25 APs / Port Anchor WLC versus Guest WLC

Jan 16th, 2009

Greetings, first timer here.

We're adding public internet access to our existing wireless network. We are using a 4402 WLC for our guest controller, and our secure WLC is a 4404.

Cisco recommends placing a limit of 25 APs per distribution port, and we utilize that practice on our 4404. My question is, once we add the guest controller, which uses the same APs as the Anchor controller, do we have to re-apply the 25 AP/port rule to the guest controller?

The 4404 obviously has 4 distribution ports giving a max of 100 APs, and the 4402 has 2 resulting in only 50 APs. We've got all of our APs covered by the best practice on the 4404, but would exceed that on the 4402.

I thought that because the data is moving between the WLCs via the ether tunnel, I was covered by the 4404.

Thoughts or suggestions?

I can't seem to find anything in the white papers or best practices.

Thanks to all


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Stephen Rodriguez Fri, 01/16/2009 - 14:54


If the 4402 is only for the guest anchoring, then no you do not need to redo the AP deployment. You are correct, the guests will all be sent across the mobility tunnel, UDP 16666 or 16667 and IP protocol 97, to the anchor controller.
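Since the guest WLC in this design sits behind a Linux-based firewall in the DMZ, the mobility tunnel Stephen describes (UDP 16666 or 16667 for control, IP protocol 97 for the tunnelled client data) has to be permitted between the two controllers' management addresses, while guest traffic that pops out of the tunnel on the anchor must still be kept away from the trusted network. The script below is an added example, not something posted in this thread or shipped by Cisco: it is a small POSIX shell function that emits an iptables FORWARD ruleset for that firewall. The function name `gen_mobility_rules`, the address arguments and the sample addresses in the usage comment are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): emit iptables FORWARD rules for a Linux
# DMZ firewall sitting between an internal (foreign) WLC and a DMZ guest anchor WLC.
# Only management-to-management traffic for the mobility tunnel is allowed through;
# guests, once de-tunnelled on the anchor, may only leave toward the internet.
#
# Arguments (all constructed placeholders in the usage line below):
#   $1  foreign (internal) WLC management IP
#   $2  anchor (DMZ) WLC management IP
#   $3  trusted internal network, CIDR, that guests must never reach
#   $4  guest client subnet, CIDR, served by the anchor's internal DHCP scope
#
# Usage: gen_mobility_rules 10.1.1.10 192.0.2.10 10.0.0.0/8 192.0.2.128/25 | sh
gen_mobility_rules() {
    foreign="$1"; anchor="$2"; trusted="$3"; guest="$4"

    # Mobility control messages: UDP 16666 (16667 is used as well, as noted in the
    # post above); both controllers initiate, so allow both directions explicitly.
    for port in 16666 16667; do
        echo "iptables -A FORWARD -p udp -s $foreign -d $anchor --dport $port -j ACCEPT"
        echo "iptables -A FORWARD -p udp -s $anchor -d $foreign --dport $port -j ACCEPT"
    done

    # Mobility data tunnel: IP protocol 97 (EtherIP) carries the anchored guest WLAN.
    # Note this is not TCP/UDP, so a port-based rule alone would silently drop it.
    echo "iptables -A FORWARD -p 97 -s $foreign -d $anchor -j ACCEPT"
    echo "iptables -A FORWARD -p 97 -s $anchor -d $foreign -j ACCEPT"

    # Guest isolation: the DROP toward the trusted network must come before the
    # ACCEPT toward everything else, because iptables matches in order.
    echo "iptables -A FORWARD -s $guest -d $trusted -j DROP"
    echo "iptables -A FORWARD -s $guest ! -d $trusted -j ACCEPT"

    # Everything not matched above falls through to the chain policy, which is
    # assumed to be DROP; nothing here opens DHCP or LWAPP back into the trusted side.
}
```

Because the APs stay joined to the internal 4404, no LWAPP traffic crosses this firewall at all; only the two controller management addresses talk to each other, which is what keeps the public side from needing any hole back into the secure network. A quick check after loading the rules is `iptables -L FORWARD -v -n`, confirming the protocol-97 counters increment as a guest client associates.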

Scott Fella Fri, 01/16/2009 - 20:58

To add onto Stephen's post, the guest WLC will reside in the DMZ and will not support any APs. The 4404 will contain your internal secure wireless, but now you will add another WLAN for guest users. This WLAN will be anchored to the guest anchor controller in the DMZ.

Here are some links:



lbrusso6824 Mon, 01/19/2009 - 08:17

Hey thanks a lot! Yes, the guest WLC is in a DMZ and we're moving the data over an ether tunnel.

Thanks for the links as well.



lbrusso6824 Mon, 01/19/2009 - 10:08

Hey Scott, and Stephen as well, could I impose one more question on you guys?

Will the guest users receive their IPs from the 4404's DHCP server via the Ether IP tunnel, or will the 4402, "Guest WLC", have to have its own DHCP server?

If they are carried over from the 4404 via the tunnel, do I point the 4402 to the 4404's DHCP server during configuration?

The reason I ask is that I thought all of the Management and AP-Manager interfaces had to be on the same subnet. The 4404's DHCP server would obviously be on a different subnet than my public WLC's interfaces.

Do you understand my question, or am I being as clear as mud?

wesleyterry Mon, 01/19/2009 - 11:31

I configure the DHCP scopes on the DMZ controller. If you configured them internally, then your public clients would need whatever additional ports back into your trusted network for the dhcp discovery....

lbrusso6824 Mon, 01/19/2009 - 12:02

Hey Wesley,

Thanks for replying again.

Ah yes good ole DORA!

It's funny how your brain can go to mush about the basic stuff when you're focusing on a new problem.

Well that adds a wrinkle. We want to keep the public and secure sides isolated.

We're planning on using a Linux based firewall to isolate and scrub the public traffic, so the guest WLC will be connected via a switch to the DMZ port of that firewall.

I had assumed that because the guest user would be using the same APs only different WLANs to the 4404 and then tunnel over to the 4402 for access to the internet, that the 4404 “Private WLC” would handle the initial DHCP transaction.

When you refer to the “DMZ Controller”, you're referring to the WLC that resides within the DMZ and not the DMZ Firewall correct?

During my first glance at the initial configuration routines I didn't see anywhere I could set up DHCP scopes.

The 4402 just prompts for an entry of the DHCP server IP address on the Management Interface.

I can't thank you enough for your help, I'm really treading water here. I know time is a valuable commodity, and I try to help others where I can to balance the help that I receive.

I know that's the long way around the barn to say thanks, but wanted you to know that I do indeed know the value of the help I receive.

Best regards


wesleyterry Mon, 01/19/2009 - 12:52

Point the WLAN on each controller to have a DHCP server of the management IP address of your DMZ controller.

Then on the GUI of the DMZ controller go to the section called Controller > Internal DHCP Server.

From there you create your DHCP scope...

The bottom line is that you want your guest clients to be treated like they physically reside in the DMZ, which is technically what is happening...

lbrusso6824 Mon, 01/19/2009 - 08:14

Thanks, I thought that was the case, but being new to this it's sure nice to be able to bounce it off of you folks.

Hopefully I'll be able to do the same for someone else one day.

Thanks again.


wesleyterry Sat, 01/17/2009 - 15:05

I have no factual information to back up what I am about to say and it may be partially incorrect, but this is how I always explained the process of guest anchoring:

So the 25 AP suggestion per interface I think is because of the fact that if you had more than 25 APs on one port, you could theoretically be oversubscribing the bandwidth that the port could provide ([email protected] = 1000mbps)....

Anyhow, unless you plan on actually sending a gig worth of traffic to your guest controller, I don't think there is any real need to split your anchor. I'm pretty sure guest controllers are usually for internet access and 1Gb worth of internet bandwidth sure seems like a lot to me..

Also, I had always thought of the anchor tunnel similar in nature to an AP LWAPP tunnel. The controller that supports 25 APs is designed to support 25 LWAPP tunnels. The 50AP model, supports 50 LWAPP tunnels. This same logic could be applied to the WLAN Anchor tunnels. Think of each WLAN Anchor Tunnel as an AP connected to a controller.

When a guest is anchored to the public controller, it isn't the AP that is tunneled there nor the client, it is the WLAN. So you could have 25 APs with the same guest WLAN, but really it is still just 1 WLAN anchored to the controller. If for some reason you wanted to do more than 25 different WLANs, then I would suggest splitting those WLANs between your interfaces...

I think the bottom line though is that if you aren't worried about over-subscribing your interface on the anchor controller, there shouldn't be any concerns.

lbrusso6824 Mon, 01/19/2009 - 08:19

Thank you for taking the time to reply, and adding your input.

I think between all of you folks I've got a little better footing.
