Mesh Design Question -- Guest Access

Similar Messages

• Mesh design question

  Dear Sirs.
  My customer plans to extend existing wireless coverage and upgrade to controller based network.
  Let me shortly describe the situation based on the attached network map.
  RAP points are installed on the buildings, they have wired uplink.
  MAP points are installed outdoors (in the IP66 sealed ABB boxes) on the poles (height 5 m), only power is present on the poles, no wired uplink.
  Now MAPs (Non root bridges) are connected to RAPs (Root bridges) via 5 GHz interface in bridge mode.
  Red points: already installed Autonomous APs, 1242AG model.
  Green points: APs planned for installation.
  1. In order to upgrage to controller base network I want to install two 2504-25 controllers in failover mode. I have AP-to-LWAPP-Upgrade-Tool and is familiar with the image upgrade procedure. However, I have a question: if I upgrade all existing RAPs and MAPs to LWAPP mode, how the MAPs without wired uplinks will connect to RAPs and then to controller? Should I have physical access to their console port to issue some CLI commands to connect to RAPs?
  2. Can 2504 controller be configured for operation in mesh network mode without additional licenses?
  3. For network expansion I plan to install 3502E access points in sealed boxes. I chose them due to separate 2.4 and 5 GHz antenna ports, in order to use omni antennas for 2.4 client coverage and 5 GHz directional antennas for wireless uplinks. The distance between APs is abou 100 - 250 meters. Is it recomended to use directional antennas for wireless uplinks or I can take 1602E (or 2602E) access points and dual band omni antennas and install a good working mesh network with 5 GHz uplinks on omni antennas?
  4. Can 2504 controller work together with 1242AG, 1602E and 3502E points?
  5. How should MAPs be preconfigured to begin working in mesh network after powering them up on the poles on site?
  Kind reagrds
  Alexei

  1. In order to upgrage to controller base network I want to install two 2504-25 controllers in failover mode. I have AP-to-LWAPP-Upgrade-Tool and is familiar with the image upgrade procedure. However, I have a question: if I upgrade all existing RAPs and MAPs to LWAPP mode, how the MAPs without wired uplinks will connect to RAPs and then to controller? Should I have physical access to their console port to issue some CLI commands to connect to RAPs?
  > The MESH AP's along with your other access points (lightweight) will obtain their code from the WLC when they join. I would always stage the MESH AP's prior to mounting them to certify they work and they can form a link. You would need to purchase a power injectors for each RAP and get a AC power adapter for each MAP.
  The Upgrade tool is to only convert autonomous AP's to lightweight. They stopped supporting 802.11n access points in that tool.
  2. Can 2504 controller be configured for operation in mesh network mode without additional licenses?
  > With the newer code version you will be using, yes. You can have both MESH and traditional Local mode or FlexConnect mode access points.
  3. For network expansion I plan to install 3502E access points in sealed boxes. I chose them due to separate 2.4 and 5 GHz antenna ports, in order to use omni antennas for 2.4 client coverage and 5 GHz directional antennas for wireless uplinks. The distance between APs is abou 100 - 250 meters. Is it recomended to use directional antennas for wireless uplinks or I can take 1602E (or 2602E) access points and dual band omni antennas and install a good working mesh network with 5 GHz uplinks on omni antennas?
  > If these are going to be exposed to the outdoor elements, then you need an outdoor antenna. It's hard to say what antenna you need, but if your using a 3502e, make sure you get an antenna that is a 3 lead so you can utilize all 3 antenna ports. Patches are directional, so if you are going MAP to MAP to MAP to RAP for example, you would need an omni. Patch works if your going Fromm MAP to RAP.
  4. Can 2504 controller work together with 1242AG, 1602E and 3502E points?
  > Yes they can. The code you run in the WLC, you need to make sure it's supported by the access points. Here is a compatibility matrix
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
  5. How should MAPs be preconfigured to begin working in mesh network after powering them up on the poles on site?
  > Stage them first. Please reference these guides.
  http://www.cisco.com/en/US/docs/wireless/technology/mesh/7.4/design/guide/mesh74_chapter_010.html
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_white_paper09186a0080b1c101.shtml
  Sent from Cisco Technical Support iPhone App

