
Internal WLAN and Guest WLAN

Hello,
I'm slowly getting a little better at configuring the Cisco AP via the WLC. Now I'm in the
process of setting up a guest WLAN in addition to the internal WLAN. Now my question
about it:
1. How do I configure the switch port where the AP is connected so that it provides the
internal WLAN and then also the guest WLAN?

Here are some of the data for the WLANs:
- Internal WiFi no tag
- Guest WiFi VLAN 10
- Internal WLAN obtains an IP from the FW via DHCP (192.168.100.0/23).
- Guest WLAN should also obtain an IP via the FW via DHCP (192.168.102.0/23).

What do I have to configure on the switch port so that both WLANs can be reached
via the AP and can access the Internet? I read that the lightweight AP does not
understand VLAN tagging and that the port should therefore be configured as an
access port. But then it is stuck in a VLAN and I need VLAN 10 (guest WLAN) and
VLAN 1 (internal WLAN).

Best regards


marce1000
Hall of Fame

 

  - For starters, for CAPWAP-based access points (lightweight), all of that is handled on the controller, where the guest WLAN is mapped to a separate VLAN for guest traffic (usually); same mechanism for internal traffic.

 M.



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Hello marce1000,

So I only have to switch the port to which the WLC is connected as a
trunk port with the permitted VLAN 1 and 10. And the AP is then simply
connected to a switch port access and I don't give a VLAN there?
Is that correct then?

 

  - For a lightweight access point, it only needs a CAPWAP tunnel to the controller; usually a special VLAN is reserved for that and the access points are then put in that VLAN (access points on a switch use 'host mode', e.g. switchport mode access, and no trunk configurations at all). On the controller the situation is different because the needed VLANs must be made available (and mapped to WLANs), hence trunk links are needed. More correct info is found here:
    https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/68100-wlan-controllers-vlans.html

 M.




Hello marce1000,

thank you for your quick help. Then would it work like this?

I currently have the WLC connected to the switch. A LAN cable
goes from the switch to the FW on a bridged interface. The DHCP
for the internal network runs on this interface, as does a DHCP for
the VLAN 10 interface. Now I have a question: do I have to set the
LAN connection that goes from the switch to the FW as a trunk on
the switch, and then the connection to the WLC as a trunk, and then
enter the two VLANs 1 and 10 as allowed VLANs for both trunk connections?

The normal plan was to set the WLC on the FW to a bridged interface
and to let a second bridged interface of the FW go to the switch.
Unfortunately I get no connection to the DHCP (VLAN 10) server in
my test environment on the virtual FW. That's why I changed the
configuration so that the WLC is connected to the switch and I then
go from the switch to the FW with just one cable.

Hi,

  It depends a little bit on what your topology looks like. For example, if you have a data center or central office and you want to set up a wireless network in a remote office, you may have one approach, but if you have only the central office, you may have a different approach. Let me suggest a "one fits all" topology and see what you think.

 First put your access point as FlexConnect on the WLC. The switch port you configure in trunk mode. The management VLAN (the VLAN you use for the AP to talk with the WLC) you put as native VLAN.

 Then, on the SSID you can keep the Internal WIFI as central switching, which means the traffic will be sent to the WLC.

For GuestSSID you check the option "Flexconnect Local switching".

  Then you go to the Access Point config, Flexconnect tab, WLAN to LAN map, and put the WLAN ID and the VLAN 10.

  And now the Access Point will send the Guest traffic to the switch. On the switch, you might have some interface vlan somewhere. On the interface vlan you can configure ip helper-address pointing to your DHCP server.

 But, if this scenario does not fit you, you can also do it differently.

Send all the traffic, Guest and Internal, to the WLC. Keep the switch port config as Access.

On the WLC you create Access Point groups, and on the WLC you can create an Interface for Guest and for Internal.

On the WLC group you can differentiate the traffic by associating the WLAN SSID to an Interface/Interface group.

Both ways apply, and it all depends on how your topology was built.
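
The two switch-side options described in the post above, written out as a Cisco IOS configuration sketch. This is an added example, not configuration posted in the thread; the interface names, the use of VLAN 1 as the AP's untagged management VLAN, and the `<...>` placeholders are assumptions.

```cisco
! Added example (not from the thread). Interface names are hypothetical.
! Older platforms may also need "switchport trunk encapsulation dot1q"
! before "switchport mode trunk".
!
! ---- Option 1: FlexConnect AP, guest WLAN locally switched into VLAN 10 ----
vlan 10
 name GUEST
!
! AP port is a trunk. Assumption: the AP reaches the WLC over untagged VLAN 1,
! so VLAN 1 is the native VLAN. Only the management and guest VLANs are allowed.
interface GigabitEthernet1/0/5
 description FlexConnect AP (hypothetical port)
 switchport mode trunk
 switchport trunk native vlan 1
 switchport trunk allowed vlan 1,10
!
! Uplink to the firewall must carry the guest VLAN tagged as well.
interface GigabitEthernet1/0/1
 description Uplink to firewall (hypothetical port)
 switchport mode trunk
 switchport trunk allowed vlan 1,10
!
! DHCP relay on the guest SVI. Only needed when the DHCP server does not
! have an interface in VLAN 10 itself.
interface Vlan10
 ip address <GUEST_SVI_ADDRESS> <GUEST_MASK>
 ip helper-address <DHCP_SERVER_IP>
!
! ---- Option 2 (alternative): all traffic centrally switched at the WLC ----
! AP port stays a plain access port; the AP only needs its CAPWAP tunnel.
interface GigabitEthernet1/0/5
 description Lightweight AP (hypothetical port)
 switchport mode access
 switchport access vlan 1
!
! The WLC port is the trunk, because the WLC maps each WLAN to a VLAN.
interface GigabitEthernet1/0/2
 description WLC (hypothetical port)
 switchport mode trunk
 switchport trunk allowed vlan 1,10
```

In either option, `show interfaces trunk` on the switch shows which VLANs each trunk is actually forwarding, which confirms that VLAN 10 is carried on every hop between the guest clients and the DHCP server.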

Hello Flavio Miranda,

thanks for your guidance. I'll go to my home office right away to implement
your instructions there in the test environment. I hope I can do that too.

Maybe I will also post my topology and rough configuration here. So maybe
I will soon be able to put the guest WLAN into operation.

@Hans Juergen Guenter 

  Sure. Let us know.

Hello Flavio Miranda,

Yesterday I configured the appropriate ports as a trunk in my
test environment, but somehow it just doesn't want to work with
the guest WLAN. Somehow I get no IP in the guest WLAN from
the DHCP server.

I'll try to describe my configuration as I currently have it here:

- Firewall is a Sophos (this is virtualized). On this I have the DHCP
server for the internal LAN and the internal WLAN. Here's the
network: 192.168.60.0/23
The internal LAN uses the IP 192.168.60.10 as a gateway.
Then I created another DHCP pool that should only be for the guest
WLAN. To do this, I added a VLAN10 interface to the bridge with
an IP of 192.168.62.10 and then added the 2nd DHCP pool to the
VLAN10 interface.

The WAN interface goes to the router, which then goes to the Internet.
Then I have a LAN interface which goes to the switch. I have connected
2 of the LAN interfaces to a bridge on the Sophos, and then another
virtual VLAN 10 interface connected to this bridge.
In addition, I have 1 more LAN interface that is currently not being
used.

- The switch is a Layer3 switch. On this I have also configured VLAN 1
with an IP so that I can access it via https for administration.
In addition, I created the interface VLAN 10 because the guest WLAN
should actually have its network traffic in this VLAN.
I currently have the following connected to this switch:
  - the Sophos FW (port is trunk dot1q)
  - the WLC (port is trunk dot1q)
  - an AP (port is access port)
  - Test laptop (port is access port)

The internal network gets an IP. If I connect to the internal WLAN I also
get an IP. However, when I connect to the guest WiFi, I don't get an IP
and therefore no access to the Internet.

Do you now know where I can start? I've slowly reached the
end of my knowledge, and all the instructions I've already read are really
confusing. I would be happy if you could help me so that I can get the
guest WLAN to work.
