Redundant guest anchor/office extend 5508 controllers

Hello,
We are looking to deploy 2 guest anchor/office extend 250 AP 5508 Controllers.
The first 5508 would be primary for both public wireless and office extend APs. The second 5508 would not be used unless the first controller fails.
What is best practice when it comes to the certificate for public wireless? Should I create a single certificate for both controllers or have two different certificates?
Thanks

This makes sense.  What would I need to do so that the networks don't overlap on both controllers for guest?  Would I need to make new networks on the secondary controller:
Primary Controller

Similar Messages

  • DHCP loadsharing with redundant Guest Anchor Controllers

    Hi
    I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centres with all the management and guest user VLANs spanned between the two. Everything is working fine with the Guest WiFi access except the DHCP functionality, as the Controllers are acting themselves as the internal DHCP Servers.
    This is how I tried to distribute
    network: 10.1.0.0/23
    gateway: 10.1.1.254
    Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
    Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
    As the user load balancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometimes gets 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP), hence depleting the pool addresses.
    I guess one way of solving this is to just run 1 DHCP server in one of the controllers, but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP load balancing and having full redundancy at the same time?
    Any suggestion will be greatly appreciated.
    Regards

    Thanks Scott, I understand that it's quite obvious to get an external DHCP Server; unfortunately it's not an option for us. The weird thing is, it seems when a client joins the guest WiFi, both the Anchor Controllers (both functioning as DHCP servers with mutually exclusive IP Address space) are providing IP addresses. While the client accepts only one, the other Controller still reserves the IP address unused and hence depletes the DHCP Pool.
    I thought for load balancing (in the very beginning) the Foreign controller would forward the DHCP request to only one of the Anchor Controllers, but in reality it's forwarding it to both. I have tested this with only one test AP, so mobility doesn't seem to be an issue here. Any thoughts?

  • ASA Active/Active Failover with Redundant Guest Anchors

    Does anyone know how an ASA and a guest anchor 5508 will interact if I setup an Active/Active failover pair with physical interface redundancy?  I see from documentation that I can create a logical group in the ASA to bond physical interfaces together, but it doesn't describe what protocol is being used to manage that bundle.  Do I assume etherchannel?  If I were to create this scenario, can I run the 5508 in LAG mode?
    The current failover configuration example is for PIX, and old code at that.  I'm referencing an ASA/PIX guide ISBN:1-58705-819-7 beginning on page 531.
    Regards,
    Scott

    In addition to what you have, you should add to each unit the global configuration command "failover".
    We generally don't manually configure the MAC addresses in single context mode since the ASA will automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

  • Guest Anchor with web auth using ISE guest portal

    Hello All,
    Before launching into my exact issues, could anyone confirm if they have completed a wireless Guest anchor setup using 2504 controllers on 7.4 as the anchor (5508 is the foreign) with webauth external redirection at ISE 1.1.3 using ISE Guest Services?
    I am attempting this for an internal POC and have hit a couple of issues. Firstly I am looking for correct configuration confirmation prior to going in depth with a couple of the issues. I've been using the TrustSec 2.1 how-to guides to build the parts I am not strong on, so if anyone has actually completed this setup, I'd love to go through it with you.
    Massive thanks to anyone that can assist.
    JS.

    Thanks for the reply RikJonAtk.
    So to start with, based on the TrustSec documents, on the guest WLAN on the anchor I need to configure MAC filtering at the Layer 2 security menu as well as enable RADIUS NAC under the Advanced tab. But when I do this, I get an error message that states that MAC filtering and RADIUS NAC cannot be enabled at the same time.
    Additionally, if I just enable the RADIUS NAC setting under the Advanced tab in the WLAN, I get another error message that states that the priority order for Web-Auth can only be set for RADIUS, so I go to the AAA server tab and send local and LDAP to the "not used" column and hit apply. If I move to another menu then check the priority order again under the AAA servers tab, the local and LDAP have been moved back to the menu field to be used again. So I initially thought it might be a bug, but I was hoping to find someone here that has done this already and can look at my issues and maybe walk me through their configs, which I'll mirror and see how it goes.
    Thanks in advance,
    JS

