2504 WLC on edge network for guest wifi

Shooter308
Level 1

I have a 2504 WLC with a 1042 AP and I have it placed on my edge Cisco 3750 switch.

I have the management interface of the WLC set on my WAN IP 71.x.x.x subnet range, and I have the WLC doing DHCP duties with a DHCP scope of 192.168.X.0. I have my DNS servers set on external DNS servers out on the Internet.

I have two Cisco 3845 Routers on my edge network - one for each ISP with BGP protocol.

Since my native VLAN is 71.x.x.x, I added a sub interface on my main core router and gave it a 192.168.x.1 255.255.255.0 address for the gateway. Also, I added ip prefix-list iBGP seq 10 permit 192.168.x.0/24 le 32 to my main core router. On my secondary ISP router I added

ip prefix-list iBGP seq 10 permit 192.168.X.0/24 le 32, and ip prefix-list OUT seq 10 permit 192.168.x.0/24 statements.

I added VLAN 10 to my edge switch and gave it IP 192.168.x.2 255.255.255.0, and the switchports on the edge switch that my core router and my WLC are connected to are in trunk mode with encapsulation dot1q 10. The switchport on my edge switch that the AP is connected to is in switchport access mode.

I can connect to the wifi with a 192.168.x.x IP address on my laptop, but I cannot get any Internet access.

Is it possible to have the DHCP scope be in a different subnet than my WAN IP subnet, and allow guests to get to the external Internet only? Do I need to put the WLC somewhere internal on my network i.e. the DMZ and then tunnel the traffic out to the Internet with no Internal network access?

Thanks for any help you can provide.

5 Replies

Stephen Rodriguez
Cisco Employee

No, what you have described should work.

When you added in the new 192.168.x.x address, did you remember to add it to your NAT ACL?

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

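A worked IOS configuration for the point Steve raises (the guest subnet must appear in the NAT ACL) together with the Internet-only policy the original question asks about. This is an added example and not configuration posted by anyone in the thread. Everything named here is an assumption: the thread elides the third octet of the guest subnet, so 192.168.10.0/24 (matching VLAN 10) stands in for it; GigabitEthernet0/0 is taken as the ISP uplink and GigabitEthernet0/1 as the trunk towards the edge 3750, whose native VLAN carries the 71.94.x.x edge subnet; the ACL names are invented.

```cisco
! Added example (not from the thread). Assumed names and numbers:
!   192.168.10.0/24   stands in for the thread's 192.168.x.0/24 guest subnet
!   GigabitEthernet0/0   ISP uplink (ip nat outside)
!   GigabitEthernet0/1   trunk to the edge 3750; untagged = 71.94.x.x native VLAN
!
! 1. Guest policy, applied inbound on the guest gateway subinterface so it only
!    ever sees packets from wireless clients. Deny all private address space
!    (which also covers the guest subnet itself and the internal network behind
!    the PIX), then permit the guest subnet to anything else, i.e. the Internet.
!    DHCP is not listed: the WLC's internal DHCP server answers clients inside
!    the CAPWAP tunnel from the AP, so the router never sees those packets.
ip access-list extended GUEST-TO-INTERNET
 remark Guest wifi: Internet only, no RFC1918 or edge-network destinations
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Add a deny for your real 71.94.x.x edge /24 here (WLC, PIX, ISP routers)
 permit ip 192.168.10.0 0.0.0.255 any
 deny   ip any any
!
! 2. NAT. The 71.94.x.x hosts are publicly addressed and need no translation,
!    so the only thing in the NAT ACL is the guest /24. Traffic that does not
!    match this list is forwarded untranslated, which is why a guest client
!    with a 192.168 address gets no replies until the subnet is added here.
ip access-list extended NAT-INSIDE
 remark Guest subnet to be translated to the uplink address
 permit ip 192.168.10.0 0.0.0.255 any
!
interface GigabitEthernet0/1.10
 description Guest VLAN 10 gateway (the thread's 192.168.x.1)
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
 ip access-group GUEST-TO-INTERNET in
 ip nat inside
!
interface GigabitEthernet0/0
 description ISP uplink
 ip nat outside
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
```

Two checks after applying it: have a guest client browse somewhere, then `show ip nat translations` should list its 192.168.10.x address translated to the uplink address, and `show access-lists GUEST-TO-INTERNET` should show hit counts on the permit line (and on a deny line if the client tries to reach something internal). Two caveats a practitioner will want: private address space is not routable on the Internet, so the prefix-list entries in the thread that let 192.168.x.0/24 be advertised towards the ISP do nothing useful unless the provider has explicitly agreed to translate it for you, which is the question Steve is asking; and with two ISP routers the NAT table lives on whichever router built the translation, so the guest subnet's outbound and return traffic must traverse the same router, or replies for a translated session will arrive at a router that has no state for them and be dropped.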

NAT ACL on the core ISP router?

Currently there is no access-list on the router when I type command sh access-lists.

Do I have to reset my BGP in order for the new statements I added to the iBGP prefix list before 192.168.x.0 can be routed outside? Initially the only IP subnet on the iBGP prefix list was my WAN IP subnet 71.94.x.x.

Thanks,

Doug

You are advertising your internal routes to your ISP, and they are doing the NAT for you?

You should have somewhere that you are NATing your internal traffic to the provider. 

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered


All of this wireless setup is located on my edge network. It is on my edge Cisco 3750 switch, which is between my PIX firewall and my two Cisco 3845 ISP routers. All of these devices have IPs on my native VLAN 71.94.x.x.

Right, and how does a 'normal/current' user access the Internet? Somewhere going to your ISP there should be some sort of NAT statement when you send interwebs traffic.

If your ISP is taking care of all of that for you, you probably need to let them know you added the subnet so they can do the NAT.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
