Best practice is to have a separate controller in the DMZ dedicated to "guest" wireless. You would then anchor to that WLAN from your internal controllers. There are 2 ports that need to be allowed to achieve this.
While a lot of companies can not afford a separate controller, a less secure way is to add the VLAN to your internal controllers, create the DMZ interface on your controller and make sure you have a route/router to handle that traffic. That's how we did it until we bought our 5508-12's to do our guest wireless.
I have customers which dedicated a separate WLC to anchor guest WLANs.
In this case my customer doesn't want to buy a new controller.
So I need to know which port do I have to open on my firewall (if I need to open) and to which addresses (management or all interfaces?). Suppose that the firewall has the correct routes to route all the subnets.
OK... we had an internal (10.1.1.1) and a DMZ (10.2.1.1) interface on our PIX firewall. Let's say those are VLANs 1 and 2...
We connected a 3560 to VLAN 2 and put the VLAN interface as 10.2.1.11... we routed all 10.2.1.0 255.255.255.0 traffic on our firewall to 10.2.1.11, and routed all less specific traffic (10.2.0.0) to the DMZ interface (10.2.1.1).
Then, we connected our controllers (physical interface #2) to that 3560; you should already have interface #1 connected to the internal network.
We put a DMZ interface on the controller (10.2.1.10) with a default gateway of 10.2.1.11.
We put a VLAN 2 interface on the 3560 (10.2.1.11) and a static route 0.0.0.0 0.0.0.0 10.2.1.1.
No ports need to be opened for this configuration, although you will need some type of routing capability via router or L3 switch...
1. Traffic from the controller is sent to the 3560 for VLAN 2
2. The 3560 sends it to the firewall on the DMZ interface
3. The firewall sends traffic to the internet and return traffic to the 3560
Note: I typed this from memory, and may have left out a detail or two, but this is the nuts and bolts of how we set it up...
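The reply above lists the pieces without showing the actual configuration. What follows is an added, reconstructed example of that single-controller design (it is not the poster's configuration and not a Cisco reference). The addresses 10.1.1.1, 10.2.1.1, 10.2.1.10 and 10.2.1.11 come from the post; the interface names, the guest WLAN id (2), the dynamic interface name (guest-dmz), the 255.255.0.0 mask on the PIX DMZ interface (assumed so that the /24 route is more specific than the connected route), the 10.1.0.0/16 inside range and the DHCP pool are assumptions. The access list is the part the post's "less secure" remark points at: because the guest VLAN now terminates on the same controller as the corporate WLANs, the firewall is the only thing stopping guests from reaching the internal network and the controller's management address, so deny that explicitly rather than relying on default behaviour.

```cisco
! ===== PIX firewall (assumed PIX 6.x/7.x syntax) =====
! DMZ interface 10.2.1.1 with an assumed 255.255.0.0 mask; the guest /24
! is reached through the 3560 SVI, as described in the post
route dmz 10.2.1.0 255.255.255.0 10.2.1.11 1
! Guests may reach the Internet only: block the inside network
! (assumed 10.1.0.0/16, which also covers the WLC management address)
access-list dmz_in deny ip 10.2.1.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list dmz_in permit ip 10.2.1.0 255.255.255.0 any
access-group dmz_in in interface dmz
! PAT the guest subnet out the outside interface
nat (dmz) 1 10.2.1.0 255.255.255.0
global (outside) 1 interface
! Nothing inbound toward the controllers is opened: there is no
! anchor/mobility tunnel in this design, only routed guest traffic

! ===== Catalyst 3560 (L3 switch in the DMZ) =====
ip routing
vlan 2
 name GUEST-DMZ
! SVI that is the default gateway for the controller's DMZ interface
! and for the guest clients
interface Vlan2
 ip address 10.2.1.11 255.255.255.0
! Default route toward the PIX DMZ interface
ip route 0.0.0.0 0.0.0.0 10.2.1.1
! Access port toward the PIX DMZ interface (assumed port)
interface GigabitEthernet0/1
 switchport access vlan 2
 switchport mode access
! Trunk toward controller physical port 2, carrying only VLAN 2 (assumed port)
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2
 switchport mode trunk
! DHCP for guest clients, served from the 3560 (assumption; any DHCP
! server reachable from VLAN 2 would do)
ip dhcp excluded-address 10.2.1.1 10.2.1.20
ip dhcp pool GUEST
 network 10.2.1.0 255.255.255.0
 default-router 10.2.1.11
 ! replace with the resolver guests are allowed to use
 dns-server 10.2.1.11

! ===== Wireless LAN Controller (AireOS CLI, older syntax) =====
! Dynamic interface on VLAN 2, mapped to physical port 2, gateway = 3560 SVI
config interface create guest-dmz 2
config interface address guest-dmz 10.2.1.10 255.255.255.0 10.2.1.11
config interface vlan guest-dmz 2
config interface port guest-dmz 2
config interface dhcp guest-dmz primary 10.2.1.11
! Bind the guest WLAN (assumed id 2) to that interface; the WLAN must be
! disabled while its interface is changed
config wlan disable 2
config wlan interface 2 guest-dmz
config wlan enable 2
```

Newer AireOS releases insert the keyword `dynamic-interface` after `config interface address` and `config interface dhcp`; the older form is shown because the thread is about a PIX-era deployment. Verify the isolation after bringing the WLAN up: from a guest client, the controller's management address and anything in 10.1.0.0/16 should be unreachable, while Internet traffic flows controller -> 3560 -> PIX and back, exactly the three steps the reply enumerates.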