
Guest Anchor Controller

Marvin Krym
Level 1

Cisco documentation recommends using a dedicated controller for the guest anchor controller function because it needs to be located in the DMZ. However, if I have spare capacity on an existing controller (i.e. one used to manage APs) then perhaps I can also use it as the guest anchor. Instead of being physically connected to the DMZ, I would just extend a guest user VLAN from the guest anchor controller to the DMZ. I would welcome feedback on the validity & security of this alternate solution.

Thanks.

2 Accepted Solutions


George Stefanick
VIP Alumni

Hi Marvin,

Like anything in networking, there are always different ways to skin a cat. First let's chat about the guest anchor deployment in the DMZ. This particular design is Cisco's most secure way to handle guest access. The wireless guest packet never touches your switch fabric until it hits the DMZ. The packet rides over the guest Wi-Fi, hits the AP, gets encapsulated and doesn't get unencapsulated until it hits the DMZ anchor.

Another way, and less expensive, is to add a dynamic interface on your internal controller and ride that traffic into the DMZ. I have customers that do this very thing as well. It's cheaper and may be less hassle configuration-wise.

In this approach, your guest packet gets unwrapped and placed at the doorstep of the WLC.

I hope this helps.

Does this make sense?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________


Stephen Rodriguez
Cisco Employee

The recommendation is the 'most secure solution', as it puts the guest users outside of your network.

If you don't need/want to put a WLC out in the DMZ, you can still use one of the WLC inside the network to anchor your guest traffic to.

As for the physical connection, it depends on what you are looking to do. If you are going to service APs, internal users, and guests, you would be better served with LAG vs. splitting ports, IMO. You can still split the ports and put one of them in a 'DMZ VLAN', but then you limit your internal users as well as the guests.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

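Both answers above come down to the same point: in the anchor design the guest frame stays inside the mobility tunnel until it is decapsulated in the DMZ, while in the cheaper design it is decapsulated on the internal WLC and then rides a plain VLAN across the campus switches to the DMZ. That second design is only as good as the switch configuration carrying the guest VLAN. The script below is an added example for this thread, not code from Cisco or from either poster. It audits an IOS-style switch config for the three things the extended guest VLAN depends on: no SVI (layer-3 hop) on the guest VLAN inside the campus, the guest VLAN allowed only on the trunks between the WLC and the DMZ firewall, and the guest VLAN never being a trunk's untagged native VLAN. VLAN 150, the interface names and the sample configuration are constructed for the example and are assumptions, not values from the thread.

```python
import re

GUEST_VLAN = 150                             # assumption: VLAN mapped to the guest SSID
EXPECTED_TRUNKS = {"GigabitEthernet1/0/1",   # assumption: trunk towards the internal WLC
                   "GigabitEthernet1/0/48"}  # assumption: trunk towards the DMZ firewall

# Constructed IOS-style sample, not a real config. Each check below fires on one block.
SAMPLE_CONFIG = """\
interface Vlan150
 ip address 10.150.0.2 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 10,20,150
 switchport mode trunk
!
interface GigabitEthernet1/0/5
 switchport mode trunk
!
interface GigabitEthernet1/0/48
 switchport trunk native vlan 150
 switchport trunk allowed vlan 150
 switchport mode trunk
!
interface GigabitEthernet1/0/7
 switchport access vlan 150
 switchport mode access
!
"""

ALL_VLANS = set(range(1, 4095))


def parse_interfaces(config):
    """Map each 'interface X' block to its stripped sub-config lines."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,100-102' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def trunk_allowed_vlans(lines):
    """VLANs a trunk carries. With no 'allowed vlan' statement an IOS trunk
    carries every VLAN, which is how a guest VLAN quietly reaches uplinks
    nobody intended it to."""
    allowed = None
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (?:(add|remove) )?(\S+)$", line)
        if not m:
            continue
        keyword, spec = m.groups()
        if keyword == "add":
            allowed = (allowed if allowed is not None else set()) | expand_vlan_list(spec)
        elif keyword == "remove":
            allowed = (allowed if allowed is not None else ALL_VLANS) - expand_vlan_list(spec)
        elif spec == "all":
            allowed = set(ALL_VLANS)
        elif spec == "none":
            allowed = set()
        else:
            allowed = expand_vlan_list(spec)
    return set(ALL_VLANS) if allowed is None else allowed


def audit_guest_vlan(config, guest_vlan=GUEST_VLAN, expected_trunks=EXPECTED_TRUNKS):
    """Return findings that break the 'layer-2 only, WLC-to-DMZ only' property
    the extended guest VLAN relies on. An empty list means the path is clean."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == f"vlan{guest_vlan}" and any(l.startswith("ip address") for l in lines):
            findings.append(f"{name}: SVI on the guest VLAN gives guests a layer-3 hop inside the campus")
        if "switchport mode trunk" in lines:
            if guest_vlan in trunk_allowed_vlans(lines) and name not in expected_trunks:
                findings.append(f"{name}: trunk carries VLAN {guest_vlan} but is not on the WLC-to-DMZ path")
            if f"switchport trunk native vlan {guest_vlan}" in lines:
                findings.append(f"{name}: VLAN {guest_vlan} is the untagged native VLAN on this trunk")
        if f"switchport access vlan {guest_vlan}" in lines:
            findings.append(f"{name}: wired access port placed in the guest VLAN")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_vlan(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports four findings: the SVI on Vlan150, the core uplink Gi1/0/5 (a trunk with no allowed-VLAN statement carries every VLAN, including the guest one), the DMZ trunk using the guest VLAN as its native VLAN, and a wired access port dropped into the guest VLAN. Gi1/0/1, the trunk towards the WLC, is on the expected path and produces nothing. The same checks applied to every switch between the WLC and the DMZ firewall are what make the VLAN-extension design comparable to the anchor tunnel; with the anchor design none of this matters because the guest frame is never exposed to the campus fabric in the first place.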
