Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

Hi,

I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:

(INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)

GUEST1: 10.9.65.0/24 – VLAN 11

GUEST2: 10.9.66.0/24 – VLAN 12

GUEST3: 10.9.67.0/24 – VLAN 13

Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)

The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.

The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:

Interface vlan 11 – 10.9.65.1

Interface vlan 12 – 10.9.66.1

Interface vlan 13 – 10.9.67.1

wgh-anchorwlc5760-primary#show ip interface brief

Interface              IP-Address      OK? Method Status                Protocol

Vlan1                  10.8.252.1      YES NVRAM  up                    up

Vlan11                 10.9.65.1       YES manual up                    up

Vlan12                 10.9.66.1       YES manual up                    up

Vlan13                 10.9.67.1       YES manual up                    up

GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down

Te1/0/1                unassigned      YES unset  up                    up

Te1/0/2                10.8.253.1      YES NVRAM  up                    up

Capwap0                unassigned      YES unset  up                    up

If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.

If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.

If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.

Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine, clients get an IP and the right default gateway and DNS servers when connect, for example, to GUEST1.

anchorwlc5760-primary#show wireless client summary

Number of Local Clients : 3

MAC Address    AP Name                          WLAN State              Protocol

--------------------------------------------------------------------------------

04f7.e482.b21c N/A                              2    IPLEARN            Mobile

bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile

a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile

However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I can not see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.

image.JPG

I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiples SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.

My question is: Why clients are not able to ping their default gateway?

I hope it makes sense.

I appreciate any thoughts and help. Thanks in advance.

Joana.

2 REPLIES
New Member

Did you managed to find a

Did you managed to find a solution for this? How was it resolved?

New Member

Hi,I couldn't get it working

Hi,

I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:

 

(INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)

 

The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.

 

I hope it helps.

 

Joana.

466
Views
0
Helpful
2
Replies