Cisco Wireless :: 3502 - WLC User Rate Limit On Guest SSID Anchor Controller
Jul 30, 2012
We have been deploying 3502 APs remotely to locations with full T1s that backhaul to where I sit at HQ. Both the foreign and anchor controller are here at my location.
I am seeking to rate limit per user the bandwidth each client will get on the guest internet ssid. As you know this traffic is encapsulated in capwap between the AP and the controller so I cant use a standard ACL on the switch or router.
We are trying to keep the guest internet access usage in check on the T1 at any given site so the other ssid's & local lan traffic is not overly competing for the bandwidth.
I found the place to edit the default profiles in the controller but the documentation really isnt clear on best practices.
So I put it to you my fellow wireless engineers to suggest how you are implementing bandwidth management on your wireless guest internet.
Oh and here is my hardware & software levels.
5508wlc - forgeign
4402wlc - anchor
Software Version7.0.230.0
View 3 Replies
ADVERTISEMENT
Aug 12, 2012
I know that the 3600 series APs are not supported on the 4404 WLC. However, would the following scenario be supported? I would like to use the 4404 (software rel. 7.0) as a guest anchor with a 5508 (software release 7.2) as the foreign controller supporting series 3600 APs. I ask because the APs do not need to join the guest anchor.
View 7 Replies
View Related
Dec 5, 2011
I know that the recommendation from Cisco for the mobility anchor feature to work well is to use the same IOS version on the anchor WLC and local WLC controller. Now I´ll install on a new site a 5508 local WLC with a newer IOS version which is installed on the other controllers ( Guest and local ). Later I´ve planned to update also the other controllers to the same IOS version. Now my question is, must I upgrade all other controller at the same time ?
View 4 Replies
View Related
Nov 6, 2012
We currently have all of our foreign AP controllers on software version 7.0.116. This consists of a mixture of 4400 and 5508 WLC's. Our guest anchor is a 4402 on version 7.0.116. We are replacing the guest anchor with a 5508. We are also upgrading our 5508 wireless controllers to version 7.2 to support the 3600 series AP's. My question is what is the recommeded code that the anchor controller should be on? Should it also be upgraded to 7.2? If we upgrade the anchor controller to version 7.2, will this affect anchoring to 4400 series foreign controllers still on7.0.116?
View 9 Replies
View Related
Dec 6, 2012
We are planning a WLAN upgrade and the security policy is to forward wireless Guest user traffic to the DMZ controllers. We are now considering the Virtual WLAN Controller and all AP's will register with the virtual controllers and we will use Flexconnect for Staff and internal traffic that will switch their traffic onto the local switch.
We wish to forward the guest traffic to the DMZ Guest Anchor controller which will be a 5508 controller. This will also offer Office Extend AP service.I have looked at teh virtual controller docs and not very clear if this deployment model is supported. Below is a diagram of what we wish to deploy and is this a supported deployment model.
View 2 Replies
View Related
Aug 16, 2012
We have a Cisco 4400 series wireless controller deployed as a Guest Anchor in a private DMZ. We have 13 foreign controllers anchored to this for Guest Wireless. We recently anchored 17 additional controllers to this Anchor controller. Since we have done that, periodically on just 3 of the foreign controllers, the control path shows down on the mobility peer, then comes back up. We have had this issue in the past, but it resolved itself. However, now we are seeing this issue again. Are we reaching a limit on EoIP tunnels? I have read that there is a max of 71, and that is per controller, not SSID. We do have a firewall in the middle but all necessary ports are open.
We have had this issue for quite sometime, it just does not happen frequently. Since we have added the additional controllers, it is now happpening very often, but only with 3 controllers. There is not much in common with these 3 controllers. 2 are 4400 series, and 1 is a 5508. All 3 are local on a campus LAN, different networks. Could it have anything to do with memory or utilization?
View 15 Replies
View Related
Mar 7, 2013
I am trying to set up a guest SSID which will be separate from other corp SSIDs. I have read about this auto-anchor feature and I have a basic idea. Here are some questions about the network design
1. Can Cisco 5508 with 7.2.111.3 code do NAT? I mean can I use the anchor controller also as a gateway to Internet or do I need another device such as FW or router to do the job?
2. I want the guests to get IP address in 192.168.0.0/24 range. On the anchor controller I will need an interface in this range, correct? However on the internal controller I won't need this interface. The guest ssid will be associated with the management interface on the internal controller, correct?
