06-18-2015 04:49 AM - edited 07-05-2021 03:25 AM
Hello guys!
I'm having a small crisis: I am trying to get wired guest access working for a newly acquired site.
Setup:
Main 5508 WLC in DMZ
3 5508 onsite WLCs connected via VPN / MPLS connections (1gb and up)
The goal is that all three WLCs connect to the WLC in the DMZ and are dumped in VLAN 123, where a guest solution server is active.
The DMZ 5508 has a "VLAN 123" interface configured with IP 192.168.1.2. This VLAN 123 is the EGRESS interface of the wired guest network. Local anchor is active and up.
The 3 onsite WLCs have a "VLAN 100" configured for a wired guest network. This wired guest interface is the INGRESS interface of the onsite WLC, and it has an "up up" anchor connection to the DMZ 5508.
VLAN 100 is not routed, and is a local VLAN. Yes, all three onsite WLCs have the same VLAN 100 configured as guest network.
I stumbled upon this:
•Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported and may generate unpredictable results. A true statement, I assure you.
•A wired guest LAN can support multiple anchor controllers.
(from here: http://justdowifi.blogspot.de/2012/01/do-not-trunk-wired-guest-vlan-to.html)
And I'm not sure if my DHCP problems are coming from this. How can I get these three remote "onsite WLCs" to the same "VLAN 123" on the DMZ WLC? Is this possible, or do I need a different setup?
I'm a bit confused.
Thanks a lot for your help!
06-18-2015 07:20 AM
The first warning, about not trunking to multiple WLCs, has to do with multiple WLCs at the same location. If your three are at different locations it shouldn't be an issue.
Now, for the foreign/local, ingress should be VLAN 100, egress should be management, since you are anchoring the traffic to the DMZ. Then on the anchor/DMZ ingress is management and egress is VLAN 123.
HTH,
Steve
06-18-2015 07:30 AM
OK, we set up the configuration with the 3 onsite WLCs in the same VLAN 100, but we were having trouble with DHCP requests not coming through. The wired guest network is a mixed wired / wireless environment, with cheap access points bridging wireless clients into the wired guest network. The wireless clients would sometimes not receive an IP. Not always, only sometimes. When I switched everything to one network only, it worked without a hitch.
So now I'm more stumped. :D It should have worked in the first place? What DHCP proxy option should I use for non-Cisco APs / clients acting as bridge?
Thanks a lot for your help!
06-18-2015 08:31 AM
First....why put up "cheap AP"? You can just configure a guest WLAN on your existing AP. This way you have a single point of management, and you take the "cheap AP" out of the RF, which could cause some interference and co/adjacent channel interference.
When you say 'switched to one network only', do you mean one WLC having VLAN 100 allowed?
For DHCP proxy, if the WLC is not providing the DHCP then you could disable proxy and just let the WLC bridge the packet to the wire. If the WLC is the DHCP server then you have to leave proxy enabled.
HTH,
Steve
06-18-2015 09:07 AM
The cheap access points are already there, and getting Ciscos is too expensive at the moment. The requirement was "get guest access running, without buying anything" :D So at our main site we have a guest access solution, and the site was getting a fiber connection to the main site, so the idea was born to use a 5508 for that task.
Yeah, before I had 3 sites connecting to the DMZ WLC, and once I switched back to only one of the sites using the anchor connection, it suddenly worked!!
The DHCP is being handled by the guest access solution. So a disabled DHCP proxy option was the correct one?
06-18-2015 09:13 AM
OK, so yes, disabling proxy is the correct option. There are some solutions for DHCP that don't like the proxy. I helped on another post where the client got an IP but couldn't pass traffic out of its local subnet; disabled proxy and it all started working.
Multiple sites going to the same anchor should work so long as it's anchored properly.
Remote sites anchor to the DMZ, DMZ anchors to itself. The local guest lan VLAN ID should never be seen by the DMZ WLC so that shouldn't be causing an issue there, as each client MAC is a unique entry in the MSCB.
HTH,
Steve