Friday, January 27, 2012

Do not trunk a wired guest VLAN to multiple foreign controllers

This is an issue that recently plagued me for longer than I would care to admit. I hope it helps you!

I'm focusing on Cisco Bug CSCtw44999 "Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported, and will generate unpredictable results." It will also generate lots of trouble tickets.

Many sites have two 5508 series controllers, one being the primary and one being the secondary. The controllers are both configured the same for redundancy (with the exception of the obvious hostnames, IP addresses, etc.), and usually all of a building's access points are put on one controller to avoid inter-controller roaming. The secondary exists in case the primary fails; it may also host another building's APs.

Take a look at the drawing I have included...

The guest wireless network is a Cisco best practices configuration. The guest WLAN is configured on both the primary & secondary controllers and tunneled to an anchor controller in the DMZ.

Now we get to the guest wired solution.

The following document is pretty straightforward on how to configure wired guest networking, but does not address redundancy for the foreign (local) controllers:

http://www.cisco.com/image/gif/paws/99470/wired_guest_access.pdf
Redundancy is covered in this document:

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_user_accts.html#wp1066125
It states: "Follow these guidelines before using wired guest access on your network:"

•Wired guest access is supported only on the following controllers: Cisco Flex 7500 and 5500 Series controllers, the Cisco WiSM2, and the Catalyst 3750G Integrated Wireless LAN Controller Switch.

•Do not trunk a wired guest VLAN to multiple foreign controllers. This is not supported and may generate unpredictable results.

A true statement, I assure you.

•A wired guest LAN can support multiple anchor controllers.


Redundancy is also covered in this document:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70users.html

It states: "Follow these guidelines before using wired guest access on your network:"

•Wired guest access is supported only on the following controllers: 5500 and 4400 series controllers, the Cisco WiSM, and the Catalyst 3750G Integrated Wireless LAN Controller Switch.

•Do not attempt to trunk a guest VLAN on the Catalyst 3750G Integrated Wireless LAN Controller Switch to multiple controllers. Redundancy cannot be achieved by doing this action.

That last bullet point is very important. It states "do not attempt to...", but that is rather confusing. It should read, "Do not trunk a wired guest VLAN to multiple foreign controllers."

Needless to say, that can easily be overlooked during configuration day, and you could introduce problems into your wired guest solution.

Redundancy cannot be achieved by trunking a wired guest VLAN to two or more foreign (local) controllers!
Here are the issues that you might see:
-DHCP problems
-Disassociate/Deauthenticate (login through the splash page over and over again)
-Timeouts - we saw 90 second long timeouts to the gateway in the DMZ from a wired guest

If you have multiple local controllers, then only one of them should be configured (or at least active) for the Guest Wired network.

The fix: Trunk the guest wired VLAN to all your local controllers, but only one controller should have the wired guest WLAN active. If the controller with the active wired guest profile fails, then enable the wired guest profile on another controller. Looks like this is about as much redundancy as we can get at the moment. (Jan 2012)
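To make that fix concrete, here is an added configuration sketch for the two foreign controllers. It is not from the original post or from the Cisco documents linked above; the command names follow the WLC CLI as I know it from the 7.0 command reference, and the guest LAN id 1, the dynamic interface name wired-guest, VLAN 50 and the anchor address 192.0.2.10 are placeholders. Physical port binding of the dynamic interface is omitted. The anchor controller in the DMZ is configured exactly as for a single foreign controller and is not shown.

```cisco
! Added example, not the blog author's configuration. Lines beginning with "!"
! are annotations, not WLC commands. Placeholders: guest LAN id 1, dynamic
! interface "wired-guest" on VLAN 50, anchor controller at 192.0.2.10.

! --- Primary (foreign) controller: wired guest LAN configured AND enabled ---
config interface create wired-guest 50
config interface guest-lan wired-guest enable
config guest-lan create 1 wired-guest
config guest-lan ingress-interface 1 wired-guest
config guest-lan interface 1 management
config guest-lan security web-auth enable 1
config guest-lan mobility anchor add 1 192.0.2.10
config guest-lan enable 1
save config

! --- Secondary (foreign) controller: identical configuration, left DISABLED ---
! The VLAN 50 trunk reaches this controller as well; that is only safe while
! exactly one foreign controller has guest LAN 1 enabled.
config interface create wired-guest 50
config interface guest-lan wired-guest enable
config guest-lan create 1 wired-guest
config guest-lan ingress-interface 1 wired-guest
config guest-lan interface 1 management
config guest-lan security web-auth enable 1
config guest-lan mobility anchor add 1 192.0.2.10
config guest-lan disable 1
save config

! --- Manual failover when the primary fails ---
! On the secondary:
config guest-lan enable 1

! When the primary comes back, disable on one controller BEFORE enabling on
! the other, so the wired guest VLAN is never active on two foreign
! controllers at the same time:
! (on the secondary)  config guest-lan disable 1
! (on the primary)    config guest-lan enable 1

! Quick sanity check, run on each foreign controller: guest LAN 1 should
! report enabled on exactly one of them.
show guest-lan summary
```

The point of the layout is that the secondary already carries the full guest LAN definition and the VLAN trunk, so failover is a single enable command rather than a configuration exercise, while the disable/enable ordering keeps the "one active foreign controller per wired guest VLAN" rule intact. Verify the exact command syntax against the command reference for the software version running on your controllers.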