WLC 5508 Office extend - remote LAN

latintrpt
Level 1
I'm confused as to how to setup the remote LAN portion of the office extend solution.  Do I need to set up this remote LAN with a local interface and have it talk to the controller's internal DHCP server?  Or can I set up this remote LAN and anchor it off to my internal controllers?

Thanks

On ANCHOR DMZ WLC...

I have a WLAN called OE-WIRED

It is configured as a REMOTE LAN

Security Policy: None

It is anchored to 1 foreign controller and not to itself.

EGRESS: Management

On FOREIGN WLC...

I have a WLAN called OE-WIRED

It is configured as GUEST LAN

Security Policy: None

It is anchored to itself and nothing else

INGRESS: None

EGRESS: is set to an existing WIRED side interface, tested and working

Profile name is the same and correct.

Ok ...

When you look at the anchors do they show up and up on both sides?

Is there a firewall between them?

Did you configure AP groups ?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I was doing this for OE and wired tunneling from AP -> DMZ WLC -> Internal WLC. I wanted the wired phone to terminate via Anchor WLC (DMZ) towards the Internal WLC.

However the anchoring for wired remote LAN isn't available like we see on "normal" WLAN SSIDs.

I hoped upgrading to 8.0.110 would solve it but it is still not available.

Not much use to terminate on the DMZ. I saw that someone was complaining about this and had issued a TAC case. Anyone know if this feature will be introduced and when?

That RLAN reverse tunnel like you mentioned has been removed as a feature from v7.2 or v7.4. You have to have the OEAP join the WLC on the inside. I don't think they have any plans on bringing this back.

-Scott

*** Please rate helpful posts ***

Thanks Scott. Do you know why they removed it?

Security concerns or something else?

 

I will probably then terminate them on the DMZ anchor and have a special VLAN on the firewall filtering the services needed.

The idea is to use the main WLC where the OEAP is joined to egress the wired traffic.

We have a pretty large deployment. It's best to drop it in the DMZ so the traffic can be inspected.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

I think Viten explained it. Pretty much I noticed it when I upgraded our engineer lab WLC which was in the DMZ. I liked to be able to keep OEAPs in their own WLC separate from the inside WLC/APs. Now you have to add the MAC filters of each AP to prevent OEAP's that you don't want from joining. That means all your non OEAP's also.

-Scott

*** Please rate helpful posts ***

on the foreign WLC do a:

>show guest-lan X

on the anchor WLC do a:

show remote-lan X 

X = the number of your interface ...

Post what you have for both ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

both the DMZ anchor controller and foreign controller show UP and UP between them. 

No firewall in between them.

I did configure AP groups, but I have included OE-WIRED in the AP group for my office extend AP's.

The funny part is that when I take the AP 600 home with me, my other wireless SSID's I have broadcasted are working and I can pick up an IP off a foreign controller, so anchoring is working there.  It's just with the wired port it is not working.

DMZ ANCHOR CONTROLLER:

(Cisco Controller) >show remote-lan 2

Remote LAN Identifier............................ 2

Profile Name..................................... OE-WIRED

Status........................................... Enabled

MAC Filtering.................................... Disabled

AAA Policy Override.............................. Disabled

Maximum number of Associated Clients............. 0

Number of Active Clients......................... 0

Exclusionlist.................................... Disabled

Session Timeout.................................. Infinity

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

Remote LAN ACL................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Radius Servers

   Authentication................................ Disabled

   Accounting.................................... Disabled

   Dynamic Interface............................. Disabled

Local EAP Authentication......................... Disabled

Security

--More-- or (q)uit

   802.11 Authentication:........................ Open System

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------

FOREIGN CONTROLLER:

(Cisco Controller) >show guest-lan 2

Guest LAN Identifier............................. 2

Profile Name..................................... OE-WIRED

Status........................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Number of Active Clients......................... 0

Exclusionlist.................................... Disabled

Session Timeout.................................. Infinity

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ rumcwireless

Multicast Interface.............................. Not Configured

Ingress Interface................................ unconfigured

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

--More-- or (q)uit

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver (best effort)

Radius Servers

   Authentication................................ Disabled

   Accounting.................................... Disabled

Security

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Enabled

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

Band Select...................................... Disabled

Load Balancing................................... Disabled

Mobility Anchor List

GLAN ID     IP Address            Status

-------     ---------------       ------

2           172.xx.x.xx           Up

BTW -- once this is all worked out. You should consider some type of security on the WIRED side. If someone steals that AP and you have no security on the wired side they can be right into the heart of your network.

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________
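An added example, not part of the original thread and not Cisco tooling: a small audit that parses `show remote-lan` output like the one posted above and lists the wired-side controls that are missing, which is the exposure the last post warns about. The sample text is constructed in the thread's format, and the choice of which fields count as controls is this example's assumption.

```python
import re

# Constructed sample in the format of the `show remote-lan` output posted above.
SAMPLE = """\
Remote LAN Identifier............................ 2
Profile Name..................................... OE-WIRED
Status........................................... Enabled
MAC Filtering.................................... Disabled
Remote LAN ACL................................... unconfigured
Radius Servers
   Authentication................................ Disabled
Security
--More-- or (q)uit
   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Web Based Authentication...................... Disabled
"""

FIELD = re.compile(r"^(\s*)(.+?)\s*\.{2,}\s*(.*)$")

# Assumption of this example: these fields are the wired-side controls worth flagging.
WEAK = [
    ("MAC Filtering", "Disabled", "no MAC filtering on wired clients"),
    ("Remote LAN ACL", "unconfigured", "no ACL on tunneled wired traffic"),
    ("Security/802.1X", "Disabled", "no 802.1X on the wired port"),
    ("Security/Web Based Authentication", "Disabled", "no web authentication"),
]

def parse_show(text):
    """Return {field: value}; indented fields are keyed as 'Section/field'."""
    fields, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("--More--", "(")):
            continue  # blank lines, pager prompts, CLI prompt echo
        m = FIELD.match(raw)
        if m is None:
            section = line  # a bare line such as "Security" opens a section
            continue
        indent, key, value = m.groups()
        key = key.rstrip(":")
        fields[f"{section}/{key}" if indent and section else key] = value.strip()
    return fields

def audit(fields):
    """List missing wired-side controls for an enabled remote LAN profile."""
    if fields.get("Status") != "Enabled":
        return []
    return [msg for key, weak, msg in WEAK if fields.get(key) == weak]

if __name__ == "__main__":
    for finding in audit(parse_show(SAMPLE)):
        print("OE-WIRED:", finding)
```
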

For others who may be using this thread in the future. The issue after everything was configured was related to a bug:

You need to make sure you enable a mandatory data rate in 1,2,5.5 or 11 and NOT in the OFDM.

If you find this helpful please rate helpful post ! Thanks

CSCtq76431            Bug Details

Evora:Remote LAN client fails association w/ 802.11b rates not mandatory.
Symptom:
Remote LAN client(s) fail association to wired remote LAN tunneled to WLC.  On
OEAP 602 event log:

*Jun 03 17:01:39.066: (Re)Assoc-Req from 48:5b:39:13:99:bd forwarded to WLC,
wired: yes
*Jun 03 17:01:39.082: received assoc-rsp for idx=3, status=18

From WLC debug client:

*apfMsConnTask_3: Jun 03 13:01:31.832: 48:5b:39:13:99:bd Sending Assoc Response
to station on BSSID ec:c8:82:c0:25:20 (status 18) Ap VapId 2 Slot 0

Conditions:
WLC that supports OEAP 602 running 7.0.116.0 with 802.11g data rate configured
as MANDATORY (6,9,12,18,24,36,48,54).

Workaround:
Do not set 802.11g datarates to Mandatory.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Hi George, Thanks a lot for your instructions. There is very little official Cisco info about RLANs so this has been very useful. However, the problem I have is that I am unable to anchor the Remote LAN on my DMZ controller to the foreign WLC. The mobility anchor option is not available when I click the arrow next to the RLAN (screenshot as attached). Any suggestions?

 Upon further investigation it seems the feature to anchor RLANs has been removed as of version 7.2. (CSCuf52450). We are currently running 7.5.102.0.

I have logged a TAC case to have the feature re-instated in the next release.
