Setting up an Anchor Controller on DMZ

Jul 2nd, 2010

We have a Foreign WLC Controller (4400 Series) inside our network with the following configuration:

AP Manager Interface:, Default gateway:

Management Interface:, Default gateway:

Secure Interface:, Default gateway:

Guest Interface:, Default gateway: (currently disabled)

We want to install an Anchor WLC Controller (4400 Series) on the DMZ of an ASA 5510.

The ip add of the DMZ interface is

What will be the IP addresses of the anchor interfaces (AP Manager, Management and Guest-dmz interfaces)?

Will the AP Manager and the Management interface be on the same subnet as the DMZ interface?

If the guest-dmz interface is on a different subnet from the DMZ interface, what will be its default gateway?

Can someone please help with how to configure the anchor interfaces? Thanks.

leejohns Thu, 07/08/2010 - 13:02

The answer to your question is "what do you want the anchor WLC interface IPs to be?". It is entirely up to you and how you want to design the anchor setup. You can either have the management and ap-manager interfaces in the DMZ VLAN, or you can have them in completely different VLANs and set up a dynamic interface on the DMZ VLAN for the guest users. So your DMZ switch can have just a single VLAN in the 172.17 network and the guest traffic will use the management interface, or you can set up the DMZ switch with multiple VLANs: one for WLC management and one for guest traffic.

Remember that the anchor WLC is the IP point of presence on the network for the guest clients, so think of it in terms of a wired client connected to a switch in the DMZ: how would you configure the network so that client could access the Internet?



Robert Mantwani Thu, 08/26/2010 - 01:42

To Lee

First of all, thanks for your response. I need some clarification: if the DMZ switch is set up with multiple VLANs, it means we will have to create subinterfaces on the DMZ interface to match the multiple VLANs (e.g. 172.17, or new ones such as 172.25 for WLC management and 172.31 for guest).



nikhilcherian Tue, 11/15/2011 - 20:36

Hi Robert,

Did multiple VLANs work for you on the DMZ? I am facing some issues with this setup. Can you please help?



Scott Fella Wed, 11/16/2011 - 00:28

Can you describe your setup and the issue you are having? You can set up multiple VLANs, but what are these VLANs being used for?

nikhilcherian Wed, 11/16/2011 - 11:22

I have 3 sub-interfaces on the ASA's DMZ interface. I have 3 VLANs, say 70, 80 and 90, whose gateways are the DMZ sub-interfaces. I have created 3 interfaces on the anchor WLC in the DMZ. I use VLAN 70 for the management interface and the other 2 VLANs for wireless users, which are anchored from my foreign WLC. My issue is that the client can ping the gateway only if I put it in VLAN 70. If the client is in VLAN 80 or VLAN 90, I can't ping the gateway.

I even tried to ping the VLAN 80 and VLAN 90 gateways from the WLC. I don't get any response for the same.


Scott Fella Wed, 11/16/2011 - 11:39

Well, did you trunk the interface the WLC is connected to? Maybe the DMZ switch is not passing the other VLANs.

Scott Fella Wed, 11/16/2011 - 20:25

Are you anchoring the SSID in the DMZ WLC to itself? Can the DMZ WLC ping the gateway of the other VLANs?

nikhilcherian Wed, 11/16/2011 - 22:58

I have 2 WLCs in the inside network, which I am using for guests. I am anchoring these SSIDs to the DMZ WLC.



Scott Fella Thu, 11/17/2011 - 02:03

Okay, so you are anchoring the guest SSIDs to the DMZ WLC. Are you anchoring the DMZ controller's guest SSID to itself? Have you tried a wired connection in the DMZ to see if that works, just to rule out any network issue?