Hi,
Rather than do the routing on the controller for guest access, I was looking into just dropping the unauthenticated guest onto a dedicated VLAN in a DMZ, which hands off to a dedicated guest router within a firewall complex, which forwards DHCP to a remote server, and also an Amigopod for guest auth - two fewer things for the controller to worry about, so it can focus on wireless and enforcement and scale up well.
When attached via a wire to this DMZ you can get to the web (DHCP, DNS and HTTP(S) work OK, as I connected a laptop to this VLAN).
This avoids difficult decisions about default routes. (Pity there's no VRF support.)
Now I labbed this and it all seemed to work really well; very happy, a really nice and clean solution for the firm's needs. I put an IP on the VLAN interface, as I found in the lab through sniffers that I needed this, since it uses it for the connection to Amigopod (I disable inter-VLAN routing) - but, for some reason, on the production controller things don't work out OK.
The datapath session table shows a loss of state and is denying traffic; the user-role is configured to permit the traffic it is denying (I even used an allow-all to test; sometimes it works, sometimes not). Interestingly enough, it did work in the lab (same code, different platform). Has anyone had similar issues?
I worry I need a fresh set of eyes, hence the post. If I am not doing anything too stupid here I'll go to TAC.
Thanks in advance,
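For anyone reading this later, here is the controller-side skeleton that the design described above implies (L3 guest VLAN with an address, DHCP relayed to the remote server, inter-VLAN routing off, and a pre-auth role that only lets guests reach the Amigopod login page). This is an added example, not the original poster's configuration: the syntax is ArubaOS 6.x-style as I recall it, and VLAN 200, the 10.200.0.0/24 range, the DHCP server 10.50.1.10, the Amigopod host 10.50.1.20 and its login-page path, and port 1/1 are all placeholders. Verify each command against your own platform's CLI help before pasting it.

```text
! Guest VLAN: L3 interface so the controller can source the Amigopod
! connection, DHCP relayed to the remote server, no inter-VLAN routing.
! (All addresses, VLAN and port numbers are placeholders.)
vlan 200
interface vlan 200
  ip address 10.200.0.2 255.255.255.0
  ip helper-address 10.50.1.10
  no ip routing
!
! Uplink into the DMZ: only the guest VLAN is carried on this trunk,
! so a misconfigured guest port cannot land on an internal VLAN.
interface gigabitethernet 1/1
  description "guest DMZ uplink"
  trusted
  switchport mode trunk
  switchport trunk allowed vlan 200
!
! Pre-auth role: unauthenticated guests may only reach the Amigopod
! login page (plus DHCP/DNS via the built-in logon-control ACL) and are
! redirected there by the captive-portal profile.
netdestination amigopod
  host 10.50.1.20
ip access-list session amigopod-access
  user alias amigopod svc-http permit
  user alias amigopod svc-https permit
aaa authentication captive-portal guest-cp
  login-page "https://10.50.1.20/guest/guest_login.php"
  default-role guest
  switchip-in-redirection-url
user-role guest-logon
  captive-portal guest-cp
  access-list session logon-control
  access-list session amigopod-access
  access-list session captiveportal
!
! Post-auth role: allowall is the crude test the post mentions;
! replace it with an ACL that denies the DMZ/management hosts
! before this goes into production.
user-role guest
  access-list session allowall
!
aaa profile guest-aaa
  initial-role guest-logon
!
! Checks to run when the datapath is denying sessions it should permit:
!   show user-table verbose            (which role did the client land in?)
!   show rights guest                  (what the role actually expands to)
!   show datapath session table 10.200.0.50   (flags on the denied flows)
!   show acl hits                      (which ACL line is matching)
```

The interface address on VLAN 200 is what the controller uses to talk to the Amigopod server, so it must be reachable from the DMZ even with routing off for the VLAN; if the production controller is sourcing that traffic from a different interface than the lab one did, the session table entries will look exactly like the loss of state described above.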