3. I want the guests to get IP address from general DHCP server. Does DHCP request have to come out of the new interface in the 192.168.0.0/24 range? However this interface will be connecting with the FW. It won't have connection back to the internal network to reach the DHCP server. The management interface will have the route to the DHCP server. Is it possible to use management interface for this SSID but still let traffic to pass through the Guest interface?
View 3 Replies
View Related
Feb 23, 2012
In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
SSID Name - guest
Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
Mobility Group: Same configs at both ends
SSID Anchor : Anchor SSID on local and local SSID on Anchor.
AP: CAPWAP 3502 Management Subnet
[code]....
Is there any thing missing in the wireless configs and or the firewall rules as i could not see DHCP request back from the Anchor Controller. Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL congiguration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers.
View 8 Replies
View Related
Feb 28, 2013
i have two 5508 ver 7.3.0, one is the primary and one is the guest controller. mobility is up and running. i have an exising guest ssid working with wpa2-psk and web authentication and its working fine but i require a second guest ssid that only uses a wpa2-psk for ipod/ipads as i cant use passive client on primary controller. i presently have the one vlan range and dhcp setup on the guest controller to give addressing to either ssid. i know you can have multiple ssid setup on the guest controller but in other sites i have only had one guest connection comming from the primary controller, just a primary controller on each sites was only creating one link to the same guest controler.
View 3 Replies
View Related
May 2, 2012
We are deploying 3600 AP's with a 2504 and would like to create multiple SSID's that are mapped to unique VLANs so we can control the traffic at the Firewall. We have the 2504 up and running with AP's but there appears to be no where in the 2504 controller Web GUI to configure a VLAN mapping to an SSID. Any pointers to documentation on how to configure?
View 1 Replies
View Related
Jun 2, 2013
We have a customer that have 2 5508 as primary and backup controller and a 4400 as an anchor controller. We plan to upgrade the 5508 to 7.3.112.0 and the 4400 is already 7.0.116.0. Will there be any issue if the anchor controller is not the same code as the foreign controller? Do I also have to upgrade the acnhor controller to 7.0.240.0?
View 2 Replies
View Related
Dec 6, 2012
I am looking to configure a wired and wireless guest network. I have industrial barcode scanners that connect to one SSID and then there is the business network on the office SSID (no vlan seperation for these devices just different SSIDs). There is not really a need to seperate the business network from the scanners in any case. However, there are needs for a guest network and this needs to be seperated. At the bare minumum I would like to have the wireless guest network. Here is what I have: 2125 Wireless LAN controller managing 18 LAPs (1 indoor and 17 outdoors)Cisco Cat 2950 switches (2 x 24 port and soon to be replaced with 2 x 48 port 2960's with 802.1x capability) Sonicwall TZ210 firewallOne existing wired and trunked vlan for PLC infrastructure. One ESXi hosting Windows server guests (soon to be 2 with vMotion) The reason for the wired guest access network is tp prevent anyone from plugging into the wall jack in the office with thier home laptops or anyone else from being on the same subnet as our domain machines. Granted they would be unathenticaed but there would be no layer 2 seperation and that is what I think would be best.
How would I go about doing this on the wireless controller without an anchor controller just using my existing hardware? I would like to have the Guest SSID only availible in the front office. Is it possible to offer a guest network while still servicing the business network SSID on the same access point? Then might I be able to have the guest network be treated as it should at the controller? However this might present another issue altogether as the guest traffic will be over the same wire as the business SSID until it hits the controller for management.
View 1 Replies
View Related
Jan 31, 2012
We have a secure ssid and a guest ssid. Is the a way to prompt for a single username and password and if that name is guest it will automatically connect to the guest ssid? If active directory user and password it will automatically use the secure ssid? we are using Microsoft NPS/Radius, 3502 ap's, and 5508 controller.
View 3 Replies
View Related
Nov 26, 2012
We have a WLC (5508) in our main office in Brisbane that is hosting two WLANs. One provides wireless access to our internal network and the second provides wireless guest access. The guest WLAN is anchored to a controller sitting in the DMZ at our Data Centre.
In the DMZ the anchor controller has a management interface and an interface in the DMZ for the wireless guest access. I am using the DHCP server on the anchor DMZ to provide IPs etc to wireless guest clients. The default gateway is 10.8.144.1 which is a VIP or a pair of firewalls.
