FlexConnect VLAN Central Switching and guest WEB Auth

Similar Messages

• FlexConnect local/central switched and Access-Accept Packets

  For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
  •  Full network access, local switched.
  •  Limited network access, central switched:
  ◦       To isolate traffic from the branch’s LAN.
  ◦       To force traffic through a firewall at the central site.
  ▪       To ease access rules management.
  ◦       Internet access only by default.
  ▪       Internet access is located at the central site.
  ▪       We expect to manage some exceptions to the rule.
  We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
  However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
  Authentication Attributes Honored in Access-Accept Packets (Airespace)
  VAP ID
  This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
  Source:
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
  We then made an assumption that the following was possible:
  •  Create a second SSID
  ◦       Broadcast not enabled
  ◦       Central Switched
  •  Users would authenticate using the first SSID
  •  In it’s access-accept packet, the RADIUS server would return an
  Airespace-WLAN-Id attribute with the value of the second SSID.
  •      The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
  So far, our tests showed no results.
  •  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
  •  If not, what would you recommend?
  For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
  Thank you very much,

  Your WLAN is defined with as centrally switched or locally switched, AAA override will not chage that value.  AAA attributes can change a users vlan, acl and QoS.  The other attributes are intended to use for rules... example:
  Is the user part of this AD group and is this user on WLAN ID=1.
  You will not be able to go from centrally switched to locally swithed and vice versa.  I don't know how you would be able to achieve what your trying to acomplish with one SSID to be honest.

• Centrally Switched and Flex Local Switched WLAN - same SSID

  Hi All
  I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
  We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
  My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
  My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
  Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
  *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
  My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
  If someone can verify the above I'd be very grateful.
  Many thanks in advance
  Mark

  Hi Mark
  My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
  When you configure an SSID for local switching, it is only applicable if AP in Flexconnnect mode. So as long as your HQ APs are in Local mode then all those users traffic will be central switch for the given SSID. At branch those AP are in Flex mode, they will locally switched.
  Pls do not forget to rate our responses if that is useful to you
  HTH
  Rasika

• WLC2112 with Guest / Web-Auth and vlan

  Hi
  I'm trying to configure my WLC with guest SSID and vlan 10.
  The security is only set to Web-auth, and it is all working if the guest network is set to nativ vlan (1) But it seems that the http(s)://1.1.1.1/login.html is not reacheble from the guest SSID/VLAN??
  Please help.
  Management IP Address 192.168.14.252
  Software Version 6.0.182.0
  Emergency Image Version
  I have tried with ver. 5.2 also -

  I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
  Don't know if that helps, or not.

• Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

  Hello Experts
  We have one WLC 5508 in Building1, few 2700 Series AP in Building1, and one 1252AG in Building2. The LAN subnet is same for both Buildings connected via a dark fiber.
  My requirement is to have Central Switching in Building1 since WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic, for both Buildings we already one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
  Questions:
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Thanks.

  Hi
  The LAN subnet is same for both Buildings connected via a dark fiber.
  If this is the case there is no need of FlexConnet, as you have enough bandwidth & same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.
  Anyway if you want to do this & here is the answer for your specific queries.
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  You can have both local switching & central switching available for a given SSID. Only FlexConnect mode AP will do Local switching & all Local mode AP will do central switching, though both using the same SSID.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  No, if it is central switching SSID, when WLC is not available client won't able to join this SSID. It is not fall back to Local switching.
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  This is applicable only to FlexConnect mode APs & it always do local switching if that configured. If WLC is not reachable AP will go on "standalone mode" & still do local switching.
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Yes, when this option configured & WLC is not reachable (but RADIUS is reachable) then AP will act as Authenticator & pass radius messages to Auth Server directly.
  This is a very good Ciscolive presentation you should see as it describe lots of these features & which WLC codes they introduced.
  BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Enable Session Timeout - Guest web-auth

  Hi All,
  Just a quick one. If this timer expires when using web-auth on a guest wlan in the following way
  PC --Ap -- WLC (campus) -- Anchor WLC (DMZ) --- www
  Does the web session break and the user will be redirected to the web authentication page?
  Many thx indeed,
  Ken

  Hi there.
  http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5users.html#wp1048408
  Thanks for the doc above. It has the info in there. Many many thx for your help.
  Ken
  The smaller of this value or the session timeout for the guest WLAN, which is the WLAN on which the guest account is created, takes precedence. For example, if a WLAN session timeout is due to expire in 30 minutes but the guest account lifetime has 10 minutes remaining, the account is deleted in 10 minutes upon guest account expiry. Similarly, if the WLAN session timeout expires before the guest account lifetime, the client experiences a recurring session timeout that requires reauthentication.

