Guest anchor WLAN and DHCP

hi,
I am trying to setup a guest WLAN using a local controller and  a controller in my DMZ using the mobility-anchor configuration.
Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
Local Controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest" - assigned it to the management interface.
Have tried the following with regards to DHCP on this WLAN.
     Set it to "override" and specified the DMZ controller's mangement interface
     Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management      interface
     Left DHCP server blank on the local controller's management interface
Setup the DMZ controller as the mobility anchor for the "guest" WLAN
DMZ controller config
Configured mobility-groups, verified mobility group is working
Created WLAN called "guest"
Created a dynamic interface called "guest" associated to the "guest" WLAN
Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
Created an internal DHCP server scope and enabled it
Have tried the following with regards to DHCP on the "guest" WLAN
     Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest"      dynamic interface
     Set DHCP to "assignment required" and specified the IP address of the  controllers "guest" dynamic interface as the DHCP server on the "guest"       dynamic interface
     Set DHCP to "override" and specified the DMZ controller's management interface IP
     Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
After all this,  my client still cannot get an IP address via DHCP.  I verfiied the client is associating to the AP.
Any help would be appreciated.
Thanks
Lee

on the DMZ controller, what is the output of a debug client < mac address of the client>  You may also want to capture debug mobility handoff enable, from both WLC.
For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC.  One thing of note, the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
while runnign the debug, show dhcp proxy, for the WLC to be the DHCP server, proxy needs to be enabled.

Similar Messages

  • SonicWALL = Guest Wireless, VLANs, and DHCP

    All,I'm going to attempt to set up corporate and guest WIFI using Ubiquiti UniFi APs. I'm new to VLANs in general but understand that this is the likely approach. The equipment that I will be using is below- SonicWALL TZ-400 configured for PTP VPN to a SonicWALL E6500.- Ubiquiti toughswitch just for the APs- 4 Ubiquiti APsThe SonicWALL E6500 (central location) does DHCP over VPN to all of the remote offices such as where this TZ-400 will be. I'm struggling with how to handle DHCP. If I set up VLANs say VLAN 10 for corporate to pull DHCP as normal and VLAN 20 for guest WIFI. How can I tell VLAN 20 to get a different range of IPs so that I can restrict from the corporate network range? The toughswitch would be using its own interface on the TZ400. Does what I'm trying to accomplish make sense and is it possible?
    This topic first appeared in the Spiceworks Community

    Setup:Sonicwall TZ205Created a sub-interface – X0:V100 with an IP address of10.45.1.1.Created a DHCP scope for said IP ranged associated withX0:V100 within Sonicwall.Three Netgear switches:A.24 Port + 4 SFPB.24 Port + 4 SFPC.48 Port + 4 SFP1.Sonic wall connected to switch C on port 12.Switch C connected to switch B using port 473.Switch B connected to switch C using port 234.Switch B connected to switch A using port 25 –(GB SFP over fiber)5.Switch A connected to switch B using port 25 –(GB SFP over fiber)6.Ubiquiti AP connected to switch A on port 2VLAN 1 – default·All ports on all switches are untagged fordefault VLAN 1VLAN 100 – meant for wireless guests·Ports 2 and 25 are Tagged for V100 on switch A –all other ports are blank for V100·Ports 23 and 25 are Tagged for V100 on switch B– all other ports are blank for V100·Ports 1 and 47...
    This topic first appeared in the Spiceworks Community

  • WLAN and DHCP with WLC controller

    Hi,
    I've a question about how works dhcp for wifi clients.
    On the WLAN edit I've seen that my option are:
    1) DHCP override-> i insert the dhcp server address here
    2) without DHCP override -> the WLAN will use the DHCP server configured under the management interface
    Based upon these informations: why I can configure DHCP server also in other interfaces and not only in the "management" interface ?
    If I configure 2 DHCP servers on a "user interface" ( without the "override" option in WLAN ) my clients will use these DHCP or the DHCP on the "management" interface ?
    Many thanks in advance
    Luigi

