Best place to create the DHCP scope for Guest SSID for remote office connected to HQ Foreign-Anchor controller

vinodjad1234
Level 2

Hi Experts,

I need help with respect to understanding the best practice for placing/creating the DHCP scope for a remote-site Guest SSID which will be connected to an HQ Foreign-Anchor controller set-up.

How about internet traffic for the Guest SSID? Which one would be recommended:

1) Guest SSID gets authenticated from HQ ISE and is exposed to the local internet

2) Guest SSID gets authenticated from HQ ISE and is exposed to the HQ internet

Thanks

 


George Stefanick
VIP Alumni

Most people that have remote offices will typically anchor guest back to HQ to manage and shape the traffic. Think of having one funnel to do what you please with guest. This is of course if the pipe can handle the guest back. In this case you need a DHCP server in the DMZ.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George,

Thanks for your reply... So you mean the best design would be to create the DHCP scope in the DMZ for guest and let it get exposed to the HQ internet...

How about if I have another anchor controller in, let's say, another office and I need to anchor the traffic or load balance from the HQ foreign controller? In that case, if I create the DHCP scope on the HQ anchor controller and it's down, I will lose connectivity. How do I achieve fail-over to another anchor?

Do I need to create a secondary scope on the other anchor controller and let the client get re-authenticated from the other location's ISE and get an IP address from the other anchor controller as well? Is that what you are proposing?

What you typically see is two anchors in the DMZ sharing the guest offload. The foreign controller will round robin the guest onto the controllers. Both controllers share the same guest subnet.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
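An added configuration sketch of the two-anchor DMZ design described above, not taken from this thread or from Cisco documentation. Controller addresses, MACs, the guest subnet and WLAN ID 5 are constructed; the command forms are AireOS WLC CLI as I recall them, and lines starting with "!" are annotations rather than commands, so check both against the command reference for your release.

```cisco
! Foreign controller at the remote office (constructed: WLAN 5 is the Guest SSID).
! Both DMZ anchors are added as mobility peers; the foreign WLC spreads guest
! clients across the anchors listed on the WLAN.
config mobility group member add aa:bb:cc:00:00:01 192.0.2.11 DMZ-ANCHORS
config mobility group member add aa:bb:cc:00:00:02 192.0.2.12 DMZ-ANCHORS
config wlan mobility anchor add 5 192.0.2.11
config wlan mobility anchor add 5 192.0.2.12

! Anchor 1 (192.0.2.11): terminates guest traffic in the DMZ, anchors the WLAN
! to itself, and serves the lower half of the shared guest subnet 198.51.100.0/24.
config wlan mobility anchor add 5 192.0.2.11
config dhcp create-scope guest
config dhcp network guest 198.51.100.0 255.255.255.0
config dhcp address-pool guest 198.51.100.10 198.51.100.127
config dhcp default-router guest 198.51.100.1
config dhcp dns-servers guest 198.51.100.53
config dhcp enable guest
! The guest dynamic interface points at this controller's own management IP
! so the internal DHCP server answers for clients landing on this anchor.
config interface dhcp dynamic-interface guest primary 192.0.2.11

! Anchor 2 (192.0.2.12): same subnet and gateway, but a non-overlapping pool so
! the two anchors can never hand out the same address to two clients.
config wlan mobility anchor add 5 192.0.2.12
config dhcp create-scope guest
config dhcp network guest 198.51.100.0 255.255.255.0
config dhcp address-pool guest 198.51.100.128 198.51.100.250
config dhcp default-router guest 198.51.100.1
config dhcp dns-servers guest 198.51.100.53
config dhcp enable guest
config interface dhcp dynamic-interface guest primary 192.0.2.12
```

Because both anchors sit on one guest subnet, the DMZ firewall policy and ISE guest rules only have to be written once for that subnet regardless of which anchor a client lands on.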

On the way into the office I was thinking about your question. If you allow CAPWAP through the FW and the APs can find the WLC, and you connect layer 2 to the controller between both networks and you don't LAG, you could likely leg into both networks.

But if you have problems and call TAC they will give you a hard time...

Get a controller and test it out...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Sorry to bump an old thread, but we were considering something similar. Does the client get a new IP address from the failover controller if it was in another DMZ with a different scope?