Initially everything works fine. Guests connect to the guest network, have to authenticate via a web portal (Cisco ISE server) and then can go on an use the internet. Works perfectly until the firewalls fail over and the secondary firewall takes over the VIP address. All access to the internet is lost at that point. If I try to disconnect and then reconnect a wireless client it connects, as in it will get an IP address, but DNS resolution stops and I do not get redirected to the web auth portal. If the firewalls are failed back to the primary then everything works again, no issues. However, if I reboot the WLC while the secondary firewall has the VIP IP everything will work fine as it did on the primary. If the firewalls now fail over to the primary again everything goes to ****. Until either the firewalls are failed back or the anchor WLC is rebooted.
Initially I thought this was an issue on the firewall, but this doesn't appear to be the case. When the firewall fails over it sends out a gratuitous ARP advising of the change in MAC address for the 10.8.144.1 IP address. The WLC seems to update its ARP table because if I run the command "show arp switch" it has the 10.8.144.1 IP address with the MAC address of the active firewall. From the client perspective I have run a wireshark and captured packets on the wireless interface when trying to connect. The laptop is continuously send ARP requests for 10.8.144.1 but gets not reply. Without this the client cannot send an ethernet frame to the gateway and hence get to the DNS server and WEB portal. Internet access breaks. Doing a TCP dump on the active firewall shows it receiving and then sending a reply to the ARP request. It just never gets to the wireless client. Debugging ARP packets on the anchor WLC seems to indicate that the controller is receiving the ARP replies from the firewall. So I'm at a loss as to why things should break when the firewalls fail over.
I have a 3750 switch in the DMZ with SVI of 10.8.144.4. I thought I could get a work around where I would make this the default gateway. The theory being that this interface MAC address would never change. However I was wrong. Even with this IP set as the gateway address for the wireless clients I see the exact same bahaviour when the firewalls fail over. I can't explain it other than to say that the gratuitous ARP sent by the firewalls seems to kill the ability of ARP replies to be sent back to the wireless client.
View 3 Replies
View Related
Feb 2, 2012
Any link that will give configuration examples of a wireles anchor config with one controller in a DMZ. I have tried this on my own and have some problems in my test enviorment. I believe my issues were with the firewall but not exactly sure.
View 4 Replies
View Related
Nov 7, 2012
All controllers are in version 7.2.111.3.C1 is a 5508, it is ou anchor controller.C2 is a 5508, it is a big site controller.C3 is a 2504, it is a small site controller. C2 and C3 are in the same mobility group than C1 (and all is up up in mobilty managment). When "DHCP Addr. Assignment" is enable on C1 : Clients on C2 received their IP address by our external DHCP server via C1 and the guest tunneling betwenn C1 and C2 and all is working fine. Clients on C3 don't received their IP address by our external DHCP server via C1 and the guest tunneling betwenn C1 and C3, so nothing work.
View 4 Replies
View Related
Jan 2, 2012
I'm trying to research the tunnel limits on a 5508 controller if you're terminating controllers to two different SSID's. For example. In my DMZ i have a GUEST SSID for contractors and guests and then I have another SSID used by employees so that tablet and mobile phone users can access the interenet. Because we don't trust any of these devices we have that SSID is termiated just as we do our GUEST SSID.
To reduce the number of anchor controllers I deploy, I wanted to start with one 5508 Controller. (then move up to about 3) This controller would have two SSID's, GUEST & MOBILE. On the Foreign controllers when I setup anchor tunneling I will be anchoring to the same controller however to two different SSID's.
Per the 5508 specs it supports 71 tunnels.
So my question to the group is, will the 5508 see this anchoring as one tunnel each? Or does it support 71 Tunnels per SSID?
View 14 Replies
View Related
Feb 12, 2013
We have Internal Wireless Controllers to be set up for HA (AP SSO) and wireless traffic from Guest SSID will be terminated on a Guest Anchor Controller inside Firewall DMZ. The Internal WLC controllers are installed with software versions 7.3.101.0, and the Guest Anchor controller is installed with software version 7.2.103.0. Just wondering if the Guest Anchor controller needs an upgrade to match the software versions on the HA controllers. Also, Cisco provides a new version of code, 7.3.112.0 now. So is it recommended to install the new software version on the HA controllers as well as the Guest Anchor Controller.
View 8 Replies
View Related
Sep 23, 2012
I am in process of replacing our 44xx controllers with new 55xx controllers. During the upgrade, I would like to add redundancy to our guest controllers that reside in the DMZ and had a question about regarding the setup.
