Redundant guest anchor/office extend 5508 controllers

latintrpt
Level 1

Hello,

We are looking to deploy 2 guest anchor/office extend 250 AP 5508 Controllers.

The first 5508 would be primary for both public wireless and OfficeExtend APs.  The second 5508 would not be used unless the first controller fails.

What is best practice when it comes to the certificate for public wireless?  Should I create a single certificate for both controllers or have two different certificates?

Thanks

14 Replies

George Stefanick
VIP Alumni

I have a very large guest network and we leverage OE as well. When it comes to the certificates for guest services, you can use the same one on both controllers with no issues. Or you could use two. We use one certificate on both our anchors.

__________________________________________________________________________________________
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
__________________________________________________________________________________________
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
___________________________________________________________

Hi George,

Thank you for your fast response.

So this means you use the same DNS name for both controllers and if your first controller fails you would just need to change the DNS entry to point to the secondary controller?

George is correct... You can use the same cert for WebAuth on as many WLCs as you want :). It's the FQDN that needs to resolve via DNS. The DNS resolves the FQDN to the WLC VIP address, which will all need to be the same.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Thanks to George and Scott.

Lets step back for a second.

You have a virtual address on each controller and they should all be the same. For example 1.1.1.1. On the WLC under the virtual interface there is a DNS entry ... this is where you put your DNS name, like guest.network.com.

You then get a cert called guest.network.com and you add an A record to resolve guest.network.com to 1.1.1.1 in DNS.

So when a client opens a page they get the cert going to guest.network.com. Your DNS resolves it to 1.1.1.1. Then you get the guest page; <1.1.1.1> is where the guest page lives.

Also there is no real failover when it comes to guest. Guests get round-robined to the anchors.

With all this being said, the common piece in all of this is the virtual interface, and they all need to be the same -- in this case 1.1.1.1.

Also, if you are a guest and you land on anchor #1 and you hit 1.1.1.1, it's the local virtual interface for that controller.

Does this all make sense?

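To make the rule in the post above concrete, here is an added example (mine, not code from the thread or from Cisco) that checks a redundant anchor pair for the things that have to line up: every anchor's virtual interface carries the same IP and the same DNS hostname, the WebAuth certificate is issued for that hostname, and the public A record resolves the hostname to that virtual IP. The anchor dictionaries, certificate names and DNS records are constructed inputs; 1.1.1.1 is kept only because it is the placeholder used above (it is a publicly routed address, so pick something that is not routed on your network). Because the A record points at the virtual IP every anchor shares, not at either controller's management address, nothing in DNS has to change when one anchor is down.

```python
"""Consistency check for a WebAuth certificate shared by redundant guest anchors.

Added example: not code from the thread or from Cisco. The inputs below are
constructed; controller names, hostnames and addresses are placeholders.
"""
import ipaddress


def cert_covers(host, cert_names):
    """True if host matches one CN/SAN entry. A leading '*.' matches exactly one label."""
    host = host.lower()
    for name in cert_names:
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.endswith(name[1:]) \
                and host.count(".") == name.count("."):
            return True
    return False


def check_anchor_webauth(anchors, cert_names, dns_a_records):
    """Return a list of findings; an empty list means the pair is consistent.

    anchors:        list of {"name", "virtual_ip", "virtual_dns_host"} dicts,
                    one per anchor controller (its virtual interface settings)
    cert_names:     CN plus SANs of the WebAuth certificate installed on every anchor
    dns_a_records:  hostname -> IPv4 address, what the public resolver returns
    """
    findings = []
    vips = {a["virtual_ip"] for a in anchors}
    hosts = {a["virtual_dns_host"].lower() for a in anchors}

    # Every anchor must present the same virtual IP: a guest lands on any
    # anchor, and the single A record can only point at one address.
    if len(vips) != 1:
        findings.append(f"virtual interface IPs differ across anchors: {sorted(vips)}")
    for vip in vips:
        try:
            ipaddress.IPv4Address(vip)
        except ValueError:
            findings.append(f"virtual IP {vip!r} is not a valid IPv4 address")

    # The DNS hostname on the virtual interface is what the login redirect uses,
    # so it must be identical everywhere and must be a name the cert is valid for.
    if len(hosts) != 1:
        findings.append(f"virtual interface DNS hostnames differ: {sorted(hosts)}")
    for host in hosts:
        if not cert_covers(host, cert_names):
            findings.append(f"certificate is not valid for {host}; it covers {sorted(cert_names)}")
        resolved = dns_a_records.get(host)
        if resolved is None:
            findings.append(f"no A record for {host}")
        elif resolved not in vips:
            findings.append(f"A record for {host} is {resolved}, not the virtual IP {sorted(vips)}")
    return findings


# Constructed sample data.
CERT_NAMES = {"guest.network.com"}
DNS_OK = {"guest.network.com": "1.1.1.1"}
ANCHORS_OK = [
    {"name": "anchor-1", "virtual_ip": "1.1.1.1", "virtual_dns_host": "guest.network.com"},
    {"name": "anchor-2", "virtual_ip": "1.1.1.1", "virtual_dns_host": "guest.network.com"},
]
# Second anchor built with a different virtual IP: the drift that breaks the guest page.
ANCHORS_DRIFTED = [
    ANCHORS_OK[0],
    {"name": "anchor-2", "virtual_ip": "1.1.1.2", "virtual_dns_host": "guest.network.com"},
]

if __name__ == "__main__":
    for label, anchors in (("consistent pair", ANCHORS_OK), ("drifted pair", ANCHORS_DRIFTED)):
        print(label, check_anchor_webauth(anchors, CERT_NAMES, DNS_OK) or ["OK"])
```

Run it against the values pulled from each controller's virtual interface page and from a `dig` of the portal name; a wildcard certificate for the domain passes, a certificate issued for a different portal name or an A record pointing at a management address is reported.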

BTW -- I blogged about the certs for guest and set up here if you need it

http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html


This makes sense.  What would I need to do so that the networks don't overlap on both controllers for guest?  Would I need to make new networks on the secondary controller:

Primary Controller

You have yourself a lot of guest subnets right there.

If both anchors share the same L2 you can share scopes / subnets.

But since you are using the WLC for DHCP (which I would not), you can split the scope start/end on each controller. Also, best practice is to tag all your interfaces. I see you have the management not tagged.


Yup, we do.

So what you are saying is:

Primary Controller 1

guest-scope-p

172.21.32.20 - 172.21.35.254 / 255.255.252.0

Primary Controller 2

guest-scope-p

172.21.36.20 - 172.21.39.254 / 255.255.252.0

So essentially splitting it in the middle so I have 1000 addresses on both controllers that the client can choose from on either controller.

Is this correct?

Right, but keep the subnet mask the same and exclude the ranges that overlap. Otherwise your GWs and broadcast will be jacked up. Makes sense?

The DHCP server is just handing out addresses; it doesn't care what address it is.

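The split proposed above and the "same mask, exclude the overlap" rule, as an added example (mine, not code from the thread or from Cisco): a small validator that takes each controller's guest scope and reports what would break gateways and broadcast. It checks that both scopes describe the same subnet with the same gateway, that neither lease range contains the network, gateway or broadcast address, and that the two lease ranges do not overlap. The lease ranges are the ones posted above; the 172.21.32.0/21 subnet and the 172.21.32.1 gateway are assumptions, since the original scope definition is not in the thread.

```python
"""Validator for a guest DHCP scope split across two anchor controllers.

Added example, not from the thread or from Cisco. Both controllers serve the
same guest VLAN, so they must agree on subnet and gateway and hand out
disjoint slices of the address space. Sample scopes are constructed from the
ranges posted above; the /21 subnet and the gateway are assumptions.
"""
import ipaddress


def scope(name, network, gateway, start, end):
    """Describe one controller's DHCP scope; network is CIDR text, e.g. '172.21.32.0/21'."""
    return {
        "name": name,
        "network": ipaddress.ip_network(network, strict=True),
        "gateway": ipaddress.ip_address(gateway),
        "start": ipaddress.ip_address(start),
        "end": ipaddress.ip_address(end),
    }


def lease_count(s):
    """Number of addresses the scope can hand out."""
    return int(s["end"]) - int(s["start"]) + 1


def check_split_scopes(a, b):
    """Return findings for a pair of scopes; an empty list means the split is clean."""
    findings = []
    for s in (a, b):
        net = s["network"]
        if s["start"] > s["end"]:
            findings.append(f"{s['name']}: range start {s['start']} is after end {s['end']}")
            continue
        if s["start"] not in net or s["end"] not in net:
            findings.append(f"{s['name']}: range {s['start']}-{s['end']} is outside {net}")
        if s["gateway"] not in net:
            findings.append(f"{s['name']}: gateway {s['gateway']} is outside {net}")
        # Leasing any of these to a client breaks its routing or broadcast.
        reserved = (("network address", net.network_address),
                    ("broadcast address", net.broadcast_address),
                    ("gateway", s["gateway"]))
        for label, addr in reserved:
            if s["start"] <= addr <= s["end"]:
                findings.append(f"{s['name']}: {label} {addr} falls inside the lease range")

    # Same mask and same subnet on both controllers, as the thread recommends.
    if a["network"] != b["network"]:
        findings.append(f"scopes are in different subnets: {a['network']} vs {b['network']}")
    elif a["gateway"] != b["gateway"]:
        findings.append(f"gateways differ: {a['gateway']} vs {b['gateway']}")

    # Disjoint lease ranges: the overlap is exactly what one side must exclude.
    lo, hi = max(a["start"], b["start"]), min(a["end"], b["end"])
    if lo <= hi:
        findings.append(f"lease ranges overlap on {lo}-{hi}; exclude that range on one controller")
    return findings


# Constructed scopes. The split as the thread settles on it: one /21, two disjoint halves.
SHARED_SUBNET = (
    scope("anchor-1", "172.21.32.0/21", "172.21.32.1", "172.21.32.20", "172.21.35.254"),
    scope("anchor-2", "172.21.32.0/21", "172.21.32.1", "172.21.36.20", "172.21.39.254"),
)
# The same ranges with a /22 mask on each side: two different subnets and gateways.
PER_CONTROLLER_MASK = (
    scope("anchor-1", "172.21.32.0/22", "172.21.32.1", "172.21.32.20", "172.21.35.254"),
    scope("anchor-2", "172.21.36.0/22", "172.21.36.1", "172.21.36.20", "172.21.39.254"),
)
# Second range starts too early: both controllers would lease 172.21.35.100-254.
OVERLAPPING = (
    SHARED_SUBNET[0],
    scope("anchor-2", "172.21.32.0/21", "172.21.32.1", "172.21.35.100", "172.21.39.254"),
)

if __name__ == "__main__":
    for label, pair in (("shared subnet", SHARED_SUBNET),
                        ("per-controller mask", PER_CONTROLLER_MASK),
                        ("overlapping", OVERLAPPING)):
        print(label, check_split_scopes(*pair) or ["OK"],
              lease_count(pair[0]), lease_count(pair[1]))
```

The clean split gives each controller 1003 leases, the "1000 addresses on both controllers" from the post above. If the DHCP service moves off the WLC to an external server, as George suggests, there is one scope and nothing to split.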

Makes perfect sense, I got you.

Thank You again

Thanks for supporting the rating system


George, I have one final question, and this in regards to redundancy with OfficeExtend.

On the actual AP-600, you can only specify one DMZ Controller IP address.  How can I add in the second?  How do I get redundancy to work on a new controller I add?

Thanks

George Stefanick
VIP Alumni

After the AP600 joins the anchor, click on Wireless, then the AP600. Under High Availability you will see 3 fields.

Sent from Cisco Technical Support iPhone App
