In this post we will learn how to implement wired guest access with only one WLC.
A single WLAN controller (VLAN Translation mode) – the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
Here is my Topology:
To provide the wired guest access, the ports in the Layer 2 access layer switch must be configured on the guest VLAN. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller.
Switch configuration:

```
Switch#
interface FastEthernet0/10
 description *** Wired Guest Access ***
 ! PC connected here
 switchport
 switchport access vlan 999
 switchport mode access
end
Switch#
interface range GigabitEthernet1/5-6
 description *** WLC1 ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,17,999
 switchport mode trunk
 channel-group 1 mode on
```
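The switch side is where the guest VLAN isolation is actually enforced, so it is worth checking mechanically that the access port sits in the guest VLAN, that the trunk toward the WLC carries that VLAN tagged (not as native VLAN), and that nothing on the switch gives the guest VLAN a Layer 3 interface. The following audit script is an added example, not part of the original post; it parses a constructed IOS running-config modelled on the snippet above, and the function and parameter names (`audit_wired_guest`, `guest_port`, `wlc_trunk`) are my own.

```python
"""Audit a Cisco IOS access-switch config for the wired-guest-access
constraints described in the post (added example, not from the original):
  1. the PC-facing port is an access port in the guest VLAN
  2. the guest VLAN is allowed on the trunk toward the WLC
  3. the guest VLAN is not the trunk's native VLAN (guest frames stay tagged)
  4. no SVI gives the guest VLAN an IP address on the switch (no Layer 3
     path that bypasses the controller)
"""
import re

# Constructed sample config, modelled on the switch snippet in the post.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 192.168.10.2 255.255.255.0
!
interface FastEthernet0/10
 description *** Wired Guest Access ***
 switchport
 switchport access vlan 999
 switchport mode access
!
interface range GigabitEthernet1/5-6
 description *** WLC1 ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,17,999
 switchport mode trunk
 channel-group 1 mode on
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} from a config dump."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line[len("interface "):].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces


def expand_vlan_list(spec):
    """'10,17,999' -> {10, 17, 999}; '10,15-17' -> {10, 15, 16, 17}; 'all' -> 1..4094."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part.strip():
            vlans.add(int(part))
    return vlans


def audit_wired_guest(config, guest_vlan, guest_port, wlc_trunk):
    """Return a list of findings; an empty list means the config matches the design."""
    intfs = parse_interfaces(config)
    findings = []

    # 1. access port in the guest VLAN
    port = intfs.get(guest_port, [])
    if ("switchport mode access" not in port
            or f"switchport access vlan {guest_vlan}" not in port):
        findings.append(f"{guest_port} is not an access port in VLAN {guest_vlan}")

    # 2./3. trunk toward the WLC: guest VLAN allowed, and not native
    trunk = intfs.get(wlc_trunk, [])
    allowed, native = set(), 1  # IOS default: all VLANs allowed, native VLAN 1
    for line in trunk:
        m = re.match(r"switchport trunk allowed vlan (?:add )?(\S+)", line)
        if m:
            allowed |= expand_vlan_list(m.group(1))
        m = re.match(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
    if "switchport mode trunk" not in trunk:
        findings.append(f"{wlc_trunk} is not a trunk")
    elif allowed and guest_vlan not in allowed:
        findings.append(f"VLAN {guest_vlan} is not allowed on trunk {wlc_trunk}")
    if native == guest_vlan:
        findings.append(f"VLAN {guest_vlan} is the native VLAN on {wlc_trunk}; "
                        "guest frames would travel untagged")

    # 4. no Layer 3 interface for the guest VLAN on the switch
    svi = intfs.get(f"Vlan{guest_vlan}", [])
    if any(l.startswith("ip address") for l in svi):
        findings.append(f"interface Vlan{guest_vlan} has an IP address; "
                        "the guest VLAN should stay Layer 2 only")
    return findings


if __name__ == "__main__":
    for f in audit_wired_guest(SAMPLE_CONFIG, 999, "FastEthernet0/10",
                               "range GigabitEthernet1/5-6") or ["OK: no findings"]:
        print(f)
```

Run it against `show running-config` output pasted into `SAMPLE_CONFIG`; the sample above yields no findings, while adding an `interface Vlan999` with an IP address, or making 999 the native VLAN on the WLC trunk, produces one finding each.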
So let's walk through the complete process. Configuring wired guest access takes five steps:
- Configure a dynamic interface (VLAN) for wired guest user access (ingress).
- Configure a normal dynamic interface from which the guests receive their IP addresses (egress).
- Create a wired LAN for guest user access.
- Create a test user locally on the WLC.
- Verification.
Step 1: Configure a dynamic interface for wired guest user access (ingress)
This VLAN needs no IP address or gateway on the switch or anywhere else.
On WLC1, create a dynamic interface VLAN999.
Go to Controller > Interfaces
In the interface configuration page, check the "Guest LAN" box. As soon as we check this box, fields such as IP address and gateway disappear. The only thing the WLC needs to know about this interface is that client traffic will arrive from VLAN 999.
Step 2: Configure a normal dynamic interface from which the guests receive their IP addresses (egress)
Create another dynamic interface where the wired guest clients receive an IP address.
In this example the clients get their IP addresses from VLAN 17, and the corresponding interface is named guest.
Step 3: Create a wired LAN for guest user access
Add a new WLAN; its type must be "Guest LAN".
Go to WLAN > WLANs, then Create New WLAN.
Enable the WLAN; map the ingress interface to the "vlan999" interface created in Step 1, and the egress interface to the guest interface created in Step 2.
Remember that Layer 2 security is not supported on wired guest LANs.
Then we select Layer 3 web authentication.
Here I am using a customized web auth page.
Step 4: Create a local test user for testing
Security > AAA > Local Net Users
That’s it for the configuration.
Step 5: Verification
Testing time:
Now connect a laptop/PC to port Fa0/10, which is in VLAN 999, and see what happens. I got an IP address in VLAN 17 (guest interface): 192.168.17.5
If DNS resolution works, a pop-up web page appears; otherwise we have to open the WLC virtual interface manually (https://1.1.1.1/login.html). There we use the credentials created in Step 4.
Great post. but does this work if the computer is one or more layer 3 hops away from the controller? Could you have more than one guest vlan, with each getting separate DHCP pools? Thanks!
Is it possible that guests and users have different SSIDs and the same VLAN?
Yes you can have different SSIDs with same VLAN.
Regards
RSCCIEW
In the second example (single WLC), can we use the internal WLC DHCP server for wired clients? If so, we define a new DHCP scope for it?
Yes you need to create a DHCP scope and also don’t forget to put WLC mgmt interface IP address in Dynamic interface config “under the DHCP server box”.
Regards
RSCCIEW
I have the same setup and users are getting IP addresses from the egress VLAN, however users cannot ping the gateway… what could be causing that?
1. Check the default gateway configuration on the DHCP scope.
2. Check if any ACL is blocking!!!