Guest anchor mobility group

I have 2 anchor controllers in a DMZ to provide redundancy for guest access. They are configured with the same default Mobility group name which is different from the local controller Mobility names. My local controllers include both anchor controllers in their mobility groups configuration. The anchor controllers provide DHCP for guest access, but with different IP subpool addresses.
Do I have to include both DMZ anchor controllers as well as the local controllers in the mobility groups which are configured on the DMZ controllers?
Would the DMZ controllers communicate with each other - if so, what information would be exchanged, e.g. client status?
Does symmetric tunnelling have to be configured?
Thanks

I would add both DMZ controllers to each other's mobility group list. This way, if a client roams from a controller that is anchored to WLC-A to a controller anchored to WLC-B, the client's session could be handed off.

Similar Messages

  • !! Warning !! Guest anchor mobility fails in 5.0.48, Single Foreign

    Finally some 5.0 chat showing up so I'll add this nugget. All controllers migrated from 4.2 to 5.0.48. All site (foreign) controllers = MOBGRP-CORP, anchor controller in central dmz = MOBGRP-DMZ.
    Found that my first site where I implemented Guest via anchor mobility worked ok. Tried to bring up 2 new sites with their own foreign controller against same (working) anchor. NO GO. All debugs & shows indicate mobgroup, mobgroup anchor, etc all good. Debugs reveal mobility anchoring messages never being initiated by foreign to anchor.
    Reviewed with TAC for 3 hours last night. Finally found a bugID that related against 5.0.48.
    Bottom line is that our site that was working had 2 foreign controllers. Site that wouldn't come up only had 1 foreign. Weird bug that if site has only 1 mobility member (beside anchor definition) then mob anchor plumbing messages won't exchange from foreign to anchor. Instead, debugs show foreign as anchor. Workaround = move anchor controller into same mobility group as the internal (foreign) controllers. All good now.
    Hope this helps someone avoid 3 hrs w/ TAC. (And I felt I had a GOOD tac guy).
    Now if I could just figure out how to have multiple profile/wlan definitions on anchor controller but have the same ssid on them all so that our guest ssid @ sites can be uniform. Currently won't let me define multiple wlans on anchor with same ssid, even if profile name is unique. Guess despite it not running APs it's still checking wlans for uniqueness. Not very 'enterprise' as we want to have each site a) Have standard guest ssid and b) Have their own IP address space for firewall log purposes, etc. A & B seemingly mutually exclusive in current situation, assuming central anchor controllers of course.

    Well I guess now I need to follow up on my own post. After moving the dmz anchor controller into the "internal" mobility group, we ran into some weird issues.
    1) New APs at the site we were bringing on were somehow getting joined up to another site's controller. Only thing in common between sites was mobgrp name and the fact that they both anchored guest to the same central anchor controller.
    2) At the new site, guest seemed to work OK now but we were experiencing problems with hosts on one of the controllers internal wlans. They were not getting IPs. Debugs revealed that foreign (site) controller was bringing up guest tunnel to itself for this local, non-anchored wlan.
    Opened another tac case. This tac engineer advises that while bug CSCsm71840 exists, the other engineer should not have told us the workaround was to put dmz anchor controller into internal mobility group. Rather, he advised, we should go into any controller (on dmz anchor end or internal foreign end) where there was only 1 controller in the mobility group and add a 'dummy' entry into the mobility group.
    We changed the dmz anchor back to its own mobility group and then made the dummy entries, and the mobility anchor worked correctly & so far it appears that the previously problematic internal wlan also works correctly.
    This whole thing should make for some 'interesting' conversation with the BU shortly.

