cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2194
Views
0
Helpful
4
Replies

Guest Wireless Access without Anchor Controller

kdasari01
Level 1
Level 1

Hello:

We have been using Cisco WLC based wireless architechture for both secure and guest wireless access for over 5 years now. We have about 30 sites globally each site with at least one contoller (larger sites with at least two controllers per site) and up to 40 APs per location.

We have originally designed this solution a few years ago, at that time if my memory serves right, it was Cisco recommended design as well. We have Guest SSIDs and Secure SSIDs in each location on the same controller. However, Guest WLANs map to WLC interfaces that connect to DMZ switch and recieve IP Addresses in the IP Range assigned for DMZ subnets. As such the guest users will not have access to Internal resources with the Firewall Interface controlling the DMZ is modified to explicitly permit that traffic.

Is there any security risks associated with this design? I am hearing all this talk about Guest Anchor wireless controllers. Since we are a global company and have many sites, to add 30 WLCs for guest access is cost prohibitive.

Can somebody please comment on this and point me to any document that discusses the pitfalls of design that is similar to our setup. Am i making this up or our design a recommended design by Cisco in the past and now changed.

Thanks

Kumar

4 Replies 4

Todd S
Level 1
Level 1

That design works fine, I've implemented it before.

Thanks for the reply. I am doing this now and it works. However, anyone want to discuss why this design is less optimal visa vi having a desing with an achor WLC in DMZ.

Hi,

Are you still facing this issue? If not could you please mark the Question as Answered.

thanks,
Vinay

Thanks & Regards

Hi there - I was just wondering if this is still recognised as an approved soloution?

 

I would like to provide guest access via our WLC's which are in the same site as our firewall / FTD devices.

 

If I can dedicate one of the interfaces on our WLC's to DMZ only traffic this would be a far more cost effective solution rather than having to tunnel to another WLC.

 

Review Cisco Networking for a $25 gift card