WLC 5508 multiple Mobility Hops

Dan
Level 1

Some quick background:

 

We've entered into a collaboration partnership with some other organisations, we're trying to share our own wireless SSIDs across each others controllers and APs. We are using a site to site VPN with our DMZ WLCs as the interesting traffic.

 

So far we have this working ok:

Our internal WLC -> our DMZ WLC - mobility group works fine

Our DMZ WLC -> Their DMZ WLC - also works fine.

 

What we can't get working is a multiple hop mobility for the SSIDs. So:

 

It would be our internal SSID and the path would go:

 

Their internal WLC -> Their DMZ WLC -> Our DMZ WLC -> our Internal WLC.

 

SSID settings are exactly the same. The SSID's mobility anchor is set as the next one in the chain. All are using Management as their interface except where the SSID ends on our internal WLC, which has its own interface with DHCP pool etc. The internal WLC (where the chain ends) also has its mobility anchor set as local.

 

Have we maybe got something wrong or missed something to allow this or is a mobility anchor with multiple hops just not possible?

 

Thanks

6 Replies

Hi @Dan

This is actually a very interesting project. Honestly I've never seen anyone trying something like that.

Mobility chain would be possible up to 24 WLCs. However, as per your description, your environment is not just about Mobility chain but you are Anchoring WLC and at the same time chaining Mobility group.

I tried to find on cisco docs what the limitation for this kind of setup is but looks like this is not quite common.

-If I helped you somehow, please, rate it as useful.-

Freerk Terpstra
Level 7

Which technical solution is best really depends on the applicable functional and security requirements.

In case seamless roaming between two adjacent buildings from different organizations is required, mobility tunnels between the controllers are required. When this is not a requirement I would give the "guest" end-points their point of presence in the local DMZ and tunnel that traffic within the VPN to their own organization in case necessary. Or give their point of presence in the local "internal" zone, depending on the security requirements. In the end more tunnels means more points of failure and more potential bottlenecks.

 

Keep in mind that in case dot1x authentication is being used, also the management-plane of the local foreign controller needs to be able to talk with the RADIUS server of the other organization. Another scenario is integration between the RADIUS servers and treating all end-points as "trusted". Whether this is allowed depends on the security requirements and the level of trust between the different organizations.

Please rate useful posts... :-)

We can't really attach the access points to our DMZ controller as we have 330 APs over 55 different sites and the SSID is to be broadcast across all of them to allow their employees access to their network during collaboration work and vice versa. They aren't adjacent either, they're in another part of the city. I think we're going to have to just link both our internal WLCs together. I did some testing with our 3 WLCs doing 2 hops and was not successful.

 

We are using Dot1x via ISE for our wireless authentication. Does this mean their WLC needs direct access to our ISE node over the VPN? I thought the authentication requests would come from our internal WLC. That might present a problem. We may have to put a RADIUS proxy in our DMZ as I don't think we will want to expose our ISE node to any organisation even if it's over a VPN, otherwise we will have to NAT it.

 

Be aware of the bandwidth and latency constraints when you decide to tunnel all the client traffic. In case a lot of traffic is destined for the internet I would create new client VLANs and route them locally and only tunnel what is necessary within the IPsec VPN tunnel configuration.

The local WLC performs the layer 2 authentication since it is the foreign controller, so it will set up the RADIUS communication.

Please rate useful posts... :-)

Some of the traffic will be internet based but all of it is going to have to go through the tunnel because they'll be authenticating with their AD and Proxy servers. Our users will be doing the same as well. It's probably not going to be that many users to begin with at the moment. As far as I know we only have 1 member of staff that visits the other sites once a week or so. Isn't all the traffic coming from their WLC over the VPN anyway? How would you separate that?

You can't make that distinction when you use mobility tunnels, but you can when you use the site-to-site VPN. In that case you need to create a client VLAN on your local firewall with, for example, 10.1.1.0/24 as IPv4 network. Let's say that the remote location uses different server VLANs which can be summarized to 10.2.0.0/16. Now, when you just specify these source and destination networks in your VPN configuration, all other traffic will be routed locally on the firewall. You do need to create some kind of access-list and probably NAT rules as well to allow this to happen.

 

It all depends on your security policy if this setup is feasible for you, but since you use a proxy the end-points shouldn't try to access the internet directly anyway :-)
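The split-tunnel scheme from the last two replies (a local client VLAN whose traffic to the partner's server VLANs is the only "interesting" traffic, plus the RADIUS path the foreign controller's management interface needs to the home organisation's authentication server) as an added ASA-style configuration example. This is not configuration from the thread or from either organisation. The 10.1.1.0/24 client VLAN and the 10.2.0.0/16 remote summary are the values given above; the interface names, the crypto map name, the VPN peer 203.0.113.10, the partner WLC management address 10.2.255.10, the DMZ RADIUS proxy 192.0.2.20 and the assumption that the local internal zone lives in 10.0.0.0/8 are all placeholders chosen for the example.

```cisco
! Added example (not from this thread). ASA 9.x syntax; addresses other than
! 10.1.1.0/24 and 10.2.0.0/16 are assumed placeholders.

! Client VLAN for the partner's users, terminated on the local firewall so that
! anything not destined for the remote organisation is routed locally.
interface GigabitEthernet0/1.110
 vlan 110
 nameif partner-clients
 security-level 50
 ip address 10.1.1.1 255.255.255.0

object network PARTNER_CLIENT_VLAN
 subnet 10.1.1.0 255.255.255.0
object network REMOTE_ORG_SERVERS
 subnet 10.2.0.0 255.255.0.0
object network REMOTE_WLC_MGMT
 host 10.2.255.10
object network DMZ_RADIUS_PROXY
 host 192.0.2.20

! Interesting traffic for the site-to-site VPN: client traffic to the remote
! server VLANs, plus RADIUS from the remote (foreign) WLC's management interface
! to the RADIUS proxy in our DMZ. Nothing else enters the tunnel.
access-list VPN-INTERESTING extended permit ip object PARTNER_CLIENT_VLAN object REMOTE_ORG_SERVERS
access-list VPN-INTERESTING extended permit udp object REMOTE_WLC_MGMT object DMZ_RADIUS_PROXY eq 1812
access-list VPN-INTERESTING extended permit udp object REMOTE_WLC_MGMT object DMZ_RADIUS_PROXY eq 1813

! Identity NAT so tunnelled flows keep their real addresses.
nat (partner-clients,outside) source static PARTNER_CLIENT_VLAN PARTNER_CLIENT_VLAN destination static REMOTE_ORG_SERVERS REMOTE_ORG_SERVERS no-proxy-arp route-lookup
nat (dmz,outside) source static DMZ_RADIUS_PROXY DMZ_RADIUS_PROXY destination static REMOTE_WLC_MGMT REMOTE_WLC_MGMT no-proxy-arp route-lookup

! Locally routed traffic from the client VLAN (e.g. the internet) is PATed
! to the outside interface address.
nat (partner-clients,outside) after-auto source dynamic PARTNER_CLIENT_VLAN interface

! Interface ACL (first match wins): the partner VLAN may reach its own
! organisation's networks and the internet, but nothing in our internal zone
! (assumed here to be 10.0.0.0/8).
access-list PARTNER-CLIENTS-IN extended permit ip object PARTNER_CLIENT_VLAN object REMOTE_ORG_SERVERS
access-list PARTNER-CLIENTS-IN extended deny ip object PARTNER_CLIENT_VLAN 10.0.0.0 255.0.0.0
access-list PARTNER-CLIENTS-IN extended permit ip object PARTNER_CLIENT_VLAN any
access-group PARTNER-CLIENTS-IN in interface partner-clients

! By default decrypted VPN traffic bypasses the outside interface ACL; disable
! that so the RADIUS path below is the only thing the remote side can reach.
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit udp object REMOTE_WLC_MGMT object DMZ_RADIUS_PROXY eq 1812
access-list OUTSIDE-IN extended permit udp object REMOTE_WLC_MGMT object DMZ_RADIUS_PROXY eq 1813
access-group OUTSIDE-IN in interface outside

! Tie the interesting-traffic ACL to the existing site-to-site crypto map entry.
crypto map OUTSIDE_MAP 10 match address VPN-INTERESTING
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
```

The mirror of this is needed on the partner's firewall (their client VLAN to our server summary, and our WLC management address to their RADIUS proxy). Keeping the RADIUS proxy in the DMZ, as Dan suggests, means the crypto ACL and the outside ACL only ever name the proxy, not the ISE node itself.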
