New Member

Layer 2 isolation due to Multiple Anchor controllers

Hello,

Just checking to see if there are 2 anchor controllers in different locations, that if client A connects to anchor controller A and client B connects to anchor controller B, will there be Layer 2 isolation between the 2 clients?

Thanks,

Jason

15 REPLIES

Re: Layer 2 isolation due to Multiple Anchor controllers

It depends. I'd say yes by default, but if you allowed connectivity between the subnets...

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve ------------------------------------------------------------------------------------------------ Please remember to rate useful posts, and mark questions as answered
New Member

Layer 2 isolation due to Multiple Anchor controllers

Thanks Stephen.  They share the same subnet, and I can communicate between hosts on the same anchor, but not with a host on the other anchor.  Was trying to figure out if this is by design of the technology, or if there is a setting that changes this.

Thanks,

Jason

Hall of Fame Super Silver

Layer 2 isolation due to Multiple Anchor controllers

If the clients are all on the same subnet, it's weird that they can't communicate. I can ask my clients to test this out. It might just be a limitation of the technology of using multiple anchors.

Thanks,

Scott

*****Help out others by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***
Hall of Fame Super Silver

Layer 2 isolation due to Multiple Anchor controllers

Well... my client was able to join the guest network and get anchored to one of the guest anchors and ping another device on a different anchor.

Thanks,

Scott


Layer 2 isolation due to Multiple Anchor controllers

Jason, same subnet, different anchors? How are the anchors communicating, through a firewall?

HTH,
Steve

Cisco Employee

Layer 2 isolation due to Multiple Anchor controllers

Is the network topology like this simple sketch?

Untitled.png

New Member

Layer 2 isolation due to Multiple Anchor controllers

Yes, that is accurate. Different hosts connecting to the same SSID, but go to different anchor controllers that connect to different firewalls. I can ping everything that connects to the same anchor, but nothing that connects to the other anchor. I am wondering if it's just the EoIP tunnels that are blocking that access.

Thanks,

Jason

Hall of Fame Super Silver

Re: Layer 2 isolation due to Multiple Anchor controllers

But the subnet is tied together, correct, meaning that the users are put in the exact same layer 2 subnet in the DMZ?


-Scott
New Member

Layer 2 isolation due to Multiple Anchor controllers

Correct, but I don't see ARP or anything from any host connected to the other anchor controller.

Cisco Employee

Layer 2 isolation due to Multiple Anchor controllers

One last question just for confirmation: you have two WLANs on the foreign WLC with the same SSID, right?

If yes, then you can replace each anchor WLC with an L2 switch and consider that the clients are directly connected to these switches. If these switches do L2 isolation between the clients, then the WLCs do.

New Member

Layer 2 isolation due to Multiple Anchor controllers

The same SSID is created on the local controller and both anchor controllers.

Cisco Employee

Layer 2 isolation due to Multiple Anchor controllers

OK, what I'm trying to say is that if there is communication between client A and client B, it would not be through the mobility tunnels between the WLCs; it will be through the switched network.

New Member

Layer 2 isolation due to Multiple Anchor controllers

Correct. I just wanted to make sure what I was seeing was sane. I thought it was because of the way EoIP and CAPWAP tunnels work. So broadcasts and such would not cross them, therefore I would only communicate to hosts that are connected to the same anchor controller via that tunnel.

thanks,

Jason

Hall of Fame Super Silver

Layer 2 isolation due to Multiple Anchor controllers

The anchor WLC is putting the guest in the same switched subnet, correct? If so, it would be the same as if you were connected wired; you should be able to ping any device on that same layer 2 network.

Thanks,

Scott

New Member

Re: Layer 2 isolation due to Multiple Anchor controllers

Same subnet but different anchors in different parts of the US. So hosts local to that anchor are switched. The networks are not shared except the same L2 subnet, and the original controller. So what would have to happen is that host traffic would have to cross back over the EoIP tunnel to the internal controller, and then cross the other EoIP tunnel back to the other controller to talk to those hosts. I don't believe this is possible, but want to confirm that. This was set up by an outside consultant before I got there.

thanks,

Jason.

Sent from Cisco Technical Support iPad App
