29 December 2012
Wired Guest on WLC, Ingress/Egress?
I was going through my studies for the CCIE Wireless, in particular Wired Guest on the WLC. I have heard of this feature and read about it many times, but never had to configure it before. I thought I'd lab it out so I can get my head around it. I followed the Cisco configuration guide from http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70users.html#wp1066125
Most of it was straightforward but the one thing I find very confusing is the Ingress and Egress interface.
The figure below shows the Ingress and Egress configuration.
So what is the difference? What is required to be configured? It depends on whether you are configuring wired guest on a single WLC or on two WLCs, with foreign and anchor WLCs.
Single WLC
Ingress Interface: The L2 VLAN that the wired guest user computer is connected to. This VLAN is configured on the Ingress Interface and the switch port.
Egress Interface: The L3 Dynamic Interface VLAN that the guest user is placed into after L3 authentication (usually web auth). The guest user will be in this subnet and gets a DHCP address from it.
Two WLC
Foreign WLC
Ingress Interface: Similar to Single WLC Ingress Interface above. This is where the guest user starts and comes in.
Egress Interface: Technically, this does not need to be configured. As the foreign WLC will create an EOIP tunnel to the anchor WLC, this interface should never be used. To test it out, I configured it on the management interface, and it worked. I then tried configuring this to an interface that goes nowhere, and wired guest still worked.
Anchor WLC
Ingress Interface: This is not required and cannot be configured. On the Anchor WLC, you do not need to create the Guest LAN interface, so nothing should appear here and it should default to none. This is because the Anchor receives the guest VLAN from the Foreign WLC through the EOIP tunnel.
Egress Interface: Similar to Single WLC Egress Interface. This is where the guest user ends up after successful L3 authentication.
The following are some screenshots of the configuration with two WLCs.
Creating the Guest LAN interface on the foreign WLC.
Configuring the wired guest "WLAN" on the foreign WLC. The Ingress interface is set to "99", the interface created above, and the Egress interface is set to management; it doesn't really matter what is configured here, as EOIP will be used.
The figure below shows the wired guest client on the anchor WLC. Notice the mobility role of "Export Anchor".
Configuring the wired guest "WLAN" on the anchor WLC. As mentioned above, the Ingress interface can't be configured and is left at none, as EOIP will be used. The Egress interface is set to the VLAN where the guest user will be placed after successful L3 authentication.
The figure below shows the wired guest client on the foreign WLC. Notice the mobility role of "Export Foreign".