01-13-2012 01:08 PM - edited 07-03-2021 09:22 PM
Sharath K.P.
Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions on wired guest access with expert Sharath K.P. Wired guest access enables guest users to connect to the guest access network from a wired Ethernet connection designated and configured for guest access. Sharath K.P. is a Customer Support Engineer specialized in wireless and switching technologies at the Technical Assistance Center in Cisco Bangalore. He has been troubleshooting wireless and switching networks and management tools since 2009. Sharath has a bachelor's degree in Electrical Electronics Engineering from P.E.S College of Engineering (PESCE), VTU at Belgaum, India. He holds CCNP certifications in R&S and Wireless.
Remember to use the rating system to let Sharath know if you have received an adequate response.
Sharath might not be able to answer each question due to the volume expected during this event.
Remember that you can continue the conversation on the Wireless and Mobility sub-community discussion forum shortly after the event. This event lasts through January 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
01-17-2012 03:02 AM
Hi Sharath,
Thanks for opening up this forum, I have a question around having multiple LAN based WLCs, utilising an Anchor controller within a DMZ for Wired Guest connections.
Say we have 4 LAN based controllers, each with a Guest LAN configured utilising Vlan 111, this vlan is then trunked down to our User access switches, whereby we have a user machine connected into a switchport in vlan 111. When the client initially connects, traffic will be forwarded from the client on Vlan 111, and trunked across the network into one of the WLCs - If there are 4 WLCs configured with the Guest LAN, how is the decision made as to which WLC the client will connect to? Obviously, this connectivity all happens at Layer 2, but in my mind, there isn't any particular MAC address or IP address that could be used to base a load-balancing decision on.
I've looked within the Cisco documentation, and have not been able to find anything describing how the above works.
Appreciate your feedback
Thanks
01-17-2012 10:35 AM
Sharath,
I have been wondering the same exact thing. At many of our sites, we have two 5508 series controllers, one being the primary and one being the secondary. The controllers are both configured the same, however we put all the access points on one controller to avoid inter-controller roaming. The secondary exists in case the primary fails.
The guest wired and wireless network is a Cisco textbook design. I have noticed that wired clients often end up on the secondary controller. I too am wondering how it works.
Thanks in Advance!
01-17-2012 10:45 AM
Helping Sharath out.
As it's a broadcast from the client, the first WLC to get the packet is the one that will respond. That is the WLC the wired guest will associate with, and tunnel its traffic to, if you are anchoring.
Steve
01-17-2012 10:51 AM
Steve, I know you worked for Cisco TAC. What is your input about the round-robin?
01-17-2012 06:22 PM
Hi tdennehy,
So, as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.
We have already opened a bug for the same (a little late, though).
Bug ID: CSCtw44999
The WLC Config Guide should clarify our support for redundancy options for wired guest
Symptom: Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results.
However, what you see in your network, where wired guest clients show up on the secondary WLC, is normal behaviour.
The criteria would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.
(Cisco Controller) >
Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile 00:0d:60:5e:ca:62 on AP 00:00:00:00:00:00 from Idle to Associated
Regards,
Sharath K.P.
01-18-2012 12:21 PM
Sharath,
I am using the screenshot below for simplicity. A small campus with two 5508-500s in it, one is the primary and one is the secondary. The primary controller has all the APs on it, the secondary sits there with nothing, but configured the same, waiting for the primary to fail so it can take over. Each controller configured for three corporate WLANs and one guest WLAN.
Both controllers are configured for guest wireless just like the drawing depicts, with an anchor controller in the DMZ.
Both controllers are configured for guest wired as well. Does CSCtw44999 state that configuring both controllers for guest wired networking is not supported?
Thanks in advance,
Tim
01-17-2012 10:45 AM
I will wait for the response as well. However, I will comment in the meantime based on what I have experienced. If you have a foreign controller and she is anchored to 2 anchor controllers, the foreign controller will "round robin" these users, wired or wireless. That has been my experience.
