Guest Anchor
Hi All,
I have a question: can a guest anchor support multiple VLANs for one SSID over EoIP? With AP groups this is possible, for example one SSID can be the same in different locations (meaning different VLANs/dynamic interfaces), but can this be done with a guest anchor?
To set up a guest EoIP tunnel the interfaces are defined as Management (on the foreign WLC) and a guest-dmz interface (on the anchor WLC). If you are using, say, web authentication and try again to use the same SSID with another interface (guest-dmz2), there seems to be some problem. Has anyone come across this before or know of a solution? I could configure different SSIDs for the different interfaces, but I wonder if it could be possible using the same SSID... there seems to be some limitation.
Any suggestions?
Cheers
Matt
No.
AP groups only work with the APs, and since mobility is passed with the controller IP, there is no way for AP groups to function on the anchor.
Now an interesting feature request might be to do a controller-group override, so that all clients from controller X go to one interface, and controller Y go to another, but I've never heard anyone ask for it.
Bottom line, as far as I know, is that you're going to need two different SSIDs to have clients in different interfaces on the anchor.
Similar Messages
-
Guest Anchor with web auth using ISE guest portal
Hello All,
Before launching into my exact issues, could anyone confirm whether they have completed a wireless guest anchor setup using 2504 controllers on 7.4 as the anchor (a 5508 is the foreign) with web-auth external redirection to ISE 1.1.3 using ISE Guest Services?
I am attempting this for an internal POC and have hit a couple of issues. Firstly, I am looking for correct-configuration confirmation prior to going in depth on a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
Massive thanks to anyone that can assist.
JS.
Thanks for the reply, RikJonAtk.
So to start with, based on the TrustSec documents, for the guest WLAN on the anchor I need to configure MAC filtering in the Layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for web-auth can only be set to RADIUS, so I go to the AAA Servers tab, move Local and LDAP to the Not Used column and hit Apply. If I move to another menu and then check the priority order again under the AAA Servers tab, Local and LDAP have been moved back into the list to be used again. So I initially thought it might be a bug, but I was hoping to find someone here who has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
Thanks in advance,
JS -
Can I use internal DHCP on a WLC Guest Anchor (5508) with a foreign HA 5508?
DHCP proxy is required in order to use a local WLC DHCP pool (on the guest anchor); however, the Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that the foreign and guest anchor settings must match:
In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
and the internal controller must match. Else, DHCP request from clients are dropped and you
see this error message on the internal controller......
However, if you have N+1 you cannot use internal DHCP; does this also grey out the DHCP proxy global setting? If so, will the guest anchor still work with an internal DHCP pool even though the foreign and guest controllers have a mismatch in the DHCP proxy (global) setting?
Many Thanks
Kam
Well, it should still work... DHCP proxy is required on the WLC that has the DHCP scope. With the newer code versions, you can enable DHCP proxy per interface, so this doesn't have to be global.
-
Multicasting with a guest anchor configuration.
Hi All
First time posting. :-)
I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses Bonjour (multicast), would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM-1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document "VLAN Select and Multicast Optimization Features Deployment Guide", specifically the section:
Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
In case of Auto Anchor:
Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to an interface group, will receive an IP address in round-robin fashion inside the interface group.
Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface only, will receive an IP address from that interface only.
Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain their IP address.
Since I only have one guest anchor, I would assume based on this that I fall under the export foreign to export foreign option and that implementing this would be possible.
Could someone advise?
Thank you in advance!!
Thank you for the information, I have the same problem. So I did a search on EoIP tunnel and multicast.
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
Q. I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
Unfortunately it seems that multicast over EoIP does not work. -
Mobility Group Requirements for Guest Anchor WLC
Hello -
I've always assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups. However, I was told recently (without much detail) that this is possible, so I have set out to test this.
I am trying to point one of my local WLCs' guest SSIDs to a guest anchor WLC in a different mobility group. I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down. Each campus is its own mobility group. In trying to set this up I went to the "Mobility Anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's not in the drop-down menu. This is because it's not in the same mobility group. So my question is, how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
To me it doesn't seem possible without significant configuration changes. I don't want to reconfigure/recreate mobility groups.
Thanks
Chuck
Not only is it possible, I would recommend it. However, you may be confusing some concepts.
The mobility group is different from the mobility domain. I generally refer to the mobility group as those WLCs with the same default mobility group name, and the mobility domain as the entire mobility list (where you can define up to 72 controllers from various mobility groups).
The point is that if WLCs 1-10 are GroupA and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign WLC, and vice versa.
If you notice, when you add a mobility entry to the list, it should ask you for the mobility group. If you leave it blank, it should default to that of that WLC, but on GroupA controllers you could define GroupB controllers (and specify GroupB), and then you should have mobility established between your controllers, and the anchor configuration will have your anchors in the drop-down....
Does that make sense? -
Guest anchor across different versions
Hi all,
I'm looking for information on the issues that could arise, or what the impact is, of a guest anchor between WLCs running different versions.
There is a 4400 in the core running 7.0 and a 2504 in a branch running 7.2. I need to extend a web-auth guest SSID to the branch.
7.2 is required because of the 2602 APs.
Looking for information and experiences.
Cheers
Darren
Sent from Cisco Technical Support iPhone App
Here is a compatibility matrix:
http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp102554
Sent from Cisco Technical Support iPhone App -
Using 2504 as Guest Anchor.
So I've got a few 7510 Flex controllers and am looking to set up a mobility anchor for guest networks. I see this functionality has recently been extended to the 2504. However, there is one thing I am curious about: the QoS profile. I have a QoS profile configured on my guest WLAN (a customized Bronze profile). From what I remember, the 2504 does not support the QoS functionality that is supported on the larger WLC models, and I know WLAN settings must match between WLCs and their anchors, so I don't know what happens with my QoS profile, or whether I can even use the 2504 as a mobility anchor for the 7510 because of this QoS issue.
Has anyone tested this, or stumbled on any documents about 2504s being mobility anchors?
CCNP, CCIP, CCDP, CCNA: Security/Wireless
Blog: http://ccie-or-null.net/
Do you know if it's possible to keep the 3850s as MC and MAs and deploy a 5760/5508/WiSM2 as just a guest anchor?
Yes, this is possible, and it is what I have done in my production network (5760 as MC and guest anchor, with 3850s as MA). In your case you can have the 3850 as MC/MA with the 5508 as guest anchor.
Good to see my blog helps you, and thanks for the comment.
HTH
Rasika
**** Pls rate all useful responses **** -
Guest access to the Internet with Guest Anchor Controller
Hi;
We are doing our initial implementation of an enterprise wireless system. I deployed a WLC 5508 connected to our data center core switch using LAG. The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices. Employee wireless access has been rolled out and is working well.
I am designing guest access. As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet. We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
What is the best way to enforce forwarding of guest traffic towards the Internet edge once the guest traffic arrives at the 5508? A guest VLAN between the core switch and the Internet edge isn't feasible, since there is a firewall between the core and the DMZ that is configured in routed mode.
Thanks for the assistance! Glenn Morrison
You'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
HTH,
Steve -
Web Auth using 5760 Guest Anchor and ISE
I am trying to deploy a new guest wireless solution using 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor. ISE is being used as the guest auth server.
When no auth requirements are set on the guest WLAN, everything works fine. I get an IP address and can get to the Internet, VPN, etc. As soon as I enter the security web-auth command on the WLAN, my client drops and goes into an "Acquiring IP Address" state. When I check the client on the controller, it is in a Policy Manager State of START.
As soon as I remove the security web-auth command from the WLAN, I connect right up. It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
Any thoughts on what I am missing on my guest anchor or MA config? Do I need to make any changes to the WLAN on the MC? Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated; I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.
I hope this may help you:
http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
HTH
Rasika
*** Pls rate all useful responses **** -
Guest Anchor N+1: Failover Time
Hi Wireless Experts,
Wondering if anyone has tested how fast a foreign WLC would detect that an Internet guest anchor WLC went down and switch the Internet traffic to the EoIP tunnel to the other guest anchor WLC?
From the end-user experience, I assume the guests should expect a service interruption and a new login screen to reconnect. Is that correct?
Thanks
Cedar
Usually it will switch once the mobility is shown as down. The foreign WLC will then have to send the traffic to the other anchor WLC, and if you're using web auth, or possibly a different subnet, then that is the amount of time it will take. With web auth, the clients will have to authenticate again.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"***** -
Guest Anchor N+1: Multiple guest WLANs and Mobility List
Hi Experts,
We are going to replace two WLC 4402 guest anchor controllers sitting in different DMZs with two WLC 5508s as an N+1 redundant pair in one DMZ.
I assume each guest anchor controller should support multiple guest WLANs. Is that correct?
And between these two new anchor WLCs, do they need to add each other to their mobility lists?
Or maybe I should ask first: does it matter if they are in the same mobility group or not?
Thanks
Cedar
N+1 for guest anchors isn't what N+1 was designed for. N+1 was designed for redundancy for WLCs supporting access points, not mobility anchors. This solution might work, but I really doubt Cisco will support this setup, though I could be wrong.... You can always talk with your local Cisco SE or open a TAC case and ask.
Guest anchors should have a different mobility group name from the foreign WLCs. You do need the foreign to have both guest anchors, and each guest anchor to have just the foreign WLC(s). The redundant guest anchors do not need to have each other in the mobility group list.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered" -
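The replies in this thread and the earlier ones on the page set out what a working guest-anchor pairing needs: reciprocal mobility-list entries between foreign and anchor (with the right MAC, IP and group name, since a blank group silently defaults to the local WLC's), a separate mobility group name on the anchor, a DHCP proxy setting that matches on both sides (otherwise client DHCP is dropped), and the guest WLAN defined the same way on both controllers and anchored to the anchor itself. The Python below is an added example, not code from any post here or from Cisco, that runs those checks over a hand-transcribed inventory. The Controller class, its field names and the three-controller inventory are constructed assumptions standing in for what you would copy out of each WLC's mobility list and WLAN page; they are not a real show-command format.

```python
from dataclasses import dataclass, field, replace


@dataclass
class Controller:
    """One WLC, transcribed by hand (constructed shape, not a real 'show' format)."""
    name: str
    mac: str
    ip: str                 # management IP; mobility peers are keyed on it
    group: str              # default mobility group name of this WLC
    dhcp_proxy: bool        # global DHCP proxy setting
    # mobility list: peer management IP -> (peer MAC, peer mobility group name)
    mobility_list: dict = field(default_factory=dict)
    # WLANs: wlan id -> {"ssid", "security", "anchors"}; "anchors" is the set of
    # mobility-anchor IPs, and a WLC's own IP in that set means "local"
    wlans: dict = field(default_factory=dict)


def check_guest_anchor(foreign, anchors, wlan_id):
    """Return a list of findings for one foreign WLC and its (N+1) anchors.

    An empty list means every check passed. Anchors are not required to list
    each other, matching the advice in the reply above.
    """
    findings = []

    def peer_listed(holder, peer):
        # The entry must exist and carry the peer's real MAC and group name; a
        # wrong group (for example left blank and defaulted) still breaks mobility.
        entry = holder.mobility_list.get(peer.ip)
        if entry is None:
            findings.append(f"{holder.name}: {peer.name} ({peer.ip}) missing from mobility list")
        elif entry != (peer.mac, peer.group):
            findings.append(f"{holder.name}: entry for {peer.ip} is {entry}, "
                            f"expected {(peer.mac, peer.group)}")

    f_wlan = foreign.wlans.get(wlan_id)
    if f_wlan is None:
        findings.append(f"{foreign.name}: WLAN {wlan_id} not configured")

    for anchor in anchors:
        peer_listed(foreign, anchor)        # foreign must know the anchor
        peer_listed(anchor, foreign)        # and the anchor must know the foreign
        if anchor.group == foreign.group:
            findings.append(f"{anchor.name}: shares mobility group '{anchor.group}' "
                            f"with {foreign.name} (a separate group is recommended)")
        if anchor.dhcp_proxy != foreign.dhcp_proxy:
            findings.append(f"{anchor.name}: DHCP proxy {anchor.dhcp_proxy} but "
                            f"{foreign.name} has {foreign.dhcp_proxy}; client DHCP will be dropped")
        a_wlan = anchor.wlans.get(wlan_id)
        if a_wlan is None:
            findings.append(f"{anchor.name}: WLAN {wlan_id} not configured")
            continue
        if f_wlan is not None:
            for key in ("ssid", "security"):
                if a_wlan[key] != f_wlan[key]:
                    findings.append(f"WLAN {wlan_id}: {key} differs ({foreign.name}="
                                    f"{f_wlan[key]!r}, {anchor.name}={a_wlan[key]!r})")
            if anchor.ip not in f_wlan["anchors"]:
                findings.append(f"{foreign.name}: WLAN {wlan_id} is not anchored to {anchor.ip}")
        if a_wlan["anchors"] != {anchor.ip}:
            findings.append(f"{anchor.name}: WLAN {wlan_id} must anchor to itself (local) only")
    return findings


# Constructed inventory: one campus WLC in GroupA, two DMZ anchors in GroupB.
GUEST = {"ssid": "Guest", "security": "web-auth"}
FOREIGN_MAC, A1_MAC, A2_MAC = "00:00:5e:00:53:10", "00:00:5e:00:53:01", "00:00:5e:00:53:02"

ANCHOR_1 = Controller("DMZ-ANCHOR-1", A1_MAC, "192.0.2.11", "GroupB", dhcp_proxy=True,
                      mobility_list={"192.0.2.1": (FOREIGN_MAC, "GroupA")},
                      wlans={3: {**GUEST, "anchors": {"192.0.2.11"}}})
ANCHOR_2 = Controller("DMZ-ANCHOR-2", A2_MAC, "192.0.2.12", "GroupB", dhcp_proxy=True,
                      mobility_list={"192.0.2.1": (FOREIGN_MAC, "GroupA")},
                      wlans={3: {**GUEST, "anchors": {"192.0.2.12"}}})
FOREIGN = Controller("CAMPUS-WLC", FOREIGN_MAC, "192.0.2.1", "GroupA", dhcp_proxy=True,
                     mobility_list={"192.0.2.11": (A1_MAC, "GroupB"),
                                    "192.0.2.12": (A2_MAC, "GroupB")},
                     wlans={3: {**GUEST, "anchors": {"192.0.2.11", "192.0.2.12"}}})


def misconfigured_findings():
    """The same deployment with two common slips on the foreign: the first
    anchor's group left blank when it was added (so it defaulted to GroupA) and
    DHCP proxy switched off. Returns the findings the check raises for it."""
    bad_foreign = replace(FOREIGN, dhcp_proxy=False,
                          mobility_list={"192.0.2.11": (A1_MAC, "GroupA"),
                                         "192.0.2.12": (A2_MAC, "GroupB")})
    return check_guest_anchor(bad_foreign, [ANCHOR_1, ANCHOR_2], 3)


if __name__ == "__main__":
    print("consistent:", check_guest_anchor(FOREIGN, [ANCHOR_1, ANCHOR_2], 3))
    for line in misconfigured_findings():
        print("finding:", line)
```

The mobility-list check is deliberately strict about the group name because that is the failure the reply above describes: the entry looks present in the GUI, but with the wrong group the anchor never appears in the WLAN's anchor drop-down. Running it against the misconfigured foreign yields three findings: the wrong group for the first anchor and the DHCP proxy mismatch against each anchor.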
DHCP loadsharing with redundant Guest Anchor Controllers
Hi
I have 2 redundant guest anchor controllers (5508) located in 2 separate data centres, with all the management and guest user VLANs spanned between the two. Everything is working fine with the guest WiFi access except the DHCP functionality, as the controllers are themselves acting as the internal DHCP servers.
This is how I tried to distribute
network. 10.1.0.0/23
gateway: 10.1.1.254
Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
As the user load balancing between the anchor controllers cannot be controlled (i.e. they are active/active), the same client sometimes gets 2 different IP addresses from both controllers (as they do not talk to each other in terms of DHCP), hence depleting the pool addresses.
I guess one way of solving this is to just run 1 DHCP server on one of the controllers, but that defeats the purpose of having N+1 controllers. Is there a better way of doing DHCP load balancing and having full redundancy at the same time?
Any suggestion will be greatly appreciated.
Regards
Thanks Scott, I understand that it's quite obvious to get an external DHCP server; unfortunately it's not an option for us. The weird thing is, it seems when a client joins the guest WiFi, both anchor controllers (both functioning as DHCP servers with mutually exclusive IP address space) are providing IP addresses. While the client accepts only one, the other controller still reserves the IP address unused and hence depletes the DHCP pool.
I thought for load balancing (in the very beginning) the foreign controller would forward the DHCP request to only one of the anchor controllers, but in reality it's forwarding it to both. I have tested this with only one test AP, so mobility doesn't seem to be an issue here. Any thoughts? -
5508 Guest Anchor 7.4MR2
We are upgrading all foreign 5508 WLCs to 7.4MR2. Our guest anchor is currently on 7.0.235. Any reason not to upgrade the guest anchor to 7.4MR2? Has anyone encountered any issues doing this? We are not having any issues on 7.0, and I just did not want to introduce any.
Mine is with the following. Still trying to figure out why.
*osapiBsnTimer: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile f8:16:54:07:a8:78 on AP 00:e1:6d:b2:a6:90 from Associated to Disassociated
*apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
Anyway, I've tried increasing the session timeout to 8 hours and am still testing it... As my problem is not consistent, I have to monitor and see if it's solved. -
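When chasing an inconsistent expiry like the one above, the useful view of "debug client" output is a per-client timeline: when the station was expired, which AP it was on, what state change followed and how long the controller gave before deleting the entry, so the gap can be compared with the session or idle timeout you configured. The script below is an added example, not code from the post or from Cisco; it assumes only the line shape visible in the three quoted lines (task name, timestamp, client MAC, message) and uses those lines, verbatim, as its sample input.

```python
import re
from datetime import datetime

# Line shape seen in the post: *<task>: <Mon dd HH:MM:SS.mmm>: <client mac> <message>
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$")
STATE_RE = re.compile(
    r"on AP (?P<ap>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) from (?P<old>\w+) to (?P<new>\w+)")
DELETE_RE = re.compile(
    r"Scheduling deletion of Mobile Station: \(callerId: (?P<caller>\d+)\) in (?P<secs>\d+) seconds")

# Sample input: the three debug lines quoted in the post above.
SAMPLE = """\
*osapiBsnTimer: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
*apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile f8:16:54:07:a8:78 on AP 00:e1:6d:b2:a6:90 from Associated to Disassociated
*apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
"""


def parse_events(text):
    """Yield one dict per recognised debug line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        # The controller log carries no year; strptime's default (1900) is fine
        # because only deltas between events are used.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        yield {"task": m["task"], "ts": ts, "mac": m["mac"], "msg": m["msg"]}


def client_timelines(text):
    """Fold events into a per-MAC summary: whether the station was expired, the
    AP it was on, its state transitions, the scheduled deletion delay and the
    wall-clock span covered by its events."""
    clients = {}
    for ev in parse_events(text):
        c = clients.setdefault(ev["mac"], {
            "first": ev["ts"], "last": ev["ts"], "expired": False,
            "ap": None, "transitions": [], "delete_after": None, "caller_id": None})
        c["first"] = min(c["first"], ev["ts"])
        c["last"] = max(c["last"], ev["ts"])
        if "Expiring Mobile" in ev["msg"]:
            c["expired"] = True
        s = STATE_RE.search(ev["msg"])
        if s:
            c["ap"] = s["ap"]
            c["transitions"].append((s["old"], s["new"]))
        d = DELETE_RE.search(ev["msg"])
        if d:
            c["delete_after"] = int(d["secs"])
            c["caller_id"] = int(d["caller"])
    for c in clients.values():
        c["span_seconds"] = (c["last"] - c["first"]).total_seconds()
    return clients


if __name__ == "__main__":
    for mac, c in client_timelines(SAMPLE).items():
        print(mac, "expired" if c["expired"] else "active", "on AP", c["ap"],
              c["transitions"], "deleted after", c["delete_after"], "s")
```

With a full debug capture rather than the three lines alone, the "first" timestamp of each client's association-related events and the "Expiring Mobile!" line give the actual lifetime to compare against the 8-hour session timeout being tested; if clients are expired well before it, look at the idle timeout rather than the session timeout.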
Connect an AP to a Guest Anchor WLC?
We have two WLC 5508s and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as to the other APs connected to the front-end WLCs serving users.
Would this work, or should I create a separate interface on the guest anchor WLC to connect the local AP?
Thanks
Sankung
Not a best practice, but as long as your AP is just for guest traffic it would be fine. If you also want to have it like your other APs and have other SSIDs, then I wouldn't do that, since you would have to poke holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better off just using FlexConnect and AP groups and having the AP terminate on the foreign WLC, but I don't know your setup.
Sent from Cisco Technical Support iPhone App -
Cisco documentation recommends using a dedicated controller for the guest anchor controller function because it needs to be located in the DMZ. However, if I have spare capacity on an existing controller (i.e. one used to manage APs) then perhaps I can also use it as the guest anchor. Instead of being physically connected to the DMZ, I would just extend a guest user VLAN from the guest anchor controller to the DMZ. I would welcome feedback on the validity and security of this alternate solution.
Thanks.
Hi Marvin,
Like anything in networking, there are always different ways to skin a cat. First let's chat about the guest anchor deployment in the DMZ. This particular design is Cisco's most secure way to handle guest access. The wireless guest packet never touches your switch fabric until it hits the DMZ. The packet rides over the guest WiFi, hits the AP, gets encapsulated and doesn't get unencapsulated until it hits the DMZ anchor.
Another way, and less expensive, is to add a dynamic interface on your internal controller and ride that traffic into the DMZ. I have customers that do this very thing as well. It's cheaper and may be less hassle configuration-wise.
In this approach, your guest packet gets unwrapped and placed at the doorstep of the WLC.
I hope this helps.
Does this make sense?