Cisco Support Community

New Member

Should foreign WLC guest WLAN use management interface or ?

Hi wireless experts,

I am confused about whether the foreign WLC guest WLAN should use the management interface or a dedicated guest interface. Help please.

I have seen production setups using a guest interface, which has no access to the rest of the production network because the VLAN is not included on the LAG trunk between the foreign WLC and the switch.

That kind of matches what the Enterprise Mobility 7.3 Design Guide says.

--------------------------------------------------------------------------------------------------------------------------------

Enterprise Mobility 7.3 Design Guide

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch10GuAc.html

The default interface used by the foreign WLC for the guest WLAN is the management interface. If the EoIP tunnel cannot be established with the anchor, the foreign controller will disassociate any wireless clients that were previously associated with the unreachable anchor and then assign new clients and reassociate clients to the interface configured under the guest WLAN of the foreign itself. Therefore, it is recommended to link the guest WLAN on the foreign to a non-routable network, or alternatively configure the DHCP server of the management interface with an unreachable IP address. If the anchor becomes unreachable, this prevents the guest clients to gain access to the management network.

--------------------------------------------------------------------------------------------------------------------------------

When I look further into the foreign WLC guest WLAN configuration, it recommends the other way, i.e. to use the management interface.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch10GuAc.html#wp1000069

b. By default, the WLAN is assigned to the "management" interface of the WLC. Do not change this.

May I please ask which way is the best practice? Is there any negative impact in configuring the DHCP server of the management interface with an unreachable IP?

Thanks for your patience in reading to the end.

Cedar

2 ACCEPTED SOLUTIONS

Accepted Solutions
Hall of Fame Super Silver

Should foreign WLC guest WLAN use management interface or ?

You can use the management or you can create a null interface or black-hole interface and map the foreign WLC guest SSID to that. It's best practice to create a bogus interface and use that when you are anchoring... especially for guest.

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott
*** Please rate helpful posts ***
VIP Purple

Should foreign WLC guest WLAN use management interface or ?

Hi Cedar,

Agree with Scott :)

In a real-world deployment, it is best practice to assign the guest WLAN to an interface assigned to an unused VLAN. This mitigates the scenario where the anchor controller becomes unavailable and the guest WLAN becomes attached to the management interface of the foreign controller, which represents a security issue.

Check out this blog:

http://wifinigel.blogspot.de/2011/08/creating-per-site-guest-vlans-on-guest.html

Regards

Don't forget to rate helpful posts
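
An added example, not part of the thread or of Cisco's documentation: a small Python check that flags anchored guest WLANs on a foreign controller that are still mapped to the management interface, the fallback case described in the answers above. It assumes the configuration is available as AireOS-style `config ...` command lines; the sample config, the interface name `guest-blackhole` and VLAN 999 are constructed for illustration.

```python
# Constructed sample: AireOS-style commands for a foreign WLC (not from the thread).
SAMPLE_CONFIG = """\
config interface create guest-blackhole 999
config wlan create 1 corp CORP
config wlan interface 1 corp-data
config wlan create 2 guest GUEST
config wlan mobility anchor add 2 192.0.2.10
config wlan create 3 guest-lab GUEST-LAB
config wlan interface 3 guest-blackhole
config wlan mobility anchor add 3 192.0.2.10
"""

def audit_anchored_wlans(config_text):
    """Map each anchored WLAN id to (status, interface, vlan)."""
    vlans = {}   # dynamic interface name -> VLAN id
    wlans = {}   # WLAN id -> {"interface": name, "anchors": [ip, ...]}

    def wlan(wlan_id):
        # A WLAN with no explicit mapping sits on "management" (the default).
        return wlans.setdefault(wlan_id, {"interface": "management", "anchors": []})

    for line in config_text.splitlines():
        tok = line.split()
        if tok[:1] == ["config"]:          # accept lines with or without the prefix
            tok = tok[1:]
        if tok[:2] == ["interface", "create"] and len(tok) >= 4:
            vlans[tok[2]] = tok[3]
        elif tok[:2] == ["wlan", "create"] and len(tok) >= 3:
            wlan(tok[2])
        elif tok[:2] == ["wlan", "interface"] and len(tok) >= 4:
            wlan(tok[2])["interface"] = tok[3]
        elif tok[:4] == ["wlan", "mobility", "anchor", "add"] and len(tok) >= 6:
            wlan(tok[4])["anchors"].append(tok[5])

    findings = {}
    for wlan_id, w in sorted(wlans.items()):
        if not w["anchors"]:
            continue                       # only anchored (guest) WLANs matter here
        if w["interface"] == "management":
            # Anchor unreachable -> clients land on the management network.
            findings[wlan_id] = ("FAIL", "management", None)
        else:
            # Still confirm on the switch that this VLAN is unused / not trunked.
            findings[wlan_id] = ("OK", w["interface"], vlans.get(w["interface"]))
    return findings

if __name__ == "__main__":
    for wlan_id, result in audit_anchored_wlans(SAMPLE_CONFIG).items():
        print(wlan_id, *result)
```

An "OK" result only means the WLAN is mapped to a non-management interface; whether that VLAN is really unused and absent from the trunk has to be confirmed on the switch side.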

4 REPLIES
New Member

Should foreign WLC guest WLAN use management interface or ?

Thanks so much for your answer. And thank you to Scott as well.

Cedar

New Member

Should foreign WLC guest WLAN use management interface or ?

The default Mobility Domain Name is automatically entered in the Mobility Group membership for that controller, along with the necessary IP address and MAC address information for that controller. The IP address and MAC address information of other controllers in that Mobility Group must be entered manually.

Figure 4-27 and Figure 4-28 show the Mobility Group membership information for both main site WLAN controllers. It can be seen that the Mobility Group membership has two main members for the two WLAN controllers that are providing WLAN access within the main site. These WLAN controllers are also members of another Mobility Group GUEST_ACCESS. This Mobility Group has been configured to provide guest access tunneling and is discussed later in this chapter.

The remote site WLAN controller Mobility Group membership configuration uses a different mobility group name, and does not include either of the main site WLAN controllers. The reason for it not including either of the main site WLAN controllers is because it is not expecting to support seamless roaming between the remote site and main site. There is no point of providing seamless roaming between controllers when there is no seamless WLAN coverage between APs connected to those controllers. Because this design includes supporting guest access tunneling for users at the remote site, the GUEST_ACCESS mobility group-member information also appears on the remote site WLAN controller.

For more information, please visit the link below:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Medium_Enterprise_Design_Profile/chap4.html#wp1059041
