Implementing Two Guest Anchor WLCs

Hello -
I am wondering if anyone has ever setup a guest network solution using two anchor controllers where the internal WLCs each have two anchors configured and use a primary Anchor and when unavailable can dynamically fail over to a secondary Anchor.
I am looking to bring my current guest service onto the DMZ. Right now we are using separate ISPs where we tunnel the guest traffic to an anchor controller and out the separate ISP. We do not use our corporate internet service for guest. In any event. The DMZ design I am working on would include two WLCS sitting on our DMZ. I'd like to have each internal WLC configured to associate to the DMZ WLC that is connected to our active DMZ/Border. Upon failure, I would then like to have the internal WLCs failover to the second DMZ WLC on our standby DMZ/Border. So I would need to configure both anchors on the guest WLAN of each WLC. I'm just wondering if this is possible and if the failover will actually work.
Any input is appreciated. I'd like to implement a redundant guest solution where internal WLCS can dynamically failover to a backup Anchor....
Thanks
Chuck

Hi, I just got done moving our anchors to the DMZ so you are in luck as everything is fresh in my mind. I, like you, have dual anchors in the DMZ I also have over 30 inside (foreign controllers) connected to these anchors.
When you anchor a WLAN to (2) anchor controllers, the controllers automagically load balance guest associations. Example: 2 guest attached to SSID: GUEST. Guest#1 goes to anchor#1 and guest #2 goes to anchor#2. You dont configure anything, this happens automagically, like I mentioned.
As for failover. Yes, if you pull the plug to anchor#1. The EoIP tunnel breaks between the anchor and the foreign controller. Guest that were on anchor#1 will require reauthentication and then join to anchor#2.So if you had say a "accept page", these guest will get that same page again from anchor 2.
Does that answer your question?

Similar Messages

Connect an AP to a Guest Anchor WLC?

We have two WLC 5508 and one foreign guest anchor WLC at the primary data center, also a 5508 box. I would like to connect an AP directly to the guest anchor WLC through its guest VLAN interface, so that the same configuration is applied to it as other APs connected to frontend WLCs connecting users.
Would this work or should I create a separate interface on the guest anchor WLC to connect the local AP?
Thanks
Sankung

Not a best practice but as long as your AP is just for guest traffic it would be fine. If your also want to have it like your other APs and have other SSID's, then I wouldn't do that since you have to pole holes in your firewall to allow traffic inside unless you do a reverse anchor to the foreign WLC. You might be better to just use FlexConnect and AP Groups and have the AP terminate to the foreign WLC, but I don't know your setup.
Sent from Cisco Technical Support iPhone App

Mobility Group Requirements for Guest Anchor WLC

Hello -
I've alway assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups.   However, I was told recently (without much detail) that this is possible. So I have set out to test this.
I am trying to point one of my local WLCs guest SSIDs to a guest anchor WLC in a different mobility group.   I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down.   Each campus is it's own mobility group.   In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's non in the drop-down menu. This is because it's not in the same mobility group.   So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups.
Thanks
Chuck

Not only is it possible, I would recommend it. However, you may be confusing some concepts.
The Mobility Group is different than the Mobility Domain. I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC, but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
Does that make sense?

Guest-Anchor-WLC and NAC integration guide

I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In that past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

Guest Anchor N+1: Multiple guest WLANs and Mobility List

Hi Experts,
We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
And between these two new anchor WLCs, do they need to add each other to Mobility List?
Or maybe I should ask first, does it matter if they are in the same mobility group or not?
Thanks
Cedar

N+1 for guest anchors isn't what N+1 was designed for. N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors. This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
Guest anchors should have a different mobility group name from the foreign WLC's. You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s). The redundant guest anchors do not need to have each other in the mobility group list.
Thanks,
Scott
Help out other by using the rating system and marking answered questions as "Answered"

Guest Anchor N+1: Failover Time

Hi Wireless Experts,
Wondering if any one tested how fast a foreign WLC would detect an internet guest anchor WLC went down and switch the internet traffic to the EoIP tunnel to the other guest anchor WLC?
From the end user experience, I assume the guests would expect service interruption and a new login screen to reconnect. Is it correct?
Thanks
Cedar

Usually it will switch once the mobility is shown as down. The foreign wlc will then have to send the traffic to the other anchor WLC and if your using webauth or possibly a different subnet, then that is the amount of time it will take. WebAuth, the clients will have to authenticate again.
Thanks,
Scott
*****Help out other by using the rating system and marking answered questions as "Answered"*****

