Switch6
! SW6: internal L3 switch. Serves DHCP for VLAN 10/20, is the gateway for the
! internal VLANs and the WLAN management VLAN (777), and routes toward the DMZ
! side through the two inside subinterfaces of ASAvInt.
vlan 777
name WLAN_MGMT
!
hostname SW6
!
!
! DHCP: .1-.199 of each /24 is reserved for infrastructure; leases come from the
! remainder of the subnet.
ip dhcp excluded-address 192.10.10.1 192.10.10.199
ip dhcp excluded-address 192.10.20.1 192.10.20.199
! NOTE(review): 192.10.0.0/16 and 192.13.0.0/16 (used throughout this lab) are
! publicly routable, not RFC 1918. If the lab ever gets an Internet path these
! prefixes shadow real destinations; RFC 1918 or the RFC 5737 documentation
! ranges avoid that.
!
ip dhcp pool VLAN10
network 192.10.10.0 255.255.255.0
default-router 192.10.10.1
!
ip dhcp pool VLAN20
network 192.10.20.0 255.255.255.0
default-router 192.10.20.1
!
! Gi0/0: trunk left on the default native VLAN. Presumably faces ASAvInt Gi0/0,
! whose VLAN 10/20 subinterfaces tag their frames -- confirm cabling.
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
! Gi0/1: trunk toward the internal WLC (9800INT Gi1 also uses native VLAN 777).
! NOTE(review): the native VLAN is the WLC management VLAN, so management
! traffic crosses this trunk untagged. A dedicated, otherwise-unused native VLAN
! (or "vlan dot1q tag native") keeps management frames tagged and removes the
! native-VLAN hopping condition.
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
negotiation auto
!
! Gi0/2: no switchport configuration shown; it sits at platform defaults.
interface GigabitEthernet0/2
negotiation auto
!
! SVIs: SW6 is the default gateway for VLAN 10, VLAN 20 and WLAN_MGMT.
interface Vlan10
ip address 192.10.10.1 255.255.255.0
!
interface Vlan20
ip address 192.10.20.1 255.255.255.0
!
interface Vlan777
ip address 192.10.77.1 255.255.255.0
!
! Static routes toward the DMZ-side networks; next hops are ASAvInt's INSIDE_10
! (192.10.10.10) and INSIDE_20 (192.10.20.10). 192.168.0.0/21 has two equal-cost
! (AD 1) routes, whereas 192.168.77.0/24 and 192.168.78.0/24 use a floating
! backup (AD 2) via INSIDE_20. 192.168.1.0/24 is already inside the /21 and is
! pinned to INSIDE_10 with no backup.
! NOTE(review): ASAvInt's return routes prefer INSIDE_10 (AD 1) and only fall
! back to INSIDE_20 (AD 2), so per-flow load sharing on the /21 here can send a
! flow out INSIDE_20 while the reply comes back via INSIDE_10 -- asymmetric
! through a stateful firewall. Giving the /21 routes the same AD 1 / AD 2 split
! as the /24s keeps both directions on one interface.
ip route 192.168.0.0 255.255.248.0 192.10.10.10
ip route 192.168.0.0 255.255.248.0 192.10.20.10
ip route 192.168.1.0 255.255.255.0 192.10.10.10
ip route 192.168.77.0 255.255.255.0 192.10.10.10
ip route 192.168.77.0 255.255.255.0 192.10.20.10 2
ip route 192.168.78.0 255.255.255.0 192.10.10.10
ip route 192.168.78.0 255.255.255.0 192.10.20.10 2
C9800L-Internal
! 9800INT: internal WLC. Single trunk uplink on Gi1 with native VLAN 777, the
! management SVI is Vlan777 (192.10.77.11) and the default route points at SW6.
hostname 9800INT
!
vlan 777
name WLAN_MGMT
!
! NOTE(review): management VLAN 777 is also this trunk's native VLAN, so
! everything sourced from Vlan777 (management, the mobility tunnel) leaves the
! port untagged. See the matching note on SW6 Gi0/1.
interface GigabitEthernet1
switchport trunk native vlan 777
switchport mode trunk
negotiation auto
no mop enabled
no mop sysid
!
interface Vlan777
ip address 192.10.77.11 255.255.255.0
!
! Default route: all non-local traffic goes to SW6's Vlan777 address.
ip route 0.0.0.0 0.0.0.0 192.10.77.1
!