    from the on-line help it seems different ;-/
    =====
    DHCP Server (Override)
    When selected, you can enter the IP address of your DHCP server. This is a required field for some WLAN configurations. There are three valid configurations:
    DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Required: Requires all WLAN clients to obtain an IP address from the DHCP Server.
    DHCP Server Override ON, a valid DHCP Server IP address, and DHCP Address Assignment Not Required: Allows all WLAN clients to obtain an IP address from the DHCP Server or use a static IP address.
    DHCP Server Override OFF: Forces all WLAN clients to use the DHCP setting in the Management Interface, not the static address.
    ===========
    It seems that i can Use external DHCP server, putting the address :
    - in the box that appair when i flag the "override" option
    - or in the management interface
    I think documentation is not so clean
    many thanks
    Luigi

  • HREAP, Local Switched WLAN and DHCP Address required

    Hi All,
    if i have configure an HREAP AP with a local switched Wlan with "dhcp ADDRESS REQIRED", from my understanding a client will be provided with an ip address from the hreap local infrastructure. How will the controler ensure that no static ip client is able to access the network?
    Any Help Welcome.
    Regards, Michael

    I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimumally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safe guards" someone putting a static address on their box ...
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html

  • Guest-Anchor-WLC and NAC integration guide

    I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

    User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In that past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope.  With the newer code versions, you can enable dhcp proxy on a per interface do this doens't have to be global.

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Anchor Guest controller and DHCP configuration

    I checked the cisco documentation about the DHCP configuration but I´m not 100%sure which DHCP server address I must use.
    I  used as example the scope 10.240.97.0/24 for our Guest Users. In this range are the DHCP scope and the Guest interface configured. For the management I used as example the range 10.240.96.0/24.Now I configured our Guest WLC and I insert on the Guest interface as Primary DHCP address the Guest interface address. After I applied I got the message I can´t use this DHCP address. Now I checked the cisco and found following description:
    “If DHCP services are to be implemented locally on the anchor controller, populate the primary DHCP server field with the management IP address of the controller"
    Means it now I must insert as the IP for the Primary DHCP Server on the Guest interface  the IP from the management
    Interface and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and wil sent it back ?
    ( DHCP proxy is on the Guest WLC  enabled ) .
    Thanks
    Al

    For Anchor you can use either internal or external dhcp server.
    Means it now I must insert as the IP for the Primary DHCP Server on the Guest interface  the IP from the management
    Interface and the controller will then forward the traffic to the internal DHCP scope on the Guest subnet and wil sent it back ?
    Yes. WLC forwards the unicast dhcp req to management ip for guest interface. All cpu generated traffic by default uses management interface as source address i.e., snmp, radius, ping...
    Is your question whether you need routing between guest and management interface.
    No, routing is not required in this case bcoz the interface residing on WLC's management. Also for proxy it uses the virtual ip address for dhcp instead of actual dhcp ip. And only wireless client can get ip from WLC's internal dhcp server.
    If you're using dhcp proxy on wlc and having external dhcp server on different vlan then yes you need routing between the two vlans.

  • Guest Anchors and external DHCP servers

    Hi,
    We are using guest anchors (GA) for supporting wireless guest user.
    Until now we used internal DHCP server on the GA but now we want to move to external.
    For example:
    The guest will reside on 192.168.0.x, this is separated by a firewall from the inside network and is not routable on the inside.(this is the guest interface of the GA)
    The DHCP server will be somewhere on the internal network only reachable by GA's management interface.
    Is it possible for DHCP requests to be forwarded to the DHCP server originating from the management interface?
    If this is not how it should happen, than what other options are there for placing the external DHCP servers?
    Let me know if you need more information regarding our solution..
    Thank you,
    Laszlo

    Hello Laszlo,
    Yes, what you want to do can be done but there are few things that you have to consider.
    First is that you are not going to use the WLC as the DHCP server so you should go to the interface configuration and point the DHCP server to the external one.
    Now, what you want to do here is to make the wireless LAN controller a DHCP relay agent (or proxy), this way the wireless LAN controller is the one handling all the DHCP requests and it is going to be the one asking for an IP address in behalf of the client using the management interface. This behavior is enabled by default and I believe you have it already configured because it is necessary for the internal DHCP server of the WLC to work; it is configured on the "Controller" tab > Advanced > DHCP. On new versions of software this option is configurable by interface.
    There is a catch though, if the DHCP server is an ASA or if the request has to go through an ASA or firewall, this might not work because by design some ASAs will drop every DHCP request comming from a relay agent so just consider this when you do these type of deployments.
    If you have any questions let me know.
    Best regards,
    Marco Gonzalez
    Cisco TAC TL

  • Guest WLAN and Web Auth?

