02-16-2012 04:57 AM - edited 07-03-2021 09:35 PM
Hi,
We've recently set up a WLAN infrastructure using a WLC2504 and Aironet 1261 LWAPs; two SSIDs are configured on the WLC; one configured for Guest [using lobby ambassador] and one configured for Internal use.
The requirement to deploy the Aironet 600 series APs has arisen due to the need to be more flexible with our teleworkers.
I've read through the community posts on the subject, Aironet 600 Series OfficeExtend Access Point Configuration Guide and reviewed the capabilities of the WLC2504 yet I'm still a little hazy as to if we can support OfficeExtend with the current infrastructure equipment or if we need to review the design as a whole.
From what I've gathered, OfficeExtend is supported on WLC2504s but they cannot be configured as a guest anchor controller; also, the 2500 series cannot terminate guest traffic outside the firewall, only originate guest tunnels.
Does this mean I need to deploy another WLC which can be configured as an anchor / EoIP, such as a WLC5508, as guest anchor controller / OfficeExtend controller in the DMZ with EoIP to the existing 2504?
The reason I ask is I couldn't find documentation with OfficeExtend referenced in context with an existing single WLC deployment; the configuration guide shows a WLC situated in the DMZ with a publicly reachable IP address and UDP ports 5246 and 5247 open - our solution currently consists of 1x WLC2504 on the internal LAN, which presumably we can't just relocate to the DMZ as internal APs won't be able to authenticate?
Regards,
Ryan Morgan
03-31-2012 09:16 PM
Hello,
For more information on OEAP-600, please watch the "Community Tech-Talk Series" Cisco Office Extend Access Point OEAP-600
Thanks,
Vinay Sharma
Community Manager - Wireless
02-16-2012 06:07 AM
It works very similar to having the anchor WLC. You still configure the FW to NAT UDP 5246/5247 to the inside address of the WLC. Whether or not it's in the DMZ or not is moot for the most part.
So configure the FW to NAT the above, and configure the NAT IP on the management interface of the WLC and see if your OEAP will join.
Steve
02-24-2012 07:49 AM
Hi Steve,
Wouldn't this pose a security risk? Effectively we would be allowing external devices to directly access the corporate network, albeit on specific ports.
Just wondering regarding best practices for solution design - I couldn't find any mention of OfficeExtend or OEAP in the SRND; realistically we could do this for our environment but in the case of most of our customers they wouldn't want any device to be able to register with the internal controller - I guess we're potentially two controllers in these cases.
Thanks for your input so far
Regards,
Ryan
02-24-2012 07:52 AM
Whatever device hits the wireless still has to authenticate. So if you are running 802.1x with the AD as the backend DB, they would have to compromise an account to gain access.
Then on the wired port, you can configure security as well, so not just any device can be connected.
Steve
06-19-2012 01:00 AM
Thanks Vinay, very useful link which has cleared up some of the questions I had.