
How does the anchor controller work with regards to the web traffic

carl_townshend
Spotlight

Hi all

I am configuring an anchor controller for my guest wireless internet access.

Firstly, does the anchor need to have all the same config, SSIDs etc. on it, the same as the other controllers, or is it a minimal config?

Also, how does the web traffic travel through? Does the anchor controller literally act as a proxy for the web traffic? And if so, on my firewall, is the web traffic all sourced from the anchor controller's IP address?

Many thanks

Carl

15 Replies

Scott Fella
Hall of Fame

When you set up an anchor WLC for guest traffic or any... You need to make sure the SSID is identical except for the interface configuration. All traffic will be tunneled to that guest WLC and that is what your FW will see.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

So, on the anchor config, what VLAN do I map the SSID to?

Also, where does the source of the traffic come from, the original client or the WLC? What, effectively, is the WLC doing here?

cheers

Carl

On the guest anchor WLC, you would create an interface for your DMZ. The WLC would then have an IP in the DMZ VLAN and your guest SSID would be mapped to that guest VLAN. What you are doing is tunneling guest user traffic right to the DMZ WLC instead of your internal WLC and then having to ACL everything. So a guest user associates, gets granted access and gets put in the guest VLAN in the DMZ.

-Scott
*** Please rate helpful posts ***

Here is a doc that might explain it better than me:)

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html

-Scott
*** Please rate helpful posts ***

If you understand how Layer 3 inter-controller roaming works, it's the same thing for anchoring.

The Anchor is not a web proxy, it is just like any other WLC.

Basic flow of client traffic will be:

Client >802.11> AP >CAPWAP> Foreign WLC >MobilityTunnel> Anchor WLC >Ethernet> Traffic dumped on VLAN (presumably going into the DMZ)

Hi there

We already have another site with this configured, and the SSID is different for that other site. Does this mean we will have to use the same SSID as the other site, or can you create another SSID on the anchor controller and assign it to the DMZ VLAN? So effectively the anchor will have 2 guest SSIDs mapped to one DMZ VLAN, is that OK?

cheers

Carl,

Correct, you can use another SSID as a guest SSID and anchor it to the DMZ. Just make sure they match on the new controller and the DMZ anchor.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi there

I'm still confused about what I need to configure. Is it as below?

Remote WLC controller site 1 has Guest SSID of guest-wlan-SITEA and is in VLAN 101

Remote WLC controller site 2 has Guest SSID of guest-wlan-SITEB and is in VLAN 201

Do I just add both SSIDs to the anchor controller and map them to a different VLAN in the DMZ? And do I allow the original source IP address subnets out my firewall for each site?

cheers

Carl

Create guest-wlan-SITEA & guest-wlan-SITEB on the DMZ WLC. Then you should be able to map them to the same or a different interface in the DMZ WLC. Make sure you create the mobility anchor for the SSID also. The subnet that you place these guest users in will only be located in the DMZ, so that subnet is what you need to allow.

-Scott
*** Please rate helpful posts ***

Hi

Thanks for the reply.

I'm still unsure what you are saying. My Guest WLAN on site A is on IP subnet 192.168.1.0/24 and site B is 192.168.2.0/24. This traffic gets tunneled to the anchor and put on the DMZ, which is, say, on the 10.11.11.0/24 subnet.

How is the traffic sourced? Does it just route through the DMZ with the original source IP from each site?

cheers

Carl

So, when you anchor the WLAN, the client will pull its IP address from the pool of the DMZ WLAN DHCP, not from the local site.

So the only subnet(s) that you need to allow are the ones in the DMZ, not the actual sites.

When you anchor, the client is physically connected to the local WLC, but is logically in the DMZ. All traffic is ingress/egress at the DMZ WLC. So the traffic flow is:

client <--> AP <--> WLC (local) <--> WLC (DMZ) <--> network

then the reverse for the return.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

Hi there

I cannot see how this is going to work; the anchor controller is at another site, on a different subnet. Is this the only way we can do it or the recommended way?

So I need to put the DHCP in the range of the DMZ subnet. What if there is an SSID from another site already using it? And what does that mean for the local site? The VLAN for guest is on a totally different subnet at the moment; do we assign no IPs to the VLAN? I'm lost, can you explain a little further?

cheers

Carl

The local WLC can be put to a 'null' interface. So what you do is create an interface that has no real Layer 2 relevance, and point the local WLAN at this interface. That way if the anchoring fails, the client is not dumped on a real subnet.

As for the DMZ, you just need to make sure that subnet only lives there.

Now, anchoring the guest WLAN is the 'best practice' for security, as you put the guest clients, who are untrusted, outside of the real network. They can't come back inside due to the firewall, unless you pinhole specifically for it to happen.

You can have a guest SSID at each site, with its own subnet. Then you just treat it like any other WLAN.

Steve

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
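As an added illustration (not code from this thread or from Cisco), the following Python model walks through the flow Steve and Scott describe: two sites' guest SSIDs anchored to one DMZ WLC, clients leasing addresses only from the DMZ pool, the firewall permitting only that DMZ subnet, and the 'null' interface fallback when the anchor is unreachable. The subnets (192.168.1.0/24, 192.168.2.0/24, 10.11.11.0/24) are the constructed examples from the thread; the class and function names are assumptions for this model only.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample subnets, taken from the thread's own example.
DMZ_GUEST = ipaddress.ip_network("10.11.11.0/24")      # DMZ VLAN behind the anchor WLC
SITE_A_LOCAL = ipaddress.ip_network("192.168.1.0/24")  # site A's local guest VLAN
SITE_B_LOCAL = ipaddress.ip_network("192.168.2.0/24")  # site B's local guest VLAN


@dataclass
class AnchorWLC:
    """DMZ (anchor) controller: hands out addresses from the DMZ pool only."""
    pool: ipaddress.IPv4Network
    reachable: bool = True   # False simulates the mobility tunnel being down
    next_host: int = 10      # next host number to lease (constructed)

    def lease(self) -> ipaddress.IPv4Address:
        ip = self.pool[self.next_host]
        self.next_host += 1
        return ip


@dataclass
class ForeignWLC:
    """Local (foreign) controller: the client is physically here, logically in the DMZ."""
    local_vlan: ipaddress.IPv4Network
    anchors: Dict[str, AnchorWLC] = field(default_factory=dict)  # SSID -> anchor WLC
    null_interface: bool = True  # WLAN mapped to a non-routed 'null' interface locally


def associate(wlc: ForeignWLC, ssid: str) -> Tuple[Optional[ipaddress.IPv4Address], str]:
    """Return (client IP, egress point) for a client joining `ssid` at this site."""
    anchor = wlc.anchors.get(ssid)
    if anchor is not None and anchor.reachable:
        return anchor.lease(), "dmz"       # tunneled: address and egress are in the DMZ
    if wlc.null_interface:
        return None, "dropped"             # anchor failed: client lands on no real subnet
    return wlc.local_vlan[10], "local"     # no null interface: client dumped on local VLAN


def firewall_permits(src: Optional[ipaddress.IPv4Address]) -> bool:
    """DMZ firewall rule: only the DMZ guest subnet is allowed out, never the site subnets."""
    return src is not None and src in DMZ_GUEST
```

Running both sites against one anchor shows every guest source address falling inside 10.11.11.0/24, which is the only subnet the firewall rule needs; with the anchor down, the null interface is what keeps the client off the site's real VLAN.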

Ok

Can you please give me an example of this with some IP addresses, to make it easier?

cheers

Carl