! Mobility peering with the DMZ controller 9800DMZ at 192.168.77.10. This entry
! must mirror the one 9800DMZ holds for this controller (group 9800INT, MAC
! 001e.7a88.19ff). public-ip equals ip, i.e. no NAT is assumed between the two
! controllers. The firewall rules that permit the tunnel between them are not in
! this excerpt.
wireless mobility group member mac-address 001e.bd43.10ff ip 192.168.77.10 public-ip 192.168.77.10 group 9800DMZ
wireless mobility group name 9800INT
wireless mobility mac-address 001e.7a88.19ff
wireless management interface Vlan777
ASAv-Internal
! ASAvInt: firewall between the internal VLANs (10/20), the lab management
! segment (INSIDE_LAB) and the DMZ side (OUTSIDE_30 toward SW100).
hostname ASAvInt
!
! Gi0/0 is a bare trunk parent; the VLAN 10/20 subinterfaces below carry the
! addressing (toward SW6 Gi0/0).
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
! INSIDE_10 / INSIDE_20: both at security-level 100. Traffic between two
! level-100 interfaces (including INSIDE_LAB) is dropped unless
! "same-security-traffic permit inter-interface" is configured -- not visible
! in this excerpt.
interface GigabitEthernet0/0.10
vlan 10
nameif INSIDE_10
security-level 100
ip address 192.10.10.10 255.255.255.0
!
interface GigabitEthernet0/0.20
vlan 20
nameif INSIDE_20
security-level 100
ip address 192.10.20.10 255.255.255.0
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
! OUTSIDE_30: security-level 0, next hop SW100 Vlan30 (192.13.30.1).
interface GigabitEthernet0/1.30
vlan 30
nameif OUTSIDE_30
security-level 0
ip address 192.13.30.10 255.255.255.0
!
interface GigabitEthernet0/2
nameif INSIDE_LAB
security-level 100
ip address 10.0.0.61 255.255.255.192
!
! NOTE(review): no access-group or inspection policy appears here. Echo replies
! returning from OUTSIDE_30 (level 0) to the level-100 interfaces are only passed
! with "inspect icmp" or an inbound ACL, yet the ping tests later on the page
! succeed, so that policy must exist elsewhere -- confirm it is captured.
! Static routes. Internal-side destinations prefer INSIDE_10 (AD 1) with a
! floating (AD 2) fallback via INSIDE_20; DMZ-side prefixes go out OUTSIDE_30.
! 172.18.10.0/24 and 172.18.20.0/24 are not referenced by any other device in
! this document -- presumably further internal networks behind SW6; confirm.
route INSIDE_LAB 10.0.14.0 255.255.255.192 10.0.0.11 1
route INSIDE_LAB 10.0.206.0 255.255.255.192 10.0.0.11 1
route INSIDE_10 172.18.10.0 255.255.255.0 192.10.10.1 1
route INSIDE_20 172.18.10.0 255.255.255.0 192.10.20.1 2
route INSIDE_10 172.18.20.0 255.255.255.0 192.10.10.1 1
route INSIDE_20 172.18.20.0 255.255.255.0 192.10.20.1 2
route INSIDE_10 192.10.77.0 255.255.255.0 192.10.10.1 1
route INSIDE_20 192.10.77.0 255.255.255.0 192.10.20.1 2
route OUTSIDE_30 192.168.0.0 255.255.248.0 192.13.30.1 1
route OUTSIDE_30 192.168.77.0 255.255.255.0 192.13.30.1 1
route OUTSIDE_30 192.168.78.0 255.255.255.0 192.13.30.1 1
SW100
! SW100: stands in for the network outside ASAvInt. Loopback0-5 are the
! 192.168.0.0/21 destinations pinged from the WLC later on the page; Vlan30 faces
! ASAvInt OUTSIDE_30 and Vlan778 faces WLAN_SWITCH (DMZ management).
hostname SW100
!
vlan 30,778
!
! Loopbacks: one /24 each, 192.168.0.0 through 192.168.5.0.
interface Loopback0
ip address 192.168.0.1 255.255.255.0
!
interface Loopback1
ip address 192.168.1.1 255.255.255.0
!
interface Loopback2
ip address 192.168.2.1 255.255.255.0
!
interface Loopback3
ip address 192.168.3.1 255.255.255.0
!
interface Loopback4
ip address 192.168.4.1 255.255.255.0
!
interface Loopback5
ip address 192.168.5.1 255.255.255.0
!
! Vlan30: 192.13.30.1 is the next hop ASAvInt uses for the 192.168.x prefixes.
interface Vlan30
ip address 192.13.30.1 255.255.255.0
!
! NOTE(review): Vlan778 is /26 here while WLAN_SWITCH's Vlan778 (192.168.78.1)
! is /24. Both addresses fall inside 192.168.78.0/26 so the link works, but the
! masks should agree -- confirm which is intended.
interface Vlan778
ip address 192.168.78.2 255.255.255.192
!
