Tuesday, March 4, 2014

Configuring Cisco WLAN with multiple SSIDs in different VLANs - Part 1


Note: screenshots and configuration examples use a Cisco 2500 series WLAN controller (aka WLC). The Cisco 2500 series controller is connected to a Cisco 3750 or 3650 L3 switch. This article assumes that inter-VLAN routing is already working and only the WLAN controller needs to be configured.

Enterprise networks are usually multi-VLAN environments. The Wi-Fi access points provide access to each of these VLANs by broadcasting a different SSID for each one, with each SSID attached to its own WLAN profile. Let's say we want to configure our WLAN controller to broadcast two SSIDs, namely:

1. GUEST on VLAN 5 (10.8.5.0/24);
2. IT-Department on VLAN 13 (10.8.6.0/24);

Also, let's assume VLAN 219 is pre-configured with the following information:

1. VLAN 219 is NETWORK-VLAN (10.8.219.0/24);
2. the interface Vlan219 IP address is 10.8.219.1;
3. a DHCP server located in VLAN 219 has IP address 10.8.219.50/24;
4. the WLAN controller will be configured with IP address 10.8.219.251 in VLAN 219;
5. the access points (APs) use 10.8.219.248-250, also in VLAN 219.

There are two parts to this task. The first is the VLAN configuration required on our 3750/3650 layer 3 switch, which is discussed in this article. Part 2 is configuring our WLAN controller with the WLAN profiles, SSIDs, and interfaces. For brevity, I will skip inter-VLAN configuration and assume that the network converges and inter-VLAN routing is configured properly.

Part 1: Configure the 3750/3650 layer 3 switch

1. Configure the port in our L3 switch that faces the WLC as a trunk:


  interface GigabitEthernet1/0/23
   description *** LINK TO WIRELESS-CONTROLLER ***
   switchport trunk encapsulation dot1q
   ! the VLAN list takes no spaces after the commas
   switchport trunk allowed vlan 5,13
   switchport mode trunk
   ! The next commands are optional
   switchport trunk native vlan 219
   udld port aggressive

  • "switchport trunk allowed vlan <ID>" explicitly defines which VLANs are allowed on the interface. In this case, only VLANs 5 (Guest) and 13 (IT-Department) are allowed. This is optional, but I recommend it to minimize broadcasts traversing the trunk. Note that the allowed list also governs the native VLAN: if the WLC management interface and the APs sit untagged in VLAN 219, VLAN 219 must be added to this list, or that traffic is not carried across the trunk.
  • "switchport trunk native vlan <ID>" changes the native VLAN, i.e. the VLAN whose frames cross the trunk untagged. By default the native VLAN is 1; because that default is well known, we change it. This command is optional.
  • "udld port aggressive" is optional. It detects a unidirectional link (one direction of the cable or fibre failing) and shuts the port down (err-disable) so the failure cannot cause a spanning-tree loop. Both ends of the link must support UDLD aggressive mode for it to work.

 2. Configure the VLANs.

 In this example (for simplicity), we will only create two VLANs with /24 subnets. First we create the VLANs. I usually create VLANs with names so I can easily identify them.

  Cisco 3750(config)#vlan 5
  Cisco 3750(config-vlan)#name GUEST
  Cisco 3750(config-vlan)#vlan 13
  Cisco 3750(config-vlan)#name IT
  Cisco 3750(config-vlan)#exit
  Cisco 3750(config)#


Then verify that the VLANs were created:

Cisco 3750(config)#end
Cisco 3750#show vlan

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
5    GUEST                            active
13   IT                               active
219  NETWORK-VLAN                     active    Gi1/0/24

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup


     == output truncated for brevity ==

Then, we create the VLAN interfaces and assign the IP addresses. The "ip helper-address" command is necessary if the DHCP server is not in the same VLAN as the interface we are configuring: it relays the clients' DHCP broadcasts to the server as unicast.

  interface Vlan5
   description GUEST
   ip address 10.8.5.254 255.255.255.0
   ! applied inbound: the ACL matches packets sourced by the guest clients
   ip access-group DENY_VLAN_5 in
   ! the DHCP server sits in VLAN 219 (see the assumptions above)
   ip helper-address 10.8.219.50

  interface Vlan13
   description IT-DEPARTMENT
   ip address 10.8.6.1 255.255.255.0
   no ip unreachables
   ip helper-address 10.8.219.50

 3. Configure the access-list so that the GUEST VLAN can reach the internet only, and not the internal LAN

  ip access-list extended DENY_VLAN_5
   ! DHCP only (UDP ports 67 and 68) from the guest subnet to the DHCP server
   permit udp 10.8.5.0 0.0.0.255 host 10.8.219.50 range 67 68
   deny   ip 10.8.5.0 0.0.0.255 10.0.0.0 0.255.255.255
   permit ip any any


In this access-list, notice that the only traffic allowed into the 10.8.0.0/16 network is to 10.8.219.50 on ports 67 and 68 (the ports DHCP requires). The configuration does not allow DNS traffic to the internal network! That is because the DHCP server should be configured to assign a public DNS server (i.e. 8.8.8.8). This minimizes the traffic reaching the internal 10.8.0.0/16 network.

Next, we assign the ACL to interface VLAN 5 (GUEST):

  interface Vlan5
    description GUEST
    ip address 10.8.5.254 255.255.255.0
    ! applied inbound: the ACL matches packets sourced by the guest clients
    ip access-group DENY_VLAN_5 in
    ip helper-address 10.8.219.50


 4. Alternative configuration - Configure a DHCP pool on the switch for the GUEST VLAN, then configure an access-list that ensures the GUEST VLAN only communicates with the internet

For a Guest VLAN I usually do not use the internal DHCP server at all. This is because, as mentioned in step 3 above, I do not want ANY communication from the Guest VLAN to my internal network 10.8.0.0/16. Instead, I configure the DHCP pool on the switch itself:

  ip dhcp pool GUEST
    network 10.8.5.0 255.255.255.0
    ! the default router must be the Vlan5 interface address
    default-router 10.8.5.254
    dns-server 8.8.8.8 4.2.2.2


With the switch-based DHCP for GUEST, my GUEST VLAN access-list is simplified to:

  ip access-list extended DENY_VLAN_5
   ! an extended ACL is needed to match on the destination; the name is case-sensitive
   deny   ip any 10.0.0.0 0.255.255.255
   permit ip any any


  interface Vlan5
    description GUEST
    ip address 10.8.5.254 255.255.255.0
    ! applied inbound; no ip helper-address, since the switch itself serves DHCP
    ip access-group DENY_VLAN_5 in


Isn't this much simpler? Now, all required configuration in the L3 switch is complete. We will now configure our WLAN Controller.
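To check the intent of both GUEST ACLs (step 3 and step 4) before putting them on the switch, here is an added Python example that is not from the original post: it implements Cisco wildcard-mask matching with first-match semantics and runs constructed guest flows through both ACLs. The guest client 10.8.5.20 and the public addresses are assumed.

```python
# Added example (not from the original post): a minimal evaluator for Cisco-style
# extended ACLs, used to check the intent of both GUEST ACL variants before deployment.
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

# Entry: (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port_range or None).
# "host X" is X with wildcard 0.0.0.0; "any" is 0.0.0.0 with wildcard 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
# Step 3 ACL: the DHCP server 10.8.219.50 lives in VLAN 219, so UDP 67-68 to it is allowed.
DENY_VLAN_5 = [
    ("permit", "udp", "10.8.5.0", "0.0.0.255", "10.8.219.50", "0.0.0.0", (67, 68)),
    ("deny",   "ip",  "10.8.5.0", "0.0.0.255", "10.0.0.0", "0.255.255.255", None),
    ("permit", "ip",  *ANY, *ANY, None),
]
# Step 4 ACL: DHCP is served by the switch itself, so nothing into 10/8 is needed.
DENY_VLAN_5_LOCAL_DHCP = [
    ("deny",   "ip", *ANY, "10.0.0.0", "0.255.255.255", None),
    ("permit", "ip", *ANY, *ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; anything unmatched hits the implicit 'deny ip any any'."""
    for action, p, sb, sw, db, dw, ports in acl:
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw)):
            continue
        if ports and (dport is None or not ports[0] <= dport <= ports[1]):
            continue
        return action
    return "deny"

# Constructed sample flows (protocol, src, dst, dst port) from the guest client 10.8.5.20.
GUEST_FLOWS = {
    "dhcp_renew":     ("udp", "10.8.5.20", "10.8.219.50", 67),
    "dhcp_discover":  ("udp", "0.0.0.0", "255.255.255.255", 67),
    "internal_ssh":   ("tcp", "10.8.5.20", "10.8.6.10", 22),
    "internal_dns":   ("udp", "10.8.5.20", "10.8.219.50", 53),
    "public_dns":     ("udp", "10.8.5.20", "8.8.8.8", 53),
    "web":            ("tcp", "10.8.5.20", "203.0.113.10", 443),
    # A reply packet is what an outbound ACL on Vlan5 would see: the step 3 deny
    # line never matches it, which is why the ACL is applied inbound on the SVI.
    "reply_to_guest": ("tcp", "10.8.6.10", "10.8.5.20", 22),
}

def check(acl):
    """Evaluate every sample flow against one ACL; returns {flow name: verdict}."""
    return {name: evaluate(acl, *flow) for name, flow in GUEST_FLOWS.items()}
```

Running check() on both ACLs shows the DHCP renewal permitted only by the step 3 version, everything else into 10/8 denied, and internet-bound flows permitted by both.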

Part 2: Configure the WLAN Controller

<Please click the link to proceed to Part 2>
