08-29-2011 01:52 PM - edited 07-03-2021 08:38 PM
I'm confused as to how to set up the remote LAN portion of the OfficeExtend solution. Do I need to set up this remote LAN with a local interface and have it talk to the controller's internal DHCP server? Or can I set up this remote LAN and anchor it off to my internal controllers?
Thanks
08-30-2011 09:24 AM
On ANCHOR DMZ WLC...
I have a WLAN called OE-WIRED
It is configured as a REMOTE LAN
Security Policy: None
It is anchored to 1 foreign controller and not to itself.
EGRESS: Management
On FOREIGN WLC...
I have a WLAN called OE-WIRED
It is configured as GUEST LAN
Security Policy: None
It is anchored to itself and nothing else
INGRESS: None
EGRESS: is set to an existing WIRED side interface, tested and working
Profile name is the same and correct.
08-30-2011 09:26 AM
Ok ...
When you look at the anchors, do they show up and up on both sides?
Is there a firewall between them?
Did you configure AP groups?
01-28-2015 02:36 AM
I was doing this for OE and wired tunneling from AP -> DMZ WLC -> Internal WLC. I wanted the wired phone to terminate via Anchor WLC (DMZ) towards the Internal WLC.
However, the anchoring for wired remote LAN isn't available like we see on "normal" WLAN SSIDs.
I hoped upgrading to 8.0.110 would solve it but it is still not available.
Not much use to terminate on the DMZ. I saw that someone was complaining about this and had issued a TAC case. Anyone know if this feature will be introduced and when?
01-28-2015 03:58 AM
That RLAN reverse tunnel like you mentioned has been removed as a feature from v7.2 or v7.4. You have to have the OEAP join the WLC on the inside. I don't think they have any plans on bringing this back.
-Scott
01-28-2015 04:42 AM
Thanks Scott. Do you know why they removed it?
Security concerns or something else?
I will probably then terminate them on the DMZ anchor and have a special VLAN on the firewall filtering the services needed.
01-28-2015 05:38 AM
The idea is to use the main WLC where the OEAP is joined to egress the wired traffic.
01-28-2015 06:04 AM
We have a pretty large deployment. It's best to drop it in the DMZ so the traffic can be inspected.
01-28-2015 05:57 AM
I think Viten explained it. Pretty much I noticed it when I upgraded our engineer lab WLC which was in the DMZ. I liked to be able to keep OEAPs in their own WLC separate from the inside WLC/APs. Now you have to add the MAC filters of each AP to prevent OEAPs that you don't want from joining. That means all your non-OEAPs also.
-Scott
08-30-2011 09:32 AM
on the foreign WLC do a:
>show guest-lan X
on the anchor WLC do a:
show remote-lan X
X = the number of your interface ...
Post what you have for both ..
08-30-2011 09:39 AM
Both the DMZ anchor controller and foreign controller show UP and UP between them.
No firewall in between them.
I did configure AP groups, but I have included OE-WIRED in the AP group for my office extend AP's.
The funny part is that when I take the AP 600 home with me, my other wireless SSID's I have broadcasted are working and I can pick up an IP off a foreign controller, so anchoring is working there. It's just with the wired port it is not working.
08-30-2011 09:41 AM
DMZ ANCHOR CONTROLLER:
(Cisco Controller) >show remote-lan 2
Remote LAN Identifier............................ 2
Profile Name..................................... OE-WIRED
Status........................................... Enabled
MAC Filtering.................................... Disabled
AAA Policy Override.............................. Disabled
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
Webauth DHCP exclusion........................... Disabled
Interface........................................ management
Remote LAN ACL................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
--More-- or (q)uit
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
FOREIGN CONTROLLER:
(Cisco Controller) >show guest-lan 2
Guest LAN Identifier............................. 2
Profile Name..................................... OE-WIRED
Status........................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ rumcwireless
Multicast Interface.............................. Not Configured
Ingress Interface................................ unconfigured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
--More-- or (q)uit
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Security
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Enabled
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
GLAN ID IP Address Status
------- --------------- ------
2 172.xx.x.xx Up
08-30-2011 12:20 PM
BTW -- once this is all worked out. You should consider some type of security on the WIRED side. If someone steals that AP and you have no security on the wired side they can be right into the heart of your network.
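The point above can be checked mechanically against the `show remote-lan` output posted in this thread. This is an added example, not part of the original posts or any Cisco tooling; the function names and the choice of which fields count as wired-side controls are assumptions of the example.

```python
import re

# Constructed sample: abbreviated from the `show remote-lan 2` output in this thread.
SAMPLE = """\
Remote LAN Identifier............................ 2
Profile Name..................................... OE-WIRED
Status........................................... Enabled
MAC Filtering.................................... Disabled
Remote LAN ACL................................... unconfigured
Radius Servers
   Authentication................................ Disabled
Security
--More-- or (q)uit
   802.11 Authentication:........................ Open System
   802.1X........................................ Disabled
   Web Based Authentication...................... Disabled
"""

# Fields treated as access controls on the wired port, with the value meaning "off".
# Assumption of this example, not a Cisco-defined baseline.
CONTROLS = {
    "MAC Filtering": "Disabled",
    "Remote LAN ACL": "unconfigured",
    "802.1X": "Disabled",
    "Web Based Authentication": "Disabled",
}

# "Key......... value": at least two dots separate key and value.
LINE = re.compile(r"^\s*(?P<key>.+?):?\s*\.{2,}\s*(?P<value>.*\S)\s*$")

def parse_show(text):
    """Turn dotted key/value lines into a dict; headers and pager prompts are skipped."""
    fields = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value")
    return fields

def audit_remote_lan(text):
    """Return (profile, controls that are off). A missing field counts as off."""
    f = parse_show(text)
    if f.get("Status") != "Enabled":
        return f.get("Profile Name"), []  # a disabled remote LAN carries no traffic
    off = [k for k, bad in CONTROLS.items() if f.get(k, bad) == bad]
    return f.get("Profile Name"), off

if __name__ == "__main__":
    profile, off = audit_remote_lan(SAMPLE)
    print(f"{profile}: wired port has no {', '.join(off)}" if off else f"{profile}: ok")
```

An enabled remote LAN for which every listed control comes back off is the situation the post warns about: whoever holds the AP gets the wired port's egress interface with no check in between.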
08-30-2011 01:11 PM
For others who may be using this thread in the future. The issue after everything was configured was related to a bug:
You need to make sure you enable a mandatory data rate in 1,2,5.5 or 11 and NOT in the OFDM.
If you find this helpful please rate helpful post ! Thanks
Evora:Remote LAN client fails association w/ 802.11b rates not mandatory.
Symptom: Remote LAN client(s) fail association to wired remote LAN tunneled to WLC.
On OEAP 602 event log:
*Jun 03 17:01:39.066: (Re)Assoc-Req from 48:5b:39:13:99:bd forwarded to WLC, wired: yes
*Jun 03 17:01:39.082: received assoc-rsp for idx=3, status=18
From WLC debug client:
*apfMsConnTask_3: Jun 03 13:01:31.832: 48:5b:39:13:99:bd Sending Assoc Response to station on BSSID ec:c8:82:c0:25:20 (status 18) Ap VapId 2 Slot 0
Conditions: WLC that supports OEAP 602 running 7.0.116.0 with 802.11g data rate configured as MANDATORY (6,9,12,18,24,36,48,54).
Workaround: Do not set 802.11g datarates to Mandatory.
03-10-2014 08:37 PM
03-10-2014 09:08 PM
Upon further investigation it seems the feature to anchor RLANs has been removed as of version 7.2. (CSCuf52450). We are currently running 7.5.102.0.
I have logged a TAC case to have the feature re-instated in the next release.