Guest Anchor - DMZ firewall rule changes

rahul nair
Level 1

Hi all,

I am setting up a Guest anchor at my office.

Now guest wireless internet traffic will be sent out to the internet locally, rather than via my offshore anchor, which has been used till now.

Just to give you guys an idea about the topology:

This Anchor is connected to the DMZ switch, on a switchport which is put in a DMZ VLAN (e.g. gi 1/0/1).

I have other switchports (gi 1/0/2-3) in the DMZ VLAN which are in turn connected to the DMZ interfaces on my firewall cluster.

Now I have to convey to my Security team what rules I should have them configure in order to establish the EoIP tunnel between my Anchor and my Mobility controller.

What changes should I be asking them to make on the Firewall?

From what I have read and understood:

A. Data - 12222 / Control - 12223 - LWAPP

B. Data - 5247 / Control - 5246 - CAPWAP

C. Mobility traffic - 16666/16667

Is there anything else necessary for both the controllers to communicate?

Thanks in advance.


6 Replies

Sandeep Choudhary
VIP Alumni

If a firewall is involved, ports 16666 (16667 if using secure mobility) and protocol 97 must be allowed bidirectionally between the IP addresses of the controller management interfaces.

– UDP 16666 for tunnel control traffic

– IP Protocol 97 for user data traffic

Regards

Don't forget to rate helpful posts

Hi Sandeep,

Thanks for the reply.

And apart from this, I think I should be getting a rule created so that both Anchor and Mobility controllers can reach each other. Am I right?

So if my understanding is correct, all guest internet traffic originating from the client would first hit the AP.

Being a centrally switched WLAN, it would then hit the foreign controller, which would then tunnel it to the Anchor controller. Then to my internet router.

Am I getting this correct?

Thanks,

Rahul.

Yes you are right.

The Guest traffic, however, is sent to the anchor controller in the DMZ via an Ether IP tunnel, and the anchor controller bridges it to the DMZ network. The network firewall is configured to allow UDP 16666 and Protocol 97 traffic between the two controllers. Because the anchor controller handles client DHCP and authentication, the laptop of the visitor has an IP in the DMZ VLAN range.

Here is the flow:

Client > AP > WLC > Guest WLC > DMZ > Internet

Regards

Don't forget to rate helpful posts

Thanks a lot.

Just to confirm once more, the actual physical flow should be like:

Client > AP > WLC > FW > Guest WLC > DMZ > Internet ?

And all the guest traffic, including DHCP request/ack, would be originating from the IP address of the Foreign WLC, right? As the packets' source IP address?

I am asking this so that just one rule enabling both WLCs to talk to each other would do the trick.

Lastly, is there a final test that I can do from both the WLCs to ensure that this is effectively achieved from both ends? Like a command or something?

Yes, you are correct. Traffic flow with the firewall will be:

Client > AP > WLC > FW > Guest WLC > DMZ > Internet

Yes, it (the DHCP request) will start from the foreign WLC.

During the anchoring scenario the client's DHCP is handled by the anchor controller, as the client data is tunneled within an EoIP tunnel between the foreign and anchor controllers.

Yes, you can do the mobility eping/mping test to ensure that the data and control paths are up and working:

https://rscciew.wordpress.com/2014/07/10/mobility-configuring-on-wlc/

http://revolutionwifi.blogspot.de/2010/10/auto-anchor-mobility-fundamentals.html

Regards

Don't forget to rate helpful posts

Thanks Sandeep.

I think it is clear now!