Is a WLAN guest anchor solution with additional wlan controller in DMZ possible??? (Competitor = Cisco!!!)

  • Question
  • Updated 1 year ago
  • Answered
Customer needs: Virtualize Management and AC (formerly Netsight and NAC) and WLAN.
A must-have: guest traffic must not break out in the virtual "management" environment where Netsight, NAC and WLAN reside (should reside in future).
The "bridge building" competitor (Cisco) solves this with a so-called "guest anchor" in the DMZ, which is an additional WLAN controller.
-> The guest SSID is more or less bridged at the "guest anchor" controller in the DMZ.
L2 security -> A separate VLAN from the "virtual management environment" to the DMZ is (as far as I know) no option for the customer.
From the technical point of view I do have a different opinion - however
Does anybody have an idea how to resolve this requirement?
Maybe within a special mobility setting?
Many Thanks in advance
Regards
Christian Zottl
(Axians)
Christian Zottl

Posted 2 years ago

Christian Zottl

Hello Guys,
I got a reply by Extreme that this can be done if the wireless controller is hardware.
Thanks to Extreme Partner Support!!
Regards
Christian
Yacobucci, Ryan, Multi-Tier Technical Support Engineer

Hello Christian,

The EWC has the ability to deploy "B@HWC" topologies, which is a topology where all client traffic is tunneled through the network and is bridged at the EWC's physical port. This sounds like what you're looking for.

Also, you can break registration out to the additional NIC on the NAC if you want the guest captive portal to exist inside the DMZ as well. The NAC can perform registration functions on a separate NIC from management that can have a different network assignment.

Thanks
-Ryan
Christian Zottl

Hello Ryan,
thanks for your reply. I am aware of the things you are mentioning - and from a technical aspect this is what the customer needs and more or less is already installed (by myself :-) ) and I have also recommended to still use it - like the last 5 years ...
But somebody has shown the customer the solution provided by Cisco, which is very similar regarding the functionality - and I do think this additional controller is not necessary - however, somebody is trying to replace the loved WLAN solution by Chantry/Siemens [greeting to Ronald Dvorak] /Enterasys/Extreme.
Some people are pointing at: with Cisco the packet bridges out in the "DMZ" and not at the controller which is placed in the management environment - this is not allowed... (I am not supposed to comment on this in more detail...),
which would be quite the same if using a separate interface of the controller exclusively for guest access.
Many thanks to you Ryan
Regards
Christian
Ronald Dvorak, Embassador

The feature was released with 7.31 and was/is called centralized mobility / remotable VNS.

Clients from all APs/controllers on a remotable SSID in the mobility zone are terminated on the controller with the remotes service checkmark set to "remotable".
Christian Zottl

Hello Ron,

before opening this topic I was thinking about giving you a phone call ...
If somebody knows this WLAN system, it is you.
Once again many thanks for your perfect training in 2008 :-) I can still remember

This is the solution I was looking for.

Thank you
Regards
Christian
Ostrovsky, Yury, Employee

As I understand, it does not need to be a hardware controller. The V2110 will work fine for that solution as well - as far as you can bring DMZ to the data centre.
Christian Zottl

Also thanks for your reply
SH

Hello all,

Has anyone ever made a configuration with Extreme like the Cisco Anchor solution for guests?

If yes how?

Best regards.
Stephan
Ronald Dvorak, Embassador

Hey Stephan,

...no, but I'd tell you how to configure it :-)

I'll PM you the steps...

Greetings,
Ron
Christian Zottl

If our customer does not buy the "bridge building" WLAN solution (competitor Cisco), I will install this solution and can report to you. But I am sure this will not happen before April 2017 ...
Regards
Christian
SH

Hello,

now I have a running anchor solution with EWCs and it works fine.

The setup is quite easy. For example, if you have one wireless controller in the DMZ and one in the productive LAN (if you have two in both places, enable availability and sync for the same result), you have to do the following steps:

  1. Bring your controllers into one mobility group.
  2. Create a complete VNS (as usual) on the Anchor-Controller in the DMZ with a B@EWC or routed topology.
  3. In the Advanced Options on the WLAN Service select "Remotable".
  4. Now you create a WLAN Service (not a whole VNS!) on the controller in the productive LAN. For this, select "Remote" as Service Type and select the SSID created on the Anchor (automatically created by the mobility feature).
  5. Create a Virtual Network for the new WLAN Service and a suitable Role (e.g. Access Control allow).

That's all. Now you have an SSID on the APs in the productive LAN which is tunneled to the Anchor-Controller.

In this case you will have no APs on the Anchor, only in the productive LAN. So you need no additional licenses on the Anchor EWC.

Please be aware Anchor Controller is only a Cisco wording. We call this Feature "Centralized Mobility".

Regards

Stephan

M.Nees, Embassador

Great job - hopefully there are more other users outside who use this ...

Regards,
Matthias