• Outdoor Wireless Mesh Design Question

  Hi,
  We have a wireless mesh network which currently is having some connectivity issues.
  One of the main issues we are seeing is with RRM configured the Mesh Access points seem to all select Channel 11 on the 2.4ghz frequency.
  I would ike to modify manually, although wondering if best practice is to use RRM or select manually.
  Thanks
  Brad                  

  Hello Bradley,
  We'll, if you have WCS then a mismatch would happen with the cnofig template on WCS (if you have one).
  There could possibly be an AP template on the WCS to set the radio for the APs automatically.
  This is from Configure -> AP Configuration Templates -> Lightwieght AP.
  From this location you can configure a template with the AP settings and push it to the APs you want. You can also schedule the time at which the template will be applied. A recurrence also can be configured.
  So make sure that:
  - No mismatch between WCS and WLCS (you can go to Configure -> Controllers and try to audit differences between WLC and WCS).
  - Save your configuraiton on WLC if you apply it from WLC.
  - Make sure that there are no AP templates on WCS with recurrence configured.
  To avoide any mismatch in the future, I suggest you do all your configuration from WCS. This way you'll save time (if you have more than one WLC) and you'll also make sure configuration is consistent among all controllers.
  HTH
  Amjad

• Ask the Experts: Wired Guest Access

  Sharath K.P.
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum. India. He holds CCNP certifications in R&S and Wireless.
  Remember to use the rating system to let Sharath know if you have received an adequate response. 
  Sharath might not be able to answer each question due to the volume expected during this event.
  Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts
  through January 27, 2012. Visit this forum often to view responses to your questions and the questions
  of other community members.

  Hi Daniel ,
  Wonderful observation and great question .
  Yes, we dont find any recommendation or inputs in Cisco Docs on scenarios  where  we  have multiple foriegn WLC's present .When we go through the Cisco Doc available for Wired Guest Access
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
  Two separate solutions are available to the customers:
  A single WLAN controller (VLAN Translation mode) - the access switch  trunks the wired guest traffic in the guest VLAN to the WLAN controller  that provides the wired guest access solution. This controller carries  out the VLAN translation from the ingress wired guest VLAN to the egress  VLAN.
  Two WLAN controllers (Auto Anchor mode) - the access switch trunks  the wired guest traffic to a local WLAN controller (the controller  nearest to the access switch). This local WLAN controller anchors the  client onto a DMZ Anchor WLAN controller that is configured for wired  and wireless guest access. After a successful handoff of the client to  the DMZ anchor controller, the DHCP IP address assignment,  authentication of the client, etc. are handled in the DMZ WLC. After it  completes the authentication, the client is allowed to send/receive  traffic.
  So  as per Cisco best pratices using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable
  I do understand the confusion regarding such scenario's as this( Multiple foriegn WLC's) is a very general setup which customer would like to deploy .
  We have already opened a bug for the same (Little late though )
  BUG ID :CSCtw44999
  The WLC Config Guide should clarify our support for redundancy options for wired guest
  Symptom:
  Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
  generate unpredictable results.
  Some of the other tthat changes we will be making as a part of doc correction would be
  http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
  1. The WiSM2 needs to be added as a supported controller.  (Not sure about the 7500, check with PM)
  2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read:
  "Do not trunk a wired guest VLAN to multiple foreign controllers.  This is not supported, and will
  generate unpredictable results."
  3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
  Now  if you already have such deployments , ther criteria would be that nearest WLC on the broadcast domain (Layer 2) would  respond to the client associtation request .
  Cisco Controller) >Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
  Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile
  00:0d:60:5e:ca:62 on AP 00:00:00: 00:00:00 from Idle to Associated .
  I hope the above explanation could clarify your doubts to certain extent and also keep you
  informed on Cisco's  roadmap on this feature .
  Regards ,
  Sharath K.P.

