cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1300
Views
10
Helpful
3
Replies
zakir.ahmed
Beginner

Guest VLAN - FlexConnnect Central Switching vs Anchor WLC

I have a general question about securing the guest WLAN in FlexConnect deployment -

Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch

Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ

Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself

What would be the best option in the FlexConnect Centralized WLC deployment to restriect guest traffic from accessing corporate network? What are the advantages and disadvantages of those three options?

I would highly appraciate your input on this topic.

Thank you.

3 REPLIES 3
Saravanan Lakshmanan
Cisco Employee

option 1: connecting firewall directly to WLC port can be done only when lag disabled, With lag enabled, then the firewall needs to connect the switch directly.

option 2: ofcourse you need another WLC and very secured out of all the options.

option 3: ACL configured on WLC will have some performance hit, same is explained on cco.

Advantages are better in the order 2, 1, 3.

If we go for option 2 and if we do not have a second anchor WLC, then if the current Anchor WLC fails then the guest VLAN traffic will be blackholed? Can we fallback guest vlan traffic to central WLC if Anchor WLC is down?

Yes, you're right.

Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.

On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.

If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors.

Content for Community-Ad