Total throughput and client limitations per guest anchor controller; 7,000 guest clients

Similar Messages

• There is difference between Total vat  and vat as per trail balance

  Dear Gurus,
             I am getting difference between vat payble and vat as per trail balnce,i am attaching below  file.
                 Dr      Cr     Net Balance     VAT Rate     
  410000          SALES - HANDSET     249,500.47     162,055,133.33      161,805,632.86      4%     
  410001          SALES - VODATA     93,422.47     4,897,111.40      4,803,688.93      4%     
  410002          SALES - KITS/CARDS/A     1,389.60     1,391.43      1.83      4%     
  410004          SALES - OTHERS     143.27     562,801.74      562,658.47      4%     
  410005          SALES - FWP          2,597,821.94      2,597,821.94      4%     
  410007          SALES - T SKY     2,665.78     34,655.14      31,989.36      12.50%     
  410051          SALES RET - HANDSETS     271,951.50           (271,951.50)     4%     
  410052          SALES RET - VODATA     3,701.92           (3,701.92)     4%     
                            169,526,139.97           
            Less : Additional Trade discount               960,165.57          
            Net Sale               168,565,974.4          
            VAT @ 4%                6,741,359.40
            VAT @ 12.5%               3998.67
            Total VAT                6,745,358.07
            VAT as per Trial                6,696,095.39
                 Difference           49,262.68

  Hi,
     How to i will check zero vat entries for the revenue G/L accounts,could u give me T.code and example.

• Sizing guest anchor controller

  40 locations, around 20-30 APs per location, 1 gig back from each site to the main site, minimizing cost. Trying to size the guest anchor controller. Redundancy is not required. As I understand correctly 4402/4404/5508 controller supports up to around 70 EOP tunnels. My limitation is bandwidth. Is it safe to say that if Internet bandwidth is <100Mbps, then 4402 will suffice? Only if Internet bandwidth was above >1Gbps when I'd need to go to 4404 (bandwidth is used twice, so 1Gbps guest traffic would result at approximately 2Gbps throughput)

  You could always port-channel a 4402 and use LAG on your anchor controller for 2gb.
  I use a 4402-12 for our anchor's as the BW is adequate, and AP license count is not a factor for anchors.

• 5508 Foreign controller and 4400 Anchor controller

  Hi,
  We have a customer that have 2 5508 as primary and backup controller and a 4400 as an anchor controller.  We plan to upgrade the 5508 to 7.3.112.0 and the 4400 is already 7.0.116.0.  Will there be any issue if the anchor controller is not the same code as the foreign controller?  Do I also have to upgrade the acnhor controller to 7.0.240.0?
  Regards,

  Here is a link to the inter release controller mobility matrix to keep handy
  http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp123314
  Sent from Cisco Technical Support iPhone App

• DMZ Anchor Controller

  I'm having trouble setting up an Anchor Controller on my DMZ. I have setup everything up and tested it out on my inside network and the Anchor Controller comes up with no problem. When I put the Anchor Controller on the DMZ the data path is up but the control path is down. I can do EPING's but MPINGS fail everytime. The DMZ is secured by a checkpoint firewall. I've made sure ports UDP 16666, 16667 and TCP 97 are open on the firewall. It looks like the traffic is going out to the Anchor controller on the DMZ but not coming back in to establish the tunnel. I've contacted Checkpoint but there support is not the best and I'm wondering if anyone has suppport for a checkpointfirewall. Thanks in advance

  From Chapter 10 of the Enterprise Mobility 4.1 Design Guide -
  http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidance09186a00808d9330.html
  The following verifications and troubleshooting tasks assume the following: •The solution is using the web authentication functionality resident in the anchor controller(s). •User credentials are created and stored locally on the anchor controller(s).
  Before attempting to troubleshoot the various symptoms below, at the very least you should be able to ping from the campus (foreign) controller to the anchor controller(s). If not, verify routing.
  Next, you should be able to perform the following advanced pings. These can only be performed via the serial console interfaces of the controllers: •mping neighbor WLC ip
  This pings the neighbor controller through the LWAPP control channel. •eping neighbor WLC ip
  This pings the neighbor controller through the LWAPP data channel.
  If a standard ICMP ping goes through, but mpings do not, ensure that the default mobility group name of each WLC is the same, and ensure that the IP, MAC, and mobility group name of each WLC is entered in the mobility members list of every WLC.
  If pings and mpings are successful, but epings are not, check the network to make sure that IP protocol 97 (Ethernet-over-IP) is not being blocked.
  Please make sure that the mobility group names are on each other's controller.
  Hope this helps

