Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4624
Views
40
Helpful
31
Replies

WLAN configuration when WLC is behind a FW

Go to solution
TrickTrick
Level 3
Level 3

‎04-06-2022 07:04 AM

Hi,

In a scenario I'm working on, I have a WLC located behind a FW in a dedicated DMZ (let's say vlan 100), created a management interface to manage APs (interface in vlan 100, with FW ip as a GW in that vlan)

APs are located in the inside, in a different vlan, and are able to register with the WLC no issues.

now I want clients to get valid IPs from DHCP (VLAN 200 in the inside), but I can't create a WLAN interface in the same subnet as the VLAN in the inside part of the network (obviously when I do that the WLC becomes unreachable, and of course it's not recommended to extend the L2 network between the DMZ and the inside)

I think there's a way to create WLANS in the WLC with a subnet mapping between those wlans in the DMZ and the correspondent VLANS in the inside of the network, so the wireless clients can get IPs from the dedicated dhcp scope in the DHCP server (windows server) located in the inside as well

How can I achieve this please ? any document or information is highly appreciated 

Thank you

Labels:
31 Replies 31

Go to solution
TrickTrick
Level 3
Level 3
In response to Flavio Miranda

‎04-07-2022 06:27 AM - edited ‎04-07-2022 06:28 AM

Thank you, I got your point, I've put the WLC<=>SW as a trunk, for the the rest I have it already as mentioned in the diagram, for now I'm trying to use only the internal DHCP to avoid any misconfig in the DHCP server itself since I don't have a control over it, but still no success !

 

Access point can stay in access mode right? (no need to trunk it as well)

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to TrickTrick

‎04-07-2022 07:00 AM

For local mode, central switching, everything is tunnelled to WLC over CAPWAP and the switchport can be an access port because it's only being used for the AP's CAPWAP connection to the WLC.

For flexconnect local switching it must be a trunk port.  The native VLAN is your CAPWAP/management VLAN (whatever you configured for the access port) and the rest of the VLANs are tagged for the WLAN traffic to break out locally on the switchport.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
TrickTrick
Level 3
Level 3
In response to Rich R

‎04-07-2022 07:32 AM

Thank you, learned something new today,

so in that case, let's say I will choose local mode, the CAPWAP is able to tunnel vlans to WLC even if those vlans are not extended to the DMZ to point on their respective interfaces there ?

in Flex mode, I don't need interfaces in the WLC since everything is locally switched, but how the AP/switch will differentiate a mobile user from another to give the right IP from the right vlan, because in local mode I think it's the interface of the WLAN itself which does that job as the ip helper of that subnet

Also, in flexconnect mode, is it possible to use the internal DHCP of the WLC or, since everything is locally switched, the LAN DHCP should be used.

Thank you 

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to TrickTrick

‎04-07-2022 08:19 AM - edited ‎04-07-2022 08:21 AM

> so in that case, let's say I will choose local mode, the CAPWAP is able to tunnel vlans to WLC even if those vlans are not extended to the DMZ to point on their respective interfaces there ?

Yes but it would be completely pointless if you terminated them on the WLC which didn't have them connected to anything!

 

> in Flex mode, I don't need interfaces in the WLC since everything is locally switched, but how the AP/switch will differentiate a mobile user from another to give the right IP from the right vlan, because in local mode I think it's the interface of the WLAN itself which does that job as the ip helper of that subnet

Local switched traffic is just dumped onto the VLAN (layer 2) just like for a LAN connected user.  So you need the IP interface on a switch or router on that VLAN and that's where the helper address will be.  The AP and WLC play no part in that.

 

> Also, in flexconnect mode, is it possible to use the internal DHCP of the WLC or, since everything is locally switched, the LAN DHCP should be used.

Flexconnect allows LOCAL SWITCHING for the WLAN (you can still have other centrally switched WLANs on a flex AP).  Locally switched WLANs should use the LAN DHCP.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Go to solution
TrickTrick
Level 3
Level 3
In response to Rich R

‎04-12-2022 03:48 AM

Thank you for your explanations, Gor it fixed by applying what you explained

sorry for asking again, I still have an issue understanding flexconnect mode, is there any blog explaining the details of that mode and how it works so I can get it (i've seen in some deployments flexconnect mode deployed and at the same time we have interfaces created for the WLANs)

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to TrickTrick

‎04-12-2022 04:36 AM

Google is your friend - plenty of info to be found if you look ...

