Hello George,

this was exactely what i was looking for. thanks a lot

Alex

Hi George, i think i got some new issues now.

i configured an WLAN via NCS and deployed it to the WLC in the inside network and the WLC in my DMZ. My client sees the SSID and get successfully authenticated, it just doesn't an IP address. I can see in the logs of the WLC in the DMZ that it sends a DHCP discover message to my DHCP server.

I thought it tunnels the request and sends it to the wlc in the inside network, from there the request is sent to the DHCP server. Does it means also i have to enable all data traffic from the WLC in the DMZ to the inside network?

Maybe i understand the concept of the anchor wrong?

And another strange behaviour is that my internal antennas are sending traffic on port upd/5246 to the controller in the DMZ although they not supposed to send data to the DMZ WLC.

thanks

Alex

Hi Scott, in this scenario which one is the foreign wlc?

thanks

It's reversed. So the DMZ WLAN anchors to the inside WLC and the inside WLC WLAN anchors to itself.

Sent from Cisco Technical Support iPhone App

Hi Scott,

you mentioned reverse anchor is not supported any more in threat https://supportforums.cisco.com/thread/2186736

regards

Alex

Reverse anchor is one way if doing it. I think what Scott means is you can't drive the wired traffic back into the foreign wlc ..

Let's step back for a moment. You have a oe ap deployed. That ap phones home to a anchor wlc in the DMZ.

You can either drop the traffic right there in the DMZ and police it back into the network. Or you can anchor that WLAN to the inside controller also called the foreign controller. In this design the traffic hits the DMZ controller and then passed through to the foreign via anchoring ..

The reverse anchor simple means you are pushing the traffic by anchoring the WLAN to the inside controller. It's the opposite of what you would do for a guest WLAN.

Make sense so far ?

Me, I drop my oe traffic in the DMZ ..

Sent from Cisco Technical Support iPhone App

Hi George, i am still struggeling with my wireless lan segements. I'd like to send client data from the oe ap through the firewall to the foreign controller (in my inside lan) before it is sent to the final destination in my LAN segments. I think thats the reverse achor scenaria.

i already configured a default mobility group on the foreign controller called wifi and on the anchor i have the default mobility group oeap.

then i configured on the foreign controller a new mobility group named oeap with the ip address of the controller in the dmz

and on the controller in the dmz i configured a new mobility group name wifi with name wifi and the ip address of controller inside.

is this correct?

regards

Alex

Hello Scott,

i finally could make it run. I missed the blue square anchor thing. It's working fine for my wireless. No chance to get the wired lan up and running with the wlc in the dmz. It's quite disapointing, have to get now wireless phones instead of wired ones.

anyways thanks a lot, you guys helped me a lot, so i can fly to Cisco Live without headache

regards

Alex

You can drop the wired traffic in the DMZ. This is what I do .. If you do use wireless see my blog post about OE and cisco phones...

https://supportforums.cisco.com/community/netpro/wireless-mobility/wireless-voice-video/blog/2013/02/26/bug-csctn75346-7925-phone-loses-5-ghz-connection-intermittently-with-oeap600

Going to Live ? I will be presenting with Cisco on 802.11ac on Tuesday. Stop by and say Hi .. Scott will be there as well. Steve is still up in the air ..

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."