
Guest tunnel on a single WLC 5508?


I'd like to create a tunnel for guest traffic, but I only have 1 Cisco WLC controller and don't have the budget to get another. All the reference architectures point to having a 2nd controller as a mobility anchor for the EoIP tunnel. Is there a way to have an EoIP tunnel with only 1 controller for guest traffic? If so, could you provide a link to an example or steps to create one?

(For corporate secure access, I already have a WLAN pointing to a RADIUS and CA server.)




Re: Guest tunnel on a single WLC 5508?

To have an EoIP tunnel it would require two WLCs.


Sent from Cisco Technical Support iPhone App

HTH, Steve

Please remember to rate useful posts, and mark questions as answered

Guest tunnel on a single WLC 5508?

An EOIP Tunnel for guest traffic is a concept that requires at least two wireless LAN controllers because you are going to anchor the clients of the desired wireless LAN controller on another controller in order to send that traffic off the network. If you do not have two controllers then there is no other option than to configure a guest VLAN and manage that traffic accordingly (maybe through a VPN tunnel) to reach the desired resources for guest clients.

I hope this answers your question.

Marco Gonzalez

Guest tunnel on a single WLC 5508?

One EoIP tunnel is configured between the guest anchor controller and each internal controller that supports access points with guest client associations. So it has to be two different controllers.

Re: Guest tunnel on a single WLC 5508?

No 2 controllers are necessary for this implementation. The reason is mentioned below.

What is an Ethernet over IP (EoIP) tunnel to the unsecured network area?

A. Cisco recommends the use of a controller dedicated to guest traffic. This controller is known as the guest anchor controller.

The guest anchor controller is usually located in an unsecured network area, often called the demilitarized zone (DMZ). Other internal WLAN controllers from where the traffic originates are located in the enterprise LAN. An EoIP tunnel is established between the internal WLAN controllers and the guest anchor controller in order to ensure path isolation of guest traffic from enterprise data traffic. Path isolation is a critical security management feature for guest access. It ensures that security and quality of service (QoS) policies can be separate, and are differentiated between guest traffic and corporate or internal traffic.

An important feature of the Cisco Unified Wireless Network architecture is the ability to use an EoIP tunnel to statically map one or more provisioned WLANs (that is, SSIDs) to a specific guest anchor controller within the network. All traffic—both to and from a mapped WLAN—traverses a static EoIP tunnel that is established between a remote controller and the guest anchor controller.

Using this technique, all associated guest traffic can be transported transparently across the enterprise network to a guest anchor controller that resides in the unsecured network area.