• WiSM and GUEST web authentication

  I have a WiSM and we use Cisco open web
  authentication with a user email address.
  When performing  this command via CLI:
  >config network secureweb disable
  >save config
  > reset system
  Will this make the web authentication come up HTTP instead of HTTPS ?

  That command is in order that you manage the unit.
  However there used to be a workaround that when you disable HTTPS and SSH and you reboot the WLC the web authentication will be showed as http and no https.
  Let me know if it works for you

• Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

  Hello at all,
  is it possible to tell a flexconnect ap if the client at a single ssid should get local switched or central switched and if central switched, which vlan it should use?
  All I got so far was either central switched with dynamic vlan assignment or local switched with static vlan (because it falls back to the default static vlan configured at the ap if the radius assigned vlan doesn't exist), but I need a flexconnect ap that puts client a into the local switched vlan a and client b to the central switched vlan b, both in the same ssid. Is there a radius attribute to tell a flexconnect ap how to handle this while non flexconnect aps ignore it?
  To be more detailed:
  At the central location all APs are running in local-mode, radius assigns different vlans to the clients (different departments), lets say client a = vlan 100, client b = vlan 200 and this works fine. At the remote locations the APs are running in flexconnect-mode with default vlan 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At this locations radius also says client a = vlan 100, but client a should be forwarded to local vlan 10 (which already works because there is no vlan 100 configured at the ap so the default static configuration with vlan 10 is used), while client b should stay at vlan 200 and should be central switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another ssid isn't a valid option.
  Thank you,
  Christian

  Hi Christian.
  This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.
  "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
  In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
  FlexConnect VLAN Central Switching Summary
  Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
  •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
  •If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
  •If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
  •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
  Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
  •If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
  •If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
  •If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
  Enjoy your weekend & I am sure you will be able to get this working.
  HTH
  Rasika
  *** Pls rate all useful responses ****

• Dot1x (Switch) Question with MAC bypass & Web Auth

  Is it possible to configure dot1x with MAC Auth bypass along with web authentication?
  The goal is to first try dot1x
  If machine doesn't support dot1x, then use MAC address. If MAC isn't in list, redirect through a web browser.
  From what I read, it sounds like MAC bypass gives me half of what I need and using web auth as a fall back to dot1x gives me the other half. Can these be using in conjunction to accomplish what is needed here?
  There is also Web Auth with Automatic MAC Check, but there is mention of this only working in "web auth standalone mode." Can anyone comment on this?
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1281903
  Help is much appreciated.
  Thanks,
  Jason

  Is it possible to configure dot1x with MAC Auth bypass along with web authentication?
  The goal is to first try dot1x
  If machine doesn't support dot1x, then use MAC address. If MAC isn't in list, redirect through a web browser.
  From what I read, it sounds like MAC bypass gives me half of what I need and using web auth as a fall back to dot1x gives me the other half. Can these be using in conjunction to accomplish what is needed here?
  There is also Web Auth with Automatic MAC Check, but there is mention of this only working in "web auth standalone mode." Can anyone comment on this?
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/sw8021x.html#wp1281903
  Help is much appreciated.
  Thanks,
  Jason

• Problem with Web Auth

  hi
  i have two wireless networks,one for the guests and the other one extends the corporate network.i created two vlan on my 6509 swicth and mapped the vlns to to the wlans.All is working fine but when i enable web auth for guest i can no longer ping my gateway or browse and even web auth is not authenticating against the internal users configured on the WLC...web auth just wont work.
  what could be wrong..i really need to authenticate using web auth.

