Archive for August, 2006

LWAPP Guest access and DHCP

August 1st, 2006 No comments

The Cisco WLC supports guest access in addition to the normal user SSID/VLAN combinations. They've actually built a very nice implementation of it. You can force a splash screen (captive portal) through a web page to make guests sign in and/or accept an Acceptable Use Policy. Providing guest access requires a sensitivity to security issues though. It wouldn't be wise to run the Guest VLAN right into the middle of the network. In the situation I ran into I created a VLAN that didn't terminate on any interfaces inside the network. The SSID for guests had access to the VLAN, and a physical port in the same VLAN was connected to a "DMZ" port on the firewall. That port on the firewall (PIX) was then set with a security level just below that of the outside interface. Works great, except how do you get DHCP to the wireless guest clients?

I tried configuring a DHCP scope on the PIX to no avail. I believe the PIX wasn't allowing the forwarding of DHCP traffic from the Controller. Since the Controller acts as a proxy of sorts, it would be similar to using a broadcast helper pointing at the PIX. I haven't checked to see if that's why it was broken, but it makes sense. The other alternative is either to allow DHCP through the PIX back to the LAN, or to configure a virtual interface and a helper. Either way the guest client is touching an internal DHCP server and we have to be sure the ACLs are dead on so that nothing else gets through. I don't like that idea.

A third alternative is to use the built-in DHCP server on the Controller. Tried that, didn't work. Shane thinks he's found out why. Each virtual interface inside the controller that's tied to an SSID/VLAN combination has the option for "DHCP Override". Naturally I tried this on the interface for the Guest SSID/VLAN. It would seem that the proper place is on the Management interface instead. The scope is still created for the guest subnet, but it's forwarded by the Management interface to the internal DHCP server. That might make some sense. The LWAPP-encapsulated packets are arriving on the Management interface before getting processed and shipped to the appropriate VLAN. As a helper of sorts, it would stand to reason it needs to be on the incoming interface. Just seemed counter-intuitive to me.
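Here is what the guest setup described above looks like in configuration form. This is an added example, not config from the original post: the interface names, VLAN number, addresses and scope ranges are assumptions, and the command forms are the PIX/ASA 7.x and WLC 4.x CLI syntax as I know them, so check them against your own software release. The security-relevant piece is the firewall side: the guest interface's inbound ACL drops anything destined for the RFC 1918 ranges before permitting Internet-bound traffic, so that guests who sit one hop from the firewall can never reach inside even if some other rule is later loosened.

```cisco
! ---- PIX side (assumed PIX/ASA 7.x syntax) ----
! Dedicated guest interface. Security level is assumed; the point is
! that it is low and that nothing inside is reachable from it.
interface Ethernet2
 nameif guest
 security-level 5
 ip address 192.168.200.1 255.255.255.0
 no shutdown
!
! Guest clients may only leave toward the Internet. Explicit denies for
! all private ranges come first so the trailing permit cannot leak
! anything internal. Addresses are assumed for the example.
access-list GUEST_IN extended deny ip any 10.0.0.0 255.0.0.0
access-list GUEST_IN extended deny ip any 172.16.0.0 255.240.0.0
access-list GUEST_IN extended deny ip any 192.168.0.0 255.255.0.0
access-list GUEST_IN extended permit ip 192.168.200.0 255.255.255.0 any
access-group GUEST_IN in interface guest
!
! Guests still need NAT out the outside interface (assumed outside
! address 203.0.113.2).
global (outside) 1 203.0.113.2
nat (guest) 1 192.168.200.0 255.255.255.0

! ---- WLC side (assumed WLC 4.x CLI syntax) ----
! Dynamic interface for the guest VLAN (VLAN 200 assumed), attached to
! the port that is cabled to the PIX guest interface.
config interface create guest 200
config interface address guest 192.168.200.2 255.255.255.0 192.168.200.1
config interface vlan guest 200
config interface port guest 1
!
! Internal DHCP scope for the guest subnet.
config dhcp create-scope guest-scope
config dhcp network guest-scope 192.168.200.0 255.255.255.0
config dhcp address-pool guest-scope 192.168.200.10 192.168.200.200
config dhcp default-router guest-scope 192.168.200.1
config dhcp enable guest-scope
!
! Following the post's finding: the DHCP server pointer goes on the
! management interface (assumed management address 10.10.10.5) and
! points at the controller itself so the internal scope answers.
config interface dhcp management primary 10.10.10.5
!
! Guest WLAN (assumed WLAN id 2) mapped to the guest interface with
! web authentication (the captive portal) enabled.
config wlan interface 2 guest
config wlan security web-auth enable 2
config wlan enable 2
```

A quick check after applying this: a guest client should get a 192.168.200.x lease, reach the Internet, and fail to ping any 10.x, 172.16.x or 192.168.x address other than its own gateway. If the ping to an internal host succeeds, the ACL order or the access-group binding is wrong.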

Categories: Networking

Cisco Wireless Controllers are not like APs!

August 1st, 2006 No comments

That’s a little tongue in cheek. Obviously they aren’t. But what I’ve learned over the last few weeks is that there are fundamental differences in how you order an LWAPP solution.

First is power. This isn't so much a problem with the Controller as it is with the 1000 series AP. The 1000s come directly from the Airespace acquisition, and as all Cisco acquisitions go, they are different from the rest of the product line, at least for a revision or two. Case in point: the 1000s use 802.3af for power. No problem, you say, you have a PoE switch. Great, but what if you don't have one and are only deploying, say, 9 APs? A dedicated switch for 9 APs might be a little overkill, so injectors are your next choice. Here's where it's different. Older Cisco APs include a transformer for providing local power. This is great if you have one or two APs. The 1000s don't include any transformer. Also, if you want to use an injector with your older Cisco AP, you buy a less expensive injector that's little more than an "injector"; you still have to take the transformer that was included with your AP and plug it into the injector. The PoE injectors for the 1000 series are actually transformers too! This jacks the price up to double the normal injector price!

Another caveat with the Controller is related to the physical ports for connecting the box. With the 4402, and I think the 4404 also, there are several ports available. The service port (RJ45) is basic and not useful for much more than startup configuration. The serial port (DB9) is the primary method for accessing the startup wizard. I think you have additional functionality there, but let's face it, this thing was designed to be used through the web interface. The remaining three ports are for network connectivity, including user VLANs and the management VLAN/interface. Now here's the part that's hidden deep in a Cisco document with only one small asterisk. One port is RJ45 and the other two are SFPs. The RJ45 is labeled "Utility". This port looks like it could be a user port just like the two SFPs. It's even 10/100/1000, so you'd think they were intending it to carry user traffic. In fact there's nothing to suggest it can't be 1 of 3 ports. Except it can't. This asterisk note says that it's for future use only. Talk about a needle in a haystack! The port provides link, looks like it's working, but does absolutely nothing. What the hell! Moral of the story: don't think you can get away with copper GE links for the Controller!

Otherwise, the Controller is very easy to work with and does some very cool stuff. More on that later.

Categories: Networking

Happy belated birthday to me

August 1st, 2006 No comments

Yep, that's right. I hit the big 3-4 a couple of days ago. Why didn't I post about the momentous occasion at that time? I was partying, of course! If you consider working late on your birthday partying. Yes, I'm officially at the point where my birthday just doesn't matter much any more. And I'm cool with that. In fact, it really has become "all about the kids" and I'm even more OK with that.

The only problem is I feel so old at times. This body ain't getting any younger. And I have to wonder, if I feel like this now, how will I feel when I'm 40, 50, 60?

Still, for all the griping, things are pretty good. I'm incredibly fortunate to live in the USA during a highly prosperous and safe time. To have a wonderful wife that I love very much. To have pretty good kids (most of the time!). To have a decent job that I enjoy (even if I wish they paid me more). To have a loving family around me.

Yeah... maybe 34 isn't so bad after all.

Categories: Cruft