11-22-2015 10:27 PM - edited 07-05-2021 04:17 AM
Hi,
If I don't want to put the anchor controller in the DMZ, how can I anchor guest traffic?
Thanks
11-29-2015 08:07 PM
Hi there,
You can anchor guest traffic to any WLC, but the whole point is to separate guest users from the internal/critical data traffic. It doesn't technically have to be in a DMZ segment, but you would want to install it in a location where the guest clients won't be sharing the same infrastructure as your critical data.
I've had clients allocate an entire new Internet Connection, WLC, routers and switches used for guest wireless only.
Brett
11-29-2015 10:50 PM
Just to add to Brett's post. You don't call it anchoring if you are not using a WLC for guest "anchoring". How you achieve placing traffic depends on your setup, which you never mentioned. I say this because if you're using local mode, that is different from if your design is for FlexConnect, and then also if you're doing MESH. Tell us more of your design and what you are trying to accomplish and we can help you out better.
-Scott
11-30-2015 06:31 PM
Hi,
Thank you for your reply.
"Tell us more of your design and what you are trying to accomplish and we can help you out better."
Guest users should have access to particular web servers and of course the internet (needs to shape traffic).
For some reason some websites are in the INSIDE zone. Do we need to give guest users access to the web servers hosted INSIDE? Or should we not give access?
And DHCP and DNS are also INSIDE.
And as you said, I am confused now about the anchoring.
What difference can it make if the mode is Flex or MESH?
Thanks again
11-30-2015 09:21 PM
Are those 'INSIDE' web servers accessible by clients on the Internet via some form of NAT? If so you could anchor the clients in the DMZ and NAT the clients to the servers in the same way. This way you wouldn't have to use internal DNS or DHCP servers. Point your clients to OpenDNS/Google servers for DNS, and use an IOS DHCP server or do it on the anchored WLC.
If your 'guest' SSID is anchored to another WLC, it will no longer be locally switched on the FlexConnect AP.
An AP in Flex + Bridge mode will also still tunnel the 'Guest' SSID to the anchor WLC if you are going for the anchor solution.
Hope this helps,
Brett
11-30-2015 09:58 PM
Hi,
Thank you for the info. Unfortunately I don't have a WLC to designate as the anchor WLC.
I have two WLCs which are members of an HA pair (active/standby mode).
Thanks again
11-30-2015 10:41 PM
The Cisco 2504 WLCs now do guest anchoring, and you can pick them up quite cheap.
You can create a guest SSID on the internal WLCs, but it is obviously not as secure. You will be relying on some pretty basic security features to ensure that guests can't access your internal subnets.
If you go down this path, remember to assign an ACL to the interface or WLAN denying ALL traffic to internal subnets, permit traffic to DNS and DHCP, then grant access to the internet (or allow only HTTP/HTTPS, for example).
You could also think about disabling LACP on the internal WLCs. This will allow you to map certain SSIDs to specified physical ports. You could connect these ports to your DMZ subnet. Again, not usually recommended. However, the WLC is not a router and there is no chance of 'bridging' the DMZ and internal networks.
-Brett
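As an added illustration of the guest ACL Brett describes (this is not from the original thread and not taken from any Cisco document), here is an AireOS-style ACL in the order the controller evaluates it, with the deny-to-internal rules placed above the internet permit. The internal range 10.0.0.0/8, the inside resolver 10.1.1.10 and WLAN ID 2 are placeholder assumptions, and lines starting with `!` are annotations rather than commands.

```cisco
! AireOS ACLs are evaluated by rule index, first match wins, implicit deny at the end.
! Placeholders (assumed, not from the thread): 10.0.0.0/8 = internal space,
! 10.1.1.10 = inside DNS server, WLAN ID 2 = the guest SSID.
! Direction "in" = from the wireless client toward the wired side, "out" = toward the client.
config acl create GUEST-ACL

! 1-2: DNS only to the one inside resolver (UDP/53), plus its replies.
config acl rule add GUEST-ACL 1
config acl rule protocol GUEST-ACL 1 17
config acl rule destination address GUEST-ACL 1 10.1.1.10 255.255.255.255
config acl rule destination port range GUEST-ACL 1 53 53
config acl rule direction GUEST-ACL 1 in
config acl rule action GUEST-ACL 1 permit
config acl rule add GUEST-ACL 2
config acl rule protocol GUEST-ACL 2 17
config acl rule source address GUEST-ACL 2 10.1.1.10 255.255.255.255
config acl rule source port range GUEST-ACL 2 53 53
config acl rule direction GUEST-ACL 2 out
config acl rule action GUEST-ACL 2 permit

! 3: DHCP (UDP/67-68) in both directions.
config acl rule add GUEST-ACL 3
config acl rule protocol GUEST-ACL 3 17
config acl rule destination port range GUEST-ACL 3 67 68
config acl rule direction GUEST-ACL 3 any
config acl rule action GUEST-ACL 3 permit

! 4-5: everything else to or from the internal range is denied. These MUST sit above
! the internet permit; otherwise rule 6 would match inside hosts as well.
config acl rule add GUEST-ACL 4
config acl rule destination address GUEST-ACL 4 10.0.0.0 255.0.0.0
config acl rule direction GUEST-ACL 4 in
config acl rule action GUEST-ACL 4 deny
config acl rule add GUEST-ACL 5
config acl rule source address GUEST-ACL 5 10.0.0.0 255.0.0.0
config acl rule direction GUEST-ACL 5 out
config acl rule action GUEST-ACL 5 deny

! 6: whatever is left is the internet. For the HTTP/HTTPS-only variant, replace this
! with TCP (protocol 6) rules for destination ports 80 and 443 and matching "out" rules.
config acl rule add GUEST-ACL 6
config acl rule direction GUEST-ACL 6 any
config acl rule action GUEST-ACL 6 permit

! Apply to the guest WLAN (config interface acl <name> GUEST-ACL is the interface form).
config acl apply GUEST-ACL
config wlan acl 2 GUEST-ACL
show acl detailed GUEST-ACL
```

After applying, check `show acl detailed GUEST-ACL` counters while a test client browses: hits on rules 4 and 5 are the guests being stopped at the inside boundary, which is the behaviour you want to see before opening the SSID.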
12-01-2015 06:03 AM
Just to add to Brett's comments. You should not need to have guest users have access to anything but the internet. If you do, then they are really not guest users and you're better off placing them on the inside and using an ACL to allow access to certain IPs and ports.
The purpose of an anchor controller is to be able to push guest traffic to another controller without having the traffic touch your inside network. Now you could create a layer 2 subnet that you send to the DMZ if you want, but you will need to extend that layer 2 subnet from the switch the controller is connected to, to the DMZ.
-Scott