
Cisco Flex Connect and users can not get IP Address by WAN

ivan.martin
Level 1

Hello, my name is Ivan.

I have a WLC 5508 with a base license for 50 APs, and I use a FlexConnect deployment. I have already registered all my access points. I use web authentication to authenticate guest users, and the DHCP service is at the central site.

My issue is that the users at each remote site cannot get an IP address by DHCP from the central site. They can authenticate on the guest SSID, but no user can get an IP.

The request passes over the WAN in this way:

Central Site DHCP - Router WAN - Remote Site - Users with notebooks. I use a FlexConnect central deployment (all the traffic goes to the WLC).

Perhaps I should use a local deployment? The WLC is at the central site.

Can you help me resolve this issue, please? Perhaps any advice?

Regards

Ivan.


A network diagram would help make it clearer what you want to achieve. What is your set up?

1. Is the WLC solely for guest access and the APs only broadcasting the guest SSID? Or

2. Are there 2 WLCs with one acting as the anchor for guest users?

You can configure different dynamic interfaces, each with its VLAN ID, for each site, and the external DHCP IP address is specified on each dynamic interface. Also, the DHCP server has to be reachable from the WLC. You can ping the DHCP servers from the WLC to confirm reachability.

Thanks Osita

I have

One WLC in the central site

A DHCP server at the central site; it can send IP addresses to all the customers at the remote sites

3 SSID

Corporative with 802.1X PEAP

Directors with WPA PSK with MAC filtering

Guest with Web Authentication

In each remote site I have a WAN router, it can work that server DHCP to all the customers

Each remote site has the same network, 192.168.1.0/24, in the same VLAN ID 30

My issue is:

Should I deploy central authentication with central switching or local switching?

If I configure central switching, I should configure dynamic interfaces for each remote site, but the network and VLAN ID of each remote site are the same.

How can I do it? I think that central authentication with local switching can work very well in my scenario.

What's your opinion?

Regards

Ivan

Hi

It's not best practice to have both your corporate clients and guests anchored on the same WLC. However, for your scenario, I would suggest the following:

1. Disable LAG on the WLC if it exists

2. Create a dynamic vlan for guests and map it to a physical port on the controller. The WLC 5508 has 8 distribution ports so there is enough.

3. Your corporate clients SSID can be mapped to the management interface if you choose. The management interface takes the first port.

4. The dynamic interface for the guests must have the IP address of the external dhcp server specified.

5. If the WLC ports are connected to the same switch, you can create a pre-authentication ACL for guests to deny access to any corporate subnets and allow connection to only DNS, DHCP, and other necessary services.

6. Map the guest SSID to the dynamic interface VLAN.
