Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1835
Views
0
Helpful
5
Replies

Configuring WLC at remote site to tunnel traffic from WLC at main site

r.stockton
Level 1
Level 1

‎09-21-2012 10:32 AM - edited ‎07-03-2021 10:42 PM

To say the documentation regarding mobility groups/anchors/lists is an understatement (such that I'm not even sure this scenario is valid). Nonetheless, here goes...

At the main site, I have 3 5508 WLCs each part of a mobility group (wlcMain-MG).  In NCS, under "System/Mobility Groups" for each controller, I see each controller listed as "local" with the other Controllers listed with the group name "wlcMain-MG".  None of the SSIDs are "anchored".

I have a new site with a 2500 series WLC that I would like to push out 2 SSIDs.  This site contains two customers.  One customer is the Main customer with the second customer leasing space.

I have the Cust2 WLAN at the remote site set to have traffic egress out of a local interface on the 2500 WLC (this traffic is then tunnelled back to their Main location via an ASA which houses the DHCP scope for that vlan).    I can connect to this SSID, obtain an IP Address off the ASA and am tunnelling without issue.

For the Cust1 WLAN at the remote site, I would like to broadcast an SSID from the Main location on those same APs which are registered to the 2500.  It is my understanding, that I anchor the SSID at the Main site and identically configure the SSID at the remote site.  This will allow the end user to authenticate to the RADIUS server at the Main site and be placed upon the correct vlan (we are using DOT1x and dynamic vlans).

For my test, I am starting simple.  I have created a test WLAN with no authentication. At the main site, on 5508 WLC3, I have created the test WLAN, and placed the interface into a low security vlan (call it VLAN-low).  I have anchored this test WLAN to that controller.  At the remote site, I have created the same WLAN (but placed it into the management interface for now - the VLAN-low does not exist at the remote site) and configured that WLAN to anchor back to the WLC3 at the main site.  I am unable to obtain an IP address from the remote site.  I have placed the remote site WLC in the wlcMain-MG as well.

Suggestions?  Is this able to be accomplished?  How close does the code need to be on the controllers - the 5508s are at 7.0.116.0 and the 2500 is at

7.0.220.0? What could I be missing?

Thanks for any efforts in assistance.

-Robert

Labels:
0 Helpful
5 Replies 5

Scott Fella
Hall of Fame
Hall of Fame

‎09-21-2012 12:15 PM

Okay.. so the WLAN is configured exactly the same with the exception of the interface. On the 2504 wlan CUST1 ssid, you have that anchored to the WLC at HQ. At the WLC at HQ, you have the SSID anchored back to itself (local)? Do you see the client on the anchor wlc at HQ?

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
0 Helpful

r.stockton
Level 1
Level 1
In response to Scott Fella

‎09-21-2012 01:13 PM

After a while, this is now working.  Not sure why, but it is.

My next question, then, what is the ramification of anchoring the SSID?  The design for HQ is n+1 (WLC1, WLC2 both Failover to WLC3.  If I anchor the "live" ssid to one of the WLCs - are there roaming ramificatinos between the HQ WLCs?

-Robert

0 Helpful

Peter Nugent
Cisco Employee
Cisco Employee
In response to r.stockton

‎09-21-2012 01:50 PM

You can anchor the SSID to multiple controllers. Why would there be roaming issues on the HQ WLCs.

Sounds a little complex? Maybe a diagram would help but I dont see an issue if you anchored it to the 3 HQ wlcs. It will distribute the traffic across them.

0 Helpful

r.stockton
Level 1
Level 1
In response to Peter Nugent

‎09-24-2012 07:19 AM

I don't know why there would be roaming issues for the Campus HQ users - I thought I would ask...

So, I have an open SSID working, however, once I apply the same setup to the "live" SSID, this does not work.  The live SSID uses the following:

WPA2/PEAP/MSCHAPv2

RADIUS (Microsoft NPS) to A/D Authentication.

Dynamic VLAN Association (based on userID - the group info is passed from A/D back to NPS for VLAN assignment).

-Robert

0 Helpful

r.stockton
Level 1
Level 1

‎09-24-2012 09:40 AM

Ok, folks.

I found out from Cisco that Dynamic VLAN assignment is not currently supported on Anchored WLANs.

The resolution is to register my APs back to HQ and push out that WLAN (the Cust1).  Then, I would anchor the Cust2 the other way back to the 2504.  Thing is, the 2500s cannot be an anchor point for a WLAN (this is in a future rev...possibly 7.4). So, I have to pull a 5508 from the lab and bring this to the remote site until they come out with new code for e 5508s.

Thank you for your help and discussions.  Hopefully, this thread will be of assistance to someone.

-Robert

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card