Guest Network redesign - Anchor WLC removal

grochowskir — Mon, 05 Jul 2021 11:11:22 GMT

Hi,

Due to various reasons, I've been asked to limit the number of wireless controllers in our infrastructure from 4 (2 on the LAN side and 2 in the DMZ) to 2. I am considering removing the DMZ controllers which are currently serving Open Guest Wifi traffic. To the best of my understanding, this involves the following:

-creation of the guest VLAN intended for guest traffic on our LAN access layer switches and collapsed core switches and its addition on the trunks

-creation of an interface on the WLC for the guest VLAN

-addition of the guest VLAN to the trunk leading to the WLC

-creation of the wifi guest WLAN utilizing the newly created guest network interface on the WLC

-creation of an interface on our Sonicwall appliance to which the guest VLAN would be connected to. This interface would belong to the DMZ zone, thus isolating LAN traffic from the guest wifi traffic. This interface would also serve as a gateway for this guest VLAN.

-creation of the DHCP scope for the guest VLAN traffic. This could be done on the WLC or the Sonicwall. I've tried both methods.

Here are the two scenarios and issues that i am facing:

1. DHCP on the Sonicwall

A. via physical wire

A host is connected to a port in the guest vlan via physical wire on the L2 switch. It is able to obtain an IP address via DHCP, ping the gateway (sonicwall interface), ping other wired hosts on the same subnet and browse the web. I can't however, ping the WLCs interface assigned to this guest VLAN.

B. via Wifi

The wireless client is able to connect to the guest Wifi network but is unable obtain an IP address from the Sonicwall. Ultimately, the wireless client ends up with a self assigned IP address 169.x.x.x. Tried adding an address manually to the wireless interface just to eliminate a possible DHCP issue, however, the client still couldn't ping the gateway interface on the Sonicwall nor any other client within the guest VLAN as well as the WLCs interface in the guest VLAN.

2. DHCP on the WLC

A. via physical wire

A host is connected to a port in the guest vlan via physical wire on the L2 switch. It is unable to obtain an IP address via DHCP and ends up with a self-assigned IP address. Tried adding an IP address manually just to eliminate a possible DHCP issue and the client was able to ping the gateway interface on the Sonicwall and any other wired host within this same VLAN as well as access the Internet. Still unable to ping the WLCs interface in the guest VLAN.

B. via Wifi

The wireless client is able to connect to the guest Wifi network and it obtains an IP address from the WLC. It can't, however, access the Internet, nor ping any other wired host on the guest vlan. It can ping the WLC interface that is assigned to the guest VLAN and other wifi hosts within this same guest network.

The WLC can't ping the Sonicwall gateway nor any other host on the guest vlan in either scenario. The LAN WLC is connected directly to the core switch.

Can someone please point me towards the right direction here? I am attaching diagrams with current and proposed network layouts. Thank you in advance.

if you want to use the

Stephen Rodriguez — Fri, 06 Nov 2015 19:47:43 GMT

if you want to use the SonicWall as the DHCP server, you need to disable DHCP proxy on the WLC.

HTH,

Steve

Thanks Stephen. However, i

grochowskir — Fri, 06 Nov 2015 20:12:16 GMT

Thanks Stephen. However, i still can't ping the WLC's interface in the guest vlan and vice versa. I can ping any other host in this vlan. The vlan has been added to the trunk connecting the WLC with the Core switch. Somehow this interface is being isolated as it were on the LAN side. DHCP isn't the issue here. I have the guest vlan added on all access layer switches as well as core switches. I have added it to all required trunks as well. I can ping the sonciwall interface and other hosts in this vlan except the interface on WLC. Thanks.

topic Thanks Stephen. However, i in Wireless

Guest Network redesign - Anchor WLC removal

if you want to use the

Thanks Stephen. However, i