Wired Guest Access with two WLC

In this post we will learn how to implement wired guest access with only two WLCs.

DMZ and Internal WLC Scenario:

Here is my Topology:

WiredGuest2wlc1

Foreign WLC Configuration:

  1. Configure a dynamic interface (in my case: wiredguestin) for wired guest user access on the foreign WLC.
  2. Create a WLAN and set the ingress interface to wiredguestin (created in the last step) and the egress interface to management.
  3. Assign a mobility anchor to the WLAN.

Foreign WLC:

Step1: Create a wired interface on WLC2:

WiredGuest2wlc2

Step2: WLAN creation on WLC2:

WiredGuest2wlc3

Step3: Assign the mobility anchor for the right WLAN:

WiredGuest2wlc4

 

Anchor WLC Configuration:

  1. Configure a normal dynamic interface (in my case it is guest) from which guests will get their IP address (already created).
  2. Create a wired LAN for guest user access.
  3. Assign the mobility anchor to self (meaning local).
  4. Create test users locally on the WLC.
  5. Verification

Anchor WLC (WLC1):

I have already created a guest interface on my WLC to have internet access.

Step1: Skip

Step2: Create a WLAN (the same as we did on WLC2, the foreign WLC). Make sure that here we assign the interface in which we want to put clients (in my case it is guest).

Set the ingress interface to None and the egress interface to guest.

WiredGuest2wlc5

Step3: Assign the mobility anchor to self (means local 🙂)

WiredGuest2wlc6

Step4: Local guest user creation

WiredGuest2wlc7

Verification:

Foreign WLC (WLC2):

WiredGuest2wlc8

Anchor WLC (WLC1):

WiredGuest2wlc9

WiredGuest2wlc10

 

 


Wired Guest Access Solution with Single WLC

In this post we will learn how to implement wired guest access with only one WLC.

A single WLAN controller (VLAN Translation mode) – the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.

Here is my Topology:

WiredGuest1

To provide the wired guest access, the ports in the Layer 2 access layer switch must be configured on the guest VLAN. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller.

Switch Configuration:

Switch#
interface FastEthernet0/10
 description *** Wired Guest Access *** --> PC connected here
 switchport
 switchport access vlan 999
 switchport mode access
end
Switch#
interface range GigabitEthernet1/5-6
 description *** WLC1 ***
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,17,999
 switchport mode trunk
 channel-group 1 mode on
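The design depends on the guest VLAN staying isolated: no IP or gateway for VLAN 999 on the switch, guest ports fixed in access mode, and the VLAN trunked only towards the WLC. The following script is an added example, not part of the original post, that audits an IOS-style config for those points; the function names and the Vlan999 SVI in the sample are constructed for illustration.

```python
import re

# Constructed sample: this page's switch config plus a deliberately wrong SVI.
SAMPLE = """\
interface FastEthernet0/10
switchport access vlan 999
switchport mode access
!
interface range GigabitEthernet1/5-6
switchport trunk native vlan 10
switchport trunk allowed vlan 10,17,999
switchport mode trunk
interface Vlan999
ip address 192.168.99.1 255.255.255.0
"""

def parse_interfaces(config):
    """Map each interface name to its sub-commands (indentation not required)."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.lower().startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line in ("!", "end"):
            current = None
        elif line and current is not None:
            current.append(line.lower())
    return interfaces

def expand_vlans(spec):
    """Expand an allowed-VLAN list such as '10,17,990-999' into a set."""
    bounds = (part.partition("-") for part in spec.split(","))
    return {v for low, _, high in bounds for v in range(int(low), int(high or low) + 1)}

def audit_guest_vlan(config, guest_vlan):
    """Return (findings, trunks that carry guest_vlan and need manual review)."""
    findings, trunks = [], []
    for name, cmds in parse_interfaces(config).items():
        text = "\n".join(cmds)
        svi = name.lower().replace(" ", "") == f"vlan{guest_vlan}"
        if svi and re.search(r"^ip address \d", text, re.M):
            findings.append(f"{name}: guest VLAN SVI has an IP address")
        if f"switchport access vlan {guest_vlan}" in cmds and "switchport mode access" not in cmds:
            findings.append(f"{name}: guest port is not forced to access mode")
        if "switchport mode trunk" in cmds:
            allowed = re.search(r"^switchport trunk allowed vlan ([\d,-]+)$", text, re.M)
            # No parseable allowed list: assume the trunk carries every VLAN.
            if allowed is None or guest_vlan in expand_vlans(allowed.group(1)):
                trunks.append(name)
            if f"switchport trunk native vlan {guest_vlan}" in cmds:
                findings.append(f"{name}: guest VLAN is the trunk native VLAN")
    return findings, trunks
```

Every trunk the audit returns should be an uplink to the WLC; any other trunk carrying VLAN 999 extends the guest segment beyond the controller.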

So let’s see the complete process. Mainly, we need 5 steps to configure wired guest access:

  1. Configure a dynamic interface (VLAN) for wired guest user access (ingress).
  2. Configure a normal dynamic interface from which guests are assigned an IP (egress).
  3. Create a wired LAN for guest user access.
  4. Create test users locally on the WLC.
  5. Verification

Step1: Configure a dynamic interface for wired Guest user access (Ingress)

We don’t need an IP address or gateway for this VLAN on the switch or anywhere else.

On WLC1, create a dynamic interface VLAN999.

Go to Controller > Interfaces

On the interface configuration page, check the “Guest LAN” box. As soon as we check this box, fields such as IP address and gateway disappear. The only thing your WLC needs to know about this interface is that “there will be client traffic coming from VLAN 999”.

WiredGuest2

Step2: Configure a normal dynamic interface in which we want to assign IP to guest. (Egress)

Create another dynamic interface where the wired guest clients receive an IP address.

In this example we have VLAN 17, named guest, from which clients get an IP address.

WiredGuest3

Step3: Create a wired LAN for guest user access.

Add a new WLAN: Type must be “Guest LAN”.

WLAN > WLANs, and then Create New WLAN.

Enable the WLAN; map the ingress interface to the “vlan999” interface created in Step 1, and the egress interface to the guest interface created in Step 2.

WiredGuest4

 

WiredGuest5

***Remember that Layer 2 security is not supported on wired LANs.

WiredGuest6

Then we will select Layer 3 web authentication.

WiredGuest7

Here I am using Customized web auth.

Step 4: Create a local test user for testing.

Security > AAA > Local Net Users

WiredGuest8

That’s it for the configuration.

Step 5: Verification

Testing time:

Now we should connect a laptop/PC to port Fa0/10, which is in VLAN 999, and see what happens there. I got the IP in VLAN 17 (guest interface): 192.168.17.5

If you have correct DNS resolution, a pop-up web page will appear; otherwise we have to manually open our WLC virtual interface (https://1.1.1.1/login.html). There we have to use the credentials created in Step 4.

WiredGuest9

WiredGuest10