Wireless guest access and anchor controller

Unanswered Question

Ok.. perhaps I am a big dummy but I can't find any really good documentation on how to set up a 4400 in a DMZ for wireless guest access. I know you would have to set up mobility groups and make sure you can ping the controllers across the network.. I am just not sure how to do all this and where to set up the guest wireless. Which controller does this WLAN go on? What other things do I have to set up to make this all happen?

If anyone can point me to a good document I would be forever grateful.


wesleyterry Thu, 01/22/2009 - 16:42

So I've been meaning to write up a real document on this configuration, but I'll try to give you a brief configuration starting point:

The bottom line is that you need to configure the same WLAN with the exact same settings on each controller.

Set up a DHCP scope on the DMZ controller that hands out the client addresses you want to give (that are routeable in the DMZ to the internet).

Configure mobility groups with MAC and IP of the controllers but the group name does not have to match. In fact, I recommend your DMZ controller being in a different mobility domain. So on the dmz, define the internal controller with the internal controller mobility name. On the internal controller, define the dmz controller with the dmz mobility name....

On the Internal Controller, when viewing the WLANs, there is an option to anchor the WLAN (little blue drop down on the far right next to each wlan). Select this option and create an anchor and choose the IP address of the DMZ Controller.

Now, when an AP has a client on the ssid, the controller anchors to the dmz, dmz controller gives it an IP address and the client is effectively in the DMZ only.

I'll try to write a better one in detail later tonight.

wesleyterry Thu, 01/22/2009 - 17:49

I haven't read Cisco's Guide, but here are all the steps I did for 4.1:

Internal Trusted Controller will be referred to as LAN-Con

DMZ Guest Controller will be referred to as DMZ-Con

Setting up Default Mobility Domain Name

Controller > General

Default Mobility Domain Name:

*Set the LAN-Con in one Domain Name, and the DMZ-Con in a different Domain Name.

Setting up Mobility Groups

Controller > Mobility Management > Mobility Groups

Note the Value of MAC Address and IP Address listed for the (Local) entry, for each controller that will be added in the mobility group.

On each Controller, click New and add the corresponding entries for each other controller to be in the group.

For example, on the LAN-Con, enter the IP Address, MAC Address and Default Mobility Domain Name of the DMZ-Con.

On the DMZ-Con, enter the IP Address, MAC Address and Default Mobility Domain Name of the LAN-Con.

Configuring WLAN


Configure a WLAN on each controller with identical settings that will be your Guest WLAN/SSID.

Select the WLAN Interface as the Management Interface.

*I have heard it is suggested to create a private interface entry on the LAN-Con, but I have not tested this.

*On the DMZ-Con, use the Management Interface unless for some reason you have multiple vlans in the DMZ and need this traffic on a different interface.

Set the DHCP Server on each Controller for the WLAN to point to the Management IP of the DMZ-Con.

Anchoring the WLAN

From the LAN-Con:


Select the Blue Drop-Down to the Right of the WLAN to be used for Guest Access.

Select Mobility Anchors

Set "Switch IP Address (Anchor)" drop-down to the DMZ-Con.

*These entries are the values in the Mobility Groups section, previously defined.

Select Mobility Anchor Create

*WLAN is now Anchored to the DMZ-Con.

From the DMZ-Con:

Do the above steps, but select the "Switch IP Address (Anchor)" as the DMZ-Con IP Address (local).

*LAN-Con should be anchored to DMZ-Con. DMZ-Con should be anchored to itself.

Configuring DHCP

From the DMZ-Con:

Controller > Internal DHCP Server

New >

Edit the DHCP Scope that has been created to include all necessary information.

*Be sure to define the network address with the subnet mask for the subnet.

Apply the configuration and DHCP will now work.

****Apply the SSID on the LAN-Con to an AP and those clients should be anchored to the DMZ-Con

****This guide assumes all appropriate routing has been taken care of between the LAN-Con and the DMZ-Con.
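
The invariants from the steps above (different mobility domain names, reciprocal mobility group entries, identical WLAN settings, both controllers anchored to the DMZ-Con, DHCP pointing at the DMZ-Con) written as an audit check. This is an added example, not part of the original post or of Cisco's tooling; the dictionary layout, function names, addresses and setting values are assumptions constructed for illustration.

```python
# Added example: audit a guest-anchor design against the invariants in the steps above.
# The dict layout is hypothetical (not a Cisco export format); all values are constructed.

def audit_guest_anchor(lan, dmz, ssid):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    # Mobility domain names should differ between LAN-Con and DMZ-Con.
    if lan["domain"] == dmz["domain"]:
        findings.append("controllers share a mobility domain name")
    # Each controller must list the other with its IP, MAC and domain name.
    for local, peer, name in ((lan, dmz, "LAN-Con"), (dmz, lan, "DMZ-Con")):
        want = (peer["ip"], peer["mac"].lower(), peer["domain"])
        have = {(m["ip"], m["mac"].lower(), m["domain"]) for m in local["mobility_members"]}
        if want not in have:
            findings.append(f"{name}: mobility entry for peer missing or wrong")
    lw, dw = lan["wlans"].get(ssid), dmz["wlans"].get(ssid)
    if lw is None or dw is None:
        findings.append("guest WLAN not defined on both controllers")
        return findings
    # WLAN settings must be identical; the anchor list is compared separately.
    for key in sorted((set(lw) | set(dw)) - {"anchors"}):
        if lw.get(key) != dw.get(key):
            findings.append(f"WLAN setting differs: {key}")
    # Both controllers anchor the WLAN to the DMZ-Con (the DMZ-Con to itself).
    for wlan, name in ((lw, "LAN-Con"), (dw, "DMZ-Con")):
        if wlan.get("anchors") != [dmz["ip"]]:
            findings.append(f"{name}: WLAN not anchored only to DMZ-Con")
    # DHCP for the WLAN points at the DMZ-Con management IP on both controllers.
    if lw.get("dhcp_server") != dmz["ip"] or dw.get("dhcp_server") != dmz["ip"]:
        findings.append("DHCP server is not the DMZ-Con management IP")
    return findings

def sample():
    """Constructed sample: a correctly anchored pair of controllers."""
    wlan = {"security": "web-auth", "interface": "management", "dhcp_server": "192.0.2.10"}
    lan = {"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "domain": "corp",
           "mobility_members": [{"ip": "192.0.2.10", "mac": "00:AA:BB:CC:DD:EE", "domain": "guest-dmz"}],
           "wlans": {"Guest": dict(wlan, anchors=["192.0.2.10"])}}
    dmz = {"ip": "192.0.2.10", "mac": "00:aa:bb:cc:dd:ee", "domain": "guest-dmz",
           "mobility_members": [{"ip": "10.0.0.5", "mac": "00:11:22:33:44:55", "domain": "corp"}],
           "wlans": {"Guest": dict(wlan, anchors=["192.0.2.10"])}}
    return lan, dmz

if __name__ == "__main__":
    lan, dmz = sample()
    print(audit_guest_anchor(lan, dmz, "Guest") or "all checks passed")
```

A missing anchor on the LAN-Con is the finding that matters most here: without it, guest clients are bridged onto the internal controller's interface instead of being tunneled to the DMZ.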

