fofanah78 asked:

Configuring a VLAN for Internet-Only Traffic

I'm looking for a solution to give my wireless clients at Location 2 internet-only access, but at the same time my APs can pull a DHCP address from my internal server.  Location 2 internet access is through the Location 1 ASA.  I would really appreciate your help.

Location 1: WLC 2504 is connected to the ASA and the Core 3650.

Location 2: WLC 2504 is connected to a Core 3650, no ASA firewall.
Craig Beck:
Can you give a bit more info?  For example, are clients at Location 2 using the same subnet/VLAN as the APs at Location 2?
fofanah78 (ASKER):
@Craig Beck
Location 1: WLC1 2504 is connected to the ASA and the Core 3650.
Previously, the Location 1 WLC had all the APs for Location 1 and Location 2.
All the internet traffic from Location 2 goes through Location 1.
Location 1 WLC1/APs are on VLAN5, 192.168.5.0/24.
Previously, the Location 2 APs were all on the same subnet.

I bought a new Cisco 2504 WLC2 for Location 2; now I want to move the APs from L1 to L2.  I want to create Guest-WiFi access on L2 for internet access only, but at the same time pull DHCP addresses from the Location 2 DHCP server.

I hope this helps.  I'm really new to the wireless and controller concepts.

Is Location 2 going to remain on VLAN5, except for the guest users?

It sounds like you need to create a VLAN; we'll call it VLAN6. Within the WLC for Location 2, you need to define an SSID so that when users connect to it, they end up on VLAN6. Is the Cisco equipment going to serve as the DHCP server, or do you have a server physically in Location 2 that will handle DHCP duties?

@Masnrock
Created the VLAN on L2, called VLAN6.
I have a Test SSID defined.
I have a physical server that handles DHCP addresses for the APs.
Now I need SSID Test to only access the internet from L1.
SSID Test works fine for internal and external.
How can I allow SSID Test to access just the internet and nothing else?

You could've done this with one WLC, providing you have fewer than 75 APs.  How is Location 1 connected to Location 2?

Wait a second. You started off saying that L2 gets to the internet through L1. Now you're saying you need to test that the new VLAN only gets to the internet from L1. We need more details on your setup. Is there a point-to-point connection between locations, or do you have a VPN tunnel going? I was working under the assumption that you have a point-to-point.

@Masnrock
This is a point-to-point connection between L1 and L2.

So Location 2 is just an extension of Location 1?

You're only moving the APs from Location 1 that need to connect to the WLC at Location 2, yes?

Why do you want guest users to get an IP from Location 2 if they need to use the internet via Location 1?

Craig asked the exact question that I had.

Do you now want this guest wireless network to work from both L1 and L2? If so, then you should have created it at L1 (probably from the ASA), and made sure that it was accessible at both sides. However, the question is whether the server you mentioned should be acting as the DHCP server for just the guest network or for multiple networks. A number of things require some clarity to give the best answer.
@Masnrock - The guest traffic has to terminate at L1 in any event, as there's no ASA at L2.  I think we're on the same track though.

@fofanah78 - This is a Cisco WLAN using a Cisco WLC, so we can tunnel all the guest traffic to an interface on the ASA and keep it secure (assuming we have a spare interface; otherwise we can use a subinterface).  There's no need for guests to get an IP from the L2 DHCP server (it's actually making it insecure).  We can still allow trusted clients to drop their traffic to the local switch at L2 if we use FlexConnect mode on the APs.

Saying that, you didn't really need to buy a new WLC for this.

I think I found a solution that might work.  Don't know what you guys think.
I will use the Guest wireless SSID WLAN and anchor it to the main L1 WLC1 in my DMZ.

Is the L1 WLC in your DMZ? It doesn't sound like it is.
I created a DMZ on L1 yesterday.

So does the L1 WLC have any APs connected to it?

@Craig.  Yes, I have about 16 APs on L1.

So you shouldn't really anchor to the L1 WLC, especially if you use LAG.

I would connect all APs to the L1 WLC and install the new WLC as a pure anchor in the DMZ.
Craig,
The only problem with this is that we have to deploy 3 more to different locations.  I'm having a problem right now on L2.  The APs are pulling DHCP addresses from the data VLAN.  I set up the L2 controller as a switch access port and the APs as trunk ports.  I tried putting a helper address on the AP VLAN; they are still not pulling DHCP addresses from that DHCP server.  Any ideas?

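The following Catalyst 3650 configuration is an added illustration of the local-breakout layout discussed in this thread (AP VLAN5 with a DHCP relay to the L2 server, guest SSID mapped to VLAN6, VLAN6 restricted to internet-only destinations); it is not the accepted answer and not anything posted by the participants. Facts taken from the thread: the APs and WLC live on VLAN5 192.168.5.0/24, the guest SSID is mapped to VLAN6, a physical DHCP server exists at L2, and internet egress is via L1. Everything else is an assumption made for the example: the guest subnet 192.168.6.0/24, the DHCP server address 192.168.10.10, the port numbers, and the trunk/access role of each port (local-mode Cisco APs expect an access port in their VLAN, while the WLC uplink is normally an 802.1Q trunk).

```cisco
! Constructed example for the Location 2 Catalyst 3650 core. Not the thread's solution.
! From the thread: VLAN5 = 192.168.5.0/24 (APs/WLC), VLAN6 = guest SSID, L2 DHCP server exists.
! ASSUMED: VLAN6 = 192.168.6.0/24, DHCP server = 192.168.10.10, port numbers below.

vlan 5
 name WLAN-AP-MGMT
vlan 6
 name GUEST-WIFI

! WLC 2504 uplink (assumed port): 802.1Q trunk carrying the management VLAN and the
! guest VLAN so the WLC can place guest clients on VLAN6 via a dynamic interface.
interface GigabitEthernet1/0/1
 description WLC2504-L2
 switchport mode trunk
 switchport trunk native vlan 5
 switchport trunk allowed vlan 5,6

! Local-mode APs (assumed ports): plain access ports in the AP VLAN. An AP on a trunk
! port comes up untagged on that port's native VLAN, so if the native VLAN is the data
! VLAN the AP takes a lease from the data VLAN's DHCP scope instead of VLAN5's.
interface range GigabitEthernet1/0/2 - 17
 description AP-local-mode
 switchport mode access
 switchport access vlan 5
 spanning-tree portfast

! AP VLAN gateway. The helper relays DHCP to the L2 server; the server needs a
! 192.168.5.0/24 scope and a route back to 192.168.5.1 for the relayed OFFER.
interface Vlan5
 ip address 192.168.5.1 255.255.255.0
 ip helper-address 192.168.10.10

! Guest VLAN gateway. The helper is only needed if the L2 server hands out guest
! leases (it then needs a 192.168.6.0/24 scope). The ACL is applied inbound, i.e.
! to traffic sourced by guest clients.
interface Vlan6
 ip address 192.168.6.1 255.255.255.0
 ip helper-address 192.168.10.10
 ip access-group GUEST-INTERNET-ONLY in

! Internet-only: let DHCP through first, then refuse every RFC 1918 destination
! (all internal subnets at L1 and L2), then permit everything else toward the ASA at L1.
ip access-list extended GUEST-INTERNET-ONLY
 permit udp any eq bootpc any eq bootps
 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.6.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.6.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit ip 192.168.6.0 0.0.0.255 any
```

Two caveats for this layout. The guest DHCP scope must hand out a public DNS resolver, because the ACL as written blocks the internal DNS server along with everything else private; if internal DNS is required, add a `permit udp 192.168.6.0 0.0.0.255 host <dns-server> eq 53` above the deny lines. And, as Craig points out above, this filters guest traffic only at the L2 core while it still rides the internal network to the L1 ASA; anchoring the guest WLAN to a DMZ controller keeps guest frames tunneled to the ASA instead, which is the more isolated design. To verify, `show interfaces trunk` confirms the WLC port carries VLANs 5 and 6, and `show access-lists GUEST-INTERNET-ONLY` shows hit counts on the deny lines when a guest client tries to reach an internal host.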
ASKER CERTIFIED SOLUTION
Craig Beck:
This solution is only available to members of Experts Exchange.
Thanks Craig!!