11-17-2015 03:39 AM - edited 07-05-2021 04:14 AM
Dear Forum Members,
Apologies if I am asking a foolish question. I have no prior experience in the new mobility architecture. I am working on a design which includes the following.
3 x 3850 (acting as MA)
1 x 5508 (acting as MC) - Foreign Controller
1 x 5508 (acting as Guest Anchor)
We need to have 2 VLANs, one for guest access and the other for staff access. I am planning the VLAN & IP address assignment and I am confused with new mobility. Please correct me if my understanding below is wrong.
At 3850, i need to create 2 vlans
vlan 1 - staff ssid
vlan 2 - wifi Mgmt
At Foreign controller side (i.e MC)
vlan 1 - staff ssid
vlan 2 - wifi mgmt
At Guest anchor controller,
vlan 3 - guest ssid
vlan 2 - wifi mgmt.
Please correct me if my understanding is wrong. I guess that the guest VLAN would work the same as in centralized access, in which all the VLAN traffic is encrypted back to the guest anchor, so I do not need to create that VLAN in the switch / MC.
Also, does this Mgmt VLAN need to be L2? The guest anchor would be in the DMZ and so it wouldn't be on the same VLAN as the foreign controller.
Please help if you can provide some inputs. There is no lab facility for me to test.
Thanks and regards,
dathan
Solved! Go to Solution.
11-17-2015 09:16 PM
So, do i need to create SVI for guest vlan in the 3850 MA? I know that we need to have the SVI for staff vlan since the 3850 terminates the CAPWAP.
The SVI needs to be defined on your L3 switch, not on all MA switches. The MA will simply terminate CAPWAP & hand over traffic as L2 in the respective VLAN. All your wireless user VLANs need to exist on the MA switches; the L3 SVI can be on a different switch.
Regarding Guest, you can map this to a dummy vlan in your MA switches. Something similar to this
wlan Guest 20 Guest
aaa-override
band-select
client vlan <dummy_vlan_name/number>
ip dhcp required
mobility anchor <Guest Anchor_Mgmt_IP>
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security ft over-the-ds
security web-auth
security web-auth authentication-list default
session-timeout 14400
no shutdown
I think in the MC you may not require SSID configuration; simply the MC & GA need to be in the mobility list.
HTH
Rasika
*** Pls rate all useful responses ***
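The accepted answer above lists the properties a guest WLAN stanza on the 3850 MA should have (anchored to the guest anchor, mapped to a dummy VLAN, DHCP required, open with web-auth) and, by contrast, the staff WLAN must keep WPA2/AES and 802.1X and must not be anchored. The following is an added config-audit script, not code from the thread or from Cisco: it parses IOS-XE style `wlan` stanzas and reports any of those properties that are missing. The sample configuration, the profile names `Guest` and `Staff`, the VLAN name `GUEST_DUMMY` and the anchor address `192.0.2.10` are constructed placeholders.

```python
"""Audit IOS-XE (3850 converged access) 'wlan' stanzas for the guest/staff design.

Added example, not Cisco code or the thread's own config. The sample config
below is constructed; VLAN names, the anchor IP and profile names are placeholders.
"""
import re

# Constructed sample: a guest WLAN anchored to the guest anchor plus a staff WLAN.
SAMPLE_CONFIG = """\
wlan Guest 20 Guest
 aaa-override
 band-select
 client vlan GUEST_DUMMY
 ip dhcp required
 mobility anchor 192.0.2.10
 no security wpa
 no security wpa akm dot1x
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security ft over-the-ds
 security web-auth
 security web-auth authentication-list default
 session-timeout 14400
 no shutdown
wlan Staff 10 Staff
 client vlan STAFF_USERS
 security wpa wpa2 ciphers aes
 security wpa akm dot1x
 security dot1x authentication-list default
 no shutdown
"""


def parse_wlans(config_text):
    """Split config text into {profile_name: {"id", "ssid", "lines"}} keyed by WLAN profile."""
    wlans = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"^wlan\s+(\S+)\s+(\d+)\s+(\S+)$", line)
        if m:
            current = {"id": int(m.group(2)), "ssid": m.group(3), "lines": []}
            wlans[m.group(1)] = current
        elif current is not None:
            current["lines"].append(line)
    return wlans


def _get(lines, prefix):
    """Return the argument of the first line starting with prefix, or None if absent."""
    for line in lines:
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:]
    return None


def audit_guest_wlan(wlan, dummy_vlans):
    """Checks from the accepted answer: anchored, dummy VLAN, DHCP required, open + web-auth."""
    lines = wlan["lines"]
    findings = []
    if _get(lines, "mobility anchor") is None:
        findings.append("no 'mobility anchor': guest traffic would exit locally instead of at the DMZ anchor")
    vlan = _get(lines, "client vlan")
    if vlan is None or vlan not in dummy_vlans:
        findings.append("'client vlan' is not one of the dummy VLANs: %r" % vlan)
    if "ip dhcp required" not in lines:
        findings.append("missing 'ip dhcp required'")
    if "security web-auth" not in lines:
        findings.append("missing 'security web-auth'")
    if "no security wpa" not in lines:
        findings.append("'no security wpa' absent: WPA still enabled on the open guest WLAN")
    if "no shutdown" not in lines:
        findings.append("WLAN is administratively down")
    return findings


def audit_staff_wlan(wlan):
    """Staff WLAN must be WPA2/AES with 802.1X and must not be anchored to the guest anchor."""
    lines = wlan["lines"]
    findings = []
    if "security wpa wpa2 ciphers aes" not in lines:
        findings.append("staff WLAN is not WPA2/AES")
    if "security wpa akm dot1x" not in lines:
        findings.append("staff WLAN does not use 802.1X key management")
    if _get(lines, "mobility anchor") is not None:
        findings.append("staff WLAN is anchored: staff traffic would be tunnelled to the DMZ anchor")
    return findings


def audit(config_text, guest_profile="Guest", staff_profile="Staff", dummy_vlans=("GUEST_DUMMY",)):
    """Return {profile: [findings]}; an empty list means the stanza passes."""
    wlans = parse_wlans(config_text)
    return {
        guest_profile: audit_guest_wlan(wlans[guest_profile], set(dummy_vlans)),
        staff_profile: audit_staff_wlan(wlans[staff_profile]),
    }


if __name__ == "__main__":
    for profile, findings in audit(SAMPLE_CONFIG).items():
        print(profile, "OK" if not findings else findings)
```

Run it against `show running-config | section wlan` output saved to a file (the command-line usage is left to the reader); the dummy-VLAN check is what catches a guest WLAN that was accidentally mapped to the staff user VLAN on an MA.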
11-17-2015 11:11 AM
Hi
I would suggest few things here.
Do not use the 5508 as MC; going forward, from 8.1 onward this functionality is not supported in AireOS controllers. See below:
http://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn81.html
With Release 8.1 in a New Mobility environment, Cisco WLCs running Cisco Wireless software cannot function as mobility controllers (MC). However, the Cisco WLCs can function as guest anchors.
Here are the answers to the other queries.
Does this Mgmt VLAN need to be L2? The guest anchor would be in the DMZ and so it wouldn't be on the same VLAN as the foreign controller.
No, two WLCs can have different management VLANs.
I guess that the guest VLAN would work the same as in centralized access, in which all the VLAN traffic is encrypted back to the guest anchor, so I do not need to create that VLAN in the switch / MC.
The MC is the one peering with the Guest Anchor, so the MC is required to have the Guest WLAN created. Refer below.
HTH
Rasika
*** Pls rate all useful responses ***
11-17-2015 08:57 PM
Thank you Rasika for your detailed response.
So, do I need to create an SVI for the guest VLAN in the 3850 MA? I know that we need to have the SVI for the staff VLAN since the 3850 terminates the CAPWAP.
I assume the SSID <-> interface/VLAN mapping for the guest SSID happens in the guest anchor. In the MC and MA, I can map the guest SSID to the management interface.
Please correct me if my understanding is wrong. Thanks a lot in advance.
Regards,
dathan
11-19-2015 02:59 AM
Hi Rasika,
Thanks a lot for your valued responses. Your advice really helped me a lot.
Regards,
dathan