  • Guest Anchor N+1: Multiple guest WLANs and Mobility List

    Hi Experts,
    We are going to replace two guest anchor controllers WLC4402 sitting in different DMZs with two WLC5508 as N+1 redundant pair in one DMZ.
    I assume each guest anchor controller should support multiple guest WLANs. Is it correct?
    And between these two new anchor WLCs, do they need to add each other to Mobility List?
    Or maybe I should ask first, does it matter if they are in the same mobility group or not?
    Thanks
    Cedar

    N+1 for guest anchors isn't what N+1 was designed for.  N+1 was designed for redundancy for WLC's supporting access points, not mobility anchors.  This solution might work, but I really doubt Cisco will support this setup, but I can be wrong.... you can always talk with your local Cisco SE or open a TAC case and ask.
    Guest anchors should have a different mobility group name from the foreign WLC's.  You do need the foreign to have both guest anchors and the guest anchor to just have the foreign WLC(s).  The redundant guest anchors do not need to have each other in the mobility group list.
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • Can i use Internal DHCP on WLC Guest Anchor (5508) with Foreign HA 5508

    DHCP Proxy is required in order to use the local WLC DHCP Pool (Guest Anchor); however, the Wireless Q&A (http://www.cisco.com/image/gif/paws/107458/wga-faq.pdf) states that both foreign and guest anchors must have:
    In a Wireless guest access setup, the DHCP proxy setting in the Guest Anchor controllers
    and the internal controller must match. Else, DHCP request from clients are dropped and you
    see this error message on the internal controller......
    However, if you have N+1 you cannot use internal DHCP; does this also "grey" out the DHCP Proxy global setting? If so, will the Guest Anchor still work with an internal DHCP pool even though foreign and guest controllers have a mismatch in the DHCP Proxy (global) setting?
    Many Thanks
    Kam

    Well, it should still work... DHCP proxy is required on the WLC that has a DHCP scope. With the newer code versions, you can enable DHCP proxy per interface, so this doesn't have to be global.

  • 5508 Guest Anchor 7.4MR2

    We are upgrading all Foreign 5508 WLCs to 7.4MR2. Our Guest Anchor is currently on 7.0.235. Any reason not to upgrade the Guest Anchor to 7.4MR2? Has anyone encountered any issues doing this? We are not having any issues on 7.0, and I just did not want to introduce any.

    Mine is with the following. Still trying to figure out why.
    *osapiBsnTimer: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireCallback (apf_ms.c:626) Expiring Mobile!
    *apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 apfMsExpireMobileStation (apf_ms.c:6655) Changing state for mobile f8:16:54:07:a8:78 on AP 00:e1:6d:b2:a6:90 from Associated to Disassociated
    *apfReceiveTask: Mar 17 12:58:05.949: f8:16:54:07:a8:78 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    Anyway, I've tried increasing the Session Timeout to 8 hours and am still testing it. As my problem is not consistent, I have to monitor and see if it's solved.

  • Virtual WLAN Controller Guest Anchor

    We are planning a WLAN upgrade and the security policy is to forward wireless Guest user traffic to the DMZ controllers. We are now considering the Virtual WLAN Controller and all AP's will register with the virtual controllers and we will use Flexconnect for Staff and internal traffic that will switch their traffic onto the local switch.
    We wish to forward the guest traffic to the DMZ Guest Anchor controller which will be a 5508 controller. This will also offer Office Extend AP service.
    I have looked at the virtual controller docs and it is not very clear if this deployment model is supported. Below is a diagram of what we wish to deploy; can anyone advise if this is a supported deployment model?

    Well you can use the vWLC to anchor to a 5508, but not the other way around. So if you use the DMZ 5508 for OfficeExtend, you will not be able to anchor the traffic back to the inside. Cisco doesn't support reverse anchoring for a Remote-LAN in OfficeExtend and requires you to actually have the OfficeExtend AP's connect to an inside WLC. In v7.0.x you were able to do this reverse anchor, but it was removed on later codes.
    Sent from Cisco Technical Support iPhone App

  • Using 2504 as Guest Anchor.

