DMZ over WAN

I am trying to set up the framework for our guest wireless network.

I currently have 4 locations, with one of those 4 locations containing the datacenter.

Our firewall has a DMZ interface set up on it. This interface has an IP of 192.168.1.1. This interface connects at layer 2 to a Nexus switch, with the port on the Nexus being in VLAN 192. VLAN 192 on the Nexus has no IP interface; it only has an IP helper pointing to the firewall DMZ interface (the firewall acts as DHCP server). The Nexus is trunked to the LAN at the building the data center resides in. The Nexus is also connected directly through dark fiber/layer 3 EIGRP to 3 remote locations. Our wireless is a Cisco WLC 5508, and this 5508 is also trunked/LAG directly to the Nexus. I have an SSID for our guest wifi that has an interface of 192.169.1.2 on the controller. The APs are trunked to their switch, allowing VLAN 192. At the main location where the data center is located I am able to join the guest wireless, get an IP from the firewall, and authenticate to gain access to the internet. I am trying to figure out what the most secure way would be to set up the 3 remote locations. I have VLAN 192 set up at all the remote locations the same as it is at the main location, without an IP interface. I was trying to set up these VLANs without an IP so that there was no way for them to see the other VLANs.

My question is, how can I route VLAN 192 at the remote locations back to the DMZ on the firewall so that the users at the remote locations can access the internet? Will I have to put an IP interface on VLAN 192 at the remote locations to do this (and then apply an ACL to prevent access to other VLANs)? Is it an option to supply a second connection from the data center Nexus switches to the core switch at the remote locations at layer 2 on VLAN 192? Are there any other options?
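One way the routed option in the question could look, as an added example that is not the poster's configuration: an IOS-style remote-site core switch gives VLAN 192 an SVI, relays DHCP to the firewall's DMZ interface from the thread (192.168.1.1), and applies an inbound ACL so guest clients can reach only DHCP and non-RFC1918 (internet) destinations. The per-site guest subnet 10.192.1.0/24 is assumed; the firewall would also need a DHCP scope and a return route for it, and advertising the subnet into EIGRP is not shown.

```cisco
! Remote-site core switch, hypothetical config (not from the thread).
! Guests get a routed gateway on VLAN 192; the ACL below is applied inbound
! from the guest VLAN, so it filters only client-originated traffic.
ip access-list extended GUEST-IN
 ! DHCP discover/request from clients (broadcast or to the relay target) is allowed
 permit udp any eq bootpc host 192.168.1.1 eq bootps
 permit udp any eq bootpc host 255.255.255.255 eq bootps
 ! Block guests from every private range the production network could use;
 ! 'log' on the last one gives a detection hook for probing from the guest VLAN
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255 log
 ! Everything else is internet-bound and is routed toward the DC firewall
 permit ip any any
!
interface Vlan192
 description Guest wireless, routed back to DC DMZ firewall
 ip address 10.192.1.1 255.255.255.0
 ! Assumed: the firewall (192.168.1.1) holds a DHCP scope for 10.192.1.0/24
 ip helper-address 192.168.1.1
 ip access-group GUEST-IN in
 ! Harden the gateway itself against use as a pivot between VLANs
 no ip redirects
 no ip proxy-arp
 no ip unreachables
```

Verify from a guest client that DHCP succeeds and that pings to internal RFC1918 hosts fail while an external address is reachable; `show access-lists GUEST-IN` shows the deny counters climbing if anything on the guest VLAN tries to reach production.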

7 Replies

Jeroen Huysmans
Level 1

Hi,

Can't you create a guest SSID which tunnels the user traffic up to the controller (no FlexConnect SSID)?

That would bring all your guest traffic to 1 location: I assume your controller is also in the DC?

This would save you effort and would not mix your guest traffic with production traffic on your WAN links (which might be a security consideration if you are unable to use, e.g., separate VRFs).

Jeroen

Is it possible to tunnel the traffic back to the controller from the remote sites' APs if all the remote APs are in FlexConnect mode? They need to be in an AP group to allow this to happen, right? Also, the APs at the DC location are in an AP group. Can APs be in multiple groups?

Correct, the controller is in the DC.

dbogdan
Level 1

If the controller is at the DC, then by defining the remote site APs (no FlexConnect) you would only need to add the guest SSID to the AP group. It would then be tunneled back to the controller, as Jeroen has also stated. In essence you only need the subnet/VLAN the AP lives on to get back to the controller, via some router of course. Everything else (the SSIDs you are using) is tunneled.

All our other production SSIDs are configured to switch locally using FlexConnect at the remote sites. I really didn't want to change this. Is it possible to create 1 AP group on the WLC for the guest SSID, assign the guest SSID to that AP group with the guest interface as its interface, and then add the APs at the remote sites and the DC site to that AP group while also keeping the rest of the production SSIDs the same (in FlexConnect)?

If the traffic on a centrally switched SSID switches on the VLAN the AP lives on, how is that traffic kept totally separate/isolated from other network traffic/VLANs?

Well, the way I did it was each SSID had its own VLAN. The guest network was logically out of band on its own VLAN with no ingress from anywhere except a separate gateway where we had a Meraki MX400. Our network was MPLS. Why, may I ask, can't you dump off the guest network to a local internet link since you're already using FlexConnect? That may make it easier.

We don't have direct internet at the remote locations. All internet is fed from the DC.

Were your controller and the Meraki gateway connected at layer 2?

 

I am not too familiar with VRF, but is this my best bet to totally isolate the guest traffic?

 

I do have spare fibers. Is it an option to supply a second connection from the data center Nexus switches to the core switch at the remote locations at layer 2 on VLAN 192?

Yes, it was L2. I do believe you can use FlexConnect and non-FlexConnect SSIDs together, though. Correct me if I'm wrong.
