Guest VLAN - Mobility Anchor

mnordhoff · ‎02-19-2007

I've seen various configuration & deployment guides that explain the process for configuring guest access using mobility anchors but I'm still confused by one thing...

What is the purpose for creating a separate wired guest VLAN on the local switch and controller and then associating it with the guest WLAN? Why not just use the local controller's management interface instead since the nature of the mobility anchor concept is that a tunnel is built from the local controller to an anchor controller in the DMZ and DHCP is served from the anchor controller?

To me it seems the creation of a wired guest VLAN on the local switch and controller implies that the local guest VLAN is a required part in implementing the guest tunnel. Further, it would seem the wired guest VLAN itself would need to be secured via ACLs or an additional firewall, especially since it would then be routable to/from the private network.

rodney · ‎02-21-2007

I agree...the documentation Cisco has is (as usual) misleading and bad!

We did not set our network up as the documentation states with a Guest VLAN created on the switch. We implemented exactly as you stated. The internal controller simply builds a tunnel to the DMZ controller. The ip space is in fact in the DMZ and DHCP is served up off of the DMZ controller as well.

Once again cisco drops the ball in documentaion which is frustrating. A document that tells you to click or fill in an option is worthless...yeah, I know I need to fill in the blank...could you be a little more specific?

mnordhoff · ‎02-21-2007

Thanks for the info... I'll probably end up setting up a few different scenarios in the lab to see what works & what doesn't. For the record, you are VERY right about most of the documentation being ambiguous at best.