Some examples:

https://www.kareemccie.com/2017/08/what-is-flexconnect.html

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-1/Enterprise-Mobility-8-1-Design-Guide/Enterprise_Mobility_8-1_Deployment_Guide/ch7_HREA.html

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/flexconnect.html

https://networklessons.com/cisco/ccna-200-301/cisco-wireless-ap-modes#FlexConnect

 

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to TrickTrick

‎04-07-2022 02:20 AM - edited ‎04-07-2022 02:26 AM

You config FLEX AP
1- Local Switching
This can easily done even if WLC behind the WLC 
VLAN management <- this already config in SW and FW
VLAN DHCP <- this already config in SW and FW
VLAN USER <-  1-config VALN in SW
                         2-config subinterface in FW
                         3- since the DHCP is not in same Broadcast with VLAN of USER and there is FW you need
                         DHCP reply in each VLAN USER to convert Broadcast to unicast and send it to DHCP Server.

that it friend this all you need
2- Central Switching 
this hard to config because you need for each WLAN VLAN and hence SVI and sub interface in DMZ.

note:-need this in FW
same-security-traffic permit inter-interface

0 Helpful

Go to solution
TrickTrick
Level 3
Level 3
In response to MHM Cisco World

‎04-07-2022 03:54 AM

please check the diagram attached to my reply, it's my actual configuration, what I missed compared to what you have mentioned ?

Thank you

Preview file
42 KB
0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to TrickTrick

‎04-07-2022 04:25 AM

Management WLC VLAN is 200 and also it native VLAN of SW1
Management AP VLAN is 50 and also it native VLAN of SW2 or tag ? Just to be sure are you use AP management "AP get this IP from DHCP" to build the CAPWAP tunnel ? the tunnel is UP and AP can join the WLC "behind FW"?

Any way as mention before, 

1-FLEX MODE 

2-WLAN is LOCAL SWITCHING 
3-DHCP VLAN 100, and also config the sub interface in FW
4-VLAN 200 subinterface in FW config DHCP reply to convert broadcast to unicast forward to DHCP server in VLAN 100

that it.

Go to solution
ammahend
VIP Alumni
VIP Alumni

‎04-06-2022 10:32 PM

Now I want clients to get valid IPs from DHCP (VLAN 200 in the inside), but I can't create a WLAN interface in the same subnet as the VLAN in the inside part of the network.

 

You can try and create a dynamic interface for vlan 200 on WLC, map it to a dedicated port on WLC and connect the port to inside interface on Firewall, which also will be the gateway for vlan 200. 

 

-hope this helps-

Go to solution
TrickTrick
Level 3
Level 3
In response to ammahend

‎04-07-2022 02:15 AM

I got your point, the client won't accept it though because it will bypass the firewall, my main question now is, should i absolutely have a wlan interface in the same network as the vlan i want to create ssid for ? What architectures do in such design?

 

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to TrickTrick

‎04-07-2022 05:14 AM - edited ‎04-07-2022 05:21 AM

bypass FW!!!! how that ??

the SVI GW of user VLAN is config in FW
the SVI GW of DHCP VLAN is config in FW
the traffic pass through FW how it bypass?

Again this for local not central SW.
Central SW need to config the sub interface in DMZ not in INSIDE

0 Helpful

Go to solution
ammahend
VIP Alumni
VIP Alumni
In response to TrickTrick

‎04-07-2022 06:45 AM - edited ‎04-07-2022 06:45 AM

I haven't tried it myself, was just telling a way to do it, seems like you are still in design phase of this, so lets take a step back, why you planning to have WLC in DMZ ?

-hope this helps-
0 Helpful

Go to solution
TrickTrick
Level 3
Level 3
In response to ammahend

‎04-07-2022 07:03 AM

Hmm, We are not in the design phase, the client wanted all its servers to be centralized in the DC, and have only some admins from the inside to have access to them (DHCP, DNS in a zone... Applications in a separated zone, ISE and Prime in a zone, And WLC in a separate zone on its own), all of these zones are in the FW created for security and visibility purpose 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card