Solved: Re: Wireless DMZ with foreign wlc -> EoIP -> anchor wlc

Gandeleg.G · ‎02-01-2013

Hi,

We are trying to setup a a segregated DMZ wireless network.

I've attached a simple topology to illustrate. So we have foreign controller and anchor controller. Firewall ports UDP16666,16667 and IP97 have been enabled and EoIP tunnel itself is up.

The client is also able to connect to the TEST ssid and obtain IP address from the DHCP server. But the client can't reach the gateway or any other network. The client's gateway is the firewall where the Anchor is connected.

Does anyone have experience setting up EoIP tunnels and DMZ wireless? What could be the issue?

I've been reading the Cisco guide and searching all over the internet without any success.

Any help will be appreciated.

Regards,

Delgee

Scott Fella · ‎02-01-2013

Yes it terminates in your interface in the DMZ. Is your dhcp handing out address with internal dns servers or external. The easiest way to test is to connect your laptop to the same vlan the guest wireless users are connecting on the DMZ switch. See if you have Internet or not. This eliminates the wireless side.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

View solution in original post

Scott Fella · ‎02-01-2013

Doesn't look like your tunnel
Is working. If you didn't open up dhcp from the DMZ to the dhcp server and back, the clients should not be able to get a dhcp address. Look to make sure the mobility is up between the foreign and the anchor. Also you should see the client on both the foreign and the anchor. The WLAN SDID's also need to be exactly the same for e caption of the interface and you need to anchor the foreign SSID to the anchor wlc and the anchor wlc SSID to itself.

Review this doc as it e plains what needs to be done on both WLCs

http://www.cisco.com/en/US/docs/wireless/technology/guest_access/technical/reference/4.1/GAccess_41.html

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Gandeleg.G · ‎02-01-2013

The tunnel is up, I've enabled DHCP traffic between the DMZ subnet and the DHCP server on the firewalls that sit between them. The client is able to obtain IP address from the DHCP server and connect to the wireless network.

Also the client is shown on both the foreign and anchor controllers. The mobility says up, both data and control path.

I'm just wondering how the traffic actually terminates after reaching the anchor wlc through the eoip tunnel. My understanding is that it is supposed to terminate directly to the interface specified under the WLAN but I'm sure.

Scott Fella · ‎02-01-2013

Yes it terminates in your interface in the DMZ. Is your dhcp handing out address with internal dns servers or external. The easiest way to test is to connect your laptop to the same vlan the guest wireless users are connecting on the DMZ switch. See if you have Internet or not. This eliminates the wireless side.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Gandeleg.G · ‎02-03-2013

Thanks, I'll test that and see how it goes.

I'm thinking of doing some packet capture on the wireless client, any advise you can provide?

Regards,

Delgee

Gandeleg.G · ‎02-06-2013

The problem has been fixed.

May be useful tonpeople who have same issue - the configuration and setup was perfectly fine and only the client couldn't access the network. The problem was with the Anchor WLC. Rebooting the anchor wlc fixed the problem.

It seems after mobility anchor settings are configured, the wlc (only anchor, not foreign) need to be rebooted.

Delgee

Sent from Cisco Technical Support iPhone App

Scott Fella · ‎02-06-2013

Thanks for the fololow up... this will help other who have ran into the same issue as you.

Thanks,

Scott

Help out other by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***