there are some VLANs to be set in the initial config of the WLAN controller.
I will try to answer this.
1) You can't have mixed APs from different countries tied back to a WLC.
2) If your guest traffic is going upstream to your head end office, then traffic will exit through that internet gateway. No reason you should have traffic go back and forth.
3) Since you will be using webauth, then all guest traffic will be tunneled back to the WLC and use the head end internet gateway.
4) You should always separate your wired and wireless.... keeps you out of trouble and issues. How is your branch office connected back to your core? You must have a router in which you still can have multiple subnets.
Hopefully I understood your question.
Thanks for your reply.
For some of our branch offices, they have their own internet gateway, therefore it only makes sense that their internet traffic goes via their own gateway. Others that do not will depend on the head office gateway.
The branch office network is connected to a WAN via a router before reaching the other end with another router to the head office.
Ok I get your point. Each branch office has only one subnet, there is no VLAN or L3 switch to create more subnets, so there could be situations where I will be faced with mixing wireless and wired networks. That means putting a small switch in between the APs & WLC in the branch office in order for it to control the wireless traffic. Does this make sense?
For each branch office with different country codes, you will need a WLC. If you have multiple branch offices with the same country codes on the APs then you can centralize a WLC for those branches and run H-REAP on the remote branches and run local on the APs that are on the same location as the WLC.
With H-REAP, you can dump traffic local and also have the choice to authenticate centrally back to your HQ.
If you have an L2 switch connected to a router, you can do it the old-fashioned way and do a router on a stick. The switch and router must be able to form a trunk though.
I am getting confused: http://www.cisco.com/en/US/products/ps6521/products_tech_note09186a0080736123.shtml
The design guideline seems to suggest I can do without the WLC in each remote branch office and have just one WLC in the head office to control the APs in overseas branch offices across the WAN. I just need to turn on H-REAP on the head office WLC. There are also options to specify how internet traffic should be routed in branch office locations, whether to route it to HQ or through the branch office gateway. Please advise.
You can, as long as your access points use the same country code as the WLC. You configure only one country code on the WLC; the APs you buy for a specific country have specific channels and power settings due to regulations. Also if you buy a WLC for America (-A) and try to use an AP from another country, that AP will not join the controller. H-REAP will work for you if you have a WLC and branch office using the same country code.
I may be wrong here (that would be no surprise ;-) but didn't this change in WLC 4.1.x.x?
Version 4.1 or higher;
Configuring Country Codes
Controllers and access points are designed for use in many countries with varying regulatory requirements. The radios within the access points are assigned to a specific regulatory domain at the factory (such as -E for Europe), but the country code enables you to specify a particular country of operation (such as FR for France or ES for Spain). Configuring a country code ensures that each radio's broadcast frequency bands, interfaces, channels, and transmit power levels are compliant with country-specific regulations.
Generally, you configure one country code per controller, the one matching the physical location of the controller and its access points. However, controller software release 4.1 or later allows you to configure up to 20 country codes per controller. This multiple-country support enables you to manage access points in various countries from a single controller.
Note: Although the controller supports different access points in different regulatory domains (countries), it requires all radios in a single access point to be configured for the same regulatory domain. For example, you should not configure a Cisco 1231 access point's 802.11b/g radio for the US (-A) regulatory domain and its 802.11a radio for the Great Britain (-E) regulatory domain. Otherwise, the controller allows only one of the access point's radios to turn on, depending on which regulatory domain you selected for the access point on the controller. Therefore, make sure that the same country code is configured for both of the access point's radios.
From this good doc;
What do you think?
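As an added planning check that is not part of this thread or of any Cisco tool: the script below takes the AP part numbers listed at the top of the thread, reads the regulatory-domain suffix (-E, -S, -C) from each, and reports which APs would match none of the country codes planned for the controller (the "will not join" case) and whether the planned list exceeds the 20-code limit quoted above for release 4.1. The domain-to-country table and the part-number pattern are assumptions for illustration; verify them against Cisco's current regulatory compliance data.

```python
# Added example, not code from the thread. Checks a planned WLC country-code
# list against an AP fleet identified by Cisco part numbers.
import re

MAX_COUNTRY_CODES = 20   # per-controller limit quoted for WLC release 4.1+

# ASSUMED, illustrative subset of regulatory domain (part-number suffix)
# -> ISO country codes. Confirm against Cisco's compliance tables.
DOMAIN_COUNTRIES = {
    "A": {"US", "CA"},
    "E": {"FR", "ES", "GB", "DE", "NL"},
    "C": {"CN"},
    "S": {"SG"},
}

# Assumed pattern: AIR-AP<model>-<domain letter>-K9, e.g. AIR-AP1242AG-E-K9
PART_RE = re.compile(r"^AIR-AP\d+\w*-([A-Z])-K9$")


def regulatory_domain(part_number):
    """Return the regulatory-domain letter (e.g. 'E') from an AP part number."""
    m = PART_RE.match(part_number)
    if not m:
        raise ValueError(f"unrecognised part number: {part_number}")
    return m.group(1)


def check_fleet(controller_countries, fleet):
    """Return a list of problems for the planned controller country list.

    fleet maps part number -> quantity. An AP whose domain overlaps none of
    the configured countries is reported as one that would not join.
    """
    problems = []
    if len(controller_countries) > MAX_COUNTRY_CODES:
        problems.append(f"{len(controller_countries)} country codes exceeds "
                        f"the limit of {MAX_COUNTRY_CODES}")
    configured = set(controller_countries)
    for part, count in fleet.items():
        dom = regulatory_domain(part)
        allowed = DOMAIN_COUNTRIES.get(dom, set())
        if not allowed & configured:
            problems.append(f"{count} x {part} (-{dom}) matches none of "
                            f"{sorted(configured)}: would not join")
    return problems


if __name__ == "__main__":
    # Constructed from the fleet listed in the original question.
    fleet = {"AIR-AP1242AG-E-K9": 4, "AIR-AP1242AG-S-K9": 3, "AIR-AP1242AG-C-K9": 1}
    for p in check_fleet(["GB"], fleet) or ["all APs have a matching country code"]:
        print(p)
```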
Rob you are right... I guess I never looked into it, because I never had to do a design with ap having different country codes. I really would like to see how well it works.