I am configuring an anchor controller for my guest wireless internet access.
Firstly, does the config need to have all the same config, SSIDs etc. on it, the same as the other controllers, or is it a minimal config?
Also, how does the web traffic travel through? Does the anchor controller literally act as a proxy for the web traffic? And if so, on my firewall is the web traffic all sourced from the anchor controller's IP address?
When you set up an anchor WLC for guest traffic or any... you need to make sure the SSID is identical except for the interface configuration. All traffic will be tunneled to that guest WLC, and that is what your FW will see.
So, on the anchor config, what VLAN do I map the SSID to?
Also, where does the source of the traffic come from, the original client or the WLC? What effectively is the WLC doing here?
On the guest anchor WLC, you would create an interface for your DMZ. The WLC would then have an IP in the DMZ VLAN, and your guest SSID would be mapped to that guest VLAN. What you are doing is tunneling guest user traffic right to the DMZ WLC instead of your internal WLC and then having to ACL everything. So a guest user associates, gets granted access and gets put in the guest VLAN in the DMZ.
Here is a doc that might explain it better than me :)
If you understand how Layer 3 inter-controller roaming works, it's the same thing for anchoring.
The Anchor is not a web proxy; it is just like any other WLC.
The basic flow of client traffic will be:
Client >802.11> AP >CAPWAP> Foreign WLC >MobilityTunnel> Anchor WLC >Ethernet> Traffic dumped on VLAN (presumably going into the DMZ)
We already have another site with this configured, and the SSID is different for that other site. Does this mean we will have to use the same SSID as the other site, or can you create another SSID on the anchor controller and assign it to the DMZ VLAN? So effectively the anchor will have 2 guest SSIDs mapped to one DMZ VLAN; is that OK?
Correct, you can use another SSID as a guest SSID and anchor it to the DMZ. Just make sure they match on the new controller and the DMZ anchor.
I'm still confused about what I need to configure. Is it as below?
Remote WLC controller at site 1 has a guest SSID of guest-wlan-SITEA in VLAN 101
Remote WLC controller at site 2 has a guest SSID of guest-wlan-SITEB in VLAN 201
Do I just add both SSIDs to the anchor controller and map them to a different VLAN in the DMZ? And do I allow the original source IP address subnets out my firewall for each site?
Create guest-wlan-SITEA & guest-wlan-SITEB on the DMZ WLC. Then you should be able to map them to the same or a different interface on the DMZ WLC. Make sure you create the mobility anchor for the SSID also. The subnet that you place these guest users in will only be located in the DMZ, so that subnet is what you need to allow.
Thanks for the reply,
I'm still unsure what you are saying. My guest WLAN on site A is on IP subnet 192.168.1.0/24 and site B is 192.168.2.0/24; this traffic gets tunneled to the anchor and put on the DMZ, which is, say, on the 10.11.11.0/24 subnet.
How is the traffic sourced? Does it just route through the DMZ with the original source IP from each site?
So, when you anchor the WLAN, the client will pull its IP address from the pool of the DMZ WLAN DHCP, not from the local site.
So the only subnet(s) that you need to allow are the ones in the DMZ, not the actual sites.
When you anchor, the client is physically connected to the local WLC, but is logically in the DMZ. All traffic is ingress/egress at the DMZ WLC. So the traffic flow is
client <--> AP <--> WLC(local)
then the reverse for the return.
I cannot see how this is going to work; the anchor controller is at another site, on a different subnet. Is this the only way we can do it, or the recommended way?
So I need to put the DHCP in the range of the DMZ subnet? What if there is an SSID from another site already using it? And what does that mean for the local site? The VLAN for guest is on a totally different subnet at the moment; do we assign no IPs to the VLAN? I'm lost, can you explain a little further?
The local WLC can be put to a 'null' interface. So what you do is create an interface that has no real Layer 2 relevance, and point the local WLAN at this interface. That way, if the anchoring fails, the client is not dumped on a real subnet.
As for the DMZ, you just need to make sure that subnet only lives there.
Now, anchoring the guest WLAN is the 'best practice' for security, as you put the guest clients, who are untrusted, outside of the real network. They can't come back inside due to the firewall, unless you pinhole specifically for it to happen.
You can have a guest SSID at each site, with its own subnet. Then you just treat it like any other WLAN.
Can you please give me an example of this with some IP addresses, for example, to make it easier?
IP address 172.16.1.0/23. Plenty of space for the clients.
IP address 192.168.1.0/24. No Layer 2 VLAN associated, or you can create one and at L3 ip route 192.168.1.0/24 null 0, to stop them from getting anywhere in case the anchor breaks.
Client associates to the local, is pushed across the mobility tunnel to the DMZ, where they get IP 172.16.1.50/24. As this is where the IP subnet resides, whatever routing and FW policies you allow are followed.
IP address 192.168.1.0/24. Client gets an address in this IP subnet, and follows the local routing rules you have defined for the subnet.
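The design the thread converges on, written out as an added example in AireOS-style WLC CLI (this is not any poster's configuration, and the document the replier linked is not reproduced here). The subnets 192.168.1.0/24 (local site) and 172.16.1.0/23 (DMZ) are the ones used above; the WLAN ID 5, the interface names, the mobility group name GUEST, the controller addresses 10.0.0.10 (local) and 10.99.99.5 (DMZ), the MAC addresses and the DHCP/gateway addresses are assumptions chosen for the example.

```cisco
! ===== Local (foreign) WLC at site A, mgmt 10.0.0.10 =====
! Guest WLAN with the same SSID/security as on the anchor.
config wlan create 5 guest-wlan-SITEA guest-wlan-SITEA
config wlan disable 5
! "Null" interface: a dynamic interface on a VLAN that has no real L2
! reachability (VLAN 999 here is an assumption), so that if the anchor
! tunnel fails the client is not dropped onto an internal subnet.
config interface create guest-blackhole 999
config interface address guest-blackhole 192.168.1.2 255.255.255.0 192.168.1.1
config wlan interface 5 guest-blackhole
! Mobility peering with the DMZ WLC, then anchor the WLAN to it.
config mobility group member add 00:00:00:00:00:0b 10.99.99.5 GUEST
config wlan mobility anchor add 5 10.99.99.5
config wlan enable 5

! ===== Anchor WLC in the DMZ, mgmt 10.99.99.5 =====
! Same SSID, same security; only the interface mapping differs.
config wlan create 5 guest-wlan-SITEA guest-wlan-SITEA
config wlan disable 5
! The guest subnet lives only here; clients get 172.16.1.x from DHCP.
config interface create guest-dmz 300
config interface address guest-dmz 172.16.1.2 255.255.254.0 172.16.1.1
config interface dhcp guest-dmz primary 172.16.1.1
config wlan interface 5 guest-dmz
config mobility group member add 00:00:00:00:00:0a 10.0.0.10 GUEST
! The anchor points at itself so it terminates the tunnel locally.
config wlan mobility anchor add 5 10.99.99.5
config wlan enable 5

! ===== L3 device at site A (IOS), optional belt-and-braces =====
! Even if the blackhole VLAN is somehow routed, send it nowhere.
ip route 192.168.1.0 255.255.255.0 Null0

! ===== Verification =====
! Both controllers: anchor status should show "UP" for WLAN 5.
show mobility anchor
show wlan 5
```

The firewall in front of the DMZ only needs rules for 172.16.1.0/23: the client's packets leave the anchor WLC with the 172.16.1.x address it received from the DMZ DHCP, never with a 192.168.1.x address and never with the WLC's own address, so the site subnets do not appear in the firewall policy at all. Before going live, check that a client associated at site A does not receive a 192.168.1.x lease (which would mean the anchor was not applied) and that `show mobility anchor` reports the tunnel up on both sides.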