2500 wireless guest anchor, dhcp performance

Hello,
I just read that starting from version 7.4, the 2500 controller can be used to terminate guest anchor tunnels.
This is great news, but i have a question regaring the performance of the internal DHCP server when used in guest environments.
Can it be used and if so, what is its performance ? (ie requests / second)
regards,
Geert

Take a look at the data sheet and it will give you a general understanding of the max client count which is 500 and the throughput which is 500mbps unless you run 7.4 and have LAG enabled which gives you 1gig.  I would only use this for small installs and if its a pretty medium to large guest network, then stick with the 5508.
http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"

Similar Messages

  • Wireless Guest Users DHCP issue

    Dear all
    We have 2 wism as well as Anchor controller
    Guest users are getting ip address from anchor controller.
    We had created DHCP scope on anchor controller itself.
    We had opened particular ports to communicate between guest controller and inside controller for EOIP tunneling to take place.
    Issue is that some times user is getting IP address in the range of AP management vlan.
    Do we require to open ports for bootpc and bootps as well or do we need to create dhcp scope in the switch.
    If any one has faced the above issue pls reply me at the earliest.
    Regards
    -Danish

    If the anchor goes down, or mobility fails, the user should never egress from the Foreign WLC (in my opinion). However, if you are saying that the user gets an IP from the MGMT Interface of the Foreign WLC (not the Anchor), then it is doing exactly what it shouldn't.
    What version of code is this?
    I've seen a lot of deployments implement a "dummy interface" on the Foreign WLC.  So a fake vlan/subnet is created on the WLC and mapped as the default interface for the Foreign's Guest WLAN.   In the event anchoring does fail and the client sticks to the foreign WLC this dummy interface would actually prevent the user from having network access.
    Are you seeing this often?

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
    massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in Advanced,
    JS

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope.  With the newer code versions, you can enable dhcp proxy on a per interface do this doens't have to be global.

  • Wireless guest access with CWA and ISE using mobility anchor

    My team is trying to demo wireless guest access using CWA with an ISE server.  We appear to be hitting an issue when combining this with mobility anchoring.
    When we don't use a mobility anchor the authentication goes off without a hitch seemingly proving that the ISE configuration is sound.  The test laptop associates and gets redirected, auths, moves to the RUN state and access to the network is granted.
    When the mobility anchor is enabled, the test laptop does get redirected, authentication is successful, but the process does not fully complete, as on the foreign controller the user is in RUN state whereas on the anchor the user is still stuck at CWA required.
    Now, I've read the L2 auth occurs between the foreign controller and ISE, and the L3 auth occurs between the anchor controller and ISE, but this does not appear to borne out in packet captures of the process where both parts of the auth seems to go to and from the foreign controller and ISE.
    I'm curious to know if anyone else has come across this issue, or has ideas where I should be looking in the config or debugs to find the root cause.
    When setting up the controllers and ISE this guide (linked below) was used and the controllers are 2504 controllers on 7.5 series software and ISE is on the latest 1.2 patches:
    http://www.cisco.com/en/US/products/ps11640/products_configuration_example09186a0080bead09.shtml
    To me it seems to be mobility related, but the authentication flow does seem to be off compared with what the guide says.

