Cisco Support Community

The Cisco Unified Wireless solution does not support redundant WLCs in the DMZ for guest tunneling

Core Issue

In this sample configuration, when one Demilitarized Zone (DMZ) controller fails, the wireless LAN (WLAN) client does not automatically connect to a second DMZ controller:

  • The Mobility Anchors are used in order to provide WLAN access for guests.

  • There are two anchor controllers and an internal controller in the DMZ.

  • All three controllers are in the same Mobility Group with the same Virtual IP Address.


Presently, redundant wireless LAN controllers (WLCs) are not supported in the DMZ for guest tunneling. This is why the client does not automatically connect to the other controller in the DMZ.

Auto-anchor mobility, also called guest WLAN mobility, is used to improve load balancing and security for roaming clients on a WLAN. Under normal roaming conditions, client devices join a WLAN and are anchored to the first controller that they contact. If a client roams to a different subnet, the controller to which the client roams sets up a foreign session for the client with the anchor controller. With the auto-anchor mobility feature, however, a controller or set of controllers can be specified as the anchor points for the clients on a WLAN.

In auto-anchor mobility mode, a subset of a mobility group is specified as the anchor controllers for a WLAN. Use this feature to restrict a WLAN to a single subnet, regardless of the entry point of the client into the network. Clients can then access a guest WLAN throughout an enterprise but still be restricted to a specific subnet. Auto-anchor mobility can also provide geographic load balancing because the WLANs can represent a particular section of a building, such as a lobby or a restaurant, which effectively creates a set of home controllers for a WLAN. Mobile clients can be anchored to the controllers that control the access points in a particular vicinity instead of to the first controller that they happen to contact.

Note: The mobility anchor must not be configured for Layer 3 mobility. The mobility anchor is used only for guest tunneling.

When a client first associates with a controller that is preconfigured as a mobility anchor for a WLAN, the client associates with the controller locally, and a local session is created for the client. The clients can be anchored only to the preconfigured anchor controllers of the WLAN. For a given WLAN, configure the same set of anchor controllers on all the controllers in the mobility group.
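The consistency requirements above (the same anchor set for the WLAN on every controller, anchors drawn from the mobility group, one shared Virtual IP Address) can be checked offline with a small audit. This is an added example, not Cisco code; the inventory layout, controller names, WLAN ID 3 and all addresses are constructed assumptions.

```python
from collections import Counter

# Constructed inventory (hypothetical names, documentation-range addresses):
# what each controller in the mobility group reports for itself.
INVENTORY = {
    "internal-wlc": {"mgmt_ip": "192.0.2.10", "virtual_ip": "203.0.113.1",
                     "anchors": {3: {"198.51.100.11", "198.51.100.12"}}},
    "dmz-anchor-1": {"mgmt_ip": "198.51.100.11", "virtual_ip": "203.0.113.1",
                     "anchors": {3: {"198.51.100.11", "198.51.100.12"}}},
    "dmz-anchor-2": {"mgmt_ip": "198.51.100.12", "virtual_ip": "203.0.113.2",
                     "anchors": {3: {"198.51.100.11"}}},
}

def audit_guest_anchors(inventory, wlan_id):
    """Return (controller, issue) tuples for one guest WLAN."""
    findings = []
    members = {c["mgmt_ip"] for c in inventory.values()}

    # All members of the mobility group must share one Virtual IP Address.
    # The most common value is taken as the intended one.
    vips = Counter(c["virtual_ip"] for c in inventory.values())
    expected_vip = vips.most_common(1)[0][0]

    # Every controller must list the same anchor set for the WLAN.
    sets = Counter(frozenset(c["anchors"].get(wlan_id, ()))
                   for c in inventory.values())
    expected = sets.most_common(1)[0][0]

    for name, c in sorted(inventory.items()):
        if c["virtual_ip"] != expected_vip:
            findings.append(
                (name, f"virtual IP {c['virtual_ip']} != {expected_vip}"))
        have = frozenset(c["anchors"].get(wlan_id, ()))
        if have != expected:
            missing, extra = sorted(expected - have), sorted(have - expected)
            findings.append(
                (name, f"anchor list differs: missing={missing} extra={extra}"))
        # Anchors are a subset of the mobility group, so each anchor address
        # must be the management address of a group member.
        for ip in sorted(have - members):
            findings.append((name, f"anchor {ip} is not a mobility group member"))
    return findings

if __name__ == "__main__":
    for controller, issue in audit_guest_anchors(INVENTORY, 3):
        print(f"{controller}: {issue}")
```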

Refer to these documents for more information:

Problem Type

Redundancy / failover


Wireless LAN Controllers