05-07-2013 05:02 AM - edited 07-04-2021 12:02 AM
Dears,
I have a specific requirement from a client as follows:
The client has a branch office and HQ connected over an MPLS cloud. Internet access is provided through the HQ only.
They want to provide guest internet in the branch and want to terminate this guest subnet directly on the firewall in the HQ, so that guests exit only to the internet.
Can anybody shed more light on how it can be done, or any other suggestions?
NB: They have only 1 controller, so putting a controller on the DMZ for guest is out of the question.
Regards,
Phil.
05-07-2013 05:04 AM
Well, there is no other way unless you set up a VRF from the guest subnet at the remote site that terminates on the DMZ at HQ.
Sent from Cisco Technical Support iPhone App
05-07-2013 05:28 AM
Thanks Scott,
How about a GRE tunnel between the sites? The tunnel ingress will be the switch where the SVI is created and the egress will be the device just before the firewall?
05-07-2013 06:11 AM
You can do that too... there is just nothing you can do on the wireless side; it has to be done another way, using VRF or GRE.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
05-07-2013 03:24 PM
A Guest (or DMZ) VRF would work.
On the WLC, build a dynamic interface in the Guest VRF. Map a guest WLAN to this interface. In the branch, H-REAP APs can switch internal traffic to a local subnet and tunnel guest traffic back to the WLC's guest interface.
With WLCs at both HQ and branch, each site could have its own subnet and dynamic interface in the Guest VRF if desired.
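Scott's GRE suggestion and the Guest VRF design in this post combine into VRF-lite carried over a GRE tunnel: the branch guest SVI and the tunnel live in a dedicated VRF, the tunnel endpoints ride the normal MPLS (global) routing table, and the only exit from the VRF is the hand-off to the firewall's DMZ interface at HQ. The IOS configuration below is an added example written for this thread; it is not from any of the posters or from Cisco documentation. The VRF name, interface numbers, RD and every address are constructed assumptions.

```ios
! ===== Branch switch/router (tunnel ingress) =====
! Constructed example: VRF name, interface numbers and all addresses are assumptions.
ip vrf GUEST
 description Guest internet only - nothing leaked to/from the global table
 rd 65000:100
!
interface Vlan200
 description Guest SVI at the branch; the guest VLAN lands here
 ip vrf forwarding GUEST
 ip address 172.16.200.1 255.255.255.0
!
interface Tunnel100
 description GRE to the HQ guest router, carried across the MPLS cloud
 ip vrf forwarding GUEST
 ip address 10.255.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 ! source/destination are global (MPLS-reachable) addresses; only the inside addressing is in GUEST
 tunnel source Loopback0
 tunnel destination 192.0.2.1
 tunnel key 100
!
! The tunnel is the only way out of the guest VRF; no other route exists in GUEST
ip route vrf GUEST 0.0.0.0 0.0.0.0 Tunnel100 10.255.0.1
!
! ===== HQ router (tunnel egress, sits just before the firewall) =====
ip vrf GUEST
 description Guest traffic from the branch, handed straight to the firewall DMZ
 rd 65000:100
!
interface Tunnel100
 description GRE from the branch guest VRF
 ip vrf forwarding GUEST
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 198.51.100.1
 tunnel key 100
!
interface GigabitEthernet0/1
 description Hand-off to the firewall's guest/DMZ interface
 ip vrf forwarding GUEST
 ip address 192.168.250.2 255.255.255.0
!
! Default for guests points at the firewall; return route to the branch guest subnet goes back down the tunnel
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.168.250.1
ip route vrf GUEST 172.16.200.0 255.255.255.0 Tunnel100 10.255.0.2
```

The isolation property rests on the GUEST VRF containing nothing but the connected SVI, the tunnel and the default route: `show ip route vrf GUEST` on both ends should list only those entries, and there must be no `route-target` import or static route pointing at a corporate subnet. The firewall then sees guest traffic on a dedicated DMZ interface and applies its own internet-only policy. Verify reachability with `ping vrf GUEST 10.255.0.1` from the branch and check `show interface Tunnel100` for the tunnel state; the `ip mtu`/`adjust-mss` values are there because GRE adds 24 bytes of overhead on top of whatever the MPLS provider carries.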
05-09-2013 02:59 PM
Hello Philip,
As per your query, I can suggest the following solution:
As the client has a branch office and HQ connected over an MPLS cloud, and internet access is provided through the HQ only, we need to set up Virtual Route Forwarders (VRF) or GRE, as they are connected through an MPLS network.
You can set up a dynamic interface in the Guest VRF and map the guest WLAN to this interface.
Hope this will help.
05-21-2013 01:04 PM
Dears,
Luckily everything worked according to plan.
The client already had an existing controller in the HQ, so I created a WLAN anchored to the HQ WLC and then directly to the firewall.
Cisco doesn't recommend using the anchor controller to manage APs; however, there are APs in the HQ that are registered to this controller.
Thanks for all the inputs; they will be really useful to try out if I didn't have a controller in the HQ.
Regards,
Philip.