  ok, SO this is what i need
  send me show custom-web details
  S if you open the page do you get the default cisco webauth redirected page ; are you able to put the user name and password ?
  can you send me the screen shot of events
  Regards
  Seema

• Override centrally switched WLAN

  Hello.
  I need some advice on configuring a guest access for several remote sites on a 5508 WLC.
  I set up a guest WLAN which is centrally switched and authenticated. That works fine for the main location and most of the remote sites. My problem is now, that for some ( but not all ) remote sites, this WLAN has to be locally switched because of a different law situation. The access points in the remote sites are already configured as FlexConnect access points.
  Is there a way to override the central switching for some remote sites?
  Thanks in advance!
  Sven

  Sven,
  you can do this by configuring additional WLAN Profiles which contain the same SSIDs like your existing ones, but use local switching instead of central switching. You should use WLAN numbers > 16 so that the new profiles are not in the default group, then create a new ap group, configure your new profiles and add your APs.
  Let us know if you need a more detailed how-to.
  Regards
  Stefan

• Central switching NOT work.

  Good mooring,
  My lab is:
  1)  Virtual controller 7.3.112  is OK
  2)  N° 2 LAP 1130 e 1240   is Joined to controller OK
  3)  flexconnect in localswitch is OK
  4)  flexconnect in central switch IS NOT work.
  please can you help me to find the problem.

  I fixed the problem.
  the problem was "Promiscuous Mode" of the "data port" Port-group.
  this is very impacted solution, because this requirements t is not married to the same logic virtualization.
  I have the hypervisor implemented as " best practics" of Cisco and VmWare:
  only one port-channel on vswitch with aggregation of ALL NiC ( in only one VSwitch) of the server for I/O traffic client-server.
  I can not reserve the Phisycal interface for to made new Vswitch dedicated to this news virtual machine.
  this is and requirements very strange for virtualization implementation.

• Different VLAN for AP and WLC

  I have a problem when I rebulid my client's wireless network
  My client's AP is using static IP address on AP1131AG in VLAN 50, but the controller is at VLAN 100
  A DHCP with option 43 and 60 is running on core switch, that's meaning if the AP is no IP setting that will work fine with on DHCP with option 43 and 60, this point I understood.
  But in the AP which using static IP address, there has no DNS / WLC IP address setting can be found on the it, why the AP can associate to the controller without DNS / WLC IP address? I checked the configuration many times but no luck, hope someone can explain this to me, thanks a lot!

  Thanks for your reply, i am asking why is it working......
  As all APs have associated to the controller at the moment, I don't know why it's work on day one, as no broadcast forwarding setting on the corss VLAN L3 switch, and the DNS is no CAPWAP / LWAPP entry for WLC, so it's a big question mark to me, how the AP which running static IP is work fine even I shut it down for 10 hours and bring it back.
  As you said, once the AP is joined the WLC, the AP won't to proceed the discovery, then....
  Where is the WLC IP address stored in the AP? I used show run command but cannot found any ascii or hex value for WLC IP address
  If I need to add a new AP in this enviroment, am i need to configura a static IP address and enable the boardcast forwarding on the L3 switch? But in case I enabled the boardcast forwarding, how's the AP in VLAN 50 can communicate with VLAN 100 through CAPWAP and join the WLC? and how is the AP can find the WLC IP address with no DNS IP configured in the APs.
  I think the guys who setup this enviroment was enabled the boardcast forwarding, but disabled it after all of the APs joined the WLC, is it possible? I am looking forward for your reply, thanks!

• Not Working-central web-authentication with a switch and Identity Service Engine

