New mobility IP assignment

Subash Sharma

Dear Forum Members,

Apologies if I am asking a foolish question. I have no prior experience in new mobility architecture. I am working on a design which includes the following.

3 x 3850 (acting as MA)

1 x 5508 (acting as MC) - Foreign Controller

1 x 5508 (acting as Guest Anchor)

We need to have 2 VLANs, one for guest access and the other for staff access. I am planning the VLAN & IP address assignment and I am confused with new mobility. Please correct me if my understanding below is wrong.

At 3850, I need to create 2 VLANs

vlan 1 - staff ssid

vlan 2 - wifi Mgmt

At Foreign controller side (i.e MC)

vlan 1 - staff ssid

vlan 2 - wifi mgmt

At Guest anchor controller,

vlan 3 - guest ssid

vlan 2 - wifi mgmt.

Please correct me if my understanding is wrong. I guess that the guest VLAN would work the same as in centralized access, in which all the VLAN traffic is encrypted back to the guest anchor. So I do not need to create that VLAN in switch/MC.

Also, does this Mgmt VLAN need to be L2? The guest anchor would be in DMZ and so it wouldn't be on the same VLAN as the foreign controller.

Please help if you can provide some inputs. There is no lab facility for me to test.

Thanks and regards,

dathan


Hi

I would suggest a few things here.

Do not use 5508 as MC; going forward, from 8.1 onward, this functionality is not supported in AireOS controllers. See below.

http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn81.html

  • With Release 8.1 in a New Mobility environment, Cisco WLCs running Cisco Wireless software cannot function as mobility controllers (MC). However, the Cisco WLCs can function as guest anchors.

Here are the answers to the other queries.

"does this Mgmt vlan needs to be L2? the guest anchor would be in DMZ and so it wouldnt be on the same vlan as foreign controller."

No, two WLCs can have different management VLANs.

"I guess, that the guest vlan would work the same as in centralized access in which all the vlan traffic is encrypted back to the guest anchor. so i do not need to create that vlan in switch/ MC."

MC is the one peering with Guest Anchor, so MC is required to have the Guest WLAN created. Refer below.

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/117742-configure-wlc-00.html

HTH

Rasika

*** Pls rate all useful responses ***

Thank you Rasika for your detailed response.

So, do I need to create an SVI for the guest VLAN in the 3850 MA? I know that we need to have the SVI for the staff VLAN since the 3850 terminates the CAPWAP.

I assume the SSID <-> interface/VLAN mapping for the guest SSID happens in the guest anchor. In MC and MA, I can map the guest SSID to the management interface.

Please correct me if my understanding is wrong. Thanks a lot in advance.

Regards,

dathan

"So, do i need to create SVI for guest vlan in the 3850 MA? I know that we need to have the SVI for staff vlan since the 3850 terminates the CAPWAP."

The SVI needs to be defined on your L3 switch, not on all MA switches. The MA will simply terminate CAPWAP & hand over traffic as L2 in the respective VLAN. All your wireless user VLANs need to exist on the MA switches; the L3 SVI can be on a different switch.

Regarding Guest, you can map this to a dummy VLAN in your MA switches. Something similar to this:

wlan Guest 20 Guest
 aaa-override
 band-select
 client vlan <dummy_vlan_name/number>
 ip dhcp required
 mobility anchor <Guest_Anchor_Mgmt_IP>
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security ft over-the-ds
 security web-auth
 security web-auth authentication-list default
 session-timeout 14400
 no shutdown

I think in MC, you may not require SSID configuration; simply MC & GA need to be in the mobility list.

HTH

Rasika

*** Pls rate all useful responses ***
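
An added example, not part of Rasika's post or any Cisco tooling: a small Python audit of an MA running-config fragment that checks every web-auth WLAN carries a `mobility anchor` line and that its client VLAN has no SVI on the switch. Reading "dummy VLAN" as "a VLAN with no IP interface on the MA" is an assumption; the sample config, VLAN numbers and the 192.0.2.10 anchor address are constructed.

```python
import re

# Constructed MA config fragment (not from the thread); all values are illustrative.
SAMPLE_CONFIG = """\
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan999
 no ip address
!
wlan Guest 20 Guest
 client vlan 999
 mobility anchor 192.0.2.10
 security web-auth
"""

def parse_blocks(config):
    """Group indented sub-commands under their top-level command line."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def audit_guest_wlans(config):
    """Return findings for web-auth WLANs that are not cleanly anchored."""
    blocks = parse_blocks(config)
    # VLANs with a routed SVI: an 'ip address' line that is not negated.
    routed = set()
    for head, body in blocks.items():
        m = re.fullmatch(r"interface Vlan(\d+)", head)
        if m and any(cmd.startswith("ip address ") for cmd in body):
            routed.add(m.group(1))
    findings = []
    for head, body in blocks.items():
        if not head.startswith("wlan ") or "security web-auth" not in body:
            continue
        name = head.split()[1]
        if not any(cmd.startswith("mobility anchor ") for cmd in body):
            findings.append(f"{name}: no mobility anchor configured")
        vlan = next((c.split()[2] for c in body if c.startswith("client vlan ")), None)
        if vlan in routed:
            findings.append(f"{name}: client vlan {vlan} has an SVI on this switch")
    return findings
```

Only numeric client VLANs are matched against SVIs; a WLAN mapped by VLAN name would need the name resolved to its number first.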

Hi Rasika,

Thanks a lot for your valued responses. Your advice really helped me a lot.

Regards,

dathan