Guest Cert problems ISE and Anchor WLC

I'm setting up new Guest Wireless, I have 2 internal foreign 5508 WLC's talking to 2 DMZ anchor WLC's. The guest connects to Guest SSID and the anchor controllers acts as a DHCP server, the Guest interface configured on the WLC is the in the range of the DHCP scope I've setup. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
Guest SSID - is setup for Webauth and Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get cert problem because the cert is not trusted (its an Internal Cert), Guest logins in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
In the browser Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
1.1.1.1 is the Virtual interface of the Anchor WLC.
How can I get the client to stop using the Virtual Interface for cert. Why is the WLC doing this? I gather something to do with DHCP?
My plan is to apply a External Cert on the ISE for Guests, that way they will automatically trust a cert from Geotrust for example. But I'm going to still run into this Cert "not trusted" problem where the Guest is not trusting the WLC anchor Virtual Interface 1.1.1 . Why is the guest using the Virtual interface error 1.1.1.1. I've even added the ISE name of the cert to the Virtual interface, same problem, instead its just says wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on anchor WLC, still doesn't work.
Hopefully I've explained this ok.....any ideas? but if the Guest page keeps getting presented with
https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

I followed Richard's advice and started from scratch, removing LWA and implementing CWA -MAB. It didn't take too long to setup CWA and get authentication working, I appled a Preauth ACL on WLC's and on ISE under Authorization pofile (CWA)
This is when the problems started happening, I was using the default ISE Authorization profile
cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa.which is not what I want, again the certificate is the server cert which is not an external Cert that the guest wants to see. The user can login fine, unlike LWA, with Firefox or IE it would accept the cert and login so at least I had a working Guest wifi solution. Though there was a cert error symbol at the end of the browser url.
The next step I tried was to change the Authorization Profile to
(wireless.company.com which is a C-NAME for ISE box and has this Alias in the cert, this was a test before I apply the external cert)
cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
I applied the change and the new page appeared on the users laptop, great, but this time users were declined access via live Authentications, reason "Cannot login due to session id expiry, please login a again", I created a new user a/c, same problem. Not good. Ok so I thought well if I want clear all these stale session id's that appartenly exist I'll stop/start the application which I did from the command line, still the same error "Cannot login due to session id expiry". hmmm, whats going on here.
I then rebooted the ISE (this must clear all the sessions!), reboot I performed from home and now for some reason I cannot login to the ISE front end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users, the message "Error: cannot reset password this can only be performed on Standalone or Primary node" Well what have I done, just rebooted ISE nothing else apart from changing authorization profile. This box is a Standalone node. Without seeing if the clients connect due t no GUI access, I have referred this issue to TAC!
Also I don't like the fact that your have to install a external cert against the internal node name, epsecially when its external. But again I haven't reached this part yet.

Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
and the internal controller must match. Else, DHCP request from clients are dropped and you
see this error message on the internal controller......
However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
Many Thanks
Kam

Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope. With the newer code versions, you can enable dhcp proxy on a per interface do this doens't have to be global.

GUest WLAN with Anchor WLC - roaming problems

Hello,
my wireless network consists in 3 WLC 4402 which manage 40 APs.
I have a fourth WLC which I installed on my DMZ for guest vlan anchoring and web autentication.
Everiting works fine but I have a problem:
If my client associates with an AP and then I authenticate I'm ready to make traffic. As soon as my client roams to an AP managed by a differnt WLC I need to authenticate again. If I roam back to the first AP i need to reauthenticate.
In my guest WLAN I use WEB authentication provided by the internal web server of the Anchor WLC.
Thnks everybody

Here are the output of show mobility summary.
The last WLC is the anchor.
WLC1
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
WLC2
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
WLC3
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up
WLCAnchor
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Disabled
Symmetric Mobility Tunneling (after reboot) ..... Disabled
Mobility Protocol Port........................... 16666
Mobility Security Mode........................... Disabled
Default Mobility Domain.......................... mob1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x392f
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 4
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Sta
tus
00:23:04:7d:3e:e0 10.25.1.21 mob1 0.0.0.0 Up
00:23:04:7d:62:a0 10.20.1.22 mob1 0.0.0.0 Up
00:23:04:7d:73:20 10.20.1.21 mob1 0.0.0.0 Up
00:23:04:7d:79:80 10.20.2.21 mob1 0.0.0.0 Up

25 APs / Port Anchor WLC versus Guest WLC

Greetings, first timer here.
We're adding public internet access to our existing wireless network. We are using a 4402 WLC for our guest controller, and our secure WLC is a 4404.
Cisco recommends placing a limit of 25 APs per distribution port, and we utilize that practice on our 4404. My question is, once we add the guest controller, which uses the same APs as the Anchor controller, do we have to re-apply the 25 AP/port rule to the guest controller?
The 4404 obviously has 4 distribution ports giving a max of 100 APs, and the 4402 has 2 resulting in only 50 APs. We've got all of our APs covered by the best practice on the 4404, but would exceed that on the 4402.
I thought that because the data is moving between the WLCs via the ether tunnel, I was covered by the 4404.
Thoughts or suggestions?
I can't seem to find anything in the white papers or best practices.
Thanks to all
Larry

