Cisco 5760 WLC initial config
Hi,
I am configuring a Cisco 5760 WLC and wondering if it is required to put in a default route? In this document it says to put one in, but I don't see why it is needed as it is connected to a switch via a layer 2 Trunk.
Reference:
https://supportforums.cisco.com/docs/DOC-34430
Another question: since there are no more Dynamic Interfaces and they are replaced with Layer 2 & 3 interfaces instead, do all Layer 2 interfaces you create require a layer 3 interface IP address to be configured also? As shown below:
Thanks
So by default the 5760 has IP routing enabled so you will need to put in a default route. A default gateway won't work unless you disable IP routing first.
Sent from Cisco Technical Support iPhone App
Similar Messages
-
Attach WAP4410N as WGB to Cisco 5760 WLC with LWAP 3702
I have 5760 WLC with 3702 wireless infrastructure. Can I connect a WAP4410N AP as WGB to be attached to my current wifi network so I can provide connectivity to some wired devices? Any tips on doing so? And any limitation can be imposed for using this WAP instead of any other AP that are supported by WLC5760? If the wired clients are passive, configuring passive-client on WLC will work normally?
Thanks Eric for the reply, however, this AP is not expected to be controlled by WLC as you mentioned since it is not lightweight and not supported by this WLC for compatibility. But in this scenario, I'm talking about operating it in WGB mode to be attached to the unified wireless infrastructure. In this scenario, it is just attached as a client that passes the traffic of its clients to the other side.
I have noticed the below statement in this guide page (539)
http://hcsdemo.com/c/en/us/td/docs/switches/lan/catalyst3650/software/release/37e/consolidated_guide/b_37e_consolidated_3650_cg.pdf
When non-Cisco WGBs are used, the switch has no information about the IP address of the clients on the wired segment behind the WGB. Without this information, the switch drops the following types of messages:
• ARP REQ from the distribution system for the WGB client.
• ARP RPLY from the WGB client.
• DHCP REQ from the WGB client.
• DHCP RPLY for the WGB client.
Accordingly, if the switch will drop all this traffic, then no traffic will be passed from the WGB clients to the network! What am I missing here?! -
HA clarification in cisco 5760 WLC
Hi Experts ,
We want to establish HA between two 5760 WLCs. These controllers will be there in separate building. So is there any way that we can establish HA without using stacking cables?
Hi guys! We have 2 WLC 5760 and one of them is a HA SKU and they HAVE to be in different buildings. Can we configure the HA SKU WLC as standalone and use mobility groups for redundancy? Is there a License issue in this scenario?
Thanks in advance! -
Hi All,
I'm looking at the feature set offered by the 5760 so far I like it.
However find it bit hard to locate an "all in one" configuration guide for the platform.
I came across individual pieces of the config guide which is based on CLI -IOS XE
http://www.cisco.com/en/US/partner/products/ps12598/products_installation_and_configuration_guides_list.html
What I'm after is a configuration guide similar to what we have for IOS 7.0 train which includes configurations done via GUI.
Unless I need to fine tune or debug I'm happy with the GUI when it comes to WLCs :-)
On a side note, would there be a chassis based equivalent to the 5760 ?
Any help is much appreciated.
Thanks,
Janesh
Those are the only guides out right now. I guess you will have to wait a while before some better "How to Guides" become available. As far as the chassis, I believe they will, but not anytime soon.
-
Hi,
My customer has Cisco 5760 WLCs running as an HA pair. Clean Air has been configured on these boxes but when I do a sh ap dot11 5ghz cleanair summary all the APs show Spectrum Oper State as Down:-
CPIT-5760-WLC-1#sh ap dot11 5ghz cleanair summary
AP Name MAC Address Slot ID Spectrum Capable Spectrum Intelligence Spectrum Oper State
AP1 xxxx.xxxx.xxxx 1 Enabled Enabled Down
AP2 xxxx.xxxx.xxxx 1 Enabled Enabled Down
AP3 xxxx.xxxx.xxxx 1 Enabled Enabled Down
Anyone got any ideas as to how I overcome this little obstacle?
Thanks
Alan
Thanks for the reply. As far as I can tell all the radios are operational:-
and Clean Air has been configured:-
ap dot11 24ghz cleanair
ap dot11 5ghz cleanair
Also the link you sent was for release 7 on the old series controllers whereas this is a HA pair of the 5760s running release 3.03.
I have been through the configuring Clean Air chapter for this release and it doesn't suggest anything I haven't already tried.
Alan -
5760 WLC compatibility with 887 routers in unified mode
Hi,
I was wondering if Cisco 5760 WLC is compatible with APs in 887 router when switched to unified mode? It seems like the WLC is rejecting it; it says unsupported AP
Cheers
Not supported.
Here is the supported AP list as of IOS-XE 3.6.0 (1700 & 1570 series support added in 3.7.0E)
http://www.cisco.com/c/en/us/td/docs/wireless/technology/5760_deploy/CT5760_Controller_Deployment_Guide/Supported_Features.html#pgfId-1071753
HTH
Rasika
**** Pls rate all useful responses **** -
Cisco 5760 - Anchor config issue
Hi,
I am having an issue where the 5760 Anchor WLC has 4 Subnets but half of the VLANs need to go to a separate gateway and the other half to another gateway.
Below image is what the network looks like:
The router (Content Filtering) is the Gateway for 4 x SSID’s/VLANs
The Firewall is the Gateway for the Management VLAN
The issue here is that we have 2 separate Gateways and there is no way to define separate gateways for each VLAN on the 5760 WLC
We have a default IP route 0.0.0.0 0.0.0.0 10.1.1.254 which is pointing to the Firewall. The firewall is not the gateway for the other 4 x SSID/VLANs that exist on the Anchor so we do not want all traffic going to the Firewall, only management traffic.
Is there a way to set different gateways for different subnets/VLANs on the 5760 WLC? Keeping in mind that there is a default route pointing to the Firewall.
Also does the 5760 WLC act as a Layer 3 device?
Thanks
All types of deployments are listed below for the Anchor configuration.
Case solution :
Wireless WebAuth and Guest Anchor Solutions
The following sections show a WebAuthentication (WebAuth) configuration and Guest Anchor examples on the CT5760.
Note: For a complete webauth configuration, please download the webauth bundle from the following URL: http://software.cisco.com/download/release.html?mdfid=284397235&softwareid=282791507&release=3.2.2&relind=AVAILABLE&rellifecycle=&reltype=latest. The readme file has all the GUI and CLI configuration for webauth.
Configure Parameter-Map Section in Global Configuration
The parameter map connection configuration mode commands allow you to define a connection-type parameter map. After you create the connection parameter map, you can configure TCP, IP, and other settings for the map.
! First section is to define our global values and the internal Virtual Address.
! This should be common across all WCM nodes.
parameter-map type webauth global
virtual-ip ipv4 192.0.2.1
parameter-map type webauth webparalocal
type webauth
banner text ^C WEBAUTHX^C
redirect on-success HTTP://9.12.128.50/WEBAUTH/LOGINSUCCESS.HTML
redirect portal ipv4 9.12.128.50
Configure Customized WebAuth Tar Packages
Transfer each file to flash:
copy tftp://10.1.10.100/WebAuth/webauth/webauth_consent.html flash:webauth_consent.html
copy tftp://10.1.10.100/WebAuth/webauth_success.html flash:webauth_success.html
copy tftp://10.1.10.100/WebAuth/webauth_failure.html flash:webauth_failure.html
copy tftp://10.1.10.100/WebAuth/webauth_expired.html flash:webauth_expired.html
Configure Parameter Map with Custom Pages
parameter-map type webauth webparalocal
type webauth
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Parameter Map with Type Consent and Email Options
parameter-map type webauth webparalocal
type consent
consent email
custom-page login device flash:webauth_consent.html
custom-page success device flash:webauth_success.html
custom-page failure device flash:webauth_failure.html
custom-page login expired device flash:webauth_expired.html
Configure Local WebAuth Authentication
username guest password guest123
aaa new-model
dot1x system-auth-control
aaa authentication login EXT_AUTH local
aaa authorization network EXT_AUTH local
aaa authorization network default local
or
aaa authentication login default local
aaa authorization network default local
Configure External Radius for WebAuth
aaa new-model
dot1x system-auth-control
aaa server radius dynamic-author
client 10.10.200.60 server-key cisco
server-key cisco
auth-type any
radius server cisco
address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
key cisco
aaa group server radius cisco
server name cisco
aaa authentication login EXT_AUTH group cisco
or
aaa authentication login default group cisco
Configure WLAN with WebAuth
wlan Guest-WbAuth 3 Guest-WbAuth
client vlan 100
mobility anchor 192.168.5.1
no security wpa
no security wpa akm dot1x
no security wpa wpa2
no security wpa wpa2 ciphers aes
security web-auth
security web-auth authentication-list EXT_AUTH
security web-auth parameter-map webparalocal
no shutdown
Configure HTTP Server in Global Configuration
!--- These are needed to enable Web Services in the Cisco IOS® software.
ip http server
ip http secure-server
ip http active-session-modules none
Other Configurations to be Checked or Enabled
!--- These are some global housekeeping Cisco IOS® software commands:
ip device tracking
ip dhcp snooping
SNMP Configuration
From the CT5760 console, configure the SNMP strings.
snmp-server community public ro
snmp-server community private rw
IPv6 Configuration
IPv6 is supported on the data path. Wireless clients will be able to get an IPv6 address.
Enable IPv6 Snooping - CT5760
There are slight differences in configurations on a CT5760 when configuring IPv6. To enable IPv6 on a CT5760, the following step must be completed.
ipv6 nd raguard policy testgaurd
trusted-port
device-role router
interface TenGigabitEthernet1/0/1
description Uplink to Core Switch
switchport trunk native vlan 200
switchport mode trunk
ipv6 nd raguard attach-policy testgaurd
ip dhcp snooping trust
Enable IPv6 on Interface - CT5760
Based on interfaces that need IPv6 configurations and the type of address needed, respective configurations are enabled as follows. IPv6 configurations are enabled on VLAN200.
vlan configuration 100 200
ipv6 nd suppress
ipv6 snooping
interface Vlan100
description Client VLAN
ip address 10.10.100.5 255.255.255.0
ip helper-address 10.10.100.1 2001:DB8:0:10::1/64
ipv6 address FEC0:20:21::1/64
ipv6 enable -
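The sample configuration in the reply above uses placeholder secrets (`guest123`, `cisco`, `public`/`private`) and enables the plain HTTP server. The following Python check is an added example, not part of the reply or of Cisco's guide; it flags those lines before such a template is reused. The rule names and the weak-value list are assumptions of this example, and the sample text is constructed from commands shown in the post.

```python
import re

# Constructed sample: commands copied from the configuration in the post above.
SAMPLE_CONFIG = """\
username guest password guest123
aaa new-model
radius server cisco
 address ipv4 10.10.200.60 auth-port 1812 acct-port 1813
 key cisco
aaa server radius dynamic-author
 client 10.10.200.60 server-key cisco
ip http server
ip http secure-server
snmp-server community public ro
snmp-server community private rw
"""

# Placeholder values seen in the sample; extend with your own deny-list (assumption).
WEAK_SECRETS = {"cisco", "guest123", "public", "private"}


def _weak(value):
    return value.lower() in WEAK_SECRETS


# (rule id, pattern on the stripped line, predicate on the match).
# Rule ids are hypothetical names used only by this example.
RULES = [
    ("local-user-weak-password",
     re.compile(r"^username \S+ password (?:\d )?(\S+)$"),
     lambda m: _weak(m.group(1))),
    ("radius-weak-shared-secret",
     re.compile(r"^(?:client \S+ )?(?:server-key|key) (\S+)$"),
     lambda m: _weak(m.group(1))),
    ("snmp-default-community",
     re.compile(r"^snmp-server community (\S+) (?:ro|rw)$", re.I),
     lambda m: _weak(m.group(1))),
    ("snmp-write-access",
     re.compile(r"^snmp-server community \S+ rw$", re.I),
     lambda m: True),
    ("http-cleartext-management",
     re.compile(r"^ip http server$"),
     lambda m: True),
]


def audit(config_text):
    """Return (line number, rule id) pairs; secrets themselves are never echoed."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS comment lines
        for rule_id, pattern, predicate in RULES:
            match = pattern.match(line)
            if match and predicate(match):
                findings.append((lineno, rule_id))
    return findings


if __name__ == "__main__":
    for lineno, rule_id in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: {rule_id}")
```
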
Has anyone deployed converged access with 3850 switches and 5760 WLCs?
Has anyone deployed a converged access network architecture with 3850 switches and 5760 WLCs? I have done lots of projects with the 5508 WLCs in a centralized deployment. Basically with this design, I manage 2 logical networks as the wireless network is an overlay over the wired network. I can design firewall to segregate traffic between the wired and wireless hence I can carry both staff and guest traffic.
Now Cisco is telling us that there is new design such that the data plane traffic can be dropped locally through the 3850 switches. I am not sold on this and have not found any recommended best practices on when should we use a converged access architecture.
Pros
With converged access, data traffic is terminated at the MA which is on the switches, hence the WLC will not be a bottleneck? This is to prepare adoption for 802.11ac?
Less hops for voice calls from user A to user B as data control traffic is dropped locally.
Cons
Now how do I segregate guest and staff traffic if my security folks say I need a firewall?
Troubleshooting wireless client mobility will be a nightmare as the 3850 switches are MA.
Pushing and upgrading code for the Code will mean upgrading the stack of switches in the LAN riser. This will be painful in a huge campus environment like a university.
Can someone convince me why would a customer choose converged access?
Sent from Cisco Technical Support iPad App
They choose CA because of the capwap termination at the switch. You can still use a 5508 and tunnel guest to a DMZ segment if you wish. You will need a 5508 though if you want to tunnel traffic to an anchor WLC.
-
Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS
Has anyone experienced a problem getting a Cisco WLC to work with MS NPS server? We've done it before albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1x for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1x handshake take place with the wireless client and the WLC as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However on the WLC I see repeated RADIUS server x.x.x.x:1812 deactivated in global list and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond which in turn causes the WLC to switch to the other NPS server which produces the same issue.
Any ideas of what might be the issue or misconfiguration?
Jim,
I wanted to know if you can setup wireshark on both of the boxes and see if you are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one radius session with primary over to the secondary in which the radius state attribute that was assigned from the primary server is probably hitting the secondary server. Therefore if the state attribute isn't assigned from the secondary server it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik -
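The condition described in the reply above can be checked in a capture of the RADIUS exchange. The Python below is an added example, not from the post or from Cisco: it parses RADIUS packets (RFC 2865 layout) and flags any Access-Request whose State attribute was issued by a different server than the one it is sent to. The addresses, State value and the assumption that UDP payloads have already been extracted from the capture are constructed for illustration.

```python
import struct

ACCESS_REQUEST, ACCESS_CHALLENGE = 1, 11   # RADIUS codes (RFC 2865)
ATTR_STATE = 24                            # State attribute type


def build_packet(code, ident, attrs):
    """Build a RADIUS packet with a zeroed authenticator (constructed test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_packet(data):
    """Return (code, identifier, [(attr_type, value), ...]) or raise ValueError."""
    if len(data) < 20:
        raise ValueError("shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs


def find_cross_server_state(capture):
    """capture: time-ordered (src_ip, dst_ip, udp_payload) tuples.

    Records which server issued each State in an Access-Challenge, then
    reports Access-Requests that present that State to another server.
    """
    issued = {}      # State value -> server IP that issued it
    findings = []
    for src, dst, payload in capture:
        code, ident, attrs = parse_packet(payload)
        states = [v for t, v in attrs if t == ATTR_STATE]
        if code == ACCESS_CHALLENGE:
            for state in states:
                issued[state] = src
        elif code == ACCESS_REQUEST:
            for state in states:
                owner = issued.get(state)
                if owner is not None and owner != dst:
                    findings.append({"id": ident, "sent_to": dst, "state_from": owner})
    return findings


# Constructed capture: WLC 10.0.0.5, primary NPS 10.0.0.11, secondary NPS 10.0.0.12.
_STATE = b"nps-primary-ctx-01"
SAMPLE_CAPTURE = [
    ("10.0.0.5", "10.0.0.11", build_packet(ACCESS_REQUEST, 1, [(1, b"jim")])),
    ("10.0.0.11", "10.0.0.5", build_packet(ACCESS_CHALLENGE, 1, [(ATTR_STATE, _STATE)])),
    ("10.0.0.5", "10.0.0.11", build_packet(ACCESS_REQUEST, 2, [(1, b"jim"), (ATTR_STATE, _STATE)])),
    # Failover retransmission carrying the primary's State to the secondary:
    ("10.0.0.5", "10.0.0.12", build_packet(ACCESS_REQUEST, 2, [(1, b"jim"), (ATTR_STATE, _STATE)])),
]

if __name__ == "__main__":
    for finding in find_cross_server_state(SAMPLE_CAPTURE):
        print(finding)
```
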
Cisco 5760 controller in centralized mode supports 4404 controller as anchor controller?
Hello All,
I have a Cisco 5760 controller running in centralized mode. I want to configure one 4404 controller as anchor controller to work with the 5760 controller. Is this supported?
Thanks in advance
Shabeeb
No, it is not supported.
You cannot have a mobility peer with 5760 unless you enable "new mobility" on its peer. In CUWN products this is supported in 5508/WiSM2/8510 on specific codes. In current supported codes it has to be 7.6.x or 8.x.
As you know 4400 only supported up to 7.0.x code. So new mobility is not supported, hence you cannot peer with CA products.
In case if you have a "new mobility" supported WLC, here is how you configure it
http://mrncciew.com/2014/05/06/configuring-new-mobility/
HTH
Rasika
**** Pls rate all useful responses **** -
5760 WLC cross-stack port-channels?
Hi would anyone know if cross-stack port-channels can be configured on a stack of 5760 WLCs?
I need to aggregate x4 20Gb port-channels comprised of x8 10Gb 10G-LR SFP's
Thanks
Please check the below link
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5700/software/release/3se/layer2/command_reference/b_lay2_3se_5700_cr/b_lay2_32se_5700_cr_chapter_010.html -
The release notes for the new 5760 WLC mention that "profiling and on boarding" are not yet supported.
http://www.cisco.com/en/US/docs/wireless/controller/3.2_0_se/release_notes/OL28115_3_2_se_rn.html
Does this mean that when using ISE with Guest Server features, device profiling or guest self registration isn't supported??
Yes, it is true that 5760 does not support "profiling and on boarding". But when you use ISE for the same it will support the entire feature which you are looking for.
-
Cisco 4404 WLC causing a DOS attack several times a day
Hi Everyone
Excuse if this is a duplicate post, but I have searched the forums, but no joy. I also posted it in wireless security as this is where I felt it fits.
Anyway onto my issue:
I manage a CISCO 4404 WLC with about 46 access points across our WAN. System works very well, serving trusted users, guests etc very well.
However, over the last month or two we have had an issue where we have had high load on our WAN.
We have traced this down to the CISCO 4404, about 3-4 times a day, the controller connects to every access point and transmits about 5-8mb of data on port 5427. This in itself would not be a problem, but it connects to all 46 at the same time.
Yes, 46 x 5mb = no WAN for about 2-5 minutes.
ARGH!
So can anyone suggest where I start to look? I am happy to post configs etc. Firmware 7.0.230
Cheers
Hi Steve
Yes it is the capwap port. The remote access points are in hreap mode and servicing trusted network access (802.1x) and guest access is tunnelled across the wan with local breakout from the 4404 via a dedicated vlan. The guest wireless is wpa2.
As the traffic originates from the 4404 and goes to all access points we don't believe it is a network breach. I always hate the phrase "it affects everyone", it usually does not, however in this instance the packeteer shows it does connect to every access point.
DNS is also configured so when new access points are connected they get auto join and get a base configuration.
This issue has been going on since at least Christmas and we put a packeteer box between our wan and our local network. We can say it is the 4404. -
WCS and WLC WLAN Config not fully in sync
Hi,
We're facing the issue WCS and WLC WLAN Config is not fully in sync. WLC showing server 1 is IP:10.160.22.151, Port:1812 but WCS server showing none even after clicking on “Audit” button. Any idea how to resolve this issue? Is this causing any wireless problem? Attached is a screen capture. Thanks for your help.
You mentioned "audit". Have you done a WCS audit so the WLC and WCS are in SYNC?
If you make a change on the WLC you will not see it in WCS UNLESS they are SYNC. You will see the term "mismatch".
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
"I'm in a serious relationship with my Wi-Fi. You could say we have a connection." -
New installation of Prime Infrastructure 2.2.0 (PI-VA-2.2.0.0.158.ova)
installed fixes/software/device packs:
PI 2.2.1 Poodle Fix (installed)
PI 2.2.1 Maintenance Release (installed,ncs stopped,rebooted)
Prime Infrastructure 2.2 Device Pack 3 (installed,ncs stopped,rebooted)
Licences installed (ncs stopped,rebooted)
Added all devices via Bulk Import (Inventory>Device Management>Network Devices)
Problem 1:
The Cisco 5500 WLCs are not listed in Inventory>Device Management>Network Devices (see screen shot) but listed under "All Devices"!
The Cisco 4400 WLCs and the 8500 WLCs are listed within their subgroup.
Devices are in "Managed State"
Problem 2: fixed! (Browser issue)
Problem 3:
Unable to run "Wired Detailed Device Inventory" report because I get the error message: Failed to run report: Unable to retrieve data for: Chassis Information (if Chassis Information is selected, if System Information is selected I get the error message with ...retrieve data for:System Information)
All devices do have an "Admin Status = Managed" and the Last Inventory Collections Status = Completed.
Has anyone the same issues or a tip for me?
Another topic, the "User Defined Fields" are not exported when running a "Device Export" (Inventory > Device Management > Network Devices). ;-(
BR
Bastian
Hallo Bastian,
I think you still have browser issue, Using IE is still the best with Prime.
I have exactly same prime 2.2 and installed fixes/software/device packs.
I have no problem; I can see all views. I now use IE 11; with Chrome 42.0.2311.90 and Firefox 37.01 I have problems too with lots of views. You have not told what browser + version you have.
Since you have same prime 2.2 as me. I have other problems, can you check yours?
Can you see a functional CLI template page at Configuration > Templates > Features & Technologies:
https://supportforums.cisco.com/discussion/12481691/can-cisco-prime-22-still-do-simple-ad-hoc-deployment-job-cli-over-all-switches
Do you have SNMP Connectivity Failed while Verify Credentials has no errors all green and checked.
https://supportforums.cisco.com/discussion/12494786/snmp-request-exceeds-internal-data-buffer-512-bytes-prime-22-asa-5545