    FOREIGN
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Adding mobile on LWAPP AP 0c:d9:96:ba:7d:20(1)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Association received from mobile on BSSID 0c:d9:96:ba:7d:2f
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Max Client Trap Threshold: 0  cur: 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Rf profile 600 Clients are allowed to AP wlan
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 0 Quarantine Vlan 0 Access Vlan 0
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfMsConnTask_4: Jan 28 23:04:59.525: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4565 setting Central switched to TRUE
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 In processSsidIE:4568 apVapId = 1 and Split Acl Id = 65535
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying site-specific Local Bridging override for station 00:1e:c2:c0:96:05 - vapId 1, site 'AP-Group-CHEC.default', interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Applying Local Bridging Interface Policy for station 00:1e:c2:c0:96:05 - vlan 84, interface id 0, interface 'management'
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  statusCode is 0 and status is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 processSsidIE  ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 suppRates  statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 apfProcessAssocReq (apf_80211.c:7830) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Idle to AAA Pending
    *apfMsConnTask_4: Jan 28 23:04:59.526: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 20) in 10 seconds
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created for mobile, length = 253
    *radiusTransportThread: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Username entry (00-1E-C2-C0-96-05) created in mscb for mobile, length = 253
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Redirect URL received for client from RADIUS. Client will be moved to WebAuth_Reqd state to facilitate redirection. Skip web-auth Flag = 0
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 255 to 255
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 84
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 Re-applying interface policy for client
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2164)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2185)
    *apfReceiveTask: Jan 28 23:04:59.550: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 0 on mobile
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Initializing policy
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 1800, apfMsTimeOut '1800' and sessionTimerRunning flag is  0
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 1800 seconds
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 1800
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:04:59.551: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:04:59.567: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:01.523: 00:1e:c2:c0:96:05 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 apfMsRunStateInc
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 5793
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Adding Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID = 255,
    *mmMaListen: Jan 28 23:05:02.362: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *mmMaListen: Jan 28 23:05:02.363: 00:1e:c2:c0:96:05 0.0.0.0 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:02.364: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 0.0.0.0 plumbing in FP SCB
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP received op BOOTREQUEST (1) (len 308,vlan 84, port 13, encap 0xec03)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP (encap type 0xec03) mstype 0ff:ff:ff:ff:ff:ff
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP processing DHCP REQUEST (3)
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 5, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.869: 00:1e:c2:c0:96:05 DHCP   requested ip: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP received op BOOTREPLY (2) (len 320,vlan 84, port 13, encap 0xec07)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP processing DHCP ACK (5)
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   xid: 0xafea6bc9 (2951375817), secs: 0, flags: 0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   chaddr: 00:1e:c2:c0:96:05
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   ciaddr: 0.0.0.0,  yiaddr: 10.130.98.8
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   siaddr: 10.30.4.173,  giaddr: 0.0.0.0
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 DHCP   server id: 1.1.1.2  rcvd server id: 1.1.1.2
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) DHCP Address Re-established
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Reached PLUMBFASTPATH: from line 6978
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *DHCP Socket Task: Jan 28 23:05:03.887: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 Assigning Address 10.130.98.8 to mobile
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP success event for client. Clearing dhcp failure count for interface management.
    *DHCP Socket Task: Jan 28 23:05:03.888: 00:1e:c2:c0:96:05 DHCP successfully bridged packet to STA
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:03.889: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4
    *pemReceiveTask: Jan 28 23:05:03.890: 00:1e:c2:c0:96:05 Skip Foreign / Export Foreign Client IP 10.130.98.8 plumbing in FP SCB
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Received SGT for this Client.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 acl from 0 to 255
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Resetting web IPv4 Flex acl from 65535 to 65535
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 AAA redirect is NULL. Skipping Web-auth for Radius NAC enabled WLAN.
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Retaining the ACL recieved in AAA attributes 255 on mobile
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
    *apfReceiveTask: Jan 28 23:05:18.716: 00:1e:c2:c0:96:05 Inserting AAA Override struct for mobile
    MAC: 00:1e:c2:c0:96:05, source 2
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Applying cached RADIUS Override values for mobile 00:1e:c2:c0:96:05 (caller pem_api.c:2307)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Setting session timeout 3600 on mobile 00:1e:c2:c0:96:05
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Session Timeout is 3600 - starting session timer for the mobile
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Applied RADIUS override policy
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Replacing Fast Path rule
      type = Airespace AP Client
      on AP 0c:d9:96:ba:7d:20, slot 1, interface = 13, QOS = 0
      IPv4 ACL ID = 255, IPv6 ACL ID
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 84, Local Bridging intf id = 0
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Not Using WMM Compliance code qosCap 00
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Plumbed mobile LWAPP rule on AP 0c:d9:96:ba:7d:20 vapId 1 apVapId 1 flex-acl-name:
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 10.130.98.8 RUN (20) Change state to RUN (20) last state RUN (20)
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfMsAssoStateInc
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2 (apf_policy.c:333) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from AAA Pending to Associated
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 apfPemAddUser2:session timeout forstation 00:1e:c2:c0:96:05 - Session Tout 3600, apfMsTimeOut '1800' and sessionTimerRunning flag is  1
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Scheduling deletion of Mobile Station:  (callerId: 49) in 3600 seconds
    *apfReceiveTask: Jan 28 23:05:18.717: 00:1e:c2:c0:96:05 Func: apfPemAddUser2, Ms Timeout = 1800, Session Timeout = 3600
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 Sending Assoc Response to station on BSSID 0c:d9:96:ba:7d:2f (status 0) ApVapId 1 Slot 1
    *apfReceiveTask: Jan 28 23:05:18.718: 00:1e:c2:c0:96:05 apfProcessRadiusAssocResp (apf_80211.c:3066) Changing state for mobile 00:1e:c2:c0:96:05 on AP 0c:d9:96:ba:7d:20 from Associated to Associated
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 Set bi-dir guest tunnel for 00:1e:c2:c0:96:05 as in Export Foreign role
    *pemReceiveTask: Jan 28 23:05:18.720: 00:1e:c2:c0:96:05 10.130.98.8 Added NPU entry of type 1, dtlFlags 0x4

