Configuring multiple dynamic interfaces in 5508
Hi,
I have 5508 controller where as ap-manager interface configuration is optional but since i have different topology at other end , I have 4507 configured with HSRP and i want to divide the AP traffic in both the switches therefore I will have to go ahead and configure multiple AP-manager interface and map with two different physical ports.
But I have challenge to configure multiple dynamic interfaces.
I want to create two wlans ( Internal wlan and guest wlan )
Internal WLAN : 192.168.10.0
default gateway : 192.168.10.1
internal DHCP server : 172.16.10.1
Physical Port : ............... ? which port to configure ? ( I have connectivity with port 1 & port 2 )
Guest WLAN : 192.168.20.0
Default gateway : 192.168.20.1
Internal DHCP server : 172.16.10.1
Physical port : ............... ? which port to configure ? ( I have connectivity with port 1 & port 2 )
I want to map it to multiple ports of dynamic interfaces for client traffic to physical ports.
how do i configure it ?
In adition to Nico's answer, I would go throught the detailed guide for the configuration of dynamic interfaces:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1167723.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
Similar Messages
-
How to configure multiple outgoing interfaces + NAT + PfR
Hello,
I have the following config running on Cisco2851.
Five interfaces (four ADSL and one LAN 10Mb/s) connected to Internet using pppoe.
Local policy is used to make working route tracking.
The PfR also configured to load balance traffic coming from LAN to Internet.
PAT is also configured with "oer" keyword at the end of string to not relocate working translations.
But the router is not performing good. :-(
After investigation I found that the selection of the exit interface and setting source ip for
NAT is not synchronized. The provider's router just drops the incoming packet due to uRPF check.
Also, the selection of the exit interface is not PFR aware (mode select-exit best) during
NAT session setup, and router selects one of the possible exit interfaces randomly.
I have two questions:
1. How to make synchronization of NAT and Routing to build matching pair of Out_IP=Out_Interface and make my setup working?
2. How to select the less loaded interface during setup of NAT phase and Routing phase and really involve PfR?
Actually, these two questions is just my one requirement: during setup of NAT session, I need
to find less loaded interface (PfR should check current rx/tx load), select it, and keep it untouched.
Thanks,
Sergey
Config:
version 15.1
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname bif
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M8.bin
boot-end-marker
enable secret 5 $1$3ggj$huERPVt0luOX6qo6
no aaa new-model
crypto pki token default removal timeout 0
dot11 syslog
no ip source-route
ip cef
no ip domain lookup
ip domain name zzz.mgm
no ipv6 cef
multilink bundle-name authenticated
key chain PFR
key 0
key-string 7 107E2F2B
voice-card 0
pfr master
logging
border 192.168.254.254 key-chain PFR
interface Dialer5 external
interface Dialer4 external
interface Dialer3 external
interface Dialer2 external
interface Dialer1 external
interface GigabitEthernet0/0 internal
mode select-exit best
pfr border
logging
local Loopback0
master 192.168.254.254 key-chain PFR
license udi pid CISCO2851 sn FCZ0929
username se privilege 15 secret 5 $1$DUbm$RuZKP8X.19uBtm21
username ru privilege 15 secret 5 $1$1V.h$iotp/bjhUg4ho93d
redundancy
ip ssh version 2
track 1 ip sla 1 reachability
delay down 30 up 15
track 2 ip sla 2 reachability
delay down 30 up 15
track 3 ip sla 3 reachability
delay down 30 up 15
track 4 ip sla 4 reachability
delay down 30 up 15
track 5 ip sla 5 reachability
delay down 30 up 15
interface Loopback0
ip address 192.168.254.254 255.255.255.255
interface GigabitEthernet0/0
description ### LAN ###
ip address 192.168.68.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description ### WDSL link to Dialer 5 ###
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 5
interface ATM0/0/0
description ### DSL link 1 to Dialer 1 ###
no ip address
no atm ilmi-keepalive
shutdown
pvc 1/32
pppoe-client dial-pool-number 1
interface ATM0/1/0
description ### DSL link 2 to Dialer 2 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 2
interface ATM0/2/0
description ### DSL link 3 to Dialer 3 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 3
interface ATM0/3/0
description ### DSL link 4 to Dialer 4 ###
no ip address
no atm ilmi-keepalive
pvc 1/32
pppoe-client dial-pool-number 4
