06-11-2013 09:35 AM - edited 07-04-2021 12:13 AM
Hello,
I have a couple of questions regarding an OfficeExtend deployment. We have an existing WLC 5508 with 30 access points; now we'd like to deploy 3 office extend antennas in home offices, to provide the same SSID as in the main office. We got a WLC 2504, which I think is best placed in the DMZ. I read I have to open the ports udp/5246 and udp/5247 on the outside firewall in the direction of the DMZ. What ports do I have to open from the DMZ to my inside network?
When I configure the WLC 2504 as an anchor controller, is all the traffic then sent first to the internal controller? If so, which ports are involved?
Thanks in advance
Alex
06-11-2013 10:21 AM
Hi Alex
I would get up to speed by reading the OE config guide
http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml
I also created a quick cheat sheet here:
Keep in mind, you don't need all those ports open. You can anchor the traffic to the inside controllers (foreign) and provide the security there. I drop mine in the DMZ.
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
06-17-2013 06:41 AM
Yes, it does. Confirm by looking at the mobility tunnels: are they "up"?
You then need to go into the anchor controller and select WLANs. Next to your OE WLAN there is a blue box; you then select anchor and then select the inside controller.
You need to do the same on your inside controller. Select the WLAN and then anchor to itself (local) ..
Did you do that ?
Sent from Cisco Technical Support iPhone App
06-15-2013 01:47 AM
Hello George,
this was exactly what I was looking for. Thanks a lot
Alex
06-16-2013 04:10 PM
Good deal .. Stop back if you have issues ..
Sent from Cisco Technical Support iPhone App
06-17-2013 04:05 AM
Hi George, i think i got some new issues now.
I configured a WLAN via NCS and deployed it to the WLC in the inside network and the WLC in my DMZ. My client sees the SSID and gets successfully authenticated, it just doesn't get an IP address. I can see in the logs of the WLC in the DMZ that it sends a DHCP discover message to my DHCP server.
I thought it tunnels the request and sends it to the WLC in the inside network, and from there the request is sent to the DHCP server. Does it also mean I have to enable all data traffic from the WLC in the DMZ to the inside network?
Maybe I understand the concept of the anchor wrong?
And another strange behaviour is that my internal antennas are sending traffic on port udp/5246 to the controller in the DMZ, although they are not supposed to send data to the DMZ WLC.
thanks
Alex
06-17-2013 04:32 AM
You need to create a reverse anchor. So from the DMZ WLC, the WLAN should anchor to the foreign WLC, and the foreign WLC WLAN should anchor to itself. The WLANs also need to match identically except for the interface they are mapped to.
Sent from Cisco Technical Support iPhone App
06-17-2013 04:40 AM
Hi Scott, in this scenario which one is the foreign WLC?
thanks
06-17-2013 04:44 AM
It's reversed. So the DMZ WLAN anchors to the inside WLC and the inside WLC WLAN anchors to itself.
Sent from Cisco Technical Support iPhone App
06-17-2013 04:45 AM
Hi Scott,
you mentioned reverse anchor is not supported any more in thread https://supportforums.cisco.com/thread/2186736
regards
Alex
06-17-2013 05:50 AM
Reverse anchor is one way of doing it. I think what Scott means is you can't drive the wired traffic back into the foreign WLC ..
Let's step back for a moment. You have an OE AP deployed. That AP phones home to an anchor WLC in the DMZ.
You can either drop the traffic right there in the DMZ and police it back into the network. Or you can anchor that WLAN to the inside controller, also called the foreign controller. In this design the traffic hits the DMZ controller and is then passed through to the foreign via anchoring ..
The reverse anchor simply means you are pushing the traffic by anchoring the WLAN to the inside controller. It's the opposite of what you would do for a guest WLAN.
Make sense so far ?
Me, I drop my oe traffic in the DMZ ..
Sent from Cisco Technical Support iPhone App
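The replies above spell out the reverse-anchor rules in words: the DMZ (anchor) WLC's WLAN anchors to the inside (foreign) WLC, the inside WLC's WLAN anchors to itself, each controller carries a mobility-group entry for the other, and the WLAN definitions must match except for the mapped interface. The following script is an added example, not code from the thread or from Cisco, that turns those rules into a configuration consistency check. The controller names, management IPs (TEST-NET ranges), mobility group names and WLAN settings are constructed sample data modelled on the thread; the `Wlc` dataclass is a hypothetical stand-in for whatever the controller configuration is exported from.

```python
"""Reverse-anchor (OfficeExtend) WLAN consistency check.

Added example, not from the thread or from Cisco. It encodes the rules the
replies state: the DMZ (anchor) WLC's WLAN anchors to the inside (foreign) WLC,
the inside WLC's WLAN anchors to itself, each controller has a mobility-group
entry pointing at the other, and the WLAN settings must match exactly except
for the interface they map to. All controller data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# WLAN keys allowed to differ between the two controllers.
IGNORED_KEYS = {"interface"}
LOCAL = "local"  # marker meaning "anchored to itself"


@dataclass
class Wlc:
    """Hypothetical, simplified view of one controller's relevant config."""
    name: str
    mgmt_ip: str
    mobility_group: str
    mobility_peers: dict[str, str] = field(default_factory=dict)  # peer IP -> peer group
    wlans: dict[str, dict[str, str]] = field(default_factory=dict)  # profile -> settings
    anchors: dict[str, list[str]] = field(default_factory=dict)  # profile -> anchor list


def wlan_mismatches(a: dict[str, str], b: dict[str, str]) -> list[str]:
    """Return setting names that differ, ignoring the mapped interface."""
    keys = (set(a) | set(b)) - IGNORED_KEYS
    return sorted(k for k in keys if a.get(k) != b.get(k))


def check_reverse_anchor(dmz: Wlc, inside: Wlc, profile: str) -> list[str]:
    """Return a list of problems; an empty list means the pair is consistent."""
    problems: list[str] = []

    # Mobility: each WLC must list the other under the other's group name.
    if dmz.mobility_peers.get(inside.mgmt_ip) != inside.mobility_group:
        problems.append(f"{dmz.name}: no mobility entry for {inside.mgmt_ip} "
                        f"in group {inside.mobility_group}")
    if inside.mobility_peers.get(dmz.mgmt_ip) != dmz.mobility_group:
        problems.append(f"{inside.name}: no mobility entry for {dmz.mgmt_ip} "
                        f"in group {dmz.mobility_group}")

    # The WLAN must exist on both controllers before anything else is checked.
    if profile not in dmz.wlans or profile not in inside.wlans:
        problems.append(f"WLAN {profile} missing on one controller")
        return problems

    for key in wlan_mismatches(dmz.wlans[profile], inside.wlans[profile]):
        problems.append(f"WLAN {profile}: setting '{key}' differs between controllers")

    # Reverse anchor: DMZ WLAN -> inside WLC; inside WLAN -> itself.
    if dmz.anchors.get(profile) != [inside.mgmt_ip]:
        problems.append(f"{dmz.name}: WLAN {profile} must anchor only to {inside.mgmt_ip}")
    if inside.anchors.get(profile) != [LOCAL]:
        problems.append(f"{inside.name}: WLAN {profile} must anchor to itself")
    return problems


def build_sample(inside_self_anchor: bool = True) -> tuple[Wlc, Wlc]:
    """Constructed sample pair; the flag toggles the self-anchor step that is easy to miss."""
    wlan = {"ssid": "corp", "security": "wpa2-aes-802.1x", "interface": "dmz-oeap"}
    dmz = Wlc("wlc2504-dmz", "192.0.2.10", "oeap",
              mobility_peers={"198.51.100.10": "wifi"},
              wlans={"oeap-corp": wlan},
              anchors={"oeap-corp": ["198.51.100.10"]})
    inside = Wlc("wlc5508-inside", "198.51.100.10", "wifi",
                 mobility_peers={"192.0.2.10": "oeap"},
                 wlans={"oeap-corp": {**wlan, "interface": "employee-vlan"}},
                 anchors={"oeap-corp": [LOCAL] if inside_self_anchor else []})
    return dmz, inside


if __name__ == "__main__":
    for flag in (True, False):
        dmz, inside = build_sample(flag)
        report = check_reverse_anchor(dmz, inside, "oeap-corp")
        print("OK" if not report else "\n".join(report))
```

Running it prints `OK` for the complete configuration and a single finding for the second sample, where the inside WLAN was never anchored to itself, which is the step the thread's original poster reports having missed.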
06-17-2013 06:29 AM
Hi George, I am still struggling with my wireless LAN segments. I'd like to send client data from the OE AP through the firewall to the foreign controller (in my inside LAN) before it is sent to the final destination in my LAN segments. I think that's the reverse anchor scenario.
I already configured a default mobility group on the foreign controller called wifi, and on the anchor I have the default mobility group oeap.
Then I configured on the foreign controller a new mobility group named oeap with the IP address of the controller in the DMZ,
and on the controller in the DMZ I configured a new mobility group named wifi with the IP address of the controller inside.
is this correct?
regards
Alex
06-17-2013 06:19 AM
Wireless WLANs you can anchor to the inside; wired from the OEAP600 you can't anchor. So depending on whether you also want to use the wired port on the OEAP600, you would need your OEAP600 to join your inside WLCs.
Sent from Cisco Technical Support iPhone App
06-17-2013 09:02 AM
Hello Scott,
I finally could make it run. I missed the blue square anchor thing. It's working fine for my wireless. No chance to get the wired LAN up and running with the WLC in the DMZ. It's quite disappointing, I have to get wireless phones now instead of wired ones.
Anyways, thanks a lot, you guys helped me a lot, so I can fly to Cisco Live without a headache
regards
Alex
06-17-2013 09:17 AM
You can drop the wired traffic in the DMZ. This is what I do .. If you do use wireless, see my blog post about OE and Cisco phones...
Going to Live ? I will be presenting with Cisco on 802.11ac on Tuesday. Stop by and say Hi .. Scott will be there as well. Steve is still up in the air ..
__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."