Question - Guest in the DMZ

creserva1 (Level 1)

We are still testing our Guest services, which are directly connected to the DMZ:

 

Employee laptop wireless to SSID Employee VLAN998 AP -> SW -> FW -> ISP1 -> Internet

Employee laptop wired to VLAN997 -> SW -> FW -> ISP1 -> Internet

Guest laptop wireless connecting to SSID Guest VLAN999 AP -> SW -> FWvirtual -> ISP2 -> Internet

Guest laptop wired connecting to VLAN999 -> SW -> FW -> ISP -> Internet2

 

Is it recommended to use Foreign and Anchor controllers to encapsulate the frames using a CAPWAP mobility tunnel and drop them off in the DMZ zone?

 

2 Replies

Hi,

It depends on the design. An anchor controller is a flexible, easy-to-implement method for deploying wireless guest access using Ethernet in IP within a centralized architecture. Ethernet in IP is used to create a tunnel across a Layer 3 topology between two WLC endpoints. The benefit of this approach is that no additional protocols or segmentation techniques must be implemented to isolate guest traffic from the enterprise.

The anchor controller is responsible for terminating EoIP tunnels that originate from other campus WLCs (foreign) throughout the network. These "foreign" controllers are responsible for termination, management, and standard operation of the various WLANs provisioned throughout the enterprise, including one or more guest WLANs. Guest WLANs, instead of being switched locally to a corresponding VLAN, are instead transported via an EoIP tunnel to the anchor controller. Specifically, guest WLAN data frames are encapsulated using LWAPP from the AP to the foreign controller and then encapsulated in EoIP from the foreign WLC to a guest VLAN defined on the anchor WLC. In this way, guest user traffic is forwarded to the Internet transparently, with no visibility by, or interaction with, other traffic in the enterprise.

 

You can refer to this link for more info: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob41dg/emob41dg-wrapper/ch10GuAc.html

-Aravind

paul (Level 10)

If your WLCs are located in the same location as the DMZs and you can make the DMZ VLANs present on the LAG connection to your WLC, there is no need for an anchor controller. I personally prefer not to use an anchor controller unless I have to. Having all the VLANs present on the WLC the client is connecting to gives you the full range of options to do interface/VLAN moves when clients connect to any SSID.
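As an added example that is not part of either reply or of the Cisco design guide, here are the AireOS CLI steps for the two designs discussed above: Aravind's foreign/anchor tunnel to a DMZ controller, and Paul's alternative of trunking the DMZ guest VLAN straight to the WLC the clients associate to. VLAN 999 is the poster's guest VLAN; everything else (the management IPs and MACs, WLAN ID 5, the interface name guest-dmz, the mobility group name CAMPUS) is an assumption chosen for illustration. Lines starting with "!" are annotations, not CLI.

```text
! ===== Option A: foreign WLC on the campus, anchor WLC in the DMZ =====
! Assumed addresses (illustrative only):
!   foreign mgmt 10.10.0.5    MAC 00:11:22:33:44:55
!   anchor  mgmt 172.16.99.5  MAC 66:77:88:99:aa:bb
! WLAN 5 (the guest SSID) must already exist on BOTH controllers with the
! same SSID and security settings; only the egress interface differs.

! --- on the FOREIGN controller ---
config mobility group domain CAMPUS
config mobility group member add 66:77:88:99:aa:bb 172.16.99.5 CAMPUS
config wlan disable 5
config wlan mobility anchor add 5 172.16.99.5
config wlan enable 5

! --- on the ANCHOR controller (in the DMZ) ---
config mobility group domain CAMPUS
config mobility group member add 00:11:22:33:44:55 10.10.0.5 CAMPUS
config interface create guest-dmz 999
! (dynamic-interface IP address, gateway and DHCP settings for guest-dmz
!  are site specific and not shown here)
config wlan disable 5
config wlan interface 5 guest-dmz
config wlan mobility anchor add 5 172.16.99.5
! the anchor names itself as the anchor for WLAN 5
config wlan enable 5

! --- firewall between foreign and anchor management IPs (both directions) ---
! UDP 16666   : mobility control messages
! IP proto 97 : EoIP, carries the tunnelled guest client frames
! With the newer CAPWAP-based mobility the data path is UDP 16667 instead of EoIP.
! Nothing else from the guest VLAN needs to reach the inside network.

! --- verification (run on the foreign) ---
show mobility summary
! peer 172.16.99.5 should show control/data path "Up"
show mobility anchor
! WLAN 5 should list 172.16.99.5 with status UP
mping 172.16.99.5
! control-path test over UDP 16666
eping 172.16.99.5
! data-path test over EoIP (IP proto 97)

! ===== Option B: no anchor, DMZ guest VLAN trunked to the serving WLC =====
! The WLC's LAG/port must carry VLAN 999 from the DMZ switch, and the guest
! subnet's default gateway stays on the DMZ side of the firewall.
config interface create guest-dmz 999
config wlan disable 5
config wlan interface 5 guest-dmz
config wlan enable 5
```

The security trade-off between the two is where the guest VLAN is allowed to exist: in Option A it is present only on the anchor's trunk inside the DMZ and the inside firewall only needs the two mobility flows between controller management addresses; in Option B VLAN 999 has to be extended across the campus switching to the WLC's LAG, so its isolation then depends on that trunk and on no inside SVI ever being created for it.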