ACL blocking traffic towards the management interface on WLC 5508

Hello All,
I need to apply an ACL on a WLC 5508 such that it allows HTTPS traffic to the management interface only from selected clients.
For the same, I have created an ACL permitting only the intended users while blocking the rest, and have applied it on the management interface.
However, access from all devices to the management interface is still not blocked. The ACL hit count is not incremented either.
I am on WLC code 8.0.110.0.
Has anyone else faced a similar issue while applying an ACL against the management interface?
I highly appreciate the inputs.
Thanks and Regards,
Adnan

Hi Adnan,
You have to apply this ACL as a CPU ACL. Then it will work.
For your reference:
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4
Hope that helps...
Kind regards
Philip
--> Pls rate useful responses <--
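Philip's answer is the fix, and the thread titled "WLC 5508 CPU ACL" further down this page adds the caveat that goes with it: a CPU ACL filters everything destined to the controller's own addresses, on every interface, so an ACL that ends in deny-all also drops CAPWAP from the APs unless it permits UDP 5246 and 5247. The Python below is an added example, not code from this thread or from Cisco. It is a first-match evaluator for AireOS-style CPU ACL rules that lets you check both points offline before you apply the ACL. The addresses, the ACL name MGMT-HTTPS and the sample flows are constructed for the example. The CLI steps it models are, as I recall them from the AireOS configuration guide and to be checked against your release: config acl create MGMT-HTTPS, config acl rule add MGMT-HTTPS 1, config acl rule source address / destination address / protocol / destination port range / action for that rule, config acl counter start, and finally config acl cpu MGMT-HTTPS both.

```python
"""Offline first-match check of an AireOS-style CPU ACL before it is applied.

Added example, not code from the thread or from Cisco. The addresses, the
ACL name and the sample flows are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

TCP, UDP = 6, 17                       # AireOS rules carry the IP protocol number
CAPWAP_CTRL, CAPWAP_DATA = 5246, 5247  # AP-to-controller tunnel, both UDP
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    """One line of `show acl detailed <name>`: index, source and destination
    prefix, protocol (None = any), destination port range, action, counter."""
    index: int
    src: str
    dst: str
    proto: Optional[int]
    dport: Tuple[int, int]
    action: str                        # "permit" or "deny"
    hits: int = 0                      # the Counter column

    def matches(self, src_ip: str, dst_ip: str, proto: int, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.proto is None or self.proto == proto)
                and self.dport[0] <= dport <= self.dport[1])


class CpuAcl:
    """Rules are tried in index order; the first match wins. A packet that
    matches no rule falls to the implicit deny at the end of every ACL."""

    def __init__(self, name: str, rules: List[Rule]) -> None:
        self.name = name
        self.rules = sorted(rules, key=lambda r: r.index)
        self.implicit_denies = 0

    def evaluate(self, src_ip: str, dst_ip: str, proto: int, dport: int) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, proto, dport):
                rule.hits += 1
                return rule.action
        self.implicit_denies += 1
        return "deny"

    def counters(self) -> Dict[int, int]:
        """Per-rule hit counts, as the Counter column shows them once
        `config acl counter start` is enabled on the controller."""
        return {r.index: r.hits for r in self.rules}


# Constructed addresses for the example.
MGMT_IP = "10.10.30.5"             # controller management interface
ADMIN_NET = "10.10.8.0/24"         # the only clients allowed to reach HTTPS
AP_NET = "10.10.40.0/24"           # where the access points live


def naive_acl() -> CpuAcl:
    """What the original poster described: permit the admin subnet to TCP/443
    on the management address and deny everything else."""
    return CpuAcl("MGMT-HTTPS", [
        Rule(1, ADMIN_NET, MGMT_IP + "/32", TCP, (443, 443), "permit"),
        Rule(99, ANY, ANY, None, (0, 65535), "deny"),
    ])


def safe_acl() -> CpuAcl:
    """Same intent, with the AP subnet's CAPWAP permitted before the catch-all.
    A CPU ACL on a 5508 filters wired traffic to the controller too, and that
    is exactly what CAPWAP from the APs is."""
    return CpuAcl("MGMT-HTTPS", [
        Rule(1, ADMIN_NET, MGMT_IP + "/32", TCP, (443, 443), "permit"),
        Rule(2, AP_NET, MGMT_IP + "/32", UDP, (CAPWAP_CTRL, CAPWAP_DATA), "permit"),
        Rule(99, ANY, ANY, None, (0, 65535), "deny"),
    ])


# Constructed sample flows, all destined to the controller itself.
FLOWS = [
    ("admin-https", "10.10.8.20", MGMT_IP, TCP, 443),
    ("other-https", "10.10.50.7", MGMT_IP, TCP, 443),
    ("ap-capwap-ctrl", "10.10.40.11", MGMT_IP, UDP, CAPWAP_CTRL),
    ("ap-capwap-data", "10.10.40.11", MGMT_IP, UDP, CAPWAP_DATA),
]


def run(acl: CpuAcl) -> Dict[str, str]:
    """Evaluate every sample flow and return flow name -> action."""
    return {name: acl.evaluate(s, d, p, port) for name, s, d, p, port in FLOWS}


def aps_can_join(acl: CpuAcl, ap_ip: str = "10.10.40.11") -> bool:
    """True only if both CAPWAP ports from an AP reach the controller. Check
    this before `config acl cpu <name> both`, or the APs drop off the
    controller as soon as the ACL takes effect."""
    return all(acl.evaluate(ap_ip, MGMT_IP, UDP, port) == "permit"
               for port in (CAPWAP_CTRL, CAPWAP_DATA))


if __name__ == "__main__":
    for build in (naive_acl, safe_acl):
        acl = build()
        print(build.__name__, run(acl), "APs join:", aps_can_join(acl), acl.counters())
```

Running it prints the verdicts and counters for both ACLs: the naive one permits the admin subnet's HTTPS but denies both CAPWAP ports, which is the same effect the poster in the CPU ACL thread saw when traffic to the controller's other interface stopped. The counters are also the quickest way to confirm an ACL is really in the CPU path: hit counts that stay at zero while every client can still reach the management interface, as in the first post, mean the ACL is applied somewhere other than as a CPU ACL.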

Similar Messages

  • What VLAN should the management interface be in on a 4400 controller?

    Hi,
    Some documentation puts the management interface on a 4400 controller into a regular tagged VLAN. But some documentation puts it in an untagged native VLAN, tag 0. What is the difference? Which configuration is optimal?
    Thanks,
    Justin

    The answer is "it depends" :-)
    I would not say any particular config is optimal, though. If you have an established VLAN for management interfaces, I would use that. However, if you put the management interface in the same VLAN as your APs, the APs find your controllers more easily. Otherwise you can use DHCP to point the APs to controllers.
    I prefer to tag the frame as to which VLAN it belongs to, even if that is the same as the native VLAN.

  • 2950 - Changing the Management interface.

    Hi Guys
    I know the SI 2950s can't support more than one active SVI at any one time, and I've seen from the release notes of the 2950 code that the "management" command is no longer available for changing the management interface VLAN.
    Considering this, what would be the best way to change the management VLAN remotely on a large number of 2950s without losing connectivity? I'd lab this up myself but I don't have a 2950 around to see what happens when I "un shut" the new VLAN.
    Any help would be much appreciated.
    Thanks

    Please disregard this message.
    I found a 2950 and discovered that when the new interface is "un shut" the old interface is automatically shut down.

  • ACL Best Practice - On the Internet interface

    I have a question relating to ACLs on a router's 'Internet' facing interface.
    Further to reading several whitepapers on the topic, a recommended ACL would typically contain the following statements.
    In addition, the Cisco SDM automatically generates a similar externally facing ACL:
    ip access-list extended INBOUND
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 0.0.0.0 any
    deny ip any any
    My question is thus...
    What is the point of lines 4-8 when the last line blocks them anyway?
    I appreciate that when we view the ACL we can see the number of matches per explicit ACL entry, but in terms of blocking functionality, I can't see the added benefit.
    Instead, the following ACL would provide the same benefit and be simpler to maintain.
    ip access-list extended INBOUND
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    deny ip any any
    Am I missing something obvious?
    Thanks in advance for assistance,
    Regards.

    thanks Jon for your response.
    With regard to your first suggestion relating to a possible typo, my intention was not "permit ip any any".
    My main point is that there are several example configurations posted on the Internet which at the top of the ACL explicitly deny specific types of traffic and then have a blanket 'DENY ALL' at the end. Here's another example someone else has posted:
    http://www.velocityreviews.com/forums/t34618-cisco-837-wan-interface-accesslist.html
    With regard to your second suggestion, you're right, I should have included a command like:
    permit tcp any any established log
    I appreciate this ACL is not stateful and I should use either the firewall feature set or a dedicated firewall appliance.
    My question primarily is related to my first point. i.e. what is the point of :
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 192.168.0.0 0.0.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 0.0.0.0 any
    when we have the following statement at the end:
    deny ip any any
    There are many example Internet facing ACLs posted on the net that propose this same example configuration.
    thanks again for your response.
    - peter

  • Changing the IP address of the management interface

    Hi all,
    I need to make a change to a pair of Production wireless controllers. Basically the IP range that was assigned for the wireless LAN is no longer sufficient. The gateway for the controllers is a pair of Cisco 4500's that are running HSRP.
    I need to extend the LAN from a /23 to a /22. Unfortunately the range of addresses is completely different. To make matters worse I have to do this remotely, some distance away!
    The layer 3 interface on the switches uses .2 and .3 of the new address range with .1 as the gateway (standby ip).
    The controllers are setup as a Primary and Secondary device. With all the APs currently associated with the Primary.
    My plan was to change the IP address of the management and ap-manager (both are on the same subnet) on the Secondary controller. I'd then lose visibility of the Secondary controller, then change the IP addresses of the physical interfaces on the 4500's. Confirm reachability to the new IP addresses defined on the Secondary controller. Assuming this works, reconfigure the physical interfaces on the two interfaces to ensure the Primary is reachable again, make the IP changes to the Primary WLC, update the physical interfaces on the 4500's to use the new IP addresses and then both WLC's should be reachable. The AP's will hopefully have rebooted and obtained a new IP address from the new range defined for them.
    I'm really not sure of another way of doing this, other than adding a secondary IP address to the interfaces?
    I also wonder if there is a way to apply the initial configuration to the secondary controller, and if my changes don't work, reload the controller so it goes back to using the saved configuration and not the running configuration. Do the controllers support something similar to the 'reload in x' command like on Cisco switches? I've looked up the reset command but am not sure it achieves the same outcome?
    Any ideas?

    Hi Scott,
    Would you do the Primary or Secondary controller first? All the AP's are currently associated with the Primary controller.
    We don't have access to the console port on the controller remotely. We don't have a KVM/IP KVM there.
    What would be the safest method in your opinion?
    - Make the IP changes through the GUI on the Secondary controller.
    - Make the changes on the L3 switches.
    - Confirm reachability to the new ap-manager IP address and management IP address.
    - Adjust the configuration on the L3 switch so the Primary is reachable again.
    - Make the IP change through the GUI on the Primary controller.
    - Confirm reachability to the Primary and Secondary.
    Do the controllers support the 'reload in x' command or something similar? And is the 'Apply' command in the GUI like committing the change to the running-configuration but not the start-up configuration or if there is a major problem I can get somebody on-site to pull the power?
    Thanks

  • Can Extended and Ethertype (input) ACLs be applied to the same interface?

    Hello team:
    Is it possible to apply one Extended ACL and one Ethertype ACL, in input mode, to the same interface?
    Thank you very much in advance.
    Mariela Musitani

    Thank you very much Borys. I assumed that it was possible, but the documentation was not clear in this context.
    regards, Mariela

  • Configuring 802.11v - BSS Transition Management on Cisco WLC 5508

    Hi,
    I am new to the configuration of the WLC, and I am trying to enable the 802.11v sub-feature called BSS Transition Management.
    I am using WLC software version 8.0.115.0, but I can't find this feature in either the GUI or the CLI. I did, however, manage to find other 802.11v sub-features like BSS Max Idle and DMS.
    Has anyone configured this feature?
    How is it done?
    Thanks,
    Udi Atar

    Yeah I want to tag all the VLAN's for sure.  Here is my switch config:
    Building configuration...
    Current configuration : 140 bytes
    interface Port-channel11
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 63,121,190,3000
    switchport mode trunk
    end
    3560-153#show runn int gi0/33
    Building configuration...
    Current configuration : 171 bytes
    interface GigabitEthernet0/33
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 63,121,190,3000
    switchport mode trunk
    channel-group 11 mode on
    end
    3560-153#show runn int gi0/34
    Building configuration...
    Current configuration : 171 bytes
    interface GigabitEthernet0/34
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 63,121,190,3000
    switchport mode trunk
    channel-group 11 mode on
    end

  • Prime Infrastructure 2.0 can not create the guest account on WLC 5508

    The PI can manage the WLC which means the connection between them is ok, but I am not able to create the guest account on it. The WLC has guest SSID with web auth configured correctly..
    Any idea why?
    Thanks!

    raymond,
    that's good to know that it required :
    1) not only a RW community string
    2) but also as well ssh credentials
    i too would have thought option 1) would be all that was required but it doesn't appear that way w/ your response.
    the only way i'll go to add devices in is by doing both SNMP RW and ssh at the same time.
    now we know
    thanks for pointing this out

  • Binding interfaces on WLC 5508

    Hello, I would like information on binding multiple interfaces from the WLC to a Cisco switch for more bandwidth. Can someone point me in the right direction for this? Thank you.

    Here are some links.  You need to have LAG enabled on the WLC and then you need to create an etherchannel to your switch.  You can connect the WLC to multiple switches if they are in VSS.
    https://supportforums.cisco.com/docs/DOC-20587
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_ports_interfaces.html
    Thanks,
    Scott
    Help out other by using the rating system and marking answered questions as "Answered"

  • WLC 5508 CPU ACL

    Hi, how are you? Sorry for my questions and thanks for the patience.
    I have a doubt. Does the CPU ACL affect only the traffic of the management interface?
    For example:
    Controller WLC 5508 version 7.0.98.0
    Interface management IP address 186.108.26.2/24
    Interface XX IP address 190.139.109.101
    I have configured the following ACL and applied to CPU ACL:
    (Cisco Controller) >show acl cpu
    CPU Acl Name................................ ACL
    Wireless Traffic............................ Enabled
    Wired Traffic............................... Enabled
    (Cisco Controller) >show acl summary    
    ACL Counter Status               Enabled
    ACL Name                         Applied
    ACL                              Yes   
    (Cisco Controller) >show acl detailed ACL
    Index  Dir  Source IP/Netmask        Destination IP/Netmask           Prot  Src Port  Dest Port  DSCP  Action  Counter
        1  In   1.1.1.0/255.255.255.0    1.1.1.115/255.255.255.255        6     0-65535   443-443    Any   Permit  0
        2  Any  0.0.0.0/0.0.0.0          100.100.100.100/255.255.255.255  6     0-65535   443-443    Any   Permit  0
        3  Any  0.0.0.0/0.0.0.0          0.0.0.0/0.0.0.0                  Any   0-65535   0-65535    Any   Deny    51
    DenyCounter : 27
    (Cisco Controller) >
    I have the following doubts
    Is it not necessary to allow the CAPWAP tunnel ports?
    I have applied this ACL, and traffic from interface XX to 190.139.109.101 is filtered. If I remove the CPU ACL, traffic to interface XX is permitted. So does the CPU ACL affect all interfaces?

    Hi,
    better a late reply than no reply at all ...
    The CPU ACL actually filters traffic that is destined to one of the WLC IP addresses, so it works on all interfaces, but it does not filter all types of traffic, only traffic that is destined to the WLC itself.
    So if you apply a CPU ACL, it is likely you need to either allow the CAPWAP ports or allow everything from the subnet where the APs are.
    Regards,
    Nicolas

  • 2 AP Management interface WLC 5508 at the same time

    Good afternoon,
    I have a customer who wants a few APs to be managed by, and join through, the management interface, and another group of APs to be managed by, and join through, another interface configured with "Enable Dynamic AP Management".
    It is a WLC 5508. I created an interface with the "Enable Dynamic AP Management" option checked, but it does not work; through the management interface they register without problems.
    Is it possible to do this? Is it supported?

    I don't know whether I understand your question properly or not.
    I think you want to join APs to the management and AP-manager interfaces at the same time?
    When you want to allow APs to join on two ports, 1 (management) and 2, at the same time, then you have to use this:
    As you must be aware that only one AP manager is allowed per port. So if you leave the Management interface as an AP‐manager and just create one additional AP manager interface, you’ll allow APs to join to either port, but the Management interface will not be able to fail over since that would make two AP managers on the same interface.
    Or 
    Remove the AP management function from the Management interface and then create two new AP manager interfaces (one for each port).
    Regards
    Dont forget to rate helpful posts

  • WLC 5508 Cant get access via the Mgmt Interface

    Hello everybody,
    I have a WLC 5508 (version 7.0.98.0). If I ping the service port interface or try to get access via this interface, everything is fine, but I can't get access via the management interface (though it is pingable).
    The crazy thing is that the LAP joined the WLC successfully, but the upgrade tool (converting an AP to an LAP) doesn't work, because the tool can't reach the mgmt interface of the WLC.
    There are no ACLs which block the traffic between the WLC and my computer.
    Does anyone have an idea what I've configured wrong?
    Regards,
    Rocco

    Interface Name    Port  Vlan Id  IP Address     Type     Ap Mgr  Guest
    wlan1             1     16       172.16.2.10    Dynamic  No      No
    management        1     2        172.16.1.10    Static   Yes     No
    wlan2             1     220      172.16.3.10    Dynamic  No      No
    service-port      N/A   N/A      10.75.100.99   Static   No      No
    virtual           N/A   N/A      1.1.1.1        Static   No      No
    and my PC is in the 172.16.4 subnet.
    I have no access to the switch port where the controller is connected, but I know that this port permits access to the VLANs which are used.

  • Cisco ASA won't send Syslog out management interface

    I have been trying to get my ASA to send syslog out of the management interface without any luck. When I do a packet tracer it says that the global implicit deny rule is blocking it, but I tried to add a permit all in front of it and it still blocks it. Everything is configured correctly from what I can tell and the static routes and routing are correct. This has me baffled. Does anyone know what might be causing this or what I should look at in the config to get this working?

    Hi Mark,
    Talking of packet tracer, it would give you the correct output for through-the-box traffic, not for to-the-box or from-the-box traffic.
    So firstly we have two questions:
    1) Is this through-the-box traffic? Then you need to permit the traffic through an ACL (if from a lower to a higher security level) and add a NAT statement (depending on the ASA IOS version you are using; anything above 8.2.5 won't require a NAT).
    2) If this is a syslog from the firewall scenario, then you need to make sure to get the following logging configuration on ASA
    -enable logging
    -logging host management X.X.X.X --------(X.X.X.X is the ip of the syslog server)
    -logging trap debugging ----------(debugging is the level, you could use any other too, but to check I would suggest this one)
    -Further if you have already sorted out till here, get us the following outputs:
    -show run
    -show logging
    -show logging queue
    Hope it helps
    Cheers,
    Naveen
    Please Rate Helpful posts.

  • Splitting the app traffic from the cluster and admin traffic

    Hi,
    We currently have a 10.3.2.0 setup where an admin server is behind a firewall and is running on the Administration Port and is connected to two managed servers in front of a first firewall in the DMZ.
    On each managed server there is two network interfaces one for management and one for apps/DB connections.
    So I was wanting to know how to you get the managed server to split the traffic??
    If I set the managed servers listening address to the management interface then it starts up fine as that what the admin server behind the firewall can see, BUT it means app and JDBC Connections dont work and the server goes to ADMIN state first before you have to manually resume it.
    If I set the managed servers listening address to the app interface then it can't start up and the app interfaces address is block from the admin server to the managed server via the firewall.
    If I set the managed server to have no listening address and leave it blank in the interface field, it starts up and listens on all interfaces, BUT can't find a route to the admin server.
    So what is the answer, can you do something with Network Channels?? Or is it the case you just can't do it and just to have one interface and one listening address as the admin traffic is split by the default administration channel anyway.
    Would be great to know.
    Alistair.

    Are you using cellular data? If yes, try to use Wi-Fi and see if the app works better by using a faster data connection. If you have no problem using Wi-Fi and maps, see if you can have a faster cellular connection by switching to 3G, 4G to LTE service in Settings/Cellular.

  • Help with Cisco 5508 management interface

    Hello,
    I'm trying to verify some behaviors I'm seeing with my 5508 controller setup and forgive me for missing anything obvious, I've zero experience with this hardware and clueless on the best practices. With that said... out of the box I ran through the AutoInstall process.
    I gave my service port an IP address on my subnet, 10.10.8.0/24 vlan 100 and gave the management interface the ip address 10.10.30.5/24 vlan 130
    From my host I can ping the management interface 10.10.30.5 and the interface gateway 10.10.30.1
    I cannot connect to the controller via 10.10.30.5 either through the web GUI or telnet
    I can connect to the controller via 10.10.8.200 both through the web interface and telnet
    while connected to the service port, I can ping the management port IP but I cannot ping the 10.10.30.1 gateway.
    We have attached two test 3502I AP's and they found the controller and pulled correct ip addresses, clients can authenticate and access network resources as well as the Internet so for the most part, things are working but it concerns me that the management interface can't ping its own gateway.
    Keep in mind, I did no other configurations besides what got configured in the AutoInstall process. What should I look at to resolve?
    Thanks!
    Mike

    The service port is for out-of-band management and should not be connected to the network. If connected to the network, it should not have connectivity to the management interface of the WLC.
    You can create an ACL to block the service port IP to the management VLAN if you want. I normally do not connect the service port to the network.
