06-23-2009 08:19 AM - edited 07-03-2021 05:45 PM
I am trying to figure out a way to do a Guest Network without using an ACL tied to the SSID. (Customer's request) It's a layer 3 network and they suggested creating a DMZ zone off their ASA and connecting the WLC there; that way it's outside their network and can go straight to the internet.
I have never done this before ... so does anyone know if this would work? Any config guides or explanations would be great.
Thanks
06-23-2009 08:59 AM
The WLAN/VLAN combo for the guests can reside in the DMZ and use the ASA DMZ interface as the gateway.
The WLC port will connect to a switch via trunk, and only the necessary VLANs can be allowed over the trunk.
06-23-2009 09:03 AM
So the WLC itself doesn't have to reside outside the Core SW ... it can still be connected to the Core SW via a trunk config to allow only the WLAN VLANs, and just have the guest interface be configured to use the ASA DMZ interface as the DF Gateway ... is this correct?
06-23-2009 09:58 AM
We run port 1 of the guest anchor on the trusted network, and port 2 is connected to a "DMZ" type zone. Foreign anchor traffic terminates on port 1, and guest internet traffic flows out port 2. Not sure if this is officially supported by Cisco, but it works.
06-23-2009 06:59 PM
Oftentimes, when you hear about a controller in the DMZ, it is part of a pair of internal/external controllers. The internal controller sits within your network and a guest WLAN tunnels to the external (DMZ) controller (which doesn't actually have any APs on it).
If you have only one controller, then doing either the trunked vlan, or port 2 straight to the DMZ will work.
I often see the guest in VLAN 10 (for example), and instead of VLAN 10 having a routed interface on the network, it is only layer 2, with a port in access VLAN 10 that connects to the DMZ of the firewall.
06-26-2009 07:10 AM
I only have one controller and installing 30 - 40 APs so if I use one port to connect to the DMZ wouldn't I lose 25 APs?
06-26-2009 10:23 AM
Seems like the old rule was 48 APs per port. Alternatively you could LAG both ports and dot1q your guest traffic.
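The design sketched in the replies above (guest VLAN kept layer 2 only on the core, a restricted trunk to the WLC, an access port into the ASA DMZ, and both WLC ports in a LAG) as one added configuration example. This is not from any poster or from Cisco documentation; VLAN numbers, port names, and the 192.0.2.0/24 guest subnet are assumed, and the WLC guest dynamic interface is assumed to be created on VLAN 10 with the ASA dmz address as its gateway.

```cisco
! --- Core switch (Cisco IOS), assumed VLAN numbers 10 guest / 20 management ---
! VLAN 10 is layer 2 only: no "interface Vlan10" SVI, so the core never
! routes guest traffic toward the internal network.
vlan 10
 name GUEST-DMZ
vlan 20
 name WLAN-MGMT
!
! Both WLC ports bundled (WLC LAG uses static bundling, no LACP/PAgP);
! the trunk carries only the management and guest VLANs.
interface Port-channel1
 description WLC LAG
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
interface range GigabitEthernet1/0/1 - 2
 description WLC port 1 / port 2
 channel-group 1 mode on
!
! Access port that hands VLAN 10 to the ASA dmz interface.
interface GigabitEthernet1/0/3
 description ASA dmz
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! --- ASA (8.3+ object NAT syntax assumed) ---
! The dmz interface IP is what the WLC guest dynamic interface uses as
! its gateway; 192.0.2.0/24 is a documentation range standing in for the guest subnet.
interface GigabitEthernet0/2
 nameif dmz
 security-level 10
 ip address 192.0.2.1 255.255.255.0
!
! An inbound ACL replaces the security-level defaults (implicit deny at the end),
! so deny the internal ranges explicitly, then permit everything else (internet).
object-group network INTERNAL
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
access-list DMZ_IN extended deny ip any object-group INTERNAL
access-list DMZ_IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group DMZ_IN in interface dmz
!
! PAT guest clients behind the outside interface address.
object network GUEST-NET
 subnet 192.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
```

With this layout a guest client has no route into the core at all: its only gateway is the ASA dmz interface, and the dmz ACL is what decides what it can reach.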