cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1216
Views
5
Helpful
2
Replies
Highlighted
Beginner

Guest Wireless in VRF - Using WLC WebAuth

Hello,

I have wireless (Guest) clients that I want to isolate to only accessing our second internet connection.  The 5508WLCs are in HA mode and LAG's directly to a Nexus 7000.  The deployment model is a centralized deployment with Aps in local mode.  My initial though is to place SVI, on the Nexus 7000, supporting the Guest SSID into a VRF with a default route directed to the second internet router; a physical layer-3 interface, also on the Nexus 7000 into the same VRF; this physical interface is then connected to the second internet connection.  The client DHCP server is located in the same network segment as the second internet router's inside interface. I simple drawing is attached.

This should work, but my question is, with this design,  will it be possible for the wireless Guest clients to be redirected and leverage the internal WebAuth service on the controller?  If so, how?

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advisor

Hi

Hi

let's assume that all your L3 interfaces except guest are in the default vrf on the Nexus.

To achieve what you want to do, there are different solutions and I will talk about 2 of them.

I don't know if you have access to the router  AT&T MIS. If yes, you can create 2 sub interfaces with the link you are connecting between this router and Nexus. Those 2 interfaces will be in the global routing for the router, however :

- 1 of the sub interface will have an ip within the guest vrf on nexus, let's call it vrf-a

- the other will have an ip within the default vrf on the nexus, let's call it vrf-b

On the router, you will 1 static route going to wlc captive portal with vrf-b nexus ip as next-hop.

on the nexus, a static route going to guest vrf ssid network with vrf-b router ip as next-hop.

The 2nd solution would be using route leaking. Let me explain:

the goal is playing with route-import and export on vrf definitions and exchanging routes by using bgp.

For config example, let's do assumption:

- guest vrf network: 10.1.1.0/24

- wlc vrf network: 10.1.2.0/24

VRF Configuration:

vrf context GUEST
address-family ipv4 unicast
route-target import 11:11
route-target import 11:22
route-target export 11:11
vrf context WLC
address-family ipv4 unicast
route-target import 11:11
route-target import 11:22
route-target export 11:22

BGP Configuration:

router bgp 65150
vrf GUEST
address-family ipv4 unicast
network 10.1.1.0/24
vrf WLC
address-family ipv4 unicast
network 10.1.2.0/24

Output you should have: (sorry for the ouput, it's coming from a real lab and I have adapted it a little bit to match our case)

Nexus7k_LAB#show ip route vrf GUEST
IP Route Table for VRF "GUEST"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
10.1.1.0/24, ubest/mbest: 1/0, attached
*via 10.1.1.254, Vlan10, [0/0], 00:09:57, direct
10.1.2.0/24, ubest/mbest: 1/0, attached
*via 10.1.2.254%WLC, Vlan20, [20/0], 00:08:17, bgp-65150, external, tag 65150

hope this is clear?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
2 REPLIES 2
VIP Advisor

Hi

Hi

let's assume that all your L3 interfaces except guest are in the default vrf on the Nexus.

To achieve what you want to do, there are different solutions and I will talk about 2 of them.

I don't know if you have access to the router  AT&T MIS. If yes, you can create 2 sub interfaces with the link you are connecting between this router and Nexus. Those 2 interfaces will be in the global routing for the router, however :

- 1 of the sub interface will have an ip within the guest vrf on nexus, let's call it vrf-a

- the other will have an ip within the default vrf on the nexus, let's call it vrf-b

On the router, you will 1 static route going to wlc captive portal with vrf-b nexus ip as next-hop.

on the nexus, a static route going to guest vrf ssid network with vrf-b router ip as next-hop.

The 2nd solution would be using route leaking. Let me explain:

the goal is playing with route-import and export on vrf definitions and exchanging routes by using bgp.

For config example, let's do assumption:

- guest vrf network: 10.1.1.0/24

- wlc vrf network: 10.1.2.0/24

VRF Configuration:

vrf context GUEST
address-family ipv4 unicast
route-target import 11:11
route-target import 11:22
route-target export 11:11
vrf context WLC
address-family ipv4 unicast
route-target import 11:11
route-target import 11:22
route-target export 11:22

BGP Configuration:

router bgp 65150
vrf GUEST
address-family ipv4 unicast
network 10.1.1.0/24
vrf WLC
address-family ipv4 unicast
network 10.1.2.0/24

Output you should have: (sorry for the ouput, it's coming from a real lab and I have adapted it a little bit to match our case)

Nexus7k_LAB#show ip route vrf GUEST
IP Route Table for VRF "GUEST"
'*' denotes best ucast next-hop
'**' denotes best mcast next-hop
'[x/y]' denotes [preference/metric]
10.1.1.0/24, ubest/mbest: 1/0, attached
*via 10.1.1.254, Vlan10, [0/0], 00:09:57, direct
10.1.2.0/24, ubest/mbest: 1/0, attached
*via 10.1.2.254%WLC, Vlan20, [20/0], 00:08:17, bgp-65150, external, tag 65150

hope this is clear?

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

yes, perfect, that's it!

yes, perfect, that's it!

Thank you for spending the time to lab it up and explain.

CreatePlease to create content
Content for Community-Ad
July's Community Spotlight Awards