01-31-2025 12:02 PM
Hi all,
Looking to design/deploy a couple of IoT enterprise wireless networks. One of the WLAN networks will have access to the Internet only. The second WLAN will have access to the Internet as well as the internal (trusted) network. Could I leverage the VRF feature in 17.13.x to forward WLAN traffic to a network zone (DMZ1) for Internet only and create another WLAN with a VRF to a different network zone (DMZ2) that allows internal network access?
Thanks in advance.
01-31-2025 12:12 PM
Per Cisco recommendation, the WLC should not have a Layer 3 interface besides the management interface. Thus, it should not have VRFs either.
The proper design for what you want to accomplish would be to work with two WLCs and use the concept of Foreign/Anchor. One WLC on the DMZ and one on the Corp network.
01-31-2025 12:41 PM
Got it. Thanks for the response. I'll look to design a solution similar to the one mentioned above.
01-31-2025 12:49 PM
@msrohman You can find tons of information about similar design if you look for wireless guest. It will be very similar to your requirement.
One WLC will hold the access points and is called the foreign, and the traffic is sent to another WLC in the DMZ, which is called the anchor.
01-31-2025 01:14 PM
The challenge is that I have to put each group of IoT wireless devices into DMZ zones and not on the internal network. But I'll take your appreciated advice and add a second anchor into a second DMZ zone that allows access to the internal network. I was trying to leverage one anchor for two different network zones within best design practices.
01-31-2025 02:36 PM
@msrohman You may not need two WLCs in the DMZ. You can think of using two interfaces of the same WLC connected to different DMZs. You can map SSID1 to one DMZ and SSID2 to the second DMZ.
I am considering that your IoT devices will be somewhere in your corp network, and that's why I am suggesting the foreign/anchor setup.
This way, you can use the same access points you use for Corp users to collect the data from IoT devices and pass the traffic up to the WLC in the DMZ.
But nothing prevents you from joining the access points directly to the WLC in the DMZ and this way using only one WLC and not the foreign/anchor schema.
02-01-2025 09:36 AM
Just wanted to add some info. I had a customer who wanted to do the same thing in multiple sites, but didn't want to purchase a controller in the DMZ. What we ended up doing was dropping off the traffic in a VLAN that had a VRF to the DMZ, and that is how they separated traffic the way they wanted it. They had a secure SSID that was all local to the site, and for IoT and Guest there were two separate VRFs to different networks in the DMZ.
02-07-2025 03:14 AM
I was going to say what @Scott Fella said already - simply use VLANs to separate the traffic, then you can use VRFs at the router layer - but don't use VRFs on the WLC. Although they are technically supported now (for specific features only), they come with a whole bunch of caveats, so they are best avoided if at all possible.
Also note that you should never be using 17.13.x in a production network normally. That is a limited support release which will never get any bug fixes or security updates. Refer to the TAC Recommended link below and use an Extended Support release - 17.12.x, 17.15.x, etc.
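A worked configuration for the design described by Scott Fella and Rich R above (SSID-to-VLAN mapping on the WLC, VRF separation on the upstream router or Layer 3 switch), added here as an illustration; it is not taken from any poster's deployment. The VLAN IDs, VRF names, SSID names, IP addresses, next hops and interface names are assumed values, and the WLC side is written as Catalyst 9800 IOS-XE syntax.

```cisco
! ===== Catalyst 9800 WLC side (assumed): SSID -> VLAN only, no VRF on the WLC =====
vlan 110
 name IOT-INTERNET-ONLY
vlan 120
 name IOT-INTERNAL
!
! Two WLANs; PSK values are placeholders, replace before use
wlan IOT-INTERNET 11 IOT-INTERNET
 security wpa psk set-key ascii 0 <PSK-PLACEHOLDER-1>
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
wlan IOT-INTERNAL 12 IOT-INTERNAL
 security wpa psk set-key ascii 0 <PSK-PLACEHOLDER-2>
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
!
! Policy profiles place each SSID's clients into its own VLAN (central switching)
wireless profile policy IOT-INTERNET-POLICY
 vlan 110
 no shutdown
wireless profile policy IOT-INTERNAL-POLICY
 vlan 120
 no shutdown
!
wireless tag policy IOT-POLICY-TAG
 wlan IOT-INTERNET policy IOT-INTERNET-POLICY
 wlan IOT-INTERNAL policy IOT-INTERNAL-POLICY
!
! Trunk from the WLC toward the upstream router carries both client VLANs
interface TenGigabitEthernet0/0/0
 switchport mode trunk
 switchport trunk allowed vlan add 110,120

! ===== Upstream router / L3 switch side (assumed): VRF-lite keeps the two zones apart =====
vrf definition DMZ1-INTERNET
 address-family ipv4
 exit-address-family
!
vrf definition DMZ2-INTERNAL
 address-family ipv4
 exit-address-family
!
interface Vlan110
 description IoT SSID1 - Internet only (DMZ1)
 vrf forwarding DMZ1-INTERNET
 ip address 10.110.0.1 255.255.255.0
!
interface Vlan120
 description IoT SSID2 - Internet plus internal access (DMZ2)
 vrf forwarding DMZ2-INTERNAL
 ip address 10.120.0.1 255.255.255.0
!
! Each VRF has its own default route toward its firewall edge (next hops assumed).
! No route leaking is configured, so DMZ1 clients have no path to internal prefixes;
! DMZ2 reaches the internal network only through whatever the DMZ2 firewall permits.
ip route vrf DMZ1-INTERNET 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf DMZ2-INTERNAL 0.0.0.0 0.0.0.0 198.51.100.1
```

To confirm the separation, check the routing table of each VRF (`show ip route vrf DMZ1-INTERNET`) and verify that only the connected VLAN subnet and the default route appear; any internal prefix showing up in the Internet-only VRF means a route leak or an interface was placed in the wrong VRF.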