    Hi Guys,
    Maybe someone can help me out?
    I just finished setting up a trial "Cisco Virtual Wireless Controller" with nearly the same configuration as our Physical
    "Cisco Wireless Controller" with the exception of having 2 ports.  Anyhow, I managed to get everything working except for the WEB AUTH on the Guest WLAN.  When a client connects, he gets a DHCP address from our ASA but when we try to get to a website, we never reach the WEB AUTH page. 
    What I tried so far is..
    add a DNS Host Name to the virtual interface and assign it to our internal DNS server.dns name was resolving but we were unable to ping 1.1.1.1
    changed the virtual ip from 1.1.1.1 to 2.2.2.2 and modified the DNS entrydns name resoved but still could not ping 2.2.2.2(I think this is normal)
    changed the virtual IP to a private address of 192.168.102.1 and modified the dns entrysame result
    I've attached some screenshots of our configuration.

    Troubleshooting Web Authentication
    After you configure web authentication, if the feature does not work as expected, complete these
    troubleshooting steps:
    Check if the client gets an IP address. If not, users can uncheck
    DHCP Required
    on the WLAN and
    give the wireless client a static IP address. This assumes association with the access point. Refer to
    the
    IP addressing issues
    section of
    Troubleshooting Client Issues in the Cisco Unified Wireless
    Network for troubleshooting DHCP related issues
    1.
    On WLC versions earlier than 3.2.150.10, you must manually enter
    https://1.1.1.1/login.html
    in
    order to navigate to the web authentication window.
    The next step in the process is DNS resolution of the URL in the web browser. When a WLAN client
    connects to a WLAN configured for web authentication, the client obtains an IP address from the
    DHCP server. The user opens a web browser and enters a website address. The client then performs
    the DNS resolution to obtain the IP address of the website. Now, when the client tries to reach the
    website, the WLC intercepts the HTTP Get session of the client and redirects the user to the web
    authentication login page.
    2.
    Therefore, ensure that the client is able to perform DNS resolution for the redirection to work. On
    Windows, choose
    Start > Run
    , enter
    CMD
    in order to open a command window, and do a  nslookup
    www.cisco.com" and see if the IP address comes back.
    On Macs/Linux: open a terminal window and do a  nslookup www.cisco.com" and see if the IP
    address comes back.
    If you believe the client is not getting DNS resolution, you can either:
    Enter either the IP address of the URL (for example, http://www.cisco.com is
    http://198.133.219.25)

    Try to directly reach the controller's webauth page with
    https:///login.html. Typically this is http://1.1.1.1/login.html.

    Does entering this URL bring up the web page? If yes, it is most likely a DNS problem. It might also
    be a certificate problem. The controller, by default, uses a self−signed certificate and most web
    browsers warn against using them.
    3.
    For web authentication using customized web page, ensure that the HTML code for the customized
    web page is appropriate.
    You can download a sample Web Authentication script from Cisco Software Downloads. For
    example, for the 4400 controllers, choose
    Products > Wireless > Wireless LAN Controller >
    Standalone Controllers > Cisco 4400 Series Wireless LAN Controllers > Cisco 4404 Wireless
    LAN Controller > Software on Chassis > Wireless Lan Controller Web Authentication
    Bundle−1.0.1
    and download the
    webauth_bundle.zip
    file.
    These parameters are added to the URL when the user's Internet browser is redirected to the
    customized login page:
    4.
    ap_mac The MAC address of the access point to which the wireless user is associated.

    switch_url The URL of the controller to which the user credentials should be posted.

    redirect The URL to which the user is redirected after authentication is successful.

    statusCode The status code returned from the controller's web authentication server.

    wlan The WLAN SSID to which the wireless user is associated.