If I remember correctly, I would place both guest controllers on the same mobilty group, and then add both of the controllers to the foreign controllers. The foreign controllers will form mobility with both anchors, but choose the one with the lowest MAC address as primary. On the foreign controller, if the lowest MAC addressed anchor controller does not respond, it will connect to the second controller. Is that still true? or is there a better way to go about it?
Also, I was wondering, do I need to put different guest network ranges on each of the Anchor controller? or can I use the same exact range on both anchor controller (since if a controller goes down, the clients would be reconnecting to the second controller anyways?)
Any best way to setup redundant Anchor (guest) controllers).
View 22 Replies
View Related
May 20, 2012
I recently upgraded our controllers to the latest version 7 software, as I read this was one of the requirements to get them to connect. But I am not having any luck getting into a controller. Normally I plug them in to the network, they pop into the controller listed as something like AP5057.a844.xxxx and then I can finish configuring them, but a static IP on them, etc. This is the first of this model AP I have tried to deploy, so I am wondering what is different with these. or what I might be missing in the default config in the WLAN controllers. Niether of which are set to "Master" either.
View 10 Replies
View Related
Feb 3, 2013
I just read that starting from version 7.4, the 2500 controller can be used to terminate guest anchor tunnels. have a question regarding the performance of the internal DHCP server when used in guest environments.
View 1 Replies
View Related
Feb 26, 2013
I'm attempting to set up (for testing purposes) a 2nd 'guest' SSID on an internal WLC (WLC-A), and terminate it in a DMZ on an anchor controller (WLC-B). We already have a guest SSID originating on WLC-A and terminating on WLC-B though. Is it possible to originate a 2nd guest SSID on WLC-A?
WLC-A - 2504 (7.2.x)
WLC-B - 5508 (7.2.x)
The problem I'm seeing is I'm getting no DHCP address assigned on the test SSID. If I statically assign IP information I still have no connectivity. It's as if the EoIP tunnel for the 2nd test SSID isn't functional.
View 2 Replies
View Related
Jul 26, 2011
I have the following
WCS: Version 7.0.164.3 and WLC 5508 Software Version7.0.116.0 And cannot import it. I have 2 more WLC 5508 (same version) already imported in WCS with no issue. Have run debug on the DMZ WLC and can see the snmp request coming through when I try to import it. Firewall rules are fine, ran a tcpdump and the WLC returns snmp values back. snmp credentials and routing is fine, can ping both in both ways.
Always comes up with the following error.
IP Address TypeStatus 203.14.70.91Failed to add device to WCS Reason: Object not found in device
View 2 Replies
View Related
Jul 18, 2012
I have 2 5508s (foreign and anchor both running 7.2.110.0) with an open WLAN configured via mobility anchors. This configuration works and has no problems. My next task is to incorporate a webauth page (accept/reject) to present the clients with AUP information, etc. On the foreign controller I created a test WLAN (open) and setup webauth Passthrough using the Cisco webauthbundle (wap.html), this works as intended, no issues. However I am at a loss as to how to incorporate the webauth Passthrough functionality on the WLAN that is configured for the mobility anchor.
View 2 Replies
View Related
Sep 12, 2012
I would like to be able to allow a specific client to only associate at 6mbit/s -is this possible using the wlc controller 5508? Another option would be to limit a whole w lan ssid to 6mbit/s but i can't find a way to do that either.
Other w lan ssid's on the same access points/controller need full data rates, so i guess i can't use the RF-profiling for this.
View 2 Replies
View Related
Jun 2, 2011
We’d like to extend our current Guest LAN from a 4400 WLC in our data center to a 2100 WLC located at a remote facility. However, we cannot get the foreign controller to pass traffic to the anchor controller – or so it seems. The catch is that we’re not actually trying to extend the SSID itself to provide wireless access, but instead flub it so that we can provide local wired access tunneled to the Guest LAN on the anchor WLC. I’m not entirely sure if this is possible, because I’ve read that before the EoIP tunnel will come up a guest client must associate to the foreign WLC.
We’ve followed the instructions we could find that go over setting up this type of scenario, but unfortunately they only cover setting up back-to-back 4400 controllers and as such, some functions described (notably being able to create a Guest LAN) are not possible on the 2100. We haven’t been able to find a clear and concise guide on the scenario we want to set up.
Here’s some detail:
Mobility group is up/up between both WLCs. Both WLCs are running 6.0.x code.