    So I've got a few 7510 Flex Controllers and am looking to set up a mobility anchor for guest networks. I see this functionality has recently been extended to the 2504. However, there is one thing I am curious about: the QoS profile. I have a QoS profile configured on my Guest WLAN (a customized bronze profile). From what I remember about the 2504, it does not support the QoS functionality that is supported on the larger WLC models, and I know WLAN settings must match between WLCs and their anchors, so I don't know what happens with my QoS profile or if I can even utilize the 2504 as a mobility anchor for the 7510 due to this QoS issue.
    Has anyone tested this, or stumbled any documents about 2504's being mobility anchors?
    CCNP, CCIP, CCDP, CCNA: Security/Wireless
    Blog: http://ccie-or-null.net/

    Do you know if it's possible to keep the 3850's as MC and MA's and deploy a 5760/5508/WiSM2 as just a guest anchor.
    Yes, this is possible & what I have done in my production network (5760 as MC & Guest Anchor where 3850 as MA). In your case you can have 3850 MC/MA while 5508 as Guest Anchor.
    Good to see my blog helps you & thanks for the comment.
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Guest access to the Internet with Guest Anchor Controller

    Hi;
    We are doing our initial implementation of an enterprise wireless system.  I deployed a WLC 5508 connected to our data center core switch using LAG.  The 5508 is configured in FlexConnect mode since it is serving APs deployed to a handful of remote offices.  Employee wireless access has been rolled out and is working well.
    I am designing guest access.  As is typical, I want to enforce a policy that guest wireless traffic is forwarded to the Internet Edge in our DMZ and directed out to the Internet.  We do not plan to deploy a Guest Anchor controller in the first phase of the roll out.
    What is the best way to enforce forwarding of guest traffic towards the Internet Edge once the guest traffic arrives at the 5508?  A guest VLAN between the core switch and the Internet Edge isn't feasible since there is a firewall between the core and DMZ that is configured in Routed mode.
    Thanks for the assistance!  Glenn Morrison

    You'd have to do a VLAN between the core and the firewall for the guest traffic until you get the anchor installed.
    HTH,
    Steve

  • Implementing Two Guest Anchor WLCs

    Hello -
    I am wondering if anyone has ever set up a guest network solution using two anchor controllers where the internal WLCs each have two anchors configured, use a primary Anchor, and when it is unavailable can dynamically fail over to a secondary Anchor.
    I am looking to bring my current guest service onto the DMZ. Right now we are using separate ISPs where we tunnel the guest traffic to an anchor controller and out the separate ISP. We do not use our corporate internet service for guest. In any event, the DMZ design I am working on would include two WLCs sitting on our DMZ. I'd like to have each internal WLC configured to associate to the DMZ WLC that is connected to our active DMZ/Border. Upon failure, I would then like to have the internal WLCs fail over to the second DMZ WLC on our standby DMZ/Border. So I would need to configure both anchors on the guest WLAN of each WLC. I'm just wondering if this is possible and if the failover will actually work.
    Any input is appreciated. I'd like to implement a redundant guest solution where internal WLCs can dynamically fail over to a backup Anchor....
    Thanks
    Chuck

    Hi, I just got done moving our anchors to the DMZ, so you are in luck as everything is fresh in my mind. I, like you, have dual anchors in the DMZ. I also have over 30 inside (foreign) controllers connected to these anchors.
    When you anchor a WLAN to (2) anchor controllers, the controllers automagically load balance guest associations. Example: 2 guests attached to SSID: GUEST. Guest #1 goes to anchor #1 and guest #2 goes to anchor #2. You don't configure anything; this happens automagically, like I mentioned.
    As for failover: yes, if you pull the plug on anchor #1, the EoIP tunnel breaks between the anchor and the foreign controller. Guests that were on anchor #1 will require reauthentication and then join anchor #2. So if you had, say, an "accept page", these guests will get that same page again from anchor #2.
    Does that answer your question?

  • Sizing guest anchor controller

    40 locations, around 20-30 APs per location, 1 gig back from each site to the main site, minimizing cost. Trying to size the guest anchor controller. Redundancy is not required. If I understand correctly, the 4402/4404/5508 controllers support up to around 70 EoIP tunnels. My limitation is bandwidth. Is it safe to say that if Internet bandwidth is <100Mbps, then a 4402 will suffice? Only if Internet bandwidth was above 1Gbps would I need to go to a 4404 (bandwidth is used twice, so 1Gbps of guest traffic would result in approximately 2Gbps of throughput).