    These are the available status codes:
    Status Code 1: "You are already logged in. No further action is required on your part."

    Status Code 2: "You are not configured to authenticate against web portal. No further action
    is required on your part."

    Status Code 3: "The username specified cannot be used at this time. Perhaps the username is
    already logged into the system?"

    Status Code 4: "You have been excluded."

    Status Code 5: "The User Name and Password combination you have entered is invalid.
    Please try again."

    All the files and pictures that need to appear on the Customized web page should be bundled into a
    .tar file before uploading to the WLC. Ensure that one of the files included in the tar bundle is
    login.html. You receive this error message if you do not include the login.html file:
    Refer to the Guidelines for Customized Web Authentication section of Wireless LAN Controller Web
    Authentication Configuration Example for more information on how to create a customized web
    authentication window.
    Note:
    Files that are large and files that have long names will result in an extraction error. It is
    recommended that pictures are in .jpg format.
    5.
    Internet Explorer 6.0 SP1 or later is the browser recommended for the use of web authentication.
    Other browsers may or may not work.
    6.
    Ensure that the
    Scripting
    option is not blocked on the client browser as the customized web page on
    the WLC is basically an HTML script. On IE 6.0, this is disabled by default for security purposes.
    7.
    Note:
    The Pop Up blocker needs to be disabled on the browser if you have configured any Pop Up
    messages for the user.
    Note:
    If you browse to an
    https
    site, redirection does not work. Refer to Cisco bug ID CSCar04580
    (registered customers only) for more information.
    If you have a
    host name
    configured for the
    virtual interface
    of the WLC, make sure that the DNS
    resolution is available for the host name of the virtual interface.
    Note:
    Navigate to the
    Controller > Interfaces
    menu from the WLC GUI in order to assign a
    DNS
    hostname
    to the virtual interface.
    8.
    Sometimes the firewall installed on the client computer blocks the web authentication login page.
    Disable the firewall before you try to access the login page. The firewall can be enabled again once
    the web authentication is completed.
    9.
    Topology/solution firewall can be placed between the client and web−auth server, which depends on
    the network. As for each network design/solution implemented, the end user should make sure these
    ports are allowed on the network firewall.
    Protocol
    Port
    HTTP/HTTPS Traffic
    TCP port 80/443
    CAPWAP Data/Control Traffic
    UDP port 5247/5246
    LWAPP Data/Control Traffic
    (before rel 5.0)
    UDP port 12222/12223
    EOIP packets
    IP protocol 97
    Mobility
    UDP port 16666 (non
    secured) UDP port 16667
    (secured IPSEC tunnel)
    10.
    For web authentication to occur, the client should first associate to the appropriate WLAN on the
    WLC. Navigate to the
    Monitor > Clients
    menu on the WLC GUI in order to see if the client is
    associated to the WLC. Check if the client has a valid IP address.
    11.
    Disable the Proxy Settings on the client browser until web authentication is completed.
    12.
    The default web authentication method is PAP. Ensure that PAP authentication is allowed on the
    RADIUS server for this to work. In order to check the status of client authentication, check the
    debugs and log messages from the RADIUS server. You can use the
    debug aaa all
    command on the
    WLC to view the debugs from the RADIUS server.
    13.
    Update the hardware driver on the computer to the latest code from manufacturer's website.
    14.
    Verify settings in the supplicant (program on laptop).
    15.
    When you use the Windows Zero Config supplicant built into Windows:
    Verify user has latest patches installed.

    Run debugs on supplicant.