Anchor WLC – 3750G-24WS-S25 (a 4400 WLC w/ integrated 3750G-24)
Guest LAN WLAN “wired-guest” created; Ingress is “none” and Egress is our existing “dirtnet” – i.e. outside access. The “dirtnet” interface is *not* a Guest LAN interface. Mobility anchor is set as local.
Remote WLC – WLC2106
WLAN “wired-guest” created; Interface is “wired” w/ an IP address on the same subnet as the anchor “dirtnet” and associated with port 2. Mobility anchor is set to the anchor WLC and is up/up. I have a laptop connected to port 2 with a statically assigned IP address on the same subnet as “dirtnet.” I am able to ping the local port 2 address, but I can’t ping across the tunnel to the anchor WLC. I also cannot ping the anchor WLC "dirtnet" interface from the foreign WLC’s Ping tool.
View 1 Replies
View Related
Apr 21, 2013
I want to use a 5508 as an anchor controller for a wireless guest deployment....but the client has internal 4402's controllers, with software version 7.0.235.0...is it possible tu mix these two controllers for a Wireless Guest Access Deployment??
View 3 Replies
View Related
Jan 28, 2012
I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centers with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
This is how I tried to distribute :
network. 10.1.0.0/23
gateway: 10.1.1.254
Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
As the user load balancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometime getting 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP) hence depleting the pool addresses.
I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP load balancing and having full redundancy at the same time?
View 3 Replies
View Related
Jun 7, 2011
in one of the sites, the client has an exisiting 4402 controller which he moved to the DMZ in order to set it as an anchor & he purchased two new 5508 controllers to control the corporate APs. I configured all the parameters needed for the guest anchoring & then I tested the connection but there was an issue. (all the controllers are running the same firmware version)after testing the setup, the guest users could get an IP from the internal DHCP of the anchor controller (in DMZ), but then they cannot reach the internet or anything outside the anchor controller.Cisco confirmed that the 4400 is fully compatible with the 5500 to work in an anchor-foreign secnario as long as they are running the same firmware version. yet, when I temporarily used one of the 5500 controller in the DMZ as an anchor & I applied the exact same configurations on it as the 4400, it worked perfectly without any issues.
note: on the anchor controller (4400), the management & AP-manager interfaces reside on the same subnet & the wireless guest SSID is also mapped to the management interface. (may be this setup is causing the issue) but on the 5500 it is working just fine?
View 2 Replies
View Related
Feb 27, 2013
Is there any possibility to limit the bandwidth per SSID on Cisco Aironet 1100 that is connected to Cisco router 876? So the main goal is to have two SSID one for the guests and one for the colleagues and to limit for example half the bandwidth of internet link per SSID so we dont get into situation that colleagues overload whole internet link so that guests can always surf without problem.
View 3 Replies
View Related
Feb 24, 2011
I am not able to disable rate limit comand from Cisco 3700 series router. I have tried with no rate limit command in the interface .Command is taking but still the rate limit comman in the interface.
View 2 Replies
View Related
Dec 6, 2011
I have a stack of Cisco 3750v2 switches with 8 VLANs (one per customer) and 8 SVI's (again, one per customer). I am trying to apply rate limiting to the SVI's of each vlan for both input and output traffic. This is my SVI configuration for one such VLAN (I have substituted the real IPs for prviate IPs for the purposes of this example) -
interface Vlan30
description ****CUST-C-VL30-SUBRATE-CAR-10M****
ip address 192.168.30.250 255.255.255.0
[Code]...
Based on this and the speed tests I am performing from within the VLAN i am receiving the full bandwidth and not what should be assigned based on the rate limiting. Have I missed anything as far as the configuration goes?
View 10 Replies
View Related
Jan 17, 2012
I'm trying to limit one of my inside hosts, since it's been a little of a hog. I have 3Mb available from my ISP via 2x T1. I'm testing this on a computer in a lab:
PC 10.10.10.10------Cisco2960-------- 10.10.10.1 Inside - ASA - Outside 208.66.x.1------------------------208.66.x.2-Cisco 2811-2xT1
Here's what I've tried so far, please see text in red:
***global (outside) 1 208.66.x.115
***nat (inside) 0 access-list No-Nat
***nat (inside) 1 0.0.0.0 0.0.0.0
[Code].....
It didn't work... I was able to max the bandwidth again. I also tried to apply service-policy to inside int, which didn't make a difference.
View 1 Replies
View Related