Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WLC 5508 Guest Access via WAN

Is it possible to provide wireless guest access over the WAN from another office via the WLC. I have WLC 5508 in a central office and have other remote offices that have one Access Point in each office that are autonomous; I will be converting these to LWAPP. Is it possible to route guest traffic back to the WLC then forward this traffic out to the internet? How would I route this traffic out as well? I see from some documents that they advise to install a secondary WLC in the DMZ and use anchor points. I only have one WLC

Any Documents or information will be helpful.

7 REPLIES
New Member

Re: WLC 5508 Guest Access via WAN

Your 5508 contains licence for upto 12 aps by default, so provided the 2 remote ap's you want to connect don't exceed this you should be fine, when converting them to LWAPP define your 5508 as the default controller, and provided there's no firewall in between (if so you'll need to add some rules) you should be ok (assuming there's a valid IP path/route from the AP's to your controller). 

Initially your Ap's should connect up to the 5508 in LOCAL mode, if you change this to HREAP mode and define a guest WLAN, you should be cooking on gas.  Have a hunt on the Cisco website regarding wireless guest access and most of what your after should be there.  I am assuming you will have the 5508 setup as an anchor controller here.

Topology wise typically you'll end up with something like this (I am assuming your anchor is in a DMZ here):

Remote AP (HREAP mode) --> WAN --> Central Office DMZ (firewalled?) --> 5508 Controller --> Internet

Hope this helps?

New Member

Re: WLC 5508 Guest Access via WAN

Thanks for the reply.

I have x1 WLC with 50 AP license as this provides corporate connectivity and Guest Wireless connectivity.  I have not setup the WLC as an anchor. I guess the configuration you mentioned would be if I was using Guest access only. Sorry I'm not familair with WLC and anchors. I was looking at the WLC ACL's on the guest WLAN and directing all traffic out via the firewall. Do you think this is not the right solution?

I have read that Cisco advise on placing a WLC in the DMZ and have a second WLC tunnel guest traffic out to it.

Hall of Fame Super Silver

Re: WLC 5508 Guest Access via WAN

If you don't have a wlc in the dmz, you can still create and anchor to your wlc at HQ. this way, all guest traffic at your remote site will be tunneled back to the wlc at HQ. Here is a good guide.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch2_Arch.html

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: WLC 5508 Guest Access via WAN

Thanks Fella.

I have two internal wlc at separate locations. One is primary and the second is a backup. The Internet connection is at a third location. Is my only option for guest access is to have a third wlc in the dmz using the anchor option?

I have setup a guest access as a test that has a ACL applied on the wlc which restricts access and only points to the firewall then out to the internet. Not ideal. What do you think?

Hall of Fame Super Silver

Re: WLC 5508 Guest Access via WAN

It's really up to you.. Having an anchor to me makes things simple. Webauth page, certificate and user login I'm a single wlc. It comes down I cost. You can always have guest access in each wlc, but you just need to create acl's to prevent them access on your network. I'm talking about acl's on your layer 3 device and not on the wlc.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

Re: WLC 5508 Guest Access via WAN

Just to clarify, If I have a controller in my head office that is configured to provide guest access via our DMZ and provide direct internet access, If I deploy a HREAP AP into a branch office that is controlled by the head office controller. Is the clients able to receive an IP address via dhcp from the controller and tunnel this traffic back to controller then out to the DMZ or do I have to create a different dhcp scope for each  branch office for Guest access?

Just trying to get my head round it.

Re: WLC 5508 Guest Access via WAN

yes. So long as the guest WLAN is left in central mode it will work like that. All the traffic will be sent to the anchor

Steve

Sent from Cisco Technical Support iPad App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
2396
Views
0
Helpful
7
Replies