cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1401
Views
5
Helpful
7
Replies

Wireless network segmentation with ASA

Mark Mattix
Level 2
Level 2

Hopefully I'm posting this in the correct area... I plan to use my 5515X ASA to filter and segment my wireless traffic from wired in all areas of my network. One thing I currently don't understand is how to setup the WLC. I've provided a diagram of how it's currently setup. The WLC is in a DMZ with a security level of 11. For this example I'm trying to provide filtering for a remote site that connects via a DMVPN to a router that's also in a DMZ with a security level of 20. If a remote site would like to access my inside network it goes out a different port on the DMVPN router with a security level of 30.

My problem is creating interfaces in the WLC. Do i need to create virtual interfaces for each remote site? If so should the WLC virtual interface have an IP that's on the remote subnet or will the interface have an IP of the subnet that the physical connects to? I believe I attempted giving the virtual and IP in the same subnet as the physical and it failed.

If I have to create an interface for every remote network can I still only use 1 SSID throughout my agency or will every interface require it's own unique SSID? Every remote site will have separate VLANs for wired clients and wireless clients, my goal is to segment this traffic with my firewall back at headquarters.

Any help is very much appreciated! If you need further explanation please let me know.

7 Replies 7

SOcchiogrosso
Level 4
Level 4

Well the below options come to mind first.

 

Configure the single WLAN for Central Switching so everything get tunneled back to the WLC.

Or

Configure your the DMZ WLC as a mobility anchor and anchor your WLAN to the WLC in the DMZ.

 

You may also want to have a DHCP & possible a DNS server in the DMZ to handle that traffic, if it desired to have the keep that traffic off the internal network to.

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

Thanks for your reply Steve! 

I need to read up more on what Mobility anchors actually do and the benefits but it sounds like central switching is the way I want to go. One thing that still confused me is, will all of my remote networks be able to have different subnets for their WLANs and if so can i create 1 WLAN in the controller to support these different subnets?

 

Thanks again!

With Central Switching all traffic is tunneled back to the WLC via the CAPWAP tunnel, so the CAPWAP tunnels acts like an Overlay or GRE tunnel in this case. The wired network is completely obviously of the what the WLAN traffic because all the wired traffic sees is CAPWAP data. 

The real client data is encapsulated within CAPWAP. Once the WLC receives the data encapsulated within the CAPWAP tunnel the WLC with the decapsulate the traffic. Once the data decapsulated at the WLC it is then routed/switched like normal traffic.

Due to this your WLAN will use one subnet, so the IP Subnet will span across all the locations, this is doing with a single WLAN if that is desired design.

 

Something also to keep in mind the CAPWAP encapsulation adds an additional 8 bytes of header information. Just something to keep in mind if this traffic will be traversing IPSec/GRE/DMVPN tunnels.

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/

So I believe the Central switching method is what I would like to use. This morning I deployed an AP at a remote site and I'm having a problem with it contacting the WLC. I believe the issue may be at the firewall. Data from the remote site comes from the DMVPN DMZ interface on the firewall then it goes to the lower security level where the WLC to become CAPWAP decapsulated and I've allowed the remote site from the WLC DMZ to the inside network. However, for my firewall to get back to the remote site wireless network I put a static path pointing back to the WLC DMZ. The destination network isn't really in this DMZ but data going back to the remote must be CAPWAP encapsulated, right? That's why it made sense for me to point the traffic back to the WLC but after the WLC encapsulates data, it needs to go back to the DMVPN to be encapsulated with GRE then sent back to the remote site.

Basically, how do i tell data going back to the remote site to first hit the WLC to encapsulate back into CAPWAP and then go to the DMVPN to make it to the destination?

Thanks a lot!  -Mark

Well I made an adjusted in my firewall route and I got the AP to locate my WLC in the DMZ. I still have a question about it though, When a wireless client at a remote site needs a service on my main headquarter subnet I believe their traffic goes to the AP then from the AP in a CAPWAP tunnel to the WLC. The WLC decapsulates the data and sends it to the main headquarter subnet. However when headquarters wants to send data back to the client I thought data would first have to go to the WLC to be encapsulated? Yet in my firewall I have the static route that says to get to the wireless LAN at the remote site take the DMVPN router, it seems like it's bypassing the WLC. If it's bypassing the WLC how is data being CAPWAP encapsulated?

Thanks a lot for the help!

The only logical answer I can come up with is, the WLC receives the request from the client and acts as a proxy which then changes the source IP of the request, to that of the WLC. Then I could see how data would flow back to the WLC to be CAPWAP encapsulated and then sent back to the remote site.

Does anyone know if this is how it works? Thank you!

The response back to the wireless client will following normal L2 / L3 switching.

The subnet the WLAN client is one should be connected to the same IP Subnet that the associated WLC Interface is configured, this way traffic is sent back to the WLC and the encapsulated in CAPWAP back to the appropriate AP where is transmitted over the RF/Wireless.

-- CCNP, CCIP, CCDP, CCNA: Security/Wireless Blog: http://ccie-or-null.net/
Review Cisco Networking for a $25 gift card