Cisco Support Community
New Member

Guest Access and IP addressing usage

Hi there

Have a typical Guest set up: foreign WLC has a tunnel to a WLC in our DMZ (mobility anchor); client will get a web page and sign on, and off to the Internet they go.

As we know, a client needs an IP address first before it does anything, as the SSID is out there with no authentication, and the problem we are running into is that we are running out of IPs because we have a bunch of clients picking up IPs but then not moving towards authenticating (I suspect many clients simply scan for any open SSID and connect to it, thereby using up an IP). We clamped down the DHCP lease time to 30 mins, but this only helped to an extent.

Is there anything on the WLC or other wireless network devices that can limit this from happening? Is increasing the scope the only way to resolve this issue?

Many thanks in advance!

18 REPLIES

Guest Access and IP addressing usage

Pat,

Welcome...

And welcome to the world of Cisco Guest Wireless, where your scopes must be large and your leases must be short! LOL

The only thing you can do is hide the SSID, or leave it BROADCASTING and make a large scope and limit lease time.

We show currently 4,434 guest IPs on my network right now. Of which, after a quick ping to devices that are past WEBAUTH, we have 398 actual users. We have our lease times at 2 hours ...

Sorry, I know that's not the answer you wanted ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
New Member

Guest Access and IP addressing usage

Yes, that is what I kind of figured. But I thought I should ask the question just to be sure. Are you using public space or a private/hide-NAT setup?

Guest Access and IP addressing usage

Private/NAT ... We push the guest to the DMZ - unwrap the EoIP packet and dump the guest smack in the DMZ. From there we do DHCP, NAT and push through Bluecoat to the internet...

New Member

Guest Access and IP addressing usage

Yes that is what I am recommending here as well. Good to know I am on target with someone else who does this.  Thanks George!

Guest Access and IP addressing usage

Yea no worries... We ALL bang our head with this one at some point!

Thanks for the ratings!


Guest Access and IP addressing usage

Also -- when building your scopes, and if you are using 1 5508, there is a client limitation... No need to waste a class B, for example, if the WLC can only handle 7000 clients ..

Cisco 5508 Series Controllers Location Support

The Cisco 5508 Series Controller can now support up to 7000 clients and 5000 RFID tags when using the location support.

Also, if you are using 2 5508s in the DMZ they will round robin.

just an fyi

New Member

Guest Access and IP addressing usage

Oh well, now that leads to another question then! (And yw for the ratings...)
Here is my deal - I currently have roughly 150 WLCs now, expanding another possible 50 in the next 12 months.
I have 6 5508's in my DMZ,

but there is still the limitation of 71 tunnels that can be made (unless you tell me there is a way around that!).

Each DMZ WLC also has its own mobility group name (i.e. WLC 1 is mobility name xxxGUEST_01, WLC 2 is xxxGUEST_02... etc).

You mention round robin; how would I do that, considering each foreign WLC is only tunneled to one DMZ WLC currently?

Guest Access and IP addressing usage

Holy Jesus girl ... I thought I had a decent size guest network...

If you anchor your foreign controller guest WLAN to more than (1) anchor DMZ, clients will automagically round robin from the first anchor to the second anchor and then back again to the first anchor. You can't turn this off or on, it just happens this way. I did put in a "change request" to have this as an option to turn off and on. But Cisco hasn't added it yet and may never .. who knows...

71 is the cap. I don't know a way around that ...

Good call on the DMZ mobility group name. I do the same; it helps with troubleshooting and doesn't take up a tunnel on existing internal mob groups ...


Guest Access and IP addressing usage

by the way the ***** was J E S U S not anything else ! LOL

New Member

Guest Access and IP addressing usage

ha! No worries, girl in a tech world... used to it LOL

When we changed up this year (went from a private entity to being taken over by the 'mother ship', as I like to call it), they said '2012 is the Wireless Year, we want it everywhere to be able to be used by everyone; we want it easy, and we want to start employee BYOB' (to which I grumbled a bit... but oh well). And now just got news we are taking another division on board, so that number I just gave you I say add another 10 or 15 to, not to mention a few WiSMs thrown in there. We were using Guest NAC, but then it was thought to be easier using a shared ID/PW with it changing weekly, which currently I manage by pushing WCS jobs out each week; and the future is to use an AD backend for that instead. And this is slightly off topic, but I also broadcast the SSID for the mother ship into our network and tunnel our WLC back to an anchor on their network so users can pick up IPs from there, and then our WLCs live in their RADIUS server.
... Fun Stuff, eh?

New Member

Guest Access and IP addressing usage

oops. that BYOB was supposed to be B Y O "D" heh heh

Guest Access and IP addressing usage

SURE ..... It's 5 o'clock somewhere!


Guest Access and IP addressing usage

Ahhh.. very nice I did the same here as well ..

I blogged about it:

http://www.my80211.com/home/2011/3/3/wlc-internal-anchoring-solves-vrf-challenge.html

I call it internal anchoring LOL

So you have your guest account created each week on a scheduled event in WCS?

New Member

Guest Access and IP addressing usage

Cool! I will check your blog for sure... I sort of bumbled figuring it out... if only I had known I would have less head dings

Yes... we have a job that pushes each week, creating a local Net user, tied to the guest profile on the anchor WLCs. The username stays the same, and the pw changes. Figuring that out was also cause for a few head dings, but works great (so far!)

Guest Access and IP addressing usage

Really, I didn't know you can do that ... Can you share?

New Member

Guest Access and IP addressing usage

I can... I have a meeting to attend ... give me a bit. Perhaps I should start a new blog or thread on it?

Guest Access and IP addressing usage

Yes, I would like to learn what you are doing ...
