A blog with tips, tricks and tutorials to help you prepare your CCIE Wireless lab exam.

Sunday, July 26, 2009

Wired Guest

You know the wireless guest feature, where users get a Web authentication page, enter username and password (or just enter their email address if it is a Pass Through config) to access the Internet.
The Wireless Business Unit has had the request for years to do the same for wired users. Why? Well, just because you always get that guy who does not have wireless and wants to plug in somewhere just to check emails. Over the years, as wireless guest access has become "the guest network", we wireless guys are usually asked to take care of this "wired exception" along with the standard wireless guest users.
So now, the controller can also take care of these guys. It is easy to configure and very close to the wireless guest config. You can do it on one controller, or with 2 controllers, which is more interesting.
So imagine you have a switch with a VLAN 50, which is the "Wired guest" VLAN. Whenever a wired guest wants access to the Internet, they plug their laptop into a port on that switch, in VLAN 50. VLAN 50 goes up the trunk to where your controller, called WLC1, is waiting. WLC1 is your internal controller. It has quite a few WLANs and VLANs. It also receives the requests from wired (and maybe wireless) guest users, and sends them to the DMZ controller, DMZWLC.
So here is the process. Configuring Wired Guest Access is done in 5 steps:

1. Configure a dynamic interface (VLAN) for wired guest user access
2. Create a wired LAN for guest user access
3. Configure the Foreign controller (Main Office)
4. Configure the anchor controller (the DMZ controller)
5. Fine tune the guest LAN

1. On WLC1, create a dynamic interface called VLAN50 (VLAN ID 50). In the interface configuration page, check the "Guest LAN" box. As soon as you check that box, fields such as IP address or gateway disappear: this interface is ingress only, and the controller never puts an address of its own on it. The only thing your WLC needs to know about this interface is that "there will be client traffic coming from VLAN 50, and these clients are wired guests".

2. On a controller, an interface is only used once it is associated with a WLAN. The second step is therefore to create a WLAN on your Main Office controller. Navigate to WLANs and click New.
In WLAN Type, choose Guest LAN.
In profile Name and WLAN SSID, enter a name that identifies what this WLAN is about. These names can be different, but cannot contain any space. The term WLAN is used, but this network profile has nothing to do with wireless.
The General tab offers 2 drop down lists: one "Ingress" and one "Egress". Ingress is the VLAN users come from (VLAN 50), Egress is the interface you want to send them to.
For Ingress, choose VLAN50. Easy. For Egress, things are a little more interesting. If you had only one controller, you would create another dynamic interface, a "standard" one this time (i.e. NOT guest LAN), and you would send your wired users to this interface. In this case, we send them to the DMZ controller. So for the Egress interface, choose the Management Interface.
The Security mode for this Guest LAN "WLAN" is Web Auth, which is fine. Click Ok to validate.

3. From the WLAN list, click Mobility Anchor at the end of the Guest LAN line, and choose your DMZ controller. I am assuming here that both controllers already know each other. If they do not, go to Controller > Mobility Management > Mobility Groups, add DMZWLC on WLC1, and similarly add WLC1 on DMZWLC. Both controllers do NOT need to be in the same mobility group: they only need each other as mobility peers so that the EoIP tunnel can be built. In fact the usual recommendation is that they should NOT be in the same group, so that the DMZ anchor stays isolated from your internal controllers rather than being treated as just one of them.

4. Your Main Office controller is ready. You now need to prepare your DMZ controller. Open a Web browser session to your DMZ controller and navigate to WLANs.
Create a new WLAN.
Just like on the Main Office controllers, in WLAN Type, choose Guest LAN.
In profile Name and WLAN SSID, enter a name that identifies what this WLAN is about. Use the same values as on the Main Office controller.
The Ingress interface here is None... It actually does not matter, as the traffic will be received through the EoIP tunnel, so this is why you do not need to specify any ingress interface.
The egress interface is the one on which the clients are supposed to be sent. Let's say that the DMZ VLAN is VLAN9. Create a standard dynamic interface for VLAN 9 on your DMZWLC, then choose VLAN 9 as the egress interface.
You also need to configure the DMZ end of the Mobility Anchor tunnel. From the WLAN list, choose Mobility Anchor for the Guest LAN, and anchor it to the local controller itself, DMZWLC.
Both ends are now ready.

5. You can also fine tune the WLAN settings on both ends. Be careful: the settings must be exactly the same on both ends. For example, if you check "Allow AAA Override" in the WLAN Advanced tab on WLC1, you need to check the same box on DMZWLC. Any difference in the WLAN settings on either side will break the tunnel (DMZWLC refuses the handoff, which you can see by running debug mobility, for example debug mobility handoff enable).
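The same five steps as WLC CLI commands, added here as an illustration rather than taken from the original post. The interface names, the VLAN 9 addressing, the controller management IPs and MAC addresses, and the mobility group names are all assumed values; lines starting with "!" are annotations for the reader, not commands the WLC accepts. Exact syntax varies between AireOS releases, so check the result with show guest-lan afterwards.

```text
! ===== WLC1 (foreign / internal controller) =====
! Step 1: ingress interface for VLAN 50, flagged as a Guest LAN (no IP address needed)
config interface create vlan50 50
config interface guest-lan vlan50 enable

! Step 2: the Guest LAN "WLAN": ingress = VLAN 50, egress = management
!         (egress is management because the traffic is tunnelled to the anchor)
config guest-lan create 1 WiredGuest
config guest-lan ingress-interface 1 vlan50
config guest-lan interface 1 management
config guest-lan security web-auth enable 1

! Step 3: make DMZWLC a mobility peer and anchor the Guest LAN to it
!         (assumed: DMZWLC management IP 192.0.2.10, MAC 00:11:22:33:44:55, group "dmz")
config mobility group member add 00:11:22:33:44:55 192.0.2.10 dmz
config guest-lan mobility anchor add 1 192.0.2.10
config guest-lan enable 1

! ===== DMZWLC (anchor) =====
! Step 4: same profile name, no ingress interface, egress = DMZ VLAN 9
!         (assumed: VLAN 9 address 198.51.100.5/24, gateway 198.51.100.1;
!          WLC1 management IP 192.0.2.5, MAC 00:aa:bb:cc:dd:ee, group "internal")
config interface create vlan9 9
config interface address vlan9 198.51.100.5 255.255.255.0 198.51.100.1
config mobility group member add 00:aa:bb:cc:dd:ee 192.0.2.5 internal
config guest-lan create 1 WiredGuest
config guest-lan interface 1 vlan9
config guest-lan security web-auth enable 1
! the anchor points at itself: its own management IP
config guest-lan mobility anchor add 1 192.0.2.10
config guest-lan enable 1

! Step 5 / verification, on both controllers
show guest-lan summary
show guest-lan 1
debug mobility handoff enable
```

Note that on the anchor no ingress interface is set at all, and that the guest LAN is enabled only after the anchor entry exists; some releases refuse anchor changes on an enabled guest LAN.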

Keep in mind that all values will actually come from DMZWLC: IP addresses, VLAN values, etc. You configure the WLC1 side identically just so that it relays the request to DMZWLC...
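Because the tunnel breaks on any difference between the two ends (step 5), it is worth checking the two Guest LAN configurations against each other before opening debug mobility. The script below is an added example, not code from the original post: it parses the "key........ value" style output of show guest-lan from each controller and reports every field that differs, skipping the few fields that are expected to differ between the foreign and the anchor (the egress interface, the ingress interface, and the client count). The two outputs embedded here are constructed and abbreviated for the example; real show guest-lan output has more fields, and the field names may differ slightly between AireOS releases.

```python
"""Compare the Guest LAN settings of a foreign (WLC1) and an anchor (DMZWLC) controller.

Paste the output of `show guest-lan <id>` from each controller into the two
strings (or read them from files) and run the script. Fields that legitimately
differ between the two ends of the anchor tunnel are ignored; every other
difference is reported, since the anchor will refuse the handoff.
"""
import re

# Fields that are supposed to differ between the foreign and the anchor.
EXPECTED_TO_DIFFER = {
    "Interface",                 # egress: management on WLC1, DMZ VLAN on DMZWLC
    "Ingress Interface",         # configured on WLC1 only; "None" on the anchor
    "Number of Active Clients",  # operational counter, not configuration
}

# Constructed sample output (abbreviated) from the foreign controller, WLC1.
FOREIGN = """\
Guest LAN Identifier........................ 1
Profile Name................................ WiredGuest
Network Name (SSID)......................... WiredGuest
Status...................................... Enabled
AAA Policy Override......................... Enabled
Number of Active Clients.................... 3
Session Timeout............................. 1800 seconds
Interface................................... management
Ingress Interface........................... vlan50
DHCP Address Assignment Required............ Disabled
Quality of Service.......................... Silver (best effort)
Web Based Authentication.................... Enabled
"""

# Constructed sample output (abbreviated) from the anchor controller, DMZWLC.
# "Allow AAA Override" was left unchecked here: the one real mismatch.
ANCHOR = """\
Guest LAN Identifier........................ 1
Profile Name................................ WiredGuest
Network Name (SSID)......................... WiredGuest
Status...................................... Enabled
AAA Policy Override......................... Disabled
Number of Active Clients.................... 0
Session Timeout............................. 1800 seconds
Interface................................... vlan9
Ingress Interface........................... None
DHCP Address Assignment Required............ Disabled
Quality of Service.......................... Silver (best effort)
Web Based Authentication.................... Enabled
"""

# "<name>.....<value>": the name is everything before the run of dots.
LINE_RE = re.compile(r"^\s*(.+?)\.{2,}\s*(.*?)\s*$")


def parse_show_guest_lan(text):
    """Return {field name: value} for every dotted line in show guest-lan output."""
    settings = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            settings[match.group(1).strip()] = match.group(2).strip()
    return settings


def compare_guest_lan(foreign_text, anchor_text):
    """Return {field: (foreign value, anchor value)} for fields that must match but do not.

    A field present on only one side is reported with None for the other side.
    """
    foreign = parse_show_guest_lan(foreign_text)
    anchor = parse_show_guest_lan(anchor_text)
    mismatches = {}
    for field in sorted(set(foreign) | set(anchor)):
        if field in EXPECTED_TO_DIFFER:
            continue
        if foreign.get(field) != anchor.get(field):
            mismatches[field] = (foreign.get(field), anchor.get(field))
    return mismatches


if __name__ == "__main__":
    diffs = compare_guest_lan(FOREIGN, ANCHOR)
    if not diffs:
        print("Guest LAN settings match on both ends.")
    for field, (f_val, a_val) in diffs.items():
        print(f"MISMATCH {field}: foreign={f_val!r} anchor={a_val!r}")
```

Run against the constructed samples it reports the single AAA Policy Override mismatch and nothing else, even though the egress and ingress interfaces differ as they should. Mobility anchor list lines (an IP address per line, no run of dots) do not match the pattern and are ignored.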
Give it a try, and post here if it does not work.. :-)


  1. Hi Jerome,

    You mentioned "The General tab offers 2 drop down list: one "Ingress" and one "Egress". "

    I am running WLC version I do not find those options to select the ingress or egress interface.

    Any suggestions will be helpful.


  2. I apologize, I forgot to select Guest LAN as the WLAN type. Then I was able to view the options.

  3. Hi Jerome,

    Is it possible to allow an NGS sponsor to set up wired guests themselves? I assume they need to configure the switchport and assign the wired guest VLAN, etc.

  4. Hi Jerome,

    I have several questions... :)

    I have 2 WLCs that are in a Mobility Group.

    1. Must I configure an Anchor for Wired Guest Access to work, or can I leave it just with the Mobility Group?
    2. Is it possible to have this Guest LAN behind a firewall, an FWSM in my case, and to terminate it as an L3 interface on the FWSM?
    3. If the answer to the 2nd question is yes, should the interface used for the egress traffic be on the FWSM or on the 6500 series as an L3 interface?

    NOTE: I am using a local DHCP on the WLC for the Wired Guest Access users.

    Thanks in advance :)

    Best regards,

  5. Jerome,

    Could you elaborate on why they better not be on the same mobility group?

  6. Well.... this is the common recommendation. It is probably a bit obsolete. The original reason was that you wanted to avoid at all costs the case where there would be roaming from the main controllers to the anchor controller. The anchor controller would be in the DMZ, with no AP attached. But today, you can roam between mobility groups, so setting a different mobility group will probably not avoid anything... the recommendation is still present in the lab, as a reminder that the anchor controller is isolated, and not "just one of your controllers"...

  7. Many thanks for this very helpful article, which explains wired guest far more clearly than the Cisco documentation. I found it very helpful in troubleshooting some problems we were having, which were due to minor differences in the config between the two WLCs. Now fixed.



  8. Great article. But what about scalability? Cisco states that there is a max of 5 Guest LANs, how can I implement this Wired Guest Access on more than 5 sites (with only one DMZ Controller) when each site is supposed to have a unique subnet for its Guest Access?

    1. Not sure if you are still reading this, since this comment is over 6 months old; but if you have more than 5 sites it shouldn't matter. That limitation is for the number of Guest WLANs that you can configure. As long as the egress interface used on the DMZ controller is in a subnet that is large enough to support all your wired guest users across all your remote sites, then no matter what site they are at, they will get an address in that subnet. You really only need 1 Guest LAN for all of your wired guest users. Remember, they are layer 2 adjacent to the internal controller, which then tunnels them (still at layer 2 from the client perspective) up to the DMZ controller, where they are then switched out into the DMZ to be routed out to wherever they need to go. The end client's IP resides in the DMZ and not at the site that they are plugging into.

  9. I am really enjoying reading your well written articles. It looks like you spend a lot of effort and time on your blog. I have bookmarked it and I am looking forward to reading new articles. Thanks for sharing. Keep up the good work.


  10. hey Jerome,
    how does the anchor controller know which WLAN to "anchor" the traffic to? I have several WLANs with the same SSID; the difference is in the profile names and in the rate limiting. The strange situation is that every user hits the WLAN with the lowest WLAN ID (it looks like the profile name is not checked, only the SSID). Have you experienced something like this?

  11. Is it really required to have an anchor WLC? Can we achieve wired guest on 2 WLCs in an HA setup on the LAN? How do we set this up for remote offices, which are connected via L3 MPLS, to use wired guest?

  12. The content on your web site never confuses me. Keep it up!!