Just as we configured guest access for wireless users, the same feature can be extended to wired guest users through WLC configuration. In this post we will see how to configure this Wired Guest Access service.
Two separate solutions are available for this:
- A single WLAN controller (VLAN Translation mode) – the access switch trunks the wired guest traffic in the guest VLAN to the WLC that provides the wired guest access solution. This controller carries out the VLAN translation from the ingress wired guest VLAN to the egress VLAN.
- Two WLAN controllers (Auto Anchor mode) – the access switch trunks the wired guest traffic to a local WLC (the controller nearest to the access switch). This local WLC anchors the client onto a DMZ Anchor WLC that is configured for wired and wireless guest access. After a successful handoff of the client to the DMZ anchor controller, the DHCP IP address assignment, authentication of the client, etc. are handled in the DMZ WLC. After it completes the authentication, the client is allowed to send/receive.
Ideally your Mobility Anchor WLC will be in the DMZ and the foreign WLCs will be inside your network. Therefore, VLANs defined on your inside network do not span into the DMZ.
To test this out (scenario 2), I have used the topology below. To simulate VLAN isolation between the Anchor and foreign WLCs, I have created an isolated layer 2 VLAN (VLAN 18, named WIRED-GUEST) on CAT3 which is not allowed to CAT2 via the trunk link. The layer 3 interface for this VLAN is defined on CAT2, but there is no layer 2 connectivity on this VLAN between CAT2 and CAT3. (In a practical deployment scenario you do not require this.)
The CAT3 switch configuration should look like this.
vlan 18
name WIRED-GUEST
interface Port-channel1
switchport trunk allowed vlan 10-18,112
interface FastEthernet0/1
description WIRED-GUEST
switchport access vlan 18
switchport mode access
switchport nonegotiate
!
interface FastEthernet0/20
description Cat2
switchport trunk native vlan 999
switchport trunk allowed vlan 1-17,19-4094
switchport mode trunk
On CAT2:
interface Vlan18
description WIRED-GUEST-SVI
ip address 10.10.18.1 255.255.255.0
ip helper-address 192.168.200.1
!
interface GigabitEthernet1/0/1
description WLC1
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan 10-18,23,111,113
switchport mode trunk
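The isolation described above depends on which ports actually carry VLAN 18. The following is an added example, not part of the original post: a Python audit that parses IOS switchport lines and lists every port carrying the guest VLAN. The function names are hypothetical and the sample input is the CAT3 and CAT2 configuration from this post.

```python
import re

ALL_VLANS = set(range(1, 4095))

# Constructed sample input: the CAT3 and CAT2 snippets from this post.
CAT3 = """\
vlan 18
 name WIRED-GUEST
interface Port-channel1
 switchport trunk allowed vlan 10-18,112
interface FastEthernet0/1
 description WIRED-GUEST
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
!
interface FastEthernet0/20
 description Cat2
 switchport trunk native vlan 999
 switchport trunk allowed vlan 1-17,19-4094
 switchport mode trunk
"""
CAT2 = """\
interface Vlan18
 description WIRED-GUEST-SVI
 ip address 10.10.18.1 255.255.255.0
 ip helper-address 192.168.200.1
!
interface GigabitEthernet1/0/1
 description WLC1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10-18,23,111,113
 switchport mode trunk
"""


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10-18,112' into a set of VLAN IDs."""
    spec = spec.strip().lower()
    if spec == "all":
        return set(ALL_VLANS)
    if spec == "none":
        return set()
    vlans = set()
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_switchports(config):
    """Collect switchport mode, allowed list and access VLAN per interface."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(\S+)$", line):
            current = ports.setdefault(m.group(1), {
                "mode": None, "trunk_cfg": False, "allowed": None, "access": None})
        elif line == "!":
            current = None          # "!" closes the interface stanza
        elif current is None:
            continue                # global lines such as "vlan 18"
        elif m := re.match(r"switchport trunk allowed vlan (?:(add|remove) )?(\S+)$", line):
            op, vlans = m.group(1), expand_vlans(m.group(2))
            # With no earlier list, a trunk allows every VLAN (IOS default).
            base = ALL_VLANS if current["allowed"] is None else current["allowed"]
            current["allowed"] = {"add": base | vlans, "remove": base - vlans}.get(op, vlans)
            current["trunk_cfg"] = True
        elif m := re.match(r"switchport mode (trunk|access)$", line):
            current["mode"] = m.group(1)
        elif line.startswith("switchport trunk"):
            current["trunk_cfg"] = True
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            current["access"] = int(m.group(1))
    return ports


def ports_carrying(config, vlan):
    """Map each interface that carries `vlan` to 'trunk' or 'access'."""
    carrying = {}
    for name, p in parse_switchports(config).items():
        # Abbreviated configs may omit "switchport mode"; infer it from the rest.
        mode = p["mode"] or ("trunk" if p["trunk_cfg"] else "access" if p["access"] else None)
        if mode == "trunk":
            allowed = ALL_VLANS if p["allowed"] is None else p["allowed"]
            if vlan in allowed:
                carrying[name] = "trunk"
        elif mode == "access" and (p["access"] or 1) == vlan:
            carrying[name] = "access"
    return carrying


def unexpected_ports(config, vlan, expected):
    """Ports carrying the guest VLAN that are not on the expected list."""
    return sorted(set(ports_carrying(config, vlan)) - set(expected))
```

On CAT3 only the guest access port and Port-channel1 carry VLAN 18, while the trunk to CAT2 (FastEthernet0/20) does not, which is the isolation this lab relies on.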
Now on WLC2, you can first define a “wired-guest” interface. Ensure you tick the “Guest LAN” option as shown below.
Then you need to create a WLAN to support these wired guest users. The type should be “Guest LAN” in this scenario. You can define 5 different Guest LANs on your controller, and therefore the ID number should be between 1 and 5.
In the WLAN edit page you have to select the “wired-guest” interface you created as the ingress interface and any other interface as egress (usually keep management as the egress interface). L3 Authentication can be Web-Auth, Pass through or None. In my example I kept it as WebAuth. Since I have configured my users on ACS, I have added it as the AAA server.
Then ensure the Anchor Controller is added to the mobility list.
Then you need to configure the “wired-guest” WLAN for the mobility anchor as shown below.
Now you have to configure the Anchor Controller (WLC1). On WLC1 you have to create the same Guest LAN (wired-guest) and map it to a dynamic interface where clients can obtain IP addresses through a DHCP server. So the first step is to create the dynamic interface on WLC1.
Once you create an interface, you can define a WLAN for it (Guest LAN type) as shown below. This WLAN should have identical settings to the WLAN defined on the foreign WLC (WLC2 in my example) other than the dynamic interface mapped to it.
Map the interface you created as the “egress interface” and keep the ingress interface as none. Ensure the same layer 3 security and other settings are configured as on the WLAN you created on WLC2.
Until you configure the Mobility Anchor for this WLAN you cannot enable it, as it gives an error stating “ingress interface cannot be none”. Therefore you have to configure the Mobility Anchor before enabling this WLAN. Since this is the anchor WLC, we have to anchor this WLAN to the same IP.
Then you can enable this WLAN on your anchor controller as shown below.
Now it is ready to test. As with Wireless Guest Access, once you get an IP address and try to browse the internet, you will be redirected to a portal where you can enter the username and password. Once that succeeds, you can browse the internet.
If you look at the client association on WLC1 you will see something like this. Note that the protocol shown as 802.3(Mobile) indicates that it is a wired anchored client.
Here is the detail of the client connectivity. Note that the user details and IP information are available at the Export Anchor WLC.
Here is the information available at the Export Foreign WLC. Note that no IP information or user details are available to WLC2.
Here is “debug client <mac_address>” command output on WLC1 (Export Anchor)
(WLC1) >debug client 00:1f:16:18:df:ec (WLC1) >*mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec Adding mobile on Remote AP 00:00:00:00:00:00(0) *mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'WLC-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621) *mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621) *mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy *mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2) *mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4) *mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7) *mmListen: Mar 26 18:25:42.720: 00:1f:16:18:df:ec Resetting web acl from 255 to 255 *mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 53) *mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED *mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7) *mmListen: Mar 26 18:25:42.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule *mmListen: Jan 24 07:52:06.721: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule type = Airespace AP - Learn IP address on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0 ACL Id = 255, Jumbo Fr *mmListen: Mar 26 18:25:42.722: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 
802.1P = 3, DSCP = 0, TokenID = 5006 IPv6 Vlan = 18, IPv6 intf id = 16 *mmListen: Mar 26 18:25:42.722: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255) *pemReceiveTask: Mar 26 18:25:42.723: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role *pemReceiveTask: Mar 26 18:25:42.726: 00:1f:16:18:df:ec 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4 *pemReceiveTask: Mar 26 18:25:42.726: 00:1f:16:18:df:ec Sent an XID frame *apfReceiveTask: Mar 26 18:25:45.312: 00:1f:16:18:df:ec apfMmProcessCloseResponse (apf_mm.c:485) Expiring Mobile! *apfReceiveTask: Mar 26 18:25:45.313: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [00:00:00:00:00:00] *apfReceiveTask: Mar 26 18:25:45.313: 00:1f:16:18:df:ec apfMsAssoStateDec *apfReceiveTask: Mar 26 18:25:45.313: 00:1f:16:18:df:ec Deleting mobile on AP 00:00:00:00:00:00(0) *pemReceiveTask: Mar 26 18:25:45.315: 00:1f:16:18:df:ec 0.0.0.0 Removed NPU entry. *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec Adding mobile on Remote AP 00:00:00:00:00:00(0) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'WLC-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec Resetting web acl from 255 to 255 *mmListen: Mar 26 
18:25:47.719: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 53) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7) *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4431, Adding TMP rule *mmListen: Jan 24 07:52:11.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule type = Airespace AP - Learn IP address on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0 ACL Id = 255, Jumbo Fr *mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 3, DSCP = 0, TokenID = 5006 IPv6 Vlan = 18, IPv6 intf id = 16 *mmListen: Mar 26 18:25:47.720: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255) *pemReceiveTask: Mar 26 18:25:47.720: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role *pemReceiveTask: Mar 26 18:25:47.724: 00:1f:16:18:df:ec 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4 *pemReceiveTask: Mar 26 18:25:47.724: 00:1f:16:18:df:ec Sent an XID frame *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.785: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05) *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.785: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings: dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0, dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0 VLAN: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.785: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1) *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP transmitting DHCP DISCOVER (1) *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 
00:1f:16:18:df:ec DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1 *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP xid: 0xde1705dd (3726050781), secs: 3584, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 10.10.18.10 *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP ARPing for 10.10.18.1 (SPA 10.10.18.10, vlanId 18) *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.786: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings: dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0, dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:25:54.787: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.791: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.791: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings: dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0, dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.791: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP transmitting DHCP DISCOVER (1) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP xid: 0xde1705dd (3726050781), secs: 7680, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP ciaddr: 0.0.0.0, yiaddr: 
0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 10.10.18.10 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 350, port 1, vlan 18) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings: dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0, dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.792: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.794: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.794: 00:1f:16:18:df:ec DHCP setting server from OFFER (server 192.168.200.1, yiaddr 10.10.18.100) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP transmitting DHCP OFFER (2) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP xid: 0xde1705dd (3726050781), secs: 0, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP ciaddr: 0.0.0.0, yiaddr: 10.10.18.100 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.795: 00:1f:16:18:df:ec DHCP server id: 1.1.1.1 rcvd server id: 192.168.200.1 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.796: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 318,vlan 111, port 1, encap 0xec05) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.796: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings: dhcpServer: 
192.168.200.1, dhcpNetmask: 0.0.0.0, dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.796: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP transmitting DHCP REQUEST (3) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP xid: 0xde1705dd (3726050781), secs: 7680, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP ciaddr: 0.0.0.0, yiaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 10.10.18.10 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP requested ip: 10.10.18.100 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP server id: 192.168.200.1 rcvd server id: 1.1.1.1 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 358, port 1, vlan 18) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings: dhcpServer: 192.168.200.1, dhcpNetmask: 0.0.0.0, dhcpGateway: 0.0.0.0, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.797: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.798: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.798: 00:1f:16:18:df:ec Static IP client associated to interface wired-guest which can support client subnet. 
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Adding Web RuleID 5 for mobile 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) pemAdvanceState2 5170, Adding TMP rule *DHCP Pr: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Replacing Fast Path rule type = Airespace AP Client - ACL passthru on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0 ACL Id = *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 3, DSCP = 0, TokenID = 5006 IPv6 Vlan = 18, IPv6 intf id = 16 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Successfully plumbed mobile rule (ACL ID 255) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Plumbing web-auth redirect rule due to user logout *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Assigning Address 10.10.18.100 to mobile *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec DHCP success event for client. Clearing dhcp failure count for interface wired-guest. 
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP transmitting DHCP ACK (5) *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP xid: 0xde1705dd (3726050781), secs: 0, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP ciaddr: 0.0.0.0, yiaddr: 10.10.18.100 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:10.806: 00:1f:16:18:df:ec DHCP server id: 1.1.1.1 rcvd server id: 192.168.200.1 *pemReceiveTask: Mar 26 18:26:10.806: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role *pemReceiveTask: Mar 26 18:26:10.809: 00:1f:16:18:df:ec 10.10.18.100 Added NPU entry of type 2, dtlFlags 0x4 *pemReceiveTask: Mar 26 18:26:10.812: 00:1f:16:18:df:ec Sent an XID frame *apfReceiveTask: Mar 26 18:26:10.891: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *apfReceiveTask: Mar 26 18:26:10.895: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *apfReceiveTask: Mar 26 18:26:10.895: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *apfReceiveTask: Mar 26 18:26:10.896: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *apfReceiveTask: Mar 26 18:26:10.905: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05) *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings: dhcpServer: 192.168.200.1, dhcpNetmask: 255.255.255.0, dhcpGateway: 10.10.18.1, dhcpRelay: 
10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1) *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP transmitting DHCP INFORM (8) *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP xid: 0x1f167da1 (521567649), secs: 0, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP ciaddr: 10.10.18.100, yiaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 10.10.18.10 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 350, port 1, vlan 18) *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.601: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings: dhcpServer: 192.168.200.1, dhcpNetmask: 255.255.255.0, dhcpGateway: 10.10.18.1, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00) *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346) *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP transmitting DHCP ACK (5) *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP xid: 0x1f167da1 (521567649), secs: 0, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec 
*DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP ciaddr: 10.10.18.100, yiaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:26:14.602: 00:1f:16:18:df:ec DHCP server id: 192.168.200.1 rcvd server id: 192.168.200.1 *apfReceiveTask: Mar 26 18:26:20.911: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *apfReceiveTask: Mar 26 18:26:20.913: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *apfReceiveTask: Mar 26 18:26:20.913: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 . *apfReceiveTask: Mar 26 18:28:01.164: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *apfReceiveTask: Mar 26 18:28:01.164: 00:1f:16:18:df:ec Orphan Packet from 10.10.18.100 *emWeb: Mar 26 18:28:07.630: 00:1f:16:18:df:ec Username entry (user2) created for mobile *emWeb: Mar 26 18:28:07.639: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14) *emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec apfMsRunStateInc *emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20) *emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec Session Timeout is 0 - not starting session timer for the mobile *emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Reached PLUMBFASTPATH: from line 5063 *emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Replacing Fast Path rule type = Airespace AP Client on AP 00:00:00:00:00:00, slot 0, interface = 1, QOS = 0 ACL Id = 255, Jumbo Frames = NO *emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Fast Path rule (contd...) 
802.1P = 3, DSCP = 0, TokenID = 5006 IPv6 Vlan = 18, IPv6 intf id = 16 *emWeb: Mar 26 18:28:07.645: 00:1f:16:18:df:ec 10.10.18.100 RUN (20) Successfully plumbed mobile rule (ACL ID 255) *pemReceiveTask: Mar 26 18:28:07.652: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Anchor role *pemReceiveTask: Mar 26 18:28:07.656: 00:1f:16:18:df:ec 10.10.18.100 Added NPU entry of type 1, dtlFlags 0x4 *pemReceiveTask: Mar 26 18:28:07.659: 00:1f:16:18:df:ec Sending a gratuitous ARP for 10.10.18.100, VLAN Id 28690 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP received op BOOTREQUEST (1) (len 308,vlan 111, port 1, encap 0xec05) *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP selecting relay 1 - control block settings: dhcpServer: 192.168.200.1, dhcpNetmask: 255.255.255.0, dhcpGateway: 10.10.18.1, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP selected relay 1 - 192.168.200.1 (local address 10.10.18.10, gateway 10.10.18.1, VLAN 18, port 1) *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.453: 00:1f:16:18:df:ec DHCP transmitting DHCP INFORM (8) *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP xid: 0x3a553a74 (978664052), secs: 0, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP ciaddr: 10.10.18.100, yiaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 10.10.18.10 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP sending REQUEST to 10.10.18.1 (len 350, port 1, vlan 18) *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP selecting relay 2 - control block settings: dhcpServer: 192.168.200.1, 
dhcpNetmask: 255.255.255.0, dhcpGateway: 10.10.18.1, dhcpRelay: 10.10.18.10 VLAN: 18 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.454: 00:1f:16:18:df:ec DHCP selected relay 2 - NONE *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP received op BOOTREPLY (2) (len 308,vlan 18, port 1, encap 0xec00) *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP sending packet in EoIP tunnel to foreign 10.10.112.10 (len 346) *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP transmitting DHCP ACK (5) *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.455: 00:1f:16:18:df:ec DHCP xid: 0x3a553a74 (978664052), secs: 0, flags: 0 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP chaddr: 00:1f:16:18:df:ec *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP ciaddr: 10.10.18.100, yiaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP siaddr: 0.0.0.0, giaddr: 0.0.0.0 *DHCP Proxy DTL Recv Task: Mar 26 18:31:26.456: 00:1f:16:18:df:ec DHCP server id: 192.168.200.1 rcvd server id: 192.168.200.1
Here is “debug client <mac_address>” command output on WLC2 (Export Foreign)
(WLC2) >debug client 00:1f:16:18:df:ec (WLC2) >*apfReceiveTask: Mar 26 07:28:28.417: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621) *apfReceiveTask: Mar 26 07:28:28.417: 00:1f:16:18:df:ec Adding mobile on Wired Guest 00:00:00:00:00:00(0) *apfReceiveTask: Mar 26 07:28:28.417: 00:1f:16:18:df:ec apfMsAssoStateInc *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec apfHandleWiredGuestMobileStation (apf_wired_guest.c:131) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Idle to Associated *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2) *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4) *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7) *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Associated to Associated *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 48) *apfReceiveTask: Mar 26 07:28:28.418: 00:1f:16:18:df:ec Wired Guest packet from 0.0.0.0 on mobile *apfReceiveTask: Mar 26 07:28:28.419: 00:1f:16:18:df:ec Orphan Packet from 0.0.0.0 *apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED *apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 75) *apfReceiveTask: Mar 26 07:28:30.362: 00:1f:16:18:df:ec apfMsRunStateInc *apfReceiveTask: Mar 26 07:28:30.362: 
00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20) *apfReceiveTask: Mar 26 07:28:30.363: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4495 *apfReceiveTask: Mar 26 07:28:30.363: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Adding Fast Path rule type = Airespace AP Client on AP 00:00:00:00:00:00, slot 0, interface = 29, QOS = 0 ACL Id = 255, Jumbo Frames = NO *apfReceiveTask: Mar 26 07:28:30.364: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 112, IPv6 intf id = 0 *apfReceiveTask: Mar 26 07:28:30.364: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255) *pemReceiveTask: Mar 26 07:28:30.365: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Foreign role *pemReceiveTask: Mar 26 07:28:30.371: 00:1f:16:18:df:ec 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4 *apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Deleted mobile LWAPP rule on AP [00:00:00:00:00:00] *apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec apfMsRunStateDec *apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec apfMsAssoStateDec *apfReceiveTask: Mar 26 07:28:32.952: 00:1f:16:18:df:ec Deleting mobile on AP 00:00:00:00:00:00(0) *pemReceiveTask: Mar 26 07:28:32.969: 00:1f:16:18:df:ec 0.0.0.0 Removed NPU entry. 
*apfReceiveTask: Mar 26 07:28:33.423: 00:1f:16:18:df:ec 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621) *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Adding mobile on Wired Guest 00:00:00:00:00:00(0) *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec apfMsAssoStateInc *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec apfHandleWiredGuestMobileStation (apf_wired_guest.c:131) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Idle to Associated *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 START (0) Initializing policy *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2) *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4) *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7) *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:1f:16:18:df:ec on AP 00:00:00:00:00:00 from Associated to Associated *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 48) *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Wired Guest packet from 0.0.0.0 on mobile *apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Orphan Packet from 0.0.0.0 *apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED *apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec Stopping deletion of Mobile Station: (callerId: 75) *apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec apfMsRunStateInc *apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state 
to RUN (20) last state RUN (20) *apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4495 *apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Adding Fast Path rule type = Airespace AP Client on AP 00:00:00:00:00:00, slot 0, interface = 29, QOS = 0 ACL Id = 255, Jumbo Frames = NO *apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 5006 IPv6 Vlan = 112, IPv6 intf id = 0 *apfReceiveTask: Mar 26 07:28:35.361: 00:1f:16:18:df:ec 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255) *pemReceiveTask: Mar 26 07:28:35.362: 00:1f:16:18:df:ec Set bi-dir guest tunnel for 00:1f:16:18:df:ec as in Export Foreign role
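The following is an added example, not part of the original post: a Python parser for `debug client` output in the format shown above. It rebuilds the client's policy state path on each controller and flags an anchor session that reaches RUN without passing WEBAUTH_REQD. The function names and the abridged sample lines are constructed for this example, and the check assumes the Guest LAN uses Web-Auth as in this post.

```python
import re

# Abridged sample input in the format of the "debug client" output on this
# page (anchor = WLC1, foreign = WLC2), shortened for this example.
ANCHOR_DEBUG = """\
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec Adding mobile on Remote AP 00:00:00:00:00:00(0)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*mmListen: Mar 26 18:25:47.719: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec 10.10.18.100 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state WEBAUTH_REQD (8)
*DHCP Proxy DTL Recv Task: Mar 26 18:26:10.805: 00:1f:16:18:df:ec Assigning Address 10.10.18.100 to mobile
*emWeb: Mar 26 18:28:07.630: 00:1f:16:18:df:ec Username entry (user2) created for mobile
*emWeb: Mar 26 18:28:07.639: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_NOL3SEC (14)
*emWeb: Mar 26 18:28:07.644: 00:1f:16:18:df:ec 10.10.18.100 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state RUN (20)
"""
FOREIGN_DEBUG = """\
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec Adding mobile on Wired Guest 00:00:00:00:00:00(0)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfReceiveTask: Mar 26 07:28:33.424: 00:1f:16:18:df:ec 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Mar 26 07:28:35.360: 00:1f:16:18:df:ec 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
"""

ENTRY = re.compile(r"\*([\w ]+?):\s+(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\.\d{3}):\s*")
CHANGE = re.compile(r"(\w+) \(\d+\) Change state to (\w+) \(\d+\)")
ROLE = re.compile(r"mobility role=(\w+)")
ADDRESS = re.compile(r"Assigning Address (\d+(?:\.\d+){3}) to mobile")
USER = re.compile(r"Username entry \((.+?)\) created for mobile")


def entries(text):
    """Split debug text on the '*task: timestamp:' markers, so output that
    was wrapped or run together onto long lines is still parsed."""
    marks = list(ENTRY.finditer(text))
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        yield mark.group(1), mark.group(2), " ".join(text[mark.end():end].split())


def summarize(text):
    """Return role, address, user and state path of the client's last session."""
    session = None
    for _task, _stamp, body in entries(text):
        # "Adding mobile on ..." starts a fresh session after an expiry.
        if session is None or "Adding mobile on" in body:
            session = {"role": None, "ip": None, "user": None, "states": []}
        if m := CHANGE.search(body):
            # The state printed before "Change state to" is the previous one;
            # the "last state" field just repeats the new state.
            previous, new = m.groups()
            if not session["states"]:
                session["states"].append(previous)
            if session["states"][-1] != new:
                session["states"].append(new)
        if m := ROLE.search(body):
            session["role"] = m.group(1)
        if m := ADDRESS.search(body):
            session["ip"] = m.group(1)
        if m := USER.search(body):
            session["user"] = m.group(1)
    return session


def audit(summary):
    """List findings for a Web-Auth Guest LAN session (empty list = as expected)."""
    states = summary["states"]
    if "RUN" not in states:
        return ["client never reached RUN"]
    findings = []
    # The foreign WLC goes DHCP_REQD -> RUN directly because DHCP and web
    # authentication are handled on the anchor; only the anchor is checked.
    if summary["role"] == "ExpAnchor":
        if "WEBAUTH_REQD" not in states[:states.index("RUN")]:
            findings.append("RUN reached on anchor without passing WEBAUTH_REQD")
        if summary["user"] is None:
            findings.append("no web-auth username recorded on anchor")
    return findings
```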
Important Points for Wired Guest Deployment
1. Currently, five Guest LANs for wired guest access are supported. In total, 16 WLANs for Wireless users and 5 WLANs for wired guest access can be configured on the Anchor WLC. No separate tunnels exist for WLANs. All the guest WLANs, which include the WLANs for wired guest access, use the same EoIP tunnels to the Anchor WLC.
2. Administrators need to create dynamic interfaces in the WLAN controller, mark them as “Guest LAN,” and associate them to WLANs created as Guest LANs.
3. Make sure that WLAN configurations, including authentication, are identical on both the Anchor and Remote controllers to pass the client traffic.
4. WLCs should have compatible software versions. Ensure that they run the same major version.
5. Web-authentication is the default security mechanism available on a wired guest LAN. The current options available are these: Open, Web Auth, and Web Passthrough.
6. In case of failure of the EoIP tunnel between the remote and anchor WLC, the client database is cleaned up from the Anchor WLC. The client needs to re-associate and re-authenticate.
7. No layer 2 security is supported.
8. Multicast/Broadcast traffic on the wired guest LANs is dropped.
9. DHCP Proxy settings must be identical on both the Anchor and Remote controllers.
Here are a few reference documents that discuss this.
1. Ask the Expert : Wired Guest Access
2. Wired Guest Access Configuration Example
