Configuring Wireless Cisco Networks and Wireless Controllers.
Hi all,

My scenario is a Cisco WLC 4404 with 20 access points. I want an internal client WLAN and a guest WLAN. I have configured the VLANs and WLANs; however, would it be possible to have all the internet traffic for the guests going out of port 2 on the controller to the DMZ of my firewall? How would I get this to work? The APs' traffic comes through port 1 on the controller.

Please help.

Cheers,
Carl
Carl,

The short answer is yes. All you need is an ap-manager interface assigned to port 2, and assign the guest interface to port 2. Keep your VLAN tagging straight.

The other, longer answer is I would probably not do it. In older codes, these seemed to work just fine. In newer codes, however, we see it more and more where sometimes you cannot pass the guest traffic out the second port for some reason. In fact, I am currently working an issue with a customer right now where we are seeing the WLC drop ARP (CSCte67234) for the guest client trying to use port 2. I am a firm believer that although this can work, the best practice is to use either one port on the WLC for both internal and guest, or a port-channel/LAG with both ports on the WLC going to the same switch, and let the switched network/routers/firewalls handle keeping the guest traffic off your internal network, as opposed to "routing around the firewall" by trying to use the WLC like a switch.

Again, you can certainly give it a shot, and if you don't have any issues, then that is great. If it doesn't work, then you might be running into an ARP problem or some other issue with the WLC connected in this fashion.

Thanks,
Lee
Hi,

Thanks for the reply. Can you please tell me how I would do this? What would I use port 1 for on the controller if port 2 is the ap-manager? And also, if I did this, would the internal client VLAN also have to pass through the firewall? I would like all the traffic to come through port 1, then send the guest traffic out of port 2 to the DMZ. What is the best way of setting this up?

Please help.

Cheers,
Carl
Carl,

Are you asking how to set it up with guest traffic going out port 2 to the DMZ, or are you asking how to set it up the other way I mentioned?

For the way you originally inquired about: a rule on the WLCs is that when you have more than one port physically connected, you need to either use LAG or have an ap-manager interface assigned to each port. So you would need to create a new dynamic interface, designate it as an ap-manager interface, and assign it to port 2. Port 1 would have the original ap-manager and management interfaces assigned to it. You would also need to create a new dynamic interface for the guest traffic and assign that to port 2 as well. Then, under your WLAN configuration, assign the guest WLAN to the guest interface. Your internal WLAN would be configured to use an interface that is assigned to port 1. So the internal traffic would go in/out port 1, and the guest traffic would come in port 1 (in the lightweight tunnel) and then go out port 2. Port 1 on the WLC will be connected to a port on a switch on the trusted side of the FW, and port 2 will be connected to a switch in the DMZ.

For the way I mentioned, you can have a port-channel on the switch and LAG configured on the WLC, and all client traffic is going to go into and out of that port. Then the VLAN setup on the switches will take it from there.

You can reference chapter 3 of the WLC configuration guides for more information on LAG and multiple ap-managers: http://www.cisco.com/en/US/docs/wireles ... #wp1277659

I would suggest that you open a TAC case regardless of which method you are considering, as I think it would be easier to go over all the variables and explain how the WLC functions on the phone as opposed to here.

Thanks,
Lee
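The two-port layout Lee describes, and his preferred LAG alternative, written out as WLC CLI commands. This is an added example, not configuration from the thread or from Cisco; the interface names, VLAN IDs, WLAN IDs and RFC 5737 addresses are constructed placeholders, lines starting with `!` are annotations rather than WLC commands, and the command syntax is from memory of the 6.x/7.x WLC command reference, so confirm each command against the reference for your code version.

```text
! --- Port 1: existing management and ap-manager interfaces stay here ---
! Port 1 trunks to a switch on the trusted side of the firewall.

! --- Port 2: second ap-manager (required when more than one port is
! --- cabled and LAG is not in use). Placeholder VLAN 30, 192.0.2.0/24.
config interface create guest-apmgr 30
config interface vlan guest-apmgr 30
config interface port guest-apmgr 2
config interface address guest-apmgr 192.0.2.20 255.255.255.0 192.0.2.1
config interface ap-manager guest-apmgr enable

! --- Port 2: dynamic interface for guest clients. Placeholder VLAN 40,
! --- 198.51.100.0/24; its gateway is the firewall's DMZ interface, so
! --- guest traffic never touches an inside VLAN.
config interface create guest-dmz 40
config interface vlan guest-dmz 40
config interface port guest-dmz 2
config interface address guest-dmz 198.51.100.10 255.255.255.0 198.51.100.1
config interface dhcp dynamic-interface guest-dmz primary 198.51.100.1

! --- Bind WLANs: WLAN 1 (internal) keeps a port-1 interface;
! --- WLAN 2 (guest, placeholder ID) moves to the port-2 interface.
config wlan disable 2
config wlan interface 2 guest-dmz
config wlan enable 2

! --- Verify: both ap-managers listed, guest-dmz on port 2, VLAN 40 ---
show interface summary
show interface detailed guest-dmz

! --- Alternative Lee recommends: one LAG to one switch, and let the
! --- switch/firewall keep the guest VLAN off the inside. The port field
! --- on every interface becomes irrelevant once LAG is on; a reboot is
! --- required for the change to take effect.
config lag enable
save config
reset system
```

If guest clients associate but get no ARP reply from the DMZ gateway, that matches the symptom Lee attributes to CSCte67234 on the two-port layout, which is the point at which the LAG design is the simpler fix.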
Hi there,

Thanks for that; however, I am still uncertain how to approach it. Why do I need 2 ap-manager interfaces? Will it let me do this? And if both kinds of traffic come in port 1, how does it know to send the traffic out of port 2 to the DMZ? Is this because the guest users will have the gateway set at the DMZ? Also, how can I have the WLAN on 2 ports, i.e. apply it to port 1 and 2?

Cheers,
Carl