! Default route toward WLAN_SWITCH; the internal-side 192.10.x.0 prefixes return
! via ASAvInt OUTSIDE_30.
ip route 0.0.0.0 0.0.0.0 192.168.78.1
ip route 192.10.10.0 255.255.255.0 192.13.30.10
ip route 192.10.20.0 255.255.255.0 192.13.30.10
ip route 192.10.77.0 255.255.255.0 192.13.30.10
WLAN_DMZ_SWITCH
! WLAN_SWITCH: DMZ switch carrying guest (VLAN 10), BYOD (VLAN 20), WLAN
! management (777) and DMZ management (778). Port-channel17 is the static bundle
! to 9800DMZ, Gi0/3 goes to SW100 and Gi0/0 to ASAvEXT.
hostname WLAN_SWITCH
!
vlan 10
name DMZ_WLAN_GUEST
!
vlan 20
name BYOD
!
vlan 777
name WLAN_MGMT
!
vlan 778
name DMZ_MGMT
!
! Po17: two-member EtherChannel to 9800DMZ (its Gi1/Gi2 are also "mode on").
! Native VLAN 777 is the WLC management VLAN, so that traffic is untagged on
! the bundle -- same consideration as on SW6 Gi0/1.
interface Port-channel17
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
!
! Gi0/0: trunk on the default native VLAN toward ASAvEXT Gi0/0, whose VLAN
! 10/20 subinterfaces tag their frames.
interface GigabitEthernet0/0
switchport trunk encapsulation dot1q
switchport mode trunk
negotiation auto
!
! Gi0/1, Gi0/2: Po17 members. "mode on" bundles without LACP/PAgP negotiation,
! so a mis-cabled member is added silently; "active" is safer where the far end
! supports LACP -- confirm for the 9800.
interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
negotiation auto
channel-group 17 mode on
!
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport trunk native vlan 777
switchport mode trunk
negotiation auto
channel-group 17 mode on
!
! Gi0/3: trunk to SW100 with native VLAN 778 (DMZ_MGMT).
interface GigabitEthernet0/3
switchport trunk encapsulation dot1q
switchport trunk native vlan 778
switchport mode trunk
negotiation auto
!
! SVIs on all four VLANs make this switch the router between guest/BYOD and the
! two management VLANs.
! NOTE(review): with L3 SVIs on VLAN 10/20 and on 777/778, guest and BYOD
! clients can reach 192.168.77.0/24 (WLC management) and 192.168.78.0/24 (DMZ
! management) without traversing ASAvEXT, unless an ACL/VACL not shown here
! blocks it. Confirm such a filter exists, or move the guest/BYOD gateways onto
! the firewall.
interface Vlan10
ip address 172.16.10.1 255.255.255.0
!
interface Vlan20
ip address 172.16.20.1 255.255.255.0
!
interface Vlan777
ip address 192.168.77.1 255.255.255.0
!
interface Vlan778
ip address 192.168.78.1 255.255.255.0
!
ip forward-protocol nd
!
! NOTE(review): "ip http server" enables the cleartext HTTP management service
! on this DMZ-facing switch and nothing in the lab depends on it. Prefer
! "no ip http server" (and "ip http secure-server" with an "ip http access-class"
! ACL only if web management is really needed).
ip http server
!
! Static routes: the internal-side prefixes (192.10.x.0, 192.13.30.0) and the
! 192.168.0.0/21 loopbacks are all reached via SW100 (192.168.78.2).
ip route 192.10.10.0 255.255.255.0 192.168.78.2
ip route 192.10.20.0 255.255.255.0 192.168.78.2
ip route 192.10.77.0 255.255.255.0 192.168.78.2
ip route 192.13.30.0 255.255.255.0 192.168.78.2
ip route 192.168.0.0 255.255.248.0 192.168.78.2
9800DMZ
! 9800DMZ: DMZ WLC. Po17 (Gi1 + Gi2, static "mode on") trunks to WLAN_SWITCH
! with native VLAN 777; the management SVI is Vlan777 (192.168.77.10) and the
! default route points at WLAN_SWITCH. Its mobility peering lines appear further
! down the page.
hostname 9800DMZ
!
vlan 10,20,777
!
! Native VLAN 777 is the management VLAN, so management traffic is untagged on
! the bundle (see the matching note on WLAN_SWITCH Po17).
interface Port-channel17
switchport trunk native vlan 777
switchport trunk encapsulation dot1q
switchport mode trunk
no mop enabled
no mop sysid
!
! Gi1, Gi2: Po17 members, bundled statically ("mode on", no LACP negotiation).
interface GigabitEthernet1
switchport trunk native vlan 777
switchport mode trunk
negotiation auto
no mop enabled
no mop sysid
channel-group 17 mode on
!
interface GigabitEthernet2
switchport trunk native vlan 777
switchport mode trunk
negotiation auto
no mop enabled
no mop sysid
channel-group 17 mode on
!