  • Wireless Guest Network using Cisco 4402 as an Anchor Controller

    Hello,
    We have recently redesigned our wireless guest network in accordance to Cisco's recommended deployment using the anchor controller in the DMZ. We have created two mobility groups (enterprise and anchor). The anchor controller and DMZ has two subnets (guest managment and guest clients). The guest management subnet is connected to the controller and firewall allowing the mobility groups and EOIP tunnels while the guest client network is also connected to the controller and firewall to push the client traffic directly out the firewall. The setup works well but the one part that I'm not happy with is the DHCP. Currently DHCP is being handled on the firewall because of issues we had with dhcp relay and the controllers internal dhcp service.
    Does anyone have any information on getting DHCP relay working or the internal dhcp service on the controllers when using as a anchor?
    This is basically the setup guide that we followed.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
    Thanks!

    Hi,
    Make sure you have the IP helper address configured under the VLAN interface on the L3 and also make sure to disable DHCP proxy on both the WLC (Anchor and Foreign).
    This will help us as well..
    lemme know if this answered your question..
    Regards
    Surendra
    ====
    Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

  • Guest Anchors and external DHCP servers

    Hi,
    We are using guest anchors (GA) for supporting wireless guest user.
    Until now we used internal DHCP server on the GA but now we want to move to external.
    For example:
    The guest will reside on 192.168.0.x, this is separated by a firewall from the inside network and is not routable on the inside.(this is the guest interface of the GA)
    The DHCP server will be somewhere on the internal network only reachable by GA's management interface.
    Is it possible for DHCP requests to be forwarded to the DHCP server originating from the management interface?
    If this is not how it should happen, than what other options are there for placing the external DHCP servers?
    Let me know if you need more information regarding our solution..
    Thank you,
    Laszlo

    Hello Laszlo,
    Yes, what you want to do can be done but there are few things that you have to consider.
    First is that you are not going to use the WLC as the DHCP server so you should go to the interface configuration and point the DHCP server to the external one.
    Now, what you want to do here is to make the wireless LAN controller a DHCP relay agent (or proxy), this way the wireless LAN controller is the one handling all the DHCP requests and it is going to be the one asking for an IP address in behalf of the client using the management interface. This behavior is enabled by default and I believe you have it already configured because it is necessary for the internal DHCP server of the WLC to work; it is configured on the "Controller" tab > Advanced > DHCP. On new versions of software this option is configurable by interface.
    There is a catch though, if the DHCP server is an ASA or if the request has to go through an ASA or firewall, this might not work because by design some ASAs will drop every DHCP request comming from a relay agent so just consider this when you do these type of deployments.
    If you have any questions let me know.
    Best regards,
    Marco Gonzalez
    Cisco TAC TL

