Configuring Wireless Cisco Networks and Wireless Controllers.
Hello all,

I have a few basic clarifications on these components. I have a network with LWAPP APs and a WLC on one site, say Site A. Let's consider only the guest SSID access as of now. The anchor guest controller is positioned on a DMZ segment on Site B. Sites A and B are connected through a routed network. I also have a NAC guest server on Site C. Now I want to integrate all these components. As per my knowledge, the following is the traffic flow:

1) When guest users access their SSID, they are mapped to the anchor controller in the DMZ through mobility groups. The WLC then initiates an EoIP tunnel to the DMZ controller. Firewall rules allow all required ports (IP 97, UDP 16666, etc.), and end-to-end IP communication happens.

2) Upon the request, the anchor controller provides an IP address from DHCP configured locally. In this case, will the default gateway of the PCs be the anchor DMZ controller's WLAN IP, or will it be local to Site A (say the L3 switch)?

3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the RADIUS server/NAC guest server. During authentication, the DMZ controller again tries speaking to the NAC guest server in Site C, hence the firewall has to allow the UDP 1812/1813 RADIUS ports.

4) After authentication, the user browses the Internet. Now, what will be the IP packet flow in this instance? Will all traffic be first tunneled across LWAPP to the controller, and from there EoIP'd to the anchor? Does the anchor then forward it to the Internet gateway, through the DMZ? As asked before, will the default gateway of the PCs be the WLAN IP of the anchor? If there are too many users, will I create many WLAN SSIDs for guests for Site A?

Sorry for the long post.

Raj
Let's see if I can help with anything...

Client connects to the guest SSID on an AP connected to Controller A.
Controller A anchors the SSID/WLAN to the DMZ controller at Site B.

So, basically, the client is actually hanging off the network port of the DMZ controller (so all IP/routing needs to be assigned from the standpoint of the Ethernet port on the DMZ controller). The client gateway should be the gateway of Controller B, not the IP of Controller B.

When the client makes a web request, the request is hijacked by a web-authentication device (your NAC in Site C?) and once authenticated, the client is allowed on the Internet back at Site B.

With all that said, no traffic should be going to Site C once authenticated. So the traffic flow should be (after authentication):

Client > AP Site A > Site A Controller > Site B DMZ Controller > DMZ Controller Gateway to wherever...

Is that clarifying anything? I don't think there is a reason to create more WLAN SSIDs for guests unless you need different authentication methods or, for some reporting reason, you want different ones. I don't think the number of users will be a limiting factor.
Hello Wesley,

Thanks for the clarification. That solves almost all my design-related questions. Your explanation means that:

1) I will not need any layer 3 VLANs for guests on the local L3 switched network in Site A, right? I have close to 7 closets, which trunk onto the core switch in Site A. Each closet has around 10 APs, which communicate with 2 x WLC 4404 (100 K9). The core switch is connected to the WAN router, through which routing happens to Site B.

2) Can I define the DHCP server locally on the anchor controller? In this aspect, I hope the DHCP broadcast is sent through EoIP? Does it have any dependency on knowing the DNS server?

Thanks again. Have you implemented this? Do you have any working configs? I have seen the wireless SRND and have a basic config template for all devices. Any other links which you can suggest?

Raj
Hi,

1. You should not do any VLAN for the L3 network on Site A for guests. However, you have to tie the guest WLAN on the foreign controller to some dynamic interface. For security purposes it is wise to create a dummy VLAN on the foreign controller. Tie it to the guest WLAN and do not allow it on the trunk connection between the foreign controller and the core switch.

2. Yes, you can use the DHCP server on the anchor controller... and yes, I have some experience with the whole stuff you mentioned ;-)

Cheers,
Gregory
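Putting the design from the two answers above (client gateway = the anchor's gateway, DHCP on the anchor, a dummy VLAN on the foreign controller that is kept off the trunk, firewall holes for EoIP/mobility and RADIUS) into one concrete template. This is an added example, not a config from any poster in this thread. Every name, VLAN number and address is made up: foreign WLC management 10.1.0.10 at Site A, anchor WLC management 172.16.50.10 on the PIX/ASA DMZ, guest egress subnet 172.16.51.0/24 with the firewall's DMZ interface 172.16.51.1 as gateway, NAC guest server 10.3.0.20 at Site C, mobility group name guest-anchor. Syntax is AireOS (4400-era) CLI, Catalyst IOS for the trunk and ASA/PIX-style access-lists; lines starting with `!` are annotations, and exact keywords vary by software release, so check each command against your version before pasting it.

```text
! ---- Foreign WLC (Site A, management 10.1.0.10) ----
! Dummy dynamic interface on VLAN 999. The VLAN is deliberately kept off
! the trunk to the core, so the only exit for guest frames is the EoIP tunnel.
config interface create guest-dummy 999
config interface vlan guest-dummy 999
config interface address guest-dummy 192.0.2.1 255.255.255.0 192.0.2.254
config wlan create 3 Guest Guest
config wlan interface 3 guest-dummy
config wlan security wpa disable 3
config wlan security web-auth enable 3
! Mobility peers: each controller must know the other's MAC, IP and group name
config mobility group member add 00:1b:2a:3c:4d:5e 172.16.50.10 guest-anchor
! Anchor WLAN 3 to the DMZ controller
config wlan mobility anchor add 3 172.16.50.10
config wlan enable 3

! ---- Core switch trunk to the foreign WLC (Catalyst IOS) ----
! Prune the dummy VLAN so it never leaves the controller port.
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan remove 999

! ---- Anchor WLC (Site B DMZ, management 172.16.50.10) ----
! Guest egress interface on the DMZ; 172.16.51.1 is the firewall, not the WLC
config interface create guest-egress 51
config interface vlan guest-egress 51
config interface address guest-egress 172.16.51.10 255.255.255.0 172.16.51.1
! WLAN profile/SSID and security settings must match the foreign controller
config wlan create 3 Guest Guest
config wlan interface 3 guest-egress
config wlan security wpa disable 3
config wlan security web-auth enable 3
! Local DHCP scope; default-router is the firewall DMZ address
config dhcp create-scope guest
config dhcp network guest 172.16.51.0 255.255.255.0
config dhcp address-pool guest 172.16.51.20 172.16.51.250
config dhcp default-router guest 172.16.51.1
config dhcp dns-servers guest 192.0.2.53
config dhcp enable guest
config interface dhcp dynamic-interface guest-egress primary 172.16.50.10
! Web-auth checks credentials against the NAC guest server over RADIUS
! (CHANGEME is a placeholder shared secret)
config radius auth add 1 10.3.0.20 1812 ascii CHANGEME
config radius acct add 1 10.3.0.20 1813 ascii CHANGEME
config wlan radius_server auth add 3 1
config mobility group member add 00:1b:2a:3c:4d:60 10.1.0.10 guest-anchor
! On the anchor, the WLAN is anchored to the anchor itself
config wlan mobility anchor add 3 172.16.50.10
config wlan enable 3

! ---- Firewall between Site A, the DMZ and Site C (ASA/PIX style) ----
! Site A -> DMZ: EoIP data (IP protocol 97) and mobility control (UDP 16666)
access-list INSIDE_IN extended permit 97 host 10.1.0.10 host 172.16.50.10
access-list INSIDE_IN extended permit udp host 10.1.0.10 host 172.16.50.10 eq 16666
! DMZ -> Site A: same pair in the other direction
access-list DMZ_IN extended permit 97 host 172.16.50.10 host 10.1.0.10
access-list DMZ_IN extended permit udp host 172.16.50.10 host 10.1.0.10 eq 16666
! DMZ -> Site C: RADIUS auth/acct from the anchor to the NAC guest server
access-list DMZ_IN extended permit udp host 172.16.50.10 host 10.3.0.20 eq 1812
access-list DMZ_IN extended permit udp host 172.16.50.10 host 10.3.0.20 eq 1813
! Guest subnet may reach the Internet only; deny the internal range first
access-list DMZ_IN extended deny ip 172.16.51.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list DMZ_IN extended permit ip 172.16.51.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
access-group DMZ_IN in interface dmz
```

Two points worth checking on a live box: RADIUS ports are written numerically because some ASA releases map the `radius` keyword to 1645 rather than 1812, and the deny line for 10.0.0.0/8 must sit before the `permit ip ... any` or the guest subnet will be able to reach Site A and Site C through the firewall.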
Greg,

Thanks again. That was useful too. One last query, and this one has been grilling my head:

1) How does the guest VLAN egress work? I have a WLC on a new DMZ of the PIX, with a /27 subnet. This WLAN is used only for EoIP communication. Now, when the guest user gets a DHCP IP, what IP pool should I define here? Since the default route is going to be towards the PIX, it should be one among the 4 interfaces right now? Or should I have another interface or DMZ VLAN for the egress traffic from the WLC? The SRND says something about dynamic interfaces, but it is not explained at all :(

2) Will the foreign WLC talk to anchor controllers 1 & 2 in load-balancing mode? Why I'm asking is, if the DHCP is defined on Anchor 1 and the request goes to Anchor 2, then it will be an issue. Otherwise, is it advisable to split up the DHCP scopes between the two anchors? Say 1-127 on one anchor and 128-254 on the other?

3) Lastly, about the guest NAC servers. I have 2 of them in place. Will the guest database be replicated between them, like what ACS does? If so, is the replication bidirectional? If the lobby admin creates an account, it will be good if he just creates it in one box and the other box replicates it.

Thanks for all your answers. It has been really useful to me, and I think it will be useful for anyone who works on anchor + guest + foreign WLC designs :)

Raj