WLAN configuration when WLC is behind a FW

TrickTrick

Hi,

In a scenario I'm working on, I have a WLC located behind a FW in a dedicated DMZ (let's say VLAN 100). I created a management interface to manage APs (an interface in VLAN 100, with the FW IP as the GW in that VLAN).

APs are located on the inside, in a different VLAN, and are able to register with the WLC without issues.

Now I want clients to get valid IPs from DHCP (VLAN 200 on the inside), but I can't create a WLAN interface in the same subnet as the VLAN on the inside part of the network (obviously when I do that the WLC becomes unreachable, and of course it's not recommended to extend the L2 network between the DMZ and the inside).

I think there's a way to create WLANs on the WLC with a subnet mapping between those WLANs in the DMZ and the corresponding VLANs on the inside of the network, so the wireless clients can get IPs from the dedicated DHCP scope on the DHCP server (Windows Server) located on the inside as well.

How can I achieve this, please? Any document or information is highly appreciated.

Thank you

Accepted Solution

For local mode (central switching), everything is tunnelled to the WLC over CAPWAP and the switchport can be an access port, because it's only being used for the AP's CAPWAP connection to the WLC.

For FlexConnect local switching it must be a trunk port. The native VLAN is your CAPWAP/management VLAN (whatever you configured for the access port) and the rest of the VLANs are tagged, so the WLAN traffic can break out locally on the switchport.

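The two AP-facing switchport configurations the accepted answer describes, written out as an added example (Cisco IOS syntax; this is not configuration from the thread). The VLAN numbers are assumptions: the thread never names the inside AP/CAPWAP VLAN, so 110 is used here, and the client VLANs 300/400/500 are taken from a later reply. In local mode only CAPWAP leaves the AP, so nothing but the AP VLAN belongs on the port; in FlexConnect local switching the AP bridges client frames onto the wire itself, so the port becomes a trunk whose native VLAN stays the AP's VLAN (untagged CAPWAP keeps working) and whose tagged VLANs are exactly the ones mapped to locally switched WLANs.

```cisco
! Added example, not from the thread. Assumed VLANs: 110 = inside AP/CAPWAP
! VLAN (hypothetical), 300/400/500 = client VLANs named in a later reply.

! --- Local mode (central switching): access port, CAPWAP only ---
interface GigabitEthernet1/0/10
 description AP-01 local mode - CAPWAP to WLC only
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
 spanning-tree bpduguard enable

! --- FlexConnect local switching: trunk, native = the former access VLAN ---
! Keep the allowed list to the VLANs that locally switched WLANs actually
! use; every VLAN listed here is reachable from whatever the AP bridges.
interface GigabitEthernet1/0/11
 description AP-02 FlexConnect local switching
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 110
 switchport trunk allowed vlan 110,300,400,500
 switchport mode trunk
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
```

`switchport trunk encapsulation dot1q` is only accepted on platforms that still offer ISL; newer Catalyst switches reject it and trunk 802.1Q by default. Do not map a locally switched client WLAN to the native VLAN: client frames would then leave the AP untagged and land in the AP/CAPWAP VLAN.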

31 Replies

You can configure the required DHCP server in the WLAN settings. Make sure the DHCP server has connectivity to the WLC.

Please rate this and mark as the solution/answer if this resolved your issue.
Good luck
KB

Use sub-interfaces on the ASA:
native VLAN for the WLC
another VLAN for clients
a VLAN for the DHCP server

I already have that.

On the inside, I have all the needed VLANs (one for AP management, one for wireless clients and one for the DHCP server); on the other side (DMZ) I have only one VLAN, which is the management VLAN of the WLC.

I even tried to use the local DHCP of the WLC, no luck.

Is this Flex or Local?

Tried both; now in Flex mode.

FOR FLEX MODE
AP-SW-ASA
The AP trunk on the SW must include both the native VLAN for AP management (and the connection to the WLC) and the client VLAN.
SW-ASA
Configure ASA sub-interfaces for the AP management VLAN and the client VLAN.
DHCP-SW-ASA
Configure an ASA sub-interface for DHCP.

IF THE SECURITY LEVEL FOR ALL THESE SUB-INTERFACES IS THE SAME THEN YOU NEED
same-security-traffic permit inter-interface

Sorry, I'm a bit confused here.

Do you mean that on the switch facing the AP I should specify the native VLAN (AP management VLAN) and the clients' VLAN? As far as I know, access points can sit behind access ports (AP mgmt VLAN) and all the SSIDs are tunnelled through the CAPWAP tunnel, so we don't need to add any user VLAN on the switch ports.
On the FW there's the users' SVI and the APs' SVI, both routed to the WLC behind the FW. My question is which IP addressing I should use on the WLC WLAN interface to let the SSID work with the VLAN on the inside and give users DHCP leases... the clients' VLAN does not exist in the DMZ zone.

You are going to need a trunk between the WLC and the FW to accommodate the management VLAN and the client VLANs. Enable LAG on the WLC and put the firewall interface in trunk mode. I don't know if you have a switch in between, probably not.

You can map a WLAN to a VLAN in two ways. You can do it on the main page of the WLAN, under General; there's an Interface/Interface Group(G) field, and there you can map your WLAN to a VLAN.

The second way is by using an AP group. When you create an AP group, there will be an option to map the SSID to an interface or interface group, which is the same as a VLAN.


On the firewall side, you probably are going to run the command:

same-security-traffic permit intra-interface


Hi Flavio,

I got your point partially.

I'm using a trunk between the FW and the switch to which the WLC is connected. On that interface there's only one VLAN created, which is the VLAN in the DMZ zone dedicated to Wi-Fi. On the other side of the FW there's an inside zone, in which there are all the SVIs of the LAN VLANs, including the AP management VLAN and the Wi-Fi VLAN (used only for internet). What should I do on the WLC side so mobile users can get IP addresses and connect to their SSID? In standard architectures, in which the WLC is not behind a FW, I create for each VLAN a WLAN interface that is reachable from the core switch, and put DHCP information on each of them so users get IPs depending on the SSID selected. In the actual scenario I can't create an interface on the WLC, simply because I can't have the same VLAN in the inside zone and behind the FW. I can make a drawing to make it clearer.


You can put a topology here to make it easier. Firstly, I thought the WLC was connected to the firewall. But I think I got the point, and I believe what you are trying to achieve is not possible.

If you want to segregate the WLC in a DMZ, what you can do is add a second WLC and work with Anchor and Foreign WLCs.

The WLC is a Layer 2 device, so if you want to segment traffic, you need VLANs and a trunk.

With a Mobility Anchor you achieve what you intend, but you need a second device.


https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/WirelessNetwork_GuestAccessService.html 

Hi Flavio, attached is a topology of the actual config. I'll check the shared link, but we have only 2 WLCs, for redundancy.

Thank you 

Alright.

Then you just need to create a trunk between the WLC and the switch, as you already have a trunk between the switch and the firewall. You also need a trunk between the firewall and the second switch.

After that, you need to create the VLAN interfaces on the WLC and give each one an IP address, mask, gateway (which will be the VLAN interface on the firewall) and DHCP server.

On the firewall you also create the VLAN interface and put the IP address on it, just like you did on the WLC. The firewall will send the DHCP request to the DHCP server. If the DHCP server is directly connected, OK; but if not, you need an IP helper address.

That's it.

I edited your topology, take a look.

My mistake in the diagram, you're right, it's already the case in the configuration on the WLC and switch (I have VLAN 100 in the DMZ zone as you mentioned, and its GW on the firewall). I have a question though: VLAN 100 is for management, so when creating a WLAN should I map it to the same interface (management) or create its own interface? If it's its own interface, what subnet should I use? Definitely not the one of VLAN 200, because that's on the inside.

My second question: I will trunk the port between the WLC and the switch, but what else will go through that link? For now I have only 1 subnet created on the WLC, which is the management subnet for AP provisioning.


Thank you

Right.

Forget about the mgmt interface. It's done and working as it should.


"My second question: I will trunk the port between the WLC and the switch, but what else will go through that link? For now I have only 1 subnet created on the WLC, which is the management subnet for AP provisioning."


Over this trunk will pass the mgmt VLAN and all the other VLANs you create on the WLC for clients. Let's say you have three SSIDs:

Corp-PC - vlan 300

Corp-Phone - vlan 400

Guest - vlan 500


On the WLC, you need to create all three of these VLANs and associate each one with its respective SSID.

When a user connects to Corp-PC, its traffic will get to the WLC through the CAPWAP tunnel established between the WLC and the AP through the mgmt VLAN. Then, the WLC will send the client traffic through VLAN 300 towards the firewall.


The firewall also needs to have that VLAN; after all, it is the gateway.

Got it?
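The design from the last few replies, carried through as an added example for one of the three SSIDs (Corp-PC on VLAN 300); this is not configuration posted in the thread. Everything numeric beyond VLAN 100 and VLAN 300 is an assumption: the client subnet 10.100.30.0/24 on the DMZ side of the ASA, the ASA sub-interface at .1, the WLC dynamic interface at .5, the inside DHCP server at 10.1.20.10, and the interface and ACL names. The point it makes for the original question: the WLC's dynamic interface lives in a DMZ-side subnet with the ASA sub-interface as its gateway, never in inside VLAN 200, and DHCP still works because the WLC (DHCP proxy is on by default in AireOS) forwards the request as a unicast to the configured server with its own dynamic-interface address as the relay address, so the Windows DHCP server only needs a scope for 10.100.30.0/24.

```cisco
! Added example, not from the thread. Assumed: 10.100.30.0/24 for the Corp-PC
! WLAN on the DMZ side, ASA sub-interface .1, WLC dynamic interface .5,
! DHCP server 10.1.20.10 on the inside, interface/ACL names are hypothetical.

! ---- DMZ switch: trunk towards the WLC, mgmt VLAN 100 untagged (native) ----
! AireOS LAG needs an unconditional port-channel ("mode on"), not LACP/PAgP.
interface GigabitEthernet1/0/1
 description WLC-1 LAG member
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,300,400,500
 switchport mode trunk
 channel-group 1 mode on

! ---- WLC (AireOS CLI): dynamic interface and WLAN mapping ----
! "config lag enable" requires "save config" and "reset system" to take effect.
! (Cisco Controller) >config lag enable
! (Cisco Controller) >config interface create corp-pc 300
! (Cisco Controller) >config interface address corp-pc 10.100.30.5 255.255.255.0 10.100.30.1
! (Cisco Controller) >config interface dhcp corp-pc primary 10.1.20.10
! (Cisco Controller) >config wlan interface 1 corp-pc
! (Cisco Controller) >save config

! ---- ASA: one sub-interface per WLC VLAN, each one a gateway ----
interface GigabitEthernet0/2
 no shutdown
!
interface GigabitEthernet0/2.100
 vlan 100
 nameif wlc-mgmt
 security-level 50
 ip address 10.100.10.1 255.255.255.0
!
interface GigabitEthernet0/2.300
 vlan 300
 nameif wifi-corp-pc
 security-level 50
 ip address 10.100.30.1 255.255.255.0
!
! Only if DHCP proxy is disabled on the WLC (bridging mode) does the client's
! broadcast reach this sub-interface and need the ASA to relay it:
dhcprelay server 10.1.20.10 inside
dhcprelay enable wifi-corp-pc
!
! Sub-interfaces at the same security level cannot talk to each other until
! this is set; it is NOT the "intra-interface" form, which only allows traffic
! to hairpin in and out of one interface.
same-security-traffic permit inter-interface
!
! With DHCP proxy on, the only DHCP flow crossing the ASA is WLC -> server.
! Keep the inbound policy on the Wi-Fi sub-interface to what clients need;
! a same-security permit without an ACL lets every client VLAN reach everything.
access-list WIFI_CORP_PC_IN extended permit udp host 10.100.30.5 host 10.1.20.10 eq bootps
access-list WIFI_CORP_PC_IN extended permit tcp 10.100.30.0 255.255.255.0 any eq 443
access-list WIFI_CORP_PC_IN extended deny ip any any log
access-group WIFI_CORP_PC_IN in interface wifi-corp-pc
```

Repeat the WLC interface, ASA sub-interface and ACL for VLAN 400 and 500 with their own DMZ-side subnets. The `wlc-mgmt` sub-interface still needs the CAPWAP rule the existing setup already has (UDP 5246/5247 from the inside AP VLAN to the WLC management address); only the client VLANs are new here.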

