I recently implemented a new wireless network within our head office site and a couple of smaller sites. This is based around 1131AG access points. Clients are authenticated using PEAP authentication to an IAS server. There is a second SSID accessible using a WPA key for visitors. The two WLANs are in separate VLANs and I am using pbr to push the traffic from the guest WLAN straight out to the internet.
Now, the problem I have is that this functionality is now required at more sites across the company and in different group companies. Will potentially be around 30 to 40 access points.
Different group companies do not share the same layer 2 and 3 technologies as my own, however we do share a common Active Directory for authentication.
What should my next step be to manage this growing wireless network? Managing guest access with keys and pbr does not seem very flexible and in the group companies, not even possible at the moment. I am aware of the WLC range but don't really know where to start. Our core switches are 4506's so the WiSM is out of the question.
For management of IOS AP's you can use the Wireless LAN Solution Engine. There are two versions; Express which can mange 50 APs (upgradable to 100 max) and the full version which can manage 000's of APs.
If you need a guest WLAN at the other sites the only real way of doing it (short of putting in a totally separate WLAN with an air gap between it and their LANs) would be to upgrade the infrastructure to allow for the use of VLANs as you have at your head office (as far as I know anyway!)
The better bet would be to convert to LWAPP and use a 4404-50 WLC. Setting up a guest network on the controlers is a snap.
With WCS you can manage all of your controllers in one central location and make settings changes right from one console. If you need multiple WCS servers, you can now manage multiple WCS servers with WCS navigator.
The 1131's will easily convert to LWAPP, so no new access points will be needed.
If you have remote sites with only a few AP's, you can use H-REAP to manage them with some fallback if they lose contact with the controller. Or implement a 2106 controller at the remote sites if there are less than 6 AP's.
For guest access, you can implement a 4402-12 controller in your DMZ and use it as an anchor controller to send all of your guest traffic through the LWAPP tunnel directly out of the firewall and to that controller where it only allows it out to the internet. It's definitely the best way to do a guest network. No PBR or access lists needed. However, you will still need the seperate VLAN.
I'm willing to be your Cisco rep will be hesitant to sell a WLSE these days. I can't even get a demo unit anymore.
True...good points. But the WLSE will go away in the next few years. With the 2106 and the new 500 series controllers coming out, there really isn't a need for stand alone AP's. Besides, the WLSE is kind of buggy and a pain. It's old technology IMHO.
From everything I've heard from the folks at Cisco (and we're a platnium partner), the WLSE is going away and even the new series of AP's coming out soon won't be available in IOS. Our local Cisco rep doesn't recommend them anymore and can't even get one for us to demo for customers. It's all Unified Wireless these days from Cisco.
You are definitely right, the WLSE's are cheaper, but you lose the ability to use WCS which is a great product if you are interested in location tracking, or setting up AP's and controllers quickly.
All good points here. It's up to the OP to decide what he wants to spend and which direction he wants to go here.