    You could always port-channel a 4402 and use LAG on your anchor controller for 2 Gb.
    I use a 4402-12 for our anchors as the BW is adequate, and AP license count is not a factor for anchors.

  • Will the 4404 Controller support Office Extend

    According to the software release bulletin
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/product_bulletin_c25-530367_ps10315_Products_Bulletin.html
    We just purchased a 4404 controller. The document above states 4404 controllers have the capability to be upgraded to the new 6.0 software which supports Office extend. Does anyone have any idea whether it will be possible to purchase a wplus (wireless plus) license to enable office extend on a 4404 controller?
    Thanks

    Office Extend is a new "feature" with the new 5508 controller running the new IOS, 6.X, and an Office Extend license. No one as yet knows if the Office Extend feature will be extended to the WLC 2000/2100, 4400 or the WiSM. I am suspecting that because Office Extend is a licensed feature, I have no doubt that this will be exclusive to the 5508.
    Because the 5508 AP support license can support 25, 50, 100 and 250, anticipate the End-of-Sale announcement of the WLC 2100 and the WLC 4400.

  • Multicasting with a guest anchor configuration.

    Hi All
    First time posting. :-)
    I have a guest anchor controller in our DMZ servicing Apple devices. We are looking at options for using Apple TV to display/stream presentations from executive iPads and such. Since it uses bonjour (multicast) would I be able to utilize the new features available in 7.0.116.0 to implement this solution? I have 4 WiSM 1s servicing the headquarters building and one 4402 guest anchor. I believe this is possible based on the note in the document: VLAN Select and Multicast Optimization Features Deployment Guide; specifically the section:
    Note: In a Guest Tunneling scenario, roaming between export foreign and export foreign is supported. However, roaming between export foreign and export anchor is not supported with VLAN Select.
    In case of Auto Anchor:
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to an interface group, will receive an IP address in round robin method inside the interface group.
    Clients joining a foreign WLC, which is exported to an anchor WLC and mapped to an interface only, will receive an IP address from that interface only.
    Clients roaming between two or more foreign controllers mapped to a single anchor WLC with an interface group configured will be able to maintain their IP address.
    Since I only have one guest anchor, I would assume based on this that I would fall under the export foreign - export foreign option and implementing this would be possible.
    Could someone advise?
    Thank you in advance!!

    Thank you for the information, I have the same problem. So I made a search on EoIP tunnel and Multicast.
    http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00808b4c61.shtml
    Q. I have a guest tunneling, Ethernet over IP (EoIP) tunnel, configured between my 4400 Wireless LAN Controller (WLC), which acts as the anchor WLC, and several remote WLCs. Can this anchor WLC forward subnet broadcasts through the EoIP tunnel from the wired network to wireless clients associated with the remote controllers?
    A. No, the WLC 4400 does not forward IP subnet broadcasts from the wired side to the wireless clients across the EoIP tunnel. This is not a supported feature. Cisco does not support tunneling of subnet broadcast or multicast in guest access topology. Since the guest WLAN forces the client point of presence to a very specific location in the network, mostly outside the firewall, tunneling of subnet broadcast can be a security problem.
    Unfortunately, it seems that multicast over EoIP does not work.

  • Mobility Group Requirements for Guest Anchor WLC

    Hello -
    I've always assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups. However, I was told recently (without much detail) that this is possible. So I have set out to test this.
    I am trying to point one of my local WLCs' guest SSIDs to a guest anchor WLC in a different mobility group. I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down. Each campus is its own mobility group. In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's not in the drop-down menu. This is because it's not in the same mobility group. So my question is: how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
    To me it doesn't seem possible without significant configuration changes. I don't want to reconfigure/recreate mobility groups.
    Thanks
    Chuck

    Not only is it possible, I would recommend it. However, you may be confusing some concepts.
    The Mobility Group is different than the Mobility Domain. I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
    The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign WLC, and vice versa.
    If you notice, when you add a mobility entry to the list, it should ask you for the mobility group. If you leave it blank, it should default to that of that WLC, but on GroupA controllers you could define GroupB controllers (and specify GroupB), and then you should have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
    Does that make sense?