    16.
    On the client, turn on the EAPOL (WPA+WPA2) and RASTLS logs from a command window, Start
    > Run > CMD:
    netsh ras set tracing eapol enable
    netsh ras set tracing rastls enable
    In order to disable the logs, run the same command but replace enable with disable. For XP, all logs
    will be located in C:\Windows\tracing.
    17.
    If you still have no login web page, collect and analyze this output from a single client:
    debug client
    debug dhcp message enable
    18.
    debug aaa all enable
    debug dot1x aaa enable
    debug mobility handoff enable
    If the issue is not resolved after you complete these steps, collect these debugs and use the TAC
    Service Request Tool (registered customers only) in order to open a Service Request.
    debug pm ssh−appgw enable
    debug pm ssh−tcp enable
    debug pm rules enable
    debug emweb server enable
    debug pm ssh−engine enable packet

  • Web Auth using 5760 Guest Anchor and ISE

    I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
    When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
    As soon as I remove the security web-auth commamd from the wlan, I connect right up.  It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
    Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

    I hope this may help you
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • DHCP loadsharing with redundant Guest Anchor Controllers

    Hi
    I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centres with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
    This is how I tried to distribute
    network. 10.1.0.0/23
    gateway: 10.1.1.254
    Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
    Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
    As the user loadbalancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometime getting 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP) hence depleting the pool addresses.
    I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP loadbalancing and having full redundancy at the same time?
    Any suggestion will be greatly appreciated.
    Regards

    Thanks Scott, I understand that it's quite obvious to get an external DHCP Server, unfortunately it's not an option for us The weired thing is, it seems when a client joins the guest WiFi, both the Anchor Controllers (both functioning as DHCP servers with mutually exclusive IP Address space) are providing IP addresses. While the client accepts only one the other Controller still reserves the IP address unused and hence depleting the DHCP Pool.
    I thought for load balancing (in the very beginning) the Foreign controller will forward the DHCP request to only one of tthe Anchor Controllers, but in reality it's forwarding it to both. I have tested this with only one test AP, so mobility doesn't seem to be an issue here. Any thoughts?

  • Guest WLAN and a Office WLAN on 1242AG

    Hi All,
    I have managed to add two WLANS, one for the Office Wireless clients(Staff laptops) and another one for Guests. I have bassicaly created two SSIDs, one broadcasting, other one not(Staff one).
    The AP is a 1242AG and is going to connect to a Catalyst 3750 48T, which is connected to Cisco 877. How can I make the DHCP assignments to both Guest WLAN and Staff WLAN and also do I have to create trunk port in the Switch ( I am thinking like this as I got Two VLANs.)
    Does anyone know or got a sample running config ( in a Switch and in a similar AP)...really appriciate it. Time is running out for me!!!
    Reg
    ND

    Hi,
    here is a config example for exactly you are looking for:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665ceb.shtml.
    HTH,
    Tiago

  • 2500 wireless guest anchor, dhcp performance

    Hello,
    I just read that starting from version 7.4, the 2500 controller can be used to terminate guest anchor tunnels.
    This is great news, but i have a question regaring the performance of the internal DHCP server when used in guest environments.
    Can it be used and if so, what is its performance ? (ie requests / second)
    regards,
    Geert

    Take a look at the data sheet and it will give you a general understanding of the max client count which is 500 and the throughput which is 500mbps unless you run 7.4 and have LAG enabled which gives you 1gig.  I would only use this for small installs and if its a pretty medium to large guest network, then stick with the 5508.
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps11630/data_sheet_c78-645111.html
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • Virtual WLAN Controller Guest Anchor

    We are planning a WLAN upgrade and the security policy is to forward wireless Guest user traffic to the DMZ controllers. We are now considering the Virtual WLAN Controller and all AP's will register with the virtual controllers and we will use Flexconnect for Staff and internal traffic that will switch their traffic onto the local switch.
    We wish to forward the guest traffic to the DMZ Guest Anchor controller which will be a 5508 controller. This will also offer Office Extend AP service.
    I have looked at teh virtual controller docs and not very clear if this deployment model is supported. Below is a diagram of what we wish to deploy and can anyone advise if thsi is a supprted deployment model.

    Well you can use the vWLC to anchor to a 5508, but not the other way around. So if you use the DMZ 5508 for OfficeExtend, you will not be able to anchor the traffic back to the inside. Cisco doesn't support reverse anchoring for a Remote-LAN in OfficeExtend and requires you to actually have the OfficeExtend AP's connect to an inside WLC. In v7.0.x you were able to do this reverse anchor, but it was removed on later codes.
    Sent from Cisco Technical Support iPhone App

Maybe you are looking for