• Guest ssid with anchor controller and Web policy

  We have a WLC4404 and and anchor controller WLC4402 to provide guest access to the wifi net. We configured both in the same mobility group, and the guest ssid to attach to the mobility anchor 4402. All is working fine until we enable the web policy authentication on the 4402. In this case the client join the guest ssid but neither get an ip address from the dhcp server nor go anywhere. Is we disable the web authentication all works fine again. We are runnig 4.0.206.0 on both WLC. Anyone can help us?

  Two things you might check. (1) The 4404's mobility anchor should point to the 4402, and the 4402 should anchor to itself. (2) Make sure you are configuring the same security policy for the SSID on both the 4402 and 4404. So if the SSID is "guest" and you turn on web authentication on the 4402, make sure "guest" is on the 4404 with web authentication. We are using a similar setup for guest access at several sites.

• WLC user rate limit on guest ssid anchor controller

  Hi,
  I have been looking through the forums & some cisco documents but not found a good example similar to what I am seeking to do so now I am turning to the expertise of my peers.
  We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ.
  Both the foreign and anchor controller are here at my location.
  I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid.
  As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
  We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
  I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
  So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
  Thanks guys!           
  Oh and here is my hardware & software levels.
  5508wlc - forgeign
  4402wlc - anchor
  Software Version
  7.0.230.0

  Amjad,
  Thank you for taking the time to respond as well as the document link.
  It was pretty clear on the steps and what it would impact.
  Two things that push me for a different solution (assuming their is one).
  Note The values that you configure for the per-user bandwidth contracts affect only the amount of bandwidth going downstream (from the access point to the wireless client). They do not affect the bandwidth for upstream traffic (from the client to the access point).
  As you can see from the above note taken out of the linked document the roll based rate limit doesnt really rate limit the T1 traffic any guest user consumes it only limits usage from the AP down to the client.
  #1 I am looking for a solution that limits the users up & down streams (if possible) & also before it leaves the AP for the T1.
  The idea is to limit WAN utilization.
  #2 I read in the forums here others asking about the "user role" and saw some comments saying it is not considered "best practice" to use user roles.
  Let me clarify that our guest ssid's are using the http webpage pass through for authentication and it is really only the tic mark to indicate they understand the terms and conditions of using our internet as a guest service. No actual user accounts are used on the guest ssid's.
  ***One last question about this and any other changes***
  Will any change I make be on the "Foreign, Anchor" or both Controllers?

• Using ISE for guest access together with anchor controller WLC in DMZ

  Hi there,
  I setup a guest WLAN in our LAB environment. I have one internal WLC connection to an anchor controller in our DMZ. I'm using the WLC integrated web-auth portal which works fine.
  To gain more flexibility regarding guest account provisioning and reporting my idea is to use Cisco Identity Services Engine (ISE) for web-authentication. So the anchor controller in the DMZ would redirect the guest clients to the ISE portal.
  As the ISE is located on the internal network while the guest clients end up in the DMZ network this would mean that I have to open the web-auth portal port of ISE for all guest client IPs in order to be able to authenticate.
  Does anyone know of a better solution for this ? Where to place the ISE for this scenario, etc ?
  Thx
  Frank

