Can someone point me to a link that will give configuration examples of a wireless anchor config with one controller in a DMZ? I have tried this on my own and have some problems in my test environment. I believe my issues were with the firewall, but I'm not exactly sure. Thanks in advance for the help.
Setting up a mobility anchor can be tricky. The key thing to keep in mind is that the WLAN configuration parameters must match *exactly* (with only a couple exceptions) or else it won't work. The Enterprise Mobility Design Guide 4.1 (found on the WCS product support page) is what I used to muddle through the first time I did this:
We run a 5508 anchor in a DMZ; we don't use the Service-Port in this setup, so the management interface has to be connected as a trunk port.
In order to correctly sync with internal controllers, the following ports have to be opened up between them: UDP 1666-7, UDP 5246-7, ICMP echo-request (type 8), Ethernet-over-IP protocol 96 and 97.
We also keep the anchor in a separate mobility domain, which is connected to the same mobility group as the internal controller(s). It is important to mirror your guest WLAN configuration through all your controllers. If you are using your anchor as the web-authentication route point, I would recommend using a publicly routable IP address associated with a FQDN (fully qualified domain name) as your virtual-interface IP address; this will allow you to assign a valid publicly signed SSL certificate down the track. This is best practice and stops the annoying security error pop-ups in most browsers on most devices.
SSL certification for Web-Auth is poorly documented on the Cisco website, so: if you want to get a valid SSL certificate, make sure you use version 0.9.8 of OpenSSL to generate your certificate request (there are too many bugs in the latest version of OpenSSL, apparently). Also, most public certificate authorities will only sign a request with a bit depth of 2048 or more. The results you get back from your chosen public certification authority need to be concatenated into a chained certificate file in PEM format; web-auth SSL supports chained certs on the 5508, so you'll be fine with this. (The HTTPS management interface does NOT, however, support chained certs.)
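A worked version of the CSR and chained-certificate steps in the reply above, added here as an example; it is not code from this thread or from Cisco. It assumes whatever OpenSSL is installed on a Unix host, a placeholder FQDN guest.example.com for the virtual interface, and a chain order of device certificate, issuing intermediate(s), root, then the private key:

```shell
#!/bin/sh
# Added example, not from the thread or Cisco: generate a 2048-bit CSR for the guest
# web-auth FQDN and assemble the chained PEM file for upload to the anchor WLC.
# Assumed placeholders: guest.example.com as the FQDN, files written under $WORKDIR.
# Assumed chain order: device cert, issuing intermediate(s), root, then the private key.
set -eu

WORKDIR="${WORKDIR:-./webauth}"
FQDN="${FQDN:-guest.example.com}"   # must be the name that resolves to the virtual IP

# Step 1: private key + CSR. 2048-bit RSA (the minimum public CAs accept), SHA-256,
# no passphrase (the controller needs a usable key), CN and SAN both set to the FQDN.
make_csr() {
  mkdir -p "$WORKDIR"
  printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=ext\n[dn]\nCN=%s\n[ext]\nsubjectAltName=DNS:%s\n' \
    "$FQDN" "$FQDN" > "$WORKDIR/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORKDIR/csr.cnf" \
    -keyout "$WORKDIR/webauth.key" -out "$WORKDIR/webauth.csr"
  chmod 600 "$WORKDIR/webauth.key"
}

# Sanity check before sending the CSR to the CA: report the key size it carries.
csr_key_bits() {
  openssl req -in "$WORKDIR/webauth.csr" -noout -text |
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Step 2: once the CA returns the signed cert and its CA bundle, confirm the chain
# actually links up (a missing intermediate is the usual cause of browser warnings).
# Args: device.pem intermediates.pem root.pem
verify_chain() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null
}

# Step 3: concatenate into the single PEM file the controller takes: certs first, key last.
# Args: device.pem [intermediates.pem ...] ; writes $WORKDIR/webauth-chain.pem
build_chain() {
  out="$WORKDIR/webauth-chain.pem"
  cat "$@" > "$out"
  cat "$WORKDIR/webauth.key" >> "$out"
  chmod 600 "$out"
}

# Number of certificates in the assembled file (device cert plus each CA cert expected).
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$WORKDIR/webauth-chain.pem"
}
```

The chain file contains the unencrypted private key, so copy it to the controller over an authenticated channel and delete the local copy afterwards.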
Thanks, guys, for the links and advice. I did get the controllers talking to each other yesterday. Turns out I had them in different mobility groups (dumb mistake on my part). I will also be implementing Cisco ACS for authentication and Cisco IPS for security. Is there anything to look out for when using an ACS in this setup? I have worked with ACS for many years, but not in this type of install. Thanks again for the replies.