! Gi3: no switchport configuration shown; platform defaults.
interface GigabitEthernet3
negotiation auto
no mop enabled
no mop sysid
!
interface Vlan1
no ip address
no mop enabled
no mop sysid
!
! Management SVI; 192.168.77.10 is the address 9800INT peers with.
interface Vlan777
ip address 192.168.77.10 255.255.255.0
no mop enabled
no mop sysid
!
! Routes. The /32 for 192.10.77.11 (the internal WLC's management address) pins
! the mobility peer explicitly even though the default route already covers it.
! NOTE(review): 192.10.78.0/24 is not referenced anywhere else in this document,
! while 192.168.78.0/24 (DMZ_MGMT) is; this looks like a typo -- confirm. The
! default route makes it harmless either way.
ip route 0.0.0.0 0.0.0.0 192.168.77.1
ip route 192.10.77.11 255.255.255.255 192.168.77.1
ip route 192.10.78.0 255.255.255.0 192.168.77.1
!
ASAv-External
! ASAvEXT: firewall on the DMZ side. Gi0/0 is the trunk parent toward
! WLAN_SWITCH Gi0/0; the VLAN 10/20 subinterfaces terminate the guest and BYOD
! segments. No outside interface, NAT or access policy is shown in this excerpt.
hostname ASAvEXT
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
! INSIDE10 / INSIDE20: both security-level 100. Traffic between them needs
! "same-security-traffic permit inter-interface", which is not shown.
interface GigabitEthernet0/0.10
vlan 10
nameif INSIDE10
security-level 100
ip address 172.16.10.10 255.255.255.0
!
interface GigabitEthernet0/0.20
vlan 20
nameif INSIDE20
security-level 100
ip address 172.16.20.10 255.255.255.0
!
! Static routes back toward the DMZ/internal side via WLAN_SWITCH's VLAN 10/20
! SVIs, preferring INSIDE10 (AD 1) with a floating (AD 2) fallback via INSIDE20 --
! the same pattern ASAvInt uses.
route INSIDE10 192.13.30.0 255.255.255.0 172.16.10.1 1
route INSIDE20 192.13.30.0 255.255.255.0 172.16.20.1 2
route INSIDE10 192.168.0.0 255.255.248.0 172.16.10.1 1
route INSIDE20 192.168.0.0 255.255.248.0 172.16.20.1 2
route INSIDE10 192.168.77.0 255.255.255.0 172.16.10.1 1
route INSIDE20 192.168.77.0 255.255.255.0 172.16.20.1 2
Test ICMP and SSH connectivity between the internal and DMZ WLCs
Allow ICMP and SSH between the two WLCs
Mobility Tunnel
C9800 Internal
! Each controller lists the other as a mobility group member: the member line
! carries the peer's mobility MAC, management IP and group name, and must match
! what the peer announces about itself (compare the "wireless mobility
! mac-address" / "group name" lines on the opposite side). public-ip equals ip on
! both, i.e. no NAT is assumed between 192.10.77.11 and 192.168.77.10.
wireless mobility group member mac-address 001e.bd43.10ff ip 192.168.77.10 public-ip 192.168.77.10 group 9800DMZ
wireless mobility group name 9800INT
wireless mobility mac-address 001e.7a88.19ff
C9800 DMZ
! Mirror of the entry above: 9800DMZ points at 9800INT's management address and
! mobility MAC 001e.7a88.19ff, group 9800INT.
wireless mobility group member mac-address 001e.7a88.19ff ip 192.10.77.11 public-ip 192.10.77.11 group 9800INT
wireless mobility group name 9800DMZ
wireless mobility mac-address 001e.bd43.10ff
Test reachability from the internal WLC to internal networks
9800INT# tclsh
9800INT(tcl)# foreach VAR {
+>
+>192.168.0.1
+>192.168.1.1
+>192.168.2.1
+>192.168.3.1
+>192.168.4.1
+>192.168.5.1
+>192.168.78.2
+>
+>
+>} { puts [exec "ping $VAR"] }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 61/79/109 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 54/78/96 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 45/72/135 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 41/53/80 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.4.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 38/51/61 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.5.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 43/71/120 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.78.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 68/119/179 ms
9800INT(tcl)#
Test reachability from the internal WLC to external firewall networks
9800INT(tcl)# foreach VAR {
+>
+>172.16.10.10
+>172.16.20.10
+>
+>} { puts [exec "ping $VAR"] }
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/86/113 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 73/81/85 ms
9800INT(tcl)#