  • Mobility Group Requirements for Guest Anchor WLC

    Hello -
    I've always assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups. However, I was told recently (without much detail) that this is possible. So I have set out to test this.
    I am trying to point one of my local WLCs' guest SSIDs to a guest anchor WLC in a different mobility group. I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down. Each campus is its own mobility group. In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's not in the drop-down menu. This is because it's not in the same mobility group. So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
    To me it doesn't seem possible without significant configuration changes. I don't want to reconfigure/recreate mobility groups.
    Thanks
    Chuck

    Not only is it possible, I would recommend it. However, you may be confusing some concepts.
    The Mobility Group is different than the Mobility Domain. I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
    The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign WLC, and vice versa.
    If you notice, when you add a mobility entry to the list, it should ask you for the mobility group. If you leave it blank, it should default to that of that WLC, but on GroupA controllers you could define GroupB controllers (and specify GroupB), and then you should have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
    Does that make sense?

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for. N+1 was designed for redundancy for WLCs supporting access points, not mobility anchors. This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLCs. You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s). The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott

  • Replace WLC Mobility Group Anchor

    We have 2 5508 and 1 4402 WLCs and all belong to the same mobility group. The 4402 does not have any access points and does nothing more than serve as a mobility anchor for our public wireless SSID. We are planning to replace the 4402 with a new 2504 unit which will have the same configuration including IP as the 4402. Is there anything I need to do with the mobility groups when we remove the 4402?
    Thanks for any help.
    Jeff

    You'll need to add the MAC of the 2504 to the mobility group, and remove the entry for the 4402.
    Out of curiosity... how many concurrent guest users do you have usually?
    Steve

  • WLC 7.3.101.0 Mobility group peer cannot up.

    Hi Guys,
    It seems the 7.3.101 version mobility group peer cannot come up; refer to the attachment.
    Peer 1: version 7.3.101
    Peer 2: version 7.0.98
    Peer 3: version 7.2.103
    Today we got two new WLCs for anchor use, and configured the mobility group, but it failed and cannot come up; the ping is ok.

    Chris is right here. One thing I tell my clients is to allow everything between the foreign and the anchor WLCs just to verify that the mobility can come up, then lock it down. Here are some links that explain what test is for what port.
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00809a30cc.shtml#qa8
    Anchor Controller Positioning
    Because the anchor controller is responsible for termination of guest WLAN traffic and subsequent access to the Internet, it is typically positioned in the enterprise Internet DMZ. In doing so, rules can be established within the firewall to precisely manage communications between authorized controllers throughout the enterprise and the anchor controller. Such rules might include filtering on source or destination controller addresses, UDP port 16666 for inter-WLC communication, and IP protocol ID 97 Ethernet in IP for client traffic. Other rules that might be needed include the following:
    • TCP 161 and 162 for SNMP
    • UDP 69 for TFTP
    • TCP 80 or 443 for HTTP, or HTTPS for GUI access
    • TCP 23 or 22 for Telnet, or SSH for CLI access
    Depending on the topology, the firewall can be used to protect the anchor controller from outside threats.
    For the best possible performance and because of its suggested positioning in the network, it is strongly recommended that the guest anchor controller be dedicated to supporting guest access functions only. In other words, the anchor controller should not be used to support guest access in addition to controlling and managing other LWAPP APs (LAPs) in the enterprise.

  • Mobility group membership

    I have 4 WLCs deployed:
    1. AnchorWLC - WLC4402 anchor in a DMZ for guest access
    2. WLCA1 - WLC4402 on SiteA
    3. WLCB1 - WLC2006 on SiteB
    4. WLCB2 - WLC2006 on SiteB
    SiteA & SiteB are geographically separated.
    On all WLCs there is the same mobility group 'group1' with the following group members:
    1. on AnchorWLC: group1 members: WLCA1, WLCB1, WLCB2
    2. on WLCA1: group1 members: AnchorWLC
    3. on WLCB1: group1 members: WLCB2, AnchorWLC
    4. on WLCB2: group1 members: WLCB1, AnchorWLC
    As SiteA and SiteB are geographically separated I have not included internal (non-anchor) WLCs that are on SiteA in the mobility group created on WLCs on SiteB and vice versa. The only WLC that has all controllers added to its mobility group is the AnchorWLC, as guest access is needed from both SiteA and SiteB.
    Is this a valid config (anyway, it is working...) or is it recommended to have 2 different mobility groups, one for each site (A & B), and create 2 separate mobility groups on the AnchorWLC?