  • WLC 2500 and WCCP for Wireless Guest Users

    Hi there
    I would like to redirect web traffic from WLANs on a Wireless LAN Controller 2500 to a proxy server in a remote site. I'm using ironport proxy server and Cisco 3560 Layer 3 switch. Basically current scenario is:
    Wireless Guest Users get authenticated by web-auth through Access Point 3501 HREAP configured. Guest client gets an IP address on VLAN 100 in remote site. Once they connect to VLAN 100, I want all web traffic to be redirected to the proxy server. I know PAC file may be the easier solution however our guest clients want seamless solution for internet. I am not sure whether WCCP is supported for this.               
    You advice will be highly appreciated.
    Regards

    For guest wireless traffic redirect to proxy server
    https://supportforums.cisco.com/thread/2126486

  • Guest anchor WLAN and DHCP

    hi,
    I am trying to setup a guest WLAN using a local controller and  a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's mangement interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management      interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest"      dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the  controllers "guest" dynamic interface as the DHCP server on the "guest"       dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this,  my client still cannot get an IP address via DHCP.  I verfiied the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    on the DMZ controller, what is the output of a debug client < mac address of the client>  You may also want to capture debug mobility handoff enable, from both WLC.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC.  One thing of note, the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    while runnign the debug, show dhcp proxy, for the WLC to be the DHCP server, proxy needs to be enabled.

  • DHCP loadsharing with redundant Guest Anchor Controllers

    Hi
    I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centres with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
    This is how I tried to distribute
    network. 10.1.0.0/23
    gateway: 10.1.1.254
    Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
    Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
    As the user loadbalancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometime getting 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP) hence depleting the pool addresses.
    I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP loadbalancing and having full redundancy at the same time?
    Any suggestion will be greatly appreciated.
    Regards

    Thanks Scott, I understand that it's quite obvious to get an external DHCP Server, unfortunately it's not an option for us The weired thing is, it seems when a client joins the guest WiFi, both the Anchor Controllers (both functioning as DHCP servers with mutually exclusive IP Address space) are providing IP addresses. While the client accepts only one the other Controller still reserves the IP address unused and hence depleting the DHCP Pool.
    I thought for load balancing (in the very beginning) the Foreign controller will forward the DHCP request to only one of tthe Anchor Controllers, but in reality it's forwarding it to both. I have tested this with only one test AP, so mobility doesn't seem to be an issue here. Any thoughts?

  • SonicWALL = Guest Wireless, VLANs, and DHCP

    All,I'm going to attempt to set up corporate and guest WIFI using Ubiquiti UniFi APs. I'm new to VLANs in general but understand that this is the likely approach. The equipment that I will be using is below- SonicWALL TZ-400 configured for PTP VPN to a SonicWALL E6500.- Ubiquiti toughswitch just for the APs- 4 Ubiquiti APsThe SonicWALL E6500 (central location) does DHCP over VPN to all of the remote offices such as where this TZ-400 will be. I'm struggling with how to handle DHCP. If I set up VLANs say VLAN 10 for corporate to pull DHCP as normal and VLAN 20 for guest WIFI. How can I tell VLAN 20 to get a different range of IPs so that I can restrict from the corporate network range? The toughswitch would be using its own interface on the TZ400. Does what I'm trying to accomplish make sense and is it possible?
    This topic first appeared in the Spiceworks Community

