Cisco recommended architecture for guest access to internet

neil_titchener · ‎04-01-2025

Hi All,

We're about to upgrade our WiFi network architecture. Currently we have a Foreign/Anchor setup for direct internet access. Is this the current Cisco recommended architecture? A colleague has suggest a new architecture removing the Anchor and running a GRE tunnel from the Foreign controller to the external firewall. Is this a recommended design in an Enterprise network?

Any URLs you know of regarding WiFi architecture would be greatly appreciated.

Thanks in advance for taking the time to reply

Scott Fella · ‎04-02-2025

I wouldn't say there are recommendations except for "how you want to delivery the guest traffic withouth touching any other part of your network." Guest anchors work fine and are pretty easy to deploy if you have the budget for them. GRE, VRF, etc. being able to tunnel guest traffic from a site to another location for internet egress is another option. At time, if the site has a local egress, you don't need either and can just send traffic out the foreign controller to a vlan that is dedicated to that local internet egress. You design it the best way that you can afford and your team can support.

-Scott
*** Please rate helpful posts ***

Rich R · ‎04-02-2025

This is the official Cisco Design Guide:
https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-campus-lan-wlan-design-guide.html#Guestwireless

It suggests the anchor design or local direct internet access - as Scott has also suggested - so it's really down to your own requirements/preferences. Sometimes it just comes down to company policy about how guest traffic is handled where insistence on anchor design seems to be much less prevalent these days as the security folks have started to trust/accept that VLANs really do keep traffic effectively separated.

ps: If you decide you want to go for an EoGRE solution (or just want to understand it) then refer to:
https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-2/deployment-guide/c9800-eogre-deployment-guide-rel-17-2.pdf
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_wl_eogre.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390