Any Best Practices for Guest Access?

rlaudicina
Level 1

Looking to create a guest access WLAN so that vendors can have internet access, along with VPN into their own network, while disallowing access to our internal systems.

I have created a guest WLAN and configured it on the WLC side. I think all I have to do now is to configure the core switch with the new VLAN 99, along with configuring the trunk ports connected to the WLCs.

My question is, am I missing anything in the setup? And are there any "best practices" when it comes to guest access? I am hoping to use web-passthrough authentication. I don't believe this requires any AAA or RADIUS servers, which we don't have set up. I will probably just want a single "guest" account which will provide internet access without allowing access to the internal LAN. Am I on the right track here?


Thanks Scott for all of your help so far.

I decided to try and do this thing right and from scratch. So I deleted all of my guest WLAN and plan to configure this per Cisco recommendations.

So what I have done so far is to move all of my APs onto a single controller (approx. 30) and then set up LAG using the 2nd WLC port into a different card on the 4100 switch. I now have all APs on a single controller (memory utilization is still under 70%, so I should be fine). The 2nd controller will be brought back up into the DMZ and set up to anchor the new guest WLAN after I know LAG is working correctly.

I configured it on the controller ports and it seems to be working fine. I am stumbling a bit on configuring the connected switchports for EtherChannel. I have assigned both ports to a new channel group 5. When I try to assign an IP address to the new channel-group 5 interface, it tells me that I am overlapping with my wireless VLAN. I am not sure what IP to assign to the interface; I assumed that it needed to be on the same VLAN/subnet as the WLC, but then I get the VLAN overlap message.

Here is how your switchport should be set up... There is no IP address on these trunk ports:

Configuring Neighbor Devices to Support LAG

The controller's neighbor devices must also be properly configured to support LAG.

Each neighbor port to which the controller is connected should be configured as follows:

interface GigabitEthernet 
     switchport
     channel-group  mode on
     no shutdown

The port channel on the neighbor switch should be configured as follows:

interface port-channel 
     switchport
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 
     switchport trunk allowed vlan 
     switchport mode trunk
     no shutdown

This is an example 802.1Q switch port configuration:

interface GigabitEthernet1/0/1
description Trunk Port to Cisco WLC
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2-4,60
switchport mode trunk
no shutdown

http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080665cdf.shtml#wlc

-Scott
*** Please rate helpful posts ***

Ok, I'm confused... the ports are currently configured exactly as you said, except that there are no allowed VLAN statements (I am told that I didn't need to put allow statements in because we don't block any by default).

I did this configuration in order to get H-REAP working; I also did this on all the connected AP switchports as you suggested.

I was trying to follow a document explaining how to enable LAG on the actual switchports, which was why it was asking for an IP... channel group etc.... Do I not need to do this? The controller is now set up utilizing both ports connected into different cards in the switch with LAG enabled. All APs are now assigned to port 29. So I know the WLC is configured right, but I'm not sure what to do with the switchports, i.e. EtherChannel, LAG...

You don't need the allowed VLANs; it's just best practice to allow the WLC VLAN and any other VLANs configured on the WLC. If you don't have that, it will still work. Make sense?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Yes, thanks. So do I need to do anything for LAG on the WLC switchports?

Nope... Just make sure the EtherChannel is up.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

lol, that's the configuration I was having the problems with.

Can you post your configuration so I can see what you have?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

Oh, I didn't realize that you had already given me that config above. So I just went and tried to enter it in, and when I did the channel-group 5 mode on command I got the following error:

Etherport is L2 and port-channel is L3

This is the existing port config:

interface GigabitEthernet6/2
description Connected to WLANHQ01
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport mode trunk
media-type rj45
interface GigabitEthernet5/5
description Connected to WLANHQ01 Port 2
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport trunk allowed vlan 60,99
switchport mode trunk
media-type rj45
!

Ok, I entered the commands just as you stated above, without creating the port-channel interface first, and got no errors. I attached the port configs on both WLC switchports.

Scott Fella
Hall of Fame

Each WLC needs to be on a different channel group. How many ports are you connecting on each WLC?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I connected 2 ports of a single 44-2 WLC and just did the configuration you mentioned. I then had to change it from channel 2 to 9, since channel 2 was in use. Once I did this, it created a channel-9 interface, which I will include in the file. The 2nd WLC has now become unreachable in WCS, which is ok for the moment since there are no APs on it anyway.

I can't view the whole zip file from my phone. Can you just paste that in the body of the post so I can review it?

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

It doesn't seem to want to let me paste it unless I choose HTML!

!
interface Port-channel9
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport trunk allowed vlan 60,99
switchport mode trunk
!

!
interface GigabitEthernet5/5
description Connected to WLANHQ01 Port 2
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport trunk allowed vlan 60,99
switchport mode trunk
media-type rj45
channel-group 9 mode on
!


!
interface GigabitEthernet6/2
description Connected to WLANHQ01 Port 1
switchport trunk encapsulation dot1q
switchport trunk native vlan 60
switchport mode trunk
media-type rj45
channel-group 9 mode on
!
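Two of the problems in this thread are visible in the config itself before the channel is ever brought up: the "Etherport is L2 and port-channel is L3" error comes from a port-channel interface that is routed while its members are switched, and in the ports posted above Gi6/2 lacks the `switchport trunk allowed vlan 60,99` line that Gi5/5 has, which IOS treats as incompatible member configuration when bundling. The script below is an added example, not code from this thread or from Cisco: it parses an IOS running-config excerpt (a constructed sample modelled on the posted ports, with Port-channel9 deliberately left as a routed interface), checks that the port-channel and its members agree on L2/L3, checks that all members share the same trunk settings, and reports which VLANs each trunk carries so you can confirm the guest VLAN 99 is allowed. The `add`/`remove`/`except` forms of the allowed-VLAN command are not handled.

```python
"""Consistency check for Cisco IOS EtherChannel (LAG) member ports (added example)."""
import re
from collections import defaultdict

# Constructed sample, not the thread's posted config: the two WLC uplinks with
# Port-channel9 left routed (L3) and Gi6/2 missing the allowed-VLAN list.
SAMPLE_CONFIG = """\
!
interface Port-channel9
 no switchport
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet5/5
 description Connected to WLANHQ01 Port 2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 60
 switchport trunk allowed vlan 60,99
 switchport mode trunk
 media-type rj45
 channel-group 9 mode on
!
interface GigabitEthernet6/2
 description Connected to WLANHQ01 Port 1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 60
 switchport mode trunk
 media-type rj45
 channel-group 9 mode on
!
"""


def parse_interfaces(config):
    """Return {interface name: [commands]} from an IOS running-config excerpt."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None  # '!' closes the current interface stanza
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def layer(cmds):
    """'L3' if routed, 'L2' if switched, 'unknown' if the platform default applies."""
    if "no switchport" in cmds or any(c.startswith("ip address") for c in cmds):
        return "L3"
    if any(c.startswith("switchport") for c in cmds):
        return "L2"
    return "unknown"


def trunk_profile(cmds):
    """Trunk settings that must match across members for IOS to bundle them."""
    return frozenset(c for c in cmds
                     if c.startswith("switchport trunk") or c.startswith("switchport mode"))


def allowed_vlans(cmds):
    """VLAN ids permitted on the trunk; None means all (no allowed statement)."""
    for c in cmds:
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", c)
        if m:  # plain list/range form only, e.g. '2-4,60' or '60,99'
            vlans = set()
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                vlans.update(range(int(lo), int(hi or lo) + 1))
            return vlans
    return None


def trunk_carries_vlan(interfaces, name, vlan):
    """True if the trunk on `name` carries `vlan` (no allowed list means every VLAN)."""
    allowed = allowed_vlans(interfaces[name])
    return allowed is None or vlan in allowed


def check_lag(interfaces):
    """Report L2/L3 and trunk-setting mismatches per channel group as findings."""
    findings, groups = [], defaultdict(list)
    for name, cmds in interfaces.items():
        for c in cmds:
            m = re.match(r"channel-group (\d+) mode", c)
            if m:
                groups[m.group(1)].append(name)
    for gid, members in sorted(groups.items()):
        po = f"Port-channel{gid}"
        if po in interfaces:  # IOS creates it on the first member if absent
            po_layer = layer(interfaces[po])
            for mem in members:
                mem_layer = layer(interfaces[mem])
                if "unknown" not in (po_layer, mem_layer) and po_layer != mem_layer:
                    findings.append(f"{mem} is {mem_layer} but {po} is {po_layer}")
        ref = trunk_profile(interfaces[members[0]])
        for mem in members[1:]:
            if trunk_profile(interfaces[mem]) != ref:
                findings.append(
                    f"{mem} trunk settings differ from {members[0]} in channel-group {gid}")
    return findings


if __name__ == "__main__":
    ifs = parse_interfaces(SAMPLE_CONFIG)
    for finding in check_lag(ifs):
        print("FINDING:", finding)
    for port in ("GigabitEthernet5/5", "GigabitEthernet6/2"):
        print(port, "carries guest VLAN 99:", trunk_carries_vlan(ifs, port, 99))
```

Run against the sample it reports both members as L2 against an L3 Port-channel9 and flags Gi6/2 for differing trunk settings; fixing the sample means adding `switchport` to the port-channel and the same `switchport trunk allowed vlan 60,99` line to Gi6/2, after which `check_lag` returns an empty list. Paste a real `show running-config` excerpt into `parse_interfaces` to check a live switch.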
