Solved: wired vlan on controller

suthomas1 · ‎11-25-2012

Hi,

We are setting a single wireless controller to authenticate lan ( wired ) users using the web page.
With help from cisco documents, configuration has been done partly. However, slightly stuck at a point where the egress has to be configured on wlc.

It says , the interfaces needs to be a non-guest wlan type. This is fine, but how do we exactly proceed from here.

Appreciate inputs.

Our lan users ( vlan 198 - 192.168.111.0/24 ) need to be redirected to wlc for webauth whenever they plug into our lan network.

The controller is on vlan 151.

thanks in advance!

Scott Fella · ‎11-25-2012

You create an interface on the WLC as a guest lan which is a layer 2 interface. This is the wired vlan 198. So basically you are pushing the wired vlan to the WLC. After a successful authentication, then your guest users will be placed on a dynamic interface you have created. This can be vlan 199 or maybe a vlan in the DMZ. It's up to you. Did you look at this doc?

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

Scott Fella · ‎11-25-2012

You create an interface on the WLC as a guest lan which is a layer 2 interface. This is the wired vlan 198. So basically you are pushing the wired vlan to the WLC. After a successful authentication, then your guest users will be placed on a dynamic interface you have created. This can be vlan 199 or maybe a vlan in the DMZ. It's up to you. Did you look at this doc?

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

suthomas1 · ‎11-25-2012

Thanks Scott for the link.

so couple of queries from this, i'm little confused on the configuration for the guest lan portion:-

Our case ; user vlan is 198(192.168.111.0/24), controller is on vlan 151, Core switch is trunked with few access switches.

dhcp server is distributing the ip address for both wired and wireless users

1. so, the ip address we need to provide in Guest LAN dynamic interface, does it have to be live anywhere
on the network or is it a dummy.

can i just put 10.56.21.0 /22 there as an ip , this is not existent in any part of the network?

2. the second dynamic interface, is this the L3 interface for wired users?
Currently the user vlan 198 is on the core switch, does it needs to be removed from core switch and created on WLC?

appreciate your inputs.

Scott Fella · ‎11-25-2012

Okay... First off the vlan the guest user are connected to on the switch is a layer 2 vlan only. There will be no layer 3 interface defined for this. So lets call this guest wired vlan 49. Create a dynamic interface and mark it is as a “Guest LAN.” When you create this dynamic interface in the current release, you need to provide an IP address and default gateway, even though it does not exist since it is a layer-2 VLAN; you need not provide any DHCP address. Wired guests clients are physically connected to this VLAN.

Create another dynamic interface where the wired guest clients receive an IP address, which we will call it vlan 110. This also is a real subnet.

On the wired guest WLAN; map the ingress interface to the “Guest LAN”, and the egress interface the dynamic interface, which we called vlan 110.

Makes sense? There is no dummy vlans and or subnets. These have to be active on the switches and the WLC will have these trunked to it.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

suthomas1 · ‎11-25-2012

Thanks Scott. Do we required 802.1x to be enabled on the switch ports where lan users are connected, so that the users will be prompted by the page. or is it taken care by this wlc only.

Scott Fella · ‎11-25-2012

No... The switch port the wired guest users will be on is a simple access port. If you enabled 802.1x on the switch port, these users would fail to get on the network. Leave it a simple access port with portfast enabled and the WLC will take care of the rest.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

suthomas1 · ‎01-02-2013

Scott/ Gurus,

Sorry, i am trying to do this but again confused. Here is my network:

-User vlan 198 ( 192.168.111.0/24) exists as SVI on the core switch and as Layer 2 on access switches

- wireless Vlan 151 (192.168.121.0/24) exists as SVI on core

- Both vlan 198 wired users and vlan 151 wireless users acquire dhcp ip address from a dhcp server in the network connected on vlan 171 ( 192.168.181.0/24)

Query:-

1. can i use user vlan 198 as the same L2 guest vlan on the network for this setup, as lan users will connect to this segment or do i need to create another specific guest vlan(eg. vlan 49 ) as layer 2 on the network?

2. Then how do i create the other dynamic interface required ?

3. the existing dhcp server on the network is 192.168.181.11 and is this ip is configured as helper address on both the wired lan and wireless SVI vlan on the core switch.

OR can i use vlan 198 as the dynamic interface and create another layer 2 interface as guest vlan?

It will be great if i get a brief config based on my setup above.

Appreciate your inputs on this doubt. Thank you