Cisco Flex Connect and users can not get IP Address by WAN

ivan.martin
Explorer

Hello, my name is Ivan.

I have a WLC 5508 with a base license for 50 APs, and I use a FlexConnect deployment. I have already registered all my access points. I use web authentication to authenticate guest users, and the DHCP service is in the central site.

My issue is that the users in each remote site cannot get an IP address by DHCP from the central site. They can authenticate on the guest SSID, but no users can get an IP.

The request passes over the WAN in this way:

Central Site DHCP - Router WAN - Remote Site - Users with notebooks. I use a FlexConnect central deployment (all the traffic goes to the WLC).

Perhaps I should use a local deployment? The WLC is in the central site.

Can you help me resolve this issue, please? Perhaps any advice?

Regards

Ivan.

1 Accepted Solution

Hi

It's not best practice to have both your corporate clients and guests anchored on the same WLC. However, for your scenario, I would suggest the following:

1. Disable LAG on the WLC if it exists.

2. Create a dynamic vlan for guests and map it to a physical port on the controller. The WLC 5508 has 8 distribution ports so there is enough.

3. Your corporate clients SSID can be mapped to the management interface if you choose. The management interface takes the first port.

4. The dynamic interface for the guests must have the IP address of the external DHCP server specified.

5. If the WLC ports are connected to the same switch, you can create a pre-authentication ACL for guests to deny access to any corporate subnets and allow connection to only DNS, DHCP, and other necessary services.

6. Map the guest SSID to the dynamic interface VLAN.
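
A pre-authentication ACL such as the one in step 5 is evaluated top-down, so rule order decides both whether guests can reach DHCP and DNS and whether corporate subnets stay closed. The following is an added example, not part of the original post and not WLC configuration: a simplified first-match model (destination-only matching, implicit deny) with constructed addresses, used to audit two weak rule sets and a corrected one.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "any"
    dst: str              # destination network in CIDR form
    port: Optional[int]   # destination port, None = any port

def evaluate(acl, proto, dst_ip, port):
    """First matching rule wins; no match falls through to an implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for r in acl:
        if (r.proto in ("any", proto)
                and ip in ipaddress.ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Constructed addressing for illustration only (not taken from the thread).
CORPORATE = "10.10.0.0/16"
DHCP_SERVER, DNS_SERVER = "10.10.5.10", "10.10.5.11"
# Flows a guest must never be allowed before (or after) web authentication.
PROBES = [("tcp", "10.10.1.20", 445), ("udp", "10.10.1.20", 161),
          ("tcp", DHCP_SERVER, 22)]

def audit(acl):
    """Return findings for a guest pre-authentication ACL (empty list = OK)."""
    findings = []
    if evaluate(acl, "udp", DHCP_SERVER, 67) != "permit":
        findings.append("DHCP to server blocked")
    if evaluate(acl, "udp", DNS_SERVER, 53) != "permit":
        findings.append("DNS to server blocked")
    for proto, ip, port in PROBES:
        if evaluate(acl, proto, ip, port) == "permit":
            findings.append(f"corporate reachable: {proto} {ip}:{port}")
    return findings

# Weak: the subnet deny shadows the service permits, so guests get no lease.
WEAK_ORDER = [Rule("deny", "any", CORPORATE, None),
              Rule("permit", "udp", DHCP_SERVER + "/32", 67),
              Rule("permit", "udp", DNS_SERVER + "/32", 53)]
# Weak: a blanket UDP permit ahead of the deny exposes corporate hosts.
WEAK_BROAD = [Rule("permit", "udp", "0.0.0.0/0", None),
              Rule("deny", "any", CORPORATE, None)]
# Corrected: narrow host/port permits first, then the corporate deny.
HARDENED = [Rule("permit", "udp", DHCP_SERVER + "/32", 67),
            Rule("permit", "udp", DNS_SERVER + "/32", 53),
            Rule("deny", "any", CORPORATE, None)]
```
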

17 Replies

Scott Fella
Hall of Fame Guru

Is the SSID in central or local switching?

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hello Scott Fella

It is local switching.

thanks for your answer

Any advice?

Regards

So local switching means the subnets the clients will get need to be created at the site where the WLC is located. The WLC also needs to have a dynamic interface on those subnets. Is this how you have things set up?

-Scott

Ivan,

FlexConnect local switching is not ideal for the guest user setup. I would suggest you stick to central switching. Local switching means that the packets are switched locally, and with your guest anchored centrally at the WLC, your configuration has to be central switching.

Thanks Osita

In your case, if I configure central FlexConnect, when should I configure the DHCP server? In the central site?

Is it possible for the users in each remote site to get different IP addresses?

Regards

Ivan

As long as you don't enable local switching on the SSID, traffic will be centrally switched. You can create a single DHCP scope for all guests at the central site, or you can create a separate scope. That means for separate DHCP, each site will have a different SSID.

Hello Osita

Thanks for your answer.

Could you please give an example of your advice? The link between the access point and the switch is a trunk passing the VLAN.

I am confused about how I should configure the WLC interfaces for each SSID, or about mapping all the VLANs using central switching.

Thanks

Ivan

Hi Scott thanks for your answer

I have only configured 3 interfaces: management, service port and virtual interface. The DHCP server is in each remote site. For example,

Remote Site A:

DHCP service

FlexConnect access point, connected by a trunk link to the core switch

Each remote site has its own internet

The VLAN ID is the same in each remote site and with the same network

The DHCP broadcast is local

How should I configure it according to your advice?

Regards

Ivan

Scott Fella
Hall of Fame Guru

Like I mentioned, if you want client traffic at the remote site, you need to enable local switching. If you have the WLAN as centrally switched, you need to define the subnets at the site the WLC is at. With local switching enabled, you can define the WLAN to VLAN mapping on each AP. It's a different configuration than local or central switched APs.

-Scott

Scott Fella
Hall of Fame Guru

Take a look at this link as it will explain the difference and what you need to do to make it work.

http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

-Scott

In addition to the link Scott posted. Since you mentioned guest services, also use the link below:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html

Another link for flexconnect is:

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html

Hi Osita, thanks for your advice

In the case where all the guests in remote sites have the same network but with different VLAN IDs, I believe that I should use central switching, with its own DHCP service handing out the IP addresses.

Is that correct?

Ivan

Hi Ivan

For guest users, I suggest you keep it simple.

1. Create a single DHCP scope at the central site, preferably on the WLC, which I hope is on your DMZ. Limit the lease time to 30 minutes or less, so that outsiders do not hold on to IP addresses for a long time and hence fill up your scope.

2. Use central switching and not local switching on the WLAN SSID.

Thanks Osita

If I configure central authentication and central switching, I need to create a dynamic interface for each remote site, with each dynamic interface associated with a different VLAN ID, because I cannot associate a single dynamic interface to the same VLAN ID. But in my case the remote clients in each remote site have the same network segment with the same VLAN ID and the same SSID for guests. My goal is to configure web authentication with the local DHCP server at each remote site. Will this work? Each remote site has its own DHCP server.

If I configure central authentication with central switching with web authentication as I set in my scenario?

My issue is the dynamic interfaces, because I have the same network for the guest customers with the same VLAN ID in each remote site.

Regards
