1 ACCEPTED SOLUTION
Hi Martin,
Why do we all use the VLAN 666 for Internet ?
Is the authentication done via the NAC?
Could you share the screenshots concerning the config and the authentication of the captive portal?
What is the role and the VLANID/DHCP subnet at the second location?
Mig
Thanks all for posting a reply.
Hi Mig, thanks also. Will aim to answer your questions. Apologies, was trying keep it simple but get your point.
What I was trying to achieve predominantly was to clear the error I was getting with policy verification on XMC.
This was due to the fact the synchronisation was broken between the EWC’s to accommodate the difference in VLAN. This further lead me to consider what would be the best approach to configuring redundant internal EWC captive portal that is not managed by ExtremeControl (more detail below) but the Guest polices are managed by XMC i.e. the answer would lead to a variation in approaches I could consider.
Bear in mind I am coming into something already there, rather than from scratch.
So the customer has two EWC in two different geographic locations. The introduction of Guest internet access via EWC internal captive portal was introduced, but customer only had one internet connection at one location at the time, so all the AP’s had been homed to one controller to provide the service.
Later internet connectivity was introduced to the other location. Seems the VLAN ID’s where different at the other location, so to combat that the synchronisation was disabled on the guest polices to accommodate the difference in VLAN ID.
The same subnet range is being used in both locations, the EWC just splits the DHCP scope into two, one half one side one half the other side. This means the topology cannot be sync’ed either.
That said the failover works really well, albeit not completely straight under the hood.
The guest traffic bridges at the controller to esa1, which I believe is VLAN’ed to a dedicated internet firewall in the network somewhere. I unfortunately do not have much detail on this, other then so long as I drop traffic onto the guest internet VLAN, supply the default gateway (firewall) to hosts via EWC DHCP scope, its good to go
There is only L3 connectivity between the two sites.
Yes, there is an Extreme Control sitting behind the scenes, but as the EWC is using internal captive portal and the customer doesn’t need to be aware of end-system joining that network (ie be visiable in XMC) so its not being used for guest traffic.
That said, EWC with NAC is being used for corporate SSID’s, so polices are being managed by XMC, including guest polices, hence the query.
I’ve provided some screenshots, so hopefully the above and these provide the detail you need, let me know if you need anything else. The screenshots are taken from one controller but they are pretty much the same on both sides except the topology, the other side has a different L3 IP (172.31.255.202) and the other half of the DHCP scope for the same subnet.
In the screen shots the Guest polices are now in sync, as although the topology for the guest VLAN shows tagged on this controller the other side wasn’t. That meant I could just change the ID to be the same. Now they are in sync.
That does answer my primary question but I don’t think this is the best approach, hence opening up the conversation for ideas.
Many thanks in advance.
