Guest Anchor N+1: Failover Time

Similar Messages

• ASA Active/Active Failover with Redundant Guest Anchors

  Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
  The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
  Regards,
  Scott

  In addition to what you have, you should add to each unit the global configuration command "failover".
  We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

• Guest Anchor with web auth using ISE guest portal

  Hello All,
  Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
  I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
  massive thanks to anyone that can assist.
  JS.

  Thanks for the reply RikJonAtk.
  so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
  Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
  Thanks in Advanced,
  JS

• Multicasting with a guest anchor configuration.

  Hi All
  First time posting. :-)
  I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
  Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
  In case of Auto Anchor:
  Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface group, will receive an IP address in round robin method inside the interface group.
  Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface only, will receive an IP address from that interface only.
  Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address.
  Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
  Could someone advise?
  Thank you in advance!!

  Thank you for information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
  Q I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
  A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
  unofortunately it seems that multicast over EoIP does not work.

• DHCP loadsharing with redundant Guest Anchor Controllers

  Hi
  I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centres with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
  This is how I tried to distribute
  network. 10.1.0.0/23
  gateway: 10.1.1.254
  Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
  Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
  As the user loadbalancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometime getting 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP) hence depleting the pool addresses.
  I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP loadbalancing and having full redundancy at the same time?
  Any suggestion will be greatly appreciated.
  Regards

  Thanks Scott, I understand that it's quite obvious to get an external DHCP Server, unfortunately it's not an option for us The weired thing is, it seems when a client joins the guest WiFi, both the Anchor Controllers (both functioning as DHCP servers with mutually exclusive IP Address space) are providing IP addresses. While the client accepts only one the other Controller still reserves the IP address unused and hence depleting the DHCP Pool.
  I thought for load balancing (in the very beginning) the Foreign controller will forward the DHCP request to only one of tthe Anchor Controllers, but in reality it's forwarding it to both. I have tested this with only one test AP, so mobility doesn't seem to be an issue here. Any thoughts?

• How can I set up a guest access point with a Time Capsule and an Airport Extreme? I am using a Telus router with the Time Capsule used as a wireless access point (bridge mode). I don't want the guest access point to have access to my network.

  How can I set up a guest access point with a Time Capsule and an Airport Extreme? I am using a Telus router with the Time Capsule used as a wireless access point (bridge mode). I don't want the guest access point to have access to my network.

  The Guest Network function of the Time Capsule and AirPort Extreme cannot be enabled when the device is in Bridge Mode. Unfortunately, with another router...the Telus...upstream on your network, Bridge Mode is indicated as the correct setting for all other routers on the network.
  If you can replace the Telus gateway with a simple modem (that performs no routing functions), you should be able to configure either the Time Capsule or the AirPort Extreme....whichever is connected to the modem....to provide a Guest Network.

• EA6100 AC1200 Blocking Guest internet access during specific times?

  I see that you can disable guest internet access for specific times but only for specific devices. What I want to do is turn off Guest access for all devices during specific times. 
  I am using this in an environment  where I will have different guests at different times with different devices and can't go in to block each one each time. 

  I think your only option at this time is to manually disable the Guest Wireless network when wanted.
  Please remember to Kudo those that help you.
  Linksys
  Communities Technical Support

• Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

  DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
  In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
  and the internal controller must match. Else, DHCP request from clients are dropped and you
  see this error message on the internal controller......
  However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
  Many Thanks
  Kam

  Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope.  With the newer code versions, you can enable dhcp proxy on a per interface do this doens't have to be global.

• Mobility Group Requirements for Guest Anchor WLC

  Hello -
  I've alway assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups.   However, I was told recently (without much detail) that this is possible.  So I have set out to test this.  
  I am trying to point one of my local WLCs guest SSIDs to a guest anchor WLC in a different mobility group.   I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down.   Each campus is it's own mobility group.   In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's non in the drop-down menu.  This is because it's not in the same mobility group.   So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
  To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
  Thanks
  Chuck

  Not only is it possible, I would recommend it. However, you may be confusing some concepts.
  The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
  The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
  If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
  Does that make sense?

• Guest anchor across different versions

  Hi all,
  I'm looking for information on the issues that could arise or what the impact is of a guest anchor between WLC's with different versions.
  There is a 4400 in the core running 7.0 and a 2504 in a branch running 7.2. I need to extend a web auth guest SSID to the branch.
  7.2 is required because of 2602 AP's.
  Looking for information and experiences.
  Cheers
  Darren
  Sent from Cisco Technical Support iPhone App

  Here is a compatibility matrix
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp102554
  Sent from Cisco Technical Support iPhone App

• Guest Anchor

  Hi All,
  I have a question if a guest anchor can support multiple VLANs for one SSID over EoIP? With AP groups this is possible, for example one SSID can be the same in different locations (meaning different VLANs/dynamic interfaces) but can this be done with a guest anchor?
  To setup a guest EoIP tunnel the interfaces are defined as Management (on foreign WLC) and a guest-dmz interface (on the anchor WLC). If you are using say web-authentication and try agin to use the same ssid with another interface (guest-dmz2) there seems to be some problem. anyone come across this before or know of a solution? i could configure different ssids to the different interfaces but wonder if it could be possible using the same ssid...there seems to be some limitation
  Any suggestions?
  Cheers
  Matt

  No.
  AP-Groups only work with the APs, and since mobility is passed with the controller IP, there is no way for AP groups to function on the Anchor.
  Now an interesting feature request might be to do a controller-group override, so that all clients from controller X go to one interface, and controller Y go to another, but I've never heard anyone ask for it.
  Bottom line, as far as i know, is that you're going to need two different SSIDs to have clients in different interfaces on the Anchor

• Using 2504 as Guest Anchor.

  So I've got a few 7510 Flex Controllers and am looking to setup a mobility anchor for guest networks. I see this functionality has recently been extended to the 2504. However there is one thing I am curious about: the QoS profile, I have a QoS profile configured on my Guest WLAN, customized the bronze profile, from what I remember about the 2504 is it does not support the QoS functionality that is supported on the larger WLC models, and I know WLAN settings must match between WLC's and their anchors, so I don't know what happens with my QoS profile or if I can even utilize the 2504 as a mobility anchor for the 7510 due to this QoS issue.
  Has anyone tested this, or stumbled any documents about 2504's being mobility anchors?
  CCNP, CCIP, CCDP, CCNA: Security/Wireless
  Blog: http://ccie-or-null.net/       

  Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
  Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
  Good to see my blog helps you & thanks for the comment.
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Guest access to the Internet with Guest Anchor Controller

  Hi;
  We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
  I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
  What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
  Thanks for the assistance!  Glenn Morrison

  you'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
  HTH,
  Steve

• Web Auth using 5760 Guest Anchor and ISE

  I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
  When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
  As soon as I remove the security web-auth commamd from the wlan, I connect right up.  It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
  Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

  I hope this may help you
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
  HTH
  Rasika
  *** Pls rate all useful responses ****

• Guest Anchor N+1: Multiple guest WLANs and Mobility List

  Hi Experts,
  We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
  I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
  And between these two new anchor WLCs, do they need to add each other to Mobility List?
  Or maybe I should ask first, does it matter if they are in the same mobility group or not?
  Thanks
  Cedar

  N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
  Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"