WLC2106 adding wlan

mfilipovski
Level 1

Hi,

I have a WLC2106 with 3 LAP1042 for my internal users. I authenticate them through an MS RADIUS with 802.1X. This works well.

I have for testing created a guest WLAN using webauth and this works. I want my guest WLAN to be located on my DMZ (ASA5510) but I am not sure of the best way to set it up. I would like to use my existing APs for this but that might not be possible.

Cheers


12 Replies

Federico Ziliotto
Cisco Employee

Hello,

A typical deployment for guest access with WLAN exit points in a DMZ is with a mobility anchor:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp1011037

This would however require a second WLC platform of the type 440x, WiSM, 5508, or integrated in switches (e.g., 3750).

Let me know if this helps,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Thanks,

That is not an option at the moment, probably never. Don't think I will get the funds for buying a new WLC for this purpose. I guess I can use ACLs and bind them to the guest WLAN but that will put them on my LAN and I don't want that. Anything else that might work?

AFAIK, by having just a WLC we cannot do much, and as you already know the 2106 cannot become a guest anchor either, so we can only go for web auth, and there is no support for an external web portal either.

Let me know if this answered your question.

Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or helpful.

Regards
Surendra BG

Hello,

Apart from ACLs, there are not too many other options I could think of either to achieve this with a single WLC.

Regards,

Fede

--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

OK!

I will talk to the spenders =) Thanks for the information!

No problem! Thanks for posting on CSC! Have a great day!

Let me know if this answered your question.

Regards
Surendra
====
Please don't forget to rate the posts which answered your question and mark it as answered or helpful.

Regards
Surendra BG

b.garczynski
Level 1

Since you have a 2106 WLC I am assuming that your network is quite small. You could create a new VLAN at Layer 2 only from the WLC to the DMZ of your firewall. The default gateway for the wireless guests would be the DMZ interface. This would restrict all guest traffic to that VLAN, as it is not possible to route a Layer 2 only VLAN. Also, no ACLs would be needed in this configuration. Depending on your configuration this may not be possible, but I think it is a good option in your situation.

Thanks,

Hi,

That sounds really good. Not sure how I will configure the WLC for this. Is this correct...

1. AP-manager and management on LAN.

2. Configure one port on the WLC and name it WIFI with SSID and connect it to my DMZ.

3. The ports in the switch that the APs are connected to are members of both VLANs (LAN and DMZ network); I want to use my existing APs and not buy new ones.

You are on base except for the last part. Assuming that your APs are in local mode and not HREAP mode, it does not matter what VLAN they reside in (assuming they can route to the WLC). In a lightweight wireless environment all traffic from the AP will be inside the LWAPP/CAPWAP tunnel, and the only time that traffic is released to the network is through the controller. This allows you to define the DMZ physical port on the WLC and physically cable it to the DMZ port on your firewall. You could also create a tagged "trunk" interface and pass all VLANs to a core/access switch if you do not have enough physical cables. Just be sure that you do not add an IP address to the DMZ VLAN any other place than your WLC interface and the port on your firewall. If the only other VLAN in the environment is the same VLAN as the management interface is in, you can simply tie your new SSID used for production data access to the management port. This will allow you to segment out guests without the need for any AP configuration change and only minor switching and firewall changes.

Thanks,
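The Layer 2 only guest VLAN described in the two posts above, written out as an added configuration example (this is not configuration from the thread, from b.garczynski, or from Cisco). Everything concrete is assumed: management VLAN 10 with the WLC management address 10.0.10.5, guest VLAN 50 carried as 192.0.2.0/24, WLC physical port 1 trunked to the switch, the ASA DMZ interface Ethernet0/2, the internal network 10.0.0.0/8, and the WLAN id 2. The security property the posts rely on is visible in the config: VLAN 50 has an IP address only on the WLC dynamic interface and on the ASA, so the only path off the guest VLAN is through the firewall.

```cisco
! ===== Catalyst access switch (assumed) =====
! VLAN 50 exists at Layer 2 only: deliberately no "interface Vlan50" / no SVI.
vlan 50
 name GUEST-DMZ-L2
!
! Trunk to the WLC: management untagged (native 10), guest tagged 50, nothing else.
interface GigabitEthernet1/0/1
 description WLC2106 port 1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,50
!
! Access port to the ASA DMZ interface, untagged VLAN 50.
interface GigabitEthernet1/0/2
 description ASA5510 Ethernet0/2 (guest DMZ)
 switchport mode access
 switchport access vlan 50

! ===== WLC 2106, AireOS CLI (assumed addresses) =====
! Dynamic interface for guests, tagged VLAN 50 on port 1, gateway = ASA DMZ address.
config interface create guest-dmz 50
config interface vlan guest-dmz 50
config interface port guest-dmz 1
config interface address dynamic-interface guest-dmz 192.0.2.10 255.255.255.0 192.0.2.1
! Internal DHCP scope for guests (use this OR DHCP on the ASA, not both).
config dhcp create-scope guest
config dhcp network guest 192.0.2.0 255.255.255.0
config dhcp address-pool guest 192.0.2.100 192.0.2.200
config dhcp default-router guest 192.0.2.1
config dhcp enable guest
! The WLC internal DHCP server is reached via the management address, not the dynamic interface.
config interface dhcp dynamic-interface guest-dmz primary 10.0.10.5
! Guest WLAN with web auth, bound to guest-dmz (not to the management interface).
config wlan create 2 Guest Guest
config wlan interface 2 guest-dmz
config wlan security wpa disable 2
config wlan security web-auth enable 2
config wlan enable 2

! ===== ASA 5510 (assumed) =====
! The firewall's DMZ interface is the only other IP address on VLAN 50.
interface Ethernet0/2
 nameif guest-dmz
 security-level 10
 ip address 192.0.2.1 255.255.255.0
 no shutdown
!
! Guests get Internet only; block the internal range explicitly before the permit.
access-list GUEST_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest-dmz
```

To confirm the design holds, check on the WLC that a guest client lands on the guest-dmz interface (`show client detail <mac>` and `show interface detailed guest-dmz`), and on the switch that no SVI exists for VLAN 50 (`show ip interface brief` should list no Vlan50). If either the switch or any other host carries an address in 192.0.2.0/24, the Layer 2 isolation the posts describe is gone and the ACL on the ASA becomes the only control.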

That sounds exactly like what I want. Really nice information. Going to try that on Friday, gonna get back to you with information. I assume I can use the internal DHCP server on the WLC for the guest users.

Thx again

You can use the WLC or the ASA for DHCP, obviously not both at the same time.

Thanks,

Hi, got this working this morning. Works like a charm.

Thank you very much
