WLAN – DMZ Logic

Switch6
vlan 777
 name WLAN_MGMT
!
hostname SW6
!
!
ip dhcp excluded-address 192.10.10.1 192.10.10.199
ip dhcp excluded-address 192.10.20.1 192.10.20.199
!
ip dhcp pool VLAN10
 network 192.10.10.0 255.255.255.0
 default-router 192.10.10.1
!
ip dhcp pool VLAN20
 network 192.10.20.0 255.255.255.0
 default-router 192.10.20.1
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/2
 negotiation auto
!
interface Vlan10
 ip address 192.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 192.10.20.1 255.255.255.0
!
interface Vlan777
 ip address 192.10.77.1 255.255.255.0
!
ip route 192.168.0.0 255.255.248.0 192.10.10.10
ip route 192.168.0.0 255.255.248.0 192.10.20.10
ip route 192.168.1.0 255.255.255.0 192.10.10.10
ip route 192.168.77.0 255.255.255.0 192.10.10.10
ip route 192.168.77.0 255.255.255.0 192.10.20.10 2
ip route 192.168.78.0 255.255.255.0 192.10.10.10
ip route 192.168.78.0 255.255.255.0 192.10.20.10 2

C9800L-Internal
hostname 9800INT
!
vlan 777
 name WLAN_MGMT
!
interface GigabitEthernet1
 switchport trunk native vlan 777
 switchport mode trunk
 negotiation auto
 no mop enabled
 no mop sysid
!
interface Vlan777
 ip address 192.10.77.11 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.10.77.1
!
wireless mobility group member mac-address 001e.bd43.10ff ip 192.168.77.10 public-ip 192.168.77.10 group 9800DMZ
wireless mobility group name 9800INT
wireless mobility mac-address 001e.7a88.19ff
wireless management interface Vlan777

ASAv-Internal
hostname ASAvInt
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif INSIDE_10
 security-level 100
 ip address 192.10.10.10 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif INSIDE_20
 security-level 100
 ip address 192.10.20.10 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.30
 vlan 30
 nameif OUTSIDE_30
 security-level 0
 ip address 192.13.30.10 255.255.255.0
!
interface GigabitEthernet0/2
 nameif INSIDE_LAB
 security-level 100
 ip address 10.0.0.61 255.255.255.192
!
route INSIDE_LAB 10.0.14.0 255.255.255.192 10.0.0.11 1
route INSIDE_LAB 10.0.206.0 255.255.255.192 10.0.0.11 1
route INSIDE_10 172.18.10.0 255.255.255.0 192.10.10.1 1
route INSIDE_20 172.18.10.0 255.255.255.0 192.10.20.1 2
route INSIDE_10 172.18.20.0 255.255.255.0 192.10.10.1 1
route INSIDE_20 172.18.20.0 255.255.255.0 192.10.20.1 2
route INSIDE_10 192.10.77.0 255.255.255.0 192.10.10.1 1
route INSIDE_20 192.10.77.0 255.255.255.0 192.10.20.1 2
route OUTSIDE_30 192.168.0.0 255.255.248.0 192.13.30.1 1
route OUTSIDE_30 192.168.77.0 255.255.255.0 192.13.30.1 1
route OUTSIDE_30 192.168.78.0 255.255.255.0 192.13.30.1 1

SW100
hostname SW100
!
vlan 30,778
!
interface Loopback0
 ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
 ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
 ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
 ip address 192.168.3.1 255.255.255.0
!
interface Loopback4
 ip address 192.168.4.1 255.255.255.0
!
interface Loopback5
 ip address 192.168.5.1 255.255.255.0
!
interface Vlan30
 ip address 192.13.30.1 255.255.255.0
!
interface Vlan778
 ip address 192.168.78.2 255.255.255.192
!
ip route 0.0.0.0 0.0.0.0 192.168.78.1
ip route 192.10.10.0 255.255.255.0 192.13.30.10
ip route 192.10.20.0 255.255.255.0 192.13.30.10
ip route 192.10.77.0 255.255.255.0 192.13.30.10

WLAN_DMZ_SWITCH
hostname WLAN_SWITCH
!
vlan 10
 name DMZ_WLAN_GUEST
!
vlan 20
 name BYOD
!
vlan 777
 name WLAN_MGMT
!
vlan 778
 name DMZ_MGMT
!
interface Port-channel17
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
!
interface GigabitEthernet0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 negotiation auto
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
 negotiation auto
 channel-group 17 mode on
!
interface GigabitEthernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 777
 switchport mode trunk
 negotiation auto
 channel-group 17 mode on
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 778
 switchport mode trunk
 negotiation auto
!
interface Vlan10
 ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
 ip address 172.16.20.1 255.255.255.0
!
interface Vlan777
 ip address 192.168.77.1 255.255.255.0
!
interface Vlan778
 ip address 192.168.78.1 255.255.255.0
!
ip forward-protocol nd
!
ip http server
!
ip route 192.10.10.0 255.255.255.0 192.168.78.2
ip route 192.10.20.0 255.255.255.0 192.168.78.2
ip route 192.10.77.0 255.255.255.0 192.168.78.2
ip route 192.13.30.0 255.255.255.0 192.168.78.2
ip route 192.168.0.0 255.255.248.0 192.168.78.2

9800DMZ
hostname 9800DMZ
!
vlan 10,20,777
!
interface Port-channel17
 switchport trunk native vlan 777
 switchport trunk encapsulation dot1q
 switchport mode trunk
 no mop enabled
 no mop sysid
!
interface GigabitEthernet1
 switchport trunk native vlan 777
 switchport mode trunk
 negotiation auto
 no mop enabled
 no mop sysid
 channel-group 17 mode on
!
interface GigabitEthernet2
 switchport trunk native vlan 777
 switchport mode trunk
 negotiation auto
 no mop enabled
 no mop sysid
 channel-group 17 mode on
!
interface GigabitEthernet3
 negotiation auto
 no mop enabled
 no mop sysid
!
interface Vlan1
 no ip address
 no mop enabled
 no mop sysid
!
interface Vlan777
 ip address 192.168.77.10 255.255.255.0
 no mop enabled
 no mop sysid
!
ip route 0.0.0.0 0.0.0.0 192.168.77.1
ip route 192.10.77.11 255.255.255.255 192.168.77.1
ip route 192.10.78.0 255.255.255.0 192.168.77.1
!

ASAv-External
hostname ASAvEXT
!
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif INSIDE10
 security-level 100
 ip address 172.16.10.10 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif INSIDE20
 security-level 100
 ip address 172.16.20.10 255.255.255.0
!
route INSIDE10 192.13.30.0 255.255.255.0 172.16.10.1 1
route INSIDE20 192.13.30.0 255.255.255.0 172.16.20.1 2
route INSIDE10 192.168.0.0 255.255.248.0 172.16.10.1 1
route INSIDE20 192.168.0.0 255.255.248.0 172.16.20.1 2
route INSIDE10 192.168.77.0 255.255.255.0 172.16.10.1 1
route INSIDE20 192.168.77.0 255.255.255.0 172.16.20.1 2
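
The static routes on the six devices above only work as a whole if they agree with each other: every next hop has to sit in a connected subnet of the device that uses it (and, on the ASA, on the named interface), and it has to be an address some other device in the lab actually owns. The script below is an added example, not part of the original post. It parses IOS `ip route` and ASA `route <nameif>` lines from abbreviated, constructed copies of the configs above and reports inconsistencies, including directly connected peers whose masks disagree. The device names are the page's; the extra 10.9.9.0/24 route on 9800DMZ is a deliberately broken entry added here to show what a finding looks like.

```python
"""Cross-check static-route next hops across the device configs above.

Added example, not from the original post: for each IOS `ip route` or ASA
`route <nameif>` line, confirm the next hop lies in one of the device's own
connected subnets (and on the named ASA interface) and is an address configured
on another device in the set; also flag connected peers whose masks disagree.
CONFIGS are abbreviated, constructed copies of the page's dumps.
"""
import ipaddress
import re

CONFIGS = {
    "SW6": """interface Vlan10
 ip address 192.10.10.1 255.255.255.0
interface Vlan777
 ip address 192.10.77.1 255.255.255.0
ip route 192.168.77.0 255.255.255.0 192.10.10.10""",
    "ASAvInt": """interface GigabitEthernet0/0.10
 nameif INSIDE_10
 ip address 192.10.10.10 255.255.255.0
interface GigabitEthernet0/1.30
 nameif OUTSIDE_30
 ip address 192.13.30.10 255.255.255.0
route INSIDE_10 192.10.77.0 255.255.255.0 192.10.10.1 1
route OUTSIDE_30 192.168.77.0 255.255.255.0 192.13.30.1 1""",
    "SW100": """interface Vlan30
 ip address 192.13.30.1 255.255.255.0
interface Vlan778
 ip address 192.168.78.2 255.255.255.192
ip route 0.0.0.0 0.0.0.0 192.168.78.1
ip route 192.10.77.0 255.255.255.0 192.13.30.10""",
    "WLAN_SWITCH": """interface Vlan777
 ip address 192.168.77.1 255.255.255.0
interface Vlan778
 ip address 192.168.78.1 255.255.255.0
ip route 192.10.77.0 255.255.255.0 192.168.78.2""",
    "9800INT": """interface Vlan777
 ip address 192.10.77.11 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.10.77.1""",
    "9800DMZ": """interface Vlan777
 ip address 192.168.77.10 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.77.1
ip route 10.9.9.0 255.255.255.0 192.168.78.1""",  # constructed: next hop not connected
}

IP_ADDR = re.compile(r"^ ip address (\S+) (\S+)$")
IOS_ROUTE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?$")
ASA_ROUTE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?$")

def parse_interfaces(text):
    """Yield (label, IPv4Interface); label is the ASA nameif or the IOS interface name."""
    name = nameif = None
    for line in text.splitlines():
        if line.startswith("interface "):
            name, nameif = line.split()[1], None
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif m := IP_ADDR.match(line):
            yield nameif or name, ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")

def parse_routes(text):
    """Yield (asa_nameif_or_None, IPv4Network, next_hop, admin_distance)."""
    for line in text.splitlines():
        if m := IOS_ROUTE.match(line):
            via, (dest, mask, nh, ad) = None, m.groups()
        elif m := ASA_ROUTE.match(line):
            via, dest, mask, nh, ad = m.groups()
        else:
            continue
        yield (via, ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
               ipaddress.IPv4Address(nh), int(ad or 1))

def check_routes(configs):
    """Return sorted (device, item, problem) findings; an empty list means consistent."""
    ifaces = {dev: list(parse_interfaces(txt)) for dev, txt in configs.items()}
    owners = {i.ip: dev for dev, lst in ifaces.items() for _, i in lst}
    findings = []
    for dev, txt in configs.items():
        for via, dest, nh, ad in parse_routes(txt):
            route = f"{dest} via {nh} (ad {ad})"
            on_ifaces = [label for label, i in ifaces[dev] if nh in i.network]
            if not on_ifaces:
                findings.append((dev, route, "next hop is not in any connected subnet"))
            elif via and via not in on_ifaces:
                findings.append((dev, route, f"next hop is not reachable on {via}"))
            owner = owners.get(nh)
            if owner is None:
                findings.append((dev, route, "next hop is not an address on any device shown"))
            elif owner == dev:
                findings.append((dev, route, "next hop is the device's own address"))
    # Directly connected peers must agree on the subnet mask.
    for dev, lst in ifaces.items():
        for _, i in lst:
            for peer, plst in ifaces.items():
                for _, j in plst:
                    if peer > dev and (i.ip in j.network or j.ip in i.network) and i.network != j.network:
                        findings.append((dev, str(i), f"mask differs from {peer} {j}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_routes(CONFIGS):
        print(*finding, sep="  ")
```

Run against the sample it reports two things: the constructed 10.9.9.0/24 route whose next hop is not on any 9800DMZ subnet, and the /26 versus /24 mask mismatch between SW100 Vlan778 and WLAN_SWITCH Vlan778 that is present in the page's own configs (it works today because both addresses fall inside the smaller subnet, but any host in the upper part of 192.168.78.0/24 would be unreachable from SW100).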

Test ICMP and SSH connectivity between the internal and DMZ WLCs

Allow ICMP and SSH between the two WLC management addresses, 192.10.77.11 (9800INT) and 192.168.77.10 (9800DMZ), on the firewall in the path. The mobility tunnel itself additionally needs UDP 16666 (control) and UDP 16667 (data) between the same two addresses.

Mobility Tunnel

C9800 Internal

wireless mobility group member mac-address 001e.bd43.10ff ip 192.168.77.10 public-ip 192.168.77.10 group 9800DMZ
wireless mobility group name 9800INT
wireless mobility mac-address 001e.7a88.19ff

C9800 DMZ

wireless mobility group member mac-address 001e.7a88.19ff ip 192.10.77.11 public-ip 192.10.77.11 group 9800INT
wireless mobility group name 9800DMZ
wireless mobility mac-address 001e.bd43.10ff
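
The two snippets above are mirror images: the member entry on each controller names the other's mobility MAC, management IP and group, and the peer's own `wireless mobility mac-address` and `wireless mobility group name` have to match it, with a matching entry pointing back. A single wrong hex digit leaves the tunnel down with nothing obviously broken in either config. The script below is an added example, not from the original post; it cross-checks the two controllers, with the management-interface address lines from their configs embedded so it runs offline, and includes a constructed broken copy to show what a mismatch looks like.

```python
"""Cross-check a pair of C9800 mobility-peer configurations.

Added example, not from the original post. Each `wireless mobility group
member` entry on one controller must be mirrored by the peer's own mobility
MAC, group name and management-interface address, and the peer must carry a
matching entry back; otherwise the tunnel stays down. CONFIGS are constructed
from the page's snippets with the management-interface lines added.
"""
import re

CONFIGS = {
    "9800INT": """interface Vlan777
 ip address 192.10.77.11 255.255.255.0
wireless mobility group member mac-address 001e.bd43.10ff ip 192.168.77.10 public-ip 192.168.77.10 group 9800DMZ
wireless mobility group name 9800INT
wireless mobility mac-address 001e.7a88.19ff
wireless management interface Vlan777""",
    "9800DMZ": """interface Vlan777
 ip address 192.168.77.10 255.255.255.0
wireless mobility group member mac-address 001e.7a88.19ff ip 192.10.77.11 public-ip 192.10.77.11 group 9800INT
wireless mobility group name 9800DMZ
wireless mobility mac-address 001e.bd43.10ff
wireless management interface Vlan777""",
}
# Constructed failure case: one hex digit wrong in the DMZ controller's own mobility MAC.
BROKEN = {**CONFIGS, "9800DMZ": CONFIGS["9800DMZ"].replace(
    "mac-address 001e.bd43.10ff", "mac-address 001e.bd43.10fe")}

MEMBER = re.compile(
    r"^wireless mobility group member mac-address (\S+) ip (\S+) public-ip (\S+) group (\S+)$")


def parse_wlc(text):
    """Return the controller's management IP, mobility MAC, group name and member entries."""
    wlc = {"members": [], "addrs": {}, "mgmt_if": None, "mac": None, "group": None}
    cur = None
    for line in text.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
        elif cur and line.startswith(" ip address "):
            wlc["addrs"][cur] = line.split()[2]
        elif line.startswith("wireless mobility group name "):
            wlc["group"] = line.split()[-1]
        elif line.startswith("wireless mobility mac-address "):
            wlc["mac"] = line.split()[-1].lower()
        elif line.startswith("wireless management interface "):
            wlc["mgmt_if"] = line.split()[-1]
        elif m := MEMBER.match(line):
            mac, ip, pub, grp = m.groups()
            wlc["members"].append({"mac": mac.lower(), "ip": ip, "public_ip": pub, "group": grp})
    wlc["mgmt_ip"] = wlc["addrs"].get(wlc["mgmt_if"])
    return wlc


def check_mobility(configs):
    """Return (controller, problem) findings; an empty list means the peers agree."""
    wlcs = {name: parse_wlc(txt) for name, txt in configs.items()}
    by_ip = {w["mgmt_ip"]: name for name, w in wlcs.items() if w["mgmt_ip"]}
    findings = []
    for name, w in wlcs.items():
        if not w["mgmt_ip"]:
            findings.append((name, "management interface has no address"))
        for mem in w["members"]:
            if mem["ip"] != mem["public_ip"]:
                findings.append((name, f"peer {mem['ip']} is configured as NAT-ed (public-ip {mem['public_ip']})"))
            pname = by_ip.get(mem["ip"])
            if pname is None:
                findings.append((name, f"no controller in the set owns peer address {mem['ip']}"))
                continue
            p = wlcs[pname]
            if p["mac"] != mem["mac"]:
                findings.append((name, f"{pname} mobility MAC is {p['mac']}, member entry says {mem['mac']}"))
            if p["group"] != mem["group"]:
                findings.append((name, f"{pname} group is {p['group']}, member entry says {mem['group']}"))
            back = [x for x in p["members"] if x["ip"] == w["mgmt_ip"]]
            if not back:
                findings.append((name, f"{pname} has no member entry pointing back to {w['mgmt_ip']}"))
            elif (back[0]["mac"], back[0]["group"]) != (w["mac"], w["group"]):
                findings.append((name, f"{pname}'s entry for {name} carries mac {back[0]['mac']} group {back[0]['group']}"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("as configured", CONFIGS), ("with MAC typo", BROKEN)):
        print(label, check_mobility(cfg) or "OK")
```

The configured pair passes clean; the copy with the typo produces two findings, one from each side, which is the symptom to expect on a real pair where `show wireless mobility summary` never leaves the Control Path Down state.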

Test reachability from the internal WLC to internal networks
9800INT# tclsh
9800INT(tcl)#  foreach VAR {
+>
+>192.168.0.1
+>192.168.1.1
+>192.168.2.1
+>192.168.3.1
+>192.168.4.1
+>192.168.5.1
+>192.168.78.2
+>
+>
+>} { puts [exec "ping $VAR"] }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 61/79/109 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 54/78/96 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/72/135 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 41/53/80 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 38/51/61 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 43/71/120 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/119/179 ms

9800INT(tcl)#

Test reachability from the internal WLC to external firewall networks
9800INT(tcl)#  foreach VAR {
+>
+>172.16.10.10
+>172.16.20.10
+>
+>} { puts [exec "ping $VAR"] }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/86/113 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 73/81/85 ms

9800INT(tcl)#
