WLC sitting in a DMZ zone on an ASA

mjohnson1914
Level 1

I am trying to figure out a way to do a Guest Network without using an ACL tied to the SSID (customer's request). It's a layer 3 network, and they suggested creating a DMZ zone off their ASA and connecting the WLC there; that way it's outside their network and can go straight to the internet.

I have never done this before ... so does anyone know if this would work? Any config guides or explanations would be great.

Thanks

6 Replies

ericgarnel
Level 7

The wlan/vlan combo for the guests can reside in the DMZ and use the ASA DMZ interface as the gateway.

The WLC port will connect to a switch via trunk, and only the necessary VLANs can be allowed over the trunk.

So the WLC itself doesn't have to reside outside the Core SW ... it can still be connected to the Core SW via a trunk config that allows only the WLAN VLANs, and just have the guest interface configured to use the ASA DMZ interface as the DF Gateway ... is this correct?

We run port 1 of the guest anchor on the trusted network, and port 2 is connected to a "DMZ" type zone. Foreign anchor traffic terminates on port 1, and guest internet traffic flows out port 2. Not sure if this is officially supported by Cisco, but it works.

weterry
Level 4

Oftentimes, when you hear about a controller in the DMZ, it is part of a pair of internal/external controllers. The internal controller sits within your network, and a guest WLAN tunnels to the external (DMZ) controller (which doesn't actually have any APs on it).

If you have only one controller, then doing either the trunked VLAN or port 2 straight to the DMZ will work.

I often see the guest in VLAN 10 (for example), and instead of VLAN 10 having a routed interface on the network, it is only layer 2, with a port in access VLAN 10 that connects to the DMZ of the firewall.

I only have one controller and am installing 30 - 40 APs, so if I use one port to connect to the DMZ, wouldn't I lose 25 APs?

Seems like the old rule was 48 APs per port. Alternatively you could LAG both ports and dot1q your guest traffic.
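One way to wire up the single-controller design described in this thread (WLAN VLANs trunked to the WLC, guest VLAN kept layer 2 only with an access port into the ASA DMZ interface, ASA as the guest default gateway), as an added example that is not from any poster here. VLAN numbers, interface names and the 192.0.2.0/24 and 10.0.0.0/8 addresses are assumed for illustration.

```cisco
! --- Core switch (IOS). WLC port 1 is a trunk carrying only the WLAN VLANs.
! VLAN 10 = guest, VLAN 20 = WLC management; numbers are constructed for this example.
vlan 10
 name GUEST-WLAN
vlan 20
 name WLC-MGMT
!
interface GigabitEthernet1/0/1
 description WLC port 1 (trunk, WLAN VLANs only)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! VLAN 10 is intentionally layer 2 only: no "interface Vlan10" SVI exists on the
! core, so guest traffic cannot be routed into the inside network. Its only path
! off the switch is this access port into the ASA DMZ interface.
interface GigabitEthernet1/0/2
 description To ASA DMZ interface
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! --- ASA. The DMZ interface IP is the default gateway set on the WLC's guest
! dynamic interface. 192.0.2.0/24 is a constructed documentation subnet.
interface GigabitEthernet0/2
 nameif dmz
 security-level 10
 ip address 192.0.2.1 255.255.255.0
!
object network GUEST-NET
 subnet 192.0.2.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Once an ACL is bound to dmz, the security-level implicit rules no longer apply,
! so deny the inside address space explicitly before permitting internet access.
! 10.0.0.0/8 stands in for the customer's inside range (constructed).
access-list DMZ-IN extended deny ip 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ-IN extended permit ip 192.0.2.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
```

Verify the isolation with `show ip interface brief` on the core (no Vlan10 SVI) and `packet-tracer input dmz tcp 192.0.2.50 12345 10.0.0.10 445` on the ASA, which should report a drop.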
