wireless design help

mr_fc
Level 1

Hi guys... just have a few questions about designing a WLC 5508.

The scenario is that currently one of the clients has firewall tiering: T1 internet facing and T2 internal, which has multiple DMZs connected.

The T2 firewall has a DMZ switch connected, which has a router that connects via the MPLS cloud to different sites across the country (around 10 sites), all static routing.

Now the client is thinking of deploying wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking of deploying two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).

Now my questions are as follows.

1. Keeping in mind that there is only one WLC, where should I physically put it?

2. How will guest users work? How will the authentication be done?

3. There are 8 SFP ports in the WLC; what will the physical topology look like?

4. How many VLANs do I have to make for wireless users? Will that be 10 (1 at each site)?

My last question is how these ports work on the WLC. Are they just like a switch, e.g. one port can be assigned to a different VLAN? Just confused about interfaces and VLANs on the WLC (interfaces concept).

Thanks guys, and hope to get a response ASAP.

3 Replies

grabonlee
Level 4

1. Don't use LAG.

2. Create a guest interface and map it to one of ports 2-8.

3. The guest interface should have a DHCP server address. The DHCP server should be on the DMZ and separate from the corporate DHCP.

4. The guest SSID should be mapped to the guest interface.

5. Connect the physical port for guests to the firewall.

6. Create a FW rule to prevent the guest subnet reaching corporate.

7. Use a pre-authentication ACL on the WLC to restrict the guest subnet to DNS, the DHCP server and the virtual interface 1.1.1.1.

8. The guest VLAN should be routable to the DHCP server.

That's all I can think of off the top of my head.

OSITAN N, many thanks, please comment.

                    Internet
                       !
                       !
                      FW1
                       !
                       !      <------ Traffic coming this way
                       !
                      FW2--------DMZ--------SW--------Router--------IP MPLS--------+
                       !                                                           !
                       !                                                           !
           ---Trusted--!                                                           !
                       !                   ------Branch Router------->            RT
             ----------!----------                                                 !
             !         !         !                                                SW
            DNS        AD       DHCP                                               !
                                                                                   !
                                                                                  AP
                                                                                 USER

1. Where to place the WLC so that guest traffic doesn't go to the trusted area?

2. It's gonna be H-REAP, so DHCP would be local for the branch.

3. Voice users, QoS? Priority how? Example?

4. Guest firewall rules to use only the internet?

Hi

Why do you have branch users on a DMZ? Are they not trusted? Is the MPLS cloud not a private VPN?

Anyway,

The WLC will be in the trusted area behind FW2. Please don't use HREAP. I suggest you do one of the following:

1. Use policy-based routing and GRE tunnels. OR

2. Use distributed ACLs that deny guest to enterprise VLANs and allow only Internet traffic, DHCP and DNS (if the corporate and guest are on the same L3 switch and there is a layer 3 interface for both guest and corporate). FW2 will also enforce what traffic is allowed to the guest. OR

3. Connect the guest VLAN directly to your DMZ and ensure there is no layer 3 interface for the guest VLAN. The traffic to and from the guest VLAN will be determined by the rules you set on FW2.

The FW config should be done by whomsoever manages your FW.

Web authentication will be done by the WLC and the guest accounts can be local. Use the lobby ambassador to create the guest accounts.

The links below explain PBR and GRE tunnels.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob30dg/GstSvc1.html#wp1011037

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/GuestAcc.html
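An added example, not from any post in this thread, of option 2 above: a distributed ACL on the L3 switch that holds both the guest and corporate SVIs, which also covers the FW intent from the first reply (guest subnet denied to corporate, allowed only DHCP, DNS and Internet). VLAN numbers, subnets and server addresses are constructed placeholders, not the poster's network.

```cisco
! Assumed (constructed) layout:
!   Guest VLAN 200    10.200.0.0/24  (SVI 10.200.0.1)
!   Corporate VLANs   10.0.0.0/16    and the rest of RFC1918 internally
!   Guest DHCP server 172.16.50.20   (on the DMZ, separate from corporate DHCP)
!   Guest DNS server  172.16.50.10   (on the DMZ)
!
ip access-list extended GUEST-IN
 remark -- DHCP: a client has no address yet, so the source must be "any"
 permit udp any eq bootpc any eq bootps
 remark -- DNS: only to the designated guest resolver, UDP and TCP
 permit udp 10.200.0.0 0.0.0.255 host 172.16.50.10 eq domain
 permit tcp 10.200.0.0 0.0.0.255 host 172.16.50.10 eq domain
 remark -- Deny everything else that is internal (corporate, other DMZ hosts, RFC1918)
 deny   ip 10.200.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
 deny   ip 10.200.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
 deny   ip 10.200.0.0 0.0.0.255 192.168.0.0 0.0.255.255 log
 remark -- What is left is Internet-bound; FW2 still applies its own policy
 permit ip 10.200.0.0 0.0.0.255 any
 remark -- Implicit deny drops anything not sourced from the guest subnet
!
interface Vlan200
 description Guest wireless (WLC guest interface on one of ports 2-8)
 ip address 10.200.0.1 255.255.255.0
 ip helper-address 172.16.50.20
 ip access-group GUEST-IN in
```

The "log" keyword on the deny lines gives the SOC a record of guest clients probing internal ranges; ordering matters because the DNS permits must precede the 172.16.0.0/12 deny.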
