02-23-2022 10:34 AM
Having an issue with static routes on a 9800 WLC and maybe what I'm trying to do isn't possible...
The WLAN that is for access to our wired LAN works fine. I have a guest Wi-Fi interface connected from WLC -> firewall and I can ping that interface from the WLC but cannot get out to the internet. When I add a static route on the WLC to point the guest VLAN out to that firewall interface, the guest Wi-Fi works, but the LAN Wi-Fi breaks. It's like I can only have one static route in there (which may be how it's designed). Not sure if this physical setup is the way it should be done or possible, or if I should go to my switch and let my switch do the routing out the firewall. Any suggestions or info on multiple static routes on the 9800 would be appreciated.
02-23-2022 10:41 AM
Not familiar with the WLC, but after a bit of searching it seems Cisco's recommendation is not to do the routing on it.
The recommended way seems to be to use a trunk to your switch and pass the VLANs that way. You could then have L3 SVIs on your switch for LAN subnets but just extend a VLAN to the firewall (i.e. no SVI on the switch) for your guest access, and that would take care of the routing for you.
You could also move this post to wireless forums if it would help as they will have more knowledge there.
Jon
02-23-2022 10:47 AM
Thanks for the response. I initially thought the wireless forum but figured this is more of a routing type problem. I think the way I'm going to have to go is moving some cables and letting the switch do the routing. Figured I'd try to get some input and some knowledge on whether it was possible and I was doing something wrong.
02-23-2022 10:52 AM
I believe from what I have read it is possible, but not having used one I did not want to say for sure.
Also, just to clarify, the switch would only route for internal VLANs; for the guest VLAN you pass it through to the firewall, i.e. no routing on the switch.
Jon
02-24-2022 02:47 PM
Hello @mark.amendola ,
@Jon Marshall is spot on.
The WLC 9800 runs IOS XE but, like the previous ones based on AirOS (WLC 5580 or older), it is expected to be the emergence point of wireless users for every SSID. A good design rule would be:
One SSID, One VLAN, One IP subnet
WLC 9800 ------ L2 trunk carrying all VLANs ----- Multilayer switch ---- FW
To be more correct, a WLC can manage AP groups in this way, or APs that are on remote sites, like Cisco CUCM can manage IP phones in multiple sites.
CAPWAP, a UDP-based tunnel, is built between each AP and the WLC, and the Wi-Fi users' MAC addresses are seen as coming from the WLC uplink on the multilayer switch.
Finally, multiple SSIDs can be mapped to the same VLANs, or differ only because they use a different WPA2 pre-shared key.
Hope to help
Giuseppe
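The design Jon and Giuseppe describe (one trunk from the WLC to the multilayer switch carrying every SSID VLAN, an SVI only for the VLANs the switch routes, and the guest VLAN handed to the firewall purely at layer 2), written out as an added IOS configuration example that is not from this thread. VLAN numbers, interface names, addresses and profile names are assumed for illustration; the LAN's default route and the firewall's own interface configuration are left out.

```cisco
! ===== Multilayer switch (assumed Catalyst, VLAN ids/addresses assumed) =====
ip routing
!
vlan 10
 name CORP-WIFI
vlan 20
 name GUEST-WIFI
vlan 30
 name FW-TRANSIT
!
! Single 802.1Q trunk to the WLC 9800 data port: every SSID VLAN rides here,
! so the WLC needs no static routes at all.
interface GigabitEthernet1/0/1
 description Trunk to WLC 9800
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Corporate Wi-Fi is routed by the switch: it gets an SVI.
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
! Transit SVI toward the firewall for the routed (LAN) side.
interface Vlan30
 ip address 10.10.30.2 255.255.255.252
!
! Guest Wi-Fi is NOT routed here: deliberately no "interface Vlan20".
! VLAN 20 is carried as plain layer 2 to the firewall, which becomes the
! guest default gateway and applies its own policy before the internet.
interface GigabitEthernet1/0/24
 description Trunk to firewall: guest (L2 only) + transit
 switchport mode trunk
 switchport trunk allowed vlan 20,30
!
! LAN traffic reaches the internet via the firewall's transit address (assumed).
ip route 0.0.0.0 0.0.0.0 10.10.30.1
!
! ===== WLC 9800 side (interface name assumed) =====
interface TenGigabitEthernet0/0/0
 description Trunk to multilayer switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Each SSID's policy profile simply maps it to its VLAN; no "ip route" on the WLC.
wireless profile policy GUEST-POLICY
 vlan 20
 no shutdown
```

With this layout the WLC only needs reachability for its own management VLAN; guest and corporate clients are separated at layer 2 and each gateway (switch SVI or firewall) is the one that enforces where that subnet may go.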