Officeextend suggestion?

Network Pro
Level 1

Hi,

I have attached a diagram of the current topology. At present, we have two 5508s connected to our core. We also have a 4402 behind the firewall (DMZ) purely for guest access. So the staff users connect to the access point, which in turn connects to Staff WLC 1 (if this fails, then to Staff WLC 2). Any guest user connects to the access point, which in turn connects to the Staff WLC, which anchors to the Guest WLC, which then provides access. Since the guest is behind the DMZ they can only access the internet and not our internal network.

Now we want to OfficeExtend our network: we want our users to use 1132 APs at home to access the infrastructure. Is there a way we can do this without disturbing the existing infrastructure?

On reading the Cisco website, I know the best practice is to use two 5508s (one behind the firewall and the other anchored to this to access the internet network). I thought, since we have a Cisco (DMZ) switch (48 port) and only the 4402 (Guest WLC) is connected to it, maybe purchase another 5508 WLC and connect it to the 48-port Cisco (DMZ) switch. Will this work?

Any thoughts appreciated.

Thanks


13 Replies

Stephen Rodriguez
Cisco Employee

Yes, that would work. For the OE, you need either a 5508 or a WiSM2 in the DMZ for the OEAP to connect to. So you could totally put a 5508 in the DMZ just for the OEAP, and still leave the guest anchoring to the 4402.

Then, once you get everything settled, you could migrate the guest to the 5508, and only have the one WLC in the DMZ. Or you could use both of them as anchors for the guest WLAN. Either way, it should work like a champ.

HTH,

Steve

----------------------------------------------------------------------------------------------------------

Please remember to rate helpful posts or to mark the question as answered so that it can be found later.


Thanks Stephen for your suggestion.

Just a bit of clarification on how to implement this: so if I place another 5508 connected to the DMZ switch in the DMZ zone, then how would this connect to the internal network, as the DMZ is usually from a higher security level to a lower one, isn't it? So in this case, say the internal network of the firewall is 100 and the new 5508 controller placed in the DMZ is 40 (say), then how would this work?

Can you please give me some more hints on the design and implementation (also, is a 1:1 NAT required to give the new 5508 an IP address)?

Thanks

Any thoughts on this?

Any thoughts on the above please, as I need to implement the above ASAP, so your thoughts are very much appreciated.

Thanks

This would work the same way as you have it set up for the 4402. I personally would simply remove the 4402 and replace it with the 5508. Then just make sure you update the internal controllers with the new MAC address of the 5508 for the mobility tunnels. On the DMZ 5508 you would create the guest and the internal SSID; the internal SSID would be anchored to the inside controller. I have some of this up on my blog:

http://blakekrone.com/2011/03/10/cisco-officeextend-always-connected

Thanks blakekrone. Actually I had gone through your blog before these posts. It was very helpful, thanks. Just a few things I need clarifying...

The guest SSID is anchored to the internal 5508, but the internal SSID would be the other way round, isn't it? At present our guest users will not be able to access the internal network as it's on the DMZ with a lower security level. Now if I were to publish this SSID on the same WLC (behind the DMZ), how would it be able to access the internal network?

Thanks

Don't think of the DMZ setup in terms of a "normal" DMZ in this scenario with the levels and such. By having the two controllers be mobility members we somewhat negate the use of the DMZ concept a little. Your internal SSID that exists on the DMZ controller will actually be anchored internally via the EoIP tunnel between the two controllers which is allowed through your firewall. On the internal controller you then setup an anchor to itself for that internal SSID. This way when your corp traffic comes into the DMZ controller via the OEAP it will be sent across the mobility tunnel allowed through the firewall to your internal controller which is anchored to itself allowing the traffic to finally reach your wired network.

The guest is actually anchored to the DMZ 5508; the anchor is where you end up getting onto the wired network. The other controller is the foreign controller.
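The anchor/foreign layout Blake describes above, written out as AireOS controller CLI. This is an added example, not configuration from this thread or from Blake's blog. The management addresses, MAC addresses, WLAN IDs and the mobility group name are constructed; the ports listed for the firewall are the standard AireOS mobility (UDP 16666, or 16667 with secure mobility; EoIP is IP protocol 97) and CAPWAP (UDP 5246/5247) defaults.

```text
# Constructed example (not the thread's or the blog's own config).
# Assumed addressing:
#   inside WLC (Staff WLC 1)  mgmt 10.10.1.5    MAC 00:11:22:33:44:01
#   DMZ WLC    (new 5508)     mgmt 172.16.50.5  MAC 00:11:22:33:44:02
#   WLAN 1 = CORP-OEAP (internal SSID)   WLAN 2 = GUEST
#   mobility group name CORP-MG on both controllers

### Inside WLC (Staff WLC 1) ###
# make the DMZ controller a mobility peer (its MAC, mgmt IP, group name)
config mobility group member add 00:11:22:33:44:02 172.16.50.5 CORP-MG
# GUEST: this box is the foreign controller, traffic exits on the DMZ WLC
config wlan disable 2
config wlan mobility anchor add 2 172.16.50.5
config wlan enable 2
# CORP-OEAP: anchor to ITSELF, so corp traffic arriving from the DMZ WLC
# over the EoIP tunnel is terminated onto the inside wired network here
config wlan disable 1
config wlan mobility anchor add 1 10.10.1.5
config wlan enable 1

### DMZ WLC (new 5508) ###
# make the inside controller a mobility peer
config mobility group member add 00:11:22:33:44:01 10.10.1.5 CORP-MG
# GUEST: anchor to itself, guest clients land in the DMZ
config wlan disable 2
config wlan mobility anchor add 2 172.16.50.5
config wlan enable 2
# CORP-OEAP: anchor to the inside WLC; this box is only the foreign controller
config wlan disable 1
config wlan mobility anchor add 1 10.10.1.5
config wlan enable 1

### Firewall, DMZ WLC <-> inside WLC, both directions ###
# mobility control    UDP 16666  (UDP 16667 if secure mobility is enabled)
# EoIP data tunnel    IP protocol 97
### Firewall, Internet -> DMZ WLC (the OEAP joins here) ###
# CAPWAP control/data UDP 5246 and UDP 5247

### Verification on each controller ###
show mobility summary        # peer should show status Up
show mobility anchor         # per-WLAN anchor list matches the tables above
mping 172.16.50.5            # mobility control path through the firewall
eping 172.16.50.5            # EoIP data path through the firewall
```

The disable/enable around each anchor change is there because the WLAN must be administratively down while its anchor list is edited. The SSID, profile and security settings of WLAN 1 and WLAN 2 must match on both controllers or the anchor will not accept the client.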

Nice Job Blake ... +5

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Thanks Blake, good explanation. Just a few more things.

Can the same controller on the DMZ handle two mobility anchors in opposite directions? (As presently there is a tunnel for the guest access from the internal WLC to the guest WLC (in the DMZ), so can there be a tunnel in the opposite direction?)

Also, Blake, on your blog you had posted two firewalls. I suppose we can use the same firewall to open up the ports, isn't it?

Thanks

Correct. The DMZ anchor controller can handle both guest and OE traffic.

Sent from Cisco Technical Support iPad App


And one firewall would do for this, wouldn't it?

Thanks

Yes, I simply have two firewalls as representation that you have things segmented off and protected.

Thanks very much. I will get back to you if I have any problems at the time of implementation.
