I have a general question about securing the guest WLAN in FlexConnect deployment -
Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
What would be the best option in the FlexConnect centralized WLC deployment to restrict guest traffic from accessing the corporate network? What are the advantages and disadvantages of those three options?
I would highly appreciate your input on this topic.
Option 1: Connecting the firewall directly to a WLC port can be done only when LAG is disabled. With LAG enabled, the firewall needs to connect to the switch directly.
Option 2: Of course you need another WLC, and it is the most secure of all the options.
Option 3: An ACL configured on the WLC will have some performance hit; the same is explained on CCO.
Advantages are better in the order 2, 1, 3.
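For option 3, the shape of the WLC-side ACL is what decides whether guest clients are actually kept off the corporate network. The following is an added example of an AireOS ACL, not configuration from either poster: it assumes a dynamic interface named `guest`, a hypothetical ACL name `GUEST-BLOCK-CORP`, and that the corporate network lives in the RFC 1918 ranges. The order matters because AireOS ACLs end in an implicit deny, so the explicit permit in the last rule is what lets guest clients reach the Internet at all.

```text
! Create the ACL and deny guest clients access to private address space
config acl create GUEST-BLOCK-CORP

config acl rule add GUEST-BLOCK-CORP 1
config acl rule action GUEST-BLOCK-CORP 1 deny
config acl rule direction GUEST-BLOCK-CORP 1 any
config acl rule destination address GUEST-BLOCK-CORP 1 10.0.0.0 255.0.0.0

config acl rule add GUEST-BLOCK-CORP 2
config acl rule action GUEST-BLOCK-CORP 2 deny
config acl rule direction GUEST-BLOCK-CORP 2 any
config acl rule destination address GUEST-BLOCK-CORP 2 172.16.0.0 255.240.0.0

config acl rule add GUEST-BLOCK-CORP 3
config acl rule action GUEST-BLOCK-CORP 3 deny
config acl rule direction GUEST-BLOCK-CORP 3 any
config acl rule destination address GUEST-BLOCK-CORP 3 192.168.0.0 255.255.0.0

! Last rule: permit everything else (Internet); without it the implicit deny drops all guest traffic
config acl rule add GUEST-BLOCK-CORP 4
config acl rule action GUEST-BLOCK-CORP 4 permit
config acl rule direction GUEST-BLOCK-CORP 4 any

! Apply the ACL and bind it to the guest dynamic interface
config acl apply GUEST-BLOCK-CORP
config interface acl guest GUEST-BLOCK-CORP

! Verify the rule order and hit counters
show acl detailed GUEST-BLOCK-CORP
```

Two caveats a practitioner should check before relying on this: the guest clients' own DHCP and DNS servers must not sit inside a denied range (or they need an explicit permit placed before the deny rules), and the deny rules are written with direction `any` so that the controller's inbound/outbound semantics do not have to be reasoned about per rule.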
If we go for option 2 and we do not have a second anchor WLC, then if the current anchor WLC fails, will the guest VLAN traffic be blackholed? Can we fall back guest VLAN traffic to the central WLC if the anchor WLC is down?
Yes, you're right.
Once the anchor/tunnel goes down, all the L3 services will be initiated for the guest WLAN from the foreign until the anchor comes up.
In an anchor-down situation, you need to configure the foreign WLC's guest WLAN mapped to a dummy interface; this way guest clients will have no network access.
If multiple anchors are mapped to the datacenter's foreign on the guest WLAN, then the guest users will tunnel the traffic to an available anchor; by default it will round-robin among the anchors.