Assigning multiple ports/interfaces to a VLAN-Switch-IOS

Hi,
I am trying to assign ports/Interfaces to VLAN 2 but need to assign the whole blade or many ports on two or three blades to VLAN 2. Switch CAT 4500 running Cisco IOS - I can only do one port/interface at a time:
Switch-4500(config)# interface fastEthernet 0/2
Switch-4500(config-if)# switchport access VLAN 2
vlan Set VLAN when interface is in access mode
So this way, as explained above, one port at a time gets assigned to a VLAN. I need to do multiple ports. How can I do this, if it is possible at all?
Thanks,
Masood

Thanks for getting back to me. You know, I have taken over this network just recently and have realized that the company that was taking care of this network had done this way:
1 main subnet (Users, Servers, WS, etc.) - VLAN 2
1 Development Subnet - VLAN 3 - still active but not in use
So all of my switches, i.e. two CAT 4006, two CAT 3560, and one new 4500 (just purchased), are all on VLAN 2. The main CAT switch has VLAN 3 information since the DEV subnet connects to it as well.
Now, I am trying to create 4 or 5 functional VLANs for my main network (it currently contains all my switches and three routers, and VLAN 2).
2 CAT 4006 switch
1 CAT 4500 Switch
2 CAT 3560
1 CAT 3550
2 CAT 2948-G-TX
2 Border or Gateway Routers Cisco 2621
1 gateway router 2621 (connects this office to a remote extension of this office using a point-to-point T1; at the other end - private IP - it connects to the Internet via an ISP).
My two border routers - public IP, connecting two T1s, one primary and the other one a shadow.
I guess my question is:
What would be the best way to create VLANs 2, 3, 4, 5, 6
using the above switches and routers, and have inter-VLAN communication through trunking and management through VTP or otherwise?
I want to create VLANs in such a way that if a user belonging to VLAN 2 sits on the 12th floor and another user belonging to the same VLAN 2 sits on the 14th floor, it makes no difference, so independent of the user's location - how do I do the port assignment on the switches to do this? No resource or network file resource segmentation is needed since all users will access the same information.
I really appreciate your suggestions and help.
Regards,
Masood

Similar Messages

  • Assign Switch Port Descriptions based on CDP, LLDP, or some type of Hostname Information

    Hey guys,
    I was wondering, is there a way to automatically change/assign the port Descriptions on my Cisco switches based upon information pulled from CDP or LLDP, or some type of hostname, that will go out, pull what device is plugged into that port, and insert description information about that device into the Port Description for that particular port that the device is plugged into?
    Thank you for your help!
    Michael

    Good question!
    You can do this with an EEM applet policy.
    Below is a link that discusses it.
    https://supportforums.cisco.com/document/100791/automatically-set-port-descriptions
    hope this helps,
    if so, please rate.
    thanks

  • Wlc2112-k9 802.1x dynamic vlans on multiple ports

    I have a wlc2112-k9. I have successfully set up a WLAN with 802.1x authentication and dynamic VLAN assignment. The issue I have (and maybe it isn't an issue and just the way the controller works) is that if the vlan interfaces I have defined are connected to different ports from the one the default interface for the WLAN is on, it doesn't work.
    So for instance, I create my WLAN and set the interface to the management interface (which is connected to port 1). I then define all my other vlan interfaces that could be returned by my radius server.
    ex: vlan_102 connected to port 2
        vlan_104 connected to port 3
        vlan_106 connected to port 4
    And so forth.
    Port 1 is configured on the switch on vlan 21. If the radius server returns a VLAN ID of 102, 104 or 106 my client successfully connects to the WLAN but it gets put on VLAN 21. However if I move the vlan interfaces above over to port 1 the client correctly gets put on the correct VLAN.
    All ports on the switch are configured as trunk with the native vlan set to the corresponding value that is set on the WLC.
    Is this just the way the controller functions? That it can't assign a client to a different interface that is connected to a different port from the default one set up when the WLAN is created? I would have just thought that if the radius server returned VLAN 102 it would find that interface and connect the user session via that interface regardless of the port it is configured on.
    Thanks

    Dynamic vlan assignment should work with the controller
    by returning the standard IETF attributes
    64, 65, and 81.
    You said that you have configured the native vlan on each trunk port to be exactly the same as the vlan assigned to the dynamic interface on the neighbor controller port. Make sure to have the native vlan set to something else, especially since, I guess, you have tagged the vlans on those dynamic interfaces.
    Please make sure to rate correct answers

  • Multiple ports vlan trunking

    Hello, I recently purchased a 3560 switch and I am relatively new with VLANs.
    What I need to do is quite simple:
    I need multiple fastethernet ports in multiple VLANs on a single switch. For that, I need to trunk these ports, but nothing seems to work properly.
    I created multiple VLANs (vlan 100, 200 and 300), but by default each VLAN can see the others (my allowed vlan list is set to ALL on each port).
    When I set up the restrictions of that allowed vlan list, the problem is that each port can still see the others. Example: Port 0/22 is set to allowed vlan 100,200, but that port can still see vlan 300. I configured the Native VLAN as VLAN50 (an empty VLAN) for each port on the switch.
    I tried on a 3560 and a 2950, but exactly the same problem occurs.
    The problem is really basic, but I've been on it for 1 week. Is there anyone who could help me please?

    Check the link below for detailed configuration & information.
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00800d84be.html
    If you want to remove the vlan from the trunk, you can simply use the command below:
    switchport trunk allowed vlan remove 300
    Hope this helps.

  • OTV site vlan with multiple overlay interface

    Hi,
    I have OTV multihoming sites: 2 sites, 2 OTV edge devices at each site,
    with multiple overlay interfaces sharing 1 join interface.
    Each OTV edge device is connected to multiple VDCs.
    Each internal / downlink will forward a different vlan for each VDC.
    ================================
    example
    int overlay 1
      otv extend-vlan 10
    int overlay 2
      otv extend-vlan 20
    int eth 2/1
    description trunk to VDC1
    switchport trunk allowed vlan 10,100
    int eth 2/2
    description trunk to VDC2
    switchport trunk allowed vlan 20,100
    otv site-vlan 100
    ================================
    I understand that I can only use 1 site vlan.
    So in order for the failover to happen, both eth 2/1 and eth 2/2 must fail?
    What if only int eth 2/1 fails? Will int overlay 1 fail over to the secondary OTV device?
    thanks,
    ivan

    "So when querying the adjacency server the ED then knows which other ED is within the same site?"
    Yes for the first part of the question, using the site Vlan unique to each site.
    Why do you need a routed link between EDs at the local site? You don't need to connect those back-to-back over L3. Moreover, if you want to use it for L3 ADJ over the peer-link, you need to make sure that the VLAN you are using is not allowed on the vPC member ports, just on the peer-link, else the vPC loop algorithm will break your traffic.
    Are you planning to use a multicast or a unicast deployment? I remember I tried testing the topology in a POC for one of my customers; things did not work as expected in multicast deployment mode and worked fine in unicast adjacency server mode. I need to go back and check my notes on this.
    I would rather have the join-interface go back to a routed core at the site rather than back-to-back connectivity, as it opens up the tested multicast deployment mode.
    Cheers,
    -amit singh

  • Assigning multiple interfaces for Oracle API Gateway (OAG)

    We are deploying Oracle API Gateway to throttle our incoming API requests. We would like to keep the incoming external API requests separate from the internal configuration management so that they go through different interfaces when accessing the OAG server. This is mainly for security reasons so that the external people won’t have access to the interface used by internal operations team to manage OAG. Based on your experience, is there any standard best practice to accomplish this? We were thinking to perhaps use two of the server’s network interfaces with different IPs, one for the incoming API requests and the other for the internal admin management of OAG. But not sure if this is the best way to do what we need. We are aware of OAG's capability to support two separate ports to handle this situation, but would like a more secure set-up that could completely eliminate external access to the OAG management done by the IT team.
    Would appreciate any thoughts on best practices used regarding multiple interfaces for OAG set-up. Thank you. Oracle Marketing Cloud.

    You are on the right track.
    Here is how you can achieve this:
    You can use multiple network interfaces on the UNIX machine and set up networking/routing in such a way that all external traffic comes in on one card and is routed internally via a different card.
    Segregate different types of services (i.e. to be used by external clients vs internal apps) into different "Service Groups". Have each of these service groups listen on a different port + NIC card (under Listeners, you can define a port to listen on a specific network address and port instead of *).
    Set up additional protection for services that will be accessed by external clients. Use the "Threatening Content" filter to protect your services.
    Set up 2-way SSL for the interface that will be called by external clients. Set up a DN-based authorization check if you want to have both authentication and authorization.
    Hope this helps.
    -Thanks,
    Ankit Kumar

  • Assigning multiple IP address to the same Interface in rc.conf

    Hi,
    Is there any way to assign multiple IP address to the same Interface in rc.conf ?
    Or else how is it done?
    Thanks
    --Siju

    Like oh so many things, IP aliasing is covered in the wiki.
    Or you can just add the commands to /etc/rc.local if you need to do it some other way.

  • How to provide access to multiple users connected to a Dumb switch? (multi-auth/multi-domain)

    Good morning everybody,
    I am writing on behalf of not being able to implement a desired outcome in our company network. In fact the situation is as follows:
    What I want to do is to be able to authenticate users (802.1x authentication) against our company radius server and authorize them access by having a dynamic VLAN assignment in a multi-user environment on one and the same port of a Cisco 2960 switch. So far, the authentication and authorization has been working completely smoothly (there are no problems with that itself). The concept involves the configuration of both DATA and VOICE VLANs, as there is also phone authentication implemented. In order to simulate this environment I introduce a Dumb switch connected to my Cisco 2960 Catalyst.
    What I have successfully managed to get to work so far is this:
    1) On one switch port I have tried the “authentication host-mode multi-domain” and it worked perfectly for a PC behind a telephone, or with one PC connected to the dumb switch + the telephone connected to another port of the dumb switch. Logically it is the same situation as there is a separation in two domains – DATA and VOICE. Below is an output from show authentication sessions for this scenario.
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    2) On the other hand, when I try the same scenario with the “authentication host-mode multi-auth”, the switch still separates the traffic in two domains and is able to authenticate all users, AS LONG AS they are in the same VLAN.
    show authentication sessions:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    However, I cannot succeed authentication of many users from DIFFERENT VLANs, neither in multi-auth nor in multi-domain modes.
    What I want to get is an output like this:
    Interface  MAC Address     Method   Domain   Status         Session ID          
    Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E (user1)
    Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C (user2)
    Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F (phone)
    I want the switch to authenticate the users anytime they connect to itself and for them to have an instant access to the network. (I tell this because I tried scenario 1) with multi-domain mode and authentication violation replace, and it worked but, two users never had access to the “Internet” simultaneously!!!
    The configuration of the interface connected to the Dumb switch is as follows.
    interface FastEthernet0/x
     description Connection to DUMBswitch
     switchport mode access
     switchport voice vlan XXX
     switchport port-security maximum 10
     switchport port-security
     switchport port-security violation protect
     authentication host-mode multi-auth
     authentication priority dot1x
     authentication port-control auto
     authentication timer reauthenticate 4000
     authentication violation replace
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
    The way I see it is explained in the following steps:
    - PC1 connects to the Dumb switch. This causes the Cisco switch to authenticate user1. This creates an auth. session with its MAC address linked to a domain DATA.
    - When PC2 connects to the Dumb switch, this causes the violation replace which replaces the recent authenticated MAC address with the MAC of PC2. I would like it once authenticated to appear in the authentication sessions with a link to a new DATA domain linked to the VLAN assigned from the RADIUS server.
    Is this possible? I think (in theory) this is the only way to provide authenticated access to multiple users connecting through Dumb switch to the network.
    Has anybody ever succeeded with such a configuration example, and if yes, I would love to get some help in doing so?
    Thank you
    Stoimen Hristov

    Hi Stoimen,
    I have done a setup similar to yours with the only exception being VLAN assignment. When I used dACLs only, it makes things somewhat easier as the VLAN no longer matters. Remember that the switchport is in access mode and will only allow a single VLAN across it (with the exception of the voice VLAN). I think that is the real cause of your problem.
    From what I can see, you have 2 options available to you:
    1) Use dACLs instead of VLAN assignment. This means that an access list will be downloaded from the radius server straight to the authenticated user's session. I have tested this and it works perfectly. Just Google Cisco IBNS quick reference guide and look for the section that deals with Low Impact mode.
    2) Get rid of the dumb switches and use managed switches throughout your network. Dumb switches will always be a point of weakness in your network because they have no intelligence to do advanced security features like port security, 802.1x, DHCP snooping, etc.
    Hopefully someone else will chime in with another option.
    Xavier
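An added example (not from the thread above or from Cisco) that turns the posted `show authentication sessions` output into a per-port audit: it parses the fixed-width table, groups sessions by interface and flags ports that carry more than one authorized DATA host, which is exactly the shared-media (dumb switch) situation the reply describes as a weakness and as incompatible with one VLAN per user on an access port. The sample output is constructed from the lines posted above; the `Fa0/24` row and the `mab`/`Authz Failed` values are assumptions added to exercise the failure path.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 'show authentication sessions' output
# posted in the thread; the Fa0/24 row is an added, assumed failure case.
SAMPLE_SESSIONS = """\
Interface  MAC Address     Method   Domain   Status         Session ID
Fa0/23     0021.9b62.b79b  dot1x    DATA     Authz Success  C0A8FF69000000F3008E
Fa0/23     b888.e3eb.ebac  dot1x    DATA     Authz Success  C0A8FF69000000F8008C
Fa0/23     0015.655c.b912  dot1x    VOICE    Authz Success  C0A8FF69000000F9009F
Fa0/24     0011.2233.4455  mab      DATA     Authz Failed   C0A8FF6900000101009A
"""

# One data row: interface, dotted-hex MAC, method, domain, two-word status, session id.
ROW_RE = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>Authz \S+|\S+)\s+(?P<sid>\S+)$",
    re.IGNORECASE,
)


def parse_sessions(text):
    """Return one dict per session row; the header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def summarize(rows):
    """Group authorized MACs per interface by domain; collect failed sessions."""
    per_port = defaultdict(lambda: {"DATA": [], "VOICE": [], "failed": []})
    for r in rows:
        entry = per_port[r["intf"]]
        if r["status"].lower() != "authz success":
            entry["failed"].append(r["mac"])
        else:
            entry.setdefault(r["domain"].upper(), []).append(r["mac"])
    return dict(per_port)


def findings(rows):
    """Flag ports with more than one authorized DATA host (a hub or unmanaged
    switch sits behind the port, so per-user VLAN assignment cannot work on an
    access port) and ports with failed sessions worth a look."""
    out = []
    for intf, s in sorted(summarize(rows).items()):
        if len(s["DATA"]) > 1:
            out.append((intf, "multiple-data-hosts", len(s["DATA"])))
        if s["failed"]:
            out.append((intf, "authz-failed", len(s["failed"])))
    return out


if __name__ == "__main__":
    for f in findings(parse_sessions(SAMPLE_SESSIONS)):
        print(f)
```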

  • Solaris 8: Multiple primary interfaces connected to the same network

    I have a machine with Solaris 8, and it has multiple interfaces that are connected to the same network which means they all have metric 0 (1 hop) to the default gateway.
    assume:
    e1000g0: 192.168.30.70
    e1000g2: 192.168.30.72
    e1000g4: 192.168.30.74
    e1000g5: 192.168.30.76
    gateway: 192.168.30.65 (Cisco Router)
    However, despite the fact that they have a direct connection, they seem to be using e1000g0 to access the 192.168.30.0 network to get to the default gateway and then to anywhere else.
    When I send a ping to say, 192.168.30.74 (IP of e1000g4) and capture packets on e1000g0, I see the "echo reply" messages going out of it as opposed to e1000g4, even though e1000g4 is the one receiving the "echo request". This should not happen, and these should be completely independent as they should all be advertising 1 hop to that network.
    The outputs from netstat -rn and ifconfig -a are shown in the picture on the link below
    [http://img836.imageshack.us/img836/7308/ifconfignetstathiddenip.jpg]
    This gets even more confusing when I go into the Cisco router and run the command: "show mac address-table" where only the MAC address of e1000g0 is shown for the switch port it's connected to, but not for the other interfaces which are connected to the switch. Yes, all ports are active (no shut) and are pingable.
    Also, the odd thing is that ALL of these individual MACs show up in the router ARP table when the machine comes up; however, after sending a ping to one of them, after a certain expiry or whatever period, the MACs disappear from the router ARP table and only the MAC for e1000g0 shows up. The arp table of the solaris machine, however, shows all the relevant MACs of each port of the router that it's physically connected to (this is actually a Cisco switch with the advanced IP services image and L3 routing turned on).
    Before anyone asks: the local-mac-address? setting does NOT exist in my machine and it never has, but it used to work fine. Also, from the ifconfig command, one can tell that all the MAC addresses are fine.
    I need to somehow assign all these interfaces equal priority and make them understand that they're physically connected to the 192.168.30.0 network and there's no need to go through e1000g0 to get to it.
    This is causing a lot of problems as eventually all traffic will end up going through the e1000g0 interface and that will become a bottleneck.
    Please help. Thanks in advance.

    Ok thanks. That was a useful response.
    I did think about the trunking software that is claimed to be available for Solaris 8, but it's only available if you've got paid support contract. Oracle came and ruined everything re: Sun support which is so expensive now.
    The other confusion is, we never had that OR needed to configure trunking/link aggregation on this machine, so why now?
    Lastly, by your explanation, this should be expected and is "normal" behaviour, which would mean that this machine was always doing this and I only just noticed it this time? I thought if you turn off ipv4 forwarding and router function in the machine, it's every interface for itself. But it's not doing that :(
    So then the question is: can I force it? I've tried a bunch of things by manipulating the tables and it seems to mess things up where nothing is getting through, or it now shifts all the traffic to some other port, making the problem no different.
    Is there a way to give equal weight to all interfaces for the traffic to go directly through them that is originating at those ports?

  • Static unicast MAC entry in multiple ports Cat6500VSS

    Hello, I'm trying to configure a static mapping of a MAC address in two different ports on a Catalyst 6500 switch.
    My situation is: I've configured a cluster of firewalls which exposes a unicast MAC address for the cluster virtual interface. The situation is that the MAC address is a unicast one, and when the switch sees the MAC from multiple ports, it gets confused and starts flooding in all the VLAN.
    The configuration I'm trying to do is for a McAfee Firewall connected to 2 Catalyst 6500 in VSS mode. Here is the article of the firewall vendor with the recommended configuration: https://kc.mcafee.com/corporate/index?page=content&id=KB61307&actp=null&viewlocale=en_US&showDraft=false&platinum_status=false&locale=es_ES
    What i want to do is to configure unicast mirrored mode, and in that mode, I have to run this command on Catalyst 6500 and I can't:
    mac-address-table static 000e.a210.440a GigabitEthernet 1/1/3 GigabitEthernet 2/1/3
    Note that the mac address is a unicast one.
    How can I do that? Any help will be appreciated.

    Hello,
    There is a fundamental architecture difference between the 2 platforms regarding the internal forwarding of frames. With the 3550 the notification packet is sent after a lookup and the results index can contain more than one entry where as with other architectures the results are limited to a single entry. Basically that is why you can configure an ARP entry to point to different ports on the 3550 versus other platforms.
    Hope that helps.
    Regards,
    James

  • ERROR OWS-04045 during accessing multiple ports based web service

    I use WSA to publish a web service which has multiple ports.
    The ant build script :
    <oracle:assemble appName="${app.name}" ear="${app.name}.ear"
    targetNamespace="http://www.xxx.com" classpath="${domestic.class.path}"
    input="${web.home.path}/WEB-INF/classes" output="${archive.output.path}"
    style="rpc" mappingFileName="type-mapping.xml" appendToExistingDDs="true"
    serviceName="${app.name}">
    <oracle:porttype interfaceName="com.xxx.service.ICompanyDefinerWebService"
    className="com.xxx.CompanyWebServiceImpl">
    <oracle:port name="company" uri="company" />
    </oracle:porttype>
    <oracle:porttype interfaceName="com.xxx.IUserDefinerWebService"
    className="com.xxx.UserProfileWebServiceImpl">
    <oracle:port name="userprofile" uri="userprofile" />
    </oracle:porttype>
    </oracle:assemble>
    There is a class named UserDTO which extends another class AbstractDTO, which is located in another package. I used a type-mapping file for giving them different namespaces.
    After deployment, I can use the url http://localhost:8888/xxx/userprofile to access the web service. OC4J provided a javascript based stub for testing.
    But I met some problems. When I use the web stub to access it, an error occurs.
    ERROR OWS-04045 Malformed Request Message:Caught exception while handling request: unexpected element name: expected={http://www.xxx.com/framework/bean}operationRecord, actual={http://www.xxx.com/user/dto}operationRecord
    I switched the form to display in xml before invoking, and I found there are different and correct namespaces on these 2 elements (UserDTO and OperationLog). So, I'm very puzzled why the server responds with such fault information.
    In addition, if I use default style (just document-wrapped) to publish web service, almost all methods can not be accessed on web stub which is provided by oracle.
    Surely, the problem is caused by multiple port. The soap specification is 1.2 and JDK is SUN 1.5.0-b6, OC4J is 10.1.3.3
    I just want to know whether oracle has some better practices or suggestions for publishing a web service which will have multiple ports.
    The other problem is we can not use abstract class(only support interface) when we want to use WSA to assemble a web service based EAR.

    Is it possible to use several "class L4VIPCLASS" inside the "policy-map multi-match VIPs" in order to have several VIPs to load-balance services for several serverfarms?
    Something like this:
    class-map match-all L4VIPCLASS-1
    2 match virtual-address 172.16.1.1 tcp eq www
    class-map match-all L4VIPCLASS-2
    2 match virtual-address 172.16.1.2 tcp eq www
    class-map match-all L4VIPCLASS-3
    2 match virtual-address 172.16.1.3 tcp eq 8081
    policy-map type loadbalance http first-match WEB_POLICY-1
    class class-default
    serverfarm-1
    policy-map type loadbalance http first-match WEB_POLICY-2
    class class-default
    serverfarm-2
    policy-map type loadbalance http first-match WEB_POLICY-3
    class class-default
    serverfarm-3
    policy-map multi-match VIPs
    class L4VIPCLASS-1
    loadbalance vip inservice
    loadbalance policy WEB_POLICY-1
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 1 vlan 11
    class L4VIPCLASS-2
    loadbalance vip inservice
    loadbalance policy WEB_POLICY-2
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 2 vlan 22
    class L4VIPCLASS-3
    loadbalance vip inservice
    loadbalance policy WEB_POLICY-3
    loadbalance vip icmp-reply active
    loadbalance vip advertise active
    nat dynamic 3 vlan 33
    interface vlan XX
    service-policy input VIPs
    Many thanks for your support.

  • Int vlan up while no port connected on the vlan

    Hello,
    Having a cat3750 stack (Layer2-Layer3, release 12.2.25SEB4), I would like to have an interface vlan up for administration reasons with no port connected on this vlan.
    Do you know a way to get it, without using a loopback interface, i.e. having a switch port state up while not being connected? (no keepalive, nor an L3 interface with no keepalive, helps me)
    sh run int fas 3/0/24
    Building configuration...
    Current configuration : 170 bytes
    interface FastEthernet3/0/24
    no switchport
    no ip address
    no logging event link-status
    no keepalive
    no snmp trap link-status
    power inline never
    no mdix auto
    end
    sh run int vlan 1
    Building configuration...
    Current configuration : 96 bytes
    interface Vlan1
    description *** Management ***
    ip address a.b.c.d 255.255.255.248
    end
    sh int vlan 1
    Vlan1 is up, line protocol is down
    sh int fast 3/0/24
    FastEthernet3/0/24 is down, line protocol is down (notconnect)
    Regards,

    Hello Glen,
    Thank you for replying so fast.
    Here is some more information:
    The switch is used as a router too.
    It is reachable by a WAN router connected to this switch on an another vlan (vlan 9). The SVI for the management of this switch is on a dedicated vlan (vlan 1) but this is the only switch of this site.
    The management of this switch isn't in the same vlan as the router.
    And I wonder if there is a way to have a SVI up just for the management process of this switch, without using a loopback interface.
    The WAN router is on vlan 9 and I would like to have the switch management IP address on vlan 1.
    Vlan 1 IP network is a subnet of the network routed by the WAN router (managed by an operator).
    Regards,

  • WLC is ARPing but will not receive answer from vlan-switch

    Hi - this is my first posting in these forums - hope I get it right.
    Setup: a procurve-vlan-switch (2915) is connected directly to a cisco-wlc (2504) on two ports.
    Port 1 on the wlc has the management- and apmanager-interface, untagged, connected to an untagged port on the procurve switch.
    Port 2 on the wlc has a dynamic interface (vlan 100) connected to a tagged (vlan100) port on the switch.
    Port 1 I can ping, and everything works as it should, LAP connects and so on.
    Port 2 I can't ping, and it will not let clients get an ip-address in the vlan100 segment.
    Wireshark tells me that the wlc sends arp-requests to the vlan-gateway on the procurve switch, and also that the switch replies in the same vlan (with tagged packets). But the WLC will not pick these answers up and keeps ARPing for the gateway. Result is = no dhcp-answer to the clients.
    Workaround: If I first ping from the wlc to the gateway, everything works for 5 minutes, i.e. I can ping the dynamic interface on the wlc and clients get ip-addresses, but when the arp-cache times out, everything goes black again.
    BIG question: Can anyone help me with this? Why will the wlc not pick up the arp-answer from the switch? The wlc asks with tagged packets and gets tagged replies immediately but will not listen.
    Sincerely
    Nicholas Wolf Haamann

    Is there a reason you are using two separate ports on the WLC?
    Generally you would just create a Trunk port to the WLC and all traffic would pass over it.
    The fact it works for 5 minutes makes me wonder if the WLC is somehow using the same MAC for both ports. What MAC addresses does the MAC address table on the HP switch show for both ports?

  • 802.1x Dynamic VLAN Switching Question

    Trying to set up 802.1x dynamic VLAN switching, and have a question. I think I've gotten it working except for one part. The VLAN on a protected interface is never getting switched. I can see an entry in the ACS stating that it applied the appropriate VLAN via RADIUS response, but it never changes on the switch.
    Environment:
    ACS Express 5.0.1
    C3550 running c3550-ipbasek9-mz.122-44.SE6.bin
    Switch config:
    aaa new-model
    aaa group server radius dot1x
    server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 071C244F5C0C0D544541
    aaa authentication dot1x default group dot1x
    dot1x system-auth-control
    dot1x guest-vlan supplicant
    interface FastEthernet0/3
    switchport access vlan 3
    switchport mode access
    speed 100
    duplex full
    dot1x pae authenticator
    dot1x port-control auto
    dot1x violation-mode protect
    dot1x timeout tx-period 5
    dot1x timeout supp-timeout 5
    spanning-tree portfast
    ip radius source-interface FastEthernet0/1 vrf default
    !
    radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 01000307490E125E731F
    Am I missing something easy?

    It looks like "aaa authorization network default group dot1x" was the missing command I needed to get this working.
    The only issue I'm having now is that if the client fails to meet the authentication requirements, the line status gets set as "down"
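An added example (not from the thread above or from Cisco) that audits a Catalyst IOS running-config for the commands 802.1X dynamic VLAN assignment depends on. The check list mirrors the thread: everything was present except `aaa authorization network`, so ACS returned the VLAN but the switch never applied it. The sample configs are constructed from the posted one with the RADIUS key replaced by a placeholder; the check list itself is this example's own selection of prerequisites, not an exhaustive one.

```python
import re

# (regex over a global config line, example command, why it matters)
GLOBAL_REQUIRED = [
    (r"^aaa new-model$",
     "aaa new-model",
     "AAA is off, so dot1x cannot consult RADIUS at all"),
    (r"^aaa authentication dot1x default group \S+",
     "aaa authentication dot1x default group <radius-group>",
     "no dot1x authentication method list"),
    (r"^aaa authorization network default group \S+",
     "aaa authorization network default group <radius-group>",
     "without network authorization the RADIUS VLAN/ACL attributes are ignored"),
    (r"^dot1x system-auth-control$",
     "dot1x system-auth-control",
     "802.1X is not enabled globally"),
]

# (regex over an interface sub-command, example command, why it matters)
PORT_REQUIRED = [
    (r"^switchport mode access$", "switchport mode access",
     "dynamic VLAN assignment only applies to access ports"),
    (r"^dot1x pae authenticator$", "dot1x pae authenticator",
     "port is not acting as an 802.1X authenticator"),
    (r"^dot1x port-control auto$", "dot1x port-control auto",
     "port-control is not 'auto', so no authentication is enforced"),
]


def split_config(config):
    """Return (global_lines, {interface: [sub-commands]}).

    IOS marks stanza members with a leading space, so an unindented line
    ends the current interface stanza."""
    globals_, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        globals_.append(line)
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
    return globals_, interfaces


def audit(config):
    """Return [(scope, missing_command, reason)]; an empty list means all present."""
    findings = []
    globals_, interfaces = split_config(config)
    for pattern, example, reason in GLOBAL_REQUIRED:
        if not any(re.match(pattern, g) for g in globals_):
            findings.append(("global", example, reason))
    for name, stanza in interfaces.items():
        # Only ports that take part in 802.1X are checked.
        if not any(s.startswith(("dot1x ", "authentication ")) for s in stanza):
            continue
        for pattern, example, reason in PORT_REQUIRED:
            if not any(re.match(pattern, s) for s in stanza):
                findings.append((name, example, reason))
    return findings


# Constructed from the posted config; the RADIUS key is a placeholder.
SAMPLE_BEFORE = """\
aaa new-model
aaa group server radius dot1x
 server-private 10.10.1.4 auth-port 1645 acct-port 1646 key 7 <REDACTED>
aaa authentication dot1x default group dot1x
dot1x system-auth-control
dot1x guest-vlan supplicant
!
interface FastEthernet0/3
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x violation-mode protect
 spanning-tree portfast
!
radius-server host 10.10.1.4 auth-port 1645 acct-port 1646 key 7 <REDACTED>
"""

# The one-line fix the poster found.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "aaa authentication dot1x default group dot1x\n",
    "aaa authentication dot1x default group dot1x\n"
    "aaa authorization network default group dot1x\n",
)

if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(cfg) or "OK")
```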

  • Service port interface Question

    I have a customer that wants to use the service port interface as a backup entry door to its WLCs in the event of a network failure or misconfiguration. I have configured the WLC's mgt and ap-manager interface in a 10.50.x.x network and the service interface in a 10.103.x.x network, which are 2 completely separate networks. Cisco's documentation is unclear as to how to configure the service interface. Should I have the service interface completely separate from the 10.x.x.x network class (e.g 172.16.x.x or 192.168.x.x) or I am okay in using the 10.103.x.x. network?
    The WLC can be configured with static routes. Are those, when configured, reserved for the service interface? Should I configure the WLC with a static route? And if yes what should it be?
    Your help would be greatly appreciated
    Thanks

    You can use the service port, but make sure you configure it correctly. Here is from a Cisco doc:
    By default, the physical service port interface has a DHCP client installed and looks for an address via DHCP. The WLC attempts to request a DHCP address for the service port. If no DHCP server is available, then a DHCP request for the service port fails. Therefore, this generates the error messages.
    The workaround is to configure a static IP address to the service port (even if the service port is disconnected) or have a DHCP server available to assign an IP address to the service port. Then, reload the controller, if needed.
    The service port is actually reserved for out-of-band management of the controller and system recovery, and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port cannot carry 802.1Q tags. Therefore, it must be connected to an access port on the neighbor switch. Use of the service port is optional.
    The service port interface controls communications through and is statically mapped by the system to the service port. It must have an IP address on a different subnet from the management, AP-manager, and any dynamic interfaces. Also, it cannot be mapped to a backup port. The service port can use DHCP in order to obtain an IP address, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service port interface. Static routes can be defined through the controller for remote network access to the service port.
    Hope this helps.
