cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
673
Views
0
Helpful
7
Replies

Anchoring guest traffic

elite2010
Level 3
Level 3

Hi,

If don't want to put anchor controller in DMZ ,how can i anchor guest traffic .

Thanks

7 Replies 7

Brett Verney
Level 1
Level 1

Hi there,

You can anchor guest traffic to any WLC, but the whole point is to seperate guest users from the internal/ciritcal data traffic. It doesn't technically have to be in a DMZ segment, but you would want to install it in a location where the guest clients won't be sharing the infrastructure as your critical data.

I've had clients allocate an entire new Internet Connection, WLC, routers and switches used for guest wireless only.

Brett

Scott Fella
Hall of Fame
Hall of Fame

Just to add to Brett's post. You don't call it anchoring if you are not using a WLC for guest "anchoring".  How you achieve placing traffic depends on your setup which you never mentioned. I say this, because if your using local mode, that is different from if your design is for FlexConnect and then also if your doing MESH.  Tell us more of your design and what you are trying to accomplish and we can help you out better.

-Scott

-Scott
*** Please rate helpful posts ***

Hi,

Thank you for your reply .

"Tell us more of your design and what you are trying to accomplish and we can help you out better."

Guest user should have access to particular web servers  and ofcourse internet (needs to shape traffic).

for some reason some websites are in INSIDE zone . if we need to give access guest users  to the web hosted  at INSIDE ? . Or we should not give access  ?

And dhcp and dns also INSIDE . 

And as you said i am confused now about the anchoring 

What differnce it can make  if mode is flex and MESH

Thanks again 

Are those 'INSIDE' web servers accessible by clients on the Internet via some form of NAT? If so you could anchor the clients in the DMZ and NAT the clients to the servers in the same way. This way you wouldn't have to use internal DNS or DHCP servers. Point your clients to OpenDNS/Google servers for DNS, and use an IOS DHCP server or do it on the anchored WLC.

If your 'guest' SSID is anchored to another WLC, it will no longer be locally switched on the FlexConnect AP.

An AP in Flex + Bridge mode will also still tunnel the 'Guest' SSID to the anchor WLC if you are going for the anchor solution.

Hope this helps,

Brett

Hi,

Thank you for the info . Unfortunately I donā€™t have a wlc to designate as anchored wlc.

I have two wlc which is member of HA  (active ā€“standby mode.)

Thanks again

The Cisco 2504 WLCs now do guest anchoring, and you can pick them up quite cheap.

You can create a guest SSID on the internal WLCs, but it is obviously not as secure. You will be relying on some pretty basic security features to ensure that guests can't access your internal subnets.

If you go down this path, remember to assign an ACL to the interface or WLAN denying ALL traffic to internal subnets, permit traffic to DNS and DHCP, then grant access to the internet (or allow only HTTP/HTTPs for example).

You could also think about disabling LACP on the internal WLCs. This will allow you to map certain SSID's to specified physical ports. You could connect these ports to your DMZ subnet. Again, not usually recommended. However the WLC is not a router and there is no chance of 'bridging' the DMZ and internal networks.

-Brett

Just to add in the Brett's comments.  You should not need to have guest users have access to anything but the internet. If you do, then they are really not guest users and your better off placing them on the inside and using ACL to allow access to certain ip and ports. 

The purpose of an anchor controller is to be able to push guest traffic to another controller without having the traffic touch your inside network. Now you could create a layer 2 subnet that you send to the DMZ if you want, but you will need to extend that layer 2 subnet from the switch the controller is connected, to the DMZ.

-Scott

-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card