25 APs / Port Anchor WLC versus Guest WLC

Greetings, first timer here.
We're adding public internet access to our existing wireless network. We are using a 4402 WLC for our guest controller, and our secure WLC is a 4404.
Cisco recommends placing a limit of 25 APs per distribution port, and we utilize that practice on our 4404. My question is, once we add the guest controller, which uses the same APs as the Anchor controller, do we have to re-apply the 25 AP/port rule to the guest controller?
The 4404 obviously has 4 distribution ports giving a max of 100 APs, and the 4402 has 2 resulting in only 50 APs. We've got all of our APs covered by the best practice on the 4404, but would exceed that on the 4402.
I thought that because the data is moving between the WLCs via the ether tunnel, I was covered by the 4404.
Thoughts or suggestions?
I can't seem to find anything in the white papers or best practices.
Thanks to all
Larry

I have no factual information to back up what I am about to say and it may be partially incorrect, but this is how I always explained the process of guest anchoring:
So the 25AP suggestion per interface I think is because of the fact that if you had more than 25 APs on one port, you could theoretically be oversubscribing the bandwidth that the port could provide (25AP@40mbps = 1000mbps)...
Anyhow, unless you plan on actually sending a gig worth of traffic to your Guest Controller, I don't think there is any real need to split your anchor. I'm pretty sure Guest Controllers are usually for internet access and 1Gb worth of internet bandwidth sure seems like a lot to me.
Also, I had always thought of the anchor tunnel similar in nature to an AP LWAPP tunnel. The controller that supports 25 APs is designed to support 25 LWAPP tunnels. The 50AP model, supports 50 LWAPP tunnels. This same logic could be applied to the WLAN Anchor tunnels. Think of each WLAN Anchor Tunnel as an AP connected to a controller.
When a guest is anchored to the Public Controller, it isn't the AP that is tunneled there nor the client, it is the WLAN. So you could have 25 APs with the same guest WLAN, but really it is still just 1 WLAN anchored to the controller. If for some reason you wanted to do more than 25 different WLANs, then I would suggest splitting those WLANs between your interfaces...
I think the bottom line though is that if you aren't worried about over-subscribing your interface on the anchor controller, there shouldn't be any concerns.

Similar Messages

  • Can't ping, telnet, SSH or find APs in ARP, but associated to WLC & has clients

    Hi All,
    I have an interesting problem. I have a Cisco 2504 WLC, and six Access Points that are associated to it.  I can reach 4 of the access points, which are connected to Cisco 300 POE switches, but the other 2 I cannot ping, telnet, SSH or find in the ARP table on the network.  However, they are both associated to the WLC and as far as I can tell, they have clients associated to them.  If I reboot them from the WLC, they find their way back to the correct WLC, and the WLC sees them in CDP, but I still can't access them in any way.
    The two problem APs appear to be connected to ports 3 & 4 on the WLC, which are the POE ports. I read some documentation that says that those ports don't support Access Points but basically that you can still connect them and have it work, but don't expect any help from Cisco if you run into problems.  I've confirmed that POE is being supplied in the port configs, and I have other sites with WLC's that are configured identically with APs on ports 3 & 4 that are up and not having any issues.
    Wondering if anyone has had similar issues and if so, can you shed any light on this strange behavior?
    Thanks.

    please
    https://supportforums.cisco.com/discussion/11288621/2500-wlc-attach-ap

  • Guest WLC not talking to ISE it is in a DMZ

    I have allowed all IP to the ISE servers from the DMZ the Guest 5508 WLC sits. I see requests coming in from a WLAN configured on the inside WLC but nothing from the SSID that comes from the WLC within the DMZ it is a mobility anchor for the guest network on all my WLC's.  What needs to be opened for this communication? or will the mobility anchor type setup not work in the ISE world?  I have uploaded the config of the guest WLC we are on 7.6.130

    Does the anchor controller send this request? I see nothing from the WLC thru the monitor in my ASA firewall for any WLAN traffic. Only talking back to the other controllers.  I'm confused over how this traffic flows, the main WLC holds the SSID's the Guest is handed off to the Guest controller thru the mobility but does the request to the radius or ISE servers come from the guest controller or the main controller the AP's belong to?

  • Controllers in the same WISM module in the 6500, i'm trying to make one of them anchor controller for guest internet

    I have 2 controllers in the same WISM module and I'm trying to make one of them the Anchor controller for guest WLAN, but when I put the anchor controller in a separate non-routed VLAN and connect it to an outside switch by creating VLAN 192 on the core (the Internet router is connected to the same switch), it is showing path down... (VLAN 192 visitor Internet and VLAN 224 my internal controller management VLAN are not talking)
    There is no routing between these 2 VLANs (because of security), but I can't get the controller to communicate.
    - If I connect my laptop to this switch I'm able to go out on the Internet but my visitor WLAN is not able to get an IP address from the router connected to this switch.
    - I called Cisco and one of the guys told me that I can leave the management in VLAN 224 for the controller to communicate (which they did), but the issue I'm having right now is that my visitors are not getting IP addresses from this VLAN at all
    Someone please advise
      vlan192   4/1 vlan 192              int g0/0 192.168.2.201
      6500 ----- switch ---- router---------  (outside)
        |         |   |
        |        DHCP server
       WLC

    A couple of questions, is VLAN 192 allowed across the trunk link to the wlc?  Do you have an interface tagged for vlan 192, with a valid address?  What is providing the DHCP?
    Cheers,
    Steve
    If  this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Best Practice for DHCP when Anchoring to a Guest Wireless LAN Controller

    Hi all,
    I'm interested in the community's opinion in relation to DHCP provisioning when using auto-anchor/guest tunneling.
    As far as I can tell, one cannot use the internal DHCP on the anchor controller when using auto-anchor due to incompatibility between the auto-anchor feature and DHCP Option 82.
    The scenario is as follows:
    Guest controller is the anchor which provides Internet access to guests.
    There is a foreign controller which is configured to anchor to the guest controller.
    The internal DHCP server is configured on the guest anchor controller, therefore DHCP proxy must be enabled for DHCP to work.
    DHCP proxy enables Option 82.
    The guidelines for guest tunneling state that DHCP Option 82 isn't supported. (Ref: Deploying and Troubleshooting Cisco Wireless LAN Controllers - Ch14)
    So, the internal DHCP server requires DHCP proxy to be enabled; this in turn enables Option 82, which stops DHCP leases being made to clients connected to the foreign controller.
    Given that a guest WLC would normally be placed in a DMZ, the internal DHCP server may often be the only DHCP solution available.
    I look forward to hearing your opinions.
    Thanks
    Rhodri Jenkins

    There are a couple of options here if you need to get proxy disabled
    1) pinhole with an ACL that allows dhcp to pass your internal servers
    2) run dhcp on a switch, router, or firewall in the dmz
    3) if you are using a cable modem or DSL for the guest users, you can let that do the DHCP
    In general I've seen most of these in play, but I like option 2 myself
    Sent from Cisco Technical Support iPad App
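
To check from a packet capture whether Option 82 is actually being inserted into guest DHCP requests (the condition the thread above turns on), the following added example, which is not from any of the posts, parses a raw DHCP payload and reports `giaddr` and any Option 82 sub-options as defined in RFC 3046. The names `inspect_dhcp` and `build_sample`, the MAC address and the sample packets are constructed for illustration.

```python
import socket

MAGIC_COOKIE = b"\x63\x82\x53\x63"
FIXED_LEN = 236                               # BOOTP header length before the cookie
SUBOPTS = {1: "circuit_id", 2: "remote_id"}   # RFC 3046 sub-option codes


def _tlvs(data, pad_end=False):
    """Yield (code, value) pairs from a code/length/value byte string."""
    i = 0
    while i < len(data):
        code = data[i]
        if pad_end and code == 0:             # pad option has no length byte
            i += 1
            continue
        if pad_end and code == 255:           # end option terminates the list
            return
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated option %d" % code)
        yield code, data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]


def inspect_dhcp(payload):
    """Summarise the relay-related fields of one DHCP message (UDP payload)."""
    if (len(payload) < FIXED_LEN + 4
            or payload[FIXED_LEN:FIXED_LEN + 4] != MAGIC_COOKIE):
        raise ValueError("not a DHCP message")
    opts = dict(_tlvs(payload[FIXED_LEN + 4:], pad_end=True))
    relay = None
    if 82 in opts:                            # Relay Agent Information option
        relay = {SUBOPTS.get(c, "subopt_%d" % c): v for c, v in _tlvs(opts[82])}
    return {
        "msg_type": (opts.get(53) or b"\x00")[0],    # 1 = DISCOVER, 3 = REQUEST
        "giaddr": socket.inet_ntoa(payload[24:28]),  # non-zero when relayed/proxied
        "option82": relay,
    }


def build_sample(giaddr="0.0.0.0", option82=None):
    """Construct a minimal DHCPDISCOVER payload for testing (not a real capture)."""
    hdr = bytearray(FIXED_LEN)
    hdr[0:4] = bytes([1, 1, 6, 0])                # BOOTREQUEST, Ethernet, hlen 6
    hdr[24:28] = socket.inet_aton(giaddr)
    hdr[28:34] = bytes.fromhex("020000000001")    # constructed client MAC
    opts = b"\x35\x01\x01"                        # option 53 = DISCOVER
    if option82 is not None:
        opts += bytes([82, len(option82)]) + option82
    return bytes(hdr) + MAGIC_COOKIE + opts + b"\xff"


if __name__ == "__main__":
    # Constructed Option 82 body: circuit-id "guest", remote-id a 6-byte MAC.
    agent_info = b"\x01\x05guest" + b"\x02\x06" + bytes.fromhex("0011223344ff")
    for pkt in (build_sample(), build_sample("192.0.2.1", agent_info)):
        print(inspect_dhcp(pkt))
```

Feed it the UDP payload of a DHCPDISCOVER captured on the DHCP server side of the anchor: a non-zero `giaddr` together with a populated `option82` shows the request was proxied with relay agent information attached.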

  • WLC 4400 to WLC 5508

    Hi All
    I want to migrate from WLC 4400 to WLC 5508. Currently on the WLC 4400 we have 10 APs connected with 5 SSIDs having different authentication methods. On the WLC 5508, if I create the same SSID with the same key, will I need to reconfigure anything on end-user PCs and smart devices?
    Is there any tool to migrate the WLC 4400 config to the WLC 5508?
    cheers
    Vishal 

    Thanks Scott, some more inquiry
    how to reboot the AP from the controller. ( I see 'Reset AP' -  this option to reboot or something else)
    how to disconnect all users connected to specific SSID from controller
    Can AP model 3702 work with WLC  5508, do we need specific software version
    cheers
    Vishal

  • Migrate WLC 4400 to WLC 5500

    Hi experts,
    I want to Migrate WLC 4400 with WLC 5500, But i don't know how to do this.
    Should i create new configuration or use my  WLC 4400 config ?
    I want to know about IOS for WLC 5500, should I upgrade my Access Point to connect with new WLC ?
    I need a good method to migrate this WLC. So my WLC 5500 can run properly.
    Thank you for your help.

    I have no idea how Ravi's answer is considered "correct" when he didn't address the most important aspect of your thread.  
    As far as I'm aware, you need to ensure both controllers are running the same firmware or 7.0.250.X. 
    Take a copy or export the config of the 4400 configuration to your TFTP server.  Edit the file and change the necessary settings.  Go to the 5500 and download this configuration file.  Upgrade the firmware and the bootstrap if necessary.

  • WLC 5508 Guest termination Tunnel

    Hi to all,
    I've a question regarding Guest Wireless Access: can the WLC5508 do Guest Termination Tunnel as they do the WLC440X??? I suppose yes...or better say I hope yes ;-)
    What about the AP support? Can I mix as is possible with the 440X where the internal WLC are licensed for 50 AP and the external one for only 12???
    Thanks for a feedback!

    It sounds like you're running into the same project as me. I have all 4402's and was considering upgrading to a 5508 for our headquarters. This happens to be our guest anchor as well. To ensure that mobility will work, which is a requirement for guest, carefully read the version 6 release notes. In a nutshell though, I've found that this will work with 4.2 code and up to version 6 on a 5508. I'd check the release notes to be exactly sure of the 4.2 release though. 4.2.205.0 has been working well for me. I don't have our 5508 yet, but I'll provide an update once it gets here. In a perfect world, having the same version 6 release on the 4402's and the 5508 will ensure you don't have anchor / mobility problems.
    As far as the different AP licenses go on the controllers, this will only affect the size of the network you can have at each site (because it restricts the number of AP's, ie. 25 versus 12). You can definitely use guest on a 50 AP controller with a 12AP controller at the other site. They don't have to match...

  • APs Controlled from Agent instead of WLC?

    I have 8 APs directly connected to a stack of 3850 switches operating as the WLC. I have 4 more APs connected to another 3850 stack on a different floor operating as a wireless mobility agent. I have a trunk link directly between the two 3850 stacks. If I log into the GUI for each of the stacks, I can see the APs that are connected to each stack, respectively. I have no visibility from the WLC to the APs that are connected to the agent.
    Is this the normal behavior? Do I have to do my management of AP groups and WLANs at both the WLC and the agent? Was I mistaken in my understanding that the WLC operates as a central point of control? Below is the wireless mobility summary output from each stack:
    WLC Stack:
    Mobility Controller Summary:
    Mobility Role                                  : Mobility Controller
    Mobility Protocol Port                          : 16666
    Mobility Group Name                            : default
    Mobility Oracle IP Address                      : 0.0.0.0
    DTLS Mode                                      : Enabled
    Mobility Domain ID for 802.11r                  : 0xac34
    Mobility Keepalive Interval                    : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value            : 60
    Mobility Domain Member Count                    : 1
    Link Status is Control Link Status : Data Link Status
    Controllers configured in the Mobility Domain:
    IP              Public IP        Group Name      Multicast IP    Link Status
    10.10.60.3      -                default          0.0.0.0          UP  : UP
    Switch Peer Group Name            : SPG1
    Switch Peer Group Member Count    : 1
    Bridge Domain ID                  : 60
    Multicast IP Address              : 0.0.0.0
    IP              Public IP            Link Status
    10.10.60.2      10.10.60.2            UP  : UP
    Agent Stack:
    Mobility Agent Summary:
    Mobility Role                                  : Mobility Agent
    Mobility Protocol Port                          : 16666
    Mobility Switch Peer Group Name                : SPG1
    Multicast IP Address                            : 0.0.0.0
    DTLS Mode                                      : Enabled
    Mobility Domain ID for 802.11r                  : 0xac34
    Mobility Keepalive Interval                    : 10
    Mobility Keepalive Count                        : 3
    Mobility Control Message DSCP Value            : 60
    Switch Peer Group Members Configured            : 1
    Link Status is Control Link Status : Data Link Status
    The status of Mobility Controller:
    IP              Public IP            Link Status
    10.10.60.3      10.10.60.3          UP  : UP
    Switch Peer Group members:
    IP              Public IP            Data Link Status
    10.10.60.2      10.10.60.2          UP

    That's all well and good if the controller can be pinged. What is usually the case here is that there is no route to the management interface of the controller or the ap manager interface as well. Check to see if there are IP address conflicts with those two interfaces. Next, make sure that you have not exceeded the total number of APs per physical interface. If you have, add a LAG group or a second ap management interface. Verify security certificates are on the APs and that the date and time on the controller is accurate. Lastly, make sure you have no PoE issues or CDP. You're beating a dead horse here guys.

  • WLC 2504 Guest Wifi

    Hi
    Need some help. I have setup guest access on the controller and this is not working at the moment.
    DHCP server setup on the controller for the Guest users.
    You are able to connect (get ip address from controller) and the browser gets redirected to 1.1.1.1 but then page can not be displayed instead of the login page.
    Need to know how to fix this.
    Regards
    Chris

    Hi,
    Is the WLC connected to a Cisco Switch or 3rd party switch ?
    For trouble shooting purposes if you disable security are the wireless clients able to go out to the internet ?
    If you are working with VLANs or different subnets on the WLC, have you configured the switch with a trunk port and set the same native VLAN or untagged VLAN as the WLC, and made sure that the guest VLAN from the switch is able to go out to the internet?

  • WLC for GUEST network hangs and requires restart

    I have a remote site customer that is getting support calls saying that guest users cannot login to the wireless "guest" network. When they try to access it, the browser hangs up when trying to load the redirect page.
    When they restart the controller, it begins working again. The WLC version is 5.0.148.0. Has anyone seen this issue? If not, what would be the best way to troubleshoot?
    Thanks for any help.

    5.0.148.0 has a lot of bugs, suggest you to keep on using 4.2.112 at this moment until the maintenance release of version 5 comes out. This is one of its bug: CSCsm98250.
    Symptom:
    Webauth and controller access via HTTP or telnet/SSH stop working.
    Conditions:
    After the controller was upgraded to 5.0, randomly webauth, and controller access via HTTP or telnet/SSH stop working.
    Workaround:
    Reboot controller.

  • Wlc 5508 : guest users to be configured only give access for internal SAP application

    Hi,
    I have one new requirement with one of the client.
    I have wlc 5508 with 6.0 firmware. I need to have one guest wlan which will have access only for internal SAP application.
    I have gone through cisco document for internet guest users , where web page will be redirected with user name and password once it is authenticated , we can access internet.
    Provided if we have access list configured in wlc ...  for internet access only /
    what about this mentioned scenario ?
    can anybody suggest on the same ?

    Hi Vinod,
    Go for the ACL on any Router or the switch.. i prefer not on the WLC..
    http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml
    Here is the link as well to do it on the WLC
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml
    Lemme know if this answered ur question..
    Regards
    Surendra

  • WLC 2504, guest user life time

    Hi,
    Can't we create a guest user login with more than 30 days lifetime? In the lifetime field we can enter maximum 99 but it only allows up to 30.
    Any idea?
    Thanks.

    Hi, no the limit is 30days if the user is created in the WLC.
    Info from the user guide = Range: 5 minutes to 30 days
    You'd configure a longer lifetime if you use the WCS/NCS.
    If you configure 90 days via the WCS/NCS you also see on the WLC 30days but the WCS/NCS will update this until the 90days are over.
    Kind regards,
    Ron

  • Radius Attributes Supported by WLC? Guest bandwidth limiting

    Hello all..
    I've seen several mentions of limited guest user traffic usage by QoS settings and policy maps.. But my issue with this is, it's a global setting for that SSID. In my case, I have a 'Submit' button on our Guest Internet page that does a hidden login of the user Guest. In the past, I would apply a session time out of 3hours and limit the bandwidth by quite a bit. However, for vendors and visitors that come in, there was a login section that they could input their user/pass given to them by the helpdesk and with radius attributes have an extended time out with greater bandwidth. However, I haven't been able to get this to work on the Controller based service, other than the time-out attribute. Is anyone doing it this way? What attributes does the WLC support?

    Have you looked at the v4.2 code? You can create different QoS Roles, and then assign different people to different roles.
    I've never tried this through RADIUS though.
    Regards,
    Richard

  • WLC 2100 guest access with local web authentication

    Hello, I tried to create a guest access with local web authentication.
    My laptop is connected to the WLAN but my browser doesn't ask for my login and password.

    Please refer to the following links:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/69340-web-auth-config.html
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/115951-web-auth-wlc-guide-00.html
