I have few basic clarifications on these components.. i have a network, with LWAPP's and WLC on one site - say site A. lets consider only the guest SSID, access as of now.. The Anchor guest controller is positioned on a DMZ segment on Site B. Site A & B are connected through a routed network. I also have a NAC guest server, on Site C. Now, i want to integrate all these components. As per my knowledge following is the traffic flow:
1) When guest users access their SSID, they are mapped to the anchor controller in DMZ, throu mobililty groups.. the WLC then initiates a EoIP tunnel to DMZ controller.. Firewall rules allow,all reuired ports (IP 97, 16666 UDP etc), and end to end ip communication happens.
2) Upon the reuest, the Anchor controller provides an Ip address from DHCP configured locally. In this case, will the default gateway of the PC's be Anchor DMZ controller's WLAN IP or will it be local to Site A (say L3 switch) ?
3) Then when the user tries to access any site, he is given a web authentication portal, which is linked to the radius server/nac guest server. during authentication, dmz controller again tries speaking to the nac guest server in site c. hence the firewall has to alow for UDP 1812/1813 radius ports..
4) after authentication, the user browses internet. Now, what will be the ip packet flow in this instance. Will all traffic be first tunneled across LWAPP to the controller, and from there EoIP'ed to the Anchor ? Anchor then forwards it to the internet gateway, through DMZ ? as asked before, will the default gateway of the PC's be the WLAN IP of the anchor ? if there are too many users, will I create many WLAN SSID's for guests, for Site A ?
Client connects to Guest SSID on AP connected to Controller A
Controller A anchors the SSID/WLAN to DMZ Controller at Site B
So, basically, client is actually hanging off the network port of the DMZ Controller (so all IP/Routing needs to be assigned from the standpoint of the ethernet port on the DMZ controller). The Client Gateway should be the gateway of Controller B, not the IP of Controller B.....
When client makes Web-Request, the request is hijacked by a web-authentication device (your NAC in site C?) and once authenticated, the client is allowed on the internet back at Site B.
With all that said, no traffic should be going to Site C once authenticated. So traffic flow should be (after authenticated):
Client > AP Site A > Site A Controller > Site B DMZ Controller > DMZ Controller Gateway to wherever.....
Is that clarifying anything?
I don't think there is a reason to create more WLAN SSID's for guests unless you need different authentication methods or if for some reporting reason you want different.
Number of users I don't think will be a limiting factor
thanks for the clarification. that solves almost all my design related questions... ur explanation means that:
1) I will not need any layer 3 vlans, for guest, on the local L3 switched network, in site A, right ? i have close to 7 closets, which trunk onto the core switch in site A. each closet has around 10 AP's, which communicate with 2 x WLC 4404 (100 k9).. the core switch is connected to WAN router, through which routing happens to site B..
2)can i define the dhcp server locally on the anchor controller ? in this aspect, i hope the dhcp broadcast is sent through EoIP ? does it have any dependency on knowing the DNS server ?
Thanks again.. have u implemented this ? Do u have any working configs ? I have seen wireless SRND, and have a basic config template, for all devices.. any other links which u can suggest ?
1. You should not do any VLAN for L3 network on side A for Guests. However you have to tailor guest WLAN on foreign controller with some dynamic interface. For security purpose it is wise to create dummy vlan on foreign controller. Tailor it with Guest WLAN and not allowed on trunk connection between foreign controller and core switch.
2. Yes you can use DHCP server on Anchor Controller
...and yes I have some experience with whole stuff you mentioned ;-)
Thanks again.. that was useful too. One last query.. and this was grilling my head:
1) how does the guest vlan egress work ? I have a WLC on a new DMZ of PIX, with /27 subnet.. This WLAN is used only for EoIP communication.. now, when the guest user gets a DHCP IP, what IP pool should i define here ? since the default route is going to be towards the PIX, it should be one among the 4 interfaces, right now ? or should I have another interface or VLAN dmz for the egress traffic from WLC ? SRND says something about dynamic interfaces, but not been explained at all :(
2) will the foreign WLC talk to the Anchor controller 1 & 2, in load balancing mode ? why i'm asking is, if the dhcp is defined on Anchor 1 and if the request goest to anchor 2, then it will be an issue.. otherwise is it advicible to split up dhcp scopes between the two Anchors ? say 1-127 in one anchor and 128-254 on other ?
3) Lastly.. about guest nac servers.. i have 2 of them in place.. will the guest database be replicated between them , like what ACS does ? if so, is the replication bidirectional ? If lobby admin creates an account, it will be good if he just creates in one box, and the other box replicates it ..
Thanks for all your answers.. it has been really useful to me.. and i think will be useful for anyone who works on Anchor+guest+foreign WLC designs :)
So I really can't answer 1 and 3, and 2 actually brings up concern....
How do you plan to anchor to load-balanced WLCs? I'm pretty sure you anchor to one controller, but maybe I just haven't read much about Load-balancing. Clear to enlighten me?
furthermore, When configuring anchor wlans, I've always had to make the configuration Identical. Which included defining the DHCP server on the wlan that is trusted. As far as I know, you can only define 1 DHCP server, so I'm not really sure how you would even make two dhcp servers work (unless you don't have to define a dhcp server on the trusted WLC)...
But assuming you could make both dhcp servers work with the wlc, then you probably will need to split the scopes else you have no way to control address conflicts if you are really using two dmz controllers.
I guess I need to read-up a little on what you are calling "load balancing mode"...
Transferring Crash file from standby: Login to the Active WLC in HA.
From CLI: (Cisco Controller) >transfer upload datatype crash (Cisco
Controller) >transfer upload filename (Cisco
Controller) >transfer upload mode tftp (Cisco Controller) >transfer
This is the start of a display filter cross reference between Wireshark
and OmniPeek. The 1st installment is a table of advanced filters. More
filters will be added as time allows. It is a living doc, so check back
for changes every so often Please feel f...