In an Auto-Anchor mobility solution, one objective is to assign guest users to a single IP subnet irrespective of their entry point to the network.
But if you have a large corporate environment with multiple locations and you want to allocate guest users to different IP subnets (for management and reporting purposes) within this Auto-Anchor deployment model, how do you do this?
On the Anchor Controller you can configure a feature called “Foreign Mapping” under the WLAN to facilitate this. This feature was introduced in WLC software release 7.0.116.0.
Here is my topology to test this. We will map two different foreign controllers (WLC2 & WLC3) to different interfaces on the Anchor Controller (WLC1) for guest users.
Before mapping the foreign controllers' MAC addresses to interfaces, you should get a list of all controllers in your mobility list. The “show mobility summary” command gives the required output. You need to ensure both WLC2 & WLC3 are configured for auto-anchor mobility (please refer to the Auto-Anchor Mobility post for this) before you start configuring this feature.
(WLC1) >show mobility summary
Symmetric Mobility Tunneling (current) .......... Enabled
Symmetric Mobility Tunneling (after reboot) ..... Enabled
Mobility Protocol Port........................... 16666
Default Mobility Domain.......................... mrn-cciew
Multicast Mode .................................. Enabled
Mobility Domain ID for 802.11r................... 0x4ccd
Mobility Keepalive Interval...................... 10
Mobility Keepalive Count......................... 3
Mobility Group Members Configured................ 3
Mobility Control Message DSCP Value.............. 0
Controllers configured in the Mobility Group
MAC Address        IP Address      Group Name   Multicast IP     Status
00:0b:85:40:a1:c0  10.10.112.10    mrn-cciew    239.239.239.239  Up
00:0b:85:43:d8:60  10.10.111.10    mrn-cciew    239.239.239.239  Up
00:1b:d5:cf:e6:00  10.10.120.140   mrn-ccie     0.0.0.0          Up
Now if you click foreign mapping on the guest WLAN on WLC1, you will see a page like this.
Now you need to map the WLC2 MAC address onto the vlan 12 interface and the WLC3 MAC address onto the vlan 13 interface by selecting the required foreign WLC MAC and interface name, then clicking “Add Mapping”. See the screen capture below.
You can do this via CLI as well. Here are the CLI commands required for this.
config wlan mobility foreign-map add 4 00:0b:85:40:a1:c0 vlan12
config wlan mobility foreign-map add 4 00:1b:d5:cf:e6:00 vlan13
Now you can verify that guest users at these two locations get IP addresses from those two different subnets. I have two connections to the guest wireless network at these two locations.
(WLC1) >show client summary
Number of Clients................................ 2
MAC Address AP Name Status WLAN/GLAN Auth Protocol Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:22:fa:94:68:58 10.10.120.140 Associated 4 Yes Mobile 1 No
04:f7:e4:ea:5b:66 10.10.112.10 Associated 4 Yes Mobile 1 No
You can check individual client details with the “show client detail <client_mac_address>” command. Here is the output for the above two clients.
Here is the WLC2 (in Head Office) associated client detail.
(WLC1) >show client detail 00:22:fa:94:68:58
Client MAC Address............................... 00:22:fa:94:68:58
Client Username ................................. user1
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 410 secs
Channel.......................................... N/A
IP Address....................................... 10.10.13.12
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan13
VLAN............................................. 13
Here is the WLC3 (in Branch) associated client detail.
(WLC1) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. user1
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 2456 secs
Channel.......................................... N/A
IP Address....................................... 10.10.12.51
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. 3
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ vlan12
VLAN............................................. 12
Quarantine VLAN.................................. 0
Access VLAN...................................... 12
If you look at these client details on the foreign controller, you will see output like this. Note that the client IP and user information are not available to this WLC, as client traffic is tunneled back to the anchor controller.
(WLC2) >show client detail 04:f7:e4:ea:5b:66
Client MAC Address............................... 04:f7:e4:ea:5b:66
Client Username ................................. N/A
AP MAC Address................................... 64:a0:e7:af:47:40
AP Name.......................................... LWAP-03
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 64:a0:e7:af:47:4c
Connected For ................................... 1251 secs
Channel.......................................... 40
IP Address....................................... Unknown
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Silver
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.10.111.10
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ management
VLAN............................................. 112
Quarantine VLAN.................................. 0
Access VLAN...................................... 112
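The per-client check on the anchor can be scripted. This is an added example, not part of the original post or any Cisco tooling: it parses the member rows of “show mobility summary” and trimmed “show client detail” text, then reports whether each anchored guest sits on the interface its foreign controller is mapped to. The function names, the trimmed client text and the mismatching third client are constructed for illustration.

```python
import re

# Foreign-map entries as configured on the anchor with the CLI commands above.
FOREIGN_MAP = {"00:0b:85:40:a1:c0": "vlan12", "00:1b:d5:cf:e6:00": "vlan13"}

# Member rows copied from the "show mobility summary" output on this page.
MOBILITY_SUMMARY = """\
00:0b:85:40:a1:c0 10.10.112.10 mrn-cciew 239.239.239.239 Up
00:0b:85:43:d8:60 10.10.111.10 mrn-cciew 239.239.239.239 Up
00:1b:d5:cf:e6:00 10.10.120.140 mrn-ccie 0.0.0.0 Up
"""

def client(mac, foreign_ip, interface):
    """Build trimmed "show client detail" text (constructed sample input)."""
    return (f"Client MAC Address............................... {mac}\n"
            f"Mobility State................................... Export Anchor\n"
            f"Mobility Foreign IP Address...................... {foreign_ip}\n"
            f"Interface........................................ {interface}\n")

def parse_members(summary):
    """Map mobility member IP -> MAC from the member rows."""
    row = re.compile(r"^((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+(?:\.\d+){3})\s",
                     re.I | re.M)
    return {ip: mac.lower() for mac, ip in row.findall(summary)}

def parse_detail(text):
    """Split 'Field........ value' lines into a dict (value may be empty)."""
    pairs = re.findall(r"^(.+?)[ \t]*\.{2,}[ \t]*(.*)$", text, re.M)
    return {key.strip(): value.strip() for key, value in pairs}

def check_client(detail_text, members, foreign_map):
    """Return (client_mac, expected_interface, actual_interface, verdict)."""
    d = parse_detail(detail_text)
    foreign_mac = members.get(d.get("Mobility Foreign IP Address"))
    expected = foreign_map.get(foreign_mac)
    actual = d.get("Interface")
    if expected is None:
        verdict = "unmapped"   # no foreign-map entry for this controller
    else:
        verdict = "ok" if actual == expected else "mismatch"
    return d.get("Client MAC Address"), expected, actual, verdict

if __name__ == "__main__":
    members = parse_members(MOBILITY_SUMMARY)
    samples = [client("00:22:fa:94:68:58", "10.10.120.140", "vlan13"),
               client("04:f7:e4:ea:5b:66", "10.10.112.10", "vlan12"),
               client("aa:bb:cc:00:00:01", "10.10.112.10", "vlan13")]  # constructed
    for sample in samples:
        print(check_client(sample, members, FOREIGN_MAP))
```

A "mismatch" verdict means a guest from a mapped foreign controller landed on a different interface than the mapping specifies, which is worth investigating before relying on per-site subnets for reporting or filtering.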
As you can see, this feature is very useful in a guest wireless environment. If needed, you can pool multiple subnets using the interface group (or VLAN select) feature to support a large guest user population at a single location. In that case you map the interface group on the anchor controller to the foreign controller.
Related Post
1. Wireless Mobility Basics
2. Configuring Mobility on WLC
3. L2-Inter Controller Roaming
4. L3-Inter Controller Roaming
5. WLC – Web Authentication
6. Configuring Auto Anchor
7. Mobility Ping Tests
8. Configuring Wired Guest
9. Static IP Clients Mobility
Thank you so much for this post, I think I might get addicted to your blog 🙂
As long as my blog helps you to understand something in wireless, it is a good addiction…
thanks for the feedback
Can you please clarify one thing. In this configuration example what is the interface of the guest wlan on the anchor controller, or it should be an interface group?
Thank you in advance
By default guest wlan on anchor controller could be on any interface available on it (vlan 12,13 or any other).
What this feature does in this topology is, if a guest is coming via WLC2 then they will map to vlan 12 & if a guest is coming from WLC3 they will map to vlan 13. No interface group is required on the anchor controller.
If your environment is big, so even for WLC2 guests you can have multiple vlan assigned on anchor, then you can create multiple interface groups (ie one interface group per foreign WLC) & map interface group name instead of interface name.
HTH
Rasika
Good day,
This is a really good post. Helping me to understand mobility anchors.
I have a current design where we have 2 WLCs in HA SSO. We have a large environment so we have different AP groups. We are mapping different VLANs to the different AP groups to 1 Guest WLAN.
We are using one mobility Anchor for the Guest WLAN.
Is it that we do multiple interfaces on the internal WLCs to map to the AP groups and then create an Interface group on the anchor WLC for all the interfaces
OR
Use one interface on the internal WLC and then create the interface group on the anchor wlc for the different interfaces and assign it to the WLAN
I have done some more reading and I believe this is what needs to be done:
Internal WLC configs:
1. Configure WLAN for guest and leave it as default mgmt interface.
2. Per AP group, assign the WLAN to the same mgmt interface.
Anchor WLC configs
1. Configure the different guest interfaces on the anchor controller
2. Add them to an interface group
3. Apply the interface group to the Guest WLAN configured on the Anchor controller
Let me know if this makes any sense.
Hi Davion,
The Foreign Mapping feature is useful when you have multiple foreign WLCs (or internal WLCs). From what I understand you have only one foreign WLC (HA pair), so in that case it does not make sense to use the “Foreign Mapping” feature.
In general guest deployment, see below answers to your queries.
1. Configure WLAN for guest and leave it as default mgmt interface.
2. Per AP group, assign the WLAN to the same mgmt interface.
For these internal WLCs, it is recommended to create a dummy interface rather than using Mgmt (i.e., you can define it as a VLAN interface on the WLC, but with no L2 VLAN defined on your switch infrastructure).
Please correct me if I haven’t understood your query correctly.
Regards
Rasika
Hi Rasika,
I have 2 questions:
1) Before enabling foreign mapping, you mentioned that I should have made the auto anchor first. While doing the auto anchor, I’ll be already defining 2 different WLANs on the Anchor WLC (one per foreign), right? If so, each WLAN has its own output dynamic interface. So, what is the need for foreign mapping? OOOOR, there is only 1 WLAN on the Anchor? If yes, why not configure 2 WLANs?
2) What if I have a single foreign (or even multiple) and I define a different guest WLAN per AP group? So, I have multiple guest WLANs? In this case, I’ll be having multiple Guest WLANs on the Anchor, right?
3) What if the Guest WLAN is an interface group? The Interface Group should be defined only on the Anchor and can be management on the foreign, right?
Sorry for making it long 🙂
One more question, for your setup, you assumed that auto-anchor is already done. But, when doing so, on the anchor, I have only 1 SSID for guest, right? Which interface should it be assigned to (VL12 or VL13) or Mgmt (since the mapping is done on the foreign mapping page)?