View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

WL0033 - WLC Mobility Anchor (Part 2)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
Video Download: 
Title: WL0033 - Video Download $17.00
Purchase WL0033 - Video Download $17.00
The video demonstrates the concept of Mobility Anchor for guest users on Cisco Wireless LAN Controller. We will extend our knowledge of mobility tunnel, foreign and anchor controllers, from the last video to securely segregate guest traffic into DMZ. The second half of the video shows you how to configure Cisco ISE to operate with the anchor WLC in the DMZ to provide guest login portal without allowing guest traffic into internal network.
Part 2 of this video covers configuration of ISE to provide guest portal in DMZ
  • Guest Anchor Controller
  • Foreign Controller
  • Mobility Domain, Tunnel, Member
  • Sponsored, Hotspot, Wired Guest
  • Identity Services Engine (ISE)
  • Guest DMZ

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.



Thank wou very much for your video, that's really interesting.
I have a question regarding the flow, on your design, the ISE and DNS server have a link in the DMZ, then what's the flow regarding the client ?
For me it's:
- The client connects to the AP
- The client request a IP from the DHCP server which is in the DMZ
- Then the foreign WLC will request the URL to the ISE in the DMZ ? and the foreign WLC will send the URL to the client
- Then a mobility tunnel is created between the foreign and anchor WLC, and the client can go out on the internet

Is that ok ? Or am I totally wrong ?
I have difficulties to understand at which step the client is going out to the internet

Thanks by advance for your answer,

You are on the right track. All client traffics are dropped into the DMZ. After client has passed authentication with ISE, anchor WLC will allow client to go to internet.

Good, thank you !

If I understand well, when using Layer 2 security (Like 802.1x or MAB with an ISE), the foreign WLC handles all the radius exchanges with the DMZ's ISE
When using Layer 3 security (Web authentication), the Anchor does all the radius exchanges with the radius server ?
What about the DHCP process ? For layer 2 or layer 3 security, is it always the foreign who does the DHCP requests ? Or the Anchor ?


First of all, do not get WLC L3 security confused with ISE CWA and the two does not really have anything to do with one another. Here we only enable L2 MAC filter to get URL redirect from ISE. Initial RADIUS is handled by the foreign WLC and whether the request goes to internal or DMZ ISE depends on if you have dedicated ISE in DMZ. Here we also uses internal ISE in DMZ so the request went to internal ISE, while the URL redirect when to the ISE interface in the DMZ. Anchor WLC does not really take part in this other than dropping traffic in DMZ.

For DHCP, assuming you have DHCP proxy disabled, which you should, it is being served by whatever DHCP server you put in the DMZ.

At the end of this video, you found that DNS is not working correctly, so you hard coded the DNS on client side. It could be you mis-configured ACL on WLC2, check on 18:12, the 1st entry in ACL is TCP, DNS. It might be the cause of DNS failure.

BTW, your lab recordings are amazing, keep it up.

Nice catch... Anything could happen in live lab.. :-) 

Lab Minutes Classifieds