topic Yes you are right. in Wireless

Guest Anchor - DMZ firewall rule changes

rahul nair — Mon, 05 Jul 2021 11:15:31 GMT

Hi all ,

I am setting up a Guest anchor at my office.

Now guest wireless internet traffic will be sent out to the internet locally , than using my offshore anchor which was being used till now .

Just to give you guys an idea about the topology ::

This Anchor is connected to the DMZ switch , on a switchport which is put in a DMZ VLAN ( for eg gi 1/0/1 ) .

I have another switchport ( gi 1/0/2-3 ) in the DMZ VLAN which is in turn connected to the DMZ interfaces on my firewall cluster .

Now i have to convey to my Security team , what rules should i have them configured inroder to establish the EOIP tunnel betwwen my Anchor and my Mobility controller.

What changes should i be asking them to make on the Firewall ?

From what i have read and understood :

A. Data - 12222/Control - 12223 - LWAPP

B .Data - 5247/Control - 5246 - CAPWAP

C. Mobility traffic - 16666/16667

Is there anything else necessary for both the controllers to communicate ?

Thanks in advance.

If a firewall is involved,

Sandeep Choudhary — Wed, 18 Nov 2015 07:30:59 GMT

If a firewall is involved, ports 16666 (16667 if using secure mobility) and protocol 97 must be allowed bidirectionally between the IP addresses of the controller management interfaces.

– UDP 16666 for tunnel control traffic

– IP Protocol 97 for user data traffic

Regards

Dont forget to rate helpful posts

Hi Sandeep ,

rahul nair — Wed, 18 Nov 2015 07:38:36 GMT

Hi Sandeep ,

Thanks for the reply .

And apart from this , i think i should be getting a rule created so that both Anchor and Mobility controllers can reach other . Am i right ?

So if my understanding is correct , all guest internet traffic originating from the client , would first hit the AP.

Being a Centrally switched WLAN , then it would hit the foreign controller which will be then tunnelled to the Anchor controller . Then to my internet router.

Am i getting this correct ?

Thanks ,

Rahul.

Yes you are right.

Sandeep Choudhary — Wed, 18 Nov 2015 07:51:47 GMT

Yes you are right.

The Guest traffic, however, is sent to the anchor controller in the DMZ via an Ether IP tunnel, and the anchor controller bridges it to the DMZ network. The network firewall is configured to allow UDP 16666 and Protocol 97 traffic between the two controllers. Because the anchor controller handles client DHCP and authentication, the laptop of the visitor has an IP in the DMZ VLAN range.

Here is the flow:

Client > AP > WLC > Guest WLC > DMZ > Internet

Regards

Dont forget to rate helpful posts

Thanks a lot .

rahul nair — Wed, 18 Nov 2015 07:57:49 GMT

Thanks a lot .

Just to confirm once more , the actual physical flow should be like :

Client > AP > WLC >FW> Guest WLC > DMZ > Internet ?

And all the guest traffic , including DHCP request/ack would be originating from the IP address of the Foreign WLC right ? As the packets' source Ip address?

I am asking this , so that just one rule enabling both WLCs to talk to each other would do the trick.

Lastly is there a final test that i can do from both the WLCs do ensure that is effectively achieved from both the end ? Like a command or something ?

yes you are correct....

Sandeep Choudhary — Wed, 18 Nov 2015 08:20:24 GMT

yes you are correct.... Traffic flow with firewall will be :

Client > AP > WLC >FW> Guest WLC > DMZ > Internet

yes it(DHCP req) will start form forein wlc.

During the anchoring scenario the client’s DHCP is handled by the anchor controller as the client data is tunneled within an EoIP tunnel between the foreign and anchor controllers.

yes you can do the mobilty eping/moing test to ensure that data and control path are up and working:

https://rscciew.wordpress.com/2014/07/10/mobility-configuring-on-wlc/

http://revolutionwifi.blogspot.de/2010/10/auto-anchor-mobility-fundamentals.html

Regards

Dont forget to rate helpful posts

Thanks Sandeep .

rahul nair — Wed, 18 Nov 2015 08:32:18 GMT

Thanks Sandeep .

I think it is clear now !