  So i ran into a similar scenario on a recent deployment:
  We had the following:
  WLC-A on private network (Inside)
  ISE Servers ISE01 and ISE02 (Inside)
  WLC-B Anchor in DMZ for Guest traffic (DMZ)
  ISE Server 3 (DMZ)
  ISE01 and ISE02 are used for 802.1X for the private network WLAN.
  Customer does not allow guest traffic to move from a less secure network to a more secure network (Compliance reasons).
  The foreign controller (WLC-A) must handle all L2 authentication and it must use the same policy node that the clients will hit for web auth.  Since we want to do CWA, we use Mac Filtering with ISE as the radius server.  If you send this traffic RADIUS authentication for Mac Filtering to ISE01/ISE02, it will use https://ise01.mydomain.com/... to redirect the client to.  Since we don't allow traffic to traverse from the DMZ with the anchor in it back inside to the network where ISE01 and ISE02 are, client redirection fails.  (This was a limitation of ISE 1.1.  Not sure if this persists in 1.2 or not.
  So what now?  In our deployment we decided to use a 3rd ISE policy node (ISE03 in the DMZ) for guest authentiction from the Foreign controller so that the client will use a DNS of https://ise03.mydomain.com/... to redirect the client to.  Once the session is authenticated, ISE03 will send a CoA back to the foreign which will remove the redirect for the session.  Note, you do have to allow ISE03 to send a CoA.
  In summary, if you can't allow guest traffic to head back inside the network to hit the CWA portal, you must add a policy node in a DMZ to use for the CWA portal so they have a resolvable and reachable policy node.

• AP Groups - Guest Access - Anchor Controller

  Need clarification - I think it does work
  Does the AP Group feature work with the anchor controller guest access feature
  SSID guest --- LWAP -- LWAPP -- Foreign WLC --- EoIP --- Anchor Controller --- VLAN 10 or VLAN 11
  ie
  Guests in Building 1
  SSID guest VLAN 10
  Guests in Building 2
  SSID guest VLAN 11
  Mark

  Hi,
  As far as I know, AP Group only works locally in each controller, and the mapping between SSID and VLAN is done in the anchor controller.
  Therefore, all clients will end up in the same VLAN, even if access points are in different AP Groups in the first WLC.
  Kind regards
  Johan

• Wireless Guest Network using Cisco 4402 as an Anchor Controller

  Hello,
  We have recently redesigned our wireless guest network in accordance to Cisco's recommended deployment using the anchor controller in the DMZ. We have created two mobility groups (enterprise and anchor). The anchor controller and DMZ has two subnets (guest managment and guest clients). The guest management subnet is connected to the controller and firewall allowing the mobility groups and EOIP tunnels while the guest client network is also connected to the controller and firewall to push the client traffic directly out the firewall. The setup works well but the one part that I'm not happy with is the DHCP. Currently DHCP is being handled on the firewall because of issues we had with dhcp relay and the controllers internal dhcp service.
  Does anyone have any information on getting DHCP relay working or the internal dhcp service on the controllers when using as a anchor?
  This is basically the setup guide that we followed.
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
  Thanks!

  Hi,
  Make sure you have the IP helper address configured under the VLAN interface on the L3 and also make sure to disable DHCP proxy on both the WLC (Anchor and Foreign).
  This will help us as well..
  lemme know if this answered your question..
  Regards
  Surendra
  ====
  Please dont forget to rate the posts which answered your question and mark it as answered or was helpfull

• Guest Anchor Controller DNS issues

  Hi,
  I have an anchor controller (4402) is running version 4.0.219.0 in our DMZ
  The main service we use is a guest service which uses the anchor controller in the DMZ for access to the internet. Authentication is via the WEB re-direct feature. We currently have a subnet assigned to the Guest SSID with a 22 bit mask providing just over 1000 ip addresses to clients.
  Change required (which were attemped).
  1. Move the dhcp server to a dedicated dhcp server and off the anchor controller.
  2. Increase the address space to /21 thereby providing about 2000 addresses for clients. (By changing the ip address mask on the SSID interface).
  Problems
  The provision of dhcp from the new dhcp server worked fine and clients were able to pick up dhcp addresses when they associated to the wireless SSID.
  The problem was that only some clients were being re-directed to the web-redirect page for authentication. Any clients who were re-directed were able to authenticate correctly.
  Diagnosis
  It appears that only some client's dns requests were being passed on from the anchor controller. A capture of packets between the anchor controller and the DMZ firewall did not pick up dns packets from an assiocated and connected client even when running dns queries manually from the wireless client.
  A reboot of the controller did not make any difference.
  Is there any throttling effect on dns queries which may have being implemented on the anchor controller by default once the subnet mask was increased? I noticed authentication successes of about 1 a minute while normally we would see authentication rates of 1 every couple of seconds.
  Are there any bugs or known reason why an interface mask of /21 would be problematic on the controller?
  We had to roll back the changes to the original configuration in order to bring the service back on-line.

