Implementing Two Guest Anchor WLCs

c.fuller
Level 1

Hello -

I am wondering if anyone has ever set up a guest network solution using two anchor controllers, where the internal WLCs each have two anchors configured, use a primary anchor, and when it is unavailable can dynamically fail over to a secondary anchor.

I am looking to bring my current guest service onto the DMZ. Right now we are using separate ISPs where we tunnel the guest traffic to an anchor controller and out the separate ISP. We do not use our corporate internet service for guest. In any event, the DMZ design I am working on would include two WLCs sitting on our DMZ. I'd like to have each internal WLC configured to associate to the DMZ WLC that is connected to our active DMZ/Border. Upon failure, I would then like to have the internal WLCs fail over to the second DMZ WLC on our standby DMZ/Border. So I would need to configure both anchors on the guest WLAN of each WLC. I'm just wondering if this is possible and if the failover will actually work.

Any input is appreciated. I'd like to implement a redundant guest solution where internal WLCs can dynamically fail over to a backup anchor.

Thanks

Chuck

1 Accepted Solution

George Stefanick
VIP Alumni

Hi, I just got done moving our anchors to the DMZ, so you are in luck as everything is fresh in my mind. I, like you, have dual anchors in the DMZ. I also have over 30 inside (foreign) controllers connected to these anchors.

When you anchor a WLAN to (2) anchor controllers, the controllers automagically load balance guest associations. Example: 2 guests attached to SSID: GUEST. Guest#1 goes to anchor#1 and guest#2 goes to anchor#2. You don't configure anything; this happens automagically, like I mentioned.

As for failover: yes, if you pull the plug on anchor#1, the EoIP tunnel breaks between the anchor and the foreign controller. Guests that were on anchor#1 will require reauthentication and then join anchor#2. So if you had, say, an "accept page", these guests will get that same page again from anchor#2.

Does that answer your question?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

George,

Thank you.  This information is very helpful.  This is good to know.   The tricky part for me is that our secondary/backup border is not active and therefore the EoIP to the backup anchor WLC won't establish.  The routing via that border is not available unless the primary border goes south.    So the load balancing part creates an issue.  Maybe it will work ok if the backup anchor tunnel is never established, then no load balancing would be able to happen. Then maybe once primary border fails, the secondary EoIP would establish because the routing via our backup border would be available.   It would be better if there was no load-balancing.   But I still may be able to work around this.  I'll talk with our lead network architect and figure out how we can get this done. 

Regards

Chuck

Your thinking is correct.

Say the route to anchor#2 is not live: the EoIP adjacency will never form between the foreign WLC and the anchor#2 WLC. Your data and control tunnels will show in the DOWN state on both WLCs. In your situation, all guests will go to anchor#1 until such point as anchor#2 becomes routable.

Once anchor#2's route link comes up, after about 1 minute or so anchor#2 and the foreign controller will form an EoIP adjacency and guests will start to drop at anchor#2's doorstep.

Thanks for the rating ... Much appreciated... Stop back if you have any other questions.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
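
The dual-anchor setup discussed in this thread, written out as an added example that is not part of any poster's reply. It assumes AireOS controller CLI; the WLAN ID, IP addresses and bracketed names are constructed placeholders.

```text
# Annotation lines start with "#" and are not typed at the controller prompt.
# Constructed placeholder values (assumptions, not from the thread):
#   guest WLAN ID 3, foreign WLC 10.10.10.5,
#   anchor#1 192.0.2.11, anchor#2 192.0.2.12
#   <...-mac> and <...-group> stand for each peer's MAC and mobility group name.
#
# The firewall between inside and DMZ must pass mobility control
# (UDP 16666) and the EoIP data tunnel (IP protocol 97) in both directions.

# --- On each internal (foreign) WLC ---
config mobility group member add <anchor1-mac> 192.0.2.11 <anchor-group>
config mobility group member add <anchor2-mac> 192.0.2.12 <anchor-group>
config wlan disable 3
config wlan mobility anchor add 3 192.0.2.11
config wlan mobility anchor add 3 192.0.2.12
config wlan enable 3

# --- On anchor#1 in the DMZ (anchor#2 is the same with its own address) ---
config mobility group member add <foreign-mac> 10.10.10.5 <foreign-group>
config wlan disable 3
# An anchor WLC anchors the guest WLAN to its own management address.
config wlan mobility anchor add 3 192.0.2.11
config wlan enable 3

# --- Verify from a foreign WLC ---
show mobility summary
show mobility anchor wlan 3
# mping tests the control path, eping tests the EoIP data path.
mping 192.0.2.11
eping 192.0.2.11
mping 192.0.2.12
eping 192.0.2.12
```

While anchor#2 is not routable, its control and data paths show as down in the summary and its pings fail, which matches the behaviour described above: guests are sent only to anchor#1 until the second path comes up.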

Chuck,

Did you have any joy implementing the dual guest anchors and running the tunnels in active/standby mode, rather than load-sharing? I have a similar setup and would like to set up a second guest anchor so that it is used only in a failure situation. The internal WLCs (foreign) will have communication to dual guest WLCs, so I have no means of restricting the mobility tunnels.

Ideally I would like a tick box that says 'disable load-sharing on anchors/tunnels'.

Appreciate any feedback,

Cheers,

Ian

Hello George, I know this is a very old note but it's germane to my current situation. I have, as you mentioned a few years ago, many foreign controllers anchored to two controllers in my DMZ. One thing that I have been trying to find the answer to is how the anchor controllers are configured with respect to mobility groups and mobility memberships.

 

1. Do both controllers in a DMZ need to belong to the same mobility group for the load balancing to automagically work?

2. That said, do they both need to have a mobility tunnel between the two DMZ controllers?

3. Does it matter?

Thanks in advance!

Charlie Lucero

 
