Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3879
Views
0
Helpful
6
Replies

Wireless Clients over WAN

Philip T Kurien
Level 1
Level 1

‎05-07-2013 05:02 AM - edited ‎07-04-2021 12:02 AM

Dears,

I have a specific requirement from a client as follows

The client has a branch office and HQ connected over an MPLS cloud. Internet access is provided through the HQ only.

They want to provide guest internet in the branch and want to terminate this subnet for the guest on the firewall in the HQ directly, so that they exit only into the internet.       

Can anybody shed more light on how it can be done? or any other suggestions?

NB: They have only 1 controller, so putting a controller on the DMZ for guest is out of the question.

Regards,

Phil.

Labels:
0 Helpful
6 Replies 6

Scott Fella
Hall of Fame
Hall of Fame

‎05-07-2013 05:04 AM

Well there is no other way unless you setup a VRF from the guest subnet at the remote site that terminates to the DMZ at HQ.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
0 Helpful

Philip T Kurien
Level 1
Level 1
In response to Scott Fella

‎05-07-2013 05:28 AM

Thanks Scott,

How about a Gre tunnel between the sites? tunnel ingress will be the switch where the svi is created and the egress will be the device just before the firewall?

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Philip T Kurien

‎05-07-2013 06:11 AM

You can do that too... there is just nothing you can do on the wireless side, it has to be done another way using VRF or GRE.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
0 Helpful

mscherting
Level 1
Level 1

‎05-07-2013 03:24 PM

A Guest (or DMZ) vrf would work.

On the WLC, build a dynamic interface in the Guest vrf.  Map a guest wlan to this interface.  In the branch, H-REAP APs can switch internal traffic to a local subnet and tunnel guest traffic back to the WLC's guest interface.

With WLCs at both HQ & branch, each site could have its own subnet & dynamic interface in the guest vrf if desired.

0 Helpful

Abhishek Abhishek
Cisco Employee
Cisco Employee

‎05-09-2013 02:59 PM

Hello Philip,

As per your query i can suggest you the following solution-

As the client has a branch office and HQ connected over an MPLS cloud. Internet access is provided through the HQ only.We need to set up Virtual Route Forwarders (VRF) of GRE as they are connected through MPLS network.

You can set up dynamic interface on Guest VRF and map the guest wlan to this interface.

Hope this will help.

0 Helpful

Philip T Kurien
Level 1
Level 1
In response to Abhishek Abhishek

‎05-21-2013 01:04 PM

Dears,

Luckily everything worked as to plan.

The client already had an existing controller in the HQ, So i created a WLAN anchoring to the HQ WLC. and then to the firewall direct.

Cisco doesnt recommend using the anchor controller to manage APs, however, there are APs in the HQ that are registered to this controller.

Thanks for all the inputs, will be really useful to try out if i didnt have a controller in HQ.

Regards,

Philip.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card