I have no factual information to back up what I am about to say and it may be partially incorrect, but this is how I always explained the process of guest anchoring:
So the 25AP suggestion per interface I think is because of the fact that if you had more than 25 APs on one port, you could theoretically be over subscribing the bandwidth than the port could provide (25AP@40mbps = 1000mbps)....
Anyhow, unless you plan on actually sending a gig worth of traffic to your Guest Controller, I don't think there is any real need to split your anchor. I'm pretty sure Guest Controllers are usually for internet access and 1Gb worth of internet bandwidth sure seems like alot to me..
Also, I had always thought of the anchor tunnel similar in nature to an AP LWAPP tunnel. The controller that supports 25 APs is designed to support 25 LWAPP tunnels. The 50AP model, supports 50 LWAPP tunnels. This same logic could be applied to the WLAN Anchor tunnels. Think of each WLAN Anchor Tunnel as an AP connected to a controller.
When a guest is anchored to the Public Controller, it isn't the AP that is tunneled there nor the client, it is the WLAN. So you could have 25 APs with the same guest WLAN, but really it is still just 1 WLAN anchored to the controller. If for some reason you wanted to do more than 25 different WLANs, then I would suggest splitting those WLANS between your interfaces...
I think the bottom line though is that if you aren't worried about over-subscribing your interface on the anchor controller, there shouldn't be any concerns.

Guest VLAN - FlexConnnect Central Switching vs Anchor WLC

I have a general question about securing the guest WLAN in FlexConnect deployment -
Option 1: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and the guest VLAN is trunked from that WLC to the firewall DMZ through a switch
Option 2: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC but tunneled to an anchor WLC in DMZ
Option 3: In the Centralized WLC deployment scenario, the guest VLAN is centrally switched to the datacenter WLC and an ACL is applied to the Guest interface/VLAN in the WLC itself
What would be the best option in the FlexConnect Centralized WLC deployment to restriect guest traffic from accessing corporate network? What are the advantages and disadvantages of those three options?
I would highly appraciate your input on this topic.
Thank you.

Yes, you're right.
Once anchor/tunnel goes down, all the L3 services will be initiated for guest wlan from the Foreign until the Anchor comes up.
On Anchor down situation - Need to configure the foreign WLC's guest wlan mapped to dummy interface, this way guest clients will have no network access.
If multiple Anchors are mapped to the datacenter's foreign on the guest wlan then the guest users will tunnel the traffic to available anchor, by default it'll round robin among anchors.

3850's using WLC 2504 as a guest anchor

Hi,
Does anyone know if it's possible to use a WLC2504 as a guest anchor when we have deployed 3850's for regular corporate WLAN?
The corporate stuff is all up and running OK using 3850's but i've now to come to look at the guest provisioning and i'd like it to terminate on a guest anchor in the DMZ if possible, just wondering if it's possible to do this with that setup?
Thanks,
Ian.

Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
Good to see my blog helps you & thanks for the comment.
HTH
Rasika
**** Pls rate all useful responses ****

Multicasting with a guest anchor configuration.

Hi All
First time posting. :-)
I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
In case of Auto Anchor:
Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface group, will receive an IP address in round robin method inside the interface group.
Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface only, will receive an IP address from that interface only.
Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address.
Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
Could someone advise?
Thank you in advance!!

Thank you for information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
Q I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
unofortunately it seems that multicast over EoIP does not work.

Access point register on anchor wlc in DMZ

Hello,
I have an environment in which two WLC 4400 are connected to an anchor WLC 4400 in DMZ, This WLC in DMZ pass the Guest Wlan to other two WLC and terminate tunnel CAPWAP. The Ap in the remote sites, that are configure to register to WLCs in the remote sites, usually are registered on the two WLCs but sometimes they register to WLC in DMZ, how is possible if between WLC in DMZ and other WLC there is a firewall that block all the traffic except CAPWAP traffic?
If I reboot the APs they register on the two correct WLCs in remote sites.
Thanks

AP also uses CAPWAP. you should only allow capwap connection from internal controllers only on the fw.

Guest Anchor

Hi All,
I have a question if a guest anchor can support multiple VLANs for one SSID over EoIP? With AP groups this is possible, for example one SSID can be the same in different locations (meaning different VLANs/dynamic interfaces) but can this be done with a guest anchor?
To setup a guest EoIP tunnel the interfaces are defined as Management (on foreign WLC) and a guest-dmz interface (on the anchor WLC). If you are using say web-authentication and try agin to use the same ssid with another interface (guest-dmz2) there seems to be some problem. anyone come across this before or know of a solution? i could configure different ssids to the different interfaces but wonder if it could be possible using the same ssid...there seems to be some limitation
Any suggestions?
Cheers
Matt

No.
AP-Groups only work with the APs, and since mobility is passed with the controller IP, there is no way for AP groups to function on the Anchor.
Now an interesting feature request might be to do a controller-group override, so that all clients from controller X go to one interface, and controller Y go to another, but I've never heard anyone ask for it.
Bottom line, as far as i know, is that you're going to need two different SSIDs to have clients in different interfaces on the Anchor

Implementing Two Guest Anchor WLCs

Similar Messages

Maybe you are looking for