WLAN configuration when WLC is behind a FW

TrickTrick
Level 3

Hi,

In a scenario I'm working on, I have a WLC located behind a FW in a dedicated DMZ (let's say VLAN 100), and created a management interface to manage APs (interface in VLAN 100, with the FW IP as the GW in that VLAN).

APs are located on the inside, in a different VLAN, and are able to register with the WLC with no issues.

Now I want clients to get valid IPs from DHCP (VLAN 200 on the inside), but I can't create a WLAN interface in the same subnet as the VLAN on the inside part of the network (obviously when I do that the WLC becomes unreachable, and of course it's not recommended to extend the L2 network between the DMZ and the inside).

I think there's a way to create WLANs in the WLC with a subnet mapping between those WLANs in the DMZ and the corresponding VLANs on the inside of the network, so the wireless clients can get IPs from the dedicated DHCP scope on the DHCP server (Windows Server) located on the inside as well.

How can I achieve this please? Any document or information is highly appreciated.

Thank you

31 Replies

Rich R
VIP

So as already pointed out, the WLC is layer 2 - think of it as a LAN switch. You can't put a firewall between 2 switches on a VLAN (actually you can with a layer 2 bump in the wire, but I assume that's NOT what you're trying to do). So trying to route your client layer 2 traffic through the firewall to the WLC is probably not a good idea at all (and why anyway - it serves no useful purpose).

So either you connect/trunk everything to WLC at layer 2 - local mode APs all centrally switched on WLC

OR

AP in flex mode with the WLANs local switching.  Then your traffic never even goes to the WLC - it's trunked direct from APs to the switchport they're connected to in the relevant VLAN.  Then DHCP and everything else works exactly the way it would for a LAN user.  This way no interface is needed on the WLC at all.

So decide what model you prefer and design accordingly.
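The FlexConnect option Rich R describes, as an added configuration example that is not part of the original thread: the AP-facing switchport carries CAPWAP untagged on the AP VLAN and the client VLAN tagged, and the WLAN is set to local switching on the WLC so no dynamic interface for VLAN 200 exists in the DMZ. VLAN 200 is the client VLAN from the question; VLAN 300 (AP management VLAN), the interface name, the AP name and the WLAN id are placeholders, and the WLC commands are AireOS CLI syntax to verify against your release.

```cisco
! --- Inside switch, port facing a FlexConnect AP (added example) ---
! Assumptions: VLAN 300 = AP management VLAN (the question gives no ID),
! GigabitEthernet1/0/10 is a placeholder port. VLAN 200 = inside client VLAN.
interface GigabitEthernet1/0/10
 description FlexConnect AP - CAPWAP untagged on VLAN 300, clients tagged
 switchport mode trunk
 switchport trunk native vlan 300
 switchport trunk allowed vlan 200,300
 spanning-tree portfast trunk
!
! --- WLC (AireOS CLI, WLAN id 1 and AP name are placeholders) ---
! Local switching: client frames leave the AP on VLAN 200 and reach the
! inside DHCP server like a wired host; the WLC only sees CAPWAP control.
! config wlan disable 1
! config wlan flexconnect local-switching enable 1
! config wlan enable 1
! Per-AP mapping of the WLAN (SSID) to the VLAN the AP tags on the trunk,
! which is what puts each SSID's clients in the right subnet:
! config ap flexconnect vlan enable AP-INSIDE-01
! config ap flexconnect vlan native 300 AP-INSIDE-01
! config ap flexconnect vlan wlan 1 200 AP-INSIDE-01
```

Only CAPWAP between the AP VLAN and the WLC's DMZ interface needs to cross the firewall; VLAN 200 never has to be extended into the DMZ.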

Hi,

Thank you for your input,

You pointed out exactly my problem. I was always wondering why a WLAN should be extended behind the FW if that's how a WLC works (I understood from Flavio in the comments that CAPWAP will tunnel that VLAN traffic to its interface in the WLC), but FlexConnect is here to solve that. I understand from you that I don't need to create an interface dedicated to that WLAN and can select the management interface for all the WLANs created instead, but the APs are broadcasting different SSIDs (of different WLANs), so how will a client get the right IP of its VLAN in FlexConnect mode?


Thank you
