Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
496
Views
5
Helpful
1
Replies

Multiple VLANS Anchor

KatherineTran
Level 1
Level 1

‎11-18-2022 06:46 AM - edited ‎11-18-2022 06:47 AM

Hi Guys!

I've looked at some example configurations and community posts. I have the following topology:

Foreign WLC [9800] <---> Anchor WLC [5520] <--> DMZ interface (Dynamic interface group with multiple VLANs)

We want to use the Anchor WLC DMZ that has multiple VLANs of restricted networks for visitors. We intend to use DOT1X that determines that VLAN the user drops into on the SSID. I've found documentation on joining the 9800 to the 5520 (https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html#anc22) however I'm trying to understand if we would need to configure the interface group with the same VLANs on the 9800 SSID? Even if the VLANs are not trunked down to a physical port on the WLC at the foreign site?

 

I know we have to configure an identical SSID and security settings like dot1x. 

Thanks

KT

 

 

 

If I wanted to 

Labels:
0 Helpful
1 Reply 1

Arshad Safrulla
VIP Alumni
VIP Alumni

‎11-18-2022 11:10 PM

Hi in 9800's, you don't configure the interfaces unless DHCP relay or MDNS is required, configuring one SVI for WMI is more than sufficient. If you don't have this requirement, I suggest you configure a VLAN group and allow all these VLANs in the trunks connecting to the uplink switch/ or any network device. You can also use Radius server to assign the VLANs, which I think is best suited for you and in this case, it is enough that you simply create the L2 VLAN in the anchor WLC. 

Also remember if you are using any L3 authentication using Radius then radius packets are initiated from the anchor controller, if you are using any L2 authentication radius packets are sent from foreign controller. So make sure that your radius server is configured accordinly.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card