01-18-2007 04:57 PM - edited 07-03-2021 01:30 PM
I have 2 WLC 4402. 1 Remote and 1 DMZ. I have read the deployment guide for guest access 20 times and still cannot get it to work. A couple of answers that I don't see in the guide: 1. Do APs need to be associated with the DMZ WLC? 2. Am I anchoring my management IP or a different dynamic IP? I have verified with eping and mping that the tunnels should be able to be created; how do I verify? An issue that concerns me is that I cannot ping (ICMP) my remote WLC mgmt interface from the DMZ WLC. I know I have connectivity because of eping, mping and HTTPS mgmt from the same subnet as the DMZ WLC mgmt interface. Should I be concerned about this? It could just be ICMP blocked at the FW.
I am trying not to open a support ticket as I am sure this is a simple issue. One of my problems is that my VLANs cannot be tagged because the DMZ VLAN does not reside on our core switches and hence I cannot do 802.1Q, which is discussed on page 4 of the dep. guide. To get around this I configured IF/2 on my remote WLC to an IP from my DMZ subnet. Is this OK, is it needed?
Summary Internal IF 1.1.1.1 for both WLC
remote WLC
MGMT = 10.160.24.30 IF/1
AP-MGMT = 10.160.24.31
Service = 192.168.0.10
guest = 10.160.80.16 IF/2
DMZ WLC
MGMT = 10.160.80.15
ap-mgmt = 10.160.24.33 (don't need?)
service = 192.168.0.10
internet = public IP to be NATed by FW
I am a newbie to the Cisco WiFi world, but not to IT/networking.
Any help would be greatly appreciated.
05-07-2009 02:47 AM
I believe you need to enable IP Protocol 1 (for ICMP) in order for ping to work ...
05-08-2009 04:21 AM
1. Do APs need to be associated with the DMZ WLC?
a) No
2. Am I anchoring my management IP or a different Dynamic IP?
a) No IP gets anchored. You anchor the WLAN on one controller to your DMZ. On the DMZ, you anchor that WLAN to itself.
3. I have verified with eping and mping that the tunnels should be able to be created, how do I verify?
a) From CLI: show mobility summary
This will show you if everything is UP, or if control/data path is down. EPING/MPING should verify this as well if they are successful.
I'm not sure what you mean about port 2. Are you placing a link straight out to your DMZ? Normally everything goes out the main interface and "routes" out to your DMZ.
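An added example, not part of any post in this thread: a small Python check over the peer table printed by `show mobility summary`, reporting which path is down for each peer and which firewall allowance to look at. The sample output, MAC addresses, group name and the third peer are constructed, the column layout is assumed, and the mapping of mping to UDP 16666 and eping to EoIP (IP protocol 97) is the usual WLC mobility behaviour rather than something stated above.

```python
import re

# Constructed sample of the peer table; layout assumed, values illustrative.
SAMPLE = """\
Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name       Multicast IP     Status
 00:00:5e:00:53:01  10.160.24.30     guest            0.0.0.0          Up
 00:00:5e:00:53:02  10.160.80.15     guest            0.0.0.0          Data Path Down
 00:00:5e:00:53:03  192.0.2.10       guest            0.0.0.0          Control and Data Path Down
"""

# One peer row: MAC, peer IP, group name, multicast IP, free-text status.
PEER_ROW = re.compile(
    r"^\s*(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<group>\S+)\s+"
    r"(?P<mcast>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<status>\S.*?)\s*$"
)

def parse_peers(text):
    """Return one dict per peer row; header and banner lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = PEER_ROW.match(line)
        if m:
            peers.append({"ip": m["ip"], "group": m["group"], "status": m["status"]})
    return peers

def diagnose(status):
    """Map a peer status to the firewall allowances worth checking."""
    s = status.lower()
    if s == "up":
        return []
    checks = []
    if "control" in s:
        checks.append("control path: UDP 16666 between management interfaces (mping)")
    if "data" in s:
        checks.append("data path: EoIP, IP protocol 97 (eping)")
    return checks or ["unrecognised status: " + status]

def report(text):
    """Peer IP -> list of things to check (empty list means the tunnel is up)."""
    return {p["ip"]: diagnose(p["status"]) for p in parse_peers(text)}

if __name__ == "__main__":
    for ip, checks in report(SAMPLE).items():
        print(ip, "OK" if not checks else "; ".join(checks))
```

ICMP does not appear in either check, so a firewall that drops ping between the management interfaces does not by itself keep the mobility tunnel from coming up.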
06-29-2009 09:54 AM
I had the same issue with the guest DMZ controller. Do I need to configure the same SSID on both the anchor and foreign controller? I also need to use web-auth for wireless guests; which controller's SSID needs to be configured for web-auth? By the way, I found an example on CCO, but only for "wired":
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
If anyone can provide me an example for "wireless guest tunneling", it will be very appreciated.
07-04-2009 09:13 AM
yueric,
1. Do I need to config same SSID on both of anchor and foreign controller?
- Yes, the WLAN needs to be configured the exact same way on both the anchor and foreign controllers.
2. Which controller's SSID needs to be configured web-auth?
- Both need to be configured the same way, so if you want to use web-auth you need to configure the anchor and foreign controller WLAN to use web-auth.
HTH