Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1204
Views
10
Helpful
2
Replies

Mobility express AP routing traffic with 2 different subnet

key_tone_9926
Level 1
Level 1

‎01-23-2022 10:21 AM

Hi is there anyway that  using mobility express on AP’s it would be able to route traffic to two different networks. 

 

At the moment the AP’s  have a (corp) SSID and are on a  10.1.1.0/24 subnet with a default gateway of 10.1.1.1 which is the core router. Dhcp for this network is passed on and handled by the core network. 

 

Now I’m looking to add another SSID (Regional) On the same AP’s but this time using the DHCP built in the MOBILITY EXPRESS with an ip address range of 192.168.1.0/24 with a default gateway of 192.168.1.1 which will be handed out to the devices on this SSID. 

This new SSID can’t be routed to the core network, but to a DMZ Firewall which will have the ip address for the default gateway.   

 

Can this be done, is there a way to have 2 networks on the same AP using mobility express, as at the moment the AP’s only have 1 subnet  and default gateway. 

Is there a way to get the AP to route traffic with the (Regional) SSID to a different  network so it would route to the DMZ. As at the moment any traffic that is outside of the 10.1.1.0 subnet will go to the CORE. 

 

Thanking you in advance.

Labels:
0 Helpful
2 Replies 2

Flavio Miranda
VIP
VIP

‎01-23-2022 02:57 PM

Hi

 As you have only one interface, you are going to need to work with trunk on the uplink between AP and Core and allow 2 VLANs. One for the current SSID and one to the new SSID.

Then, you can choose one port on your core to connect do the Firewall  and put this port on the VLAN you created on the AP.

 

Arshad Safrulla
VIP Alumni
VIP Alumni

‎01-23-2022 03:02 PM

DHCP in ME is not recommended, but yes you can have a new DHCP scope defined for the WLAN. Make sure that you run a supprted firmware.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-4/b_cisco_mobility_express_8_4/b_cisco_mobility_express_8_4_chapter_011.pdf

By design Mobility Express is similar to Cisco FlexConnect, but client data is only bridged locally at the access point. Therefor it is perfectly possible that you can create a new WLAN, tag that with a VLAN where the gateway is in the DMZ of the Firewall. DMZ to Core router traffic flows can be blocked from the firewall as required, I would suggest not to add routing as well. In the DHCP scope make sure to define the gateway as your DMZ VLAN interface IP.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-2/b_Mobility_Express_Deployment_guide/b_Mobility_Express_Deployment_guide_chapter_0111.html

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card