Cisco Support Community
Community Member

Wireless Guest Internet Only Access

We just got our 4402 WLC with 1131ag access points up and running. We would now like to set up guest access with only internet access. Our vendor has suggested setting up a DMZ on our Checkpoint firewall and having it do DHCP, and then setting up a WLAN on our controller for the guest access. My question is: what do I need to do on the switch side to set this up? Is it just as simple as creating a VLAN and giving it an IP address in the DMZ range? Or is there another way of setting up internet-only guest access?

Any suggestions would be appreciated.

Thanks in advance.


Community Member

Re: Wireless Guest Internet Only Access


It is just as simple as making a designated VLAN and associating an SSID to that VLAN. Furthermore, you need an ACL eliminating access to your private IP and only allowing the traffic needed for your guests, i.e. HTTP, FTP, HTTPS.
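
An added illustration of the ACL described in the reply above, written here as a Cisco IOS extended ACL; it is not part of the original post. The ACL name, the `Vlan99` interface and the choice to allow DNS to any resolver are assumptions.

```cisco
! Added example; guest VLAN ID and resolver choice are assumptions.
ip access-list extended GUEST-INTERNET-ONLY
 remark allow DHCP discovery/renewal from guest clients
 permit udp any eq bootpc any eq bootps
 remark block every RFC 1918 destination before any permit
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark DNS, then only the guest protocols named in the reply
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 remark log everything else so leakage attempts are visible
 deny   ip any any log
!
interface Vlan99
 description guest wireless (placeholder VLAN ID)
 ip access-group GUEST-INTERNET-ONLY in
```

If the guest DNS server sits on a private address, it needs its own host-specific permit above the three deny lines. The `ftp` entry covers only the FTP control channel; data connections are not matched by this list.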


Community Member

Re: Wireless Guest Internet Only Access

It depends if all you are wanting to do is Internet-only on your controller. If that's it, then you can place your controller in a DMZ. Have a device hand out the DHCP information to your clients. Set your controller for layer-3 mode. Have your APs connect to your controller (make sure you have the correct ports allowed through your firewall between the APs and the controller). I would recommend placing the APs on a separate VLAN from other internal traffic, with the appropriate LWAPP options configured in the DHCP scope.

The clients will then associate to the SSID you have set up. They will pull an IP address from the DMZ.

A few years ago on my first LWAPP deployment, I did this setup and it worked perfectly. I would also recommend having the DHCP server in the DMZ assign an IP address that is not routable in your internal network. That way, if somebody makes a mistake and there is leakage, the traffic can't be routed anywhere since the source IP address of the wireless client isn't routable. You can use this DMZ controller access for Internet only, which can also be used by internal people to VPN back to your internal network if you have that permitted.

If, however, you are planning to do both direct connection to your internal network and an internet-only connection (two different SSIDs), the best way is to get a small controller for your DMZ (like a 4402-12) and a larger controller for internal (4402-25 or 4404-100). Have your DMZ controller be a guest internet controller that is set up as the guest "anchor". There are lots of docs on the Cisco web site. This solution works great. I use a 4402-12 as a DMZ anchor and have about 20 4404-100s that are anchored to it.

Community Member

Re: Wireless Guest Internet Only Access

In reference to your earlier comments in regards to problems with wireless access through the DMZ, I have been having lots of problems in getting this to work.

I have a 4402 in the DMZ and a 4404 in the LAN; I have ping, mping & Eping connectivity between the controllers. I have configured both controllers into the same mobility group and have configured the guest_wireless WLAN with the correct mobility anchors, i.e. the LAN WLC has an anchor pointing to the DMZ and the DMZ points to itself.

I have configured a DHCP scope on the DMZ WLC and this is where the problems begin: I cannot get a user to receive DHCP from the DMZ controller. The client can see the Guest_wireless WLAN and connects up but fails to receive DHCP.

I have made sure that the correct ports have been opened up and this is confirmed by the Eping connectivity. Could there be an additional port number that needs defining to allow DHCP through the firewall, or do the DHCP requests pass down the mobility tunnel between the controllers?

Any help or suggestions please!
