Solved: Connecting WLC 5508 to 2 different network devices. Possible?

TEOH SU KEONG · ‎09-17-2013

Hi,

I have an existing 5508 port 1 and 2 connect to core switch using LAG.

Vlan 10 is management vlan (dynamic AP management enabled)

vlan 100 is staff vlan

I plan to add another Guest vlan (vlan 200) in the WLC but using port 3 and connect to internet router directly so that guest can only go to the internet.

Is this possible?

How?

Thank you.

Leo Laohoo · ‎09-17-2013

But I want to separate the guest users from going into internal network.

What you are about to do, i. e. assign each dynamic interface to a port, is do-able. People are doing it now. However, know the risks. One of them is that you won't have redundancy. What happens if you wind up having nine dynamic interfaces? Doesn't stack up.

Alternatively, you can get a proxy server and you push your Guest traffic to the proxy server. If you have a firewall you can also explicitely put up firewall rules preventing guest access to corporate network and vice versa.

How can this be done?

First, you create a guest dynamic interface. Assign the guest dynamic interface a distribution port. Next create a guest SSID and assign the guest SSID to the guest dynamic interface.

View solution in original post

Leo Laohoo · ‎09-17-2013

Yes it can be done. Some people have done this but do consider that by doing this you take away link redundancy.

Alternatively, you put your distribution ports into a LAG and enable all the VLANs you are using. Use a router or a Layer 3 switch or a firewall to push the traffic to their respective destination.

TEOH SU KEONG · ‎09-17-2013

But I want to separate the guest users from going into internal network. Prefarably guest user can directly go to internet. That is why I was planning to connect the WLC to an internet router just for guest user to go internet.

How can this be done?

Leo Laohoo · ‎09-17-2013

But I want to separate the guest users from going into internal network.

What you are about to do, i. e. assign each dynamic interface to a port, is do-able. People are doing it now. However, know the risks. One of them is that you won't have redundancy. What happens if you wind up having nine dynamic interfaces? Doesn't stack up.

Alternatively, you can get a proxy server and you push your Guest traffic to the proxy server. If you have a firewall you can also explicitely put up firewall rules preventing guest access to corporate network and vice versa.

How can this be done?

First, you create a guest dynamic interface. Assign the guest dynamic interface a distribution port. Next create a guest SSID and assign the guest SSID to the guest dynamic interface.

TEOH SU KEONG · ‎09-18-2013

Okay thanks. I will try and see if it works or not.

By the way, the LAG is in enable status. Do I need to disable this function?

Leo Laohoo · ‎09-18-2013

You need to disable LAG if you want to do what you need. You also need to reboot the controller.

TEOH SU KEONG · ‎09-18-2013

So that means the original configuration where management and staff interface running on LAG on port 1 and 2 will not be able to do etherchannel anymore if I want to do what I need?

Instead to do what I need, I should map management interface and staff interface to port 1 and port 2 as backup?

while port 3 mapped to Guest interface?

Correct me if I am wrong.

TQ

Leo Laohoo · ‎09-18-2013

It's either you enable LAG or you disable. There will be no "secondary" or "backup" port once you disable LAG. I've been telling you that.

TEOH SU KEONG · ‎09-18-2013

Okay. So with LAG disabled,

It means that I can only use 1 distribution port which is for example, port 1 for management and staff interface which connect to core switch.

While mapping my Guest interface to port 3 at WLC which connects directly to internet router for guest to go internet only.

Am I right with this setup?

Scott Fella · ‎09-18-2013

Yes... Like Leo mentioned you first need to disable lag. Now you can define a primary port and a backup (optional) port if you want. So for example, for management, port 1 is primary and port 2 is backup. For staff, port 2 is primary and port 1 is backup. For guest, port 3 is primary and port 4 (optional) is backup. This gives you some redundancy on the links.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

TEOH SU KEONG · ‎09-19-2013

What about the configuration at core switch? If I disable LAG, both port 1 and port 2 will be trunk port allow management vlan and staff vlan. Will the core switch see it as a loop and disable one of the port through spanning tree?

devils_advocate · ‎09-19-2013

Without link aggregation, the switch will see a L2 loop and spanning tree will block one of the links.

If you have two links, setup a L2 port channel on the switch, configure it as a trunk and enable LAG on the WLC

TEOH SU KEONG · ‎09-19-2013

Right . Thanks for the suggestion and information. I will try it out.

Abhishek Abhishek · ‎09-19-2013

Yes, it is possible that guest can only go to the internet whwn you add the Guest Vlan in the WLC using port 3