02-02-2012 05:00 AM - edited 07-03-2021 09:29 PM
Hi,
I am setting up OfficeExtend. Just have a few queries regarding the setup.
I have placed the OfficeExtend WLC in the DMZ with a mgmt IP of 192.168.10.2, and am in the process of anchoring this to the internal WLC. Also, the IP on the firewall for this interface is 192.168.10.1.
1. Does the mobility group need to be the same as on the internal WLC?
2. Now do I need a NAT translation on the firewall for the external WAN IP (AP primed address, say 66.10.10.10) to NAT back to 192.168.10.2?
3. The 5508 WLC is running on ver 6.0.199.4 (license level base) - will this support OfficeExtend?
Thanks
02-02-2012 05:46 AM
The mobility group name doesn't have to match. As long as you have 6.0 or newer, you are fine. For NAT translation, you need to NAT udp 5246 & 5247 from your public to your dmz management interface. On the ap, the primary wlc should have the wlc host name (case sensitive) and the NAT ip address that you also specify in the management interface.
Thanks,
Scott Fella
02-02-2012 12:29 PM
Thanks Scott,
Can I NAT IP or do I specifically need to tie it down to ports 5246 and 5247?
Thanks
02-02-2012 12:36 PM
You need to specify both udp 5246 and 5247 or else the officeextend ap will not join the wlc.
02-03-2012 01:44 AM
Thanks again Scott :) I will try this and update you on how it went.
02-03-2012 02:39 AM
I may be reading this wrong, but your anchor DMZ is also being used for guest access, no? If so, then a mobility group should be used on the anchor which joins the internal controllers (foreign) for guest roaming.
But I could be reading your question wrong. Am I off base, Scott?
02-03-2012 02:54 AM
Now that I think about it, if you want to anchor your OE ssid to a foreign WLC, it does need to be in a mob group.
02-03-2012 04:46 AM
The DMZ WLC is only for OfficeExtend that is anchored back to the internal WLC. I thought the same, that it should be in the same mob group, but when Scott said the mobility group does not have to match, then I thought I was wrong!!
02-03-2012 04:51 AM
If you are roaming from one AP to another AP on a different WLC, then the mobility name should be the same. But even for a DMZ guest anchor for example... I never use the same mobility group name as the internal WLC, but it works either way. So this would be the same for OfficeExtend. Since your DMZ WLC is only for OfficeExtend, it really doesn't matter if you put it on the same mobility group as your internal WLC. You will not be doing any intercontroller roaming anyways.
02-03-2012 04:55 AM
Oh OK, I will try this on Monday and see how it goes (with the same mobility name and with different ones).
02-03-2012 04:56 AM
Yeah... keep us posted and also let us know what code you have on both.... don't know if you upgraded or not.
02-03-2012 08:51 AM
It does matter if the names are the same. The DMZ should ALWAYS be named different than an internal WLC. If the name is the same and your APs do not have primary/secondary specified, your APs will attempt to join the DMZ WLC instead of the internal WLC because it will be seen as the least utilized.
I always put a different mobility group name on the DMZ WLC hosting my OEAPs.
02-03-2012 08:53 AM
I agree.... I keep it different, but others like to keep it the same.
02-07-2012 04:36 AM
Tried this, but the tunnel didn't come up until the mobility group name was the same. Once the mobility group name was the same I could mping and eping, and the control and data came up, so I think it's a must.
Thanks
02-07-2012 04:42 AM
Thanks for the follow up. It shouldn't matter, but your testing proves otherwise. Might just be an OfficeExtend thing :) Thanks for the info though.