08-08-2013 01:25 PM - edited 03-03-2019 07:09 AM
We have multiple sites connected via an MPLS network. We manage our own BGP.
We have a wireless controller at SITE A (Corp HQ) which communicates with the WAP's on all other sites. SITE A also has the gateway to the internet.
However, the communication is on a flat network on vlan1. I've been asked to put a guest wireless network in which will have a captive portal on the controller which is fairly straight forward to set up. The controller has vlan capability and will offer out dhcp leases on the vlan.
I would like the traffic on the guest network to be completely segregated from the corporate network.
So would it be a simple case of setting up, for example, vlan2 on the controller, vlan2 on the switch, vlan 2 on all of the routers/switches?
Any pointers would be appreciated.
Louis
08-09-2013 03:34 AM
Louis, there is a bit more to it than that. The usual way to do this is to have two VRFs - one for your corporate network and one for your guest wireless. That way you have two separate routing tables and (unless you configure it) no routing between the two networks. So what you would need to do is:
1. Create VRF and extend to all branch sites.
2. Create dot1q subinterface on each branch router
3. Create new VLAN on branch switches
4. Configure trunk between branch routers and switches to trunk both your old and new VLANs
You don't have to use VRFs but if you don't then you will have to configure ACLs to restrict Guest <--> Corporate communication.
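The VRF and subinterface layout described in the reply above, written out as an added configuration example (this is not configuration from the thread or from Cisco; the VRF name GUEST, the RD value, VLAN 2 for guest, VLAN 1 as native corporate, the interface names and the 10.1.101.0/24 and 192.168.101.0/24 addresses are all assumed for illustration). It shows one branch router with a dot1q subinterface per VLAN, the guest subinterface placed in its own VRF so it has its own routing table, and the matching trunk on the branch switch. The ACL at the end is the alternative the reply mentions for a deployment without VRFs; it blocks guest clients from the RFC1918 corporate ranges while still letting DHCP broadcasts through.

```cisco
! --- Branch router (hypothetical device names and addresses) ---
ip vrf GUEST
 description Guest wireless, separate routing table
 rd 65000:2
!
interface GigabitEthernet0/1
 description Trunk to branch switch
 no ip address
!
interface GigabitEthernet0/1.1
 description Corporate VLAN 1 (native), stays in the global routing table
 encapsulation dot1Q 1 native
 ip address 10.1.101.1 255.255.255.0
!
interface GigabitEthernet0/1.2
 description Guest VLAN 2, isolated in VRF GUEST
 encapsulation dot1Q 2
 ! assign the VRF before the address: IOS clears the address when the VRF changes
 ip vrf forwarding GUEST
 ip address 192.168.101.1 255.255.255.0
!
! --- Branch switch (hypothetical port numbers) ---
vlan 2
 name GUEST
!
interface GigabitEthernet1/0/24
 description Uplink to branch router, carries both VLANs
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,2
!
interface GigabitEthernet1/0/5
 description Guest-only access port (for example a guest AP or SSID-mapped port)
 switchport mode access
 switchport access vlan 2
!
! --- Alternative without VRFs: ACL on the guest subinterface ---
! Keeps DHCP working, blocks guest -> corporate, allows everything else (internet)
ip access-list extended GUEST-IN
 permit udp any eq bootpc any eq bootps
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
interface GigabitEthernet0/1.2
 ip access-group GUEST-IN in
```

How the GUEST VRF is carried across the WAN (MP-BGP VPNv4 with route-targets if the MPLS cloud is your own, or a second L3VPN from the provider if it is not) depends on the handoff and is not shown here. After applying, `show ip route vrf GUEST` should list only guest subnets and the default route, and `show ip route` (global) should contain no guest prefixes; that is the check that the two networks are actually separated.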
08-09-2013 08:40 AM
Yes, I didn't mean it to sound so simple. I was thinking of doing what you have suggested but the wireless controller was throwing me with the dhcp leasing.
In its simplest form it wants a single /24 subnet which would lease to all sites rather than multiple subnets, ie one for each site.
So for example, the best way I can see to set it up is to set vlan100 across all sites and then configure sites like:
SITE A 192.168.1.0/24 (has gateway to internet and wireless controller will offer separate dhcp leases for each site)
SITE B 192.168.2.0/24
SITE C 192.168.3.0/24
08-09-2013 08:48 AM
You could just have one /24 subnet and use "ip-helper" on the guest wireless VLAN at each site which would forward the DHCP request over the WAN to the controller. Much tidier than having a separate subnet for each site.
08-09-2013 09:24 AM
How would that be setup?
vlan100
SITE A = 192.168.1.0/24 (dhcp server 192.168.1.10)
SITE B = 192.168.1.0/24 (ip helper-address 192.168.1.10)
SITE C = 192.168.1.0/24 (ip helper-address 192.168.1.10)
and next hop would be gateway at SITE A?
08-12-2013 05:11 AM
Sorry Louis - thinking about it a bit more I think my suggestion was wrong. You will need a separate subnet per site.
08-28-2013 01:46 AM
I am currently configuring a similar setup for my client...16 branches with APs and central site with vWLC running under VMware cluster.
Each branch router is configured with subinterfaces and all the networks are routed back to central site for internal and external access.
e.g. VLAN 5 Voice, VLAN11 Data, VLAN13 Mgmt, VLAN12 Internal WiFi and VLAN50 Guest
VLAN 13 is native VLAN on the trunk port both to vWLC and to APs on remote site.
AP at central site is connected to access port as all user traffic will be tunnelled back to vWLC using CAPWAP tunnel...whereas remote APs will be switching the traffic locally and will be sending it to default gateway for routing for all other WLANs except for Guest. The guest traffic will be sent back over the WAN to WLC using CAPWAP tunnel.
09-15-2013 10:42 PM
Hi,
sorry to bring this up so late as it slipped onto the backburner but is now at the forefront again.
I'm trying to get my head around the vlans and subnetting.
Should I just set up one vlan for guest access across multiple sites, eg vlan5 set up on each branch router going back to the HQ which has vlan5 set up to route to the internet?
Our wireless controller (not Cisco) has the ability to have multiple SSIDs etc but I can't see a way on it to offer multiple DHCP per vlan, eg if I set SSID = GUEST with vlan5, it can only have 1 dhcp server per vlan. Alternatively, I could get each branch router to offer dhcp locally.
So would I be better setting up like this:
HQ (central DHCP server and wireless controller)
PRIVATE SSID = vlan1 10.1.100.0/24 with gw 10.1.100.2 to internet
GUEST SSID = vlan5 192.168.100.0/24 with gw 192.168.100.2 to internet
SITE A (connected via ADSL MPLS)
PRIVATE SSID = vlan1 10.1.101.0/24 (using ip helper)
GUEST SSID = vlan5 192.168.101.0/24 (dhcp issued locally)
SITE B (connected via ADSL MPLS)
PRIVATE SSID = vlan1 10.1.102.0/24 (using ip helper)
GUEST SSID = vlan5 192.168.102.0/24 (dhcp issued locally)
SITE C (connected via ethernet MPLS)
PRIVATE SSID = vlan1 10.1.103.0/24 (using ip helper)
GUEST SSID = vlan5 192.168.103.0/24 (dhcp issued locally)
Any help would be appreciated. It's the first time I've set the same guest network up over multiple sites.
Louis
09-16-2013 05:31 AM
Hi,
Vlans are locally significant so you can still have vlan 5 across the entire office (hq, site a, b, c)...set ip helper for that vlan on each office to your central dhcp server to send dhcp requests.
In your central dhcp server create a separate scope for each network and set the router ip, dns according to the network scope...and you will be fine.
Whether to keep dhcp central or local all depends on how you want to keep the mgmt of dhcp and redundancy design... But if all the traffic (internet and local intranet) is coming through centrally then it's easy to keep dhcp at head office and use one / two dhcp servers configured to load balance..
My recommendation is to create one DMZ network and use this as gateway for your guest network for more security and easier management of the access rules...and keep your guest network centrally switched.
Hope this helps and let me know if you need more info
10-14-2013 11:38 PM
Hi, sorry to drag this up as we are now at the stage of implementing it.
I was advised to have a central DHCP server giving out a 172.31.0.0 255.255.252.0 lease and putting across eg vlan 31
Now we have a mixture of Ethernet, ADSL going into our MPLS network.
The Cisco engineer on site advised that if I put a vlan, ie vlan 31, on a branch site (ADSL), then any clients connecting to the GUEST SSID would pick up a lease from the central DHCP server at the main office (which is what we want).
However, this is without setting up subnets at the branch office, but I can't see how this would work as it goes against what I think we need. I think he may have been getting confused with local traffic rather than remote traffic via ADSL, but I could be wrong.
Unfortunately, our wireless controller will only allow one vlan per SSID which is then advertised across all sites.
So I can't have an SSID for each site eg SITE_A_GUEST, SITE_B_GUEST and can only have one GUEST_NETWORK across all sites with one large DHCP range centrally. Alternatively, they could be leased locally but I'd rather stay away from this.
Could I use the following?
All on vlan 31 for 30 sites
CENTRAL DHCP SERVER lease 172.31.0.10 /19 (IP address = 172.31.0.2)
172.31.0.0/19 advertised via BGP & all branch office subnets in vrf via BGP
SITE A = 172.31.1.0/24 with ip helper address of 172.31.0.2
SITE B = 172.31.2.0/24 with ip helper address of 172.31.0.2
SITE C = 172.31.3.0/24 with ip helper address of 172.31.0.2
Any pointer would be appreciated.
Thanks
Louis
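The per-site layout in the last post (one VLAN number everywhere, a separate /24 per site, every site relaying to the central server with ip helper-address), written out as an added configuration example; it is not configuration from the thread or from Cisco. The VRF name GUEST, the interface names, the HQ router address 172.31.0.1 and the DHCP server being a host at 172.31.0.2 on the HQ guest VLAN are assumed; the site subnets and the helper address are the ones given in the post. The relay works because the branch router rewrites the DHCP broadcast into a unicast to the server and sets the relay address (giaddr) to its own subinterface address, and the server picks the scope that contains that address; that is why each site needs its own subnet and its own scope, and why the server needs a route back to each site subnet (the BGP advertisement of the branch subnets in the VRF that the post mentions). The scopes are shown in IOS DHCP-pool syntax purely to illustrate the layout; the central server can be any DHCP server with the same scopes.

```cisco
! --- HQ router (hypothetical): guest VLAN 31, DHCP server host at 172.31.0.2 ---
interface GigabitEthernet0/0.31
 description Guest VLAN 31 at HQ, central DHCP server sits on this segment
 encapsulation dot1Q 31
 ip vrf forwarding GUEST
 ip address 172.31.0.1 255.255.255.0
!
! --- SITE A branch router: same VLAN number, its own /24 ---
interface GigabitEthernet0/1.31
 description Guest VLAN 31, DHCP relayed to the central server
 encapsulation dot1Q 31
 ip vrf forwarding GUEST
 ip address 172.31.1.1 255.255.255.0
 ! giaddr becomes 172.31.1.1, so the server answers from the 172.31.1.0/24 scope
 ip helper-address 172.31.0.2
!
! --- SITE B branch router ---
interface GigabitEthernet0/1.31
 description Guest VLAN 31, DHCP relayed to the central server
 encapsulation dot1Q 31
 ip vrf forwarding GUEST
 ip address 172.31.2.1 255.255.255.0
 ip helper-address 172.31.0.2
!
! --- Central scopes, one per site, in IOS DHCP-server syntax for illustration ---
! Each scope hands out the branch router's own subinterface as the default gateway.
ip dhcp excluded-address 172.31.1.1 172.31.1.9
ip dhcp pool GUEST-SITE-A
 vrf GUEST
 network 172.31.1.0 255.255.255.0
 default-router 172.31.1.1
 dns-server 172.31.0.2
!
ip dhcp excluded-address 172.31.2.1 172.31.2.9
ip dhcp pool GUEST-SITE-B
 vrf GUEST
 network 172.31.2.0 255.255.255.0
 default-router 172.31.2.1
 dns-server 172.31.0.2
```

Two checks worth running once a branch is cut over: `show ip route vrf GUEST` on the HQ router must contain the branch subnet (172.31.1.0/24 and so on) or the server's offers have no path back; and on the branch router `debug ip dhcp server packet` (or the relay-side equivalent on your platform) shows the relayed DISCOVER leaving with giaddr set to the subinterface address. If the server has only the single large scope and no per-site scopes, clients at the branches will not get addresses that match the gateway on their own segment, which is the symptom to look for.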