Central Switching Guest Design / ACL on Flex AP

jpl861
Level 4

Hi Friends,

Just want to ask some questions.

We only have controllers in our main data centers, and all our spoke centers do not have internet; they have to route to the main DCs for internet access. Our wireless design uses FlexConnect. All our SSIDs/WLANs were configured for FlexConnect local switching, so all our AP modes are FlexConnect as well. However, I configured the guest WLAN as a regular SSID, without FlexConnect local switching under the WLAN, so it is in native central switching mode: it passes through the controller and is mapped to a WLC interface behind a firewall. So all guest traffic that requires internet access is thrown right away from the AP to the WLC, which sits at the edge of the network behind an internet firewall with no access to the internal LAN (except for RADIUS). Guest authentication is through an internal ISE server. It's working well right now (but still not in production). Does this design make sense? In my opinion, this is a more sensible design than using FlexConnect for guest, as guest traffic would be seen as native traffic inside our network and could pose a security risk. Please advise, as I'm a newbie.

I am simply following this guide for guest net.

http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/115732-central-web-auth-00.html

I have another question. The design in another region is different, as all of their spoke sites have a local internet gateway, so their guest net is also doing flex local switching. The company design document says I should also follow steps 3 and above of the document below, but I haven't done it. Our guest net is working fine. Can someone explain better whether I should still follow it, or what its purpose is?

http://www.cisco.com/c/en/us/support/docs/wireless/flex-7500-series-wireless-controllers/113605-ewa-flex-guide-00.html

I am under the assumption that those steps were necessary if you are doing External Web Authentication in a FlexConnect environment, where you would need to push a pre-auth ACL at the AP level since the WLAN is locally switched and the AP needs some idea of which traffic has to be allowed initially. So since I am centrally switching my guest net, I no longer need those.

Please advise.

Thanks in advance.


John

2 Replies

Philip D'Ath
VIP Alumni

That is how I like to do it - tunnel guest traffic back to the WLC, and switch corporate traffic locally.

Check this link; it may help you:

http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/ch7_HREA.html

Configuring Flexconnect ACLs

http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-4/configuration/guides/consolidated/b_cg74_CONSOLIDATED/b_cg74_CONSOLIDATED_chapter_010001110.html
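The point behind the pre-auth ACL question in the original post is that on a locally switched WLAN the AP drops guest frames straight onto the site LAN before the client has authenticated, so the AP itself has to enforce what an unauthenticated guest may reach. The following is an added example, not Cisco configuration and not code from the linked guides: a small Python model of first-match ACL semantics (explicit permit/deny per rule, implicit deny at the end, which is how the FlexConnect ACLs in the linked guide behave) used to compare a tight guest pre-auth ACL against a leaky one. The addresses (an ISE portal at 10.1.1.20, a DNS server at 10.1.1.53, the corporate range 10.0.0.0/8, a file server at 10.2.3.4) and the sample flows are constructed for the example.

```python
"""Model of a FlexConnect pre-auth ACL: ordered first-match rules, implicit deny.

Added example; assumed addresses and flows are constructed, not from any real site.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                                # "permit" or "deny"
    proto: str                                 # "udp", "tcp", or "ip" (any protocol)
    dst: str                                   # destination network, CIDR notation
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dport: int


def evaluate(acl: List[Rule], flow: Flow) -> str:
    """Return the action of the first rule that matches the flow, else 'deny'."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for rule in acl:
        if rule.proto != "ip" and rule.proto != flow.proto:
            continue
        if dst not in ipaddress.ip_network(rule.dst):
            continue
        if rule.dports is not None and not (rule.dports[0] <= flow.dport <= rule.dports[1]):
            continue
        return rule.action
    return "deny"  # implicit deny: anything not listed is blocked pre-auth


# Assumed corporate address space and the only internal hosts a guest may touch
# before authenticating (the ISE guest portal and the DNS resolver).
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_INTERNAL_HOSTS = {"10.1.1.20", "10.1.1.53"}

# Tight pre-auth ACL: DHCP, DNS to the resolver, HTTPS to the ISE portal, nothing else.
TIGHT_PREAUTH_ACL = [
    Rule("permit", "udp", "0.0.0.0/0", (67, 68)),       # DHCP
    Rule("permit", "udp", "10.1.1.53/32", (53, 53)),    # DNS
    Rule("permit", "tcp", "10.1.1.20/32", (8443, 8443)),  # ISE guest portal
]

# Leaky variant: someone appended "permit any" so guests can "reach the internet",
# which on a locally switched WLAN also opens the whole site LAN pre-auth.
LEAKY_PREAUTH_ACL = TIGHT_PREAUTH_ACL + [Rule("permit", "ip", "0.0.0.0/0")]

# Constructed sample flows from an unauthenticated guest client.
SAMPLE_FLOWS = [
    Flow("udp", "255.255.255.255", 67),   # DHCP discover
    Flow("udp", "10.1.1.53", 53),         # DNS lookup of the portal name
    Flow("tcp", "10.1.1.20", 8443),       # portal login page
    Flow("tcp", "10.2.3.4", 445),         # SMB to an internal file server
    Flow("tcp", "93.184.216.34", 443),    # arbitrary internet HTTPS
]


def leaked_internal(acl: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows the ACL permits to internal hosts that are not the portal or resolver."""
    return [
        f for f in flows
        if evaluate(acl, f) == "permit"
        and ipaddress.ip_address(f.dst_ip) in INTERNAL
        and f.dst_ip not in ALLOWED_INTERNAL_HOSTS
    ]


if __name__ == "__main__":
    for name, acl in (("tight", TIGHT_PREAUTH_ACL), ("leaky", LEAKY_PREAUTH_ACL)):
        print(name, [(f.dst_ip, f.dport, evaluate(acl, f)) for f in SAMPLE_FLOWS])
        print(name, "leaks:", leaked_internal(acl, SAMPLE_FLOWS))
```

With the tight ACL every internal destination other than the portal and resolver is denied pre-auth, while the leaky ACL permits SMB to 10.2.3.4. That is the exposure the pre-auth ACL steps in the FlexConnect guide address; with the guest WLAN centrally switched, as in the original design, the AP never bridges guest frames locally, and the firewall in front of the DMZ interface plays that role instead.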
