Layer 2 security with WLAN auto-anchor mobility

Hello,
I was wondering if Layer 2 security can be used with auto-anchored WLANs.
I need to deploy two new isolated WLANs which will terminate in two DMZ environments.
I was hoping to use the existing WCS-managed infrastructure with 4404 and 4402 WLCs and just throw on a couple more WLANs.
However, I've built a little test environment and while I can get the new VLAN traffic tunneled and originating from the correct anchor controller with no layer 2 security - as soon as I turn on WEP or WPA security options it stops working. I can't find anything in documents or this forum to show auto-anchor mobility with anything other than unsecured guest WLANs.
Am I trying to do something unsupported or is it just an error on my part?

Hi Greg,
no, the users are internal so I only want to use L2 security. I can't see that L3 should be a problem to add on though. I'm using 3.2.x of the WLC code - so there is no "Guest LAN" mode - I was playing with the new versions and it looks like L2 security is disabled in that mode?
If you want to see how I got my bit working I would be happy to share my doco when I'm done.
regards,
Aaron

Similar Messages

  • Auto anchor mobility WLAN interface

    Hello, I'm in doubt if I can associate the mgmt interface to my GUEST WLAN in the anchor controller also. I know that I must do it on the foreign controller. Since my mgmt interface on the ANCHOR CONTROLLER is configured in my DMZ, if I really need to configure the GUEST WLAN with a dynamic interface, I will need to create another VLAN and this makes no sense.

    Hi a.azambuja,
    Yes - you can associate your guest WLAN to your management interface - however I would not recommend this.
    You would be much better off creating a new VLAN that will manage the guest user traffic so that it is segmented away from any management traffic.
    Cheers,

  • WLAN and ESET Mobile Security

    A few weeks ago, I had a problem with WLAN on my phone Nokia E71; I was using the application ESET Mobile Security, and when I deleted this application, the WLAN didn't work. Now, I reinstalled this application and WLAN is working fine. I recommend being careful with this antivirus.

    phonehacker wrote:
    LOL you don't need antivirus. Read this http://3lib.ukonline.co.uk/viruses.htm
    Does this apply to all S60 devices, such as S60 5th edition? (X6, N97, 5800, etc.)
    Glad to help

  • Flexconnect AP with auto anchor at head office

    Hi All,
    I have a headquarters with two WLC5508s anchored to another 5508 on the DMZ. Now we want to roll out wireless guest to the branches with local switching of guest wireless traffic. The guest SSID used at headquarters is anchored to the guest controller and using web authentication.
    Question 1: Can I use the same guest SSID for the branch also in this case?
    Question 2: If I only enable the "HREAP local switching" feature on the guest SSID, will the other HQ SSIDs still be broadcast on the HREAP branch APs?
    I am assuming the guest SSID at the branch will take an IP address from the local IP subnet since it's locally switched, web authentication will happen on the HQ guest controller, and once webauth completes, guest SSID traffic will be locally switched. Is this correct?
    regards
    Joe

    1. Client sends DHCP request and gets IP on locally defined VLAN on the HREAP AP
    During this, the controller gets to know of the client association via the CAPWAP control message from the HREAP AP
    Yes, but the WLC will not get any client data since the traffic isn't going back to the WLC.
    2. Client opens browser and enters website address (google.com) and gets the controller webauth login page
    Is this step happening in the CAPWAP tunnel or outside it? The TCP communication between client and WLC
    This happens all inside the mobility tunnel back to the anchor WLC.
    3. Client enters username and password for webauth
    But the WLC virtual IP is not routed anywhere, so how will the username and password reach the WLC? (through the CAPWAP tunnel?)
    The WLC uses its VIP, the client doesn't care.  If you have a 3rd party certificate, you need to make sure the FQDN is resolvable with the VIP address or you will get a certificate error.
    4. Controller checks the username/password, either locally defined or can it be on a NAC guest server or ISE?
    If the username/password reaches the controller, it should be able to verify the credentials with an external entity like NGS or ISE?
    Well, what is hosting the webauth... the WLC or NGS or ISE.... only one can do this and that is what you have to decide.
    Thanks,
    Scott

  • Hi! I'm from Russia and I want to buy the new unlocked iPhone 4S in the U.S. in November, but I need to know, do I need these docs? "What to Bring with You: Your old mobile phone, if you're replacing it. Social Security number of the account holder. etc"

    Hi! I'm from Russia and I want to buy the new unlocked iPhone 4S in the U.S. in November, but I need to know, do I need these docs?
    What to Bring with You
    Your old mobile phone, if you’re replacing it.
    Social Security number of the account holder.
    Valid government-issued photo ID.
    Carrier account password, if you have one.
    Your Apple ID and password.

    http://www.apple.com/iphone/LTE/
    According to Apple's list (link above) you will probably want to pick up a Sprint or US Cellular model. HOWEVER, as I mentioned above I know that the Verizon iPhones come unlocked from the factory (assuming it will be the same for iPhone 6 and 6+). I DO NOT KNOW if the Sprint and US Cellular models come unlocked. But I am sure some quick internet research will lead you to the answer.
    I think your goal would be to get a Sprint or US Cellular version. Also I believe a law was just recently passed that allows someone to have a phone unlocked by the carrier no questions asked. So even if the Sprint and US Cellular iPhones are locked you can have them unlocked.
    Update:
    http://www.cbsnews.com/news/obama-signs-bill-unlocking-cellphones/

  • WLC Mobility Auto-Anchor Code Matrix

    Hi guys,
    I am involved with a project where I will be upgrading WiSM1s with WiSM2s and moving to the 7.2 code to support the funky new 3600 APs
    The question I have is that there are some other foreign controllers of differing flavours (5508/4402 and maybe others) that are tunnelled back to the WiSM1s and using these as an auto-anchor - so what are the compatibility options I have here for code support please?
    I have been told there is a compatibility matrix but all I can find is the software compatibility matrix, and this does not have anchor-specific code details. Maybe this means it doesn't matter, but I know it had certain limitations in the past and is now opened up to differing code support since 5.2 (I think), but I'm just not sure now whether things may change again given the next generation 7.2 code now being out.
    Thanks
    Rocky

    Hi Scott,
    Thanks for that, I was hoping someone had already set it up!
    I was looking at that matrix earlier but it didn't look right to me as according to the table it is supported back to 4.2? I am positive I read this feature only kicked in at 5.2.
    Thanks again
    Rocky

  • I have a MacBook Air with OS X and am having trouble accessing the ADT Pulse Home Security System cameras.  The mobile (iPhone and iPad) apps allow access no problem, but I can't get a picture on the MacBook.  Have tried Safari and Firefox browsers.

    I have a MacBook Air with OS X and am having trouble accessing the ADT Pulse Home Security System cameras.  The mobile (iPhone and iPad) apps allow access no problem, but I can't get a picture on the MacBook.  Have tried Safari and Firefox browsers.  Anyone have any ideas?  Thanks.

    From a Catherine to Katherine -- Had the exact same problem!!  I had to enable Java twice - both in Safari and then on the MacBookAir itself.

  • Multicasting with a guest anchor configuration.

    Hi All
    First time posting. :-)
    I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
    Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
    In case of Auto Anchor:
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to an interface group, will receive an IP address in round robin method inside the interface group.
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to an interface only, will receive an IP address from that interface only.
    Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain their IP address.
    Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
    Could someone advise?
    Thank you in advance!!

    Thank you for the information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
    Q. I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
    A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
    Unfortunately it seems that multicast over EoIP does not work.

  • Anchor mobility between WLC 5508 and Aruba/Clearpass

    Hello. I have a question regarding the ability to configure anchor mobility between a 5508 WLC and an Aruba controller. To date, my understanding is it has never been possible and I have never found any documentation that says it can be done.
    Scenario: My organization and a partner organization co-own a hospital. We coexist on a large campus, with each org having a number of buildings that the owning org maintains the network presence in. We also maintain back-to-back firewalls between us and do not hand off any direct layer 2 interfaces to each other. However, the two orgs do partner to provide each other's business SSIDs in each other's WiFi networks using anchor mobility. Our current solution utilizes an A/M tunnel between my org's 5508 controllers and the partner org's 2504 controller and we explicitly permit the tunnel traffic between partner controllers for A/M to work. Last year, the partner org retired some old WiSMs and changed their wireless solution to Aruba and recently implemented Clearpass. In order to maintain A/M with us they left a 4404 operational, but due to the newer code we were running they were forced to purchase a 2504. So now they are only maintaining a limited footprint in their network with a few Cisco APs and the rest of their coverage areas use Aruba APs, and they have indicated that they want to completely retire their Cisco WLCs. Because we host some of their SSIDs on our controllers and can tunnel them to their 2504, they get all of their WiFi traffic coming from our network; however my org can only connect to our SSIDs on their campus in certain areas.
    The solution I have been asked to provide is to find a way to continue providing some sort of anchor mobility services between our WLCs and their Aruba controllers. My org maintains that we do not want to simply hand them a layer 2 interface for security reasons, but they want our SSIDs to be available in all areas of the partner org's campus and vice versa. So far I have stalled the partner org's plans to retire their WLCs by telling them that retiring their WLCs will completely break WiFi between orgs, but they are adamant that some sort of A/M solution must be found.
    Is there any way to do some sort of A/M between a WLC and Aruba controller and if so, is there any documentation showing configuration examples etc?
    Thanks,
    John

    Hi John,
    I do not think it will work. Even if it gets working somehow, it will be an operational nightmare to troubleshoot & fix an issue since both vendors will say it is NOT a supported solution.
    What about if you ask them to advertise your SSID (assuming it is dot1x) on their APs as another SSID on their network, but pointing it to your RADIUS & DHCP for IP connectivity (you do not have a layer 2 requirement for this & can do this as long as you have L3 communication between each other)
    HTH
    Rasika

  • Is local EAP + Web Authentication possible in Auto Anchor Configuration

    Hi,
    I have a wireless network setup in an auto-anchor configuration with the foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenario I would like to achieve. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller which is owned and managed by another company.
    Currently Web Authentication is working correctly for the Wireless Network. As another layer of security, I want to know if it's possible for the wireless clients to trust a certificate installed on the foreign controller?  If so, are you able to point me in the direction of a user guide to implement it?
    I found the following document which describes local EAP configuration. Would this work with Web Authentication?
    Thanks

    So, kinda but no.  EAP is a layer 2 authentication that uses encryption as well.
    WebAuth is a layer 3 authentication only.
    Now the kinda....you can create guest/network users on the WLC local database, and if someone logs in to the webauth portal with those credentials they will be able to get on.
    I'm not really sure what you are looking to do based on your post.
    Personally, if I had users that were going to roam to this controller, I'd work with that company's IT and get it linked to my AAA server and keep the EAP-TLS that I had working already going. Just because that WLC would be able to communicate to your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
    HTH,
    Steve

  • WPA2 security with EAP-TLS user cert auth

    I am investigating the use of EAP-TLS for authenticating clients through a MS NPS RADIUS server for a WLC WLAN using WPA-WPA2 for security with 802.1x for auth-key management. We're trying to decide whether to use PEAP and AD account authentication or require client certificates issued by AD certificate services. PEAP is working fine if we choose that auth method in our NPS RADIUS network policy, but if we switch this to "smart card or other certificate" for client cert auth it does not work. The wireless profile on the Windows client is set up for WPA2/AES with "Microsoft: smart card or other certificate" for network auth.  The 802.1x settings specify "User Authentication" and a user cert for the logged in user from ADCS is installed on the machine. The failure to connect reports "The certificate required to connect to this network can't be found on your computer". When I switch to Computer Authentication the error changes to "Network authentication failed due to a problem with the user account," though a valid machine cert also exists on the computer.
    When I attempt to use cert auth I see no auth requests logged on the RADIUS server. I ran MS netmon on both the client and NPS server and I also see no requests coming in from the WLC to NPS. When using PEAP I do see EAP requests and responses between NPS and the WLC and RADIUS requests logged.  On the client end I do see an EAP request to the WAP when attempting cert auth, but no messages between the WLC and NPS.
    It's also interesting that when I change the WLAN to use 802.1x and WEP encryption for layer 2 auth the cert auth worked first time, though I haven't been able to get that working since. Windows now complains I am missing a cert for that. In any case, what I really want is WPA2/AES with 802.1x cert auth and would like to get this working.
    Is anyone using EAP-TLS with MS NPS radius and a WLC successfully? Any ideas on how to troubleshoot this or why I'm not seeing any traffic between WLC and NPS radius when attempting cert auth?

    Well Well
    The WLC or any AAA client acts in pass-through mode after initially generating the EAP-identity request, so it has nothing to do with the EAP type. The AAA client will behave the same no matter if you use PEAP, EAP-TLS or LEAP .....
    The error message that you have reported is clearly saying that your client doesn't have a certificate to submit against the back-end authentication server and accordingly the process fails. If you are not seeing anything sent from WLC to NPS, it makes sense, because when the WLC initially generates the EAP-identity request your client fails to answer and accordingly nothing is being sent to the NPS server.
    In order to verify that we need ' debug client < mac address of the client > ' from the WLC while trying to connect to make sure that is the case.
    Also make sure that your client has a certificate that is bound to a user account defined on your AD in one way or another to have it working.

  • Anchor mobility configuration getting lost in wlc 5508 ios code 7.4.100.0

    It is observed that in WLC 5508, IOS 7.4.100.0, the mobility anchor configuration on the WLAN is getting lost. We configure the anchor IP address on guest WLAN > Mobility Anchor > Switch IP Address (Anchor).
    We have configured the template on NCS 2.0 to push the anchor mobility IP address on all WLCs.
    Has anyone observed this behaviour? We have more than 100 WLCs, and every week the mobility anchor configuration is lost on some WLC having code 7.4.100.0.

    I am having this exact same problem.  I am running 7.3 on 5508 WLC.   My remote site LAPs are using Flex (HREAP).  The initial access point that my laptop associates to connects with no problem; as soon as I wander out of range of the initial LAP and into the area of another access point, I lose data connectivity.   This was validated like the original post: I start a constant ping on the LAN and watch as the ping latency increases and then ping replies stop.  The only way to correct the problem is resetting the wireless adapter on the laptop.  Side note: my DroidX has no problem wandering from AP to AP.
    Laptop: Windows 7 32bit
    I then returned to my home site and tested where I have a secondary controller and the LAPs are configured for local mode; no problems roaming from access point to access point.   Validated with a constant ping test.  The pings drop for a second and resume as the laptop reconnects.
    **Edit: I am going to try removing the DHCP Addr. Assignment required option, and report that back to the TAC engineer.
    **Edit Solved:**
    The problem is indeed solved by turning off "DHCP Address Required", but why?

  • Guest tunnel/auto-anchor from 2100 to 4400 WLC

    We’d like to extend our current Guest LAN from a 4400 WLC in our data center to a 2100 WLC located at a remote facility. However, we cannot get the foreign controller to pass traffic to the anchor controller – or so it seems. The catch is that we’re not actually trying to extend the SSID itself to provide wireless access, but instead flub it so that we can provide local wired access tunneled to the Guest LAN on the anchor WLC. I’m not entirely sure if this is possible, because I’ve read that before the EoIP tunnel will come up a guest client must associate to the foreign WLC.
    We’ve followed the instructions we could find that go over setting up this type of scenario, but unfortunately they only cover setting up back-to-back 4400 controllers and as such, some functions described (notably being able to create a Guest LAN) are not possible on the 2100. We haven’t been able to find a clear and concise guide on the scenario we want to set up.
    Here’s some detail:
    Mobility group is up/up between both WLCs. Both WLCs are running 6.0.x code.
    Anchor WLC – 3750G-24WS-S25 (a 4400 WLC w/ integrated 3750G-24)
    Guest LAN WLAN “wired-guest” created; Ingress is “none” and Egress is our existing “dirtnet” – i.e. outside access. The “dirtnet” interface is *not* a Guest LAN interface. Mobility anchor is set as local.
    Remote WLC – WLC2106
    WLAN “wired-guest” created; Interface is “wired” w/ an IP address on the same subnet as the anchor “dirtnet” and associated with port 2. Mobility anchor is set to the anchor WLC and is up/up. I have a laptop connected to port 2 with a statically assigned IP address on the same subnet as “dirtnet.” I am able to ping the local port 2 address, but I can’t ping across the tunnel to the anchor WLC. I also cannot ping the anchor WLC "dirtnet" interface from the foreign WLC’s Ping tool.
    Are we missing something?

    Sean,
    Wired guest access is not supported on WLC2106.
    Reference:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml#configs
    Please consider using a WISM, WLC4400, 3750 integrated WLC or a WLC5500

  • WLC2x06 auto-anchor to 4400 appears to fail

    Hi, has anyone seen this problem, or is this a bug:
    Auto-anchor is configured for guest mobility and has been working fine on a number of 4400 controllers in a mobility group. Guests get auto-anchored to a 4400 with access to the guest DMZ.
    We have now introduced both 2006 and 2106 controllers into the mobility group; however clients are not getting DHCP when coming through these controllers.
    Debugs show an apparent disinterest on the part of the 4400 to respond to mobility anchor requests from the 2x06, and mobility statistics report an increase in 'ignored' requests.
    Mobility debug on 4400 for unsuccessful request from 2106:
    Wed May 23 15:31:34 2007: Mobility packet received from:
    Wed May 23 15:31:34 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
    Wed May 23 15:31:34 2007: type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 200 seq: 200 len 120
    Wed May 23 15:31:34 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:34 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:34 2007: VLAN IP: 192.168.156.2, netmask: 255.255.255.0
    Wed May 23 15:31:35 2007: Mobility packet received from:
    Wed May 23 15:31:35 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
    Wed May 23 15:31:35 2007: type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 200 seq: 200 len 120
    Wed May 23 15:31:35 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:35 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:35 2007: VLAN IP: 192.168.156.2, netmask: 255.255.255.0
    Wed May 23 15:31:36 2007: Mobility packet received from:
    Wed May 23 15:31:36 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
    Wed May 23 15:31:36 2007: type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 201 seq: 201 len 244
    Wed May 23 15:31:36 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:36 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:36 2007: VLAN IP: 192.168.156.2, netmask: 255.255.255.0
    Wed May 23 15:31:36 2007: Received Anchor Export request: 00:19:d2:d5:eb:39
    from Switch IP: 192.168.156.2
    Mobility debug on 4400 with successful request/response from another controller:
    Wed May 23 15:31:41 2007: Mobility packet received from:
    Wed May 23 15:31:41 2007: 192.168.160.13, port 16666, Switch IP: 192.168.160.13
    Wed May 23 15:31:41 2007: type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 243028 seq: 29509 len 244
    Wed May 23 15:31:41 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:41 2007: mobile MAC: 00:12:f0:82:57:00, IP: 0.0.0.0, instance: 0
    Wed May 23 15:31:41 2007: VLAN IP: 192.168.160.13, netmask: 255.255.255.0
    Wed May 23 15:31:41 2007: Received Anchor Export request: 00:12:f0:82:57:00
    from Switch IP: 192.168.160.13
    Wed May 23 15:31:41 2007: Received Anchor Export policy update, valid mask 0x0:
    Qos Level: 3, DSCP: 0, dot1p: 0 Interface Name: , ACL Name:
    Wed May 23 15:31:41 2007: Mobility packet sent to:
    Wed May 23 15:31:41 2007: 192.168.160.13, port 16666, Switch IP: 192.168.160.12
    Wed May 23 15:31:41 2007: type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 243028 seq: 40918 len 272
    Wed May 23 15:31:41 2007: group id: dedbb34b 687b56c2 633f1d4d 73ed6709
    Wed May 23 15:31:41 2007: mobile MAC: 00:12:f0:82:57:00, IP: 192.168.191.16, instance: 1
    Wed May 23 15:31:41 2007: VLAN IP: 192.168.191.2, netmask: 255.255.255.192
    Wed May 23 15:31:41 2007: 00:12:f0:82:57:00 192.168.191.16 WEBAUTH_REQD (8) Plumbing duplex mobility tunnel to 192.168.160.13
    as Export Anchor (VLAN 191)
    all help appreciated!
    Graeme
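    The debug traces above are the kind of output a practitioner has to correlate by hand: which MobileAnchorExport requests the anchor received, and which of them it actually answered with a MobileAnchorExportAck. The Python below is an added example, not from the post or from Cisco, that parses 'debug mobility' lines in the format quoted above and lists the export requests that never got an acknowledgement. It assumes an ack carries the same client MAC and xid as the request it answers (as the successful trace shows) and uses a constructed sample modelled on the two traces.

```python
"""Pair MobileAnchorExport requests with MobileAnchorExportAck replies in WLC
'debug mobility' output, to find foreign controllers the anchor is ignoring."""
import re

# Constructed sample, modelled on the 4400 debug output quoted in the post:
# one export from the 2106 (192.168.156.2) that is never acknowledged, and one
# from 192.168.160.13 that receives a MobileAnchorExportAck with the same xid.
SAMPLE_DEBUG = """\
Wed May 23 15:31:34 2007: Mobility packet received from:
Wed May 23 15:31:34 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
Wed May 23 15:31:34 2007: type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 200 seq: 200 len 120
Wed May 23 15:31:34 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
Wed May 23 15:31:36 2007: Mobility packet received from:
Wed May 23 15:31:36 2007: 192.168.156.2, port 16666, Switch IP: 192.168.156.2
Wed May 23 15:31:36 2007: type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 201 seq: 201 len 244
Wed May 23 15:31:36 2007: mobile MAC: 00:19:d2:d5:eb:39, IP: 0.0.0.0, instance: 0
Wed May 23 15:31:36 2007: Received Anchor Export request: 00:19:d2:d5:eb:39
from Switch IP: 192.168.156.2
Wed May 23 15:31:41 2007: Mobility packet received from:
Wed May 23 15:31:41 2007: 192.168.160.13, port 16666, Switch IP: 192.168.160.13
Wed May 23 15:31:41 2007: type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 243028 seq: 29509 len 244
Wed May 23 15:31:41 2007: mobile MAC: 00:12:f0:82:57:00, IP: 0.0.0.0, instance: 0
Wed May 23 15:31:41 2007: Mobility packet sent to:
Wed May 23 15:31:41 2007: 192.168.160.13, port 16666, Switch IP: 192.168.160.12
Wed May 23 15:31:41 2007: type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 243028 seq: 40918 len 272
Wed May 23 15:31:41 2007: mobile MAC: 00:12:f0:82:57:00, IP: 192.168.191.16, instance: 1
"""

TS_RE = re.compile(r"^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}: ")
PEER_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+), port (\d+), Switch IP: (\S+)")
TYPE_RE = re.compile(r"^type: (\d+)\((\w+)\) .*?xid: (\d+) seq: (\d+)")
MAC_RE = re.compile(r"^mobile MAC: ([0-9a-f:]{17}), IP: ([\d.]+), instance: (\d+)")


def parse_mobility_debug(text):
    """Split debug output into one dict per mobility packet.

    A packet begins at a 'Mobility packet received from:' / 'sent to:' line;
    the lines that follow supply the peer, the type/xid and the client MAC.
    Lines that are not part of the packet header (group id, VLAN IP, the
    free-text 'Received Anchor Export request' notes) are skipped."""
    packets, current = [], None
    for raw in text.splitlines():
        line = TS_RE.sub("", raw.strip())
        if line.startswith("Mobility packet received from:"):
            current = {"direction": "rx"}
            packets.append(current)
            continue
        if line.startswith("Mobility packet sent to:"):
            current = {"direction": "tx"}
            packets.append(current)
            continue
        if current is None:
            continue
        if m := PEER_RE.match(line):
            current["peer"], current["switch_ip"] = m.group(1), m.group(3)
        elif m := TYPE_RE.match(line):
            current["type"], current["xid"] = m.group(2), int(m.group(3))
        elif m := MAC_RE.match(line):
            current["mac"], current["client_ip"] = m.group(1), m.group(2)
    return packets


def find_unanswered_anchor_exports(packets):
    """Return one record per (client MAC, xid) MobileAnchorExport that the
    anchor received but never answered with a MobileAnchorExportAck.
    'attempts' counts how often the foreign re-sent the same export."""
    acked = {(p["mac"], p["xid"]) for p in packets
             if p["direction"] == "tx" and p.get("type") == "MobileAnchorExportAck"
             and "mac" in p}
    report = {}
    for p in packets:
        if p["direction"] != "rx" or p.get("type") != "MobileAnchorExport":
            continue
        if "mac" not in p:          # truncated header, nothing to correlate
            continue
        key = (p["mac"], p["xid"])
        if key in acked:
            continue
        rec = report.setdefault(key, {"mac": p["mac"], "xid": p["xid"],
                                      "foreign": p.get("switch_ip"), "attempts": 0})
        rec["attempts"] += 1
    return list(report.values())


if __name__ == "__main__":
    for rec in find_unanswered_anchor_exports(parse_mobility_debug(SAMPLE_DEBUG)):
        print(f"no ack for client {rec['mac']} from foreign {rec['foreign']} "
              f"(xid {rec['xid']}, {rec['attempts']} attempt(s))")
```

    Run it against a captured 'debug mobility' session from the anchor; a foreign that shows up only in this list (and whose requests count as 'ignored' in the mobility statistics) is the one to check against the platform's supported-feature list.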

    Hello
    I don't think the 20x6 controllers support that.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn40216.html#wp44028
    These software features are not supported on 2000 and 2100 series controllers:
    - Termination of guest controller tunnels (origination of guest controller tunnels is supported)

  • !! Warning !! Guest anchor mobility fails in 5.0.48, Single Foreign

    Finally some 5.0 chat showing up so I'll add this nugget. All controllers migrated from 4.2 to 5.0.48. All site (foreign) controllers = MOBGRP-CORP, anchor controller in central DMZ = MOBGRP-DMZ.
    Found that my first site where I implemented Guest via anchor mobility worked ok. Tried to bring up 2 new sites with their own foreign controller against the same (working) anchor. NO GO. All debugs & shows indicate mobgroup, mobgroup anchor, etc. all good. Debugs reveal mobility anchoring messages never being initiated by foreign to anchor.
    Reviewed with TAC for 3 hours last night. Finally found a bugID that related against 5.0.48.
    Bottom line is that our site that was working had 2 foreign controllers. Site that wouldn't come up only had 1 foreign. Weird bug that if site has only 1 mobility member (beside anchor definition) then mob anchor plumbing messages won't exchange from foreign to anchor. Instead, debugs show foreign as anchor. Workaround = move anchor controller into same mobility group as the internal (foreign) controllers. All good now.
    Hope this helps someone avoid 3 hrs w/ TAC. (And I felt I had a GOOD tac guy).
    Now if I could just figure out how to have multiple profile/wlan definitions on anchor controller but have the same ssid on them all so that our guest ssid @ sites can be uniform. Currently won't let me define multiple wlans on anchor with same ssid, even if profile name is unique. Guess despite it not running APs it's still checking wlans for uniqueness. Not very 'enterprise' as we want to have each site a) Have standard guest ssid and b) Have their own IP address space for firewall log purposes, etc. A & B seemingly mutually exclusive in current situation, assuming central anchor controllers of course.

    Well I guess now I need to follow up on my own post. After moving the DMZ anchor controller into the "internal" mobility group, we ran into some weird issues.
    1) New APs at the site we were bringing on were somehow getting joined up to another site's controller. The only thing in common between sites was the mobgrp name and the fact that they both anchored guest to the same central anchor controller.
    2) At the new site, guest seemed to work OK now but we were experiencing problems with hosts on one of the controllers internal wlans. They were not getting IPs. Debugs revealed that foreign (site) controller was bringing up guest tunnel to itself for this local, non-anchored wlan.
    Opened another tac case. This tac engineer advises that while bug CSCsm71840 exists, the other engineer should not have told us the workaround was to put dmz anchor controller into internal mobility group. Rather, he advised, we should go into any controller (on dmz anchor end or internal foreign end) where there was only 1 controller in the mobility group and add a 'dummy' entry into the mobility group.
    We changed the DMZ anchor back to its own mobility group and then made the dummy entries, and the mobility anchor worked correctly & so far it appears that the previously problematic internal WLAN also works correctly.
    This whole thing should make for some 'interesting' conversation with the BU shortly.
