3278 Views, 0 Helpful, 25 Replies

Office Extend Deployment Questions

alex.dersch
Level 4

Hello,

I have a couple of questions regarding Office Extend deployment. We have an existing WLC 5508 with 30 access points; now we’d like to deploy 3 Office Extend antennas in home offices, to provide the same SSID as in the main office. We got a WLC 2504, which I think is best placed in the DMZ. I read I have to open the ports udp/5246 and udp/5247 on the outside firewall in the direction of the DMZ. What ports do I have to open from the DMZ to my inside network?

When I configure the WLC 2504 as an anchor controller, is all the traffic then sent first to the internal controller? If so, which ports are involved?

Thanks in advance

Alex


25 Replies

George Stefanick
VIP Alumni

Hi Alex

I would get up to speed by reading the OE config guide

http://www.cisco.com/en/US/products/ps11579/products_tech_note09186a0080b7f10e.shtml

I also created a quick cheat sheet here:

https://supportforums.cisco.com/community/netpro/wireless-mobility/security-network-management/blog/2012/06/28/cisco-wlc-anchor-controller-dmz-ports-w-officeextends

Keep in mind, you don't need all those ports open. You can anchor the traffic to the inside controllers (foreign) and provide the security there. I drop by in the DMZ.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hello George,

This was exactly what I was looking for. Thanks a lot.

Alex

George Stefanick
VIP Alumni

Good deal .. Stop back if you have issues ..

Sent from Cisco Technical Support iPhone App


Hi George, I think I got some new issues now.

I configured a WLAN via NCS and deployed it to the WLC in the inside network and the WLC in my DMZ. My client sees the SSID and gets successfully authenticated, it just doesn't get an IP address. I can see in the logs of the WLC in the DMZ that it sends a DHCP discover message to my DHCP server.

I thought it tunnels the request and sends it to the WLC in the inside network, and from there the request is sent to the DHCP server. Does it also mean I have to enable all data traffic from the WLC in the DMZ to the inside network?

Maybe I understand the concept of the anchor wrong?

And another strange behaviour is that my internal antennas are sending traffic on port udp/5246 to the controller in the DMZ, although they are not supposed to send data to the DMZ WLC.

thanks

Alex

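As an added illustration (my own example, not code from the thread, from Cisco, or from any poster), here is a small Python check that reads firewall flow records and classifies each one as expected or unexpected for the design being discussed: OEAPs in home offices join the DMZ WLC over CAPWAP (udp/5246 control, udp/5247 data), and the DMZ WLC's WLAN is anchored to the inside WLC so client traffic rides the mobility tunnel instead of leaving the DMZ WLC directly. Everything in it is an assumption I label as such: the addresses are RFC 5737 placeholders, the log format and the sample records are constructed, and the inter-controller mobility flows are taken as udp/16666 (mobility control) plus IP protocol 97 (EoIP data), which the thread does not state. It flags the two symptoms in the post above: an inside address sending CAPWAP to the DMZ WLC, and the DMZ WLC talking DHCP straight into the inside LAN.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder addresses (RFC 5737 test ranges), not from the thread.
DMZ_WLC = ipaddress.ip_address("192.0.2.10")        # anchor WLC 2504 in the DMZ
INSIDE_WLC = ipaddress.ip_address("198.51.100.10")  # WLC 5508 on the inside ("foreign")
INSIDE_NETS = [ipaddress.ip_network("198.51.100.0/24"),  # inside LAN, incl. the local APs
               ipaddress.ip_network("10.0.0.0/8")]

CAPWAP_CTRL, CAPWAP_DATA = 5246, 5247
MOBILITY_CTRL = 16666   # assumption: classic WLC mobility control port
EOIP = "97"             # assumption: IP protocol number of the EoIP mobility data tunnel


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str            # "udp", "tcp", or an IP protocol number as a string ("97")
    dport: Optional[int]  # None for protocols without ports


# Constructed record format: key=value pairs, dport optional.
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+)(?: dport=(\d+))?")


def parse(line: str) -> Flow:
    """Turn one constructed flow record into a Flow."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    src, dst, proto, dport = m.groups()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport) if dport else None)


def is_inside(ip: ipaddress.IPv4Address) -> bool:
    return any(ip in net for net in INSIDE_NETS)


def classify(f: Flow) -> Tuple[bool, str]:
    """Return (expected, reason) for one flow under the anchored OEAP design."""
    wlc_pair = {f.src, f.dst} == {DMZ_WLC, INSIDE_WLC}
    # CAPWAP towards the DMZ WLC: fine from the Internet (home-office OEAPs),
    # suspicious from the inside, where APs are meant to join the inside WLC.
    if f.dst == DMZ_WLC and f.proto == "udp" and f.dport in (CAPWAP_CTRL, CAPWAP_DATA):
        if is_inside(f.src):
            return False, "CAPWAP to the DMZ WLC from an inside address: an inside AP is joining the anchor"
        return True, "CAPWAP from a home-office OEAP to the DMZ WLC"
    # Controller-to-controller mobility: control channel and EoIP data tunnel.
    if wlc_pair and f.proto == "udp" and f.dport == MOBILITY_CTRL:
        return True, "mobility control between DMZ and inside WLC"
    if wlc_pair and f.proto == EOIP:
        return True, "EoIP mobility data tunnel between DMZ and inside WLC"
    # Anything else from the DMZ WLC into the inside LAN bypasses the tunnel
    # (e.g. the DMZ WLC relaying DHCP itself, which means the WLAN is not anchored).
    if f.src == DMZ_WLC and is_inside(f.dst):
        return False, "DMZ WLC talking directly into the inside LAN; should ride the mobility tunnel"
    return False, "not covered by the expected-flow policy"


def audit(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Classify every non-empty record; returns (record, expected, reason) triples."""
    return [(line.strip(), *classify(parse(line))) for line in lines if line.strip()]


# Constructed sample records (not real logs) covering the cases raised in the thread.
SAMPLE_LOG = """
src=203.0.113.5 dst=192.0.2.10 proto=udp dport=5246
src=203.0.113.5 dst=192.0.2.10 proto=udp dport=5247
src=198.51.100.77 dst=192.0.2.10 proto=udp dport=5246
src=192.0.2.10 dst=198.51.100.10 proto=udp dport=16666
src=198.51.100.10 dst=192.0.2.10 proto=97
src=192.0.2.10 dst=198.51.100.53 proto=udp dport=67
"""

if __name__ == "__main__":
    for record, ok, why in audit(SAMPLE_LOG.splitlines()):
        print("OK  " if ok else "WARN", record, "->", why)
```

Run it as-is and the third and sixth records come back as WARN; swap in your own addresses and export of firewall logs to use it for real. The policy is deliberately allow-list shaped: only the flows the design needs are "expected", so a rule opened "just to make it work" shows up as a warning rather than silently widening the DMZ-to-inside path.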
Scott Fella
Hall of Fame

You need to create a reverse anchor. So from the DMZ WLC, the WLAN should anchor to the foreign WLC, and the foreign WLC WLAN should anchor to itself. The WLANs also need to match identically except for the interface they are mapped to.


-Scott
*** Please rate helpful posts ***

Hi Scott, in this scenario which one is the foreign WLC?

Thanks

It's reversed. So the DMZ WLAN anchors to the inside WLC and the inside WLC WLAN anchors to itself.


Hi Scott,

You mentioned reverse anchor is not supported any more in thread https://supportforums.cisco.com/thread/2186736

regards

Alex

Reverse anchor is one way of doing it. I think what Scott means is you can't drive the wired traffic back into the foreign WLC ..

Let's step back for a moment. You have an OE AP deployed. That AP phones home to an anchor WLC in the DMZ.

You can either drop the traffic right there in the DMZ and police it back into the network. Or you can anchor that WLAN to the inside controller, also called the foreign controller. In this design the traffic hits the DMZ controller and is then passed through to the foreign via anchoring ..

The reverse anchor simply means you are pushing the traffic by anchoring the WLAN to the inside controller. It's the opposite of what you would do for a guest WLAN.

Make sense so far ?

Me, I drop my oe traffic in the DMZ ..


Hi George, I am still struggling with my wireless LAN segments. I'd like to send client data from the OE AP through the firewall to the foreign controller (in my inside LAN) before it is sent to the final destination in my LAN segments. I think that's the reverse anchor scenario.

I already configured a default mobility group on the foreign controller called wifi, and on the anchor I have the default mobility group oeap.

Then I configured on the foreign controller a new mobility group named oeap with the IP address of the controller in the DMZ,

and on the controller in the DMZ I configured a new mobility group with name wifi and the IP address of the controller inside.

Is this correct?

regards

Alex

Yes it does. Confirm by looking at the mobility tunnels are they "up"?

You then need to go into the anchor controller and select WLANs. Next to your OE WLAN there is a blue box; you then need to select anchor and then select the inside controller.

You need to do the same on your inside controller. Select the WLAN and then anchor to itself (local) ..

Did you do that ?


Scott Fella
Hall of Fame

Wireless WLANs you can anchor to the inside; wired from the OEAP600 you can't anchor. So depending on whether you also want to use the wired port on the OEAP600, you would need your OEAP600 to join your inside WLCs.


Hello Scott,

I finally could make it run. I missed the blue square anchor thing. It's working fine for my wireless. No chance to get the wired LAN up and running with the WLC in the DMZ. It's quite disappointing; I have to get wireless phones now instead of wired ones.

Anyways, thanks a lot, you guys helped me a lot, so I can fly to Cisco Live without a headache.

regards

Alex

You can drop the wired traffic in the DMZ. This is what I do .. If you do use wireless see my blog post about OE and cisco phones...

https://supportforums.cisco.com/community/netpro/wireless-mobility/wireless-voice-video/blog/2013/02/26/bug-csctn75346-7925-phone-loses-5-ghz-connection-intermittently-with-oeap600

Going to Live ? I will be presenting with Cisco on 802.11ac on Tuesday. Stop by and say Hi .. Scott will be there as well. Steve is still up in the air ..
