11-18-2022 06:46 AM - edited 11-18-2022 06:47 AM
Hi Guys!
I've looked at some example configurations and community posts. I have the following topology:
Foreign WLC [9800] <---> Anchor WLC [5520] <--> DMZ interface (Dynamic interface group with multiple VLANs)
We want to use the Anchor WLC DMZ that has multiple VLANs of restricted networks for visitors. We intend to use DOT1X that determines the VLAN the user drops into on the SSID. I've found documentation on joining the 9800 to the 5520 (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html#anc22); however, I'm trying to understand if we would need to configure the interface group with the same VLANs on the 9800 SSID, even if the VLANs are not trunked down to a physical port on the WLC at the foreign site?
I know we have to configure an identical SSID and security settings like dot1x.
Thanks
KT
If I wanted to
11-18-2022 11:10 PM
Hi, in 9800s you don't configure the interfaces unless DHCP relay or mDNS is required; configuring one SVI for WMI is more than sufficient. If you don't have this requirement, I suggest you configure a VLAN group and allow all these VLANs in the trunks connecting to the uplink switch or any network device. You can also use a RADIUS server to assign the VLANs, which I think is best suited for you, and in this case it is enough that you simply create the L2 VLAN in the anchor WLC.
Also remember that if you are using any L3 authentication using RADIUS, then RADIUS packets are initiated from the anchor controller; if you are using any L2 authentication, RADIUS packets are sent from the foreign controller. So make sure that your RADIUS server is configured accordingly.
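An illustration of the answer above, added here and not part of the original thread: a RADIUS server set up for the dot1x (L2) case, where the foreign 9800 is the RADIUS client and the per-user VLAN is returned with the standard RFC 3580 tunnel attributes. FreeRADIUS 3.x syntax is an assumption (the thread does not name the RADIUS product), and all addresses, secrets, user names and VLAN IDs are constructed placeholders.

```text
# ---- clients.conf (FreeRADIUS 3.x, assumed server) ----
# dot1x is L2 authentication, so Access-Requests arrive from the
# FOREIGN controller. Its source address must be a known client.
client foreign-wlc-9800 {
    ipaddr = 192.0.2.10            # constructed placeholder address
    secret = REPLACE_WITH_SHARED_SECRET
}

# Only needed if an L3 (web) authentication is also used: in that
# case the requests are initiated from the ANCHOR controller.
client anchor-wlc-5520 {
    ipaddr = 198.51.100.20         # constructed placeholder address
    secret = REPLACE_WITH_SHARED_SECRET
}

# ---- users file (authorize) ----
# Reply attributes that place each visitor into a restricted VLAN.
# The VLAN IDs are constructed; each one must exist as an L2 VLAN
# on the anchor WLC, which is where the traffic is dropped off.
visitor-a  Cleartext-Password := "REPLACE_ME"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "110"

visitor-b  Cleartext-Password := "REPLACE_ME"
           Tunnel-Type = VLAN,
           Tunnel-Medium-Type = IEEE-802,
           Tunnel-Private-Group-Id = "120"
```

A quick check after deployment is to confirm in the RADIUS server's log that Access-Requests for the dot1x SSID carry the foreign controller's address as the NAS, and that the VLAN returned in the Access-Accept is one defined on the anchor.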