    I would recommend going for two separate mobility groups. Even though it is working since it is geographically separated, it's always better to have different mobility groups.

  • WLC Mobility Group Confusion

    Can someone please clarify how mobility groups work and when to use them? I have 2 data centers, each with a WLC, for centralized control. I just want to provide simple redundancy.
    When should I use an Anchor group?
    Thanks for your help.

    To make it simple, any WLCs that will be a primary, secondary or tertiary WLC for LAPs will need to be placed in the same mobility group. Now if you have a guest anchor controller for guest, then that will need to be added in the same mobility group. Bottom line, when users roam from AP to AP, from one WLC to another, even getting tunneled (anchor), the WLCs need to be aware of the roaming and that is what the mobility group does.
    Anchor is if you want to tunnel users to a specific controller like in a guest wireless situation when the WLC is located in the DMZ. There are other reasons, but this is most likely why.

  • Guest anchor WLAN and DHCP

    hi,
    I am trying to set up a guest WLAN using a local controller and a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's management interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface, mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controller's management interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the controller's "guest" dynamic interface as the DHCP server on the "guest" dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this, my client still cannot get an IP address via DHCP. I verified the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    On the DMZ controller, what is the output of a debug client <mac address of the client>? You may also want to capture debug mobility handoff enable, from both WLCs.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC. One thing of note, the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    While running the debug, show dhcp proxy; for the WLC to be the DHCP server, proxy needs to be enabled.

  • Guest Anchor

    Hi All,
    I have a question if a guest anchor can support multiple VLANs for one SSID over EoIP? With AP groups this is possible, for example one SSID can be the same in different locations (meaning different VLANs/dynamic interfaces) but can this be done with a guest anchor?
    To set up a guest EoIP tunnel the interfaces are defined as Management (on foreign WLC) and a guest-dmz interface (on the anchor WLC). If you are using, say, web-authentication and try again to use the same ssid with another interface (guest-dmz2) there seems to be some problem. Anyone come across this before or know of a solution? I could configure different ssids to the different interfaces but wonder if it could be possible using the same ssid... there seems to be some limitation.
    Any suggestions?
    Cheers
    Matt

    No.
    AP-Groups only work with the APs, and since mobility is passed with the controller IP, there is no way for AP groups to function on the Anchor.
    Now an interesting feature request might be to do a controller-group override, so that all clients from controller X go to one interface, and controller Y go to another, but I've never heard anyone ask for it.
    Bottom line, as far as I know, is that you're going to need two different SSIDs to have clients in different interfaces on the Anchor.

  • 5508 Mobility Groups

    Hello.
    2 questions
    1) Is it possible for 2 WLCs installed in separate data centres with L3 separation to be joined in a mobility group? We will have APs in the branch offices split between controllers so we want to make sure roaming works ok. Also all guest access should be anchored to data centre 2.
    2) In flexconnect local switching mode, do I need to create flexconnect groups if I'm only using radius servers in the data centre with no requirement to use local radius as a backup?