• SharePoint Designer 2013 cannot access workflows in Office 365 Site

  I have an Office 365 SharePoint site with a number of workflows that I have created on my machine with SPD 2013. After a number of weeks I was unable to access the workflows from my machine through SPD (while still being able to access pages, site assets
  etc.), getting the following error: (Am restricted from submitting images)
  "Server-side activities have been updated. You need to restart SharePoint Designer to use the updated version of activities"
  Restarting SPD doesn't help, after clicking OK I get the "SharePoint Designer cannot display the item" screen, prompting me to refresh. 
  When I do refresh, I get the following:
  "Windows Workflow Foundation, part of .Net Framework 3.0, must be installed to use this feature"
  This is happening on my machine, Windows 7 64 Bit, SPD 2013 64 Bit, but on a colleague's machine, Win 7 64 Bit, SPD 2013 64 Bit I can access the workflows. 
  I get the same error if I try to create a new Workflow on my machine but I can create it on my colleague's machine.
  I downloaded SPD 2013 on a 32 bit laptop I have access to, in which I can create a workflow. One existing workflow can be accessed, updated etc. with no issue, one opens to a prompt to "Insert a stage" and one tells me that it "Failed to load
  the workflow definition for the workflow", then the "SharePoint Designer cannot display the item" screen. All of these workflows can be accessed from my colleague's machine.
  Here are the actions that I have taken to date on my own machine:
  Cleared the caches multiple times
  Checked for updates
  Installed .Net Framework 4.5
  Re-installed .Net Framework 4.0 (which contains 3.0)
  Uninstalled and re-installed SPD 2013 
  Due to issues with a workflow on the site I am in contact with MS Support who are aware of this issue, they sent me a link to a hot fix that was already installed but they have no concrete idea of what might be going on.
  I was convinced that it was an issue on my machine, but I don't know what the issues that I have seen on the 32 bit SPD on the new laptop mean.
  I have been searching the internet for a fix with no success, I would appreciate any help.
  Thanks
  Mick

  Hi,
  According to your post, my understanding is that SharePoint Designer 2013 cannot access workflows in Office 365 Site.
  There was an issue recently when a service release was implemented that incremented the version number in the HTML header on some SharePoint online sites to '16' when SPD was expecting '15'. 
  I suggest to install internet explore 10 and install a patch for IE10. Then test with "open with windows explore" then opened in SPD from sharepoint online.
  In addition, I suggest that in SPD go to Account > Switch Account and type in the credentials of the site you are trying to open (it defaults to your Microsoft Login).
  If the issue persists, to troubleshoot this issue, you can uninstall all versions of SharePoint Designer on workstation, clear cache and then reinstalling the latest SharePoint Designer. For the detailed information, you can refer to the
  article: http://support.microsoft.com/kb/2794961
  Here are two similar threads for you to take a look at:
  http://social.msdn.microsoft.com/Forums/sharepoint/en-US/15fd1436-3166-4e43-8b22-cdb480091548/cant-open-sharepoint-online-site-in-sharepoint-designer-2013
  http://community.office365.com/en-us/forums/154/t/149314.aspx?PageIndex=2
  By the way, you can also post the question in Office 365 forum and more experts will assist you.
  Office 365 forums
  :http://community.office365.com/en-us/forums/default.aspx
  More information:
  SharePoint
  Designer 2013: Server-side activities have been updated:
  http://www.andreasthumfart.com/2013/08/sharepoint-designer-2013-server-side-activities-have-been-updated/
  Best Regards,
  Linda Li
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Design question for database connection in multithreaded socket-server

  Dear community,
  I am programming a multithreaded socket server. The server creates a new thread for each connection.
  The threads and several objects witch are instanced by each thread have to access database-connectivity. Therefore I implemented factory class which administer database connection in a pool. At this point I have a design question.
  How should I access the connections from the threads? There are two options:
  a) Should I implement in my server class a new method like "getDatabaseConnection" which calls the factory class and returns a pooled connection to the database? In this case each object has to know the server-object and have to call this method in order to get a database connection. That could become very complex as I have to safe a instance of the server object in each object ...
  b) Should I develop a static method in my factory class so that each thread could get a database connection by calling the static method of the factory?
  Thank you very much for your answer!
  Kind regards,
  Dak
  Message was edited by:
  dakger

