DMZ over WAN

I am trying to set up the framework for our guest wireless network.


I currently have 4 locations with one of those 4 locations containing the datacenter.


Our firewall has a DMZ interface set up on it. This interface has an IP of 192.168.1.1. This interface connects to a Nexus switch at layer 2, with the port on the Nexus being in VLAN 192. VLAN 192 on the Nexus has no IP interface; it only has an IP helper, which is the firewall DMZ interface (the firewall acts as DHCP server). The Nexus is trunked to the LAN at the building the data center resides in. The Nexus is also connected directly through dark fiber/layer 3 EIGRP to 3 remote locations. Our wireless is a Cisco WLC 5508, and this 5508 is also trunked/LAG directly to the Nexus. I have an SSID for our guest wifi that has an interface of 192.169.1.2 on the controller. The APs are trunked to their switch, allowing VLAN 192. At the main location, where the data center is located, I am able to join the guest wireless, get an IP from the firewall, and authenticate to gain access to the internet. I am trying to figure out what the most secure way would be to set up the 3 remote locations. I have VLAN 192 set up at all the remote locations the same as it is at the main location, without an IP interface. I was trying to set up these VLANs without an IP so that there was no way for them to see the other VLANs.


My question is, how can I route VLAN 192 at the remote locations back to the DMZ on the firewall so that the users at the remote locations can access the internet? Will I have to put an IP interface on VLAN 192 at the remote locations to do this (and then apply an ACL to prevent access to other VLANs)? Is it an option to supply a second connection from the data center Nexus switches to the core switch at the remote locations at layer 2 on VLAN 192? Are there any other options?
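As an added example (not from the original post), the "SVI plus ACL" option raised above for one remote site: the remote guest subnet 192.168.2.0/24, the SVI address 192.168.2.1 and the ACL name are assumptions; the DHCP relay target 192.168.1.1 is the firewall DMZ address stated in the post.

```cisco
! Added example, not from the post. Assumed: remote-site guest subnet
! 192.168.2.0/24 with SVI 192.168.2.1; 192.168.1.1 is the firewall DMZ
! interface from the post, used here as the DHCP relay target.
ip access-list extended GUEST-VLAN192-IN
 remark Guests may obtain an address (broadcast DHCP is relayed by the switch)
 permit udp any eq bootpc any eq bootps
 remark Only if the firewall also answers DNS for guests (assumption)
 permit udp any host 192.168.1.1 eq domain
 remark Everything else in private address space (other sites, servers,
 remark management, other guest sites) is unreachable from the guest VLAN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 deny   ip any 169.254.0.0 0.0.255.255
 remark Internet-bound traffic is allowed; the firewall still inspects it
 permit ip 192.168.2.0 0.0.0.255 any
!
interface Vlan192
 description Guest wireless (remote site) - isolated, routed toward firewall DMZ
 ip address 192.168.2.1 255.255.255.0
 ip helper-address 192.168.1.1
 ip access-group GUEST-VLAN192-IN in
 no ip redirects
 no ip proxy-arp
```

Once VLAN 192 has a routed interface at a remote site, the firewall needs a DHCP scope and a return route for that site's guest subnet, and the inbound ACL above is what keeps the guest VLAN from reaching the other VLANs that the routed interface would otherwise expose.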
