Guest WLAN with one WLC

AScaredSquirrel · ‎09-01-2020

I got the following hardware:

1x Cisco Systems AIR-CT5508-12-K9

6x Cisco Systems AIR-AP1142N-E-K9

I have to set up a guest WLAN network that has no access to the local network (192.168.0.0/24), only to the internet.

Currently I am using the management VLAN on the 192.168.0.0 net. It uses the physical router (Ubuntu Server) on 192.168.0.1 as gateway. The router handles the communication between the local network and the internet. It also serves as the DHCP and DNS server.

At first I tried adding a second WLAN with an ACL on Layer 3 Security limiting the access to the 192.168.0.0 network but that resulted in clients getting kicked of immediately. I don't even know if my goal can be achieved that way.

Second I tried adding another VLAN (ID 10) with a 10.10.10.0 net. The gateway is 10.10.10.1 which the router is listening on on the same physical NIC that it listenes on on the 192.168.0.0 net. The problem there is that while I am able to reach the router from any client in the network, the WLC can't. I also can't ping the WLC on its address on the 10.10.10.0 net, that being 10.10.10.2.

What am I doing wrong? Is there another way to do this withput a second WLC?

I have attached a rough diagram of the setup I am trying to create. If you need further information on this, just let me know.

Thanks in advance!

Scott Fella · ‎09-01-2020

What you are trying to do is something that is not typically deployed in any environments. If you want multiple SSID’s or have the ability to isolate vlans, you need a switch and router that can handle multiple vlans. The wlc is not meant to be like home wireless routers and is very different as you can already tell.

-Scott
*** Please rate helpful posts ***

AScaredSquirrel · ‎09-03-2020

I am aware that this is not the typical way to set up such a solution. I can't however justify the purchase of a second WLC just for a guest WLAN.

Could you elaborate more on what I actually have to do? What does it mean that I need to have a switch and router that can handle multiple vlans?

Please bare in mind that I am a beginner in the Cisco world and am not that familiar with the wireless infrastructure Cisco has to offer.

patoberli · ‎09-07-2020

This is unrelated to Cisco actually.

You need a router that is VLAN capable (or virtual interfaces) and maybe a switch that is vlan capable. Typically a router has several LAN ports, so if you can use one as a switch-port (most can this today), you don't need an additional switch.

On the router you have to create two networks (virtual network interfaces), one for the guests and one for the other users. Those interfaces you configure with the VLAN number you want to use on the WLC. The WLC you attach to one of the router switch ports, in trunk mode. The trunk needs to carry at least those two VLANs. The VLAN ID must be identical on the router/switch and the WLC (so guest =10 and users = 11 for example). Lastly you need to setup a firewall (on the router, if possible) between those two networks to allow/deny what you want.

You could also use your linux server for this (have a read into virtual interfaces), but it's generally not recommended. Make sure that routing is enabled and the lan port configured as a trunk (dot1q).

It doesn't matter which manufacturer the router is.