
Configuring VLan for Internet Only Traffic

I’m looking for a solution to have my wireless clients on Location 2 with internet only access, but at the same time my AP can pull a DHCP address from my internal server.  Location 2 internet access is through Location 1 ASA.  I will really appreciate your help.

Location 1 WLC 2504 is connected to ASA and Core 3650

Location 2 WLC 2504 connected to a Core 3650 no ASA firewall.

Asked by: fofanah78

Craig Beck Commented:
Can you give a bit more info?  For example, are clients at Location 2 using the same subnet/VLAN as the APs at Location 2?

fofanah78 (Author) Commented:
@Craig Beck
Location 1 WLC1 2504 is connected to ASA and Core 3650
Previously Location 1 WLC had all the APs for Location 1 and Location 2.
All the internet traffic from Location 2 is going through Location 1
Location1 WLC1/APs are on Vlan5 192.168.5.0/24
In the previous setup, Location 2/APs were all on the same subnet.

I bought a new Cisco 2504 WLC2 for location 2, now I want to move the APs from L1 to L2.  I want to create a Guest-WIFI access on L2 for only internet access, but at the same time pull DHCP address from location 2 DHCP server.

I hope this helps.  I'm really new to wireless and controller concepts.

masnrock Commented:
Is Location 2 going to remain on VLAN5, except for the guest users?

It sounds like you need to create a VLAN, we'll call it VLAN6. Within the WLC for Location 2, you need to define an SSID that when users connect to it, end up on VLAN6. Is the Cisco equipment going to serve as the DHCP server, or do you have a server physically in Location 2 that will handle DHCP duties?

fofanah78 (Author) Commented:
@masnrock
Created the VLAN on L2 called: vlan6
I have a Test SSID defined
I have a physical server that handles DHCP addresses for the APs
Now I need SSID Test to only access the internet from L1.
SSID Test works fine for internal and external.
How can I allow the SSID Test to reach just the internet and nothing else?

Craig Beck Commented:
You could've done this with one WLC, providing you have less than 75 APs.  How is Location 1 connected to Location 2?

masnrock Commented:
Wait a second. You started off saying that L2 gets to the internet through L1. Now you're saying you need to test that the new VLAN only gets to the internet from L1. We need more details on your setup. Is there a Point to Point connection between locations or do you have a VPN tunnel going? I went under the assumption you have a point to point.

fofanah78 (Author) Commented:
@masnrock
This is a point to point connection between L1 - L2.

Craig Beck Commented:
So Location 2 is just an extension of Location 1?

You're only moving the APs from Location 1 that need to connect to the WLC at Location 2, yes?

Why do you want guest users to get an IP from Location 2 if they need to use the internet via Location 1?

masnrock Commented:
Craig asked the exact question that I had.

Do you now want this guest wireless network to work from both L1 and L2? If so, then you should have created it at L1 (probably from the ASA), and made sure that it was accessible at both sides. However, the question is whether the server you mentioned should be acting as the DHCP server for just the guest network or for multiple networks. A number of things require some clarity to give the best answer.

Craig Beck Commented:
@masnrock - The guest has to terminate at L1 in any event as there's no ASA at L2.  I think we're on the same track though.

@fofanah78 - This is a Cisco WLAN using a Cisco WLC so we can tunnel all the guest traffic to an interface on the ASA and keep it secure (assuming we have a spare interface, otherwise we can use a subinterface).  There's no need for guests to get an IP from the L2 DHCP server (it's actually making it insecure).  We can still allow trusted clients to drop their traffic to the local switch at L2 if we use FlexConnect mode on the APs.

Saying that, you didn't really need to buy a new WLC for this.

fofanah78 (Author) Commented:
Think I found a solution that might work.  Don't know what you guys think.
I will use the Guest wireless SSID WLAN, Anchor it to the main L1 WLC1 to my DMZ.

Craig Beck Commented:
Is the L1 WLC in your DMZ? It doesn't sound like it is.

fofanah78 (Author) Commented:
I created a DMZ on L1 yesterday.

Craig Beck Commented:
So does the L1 WLC have any APs connected to it?

fofanah78 (Author) Commented:
@Craig.  Yes, I have about 16 APs on L1.

Craig Beck Commented:
So you shouldn't really anchor to the L1 WLC, especially if you use LAG.

I would connect all APs to the L1 WLC and install the new WLC as a pure anchor in the DMZ.

fofanah78 (Author) Commented:
Craig,
The only problem with this is we have to deploy 3 more to different locations.  I'm having a problem right now on L2. The APs are pulling the DHCP addresses from the data VLAN. I set up the L2 controller as a switch access port and the APs as trunk ports.  I tried putting a helper address on the APs' VLAN; they're still not pulling DHCP addresses from that DHCP.  Any idea?

Craig Beck Commented:
The APs should be on their own VLAN if you can.  They can pull DHCP from wherever the SVI for that VLAN is configured to use as the IP helper.  You can use FlexConnect on each AP to put user traffic on a VLAN local to the site and send all Guest traffic to the anchor WLC in the DMZ at L1.

In any event you shouldn't use a WLC as an anchor if it has APs connecting to it.  It should be just an anchor.

fofanah78 (Author) Commented:
Thanks Craig!!
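
A configuration sketch of the layout Craig Beck describes in his last answer (APs on their own VLAN with the SVI's IP helper pointing at the DHCP server, guest traffic terminating on an ASA subinterface), added here as an example and not posted by anyone in the thread. VLAN 50, VLAN 20, every address, the interface numbers and the GUEST_IN access list are assumptions; VLAN 6 reuses the guest VLAN number from the thread.

```cisco
! ---- Location 2 core 3650 (IOS-XE) ----
! Assumed: VLAN 50 = AP management, VLAN 20 = local data,
! DHCP server at 192.168.20.10 (placeholder address).
vlan 50
 name AP-MGMT
!
interface Vlan50
 description AP management SVI
 ip address 192.168.50.1 255.255.255.0
 ! Relay AP DHCP broadcasts to the internal DHCP server
 ip helper-address 192.168.20.10
!
interface GigabitEthernet1/0/10
 description FlexConnect AP (assumed port)
 switchport mode trunk
 ! Untagged AP management frames, including the AP's own DHCP
 ! requests, land in VLAN 50 rather than the data VLAN
 switchport trunk native vlan 50
 ! Carry only the AP VLAN and the locally switched data VLAN
 switchport trunk allowed vlan 20,50
!
! ---- Location 1 ASA ----
! Guest traffic leaves the anchor WLC on VLAN 6 and terminates on
! an ASA subinterface (assumed parent Gi0/2, subnet 192.168.6.0/24).
interface GigabitEthernet0/2.6
 vlan 6
 nameif guest
 security-level 10
 ip address 192.168.6.1 255.255.255.0
!
object-group network RFC1918
 network-object 10.0.0.0 255.0.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.168.0.0 255.255.0.0
!
! Internet only: drop anything from guests to private address space,
! then permit the rest
access-list GUEST_IN extended deny ip any object-group RFC1918
access-list GUEST_IN extended permit ip any any
access-group GUEST_IN in interface guest
```

The helper address only works if the DHCP server has a scope for the AP subnet (192.168.50.0/24 here), because the relay stamps requests with the SVI address. With this access list guests cannot reach internal DNS, so they need a resolver outside the private ranges, and the ASA still needs NAT for the guest subnet.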