Cisco Support Community
Community Member

guest wireless with single 4402 controller

Can you configure guest wireless with a single controller? All the docs I find have an anchor controller.

Any help or links would be appreciated.

Accepted Solutions
Community Member

Re: guest wireless with single 4402 controller

Hi,

Sure thing, this is how we have it. It all depends on how security-paranoid you are :-)

Here is the way we have it done. All the following configuration is on Core controllers: Dynamic Interface for guest traffic and WLAN for guest SSID. Dynamic Interface uses a VLAN ID which is trunked from the Core Controller back to our Layer 2 switches.

This VLAN is trunked to our Firewall, where a security policy exists to allow the services we want to allow for guests.

Be aware that guests get an IP address prior to authentication and your Core Controller acts as DHCP relay, so your Firewall needs to allow DHCP relay traffic from the IP address configured on the Controller under Dynamic Interface to your DHCP servers. It's a bit of a security concern because you allow some traffic prior to authentication and, even worse, back to your Corporate network.

The other solution is the internal DHCP server on the controller, but we wanted centralized IP management. Again, it depends on your security posture.

HTH.

David
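
The firewall scoping described in the answer above, as an added example that is not part of the original posts: a small Python audit of a first-match rule list that flags any permit from the guest VLAN into corporate space other than controller relay to DHCP server on UDP/67. The rule format, rule names, and every address are constructed assumptions.

```python
from ipaddress import ip_network as net

# Every address and rule name here is a constructed placeholder.
GUEST_NET = net("192.0.2.0/24")    # guest VLAN on the dynamic interface
RELAY_IP = net("192.0.2.2/32")     # controller's dynamic-interface IP
CORP_NET = net("10.0.0.0/8")       # corporate address space
DHCP_SERVERS = {net("10.10.10.5/32"), net("10.10.10.6/32")}

def audit_guest_rules(rules):
    """Walk a first-match rule list (name, action, src, dst, proto, dport)
    and report permits that open guest -> corporate paths other than
    controller relay -> DHCP server on UDP/67."""
    findings = []
    for name, action, src, dst, proto, dport in rules:
        src, dst = net(src), net(dst)
        if action == "deny":
            # A blanket guest -> corporate deny shadows every later rule.
            if (proto == "any" and GUEST_NET.subnet_of(src)
                    and CORP_NET.subnet_of(dst)):
                break
            continue
        if not (src.overlaps(GUEST_NET) and dst.overlaps(CORP_NET)):
            continue  # permit does not touch the guest -> corporate path
        relay_only = (src == RELAY_IP and dst in DHCP_SERVERS
                      and (proto, dport) == ("udp", 67))
        if not relay_only:
            findings.append(f"{name}: {src} -> {dst} {proto}/{dport}")
    return findings

DENY_CORP = ("guest-deny-corp", "deny", "192.0.2.0/24", "10.0.0.0/8", "any", None)
WEB_OUT = ("guest-web", "permit", "192.0.2.0/24", "0.0.0.0/0", "tcp", 443)

TIGHT_POLICY = [  # only the relay address may reach the DHCP servers
    ("relay-dhcp-1", "permit", "192.0.2.2/32", "10.10.10.5/32", "udp", 67),
    ("relay-dhcp-2", "permit", "192.0.2.2/32", "10.10.10.6/32", "udp", 67),
    DENY_CORP, WEB_OUT,
]
LOOSE_POLICY = [  # whole guest subnet allowed into the server subnet
    ("guest-dhcp", "permit", "192.0.2.0/24", "10.10.10.0/24", "udp", 67),
    ("guest-dns", "permit", "192.0.2.0/24", "10.10.10.5/32", "udp", 53),
    DENY_CORP, WEB_OUT,
]

if __name__ == "__main__":
    for label, policy in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        print(label, audit_guest_rules(policy))
```

Narrower denies are ignored by this audit, so it errs toward reporting a permit rather than assuming it is shadowed.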

Community Member

Re: guest wireless with single 4402 controller

We have also done the same, with a layer 2 link going to a firewall. We have no SVIs on the switches, just layer 2, and have also secured with VACLs. Looks pretty good to me, buying another controller for the anchor point is too expensive!!
