This is where I'm at.
VLAN ID | Network | Subnet |
61 | 192.168.61.0 | /24 |
62 | 192.168.62.0 | /24 |
63 | 192.168.63.0 | /24 |
64 | 192.168.64.0 | /24 |
65 | 192.168.65.0 | /24 |
Create above guest VLANs on master and local controllers.
Don’t assign guest VLANs to an interface.
Assign DHCP helper address on guest VLANs on master (Windows server is doing DHCP)
Add the guest VLANs to the Guest VAP
Create a GRE tunnel from local controller to master (tunnel ID 1,2,3,4,5,6,etc)
Assign guest VLANs to the GRE tunnel
Make GRE tunnel trusted on local end and untrusted on master
Default gateway on guest VLANs should be master controller
Source NAT the VLANs on the master controller
The gateway on interface which guest traffic goes out over is ISA server (guest proxy server)
- This can be done by changing the default gateway on the master to be the ISA server
Commands to create GRE tunnel
- conf t
- int tunnel 1
- tunnel vlan 61,62,63,64,65
- mtu 1492 (to ensure GRE tunnel "fits" in IPsec tunnel)
- trusted (untrusted on master)
- tunnel src & dst on local
  - tunnel dest <master controller IP>
  - tunnel source <local controller IP>
- tunnel src & dst on master
  - tunnel dest <local controller IP>
  - tunnel source <master controller IP>
ip cp-redirect-address 192.168.0.254 (IP on a VLAN on master)
show int tunnel <ID> (to ensure the tunnel is up)
To scale this solution do the following:
- Add extra guest VLANs to master and all local controllers
- Add the extra guest VLANs to the GRE tunnels
- Add the extra guest VLANs to the guest virtual AP profile on the master controller
- Add extra DHCP scopes on Windows server for these extra guest VLANs
Anyone see any issues with that?
James
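
An added example, not part of the original post: a consistency check for the scaling steps above, which flags a guest VLAN missing from either end of a GRE tunnel and a master end left trusted. The command forms follow the post; the IP addresses are constructed placeholders, and treating a missing "trusted" line as untrusted is an assumption.

```python
import re

# Constructed sample configs in the post's command form; the IPs are placeholders.
LOCAL_CFG = """int tunnel 1
 tunnel vlan 61,62,63,64,65
 trusted
 tunnel dest 10.0.0.1
 tunnel source 10.0.1.1"""
# Master side with two deliberate mistakes: VLAN 65 missing and "trusted" set.
MASTER_CFG = """int tunnel 1
 tunnel vlan 61,62,63,64
 trusted
 tunnel dest 10.0.1.1
 tunnel source 10.0.0.1"""

def parse_tunnels(text):
    """Parse 'int tunnel N' stanzas; no 'trusted' line means untrusted (assumption)."""
    tunnels, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.fullmatch(r"int(?:erface)? tunnel (\d+)", line)
        if m:
            cur = tunnels.setdefault(int(m.group(1)), {
                "vlans": set(), "trusted": False, "dest": None, "source": None})
        elif cur is None:
            continue
        elif line.startswith("tunnel vlan "):
            cur["vlans"] |= {int(v) for v in line[12:].split(",")}
        elif line == "trusted":
            cur["trusted"] = True
        elif line.startswith(("tunnel dest ", "tunnel source ")):
            cur[line.split()[1]] = line.split()[2]
    return tunnels

def check_pair(local, master, guest_vlans):
    """Findings per local tunnel vs. its mirrored master tunnel (local trusted, master untrusted)."""
    findings = []
    for tid, lt in sorted(local.items()):
        mt = next((t for t in master.values()
                   if (t["source"], t["dest"]) == (lt["dest"], lt["source"])), None)
        if mt is None:
            findings.append(f"tunnel {tid}: no mirrored tunnel on master")
            continue
        for name, end, want in (("local", lt, True), ("master", mt, False)):
            if missing := sorted(set(guest_vlans) - end["vlans"]):
                findings.append(f"tunnel {tid}: {name} end lacks guest VLANs {missing}")
            if end["trusted"] != want:
                findings.append(f"tunnel {tid}: {name} end trusted={end['trusted']}, want {want}")
    return findings

print("\n".join(check_pair(parse_tunnels(LOCAL_CFG), parse_tunnels(MASTER_CFG), range(61, 66))))
```

Tunnels are paired by mirrored source/dest rather than by tunnel ID, so the master can number its tunnels independently of each local controller.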