Solved

Configuring VLan for Internet Only Traffic

Posted on 2016-10-04
Last Modified: 2016-10-14
I'm looking for a solution to have my wireless clients on Location 2 with internet-only access, but at the same time my AP can pull a DHCP address from my internal server. Location 2 internet access is through the Location 1 ASA. I would really appreciate your help.

Location 1 WLC 2504 is connected to ASA and Core 3650.

Location 2 WLC 2504 is connected to a Core 3650, no ASA firewall.
Question by:fofanah78
19 Comments
 
Expert Comment by Craig Beck (ID: 41828084)

Can you give a bit more info? For example, are clients at Location 2 using the same subnet/VLAN as the APs at Location 2?
 

Author Comment by fofanah78 (ID: 41828507)

@Craig Beck
Location 1 WLC1 2504 is connected to ASA and Core 3650.
Previously Location 1 WLC had all the APs for Location 1 and Location 2.
All the internet traffic from Location 2 is going through Location 1.
Location 1 WLC1/APs are on VLAN5 192.168.5.0/24.
Previously, the Location 2 APs were all set up on the same subnet.

I bought a new Cisco 2504 WLC2 for Location 2; now I want to move the APs from L1 to L2. I want to create a Guest-WIFI access on L2 for only internet access, but at the same time pull a DHCP address from the Location 2 DHCP server.

I hope this helps. I'm really new to the wireless and controller concepts.
 
Expert Comment by masnrock (ID: 41828750)

Is Location 2 going to remain on VLAN5, except for the guest users?

It sounds like you need to create a VLAN, we'll call it VLAN6. Within the WLC for Location 2, you need to define an SSID that when users connect to it, end up on VLAN6. Is the Cisco equipment going to serve as the DHCP server, or do you have a server physically in Location 2 that will handle DHCP duties?
 

Author Comment by fofanah78 (ID: 41828799)

@masnrock
I created the VLAN on L2 called vlan6.
I have a Test SSID defined.
I have a physical server that handles DHCP addresses for the APs.
Now I need SSID Test to only access the internet from L1.
SSID Test works fine for internal and external.
How can I allow the SSID Test to access just the internet and nothing else?
 
Expert Comment by Craig Beck (ID: 41829411)

You could've done this with one WLC, providing you have less than 75 APs. How is Location 1 connected to Location 2?
 
Expert Comment by masnrock (ID: 41829823)

Wait a second. You started off saying that L2 gets to the internet through L1. Now you're saying you need to test that the new VLAN only gets to the internet from L1. We need more details on your setup. Is there a point-to-point connection between locations or do you have a VPN tunnel going? I went under the assumption you have a point-to-point.
 

Author Comment by fofanah78 (ID: 41829843)

@masnrock
This is a point-to-point connection between L1 and L2.
 
Expert Comment by Craig Beck (ID: 41829997)

So Location 2 is just an extension of Location 1?

You're only moving the APs from Location 1 that need to connect to the WLC at Location 2, yes?

Why do you want guest users to get an IP from Location 2 if they need to use the internet via Location 1?
 
Expert Comment by masnrock (ID: 41830042)

Craig asked the exact question that I had.

Do you now want this guest wireless network to work from both L1 and L2? If so, then you should have created it at L1 (probably from the ASA), and made sure that it was accessible at both sides. However, the question is whether the server you mentioned should be acting as the DHCP server for just the guest network or for multiple networks. A number of things require some clarity to give the best answer.
 
Expert Comment by Craig Beck (ID: 41830266)

@masnrock - The guest has to terminate at L1 in any event as there's no ASA at L2. I think we're on the same track though.

@fofanah78 - This is a Cisco WLAN using a Cisco WLC so we can tunnel all the guest traffic to an interface on the ASA and keep it secure (assuming we have a spare interface, otherwise we can use a subinterface). There's no need for guests to get an IP from the L2 DHCP server (it's actually making it insecure). We can still allow trusted clients to drop their traffic to the local switch at L2 if we use FlexConnect mode on the APs.

Saying that, you didn't really need to buy a new WLC for this.
 

Author Comment by fofanah78 (ID: 41832428)

I think I found a solution that might work. I don't know what you guys think.
I will use the Guest wireless SSID WLAN and anchor it to the main L1 WLC1 to my DMZ.
 
Expert Comment by Craig Beck (ID: 41832526)

Is the L1 WLC in your DMZ? It doesn't sound like it is.
 

Author Comment by fofanah78 (ID: 41833588)

I created a DMZ on L1 yesterday.
 
Expert Comment by Craig Beck (ID: 41834243)

So does the L1 WLC have any APs connected to it?
 

Author Comment by fofanah78 (ID: 41836767)

@Craig. Yes, I have about 16 APs on L1.
 
Expert Comment by Craig Beck (ID: 41837617)

So you shouldn't really anchor to the L1 WLC, especially if you use LAG.

I would connect all APs to the L1 WLC and install the new WLC as a pure anchor in the DMZ.
 

Author Comment by fofanah78 (ID: 41837634)

Craig,
The only problem with this is we have to deploy 3 more to different locations. I'm having a problem right now on L2. The APs are pulling DHCP addresses from the data VLAN. I set up the L2 controller on a switch access port and the APs as trunk ports. I tried putting a helper address on the APs' VLAN; they are still not pulling DHCP addresses from that DHCP server. Any idea?
 
Accepted Solution by Craig Beck (earned 500 total points, ID: 41838325)

The APs should be on their own VLAN if you can. They can pull DHCP from wherever the SVI for that VLAN is configured to use as the IP helper. You can use FlexConnect on each AP to put user traffic on a VLAN local to the site and send all Guest traffic to the anchor WLC in the DMZ at L1.

In any event you shouldn't use a WLC as an anchor if it has APs connecting to it. It should be just an anchor.
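One way the L2 Catalyst 3650 side of the accepted solution can look, as an added example that is not from the thread or any participant: the APs get their own VLAN with an SVI and IP helper, the AP-facing trunk carries that VLAN untagged so the AP no longer leases from the data VLAN, and no guest VLAN exists locally because the guest WLAN is centrally switched to the anchor WLC in the L1 DMZ. VLAN numbers, addresses, port names and the DHCP server address are constructed placeholders.

```cisco
! Constructed example for the Location 2 Catalyst 3650 (not the thread's own config).
! VLAN 10 = AP management, VLAN 20 = trusted corporate data; both are assumptions.
vlan 10
 name AP-MGMT
vlan 20
 name CORP-DATA
!
! SVI for the AP VLAN. The APs' DHCP Discover is relayed from here to the
! L2 DHCP server (192.0.2.10 is a placeholder), so the AP must actually be
! in VLAN 10 for this helper to apply to it.
interface Vlan10
 ip address 10.20.10.1 255.255.255.0
 ip helper-address 192.0.2.10
!
interface Vlan20
 ip address 10.20.20.1 255.255.255.0
 ip helper-address 192.0.2.10
!
! Trunk to a FlexConnect AP. The AP sends its own traffic untagged, so the
! native VLAN decides which subnet the AP leases from: left at the data VLAN
! it pulls a data-VLAN address (the problem reported above); set to VLAN 10
! it pulls from the AP VLAN via the helper on Vlan10.
! Only the AP VLAN and the locally switched corporate VLAN are allowed.
! Guest traffic never appears on this trunk as a VLAN: it stays inside the
! CAPWAP tunnel to the WLC and is anchored to the DMZ WLC at L1.
interface GigabitEthernet1/0/10
 description FlexConnect AP (constructed)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 spanning-tree portfast trunk
```

A quick check after applying this is `show ip dhcp binding` on the L2 DHCP server's scope for 10.20.10.0/24 (or `show cdp neighbors detail` on the switch) to confirm the AP's address now comes from the AP VLAN rather than the data VLAN.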
 
Author Closing Comment by fofanah78 (ID: 41843645)

Thanks Craig!!