  So your suggestion is to use a static method from a
  central class. But those static-methods are not realy
  object oriented, are they?There's only one static method, and that's getInstance
  If I use singleton pattern, I only create one
  instance of the database pooling class in order to
  cionfigure it (driver, access data to database and so
  on). The threads use than a static method of this
  class to get database connection?They use a static method to get the pool instance, getConnection is not static.
  Kaj

• Wireless guest access

  Hi Guys, I have a wireless requirement from a customer and the customer is looking for the below: 1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected. 2. Customer is looking to add their own logo and change the formatting of the captive portal. Questions: 1. For email verification, does this feature come straight from the WLC standalone box or must ISE be purchased? 2. If the WLC is able to do this without ISE, any online guides that is able to do this? 3. For security reasons, am I able to limit the number of concurrent users using this captive portal? 4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal? 5. Can I customize the captive portal page on the WLC and how do I go about doing it?

  Hi Mohanak,
  It looks like the formatting ran out. Anyway, not sure if we are on the right topic here but let me get this straight. Customer has a Cisco 2504 Wireless LAN Controller. So, they would like to achieve the below features:
  1. Wireless guest access that requires user to input email into the captive portal. But the email address must be verified that it contains certain selected domain names (e.g. example.com or example.org). Any other domain names will be rejected.
  2. Customer is looking to add their own logo and change the formatting of the captive portal.
  So, some of the questions I have are:
  Questions:
  1. There is a configuration on the WLC that allows guest users to login using email verification only. Does this feature come straight from the WLC standalone box or must ISE be purchased.
  2. If the WLC is able to do this without ISE, is the WLC able to check if the inputted field is a valid email? And can I configure in such a way a particular domain is allowed? (e.g. example.com is permitted but example.org and anything else is reject).
  3. For security reasons, am I able to limit the number of concurrent users using this captive portal?
  4. How do a configure the age-out for each connected users after they have successfully logged into the captive portal?
  5. Can I customize the captive portal page on the WLC and how do I go about doing it?

• Wired Guest Access

  Hi!
  I enabled Wired Guest Access to connect Wired Ethernet Users to WLC. It doesn't explained on user guide how WLC does? If WLC strips 802.3 frame and encapsultes it with 802.11 or not. Any way, I couldn't redirect the ethernet flux to WLC and then to the external controller authenticator (Captive portal authentication).  Need a help!
  Cheers!

  In order to provide the wired guest access, the designated ports in the layer-2 access layer switch need to be configured on the guest VLAN by the administrator. The guest VLAN must be separate from any other VLANs that are configured on this switch. The guest VLAN traffic is trunked to the nearest WLAN local controller. The local controller tunnels the guest traffic across a EoIP tunnel to a DMZ Anchor controller. This solution requires at least two controllers.
  Here is the URL for the Wired Guest Access using Cisco WLAN Controllers Configuration
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml#ancwlan

• LWA Guest Access with ISE and WLC

  Hi guys,
  Our Company try to implement Guest Access with ISE dan WLC with Local Web Auth Method. But there is problem that comes up with the certificate. This is the scenario :
  1. Guests try to connect wifi with SSID Guest
  2. Once it connect, guests open the browser and try to open a webpage (example: cisco.com)
  3. Because, guests didn't login, so it redirect to "ISE Guest Login Page" (url became :
  https://ise-hostname:8443/guestportal/Login.action?switch_url=https://1.1.1.1/login.html&wlan=Guest&redirect=www.cisco.com/
  4. If there is no ISE Guest Login Page installed, message Untrusted Connection message will appear, but it will be fine if they "Add Exception and install the certificate"
  5. After that the Guest Login Page will appear, and guests input their username and password.
  6. Login success and they will be redirected to www.cisco.com and there is pop up from 1.1.1.1 (WLC Virtual Interface IP) with logout button.
  The problem happen in scenario 6, after login success, the webpage with ISE IP address and message certificate error for 1.1.1.1 is appear.
  I know it happened when guests didn't have the WLC Login Page Certificate...
  My Question is, is there a way to tunneling WLC Certificate on ISE ? Or what can we do to make ISE validate WLC Certificate, so guests doesn't need to install WLC Certificate/ Root Certificate before connect to Wifi ?
  Thx 4 your answer and sorry for my bad English....

