Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

How does the anchor controller work with regards to the web traffic

Hi all

I am configuring an anchor controller for my guest wireless internet access.

Firstly, does the config need to have all the same config, SSID's etc on it, the same as the other controllers, or is it a minimal config?

also, how does the web traffic travel through, does the anchor controller literally act as a proxy for the web traffic? and if so on my firewall is the web traffic all sourced from the anchor controllers IP address?

Many thanks

Carl

15 REPLIES
Hall of Fame Super Silver

Re: How does the anchor controller work with regards to the web

When you setup an anchor wlc for guest traffic or any... You need to make sure the SSID is identical except for the interface configuration. All traffic will be tunneled to that guest wlc and that is what your FW will see.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***
New Member

How does the anchor controller work with regards to the web traf

So, on the anchor config what vlan do I map the SSID to ?

also where does the source of the traffic come from, the original client or the WLC ? what effectively is the WLC doing here ?

cheers

Carl

Hall of Fame Super Silver

How does the anchor controller work with regards to the web traf

On the guest anchor wlc, you would create an interface for your dmz.  The wlc would then have an ip in the dmz vlan and your guest ssid would be mapped to that guest vlan.  What you are doing is tunneling guest user traffic right to the dmz wlc instead of your internal wlc and then having to acl everything.  So a guest user associates, gets granted access and get put in the guest vlan in the dmz.

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

How does the anchor controller work with regards to the web traf

Here is a doc that might explain it better than me:)

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html

-Scott
*** Please rate helpful posts ***
Silver

How does the anchor controller work with regards to the web traf

If you understand how Layer 3 inter controller roaming works, its the same thing for anchoring.

The Anchor is not a web proxy, it is just like any other WLC.

Basic flow of a client traffic will be:

Client >802.11> AP >CAPWAP> Foreign WLC >MobilityTunnel> Anchor WLC >Ethernet>Traffic dumped on Vlan (presumably going into the DMZ

New Member

Re: How does the anchor controller work with regards to the web

hi there

We already have another site with this configured, and the SSID is different for that other site, does this mean we will have to use the same SSID as the other site, or can you create another SSID on the anchor controller and assign to the DMZ vlan ? so effectively the anchor will have 2 guest SSID's mapped to one DMZ vlan, is that ok ?

cheers

How does the anchor controller work with regards to the web traf

Carl,

Correct you can use another SSID as a guest ssid and anchor it to the DMZ. Just make sure they match on the new controller and the DMZ anchor.

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

How does the anchor controller work with regards to the web traf

Hi there

Im still confused for what I need to configure, Is it as below ?

Remote WLC controller site 1 has Guest SSID of guest-wlan-SITEA and in vlan 101

Remote WLC controller site 2 has Guest SSID of guest-wlan-SITEB and in vlan 201

Do I just add both SSID's to the anchor controller and map them to a different vlan in the DMZ ? and do I allow the original source IP address subnets out my firewall for each site ?

cheers

Carl

Hall of Fame Super Silver

How does the anchor controller work with regards to the web traf

Create guest-wlan-SITEA & guest-wlan-SITEB on the DMZ wlc.  Then make sure you should be able to map them to the same or different (interface) in the dmz wlc.  Make sure you create the mobility anchor for the ssid also.  The subnet that you place these guest users will only be located in the dmz, so that subnet is what you neet to allow. 

-Scott
*** Please rate helpful posts ***
New Member

How does the anchor controller work with regards to the web traf

Hi

thanks for the reply,

im still unsure what you are saying , my Guest WLAN on site A is on IP subnet 192.168.1.0/24 and site B is 192.168.2.0/24, this traffic gets tunneled to the anchor and put on the DMZ which is say on the 10.11.11.0/24 subnet,

how is the traffic sourced ? does it just route through the DMZ with the original source IP from each site ?

cheers

Carl

How does the anchor controller work with regards to the web traf

so, when you anchor the WLAN, the client will pull it's IP address from the pool of the DMZ WLAN DHCP, not from the local site.

So the only subnet(s) that you need to allow, are the ones in the DMZ, not the actual sites.

WHen you anchor, the client is physically connected to the local WLC, but is logically in the DMZ.  ALl traffic is ingress/egress at the DMZ WLC.  so the traffic flow is

client <--> AP <--> WLC(local) WLC (DMZ) <--> network

then the reverse for the return.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

How does the anchor controller work with regards to the web traf

Hi there

I cannot see how this is going to work, the anchor controller is at another site,  on a different subnet. Is this the only way we can do it or the recommended way?

so I need to put the dhcp in the range of the DMZ subnet, what if there is an SSID from another site already using it?  and what does that mean for the local site, the Vlan for guest is on a total different subnet at the moment, do we assign no ip's to the vlan? im lost, can you explain a little further?

cheers

Carl

How does the anchor controller work with regards to the web traf

The local WLC can be put to a 'null' interface.  So what you do is create an interface that has no real Layer 2 relevence, and point the local WLAN at this interface.  That way if the anchoring fails, the client is not dumped on a real subnet.

As for the DMZ, you just need to make sure that subnet only lives there.

now, anchoring the guest WLAN is the 'best practice' for security, as you put the guest clients, who are untrusted, outside of the real network.  THey can't come back inside due to the firewall, unless you pinhole specifically for it to happen.

You can have a guest SSID at each site, with it's own subnet.  THen you just treat it like anyother WLAN.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

How does the anchor controller work with regards to the web traf

Ok

can you please give me an example of this with some ip addresses for example to make it easier ?

cheers

Carl

How does the anchor controller work with regards to the web traf

DMZ Anchor.

ip address 172.16.1.0/23.  Plenty of space for the client.

Local

ip address 192.168.1.0/24.  No layer 2 VLAN associated, or you can create one and at L3 ip route 192.168.1.0/24 null 0, to stop them from getting anywhere incase the anchor breaks.

Client associates, to the local, is pushed across the mobiltiy tunnel to the DMZ, where they get IP 172.16.1.50/24.  As this is where the IP subnet resides, what ever routing and FW policies you allow are followed.

No Anchor:

Local WLC

Ip address 192.168.1.0/24.  Client gets an address in this IP subnet, and foloows the local routing rules you have defined for the subnet.

Steve

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
1594
Views
0
Helpful
15
Replies
CreatePlease to create content