cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1553
Views
0
Helpful
10
Replies

Guest Access with Inter-vlan Mobility

sprosons
Level 1
Level 1

I have a setup as follows

Two datacenters each with one wlc5500, one guest access server and one internet circuit with firewall.

LWAPs connect to the data centres over a WAN.

Each LWAP has two SSIDs one guest with web auth and one private with 802.1x.

Site1 has 40 APs and site2 has 10 APs.

The best scenario would be to have 30 APs on each controller but this means that there would be a mix of APs centrally switched on different VLANs for the guest wlan.

Is there any way to anchor clients that intially associate to WLC1 so that if they roam on to WLC2 they keep the same IP address from datacentre 1. Similarly those that associate to WLC2 keep their IP from datacentre 2 if they roam to WLC1. Finally if either WLC1 or WLC2 fail then all clients re-associate to the active WLC at one DC. All the config guides so far only depict one internet circuit so I can't work out if this is possible yet. So far with both WLCs active the client changes address as they roam to the other WLC.

I would like to avoid creating a L2 link beween DCs if possible

10 Replies 10

Stephen Rodriguez
Cisco Employee
Cisco Employee

Ok, so that should work, it's just a L3 roam.

But the question here is, how far apart are the two sites?  By default the idle timeout is 300 seconds ( five minutes ) so if it takes longer than that to get from one site to another, it's not going to matter.

Now, for this to work, you would need to make sure the WLC are in the same mobility group.  That really should be it.  So long as they are in the same mobility group, when the cliet associates, there is a mobility message sent to see if any WLC in the group knows of the client.  If there is a response, the client should be anchored/L3 roam, between them.  So long as there is an entry in teh MSCB of the WLC still, see above.

Cheers,
Steve

--

If  this helps you and/or answers  your question please mark the question as "answered" and/or rate it, so  other users can easily find it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

The user sites are geographically separate so roaming between sites is not an issue.

In this scenario there are multiple APs at one site that connect to different WLCs. Both WLCs are in the same mobility group but if the clients are associated to an LWAP on WLC1 and they roam to an LWAP on WLC2 then the IP address of the client changes and they move from the internet vlan at DC1 to the internet vlan at DC2. In this setup if I go the the monitor menu I only ever see clients on one WLC at any time. If I configure WLC1 as the mobility anchor for SSID guest then they roam fine but all clients go to DC1. If I add the second WLC as an anchor then it behaves as if none is configured and the clients are move to the to internet vlan local to the associatedc WLC.

That shouldn't be the case. If they are in the same mobility group, and the WLAN is the same, there should be a L3 roam done between the controllers.

Can you grab a show mobility summary from both controllers?  Does this only affect the guest WLAN?

Cheers,
Steve

--

If  this helps you and/or answers   your question please mark the question as "answered" and/or rate it, so   other users can easily find it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks for the response.

It occurs on both vlans but I have setup HREAP for the private SSID because the clients talk to a local server. The guest SSID is internet only so traffic has to go via the data centres so that one is centrally switched.

Here is the output

WLC1


(Cisco Controller) >show mobility
Incorrect usage. Use the '?' or key to list commands.
(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Mobile1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x1eff
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
c4:71:fe:97:f8:60 10.253.128.10 Mobile1 0.0.0.0 Up
c4:71:fe:97:fc:c0 10.18.227.10 Mobile1 0.0.0.0 Up
(Cisco Controller) >

WLC2

(Cisco Controller) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... Mobile1
Multicast Mode .................................. Disabled
Mobility Domain ID for 802.11r................... 0x1eff
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 2
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address IP Address Group Name Multicast IP Status
c4:71:fe:97:f8:60 10.253.128.10 Mobile1 0.0.0.0 Up
c4:71:fe:97:fc:c0 10.18.227.10 Mobile1 0.0.0.0 Up
(Cisco Controller) >

ok, that looks fine, can you do a show wlan  < wlan id> for the two guest netowrks?

Cheers,
Steve

--

If  this helps you and/or answers   your question please mark the question as "answered" and/or rate it, so   other users can easily find it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Thanks for looking

(Cisco Controller) >show wlan 3
 
WLAN Identifier.................................. 3
Profile Name..................................... guest
Network Name (SSID).............................. GUEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
NAC-State...................................... Disabled
Quarantine VLAN................................ 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ guest-vlan
WLAN ACL......................................... unconfigured
DHCP Server...................................... 10.18.227.10
DHCP Address Assignment Required................. Enabled
--More-- or (q)uit
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
 
--More-- or (q)uit
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
--More-- or (q)uit
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
 
(Cisco Controller) >?
(Cisco Controller) >show wln 3
Incorrect usage. Use the '?' or key to list commands.
(Cisco Controller) >
(Cisco Controller) >


(Cisco Controller) >
(Cisco Controller) >show wlan 3
 
WLAN Identifier.................................. 3
Profile Name..................................... guest
Network Name (SSID).............................. GUEST
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
NAC-State...................................... Disabled
Quarantine VLAN................................ 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ guest-vlan
WLAN ACL......................................... unconfigured
DHCP Server...................................... 10.253.128.10
DHCP Address Assignment Required................. Enabled
--More-- or (q)uit
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11b and 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
 
--More-- or (q)uit
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Unconfigured
Web Authentication server precedence:
1............................................... local
2............................................... radius
3............................................... ldap
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
--More-- or (q)uit
Mobility Anchor List
WLAN ID IP Address Status
------- --------------- ------
 
(Cisco Controller) >?

Try this.

Under the WLAN remove the DHCP server override setting.  And make sure to configure the DHCP server under the interface.  The mismatch between the servers could be enough to stop the auto anchoring from happening.

Cheers,
Steve

--

If  this helps you and/or answers   your question please mark the question as "answered" and/or rate it, so   other users can easily find it.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

No it's still the same

C:\Documents and Settings\user.1>ipconfig
Windows IP Configuration

Ethernet adapter Wireless Network Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.101.41
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.101.1
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.10.10.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.10.1
Ethernet adapter Local Area Connection 3:
        Media State . . . . . . . . . . . : Media disconnected
C:\Documents and Settings\user.1>ipconfig
Windows IP Configuration

Ethernet adapter Wireless Network Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.102.40
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.102.1
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.10.10.50
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.10.10.1
Ethernet adapter Local Area Connection 3:
        Media State . . . . . . . . . . . : Media disconnected
C:\Documents and Settings\user.1>^A

Steve

Thanks for the help. Now II know it should work the way I want I can keep on trying. I am going to set up without the web authentication next and see how that goes.

Steve

It works without web authentication.

Thanks Steve

Review Cisco Networking for a $25 gift card