Nov 11th, 2008


We have some WLCs running 5.1 in the internal LAN. Now we want to enroll some SSIDs with DMZ services such as Internet. Therefore we have an external WLC in the DMZ outside. What is the exact way to configure an "Internet" SSID on the internal APs additionally, so that the internal WLC forwards that traffic to the external WLC, which decrypts it into "the Internet"? All WLCs are reachable; they all have the same virtual IP and the same RF and mobility group name.

We also have a running WCS.

As I remember, there was some guest WLAN access in the older WLC versions. In the newer configuration guide there is only a LAN guest access.

Thanks for Feedback

dneckermann Thu, 11/20/2008 - 03:37


My problem is that I want to create a WLAN/SSID on an internal WLC for customers with WPA2 security. Therefore I have to configure a virtual interface with the same IP address, a dynamic interface, and a WLAN/SSID with WPA on the anchor WLC behind the firewall. On the internal WLC where my APs are connected I want to use that external SSID. So to get this SSID anchored (and use the EoIP tunnel) I have to configure: one mobility group; a dynamic interface internally (with IP? VLAN?); the same SSID on the foreign WLC. My problem is now that the foreign WLC doesn't have the same physical VLAN and subnet, because it's in the inside network, so the communication works and the anchor process works also, but the client can't communicate with the subnet where the anchor is connected. There is also a DHCP problem for the clients. Symmetric tunnel is enabled; both WLCs have the same general config.

I found out that the first WLC does the Layer 2 authentication with its management address as source, and after that it pushes the client information to the anchor through the EoIP tunnel, and the anchor in the DMZ accepts that... and that's where it ends. Sometimes DHCP works (DHCP is also in the DMZ subnet), sometimes it does not work... but my problem is that there is no communication possible in the external DMZ subnet...

Is that scenario generally possible? In the guide, the Wired Guest Access section shows that situation, but there is no VLAN information, config information or other needed information to configure that scenario with wireless guest access and different VLANs/subnets on the WLCs. There is also no information on how to configure the dynamic interfaces...

Scott Fella Thu, 11/20/2008 - 05:27

The WLAN configuration has to be exact. The foreign WLC (internal) will tunnel traffic out the management interface, so you do not need to create a dynamic interface on the foreign WLC. The anchor WLC will be anchored to the foreign WLC through its management interface, and then you can either create a dynamic interface to dump the guests out onto the DMZ or just dump them out of the management interface in the DMZ. I usually will create the DHCP on the anchor WLC, unless you have a DHCP server in the DMZ. No need to open another hole in the FW for DHCP.

Wired is a different setup in general to wireless guest... get the wireless guest going first and then the wired.
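
As an added worked example (not part of the original thread, and not Cisco's documentation), here is the AireOS CLI configuration that the original question and the answer above describe: an anchor WLC in the DMZ terminating the guest SSID on a dynamic interface and handing out addresses from its internal DHCP server, and a foreign (internal) WLC that carries the same WLAN on its management interface and anchors it to the DMZ controller. The mobility group name, WLAN ID, VLAN, IP addresses, peer MAC addresses and the PSK are placeholders chosen for the example; the `!` lines are annotations for the reader, not commands.

```cisco
! ---- Anchor WLC in the DMZ (management IP 198.51.100.5, assumed) ----
! Mobility group: the name must match on every controller. The peer is added
! by the management MAC and management IP of the foreign (internal) WLC.
config mobility group domain GUEST-MOB
config mobility group member add 00:11:22:33:44:01 10.10.10.5

! Dynamic interface the guests are dropped onto in the DMZ (VLAN 200, assumed).
config interface create guest-dmz 200
config interface address guest-dmz 192.0.2.10 255.255.255.0 192.0.2.1
! Pointing the interface's DHCP server at the anchor's own management IP
! selects the controller's internal DHCP server, so no DHCP hole in the FW.
config interface dhcp dynamic-interface guest-dmz primary 198.51.100.5

! Internal DHCP scope for the guest subnet.
config dhcp create-scope guest
config dhcp network guest 192.0.2.0 255.255.255.0
config dhcp address-pool guest 192.0.2.100 192.0.2.200
config dhcp default-router guest 192.0.2.1
config dhcp enable guest

! Guest WLAN: profile name, SSID and security settings must be identical on
! both controllers. A newly created WLAN is disabled, so security can be set.
config wlan create 3 Internet Internet
config wlan security wpa enable 3
config wlan security wpa akm psk enable 3
config wlan security wpa akm psk set-key ascii ExamplePSK-change-me 3
config wlan interface 3 guest-dmz
! On the anchor, the WLAN is anchored to the anchor's own management IP.
config wlan mobility anchor add 3 198.51.100.5
config wlan enable 3

! ---- Foreign WLC on the inside (management IP 10.10.10.5, assumed) ----
config mobility group domain GUEST-MOB
config mobility group member add 00:11:22:33:44:02 198.51.100.5

config wlan create 3 Internet Internet
config wlan security wpa enable 3
config wlan security wpa akm psk enable 3
config wlan security wpa akm psk set-key ascii ExamplePSK-change-me 3
! No dynamic interface here: client traffic is tunnelled out the management
! interface to the anchor, so the inside VLAN and subnet do not matter.
config wlan interface 3 management
config wlan mobility anchor add 3 198.51.100.5
config wlan enable 3

! ---- Checks, run on either controller ----
show mobility summary            ! the peer should be listed as Up
mping 198.51.100.5               ! mobility control path (UDP 16666)
eping 198.51.100.5               ! EoIP data path (IP protocol 97)
show mobility anchor wlan 3
show client detail 00:aa:bb:cc:dd:ee  ! foreign: Export Foreign; anchor: Export Anchor
```

The firewall between the inside and the DMZ only has to pass the mobility control channel (UDP 16666) and the EoIP tunnel (IP protocol 97) in both directions between the two management addresses; the guest clients' DHCP and data traffic never leaves the tunnel until the anchor drops it onto the DMZ interface, which is why the answer above does not need a separate DHCP rule. If `mping` succeeds but `eping` fails, the firewall is blocking protocol 97, which matches the symptom of the anchoring working while the client gets no connectivity.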

dneckermann Mon, 12/01/2008 - 01:15


Thanks! I've configured the management interface for the WLAN SSID configuration, and after a reboot of the WLC it works! The documentation for that scenario isn't really good. It cost me some time to find out that the first WLC does the authentication, the configuration of the SSIDs...

But many thanks for help !

Scott Fella Mon, 12/01/2008 - 13:06

There are a lot of things that are not documented well, but this forum helps a lot.


