The infrastructure diagram for the guest wifi service is well known:
Pic.1 – Diagram for guest wifi service (diagram is taken from “design guide”)
Between the local wireless controllers located on site (shown and named as “campus controllers” or “foreign WLCs”) and the wireless controller located in the DMZ (usually shown and named as the “anchor controller”) an EoIP tunnel must be configured and built. This article describes how to configure this tunnel correctly, as no documentation on cisco.com gives such detailed information.
For the guest wifi service to function, the status of the tunnel must be UP (both the local WLC and the anchor WLC show the status of this tunnel as UP when everything is correct):
Pic.2 – EoIP tunnel is established
To build a peer, the following are needed:
1) The IP address of the management interface on the remote peer (if you configure the anchor, you need the management IP of the foreign WLC, and vice versa: on the foreign WLC you need the management IP of the anchor WLC).
2) The member MAC address: this is the tricky part, because it must be the MAC address of the remote peer's management interface, not of its virtual interface. If either side (the local WLCs or the anchor WLC(s)) is in HA-SSO mode, the high-availability virtual MAC address must be used instead; it can be read with the following command (or from the GUI via https access):
(Cisco Controller) >show redundancy summary
3) The group name: this is the local mobility group name of the remote side, and it is cAsE senSiTivE.
Pic.3 – EoIP tunnel is established
If at least one of 1), 2) or 3) is not fulfilled, the peer will not come up and will show “data path is down” or “control path is down”.
4) The firewall rules between the anchor WLC (usually located in the DMZ) and the local WLCs must be opened. From my experience the following ports are needed:
“Legacy mobility: IP Protocol 97 for user data traffic, UDP Port 16666”
Although it is called “legacy mobility”, this is what firmware 22.214.171.124 uses: per the firewall logs, UDP 16667 is not used, even though it is listed as
“New mobility: UDP Port 16666 and 16667” in the related Q&A.
Additionally, as far as I remember, the EoIP communication is initiated from the anchor (I have never seen this detailed in Cisco documentation), but to be 100% sure it is recommended to write the ACLs so that EoIP can be initiated from the local WLCs as well as from the anchor WLC, because on a stateful firewall it matters which side initiates the communication.
If the details in 4) are not taken into account, the status of the EoIP peer will be shown as “control and data path down”, “data path is down” or “control path is down”, depending on what the related access lists permit: the control path runs over UDP 16666 and the data path over IP protocol 97, so the reported status tells you which of the two rules is missing.
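As an added example that is not part of the original article or of Cisco's tooling, the script below puts items 1) to 4) into a checkable form: it builds the `config mobility group member add` line for each side from the remote peer's management IP, member MAC and mobility group name, flags the classic mistakes (wrong IP, MAC in another notation, group name that differs only in case), and predicts which peer status a given firewall policy will produce from the UDP 16666 / IP protocol 97 rules. Controller names, IP addresses, MAC addresses and group names are constructed for illustration; the status strings follow the wording used in this article, and the rule set returned by `required_rules()` is the conservative "both sides may initiate" policy recommended above, not a Cisco default.

```python
"""Build and sanity-check the mobility-peer (EoIP) configuration between a
foreign WLC and a guest-anchor WLC. Added example; all values are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Wlc:
    """One controller as its peer must know it (constructed example values)."""
    name: str
    mgmt_ip: str      # item 1): management interface IP
    member_mac: str   # item 2): management MAC, or the HA virtual MAC
                      #          from 'show redundancy summary' when in HA-SSO
    group: str        # item 3): its own mobility group name, case sensitive


def normalize_mac(mac: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 001122334455 and return
    the colon form 00:11:22:33:44:55 that the WLC CLI expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def member_add_command(remote: Wlc) -> str:
    """AireOS CLI line typed on the LOCAL controller to add REMOTE as a member.
    Note that the group name is the REMOTE side's group, typed exactly."""
    return (f"config mobility group member add {normalize_mac(remote.member_mac)} "
            f"{remote.mgmt_ip} {remote.group}")


def check_member_entry(entry_mac: str, entry_ip: str, entry_group: str,
                       remote: Wlc) -> list[str]:
    """Compare a member entry configured on the local WLC with what the remote
    peer really uses. Returns problems; an empty list means 1)-3) are consistent."""
    problems = []
    if entry_ip != remote.mgmt_ip:
        problems.append(f"IP {entry_ip} is not the management IP of {remote.name} ({remote.mgmt_ip})")
    if normalize_mac(entry_mac) != normalize_mac(remote.member_mac):
        problems.append(f"MAC {entry_mac} is not the member MAC of {remote.name} "
                        f"({normalize_mac(remote.member_mac)})")
    if entry_group != remote.group:
        if entry_group.lower() == remote.group.lower():
            problems.append(f"group name differs only in case: {entry_group!r} vs "
                            f"{remote.group!r} (the group name is case sensitive)")
        else:
            problems.append(f"group name {entry_group!r} is not the mobility group of "
                            f"{remote.name} ({remote.group!r})")
    return problems


# Item 4): flows the firewall between anchor and foreign WLCs must permit.
# A flow is (initiator, protocol, number): "udp" with a port, or "ip" with a protocol number.
CONTROL_PATH = ("udp", 16666)   # mobility control messages
DATA_PATH = ("ip", 97)          # EoIP carrying the guest user traffic
SIDES = ("anchor", "foreign")


def required_rules() -> set[tuple[str, str, int]]:
    """Conservative policy: both paths allowed when initiated from either side."""
    return {(side, proto, num) for side in SIDES for proto, num in (CONTROL_PATH, DATA_PATH)}


def predict_peer_status(allowed: set[tuple[str, str, int]], initiator: str = "anchor") -> str:
    """Peer status expected in 'show mobility summary' behind a stateful firewall
    that permits only `allowed`, assuming the tunnel is initiated from `initiator`."""
    control_ok = (initiator, *CONTROL_PATH) in allowed
    data_ok = (initiator, *DATA_PATH) in allowed
    if control_ok and data_ok:
        return "Up"
    if not control_ok and not data_ok:
        return "Control and Data Path Down"
    return "Control Path Down" if not control_ok else "Data Path Down"


if __name__ == "__main__":
    anchor = Wlc("anchor-dmz", "192.0.2.10", "00:1a:2b:3c:4d:5e", "GuestAnchor")
    foreign = Wlc("campus-wlc", "198.51.100.20", "001a.2b3c.4d5f", "Campus")
    print("on the anchor:  ", member_add_command(foreign))
    print("on the foreign: ", member_add_command(anchor))
    # group typed in the wrong case on the foreign WLC
    print(check_member_entry("00:1a:2b:3c:4d:5e", "192.0.2.10", "guestanchor", anchor))
    half_open = {("anchor", "udp", 16666), ("foreign", "udp", 16666)}
    print(predict_peer_status(half_open))          # only the control path gets through
    print(sorted(required_rules() - half_open))    # rules still to request from the firewall team
```

Run it as a script to see the two `config mobility group member add` lines and the diagnosis of a half-open firewall; `check_member_entry` is most useful fed with the MAC/IP/group columns copied from `show mobility summary` on one controller and the `Wlc` record filled in from the other controller's own output.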
P.S.: it is also worth mentioning that Cisco recommends identical WLAN settings on the local WLC and on the anchor, e.g. if “11k Neighbor List” is enabled under the guest wifi WLAN on the local WLC, the same setting must be enabled on the anchor as well. The same applies to the QoS settings under the respective WLAN and to other parameters.