    Mobility groups can work when the WLCs are in different subnets as long as UDP 16666 and IP protocol 97 are allowed between the two WLCs.
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mobil.html#wp1102312
    You will not be able to configure, for guest, which WLC is primary or secondary. The foreign WLC will decide which guest anchor controller (if there are two) it will use.
    You don't need to use flexconnect groups if you don't want to. If your devices are not CCKM compliant, then I wouldn't worry about it personally. Here are the numbers, but some have changed with 7.3.
    The number of FlexConnect groups and access point support depends on the platform that you are using. You can configure the following:
    • Up to 100 FlexConnect groups for a Cisco 5500 Series Controller
    • Up to 1000 FlexConnect groups for a Cisco Flex 7500 Series Controller. The Cisco Flex 7500 Series Controller can accommodate up to 50 access points per FlexConnect group.
    • Up to 20 FlexConnect groups with up to 25 access points per group for the remaining platforms.
    https://supportforums.cisco.com/docs/DOC-26778#Increased_scale_for_Cisco_Flex_7500_Series_Controllers_668166
    Thanks,
    Scott

  • What will happen when I remove controllers from mobility groups?

    Hi,
    I'm wondering what exactly will happen when I remove a controller from a mobility group?
    1) Will it require a reboot? (I don't think so, nothing I've found says so)
    2) Will it deauth/reauth the APs connected? (I don't think so, nothing I've found says so)
    3) Will it do anything else goofy?
    I have 2 RF groups spanning continents over low speed links. All that is transmitted over mobility groups is session data correct? Not usernames, not ??? What am I missing here? I'm banging my head against the wall because I can't figure out why someone would configure the system in this way.
    Setup:
    WLC 4404, WLC 2100's
    WCS 5.2.148
    11xx series AP's
    Radius Auth for domain users
    a few SSID's, one guest SSID, no DHCP on any of the controllers
    Thanks in advance,

  • Multicasting with a guest anchor configuration.

    Hi All
    First time posting. :-)
    I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
    Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
    In case of Auto Anchor:
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to an interface group, will receive an IP address in round robin method inside the interface group.
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to an interface only, will receive an IP address from that interface only.
    Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address.
    Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
    Could someone advise?
    Thank you in advance!!

    Thank you for information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
    Q I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
    A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
    Unfortunately it seems that multicast over EoIP does not work.

  • Anchor mobility configuration getting lost in wlc 5508 ios code 7.4.100.0

    It is observed that in WLC 5508, IOS 7.4.100.0, the mobility anchor configuration on the WLAN is getting lost. We configure the anchor IP address on guest WLAN > Mobility Anchor > Switch IP Address (Anchor).
    We have configured the template on NCS 2.0 to push the anchor mobility IP address to all WLCs.
    Has anyone observed this behaviour? We have more than 100 WLCs, and every week the mobility anchor configuration is lost on some WLC running code 7.4.100.0.

    I am having this exact same problem. I am running 7.3 on 5508 WLC. My remote site LAPs are using Flex (HREAP). The initial access point that my laptop associates to connects with no problem; as soon as I wander out of range of the initial LAP and into the area of another access point, I lose data connectivity. This was validated like the original post: I start a constant ping on the LAN and watch as the ping latency increases and then ping replies stop. The only way to correct the problem is resetting the wireless adapter on the laptop. Side note: my DroidX has no problem wandering from AP to AP.
    Laptop: Windows 7 32bit
    I then returned to my home site and tested where I have a secondary controller and the LAPs are configured for local mode; no problems roaming from access point to access point. Validated with constant ping test. The pings drop for a second and then continue as the laptop reconnects.
    **Edit: I am going to try the removing the DHCP Addr. Assignment required option, and report that back to the TAC engineer.
    **Edit Solved:***
    The problem is indeed solved by turning off the "DHCP Address Required" option, but why?

  • WLC 7.4.100.0 Mobility group control and data path down

    Hi All,
    Today I am facing an issue with the mobility group. I checked and found the control and data path are down on the foreign controller. I am able to ping the anchor controller. Required ports are open on the firewall but mping and eping fail. Any idea what's wrong? On the anchor controller, I have 7 foreign controllers configured and among these 3 are working fine. Having a problem with 4 foreign controllers. Previously all were working fine and there were no changes made on the network or firewall.

    Post output of "show mobility summary" of your Anchor WLC & a non-working WLC. Also "show sysinfo" of those two controllers.
    Regards
    Rasika
