Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
927
Views
10
Helpful
3
Replies

Guest access the management interface and guest anchor.

daswann
Level 1
Level 1

‎01-21-2022 09:25 AM

While reviewing our organizations WLC.s for best practice I notices that some of our sites have the guest SSID mapped to the management interface. Per the 8.5 config guide - Do not map a guest WLAN to the management interface. If the EoIP tunnel breaks, the client could obtain an IP and be placed on the management subnet. We are using guest anchor for these sites and they terminate on a different interface not management on the anchor WLC. 
In this scenario are we still at risk to the above issue mentioned in the 8.5 config guide? 

 

Thanks in advance

 

 

1 person had this problem
Labels:
0 Helpful
3 Replies 3

daswann
Level 1
Level 1

‎01-21-2022 09:44 AM

I just ran across this, anyone have thoughts on this for resolution to my question above:

The default interface used by the foreign WLC for the guest WLAN is the management interface. If the EoIP tunnel cannot be established with the anchor, the foreign controller will disassociate any wireless clients that were previously associated with the unreachable anchor and then assign new clients and reassociate clients to the interface configured under the guest WLAN of the foreign itself. Therefore, it is recommended to link the guest WLAN on the foreign to a non-routable network, or alternatively configure the DHCP server of the management interface with an unreachable IP address. If the anchor becomes unreachable, this prevents the guest clients to gain access to the management network.

 

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎01-21-2022 12:25 PM

In the past when configuring guest anchor, I have always created a bogus interface like vlan666 or whatever and that doesn't reside in the trunk at all.  This way if the tunnel breaks, the traffic is placed on the vlan.  In my example, vlan666.

-Scott
*** Please rate helpful posts ***

Arshad Safrulla
VIP Alumni
VIP Alumni

‎01-24-2022 09:05 AM

On top of @Scott Fella's great advise, some generic design guidelines I use

  • disabling management over wireless
  • segregate guest wireless and wired subnets
  • disable DHCP on management Interface or configure an completely unreachable network as DHCP scope.
  • make use of CPU ACL to protect the WLC Management Access
  • use IP DHCP required option in the WLAN

Finally what ever the WLAN mode don't use management interface. 

If you need more tips

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKEWN-2014.pdf

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card