  Thx for your reply Peter, your solution is right,
  i don't choose CWA, because their DNS is not stable...
  i've found the problem...
  the third-party CA is revoked, so there is no way it will success until it fixed...
  and there is no guarantee, they will fix it soon..
  so solution that we choose is by disable "HTTPS" on WLC...
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable".
  "config network web-auth secureweb disable"
  thank you all...

• Wireless Guest Access with 802.1X (PEAP/MSCHAPv2) and ISE?

  Hi,
  I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
  The WLCs are running 7.3 and ISE is 1.1.1
  I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
  They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
  The credentials will be created by the sponsor, using the sponsor portal on the ISE.
  Now to the questions:
  Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
  Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
  When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
  As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
  Thankyou very much :-)
  Best Regards,
  Niels J. Larsen

  Hi,
  I have a setup based on WLC 5508, Catalyst 3750-X and AP3600i.
  The WLCs are running 7.3 and ISE is 1.1.1
  I'm trying to setup wireless guest access, where the guests connect to a SSID with 802.1X using PEAP/MSCHAPv2.
  They should receive their username/password either from a sponsor directly (corporate AD user which prints the credentials) or through a SMS.
  The credentials will be created by the sponsor, using the sponsor portal on the ISE.
  Now to the questions:
  Is it correct that the foreign WLC (i.e. the WLC within the internal corporate network), should be set to no L2 and L3 security on the guest WLAN, to avoid having the foreign WLC contact the ISE and all traffic be forwarded directly to the anchor WLC?
  Is it correct that the anchor WLC (i.e. the WLC in the DMZ), should be configured with 802.1X/WPA2 L2 security and the ISE servers as the RADIUS servers on the guest WLAN, to ensure that the client is correctly authenticated/authorized by the ISE?
  When a guest logs on, how can I ensure that only one device (MAC address) is allowed per user?
  As it is now, a guest is able to log on with (I assume) an unlimited number of devices, using the credentials they have received.
  Thankyou very much :-)
  Best Regards,
  Niels J. Larsen

• Guest access with CWA on ISE

  Hi support community
  we just implemented CWA for wireless guest access using ISE. however we have an issue, the redirect URL is a name, not an IP address, and the guest dhcp scope use public DNS servers, so CWA doesn't work unless we set the company DNS servers.
  so my question... is there a way to configure ISE to send the ip address instead the name for redirection in CWA?
  Many thanks in advance...

  Hi, thanks for answering...
  Yes the problem is that public DNS servers obiously can't resolve ISE servers names. Additionaly the guest VLAN has an ACL blocking all the traffic destined to internal resourses with some exceptions (DHCP, DNS and ISE port for CWA).
  however, guest can access to some company services, but as if they were located on internet, ie through the public ip address, so if we use internal servers, they resolve the internal ip address and connections fails. the Muhammad suggestions could be the solution for the problem....but now is something to discuss with the DNS server administrator...
  thanks

• Guest Access in 4.2.112/130 code

  I've just upgraded our controllers from 4.1.185 to 4.2.130 and have noticed some new settings and features for Guest access, specifically on the interfaces and the wlans. Can some one point me to an updated guide on the explanation of these new additions and the recommend setup now? Until I see an explanation on paper so as I can fully understand it, I don't want to change my current setup. i.e. Guest Lan, Ingress Interface, Egress Interface.

  Here is an even better link:
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
  the nutshell....
  "A growing number of companies recognizes the need to provide Internet access to its customers, partners, and consultants when they visit their facilities. With the new Wired Guest Access feature support on the Cisco WLAN Controllers that uses Cisco Unified Wireless Software Release 4.2.61.0 and later, IT managers can provide wired and wireless secured and controlled access to the Internet for guests on the same wireless LAN controller.
  Guest users must be allowed to connect to designated Ethernet ports and access the guest network as configured by the administrator after they complete the configured authentication methods. Wireless guest users can easily connect to the WLAN Controllers with the current guest access features. In addition, WCS, along with basic configuration and management of WLAN Controllers, provides enhanced guest user services. For customers who have already deployed or plan to deploy WLAN Controllers and WCS in their network, they can leverage the same infrastructure for wired guest access. This provides a unified wireless and wired guest access experience to the end users."

• Guest access to the Internet with Guest Anchor Controller

  Hi;
  We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
  I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
  What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
  Thanks for the assistance!  Glenn Morrison

  you'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
  HTH,
  Steve

• How do I disable guest access on E1000?

  I want to disable the guest access connection on E1000 wireless router but this option is not in the firmware menu.  So, now I read that I need to use Cisco Connect on the CD to change this feature.  When I run the Cisco Connect software, it says it can't configure the router (probably because I already have it configured).  Why doesn't the Cisco Connect software simply take me to the settings where I can change the guest access feature?  Why does it try to re-configure the router?  Whoever designed this at Cisco was probably smokin some medical MJ because it doesn't make any sense that I have to go through so many hoops to do something so simple.
  Solved!
  Go to Solution.

  Hard reset the router by pressing the reset button in back for 30 seconds and release.  Wait 10 seconds and power cycle the router.  Remove Cisco Connect from your computer completely.  Now re install Cisco Connect and configure the router and turn off the Guest Access.

• Centralized WLC Design Question

  Dears,
  In my scenario, i am designing CEntralized WLC deployment. I have 30 AP in Buidling X(200 Users) and 20 AP in Buidling Y(150 Users). I am planning to install HA WLC CLuster where Pimary & Secondary WLC will reside in physically different Data Centers A & B. 
  I have a wireless Design Question and i am not able to get clear answers. Please refer to the attached drawing and answer the following queries:
  If Buidling X users want to talk to building Y Users, then how Control & Data Traffic flow will happen between Buidling X & Y. Would all the traffic will go to Primary WLC from Bldg X APs first and then it will be Re Routed back to Buidling Y APs? Can i achieve direct switching between Bldg X&Y APs without going toward WLC?
  If Building X & Y Users want to access the internet, how would be traffic flow? Would the traffic from X&Y AP will go tunnel all the traffic towards WLC and then it will be routed to internet gateway?is it possible for Bldg X&Y AP to directly send traffic towards Internet Gateway without going to controllers?
  I have planned to put WLC at physically different locations in different DC A & B. Is it recommended to have such a design? What would be the Failver traffic volume if Primary WLC goes down and secondary controller takes over?
  My Reason to go for Centralized deployment is that i want to achieve Centralized Authentication with Local Switching. Please give your recommendations and feedback
  Regards,
  Rameez

  If Buidling X users want to talk to building Y Users, then how Control & Data Traffic flow will happen between Buidling X & Y. Would all the traffic will go to Primary WLC from Bldg X APs first and then it will be Re Routed back to Buidling Y APs? Can i achieve direct switching between Bldg X&Y APs without going toward WLC?
            Traffic flows to the WLC that is the primary for the AP's, then its routed over your network.
  If Building X & Y Users want to access the Internet, how would be traffic flow? Would the traffic from X&Y AP will go tunnel all the traffic towards WLC and then it will be routed to Internet gateway?is it possible for Bldg X&Y AP to directly send traffic towards Internet Gateway without going to controllers?
            The WLC isn't a router, so you would have to put the Internet traffic an a subnet and route.
  I have planned to put WLC at physically different locations in different DC A & B. Is it recommended to have such a design? What would be the Failover traffic volume if Primary WLC goes down and secondary controller takes over?
  Like I mentioned... earlier, the two HA WLC has to be on the same layer 2 subnet in order for you to use HA.  The guide mentions an Ethernet cable to connect both the HA ports on the WLC.
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"