Community Member

WLC WLAN behind a firewall

Hello,

I want to configure a WLAN associated with a VLAN behind a firewall.

Do I have to open any port to let the WLC work?

I have the management interface and AP-manager interface in the inside LAN, I have a protected WLAN in the inside LAN, and I want to configure a new WLAN in the DMZ.

Thanks

Johnny

3 REPLIES
Community Member

WLC WLAN behind a firewall

Best practice is to have a separate controller in the DMZ dedicated to "guest" wireless. You would then anchor to that WLAN from your internal controllers. There are 2 ports that need to be allowed to achieve this.

While a lot of companies cannot afford a separate controller, a less secure way is to add the VLAN to your internal controllers, create the DMZ interface on your controller and make sure you have a route/router to handle that traffic. That's how we did it until we bought our 5508-12's to do our guest wireless.

Hope this helps...

Tony

Community Member

WLC WLAN behind a firewall

Thanks Tony,

I have customers who dedicated a separate WLC to anchor guest WLANs.

In this case my customer doesn't want to buy a new controller.

So I need to know which port I have to open on my firewall (if I need to open one) and to which addresses (management or all interfaces?). Suppose that the firewall has the correct routes to route all the subnets.

Thanks

Johnny

Community Member

WLC WLAN behind a firewall

Ok... we had an internal (10.1.1.1) and a DMZ (10.2.1.1) interface on our PIX firewall. Let's say those are VLANs 1 and 2...

We connected a 3560 to VLAN 2 and put the VLAN interface at 10.2.1.11... we routed all 10.2.1.0 255.255.255.0 traffic on our firewall to 10.2.1.11, and routed all less specific traffic (10.2.0.0) to the DMZ interface (10.2.1.1).

Then, we connected our controllers (physical interface #2) to that 3560; you should already have interface #1 connected to the internal network.

We put a DMZ interface on the controller (10.2.1.10) with a default gateway of 10.2.1.11.

We put a VLAN 2 interface on the 3560 (10.2.1.11) and a static route 0.0.0.0 0.0.0.0 10.2.1.1.

No ports need to be opened for this configuration, although you will need some type of routing capability via a router or L3 switch...

1. Traffic from the controller is sent to the 3560 for VLAN 2

2. The 3560 sends it to the firewall on the DMZ interface

3. The firewall sends traffic to the internet and return traffic to the 3560

note: I typed this from memory, and may have left out a detail or two, but this is the nuts and bolts of how we set it up...

Let me know if you have any questions..

Thanks,

Tony
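Tony's design, written out as device configuration, is given below as an added example; it is not from the thread or from Cisco documentation. It assumes the addresses from the post (PIX DMZ interface 10.2.1.1, 3560 SVI 10.2.1.11, WLC DMZ interface 10.2.1.10), that the 3560 routes for VLAN 2 and is the WLC's gateway, that WLC physical port 2 is trunked to the 3560 carrying VLAN 2, and a hypothetical WLAN ID 3 with SSID Guest-DMZ; port names and the "dmz" interface name are assumptions.

```cisco
! ---- 3560 in the DMZ (added example; assumed port names) ----
ip routing
!
vlan 2
 name DMZ-GUEST
!
interface Vlan2
 description DMZ guest subnet - gateway for the WLC dynamic interface
 ip address 10.2.1.11 255.255.255.0
!
interface GigabitEthernet0/1
 description Uplink towards PIX DMZ interface (10.2.1.1)
 switchport access vlan 2
 switchport mode access
!
interface GigabitEthernet0/2
 description WLC physical port 2 - tagged VLAN 2 only
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport mode trunk
!
! Default route as in the post: everything leaves via the firewall DMZ interface
ip route 0.0.0.0 0.0.0.0 10.2.1.1

! ---- PIX, mirroring the route Tony describes (firewall interface name assumed) ----
! route dmz 10.2.1.0 255.255.255.0 10.2.1.11

! ---- WLC CLI (management and AP-manager stay on the inside port) ----
! Dynamic interface "dmz" on VLAN 2, bound to physical port 2, gateway = 3560 SVI
config interface create dmz 2
config interface address dmz 10.2.1.10 255.255.255.0 10.2.1.11
config interface port dmz 2
! Hypothetical guest WLAN (ID 3) mapped to the DMZ interface
config wlan create 3 Guest-DMZ Guest-DMZ
config wlan interface 3 dmz
config wlan enable 3
```

With this layout guest client traffic exits only through the WLC's DMZ dynamic interface and the 3560, so the firewall sees it arrive on its DMZ interface like any other DMZ host; nothing has to be opened from the DMZ towards the management or AP-manager addresses on the inside, which is why no ports need opening for this design. To check the result, `show interface summary` and `show wlan 3` on the WLC should show the WLAN bound to the dmz interface on port 2, and `show ip route` on the 3560 should show the 0.0.0.0/0 route via 10.2.1.1.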
