
Cisco Guest Access Using WLC with Anchor setup – Release 7.0





    In this document, Cisco TAC engineer Varun Ajmani explains how to configure Wireless Guest Access with an anchor setup on release 7.0.

    The controller provides guest user access on WLANs, for which we can use the foreign/anchor controller setup. The anchor controller can be placed in a demilitarized zone (DMZ) to segregate the guest traffic.

    More Information

    Cisco recommends the use of a controller dedicated to guest traffic. This controller is known as the guest anchor controller.

    The guest anchor controller is usually located in an unsecured network area, often called the demilitarized zone (DMZ). The other internal WLAN controllers, where the traffic originates, are located in the enterprise LAN. An EoIP tunnel is established between the internal WLAN controllers and the guest anchor controller to ensure path isolation of guest traffic from enterprise data traffic. Path isolation is a critical security management feature for guest access. It ensures that security and quality of service (QoS) policies for guest traffic can be kept separate and differentiated from those for corporate or internal traffic.

    An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific guest anchor controller within the network. All traffic—both to and from a mapped WLAN—traverses a static EoIP tunnel that is established between a remote controller and the guest anchor controller.

    Using this technique, all associated guest traffic can be transported transparently across the enterprise network to a guest anchor controller that resides in the unsecured network area.


    Follow the steps below to achieve this:

    1. Create a WLAN on the foreign controller.



    2. Enable the WLAN and set the Layer 2 security to None.





    3. Set the Layer 3 security to Web Policy, which offers several authentication types to choose from. In this document, we will focus on Web Authentication.



    We can set the QoS to Bronze because this is the guest WLAN, although that depends on the requirement. Leave all the options at their defaults.

    4. Set up the same WLAN on the anchor controller. Make sure the config matches exactly with the foreign controller.

    5. Now we need to set up mobility between the two controllers.

    Go to Foreign Controller -> Mobility Management -> Mobility groups

    Add the anchor controller's IP address, burned-in MAC address (which can be checked under Controller -> Inventory) and the Mobility Domain Name.



    Repeat the same procedure to add the foreign controller on the anchor controller. The mobility should come up within a minute.


    6. We need to set up auto anchoring for the SSID we created. Go to WLANs -> guestanchor WLAN, hover over the blue arrow on the right and click Mobility Anchors.



    The anchor controller's IP should appear in the Switch IP Address (Anchor) drop-down. Select it and click Mobility Anchor Create.

    On the anchor controller, go to the same option under the SSID and add local for auto anchoring.






    7. If we want to use the anchor controller as the DHCP server, we can create a DHCP scope under Controller -> Internal DHCP Server -> DHCP Scope.

    Once that is done, verify the following settings:

    • The DHCP server under the management interface, or under the interface selected for the guest anchor WLAN, is set to the anchor controller's IP address.

    • DHCP proxy is enabled under Controller -> Advanced.

    8. Create a user under Security -> Local Net Users.




    9. We can use the internal, external or customized web auth page.




    10. Now we’re done with the config and are ready to test the client.




    Connect to the guestanchor WLAN

    Once you get an IP address, open a browser and type

    Please note that is the Virtual interface IP address and if you have the correct DNS entry in the DHCP server, you should be redirected to the login page



    Enter the credentials and you should see the auth successful page.
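
    The consistency checks implied by steps 2 to 6, as an added example that is not part of the original document or any Cisco tooling: a Python audit that flags a WLAN mismatch, a missing mobility entry or a wrong anchor mapping. The controller records, field names, IP and MAC addresses are constructed placeholders, not WLC output.

```python
# Added example: audit a foreign/anchor controller pair against steps 2-6.
# The records are constructed samples; field names are hypothetical, not WLC output.
FOREIGN = {
    "name": "foreign", "mgmt_ip": "10.10.10.5", "mac": "00:11:22:33:44:01",
    "mobility_group": "guestdomain",
    "members": {"10.10.50.5": ("00:11:22:33:44:02", "guestdomain")},
    "wlan": {"ssid": "guestanchor", "enabled": True, "l2": "none",
             "l3": "web-auth", "qos": "bronze"},
    "anchors": ["10.10.50.5"],   # step 6: points at the anchor controller
}
ANCHOR = {
    "name": "anchor", "mgmt_ip": "10.10.50.5", "mac": "00:11:22:33:44:02",
    "mobility_group": "guestdomain",
    "members": {"10.10.10.5": ("00:11:22:33:44:01", "guestdomain")},
    "wlan": {"ssid": "guestanchor", "enabled": True, "l2": "none",
             "l3": "web-auth", "qos": "bronze"},
    "anchors": ["local"],        # step 6: the anchor terminates the WLAN itself
}


def audit(foreign, anchor):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    # Step 4: the WLAN must match exactly on both controllers.
    for key in sorted(set(foreign["wlan"]) | set(anchor["wlan"])):
        f, a = foreign["wlan"].get(key), anchor["wlan"].get(key)
        if f != a:
            findings.append(f"wlan.{key} differs: foreign={f!r} anchor={a!r}")
    # Steps 2-3: Layer 2 security None, Layer 3 web authentication.
    for ctrl in (foreign, anchor):
        wlan = ctrl["wlan"]
        if wlan.get("l2") != "none" or wlan.get("l3") != "web-auth":
            findings.append(f"{ctrl['name']}: WLAN is not L2 none + L3 web-auth")
    # Step 5: each side lists the peer's IP, MAC and mobility domain name.
    for me, peer in ((foreign, anchor), (anchor, foreign)):
        expected = (peer["mac"], peer["mobility_group"])
        if me["members"].get(peer["mgmt_ip"]) != expected:
            findings.append(f"{me['name']}: mobility entry for {peer['name']} missing or wrong")
    # Step 6: foreign maps the WLAN to the anchor; the anchor maps it to local.
    if foreign["anchors"] != [anchor["mgmt_ip"]]:
        findings.append("foreign: WLAN is not anchored to the anchor controller")
    if anchor["anchors"] != ["local"]:
        findings.append("anchor: WLAN mobility anchor is not 'local'")
    return findings


if __name__ == "__main__":
    for line in audit(FOREIGN, ANCHOR) or ["pair is consistent"]:
        print(line)
```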




    Total throughput and client limitations per guest anchor controller are as follows:

    • Cisco 2504 Wireless LAN Controller – 4 * 1 Gbps interfaces and 1000 guest clients
    • Cisco 5508 Wireless LAN Controller (WLC) – 8 Gbps and 7,000 guest clients
    • Cisco Catalyst 6500 Series Wireless Services Module (WiSM-2) – 20 Gbps and 15,000 clients
    • Cisco 8500 Wireless LAN Controller (WLC) – 10 Gbps and 64,000 clients

    Note: Cisco 7500 WLCs cannot be configured as a guest anchor controller.


    Additional Information

    Wireless Guest Access FAQ

    Deployment Guide: Cisco Guest Access Using the Cisco Wireless LAN Controller



    I am very new to Cisco Wireless controllers.

    We can do the guest configuration with mobility anchor in a single standalone wireless controller.

    We have a standalone Cisco 2504 WLC and 9 AIR-AP3702i-UXK9 units, and we want to configure the mobility anchor for guest users.

    Is that possible? If yes, please guide me to a link to check the configuration.

    Your help will be grateful for me.



    Hall of Fame Master

    Mobility anchor is only used if you have more than one controller. If you only have one 2504, then you will not be using this feature. You will just need to create your guest portal in that 2504.


    *** Please rate helpful posts ***


    Q1- If I use the 5520 controller, do I need to order an AP license or just the AIR-CT5520-K9 SKU?

    Q2- If I want to use the CMX capabilities in this scenario, which controller will be responsible for communicating with CMX? The anchor controller or the foreign?




    Thanks for the information.



    Hi Scot,

    Can I create a mobility anchor between a Cisco 5500 WLC and a 2504 controller? I already have a 5500 in the network and would like to add a 2504 as a guest. Would I need downtime or a reboot?

    Hall of Fame Master

    As long as the 2504 is on v7.4 or later, it can be used as an anchor. Now you need to look at the capabilities of the 2504 and make sure that you are not going to hit the max users the 2504 supports, as that would be the limitation of using a 2504 vs a 55xx.



    Hi Scott,

    Thanks for getting back on the same.

    I have a 5500 in the production setup using subnets and have APs in place associated with this subnet. I have another network within the company using We have a new requirement wherein a team wants the to be used via the existing AP with another SSID. So we decided to go ahead with Anchor mobility controller. What factors should I take into account before proceeding?

    Thanks for your help in advance.

    Community Member

    Hello Vinay,

    Thank you, very informative document. Question: can the guest anchor provide Internet access to guests through an open wireless SSID, with web authentication access control for single users and group users (like a classroom)?

    Thank you!