  on the followup the document "Configuration example : central web-authentication with a switch and Identity Service Engine" by Nicolas Darchis, since the redirection on the switch is not working, i'm asking for your help...
  I'm using ISE Version : 1.0.4.573 and WS-C2960-24PC-L w/software 12.2(55)SE1 and image C2960-LANBASEK9-M for the access.
  The interface configuration looks like this:
  interface FastEthernet0/24
  switchport access vlan 6
  switchport mode access
  switchport voice vlan 20
  ip access-group webauth in
  authentication event fail action next-method
  authentication event server dead action authorize
  authentication event server alive action reinitialize
  authentication order mab
  authentication priority mab
  authentication port-control auto
  authentication periodic
  authentication timer reauthenticate server
  authentication violation restrict
  mab
  spanning-tree portfast
  end
  The ACL's
  Extended IP access list webauth
      10 permit ip any any
  Extended IP access list redirect
      10 deny ip any host 172.22.2.38
      20 permit tcp any any eq www
      30 permit tcp any any eq 443
  The ISE side configuration I follow it step by step...
  When I conect the XP client, e see the following Autenthication session...
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
             Interface:  FastEthernet0/24
            MAC Address:  0015.c549.5c99
             IP Address:  172.22.3.184
              User-Name:  00-15-C5-49-5C-99
                 Status:  Authz Success
                 Domain:  DATA
         Oper host mode:  single-host
       Oper control dir:  both
          Authorized By:  Authentication Server
             Vlan Group:  N/A
       URL Redirect ACL:  redirect
           URL Redirect: https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
        Session timeout:  N/A
           Idle timeout:  N/A
      Common Session ID:  AC16011F000000490AC1A9E2
        Acct Session ID:  0x00000077
                 Handle:  0xB7000049
  Runnable methods list:
         Method   State
         mab      Authc Success
  But there is no redirection, and I get the the following message on switch console:
  756005: Mar 28 11:40:30: epm-redirect:IP=172.22.3.184: No redirection policy for this host
  756006: Mar 28 11:40:30: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  I have to mention I'm using an http proxy on port 8080...
  Any Ideas on what is going wrong?
  Regards
  Nuno

  OK, so I upgraded the IOS to version
  SW Version: 12.2(55)SE5, SW Image: C2960-LANBASEK9-M
  I tweak with ACL's to the following:
  Extended IP access list redirect
      10 permit ip any any (13 matches)
  and created a DACL that is downloaded along with the authentication
  Extended IP access list xACSACLx-IP-redirect-4f743d58 (per-user)
      10 permit ip any any
  I can see the epm session
  swlx0x0x#show epm session ip 172.22.3.74
       Admission feature:  DOT1X
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
  And authentication
  swlx0x0x#show authentication sessions interface fastEthernet 0/24
       Interface:  FastEthernet0/24
       MAC Address:  0015.c549.5c99
       IP Address:  172.22.3.74
       User-Name:  00-15-C5-49-5C-99
       Status:  Authz Success
       Domain:  DATA
       Oper host mode:  multi-auth
       Oper control dir:  both
       Authorized By:  Authentication Server
       Vlan Group:  N/A
       ACS ACL:  xACSACLx-IP-redirect-4f743d58
       URL Redirect ACL:  redirect
       URL Redirect:  https://ISE-ip:8443/guestportal/gateway?sessionId=AC16011F000000510B44FBD2&action=cwa
       Session timeout:  N/A
       Idle timeout:  N/A
       Common Session ID:  AC16011F000000160042BD98
       Acct Session ID:  0x0000001B
       Handle:  0x90000016
       Runnable methods list:
       Method   State
       mab      Authc Success
  on the logging, I get the following messages...
  017857: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_qualify ...
  017858: Mar 29 11:27:04: epm-redirect:epm_redirect_cache_gen_hash: IP=172.22.3.74 Hash=271
  017859: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: CacheEntryGet Success
  017860: Mar 29 11:27:04: epm-redirect:IP=172.22.3.74: Ingress packet on [idb= FastEthernet0/24] matched with [acl=redirect]
  017861: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Enqueue the packet with if_input=FastEthernet0/24
  017862: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: In epm_host_ingress_traffic_process ...
  017863: Mar 29 11:27:04: epm-redirect:IDB=FastEthernet0/24: Not an HTTP(s) packet
  What I'm I missing?

• Guest VLAN - FlexConnnect Central Switching vs Anchor WLC

  I have a general question about securing the guest WLAN in FlexConnect deployment -
  Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
  Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
  Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
  What would be the best option in the FlexConnect Centralized WLC deployment to restriect guest traffic from accessing corporate network? What are the advantages and disadvantages of those three options?
  I would highly appraciate your input on this topic.
  Thank you.

  Yes, you're right.
  Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.
  On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.
  If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors.