Multicasting with a guest anchor configuration.

Hi All
First time posting. :-)
I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
In case of Auto Anchor:
Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface group, will receive an IP address in round robin method inside the interface group.
Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to a interface only, will receive an IP address from that interface only.
Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain its IP address.
Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
Could someone advise?
Thank you in advance!!

Thank you for information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
Q I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
unofortunately it seems that multicast over EoIP does not work.

Similar Messages

  • ASA Active/Active Failover with Redundant Guest Anchors

    Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
    The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
    Regards,
    Scott

    In addition to what you have, you should add to each unit the global configuration command "failover".
    We generally don't manually configure the MAC addresses in single context mode since the ASA ill automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

  • DHCP loadsharing with redundant Guest Anchor Controllers

    Hi
    I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centres with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
    This is how I tried to distribute
    network. 10.1.0.0/23
    gateway: 10.1.1.254
    Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
    Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
    As the user loadbalancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometime getting 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP) hence depleting the pool addresses.
    I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP loadbalancing and having full redundancy at the same time?
    Any suggestion will be greatly appreciated.
    Regards

    Thanks Scott, I understand that it's quite obvious to get an external DHCP Server, unfortunately it's not an option for us The weired thing is, it seems when a client joins the guest WiFi, both the Anchor Controllers (both functioning as DHCP servers with mutually exclusive IP Address space) are providing IP addresses. While the client accepts only one the other Controller still reserves the IP address unused and hence depleting the DHCP Pool.
    I thought for load balancing (in the very beginning) the Foreign controller will forward the DHCP request to only one of tthe Anchor Controllers, but in reality it's forwarding it to both. I have tested this with only one test AP, so mobility doesn't seem to be an issue here. Any thoughts?

  • Guest Anchor

    Hi All,
    I have a question if a guest anchor can support multiple VLANs for one SSID over EoIP? With AP groups this is possible, for example one SSID can be the same in different locations (meaning different VLANs/dynamic interfaces) but can this be done with a guest anchor?
    To setup a guest EoIP tunnel the interfaces are defined as Management (on foreign WLC) and a guest-dmz interface (on the anchor WLC). If you are using say web-authentication and try agin to use the same ssid with another interface (guest-dmz2) there seems to be some problem. anyone come across this before or know of a solution? i could configure different ssids to the different interfaces but wonder if it could be possible using the same ssid...there seems to be some limitation
    Any suggestions?
    Cheers
    Matt

    No.
    AP-Groups only work with the APs, and since mobility is passed with the controller IP, there is no way for AP groups to function on the Anchor.
    Now an interesting feature request might be to do a controller-group override, so that all clients from controller X go to one interface, and controller Y go to another, but I've never heard anyone ask for it.
    Bottom line, as far as i know, is that you're going to need two different SSIDs to have clients in different interfaces on the Anchor

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how to guides to build the parts I am not strong on so if anyone has actual completed this setup, I'd love to go through it with you.
    massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    so to start with, based on the trust sec documents, of the guest WLAN on the anchor I need to configure mac filtering at the layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that mac filitering and RADIUS NAC cannot be enable at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for radius, so I go to the AAA server tab and send local and LDAP to the not use column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again.  So I initially though it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in Advanced,
    JS

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use local WLC DHCP Pool (Guest Anchor), however reading Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have :
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However if you have N+1 you cannot use internal DHCP, does this also "grey" out the DHCP Proxy global setting? If so will the Guest Anchor still work with a internal DHCP pool even though foreign and guest controllers have a mismatch in DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well it should still work... dhcp proxy is required on the WLC that has a dhcp scope.  With the newer code versions, you can enable dhcp proxy on a per interface do this doens't have to be global.

  • Guest access to the Internet with Guest Anchor Controller

    Hi;
    We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
    I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
    What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
    Thanks for the assistance!  Glenn Morrison

    you'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
    HTH,
    Steve

  • Mobility Group Requirements for Guest Anchor WLC

    Hello -
    I've alway assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups.   However, I was told recently (without much detail) that this is possible.  So I have set out to test this.  
    I am trying to point one of my local WLCs guest SSIDs to a guest anchor WLC in a different mobility group.   I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down.   Each campus is it's own mobility group.   In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's non in the drop-down menu.  This is because it's not in the same mobility group.   So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
    To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
    Thanks
    Chuck

    Not only is it possible, I would recommend it. However, you may be confusing some concepts.
    The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
    The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
    If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
    Does that make sense?

  • Guest anchor WLAN and DHCP

    hi,
    I am trying to setup a guest WLAN using a local controller and  a controller in my DMZ using the mobility-anchor configuration.
    Ideally I'd like to use an external DHCP server in my DMZ, but for now, I'd be happy getting the local DHCP server on the DMZ controller working.
    Local Controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest" - assigned it to the management interface.
    Have tried the following with regards to DHCP on this WLAN.
         Set it to "override" and specified the DMZ controller's mangement interface
         Set DHCP to "assignment required" and specified the DMZ controller's management interface for the DHCP server for the local controller's management      interface
         Left DHCP server blank on the local controller's management interface
    Setup the DMZ controller as the mobility anchor for the "guest" WLAN
    DMZ controller config
    Configured mobility-groups, verified mobility group is working
    Created WLAN called "guest"
    Created a dynamic interface called "guest" associated to the "guest" WLAN
    Setup mobility anchor for the "guest" interface,  mobility-anchor = local controller
    Created an internal DHCP server scope and enabled it
    Have tried the following with regards to DHCP on the "guest" WLAN
         Set DHCP to "assignment required" and specified the IP address of the controllers management interface as the DHCP server on the "guest"      dynamic interface
         Set DHCP to "assignment required" and specified the IP address of the  controllers "guest" dynamic interface as the DHCP server on the "guest"       dynamic interface
         Set DHCP to "override" and specified the DMZ controller's management interface IP
         Set DHCP to "override" and specified the DMZ controller's "guest" interface IP
    After all this,  my client still cannot get an IP address via DHCP.  I verfiied the client is associating to the AP.
    Any help would be appreciated.
    Thanks
    Lee

    on the DMZ controller, what is the output of a debug client < mac address of the client>  You may also want to capture debug mobility handoff enable, from both WLC.
    For the guest, the DHCP is going to come from the DMZ controller, so there is no real need to configure anything on the internal WLC.  One thing of note, the WLAN config on both the DMZ and Internal must match exactly with the exception of the linked interface, otherwise you will not anchor.
    while runnign the debug, show dhcp proxy, for the WLC to be the DHCP server, proxy needs to be enabled.

  • Using 2504 as Guest Anchor.

    So I've got a few 7510 Flex Controllers and am looking to setup a mobility anchor for guest networks. I see this functionality has recently been extended to the 2504. However there is one thing I am curious about: the QoS profile, I have a QoS profile configured on my Guest WLAN, customized the bronze profile, from what I remember about the 2504 is it does not support the QoS functionality that is supported on the larger WLC models, and I know WLAN settings must match between WLC's and their anchors, so I don't know what happens with my QoS profile or if I can even utilize the 2504 as a mobility anchor for the 7510 due to this QoS issue.
    Has anyone tested this, or stumbled any documents about 2504's being mobility anchors?
    CCNP, CCIP, CCDP, CCNA: Security/Wireless
    Blog: http://ccie-or-null.net/       

    Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
    Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
    Good to see my blog helps you & thanks for the comment.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Is local EAP + Web Authentication possible in Auto Anchor Configuration

    Hi,
    I have a wireless network setup in an auto-anchor configuration with the foreign and anchor controllers. Due to the foreign controller being owned and managed by another company, I have an interesting authentication scenerio I would like to acheive. We can't implement full EAP-TLS as we would have to allow authentications from the foreign controller which is owned and managed by another company.
    Currently Web Authentication is working correctly for the Wireless Network. As another layer of security, I want to know if its possible for the wireless clients to trust a certificate installed on the foreign controller?  If so, are you able to point me in the direction of a user guide to implement.
    I found the following document which describes local EAP configuration . Would this work with Web Authentication?
    Thanks

    so, kinda but no.  EAP is a layer 2 authentication that uses encryption as well.
    WebAuth is a layer3 authentication only.
    Now the kinda....you can create guest/network users on the WLC local database, and if someone logins to the webauth portal with those credentials they will be able to get on.
    I'm not really sure what you are looking to do based on your post.
    Personally, if I had users that were going to roam to this controller, I'd work with that companies IT and get it linked to my AAA server and keep the EAP-TLS that I had working already going. Just because that WLC would be able to communicate to your AAA doesn't mean their users would be able to get on, as they wouldn't have the machine or client certificate nor the Root CA cert on their machines.
    HTH,
    Steve

  • Clients not connecting with AP 1600 after configuration

    Hi there!!
    I'm configuring a new Aironet 1600. I have to configure two SSIDs: Emplyees (vlan 40) and guests (vlan 45). Authentication for Employees is 802.1x against a RADIUS server and Guest is just WAP2. I'm trying to test the AP with the guest SSID (because I dont have the RADIUS server in my network), but the clients wont connect to the guest SSID. This is my first configuration and I used the web interface, not sure what I'm missing. Can you help?
    dot11 ssid ECSA
       vlan 40
       band-select
       authentication open eap eap_methods
       authentication network-eap eap_methods
       mbssid guest-mode
       mobility network-id 1
    dot11 ssid ECSA_GUEST
       vlan 45
       band-select
       authentication open
       authentication key-management wpa version 2
       guest-mode
       mbssid guest-mode
       mobility network-id 2
       wpa-psk ascii 7 106B050D1737065B0611393F74
    interface Dot11Radio0
     no ip address
     encryption vlan 45 mode ciphers aes-ccm
     encryption vlan 40 mode wep optional
     ssid ECSA
     ssid ECSA_GUEST
     antenna gain 0
     stbc
     beamform ofdm
     mbssid
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.40
     encapsulation dot1Q 40
     bridge-group 40
     bridge-group 40 subscriber-loop-control
     bridge-group 40 spanning-disabled
     bridge-group 40 block-unknown-source
     no bridge-group 40 source-learning
     no bridge-group 40 unicast-flooding
    interface Dot11Radio0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
    interface Dot11Radio1
     no ip address
     encryption vlan 45 mode ciphers aes-ccm tkip
     encryption vlan 40 mode wep optional
     ssid ECSA
     ssid ECSA_GUEST
     antenna gain 0
     peakdetect
     dfs band 3 block
     stbc
     beamform ofdm
     mbssid
     channel dfs
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.40
     encapsulation dot1Q 40
     bridge-group 40
     bridge-group 40 subscriber-loop-control
     bridge-group 40 spanning-disabled
     bridge-group 40 block-unknown-source
     no bridge-group 40 source-learning
     no bridge-group 40 unicast-flooding
    interface Dot11Radio1.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 subscriber-loop-control
     bridge-group 45 spanning-disabled
     bridge-group 45 block-unknown-source
     no bridge-group 45 source-learning
     no bridge-group 45 unicast-flooding
    interface GigabitEthernet0
     no ip address
     duplex auto
     speed auto
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.40
     encapsulation dot1Q 40
     bridge-group 40
     bridge-group 40 spanning-disabled
     no bridge-group 40 source-learning
    interface GigabitEthernet0.45
     encapsulation dot1Q 45
     bridge-group 45
     bridge-group 45 spanning-disabled
     no bridge-group 45 source-learning
    interface BVI1
     mac-address f07f.0654.1e8b
     ip address dhcp
    radius server 172.16.15.10
     address ipv4 172.16.15.10 auth-port 1645 acct-port 1646
     key 7 032178382658780D1658
    THANKS!

    sounds like you possibly need another AP in that Conference room
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Guest anchor across different versions

    Hi all,
    I'm looking for information on the issues that could arise or what the impact is of a guest anchor between WLC's with different versions.
    There is a 4400 in the core running 7.0 and a 2504 in a branch running 7.2. I need to extend a web auth guest SSID to the branch.
    7.2 is required because of 2602 AP's.
    Looking for information and experiences.
    Cheers
    Darren
    Sent from Cisco Technical Support iPhone App

    Here is a compatibility matrix
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp102554
    Sent from Cisco Technical Support iPhone App

  • Web Auth using 5760 Guest Anchor and ISE

    I am trying to deploy a new guest wireless solution using a 3650s as the MA, a 5760 as the MC, and a 5760 as the guest anchor.  ISE is being used as the guest auth server.
    When no auth requirements are set on the guest wlan, everything works fine.  I get an IP address and can get to the internet, VPN, etc.  As soon as I enter the security web-auth command on the wlan, my client drops and goes into an Acquiring IP Address state.  When I check the client on the controller, it is in a Policy Manager State of START.
    As soon as I remove the security web-auth commamd from the wlan, I connect right up.  It is my understanding that in guest, the client gets an IP address first in order to get redirected to the spoofed external web page, in my case ISE.
    Any thoughts on what I am missing on my guest anchor, or MA config?  Do I need to make any changes to the wlan on the MC?  Any documentation about the relationship between the MA, MC, and guest anchor would be appreciated, I am not 100% sure which devices are required to have the client reach the guest anchor and get connected.

    I hope this may help you
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

Maybe you are looking for

  • Adobe Bridge gives a system error

    Adobe CS4. Installed on my mac. Does not recognize Raw files and when i try to open Bridge says a system error has occured. Adobe Photoshop Version: 11.0 Operating System: Mac OS 10.9.0 Camera Raw 5.0 Please help

  • A little lost here, view doesn't seem to want to show up

    Hi, First of all, let me say that i am not a iPhone or Mac developper although i'm a super good programmer that knows lots of languages (c/c++, java, c#, php, vb, vb.net, etc) I was tasked to add a screen to an iphone app that asks for user acceptanc

  • Source file for MSR

    Hi All,    I m working on a PoC for MSR.I have downloaded the .war file for the same but i dnt have the source file for it.Where can i find the source code to change the customization. Suggest some help. Thx n Regards Priyanka

  • Printout a cluster control

    Hello, has anyone an idea how to printout a cluster control. When I print it with "Append Control Image to Report" the I only have the empty frame printed out. regards Marco

  • Interactivity in muse

    Hi, I am trying to learn Adobe Muse. Just as an excerise, I tried to build this site again using muse http://www.flukyfactory.com. However I am unable to do the interactivity that happens when one clicks "about us", when it becomes a larger rectangle