
guest wireless with single 4402 controller

columoconnor
Level 1

Can you configure guest wireless with a single controller? All the docs I find have an anchor controller.

Any help or links would be appreciated.


Accepted Solutions

dknov
Level 3

Hi,

Sure thing, this is how we have it. It all depends on how security-paranoid you are :-)

Here is the way we have it done. All the following configuration is on Core controllers... Dynamic Interface for guest traffic and WLAN for guest SSID. The Dynamic Interface uses a VLAN ID which is trunked from the Core Controller back to our Layer 2 switches.

This VLAN is trunked to our Firewall, where a security policy exists to allow the services we want to allow for guests...

Be aware that guests get an IP address prior to authentication and your Core Controller acts as a DHCP relay, so your Firewall needs to allow DHCP relay traffic from the IP address configured on the Controller under Dynamic Interface to your DHCP servers... It's a bit of a security concern because you allow some traffic prior to authentication, and even worse, back to your Corporate network...

The other solution is the internal DHCP server on the controller, but we wanted centralized IP management... again, it depends on your security posture.

HTH.

David
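
An added example, not part of the post above or of any Cisco tooling: a small Python audit of a firewall rule list for the concern David raises, checking that the only path from the guest VLAN into the corporate network is DHCP relay (UDP/67) from the controller's dynamic interface IP to the DHCP servers. The rule format, all addresses and the function names are constructed for illustration.

```python
from ipaddress import ip_network

# All addresses below are constructed sample values, not taken from the thread.
GUEST_NET = ip_network("172.16.50.0/24")      # guest VLAN behind the dynamic interface
CORP_NET = ip_network("10.0.0.0/8")           # corporate address space
WLC_GUEST_IF = ip_network("172.16.50.2/32")   # controller's dynamic interface IP
DHCP_SERVERS = {ip_network("10.10.0.5/32")}   # central DHCP server(s)

# Constructed firewall policy, evaluated top-down, first match wins:
# (action, protocol, source, destination, destination port)
RULES = [
    ("permit", "udp", "172.16.50.2/32", "10.10.0.5/32", 67),
    ("permit", "udp", "172.16.50.0/24", "10.10.0.5/32", 67),
    ("permit", "tcp", "172.16.50.0/24", "10.20.0.0/16", 443),
    ("deny",   "ip",  "172.16.50.0/24", "10.0.0.0/8",   None),
    ("permit", "tcp", "172.16.50.0/24", "0.0.0.0/0",    443),
]

def is_relay_exception(proto, src, dst, dport):
    """True only for controller interface -> DHCP server on UDP/67."""
    return proto == "udp" and dport == 67 and src == WLC_GUEST_IF and dst in DHCP_SERVERS

def audit(rules):
    """Return (rule number, reason) for every guest-to-corporate permit
    other than the DHCP relay exception; rule number 0 means no rule
    denies the remaining guest-to-corporate traffic."""
    findings = []
    for num, (action, proto, src, dst, dport) in enumerate(rules, 1):
        src, dst = ip_network(src), ip_network(dst)
        if not (src.overlaps(GUEST_NET) and dst.overlaps(CORP_NET)):
            continue
        if action == "deny":
            if proto == "ip" and GUEST_NET.subnet_of(src) and CORP_NET.subnet_of(dst):
                break  # later rules cannot pass guest-to-corporate traffic
            continue
        if is_relay_exception(proto, src, dst, dport):
            continue
        findings.append((num, f"{proto}/{dport} {src} -> {dst} reaches the corporate network"))
    else:
        findings.append((0, "no deny covering guest VLAN to corporate network"))
    return findings

if __name__ == "__main__":
    for num, reason in audit(RULES):
        print(f"rule {num}: {reason}")
```

On the sample policy it flags rules 2 and 3: rule 2 lets any unauthenticated guest address reach the DHCP server directly rather than only the controller's interface, and rule 3 opens a corporate subnet to guests.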


2 Replies

We have also done the same, with a layer 2 link going to a firewall. We have no SVIs on the switches, just layer 2, and have also secured it with VACLs. Looks pretty good to me; buying another controller for the anchor point is too expensive!!