Example:
User 1 --> Anchor 1
User 2 --> Anchor 2
User 3 --> Anchor 1
User 4 --> Anchor 2
I asked TAC months ago if this could be changed and was told no. But there was a feature enhancement request in the future.
Great question. Can't wait for a response as well.
01-17-2012 10:48 AM
With dual anchors, the 'internal/foreign' will round robin to the anchor, but guest wired is a bit different.
Steve
01-17-2012 10:52 AM
Ok, good to know... Is this "wired" side documented anywhere?
01-17-2012 11:00 AM
I'd have to look for something more in-depth, but there is the configuration guide for it.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
Steve
01-17-2012 06:26 PM
Hi George,
Nice to work with you again.
Yes, when we have multiple anchor controllers the client load balancing is done in a 'ROUND ROBIN' way and, as you are aware, we have opened an enhancement request for the same. We will work on other options we can provide and which would be feasible.
Your input on product feature enhancement is highly appreciated.
Regards,
Sharath K.P.
01-17-2012 06:17 PM
Hi Daniel,
Wonderful observation and great question.
Yes, we don't find any recommendation or inputs in Cisco docs on scenarios where we have multiple foreign WLCs present. When we go through the Cisco doc available for Wired Guest Access
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
Two separate solutions are available to the customers:
A single WLAN controller (VLAN Translation mode) - the access switch trunks the wired guest traffic in the guest VLAN to the WLAN controller that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
Two WLAN controllers (Auto Anchor mode) - the access switch trunks the wired guest traffic to a local WLAN controller (the controller nearest to the access switch). This local WLAN controller anchors the client onto a DMZ Anchor WLAN controller that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive traffic.
So, as per Cisco best practices, using multiple foreign controllers for the same wired guest VLAN is not supported and the results will be unpredictable.
I do understand the confusion regarding such scenarios, as this (multiple foreign WLCs) is a very general setup which customers would like to deploy.
We have already opened a bug for the same (a little late, though).
Bug ID: CSCtw44999
The WLC Config Guide should clarify our support for redundancy options for wired guest
Symptom: Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results.
Some of the other changes that we will be making as a part of the doc correction would be:
1. The WiSM2 needs to be added as a supported controller. (Not sure about the 7500, check with PM)
2. Where it says "Do not attempt to trunk a guest VLAN on the Catalyst 3750G ...", this should read: "Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results."
3. Add at least a line mentioning support for multiple anchors for a guest wired LAN.
Now, if you already have such deployments, the criteria would be that the nearest WLC on the broadcast domain (Layer 2) would respond to the client association request.
(Cisco Controller) >
Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 Adding mobile on Wired Guest 00:00:00:00:00:00(0)
Tue Sep 11 13:27:42 2007: 00:0d:60:5e:ca:62 apfHandleWiredGuestMobileStation (apf_wired_guest.c:121) Changing state for mobile 00:0d:60:5e:ca:62 on AP 00:00:00:00:00:00 from Idle to Associated
I hope the above explanation could clarify your doubts to a certain extent and also keep you informed on Cisco's roadmap on this feature.
Regards,
Sharath K.P.
01-18-2012 04:54 PM
Sharath,
I am using the screenshot below for simplicity. A small campus with two 5508-500s in it, one is the primary and one is the secondary. The primary controller has all the APs on it, the secondary sits there with nothing, but configured the same, waiting for the primary to fail so it can take over. Each controller configured for three corporate WLANs and one guest WLAN.
Both controllers are configured for guest wireless just like the drawing depicts, with an anchor controller in the DMZ.
Both controllers are configured for guest wired as well. Does CSCtw44999 state that configuring both controllers for guest wired networking is not supported?
Thanks in advance,
Tim
01-19-2012 01:26 AM
That's the way I've understood it: if you have multiple local controllers, then only one of them should be configured (or at least be active) for the Guest Wired network.
The way we have our environment configured, is that we have the vlan used for the Guest Wired vlan trunked to all our local controllers, but only one has this network as active on the device - In the event that the active controller failed, then we could simply enable the Guest Wired network on another local controller.