Hi Sean,

Please be aware that for guest access, the WLAN must be centrally switched. You can still enable HREAP on the AP, but for the guest WLAN, do not enable local switching.

Your firewall can be used to separate the guest WLAN subnet from the corporate subnet and direct traffic to the Internet. For best practice, I would advise that you have a separate WLC on the DMZ at the central office, which could also double as the DHCP server. Also do not use the controller management interface for the guest WLAN. Instead create a separate dynamic interface. This ensures that the clients do not pick up an IP address from the corporate if there is controller failure.

Cheers

thats the point of the separate comcast connection, it is totally separate from the corporate network and is open to the guest. So no firewall or anything will be used, it will be on a total separate VLAN.

The WLC will have its own interface, set to the correct VLAN and we will be using a separate DHCP for that VLAN and local to the site

So there is no way to make guest network local switched too? Let authentication be done at the controller but once the traffic is authenticated, local switch the guest traffic. This would be too bad for customers without enough WAN bandwidth to tunnel all guest traffic to corporate site and then go out to internet.

You can do local switching for guest, but you would have to create acl's to prevent guest traffic from accessing the internal network.

Sent from Cisco Technical Support iPhone App

Would that be FlexConnect ACLs or different?

Right now I created 2 different WLANs using same SSID. If I used WLAN # smaller than 17 then it didn't allow me to create same SSID.

WLAN 17 - SSID: Secure, LocalSwitching, Local Authentication(In case the WAN link is down, AP does Radius auth direct), VLAN MAP: 101

WLAN 18 - SSID: Guest, LocalSwitching, No local Authentication, VLAN MAP: 111

WLAN 17 is working fine still not sure if I have guest WLAN working properly. I don't see guest WLAN in the VLAN Mapping list as an option at all.

This is possible right?

HREAP central auth, locally switched?

  sorry for my bad drawing, i did it quickly.

Team,

Below is my screenshot. I was able to do WLAN to VLAN mapping and now getting local IP from local DHCP scope that's doing local switching. However for the guest wireless, I don't seem to have an option to add guest WLAN/VLAN mapping. My guest WLAN is # 18 that needs to map to VLAN # 111.

Thanks,

Sam

Have you enabled FlexConnect local switching on the WLAN?

Also have you added the guest WLAN to that particular AP group?

WLAN tab > Guest SSID > Advanced > FlexConnect Local Switching

Like Aaron mentioned, you didn't enable local switching on the guest WLAN. Enabling that in any WLAN, allows you to get the wlan to vlan mappings.

Sent from Cisco Technical Support iPad App

copy pasted from my older post.