  Hello Eoin
  Where is the external dhcp server ? in the same DMZ or on the inside network ? we have a /19 subnet allocated to the guests and I dont foresee any throttling on the dns queries.. The connectivity anyway till the anchor controller is on EoIP, and is just like the client connecting onto a local controller..
  laptops which had issues -> was the problem interim or its just that they are not able to get the web redirect page at all ?
  Check the release notes for any bugs on this software:
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn402190.html#wp170104
  Raj

• Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

  Hi Experts ,
  Need help with the respect to understand the best practice to place/create the DHCP scope for remote site Guest SSID which will be connected to HQ Foeign-Anchor controller set-up.
  how about internet traffic for Guest SSID , which one will be recommanded :
  1) Guest SSID gets authenticated from HQ ISE and exposed to the local internet
  2) Guest SSID gets authenticated from HQ ISE and exposed to the HQ internet
  Thanks

  Hi George ,
  Thanks for your reply ...So you mean, best design would be to create the DHCP scope into DMZ for guest and let it get exposed to HQ internet ...
  how about if I have another anchor controller in lets say in other  office and I need to anchor the traffic or load balance from HQ foreign controller , in that case if I create DHCP scope into HQ anchor controller and if its down , I will loose the connectivity , how do I achieve fail-over to another anchor ?
  Do I need to create secondary scope into another anchor controller and let the client get reauthenticated from other location ISE and get ip address as well from another anchor controller . Is it what you are proposing ?

• Is there a recommended limit on the number of custom sections and the cells per table so that there are no performance issues with the UI?

  Is there a recommended limit on the number of custom sections and the cells per table so that there are no performance issues with the UI?

  Thanks Kelly,
  The answers would be the following:
  1200 cells per custom section (NEW COUNT), and up to 30 custom sections per spec.
  Assuming all will be populated, and this would apply to all final material specs in the system which could be ~25% of all material specs.
  The cells will be numeric, free text, drop downs, and some calculated numeric.
  Are we reaching the limits for UI performance?
  Thanks

• Dunning Key and minimum amount per dunning level

  Dear Friends,
  Can any one please explain the dunnig key functions?
  While defining the minimum amout their is two terms one is open item and another one is total amount.
  The definintion of total amount is all the items in an account means the items which are paid also? because I am confuse to understand the differece between total amount and open items. Please expain the both the terms.
  Thanks in advance,
  Regards,
  Mahendra Dev

  Dear Rajeev,
  Lots of thanks for your reply.
  as per my understanding on behalf of your explanation.
  Total Open item can be total of item in grace period and also the item which is in dunning level
  and the total item only the total of item which is in dunning level.
  I am in the mid of chapter of Minimum amount per dunning level.
  and want to clear the term the relation between the total amount and the total open items be greater than a minimum percentage.
  Please confirm. Lots of thanks in advance.
  Regards,
  Mahendra Dev

• MDOP 2013: App-V 5 SP2 Application Publishing and Client Interaction Guide Now Available

  Hello App-V forum users,
  Do you want to understand the details of how App-V publishes and runs applications? See
  this Springboard Series blog post, which describes the newly available App-V 5 SP2 Application Publishing and Client Interaction Guide.
  Enjoy!
  -Tony
  IT Pro Audience Manager for Web Forums

  Hello,
  I am truely confused by how you are attempting to achieve things.
  1. The Office 2013 package is only supported if deployed globally
  2. AppLocker is the way to restrict users from starting different applications
  3. Office 2013 is not supported to be published to users
  It seems you have issues with #3. Which is not supported. I am not saying it "doesn't" work, but considering you have issues with it - perhaps we can start by not doing it?
  Ok, so what do we have left;
  Per your statement, Office 2013 is published globally. Ergo, all shortcuts and applications should be available to all users.
  Is this true?
  Nicke Källén | The Knack| Twitter:
  @Znackattack