    Setup:Sonicwall TZ205Created a sub-interface – X0:V100 with an IP address of10.45.1.1.Created a DHCP scope for said IP ranged associated withX0:V100 within Sonicwall.Three Netgear switches:A.24 Port + 4 SFPB.24 Port + 4 SFPC.48 Port + 4 SFP1.Sonic wall connected to switch C on port 12.Switch C connected to switch B using port 473.Switch B connected to switch C using port 234.Switch B connected to switch A using port 25 –(GB SFP over fiber)5.Switch A connected to switch B using port 25 –(GB SFP over fiber)6.Ubiquiti AP connected to switch A on port 2VLAN 1 – default·All ports on all switches are untagged fordefault VLAN 1VLAN 100 – meant for wireless guests·Ports 2 and 25 are Tagged for V100 on switch A –all other ports are blank for V100·Ports 23 and 25 are Tagged for V100 on switch B– all other ports are blank for V100·Ports 1 and 47...
    This topic first appeared in the Spiceworks Community

  • Wired + Private Wireless + Guest Networks

    I'm attempting to setup a configuration that I don't seem able to get correct. I have a small wired network at my church with a file server and a couple of dozen users, some of which have laptops and would like to be able to roam wirelessly through the building. In addition, I would like to have an unsecured wireless guest network for visitors which provides access to the internet and does not have access to the file server.
    The specifics are a wired 192.168.1.xxx network with a NAT'd DSL modem/router. I have 4 Airport Extreme dual radio N devices. I've tried setting the first Airport Extreme unit to shared IP, the only setting that allows me to also use a guest network, with a private SSID handing out 172.0.xxx.xxx addresses and a guest network handing out 10.0.xxx.xxx addresses. It seems logical to me that I would want to used bridged mode to allow my private wireless uses to see the server, but the Airport Extreme tells me I can not use a guest network with that setting.
    With this setup, I can not get to my server by name, but I can get to by IP address. I guess that's not a huge problem since I have such a small number of users, I can add the server IP address to a hosts file on each client. What bothers me most is that I can get to the server IP from the guest network as well as the private network. Am I missing something?
    My second point of confusion is when I try to configure the other 3 Airport Extremes to extend the network. The configuration tools asks me which wireless network I want to extend, and allows me to choose only the private network OR the guest network. I thought it should be able to extend both networks simultaneously. Am I mistaken on this as well?
    I'm certain I've left out plenty of information you may need to assist so please ask, I will gather what ever I can. Thanks in advance.

    Hello muellgre. Welcome to the Apple Discussions!
    Unfortunately, Apple does not provide you with very many options when it comes to their Guest network feature. It is basically designed to work with a single AirPort/Time Capsule router in your network configuration.
    As you have found out, it will only be available if you have the AirPort configured as a NAT router and not as a bridge. Also you cannot extend a Guest network. I'm actually surprised that you were given this option.
    Since you have a DSL gateway upstream of your AirPorts that is performing as your primary Internet router, you would want all of your AirPorts to be configured as bridges. Regardless if you were connecting them all back to the DSL gateway by Ethernet or creating a WDS extended network.
    If you go the route of configuring a single Extreme as a router, you will have a Double NAT configuration, which is not bad in itself, but does add some complexity when attempting to share between network segments.
    One option would be to reconfigure the DSL gateway as a bridge, and then, configure one of the Extremes as a router to allow it to handle NAT & DHCP services for the network. This will also give you your guest network. You can also extend this Extreme with the others, but not its guest network ... so, overall, this might not satisfy all of your networking requirements.

  • Unified wireless guest access

    Hi I need help in configuring unified wireless guest access. i have followed the guide
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843.
    But the problem is it still does not work. what i dont get is that the interface for the Guest SSID for the foreign controller is management, does this mean that i have to get an IP address first from the management segment before i can get an IP from the anchor WLC?
    my setup is that i have an anchor controller which is on a different LAN from where my foreign WLC is. the anchor WLC has the DHCP scope and the local net user database. I have already join the two WLC to each other's mobility group. also i have configured the mobility anchor on the WLAN(SSID) of the foreign controller.
    Another thing is that the AP im trying to use is on a different site from where my controller is. Im not sure if this is the one causing problem.
    Can someone help point out my mistake.

