Guest Access and IP addressing usage

Answered Question
Nov 3rd, 2011

Hi there

Have a typical Guest set up: foreign WLC has a tunnel to a WLC in our DMZ (mobility anchor); the client will get a web page, sign on, and off to the Internet they go.

As we know, the client needs an IP address first before it does anything, as the SSID is out there with no authentication. The problem we are running into is that we are running out of IPs because we have a bunch of clients picking up IPs but then not moving towards authenticating (I suspect many clients simply scan for any open SSID and connect to it, thereby using up an IP). We clamped down the DHCP lease time to 30 mins, but this only helped to an extent.

Is there anything on the WLC or other wireless network devices that can limit this from happening? Is increasing the scope the only way to resolve this issue?

Many thanks in advance!


Correct Answer
George Stefanick Thu, 11/03/2011 - 08:46

Pat,

Welcome...

And welcome to the world of Cisco Guest Wireless where your scopes must be large and your leases must be short ! LOL

The only thing you can do is hide the SSID or leave it BROADCASTING and make a large scope and limit lease time.

We show currently 4,434 guest IPs on my network right now. Of which, after a quick ping to devices that are past WEBAUTH, we have 398 actual users. We have our lease times at 2 hours ...

Sorry, I know that's not the answer you wanted ...

kobayashimaru08 Thu, 11/03/2011 - 08:54

Yes, that is what I kind of figured. But I thought I should ask the question just to be sure. Are you using public space or a private/hide-NAT setup?

Correct Answer
George Stefanick Thu, 11/03/2011 - 08:58

Private/NAT ... We push the guest to the DMZ, unwrap the EoIP packet and dump the guest smack in the DMZ. From there we do DHCP, NAT and push through Bluecoat to the internet...

kobayashimaru08 Thu, 11/03/2011 - 09:02

Yes, that is what I am recommending here as well. Good to know I am on target with someone else who does this. Thanks George!

George Stefanick Thu, 11/03/2011 - 09:06

Yeah, no worries... We ALL bang our head with this one at some point!

Thanks for the ratings!

George Stefanick Thu, 11/03/2011 - 09:13

Also -- When building your scopes, and if you are using one 5508, there is a client limitation... No need to waste a class B, for example, if the WLC can only handle 7000 clients ..

Cisco 5508 Series Controllers Location Support

The Cisco 5508 Series Controller can now support up to 7000 clients and 5000 RFID tags when using the location support.

Also, if you are using two 5508s in the DMZ they will round robin.

just an fyi
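The two pieces of advice above (make the scope large and the lease short; do not size the scope past what the WLC can actually hold) can be turned into a calculation you can run against your own DHCP and WLC numbers. The following is an added example, my own code and not something posted in the thread or shipped by Cisco. It assumes a steady association rate and applies Little's law (leases in use = association rate x lease time), so that the lease count you see today, at today's lease time, predicts the lease count at any other lease time. The 7000-client limit, the 4,434 leases, the 398 authenticated users and the 2-hour lease are the figures quoted in the thread; the 25% headroom and the Poisson-arrival sanity check are my assumptions.

```python
"""Sizing a guest DHCP scope for an open SSID that collects idle leases.

Constructed example (not code from the thread or from Cisco). Every client
that associates to the open guest SSID takes a lease, but only a small
fraction ever passes WEBAUTH, so the scope must be sized for association
churn, not for real users.

Model: associations arrive at a roughly constant rate and each one holds a
lease for exactly `lease_hours`. By Little's law the number of leases in use
is  leases ~= rate * lease_hours, so halving the lease roughly halves the
scope. Inputs are things you can read off the DHCP server and the WLC.
"""
import heapq
import math
import random


def infer_association_rate(leases_in_use: int, lease_hours: float) -> float:
    """Associations per hour implied by the observed lease count (L = rate * W)."""
    return leases_in_use / lease_hours


def expected_leases(rate_per_hour: float, lease_hours: float) -> int:
    """Steady-state leases in use for a given lease time."""
    return math.ceil(rate_per_hour * lease_hours)


def usable_hosts(prefix: int) -> int:
    """Usable IPv4 hosts in a /prefix (network and broadcast excluded)."""
    return 2 ** (32 - prefix) - 2


def prefix_for_hosts(hosts: int) -> int:
    """Longest IPv4 prefix whose usable host count still covers `hosts`."""
    bits = max(2, math.ceil(math.log2(hosts + 2)))
    return 32 - bits


def plan_scope(leases_in_use, authenticated, lease_hours, candidate_lease_hours,
               headroom=1.25, wlc_client_limit=7000):
    """For each candidate lease time: expected leases, the scope size needed
    (with headroom, an assumed 25%), and the prefix to use. The prefix is never
    wider than the WLC's own client limit can fill, so a controller capped at
    7000 clients never gets a class B."""
    rate = infer_association_rate(leases_in_use, lease_hours)
    auth_fraction = authenticated / leases_in_use
    wlc_prefix = prefix_for_hosts(wlc_client_limit)
    rows = []
    for lh in candidate_lease_hours:
        leases = expected_leases(rate, lh)
        needed = math.ceil(leases * headroom)
        prefix = max(prefix_for_hosts(needed), wlc_prefix)  # larger number = smaller scope
        rows.append({
            "lease_hours": lh,
            "leases_in_use": leases,
            "real_users": math.ceil(leases * auth_fraction),
            "scope_hosts_needed": needed,
            "prefix": prefix,
            "scope_usable": usable_hosts(prefix),
        })
    return rows


def simulate_leases_in_use(rate_per_hour, lease_hours, sim_hours=24.0, seed=7):
    """Sanity check of the Little's-law estimate: replay Poisson-distributed
    associations for `sim_hours` and count the leases still unexpired."""
    rng = random.Random(seed)
    now = 0.0
    expiries = []  # min-heap of lease expiry times
    while True:
        now += rng.expovariate(rate_per_hour)
        if now > sim_hours:
            break
        while expiries and expiries[0] <= now:
            heapq.heappop(expiries)
        heapq.heappush(expiries, now + lease_hours)
    while expiries and expiries[0] <= sim_hours:
        heapq.heappop(expiries)
    return len(expiries)


if __name__ == "__main__":
    # Figures quoted in the thread: 4,434 leases, 398 past WEBAUTH, 2-hour lease.
    for row in plan_scope(4434, 398, 2.0, [2.0, 1.0, 0.5, 0.25]):
        print(row)
    print("simulated leases at a 30-minute lease:", simulate_leases_in_use(2217, 0.5))
```

With the thread's numbers this gives roughly 2,217 associations per hour and about a 9% authentication rate: a 2-hour lease needs a /19, a 30-minute lease about a /21, and a 15-minute lease about a /22. The trade-off the model does not show is DHCP churn: a shorter lease means every client, the real users included, renews more often, and a device that stays associated keeps renewing anyway, so the lease time only recovers addresses from clients that actually leave.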

kobayashimaru08 Thu, 11/03/2011 - 09:21

Oh well, now that leads to another question then! (and you're welcome for the ratings...)
Here is my deal - I currently have roughly 150 WLCs now, expanding another possible 50 in the next 12 months.
I have 6 5508's in my DMZ,

but there is still the limitation of 71 tunnels that can be made (unless you tell me there is a way around that!)

Each DMZ WLC also has its own mobility group name (i.e. WLC 1 is mobility name xxxGUEST_01, WLC 2 is xxxGUEST_02... etc.)

You mention round robin; how would I do that, considering each foreign WLC is only tunneled to one DMZ WLC currently?

Correct Answer
George Stefanick Thu, 11/03/2011 - 09:29

Holy Jesus, girl ... I thought I had a decent size guest network...

If you anchor your foreign controller guest WLAN to more than one (1) DMZ anchor, clients will automagically round robin from the first anchor to the second anchor and then back again to the first anchor. You can't turn this off or on; it just happens this way. I did put in a "change request" to have this as an option to turn off and on. But Cisco hasn't added it yet and may never .. who knows...

71 is the cap. I don't know a way around that ...

Good call on the DMZ mobility group name. I do the same; it helps with troubleshooting and doesn't take up a tunnel on existing internal mobility groups ...

kobayashimaru08 Thu, 11/03/2011 - 09:42

Ha! No worries, girl in a tech world... used to it LOL

When we changed up this year (went from a private entity to being taken over by the 'mother ship', as I like to call it), they said '2012 is the Wireless Year, we want it everywhere, able to be used by everyone; we want it easy, and we want to start employee BYOD' (to which I grumbled a bit... but oh well). And I just got news we are taking another division on board, so to that number I just gave you I'd say add another 10 or 15, not to mention a few WiSMs thrown in there. We were using Guest NAC, but then it was thought to be easier using a shared ID/PW that changes weekly, which currently I manage by pushing WCS jobs out each week; the future is to use an AD backend for that instead. And this is slightly off topic, but I also broadcast the SSID for the mother ship into our network and tunnel our WLC back to an anchor on their network so users can pick up IPs from there, and then our WLCs live in their RADIUS server.
... Fun stuff, eh?

kobayashimaru08 Thu, 11/03/2011 - 09:55

Cool! I will check your blog for sure... I sort of bumbled through figuring it out... if only I had known, I would have fewer head dings.

Yes... we have a job that pushes each week, creating a local net user tied to the guest profile on the anchor WLCs. The username stays the same, and the PW changes. Figuring that out was also cause for a few head dings, but it works great (so far!)

kobayashimaru08 Thu, 11/03/2011 - 10:09

I can... I have a meeting to attend... give me a bit. Perhaps I should start a new blog or thread on it?

Posted November 3, 2011 at 8:41 AM
Stats:
Replies:18 Avg. Rating:5
Views:4315 Votes:0