I have a specific requirement from a client as follows
The client has a branch office and HQ connected over an MPLS cloud. Internet access is provided through the HQ only.
They want to provide guest internet in the branch and want to terminate this subnet for the guest on the firewall in the HQ directly, so that they exit only into the internet.
Can anybody shed more light on how it can be done? or any other suggestions?
NB: They have only 1 controller, so putting a controller on the DMZ for guest is out of the question.
Well there is no other way unless you setup a VRF from the guest subnet at the remote site that terminates to the DMZ at HQ.
Sent from Cisco Technical Support iPhone App
How about a Gre tunnel between the sites? tunnel ingress will be the switch where the svi is created and the egress will be the device just before the firewall?
You can do that too... there is just nothing you can do on the wireless side, it has to be done another way using VRF or GRE.
Help out other by using the rating system and marking answered questions as "Answered"
A Guest (or DMZ) vrf would work.
On the WLC, build a dynamic interface in the Guest vrf. Map a guest wlan to this interface. In the branch, H-REAP APs can switch internal traffic to a local subnet and tunnel guest traffic back to the WLC's guest interface.
With WLCs at both HQ & branch, each site could have its own subnet & dynamic interface in the guest vrf if desired.
As per your query i can suggest you the following solution-
As the client has a branch office and HQ connected over an MPLS cloud. Internet access is provided through the HQ only.We need to set up Virtual Route Forwarders (VRF) of GRE as they are connected through MPLS network.
You can set up dynamic interface on Guest VRF and map the guest wlan to this interface.
Hope this will help.
Luckily everything worked as to plan.
The client already had an existing controller in the HQ, So i created a WLAN anchoring to the HQ WLC. and then to the firewall direct.
Cisco doesnt recommend using the anchor controller to manage APs, however, there are APs in the HQ that are registered to this controller.
Thanks for all the inputs, will be really useful to try out if i didnt have a controller in HQ.