    Its rare that I have a difference in opinion from both of you guys but let me share with you an issue I had.
    If you map the foreign controller to the management interface and the tunnel breaks for whatever reason the clients will get dumped on the management interface, even though the WLAN is anchored to the DMZ controller.
    I know this becuase I seen this for my self when I had anchor issues.
    I opened a tac case and it was suggested to use a "dummy interface" on the foreign controller. I forget who I spoke to, this is over a year now. But I then followed up witha Cisco SE on the Advance Wireless team and he commented this is what they do as well. And to add further, a large hospital system here in the Tex Med center had Cisco advance team install their controllers and they too had dummy interfaces for the foreign controllers for guest.
    Just my 2 cents ... Add a dummy interface call he dummy_guest_interface and tie it to 222.222.222.222 or something like ... no need to add anything on the wired.

  • Wireless Guest Internet Only Access

    We just got our 4402 WLC with 1131ag access points up and running. We would now like to set up guest access with only internet access. Our vendor has suggested setting up a dmz on our checkpoint firewall and have it do dhcp and then setting up a wlan on our controller for the guest access. My question is: what do I need to do on the switch side to set this up? Is is just as simple as creating a vlan and giving it an ip address in the dmz range? Or is there another way of setting up internet only guest access?
    Any suggestions would be appreciated.
    Thanks in advance.
    Jeff

    It depends if all you are wanting to do is Internet-only on you controller. If thats it, then you can place your controller in a dmz. Have a device handout the dhcp information to your clients. Set your controller for layer-3 mode. Have your APs connect to your controller (make sure you have the correct ports allowed through your firewall between the APs and the controller). I would recommend placing the APs on a seperate VLAN than other internal traffic with the appropriate LWAPP options configured in the DHCP scope.
    The clients will then associate to the SSID you have setup. They will pull an IP address from the DMZ.
    A few years ago on my first LWAPP deployment, I did this setup and it worked perfectly. I would also recommend having the DHCP server in the DMZ assaign an IP address that is not routable in your internal network. That way, if somebody makes a mistake and their is leakage, the traffic can't be routed anywhere since the source IP address of the wireless client isnt routable. You can use this DMZ controller access for Internet only which can also be used by internal people to VPN back to you internal network if you have that permitted.
    If however, you are planning to do both direct connection to your internal network and an internet-only connection (two different SSIDs) the best way is to get a small controller for your DMZ (like a 4402-12) and a larger controller for internal (4402-25 or 4404-100). Have your DMZ controller be a guest internet controller that is setup as the guest "anchor". There are lots of docs on the Cisco web site. This solution works great. I use a 4402-12 as a DMZ anchor and have about 20 4404-100s that are anchored to it.

  • Wireless Guest Network, iPADS and MAC Filteing

    Hello, I have a question regarding our wireless guest network and using iPADs
    Our wireless network consist of (3) 5508 WLC’s running 6.0.188. 2 internal WLC and 1 external anchor WLC for guest.  Presently we are only using one of the internal controllers for users the second is only used for fail over.  The anchor controller is set up as the DHCP server for guest. We also have a Cisco NAC Guest Server in the DMZ for guest authentication.
    We have (10) iPads that need Internet access though our guest portal. We do not want these iPADs to have to enter any credentials just pass through to the internet. We do not want any other device to be able to connect to this SSID.  Here’s my question; Getting to the Internet is no problem however when I try to set up a MAC filter just for these devices, they never receive an IP address and never get connected.  I have tried setting the filter on both the internal controller and the anchor controller identically and in about every combination I can think of.  Does anyone know how to set up a MAC filter on a guest network configured as per Cisco’s recommendation?  I also plan to use WPA2 and 802.1x once I get the MAC filter to work.  Any help would be appreciated.
    Thank You
    John

    Not all layer 2 and layer 3 security mechanisms are compatible. Refer to this doc
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080987b7c.shtml#matrix
    What security settings have you configured. The settings also need to be identical on both the internal and anchor controller.

Maybe you are looking for