interface GigabitEthernet1/0
description ### Virtual interface to NME-16ES-1G-P ###
ip address 192.168.254.253 255.255.255.254
interface Dialer1
description ### Dialer for line 1 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 1
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer2
description ### Dialer for line 2 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 2
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer3
description ### Dialer for line 3 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 3
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer4
description ### Dialer for line 4 ###
bandwidth 224
bandwidth receive 1728
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 4
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
interface Dialer5
description ### Dialer for WDSL line ###
bandwidth 10000
bandwidth receive 10001
ip address negotiated
ip mtu 1492
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
load-interval 30
dialer pool 5
ppp authentication chap callin
ppp chap hostname
ppp chap password
no cdp enable
ip local policy route-map LOCAL-PBR
no ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source route-map NAT1 interface Dialer1 overload oer
ip nat inside source route-map NAT2 interface Dialer2 overload oer
ip nat inside source route-map NAT3 interface Dialer3 overload oer
ip nat inside source route-map NAT4 interface Dialer4 overload oer
ip nat inside source route-map NAT5 interface Dialer5 overload oer
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer5-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer2-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer3-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer4-IP$$$ 2222 extendable
ip nat inside source static tcp 192.168.68.230 21 $$$Dialer1-IP$$$ 21 extendable
ip nat inside source static tcp 192.168.68.160 25 $$$Dialer1-IP$$$ 25 extendable
ip nat inside source static tcp 192.168.68.22 143 $$$Dialer1-IP$$$ 143 extendable
ip nat inside source static tcp 192.168.68.22 443 $$$Dialer1-IP$$$ 443 extendable
ip nat inside source static tcp 192.168.68.160 22 $$$Dialer1-IP$$$ 2222 extendable
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
ip route 0.0.0.0 0.0.0.0 Dialer3 track 3
ip route 0.0.0.0 0.0.0.0 Dialer4 track 4
ip route 0.0.0.0 0.0.0.0 Dialer5 track 5
ip sla 1
icmp-echo 8.8.8.8 source-ip $$$Dialer1-IP$$$
timeout 1000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 8.8.8.8 source-ip $$$Dialer2-IP$$$
timeout 1000
frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
icmp-echo 8.8.8.8 source-ip $$$Dialer3-IP$$$
timeout 1000
frequency 5
ip sla schedule 3 life forever start-time now
ip sla 4
icmp-echo 8.8.8.8 source-ip $$$Dialer4-IP$$$
timeout 1000
frequency 5
ip sla schedule 4 life forever start-time now
ip sla 5
icmp-echo 8.8.8.8 source-ip $$$Dialer5-IP$$$
timeout 1000
frequency 5
ip sla schedule 5 life forever start-time now
access-list 100 permit ip any any
access-list 101 permit ip host $$$Dialer1-IP$$$ any
access-list 102 permit ip host $$$Dialer2-IP$$$ any
access-list 103 permit ip host $$$Dialer3-IP$$$ any
access-list 104 permit ip host $$$Dialer4-IP$$$ any
access-list 105 permit ip host $$$Dialer5-IP$$$ any
access-list 199 permit ip 192.168.68.0 0.0.0.255 any
route-map LOCAL-PBR permit 10
match ip address 101
set interface Dialer1
route-map LOCAL-PBR permit 20
match ip address 102
set interface Dialer2
route-map LOCAL-PBR permit 30
match ip address 103
set interface Dialer3
route-map LOCAL-PBR permit 40
match ip address 104
set interface Dialer4
route-map LOCAL-PBR permit 50
match ip address 105
set interface Dialer5
route-map LOCAL-PBR permit 100
match ip address 100
set global
route-map NAT3 permit 10
match ip address 199
match interface Dialer3
route-map NAT2 permit 10
match ip address 199
match interface Dialer2
route-map NAT1 permit 10
match ip address 199
match interface Dialer1
route-map NAT5 permit 10
match ip address 199
match interface Dialer5
route-map NAT4 permit 10
match ip address 199
match interface Dialer4
control-plane
mgcp profile default
line con 0
line aux 0
line 66
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
session-timeout 15
login local
transport input all
line vty 5 15
session-timeout 15
login local
transport input all
scheduler allocate 20000 1000
end
Show ip route:
sh ip route 0.0.0.0
Routing entry for 0.0.0.0/0, supernet
Known via "static", distance 1, metric 0 (connected), candidate default path
Routing Descriptor Blocks:
directly connected, via Dialer5
Route metric is 0, traffic share count is 1
* directly connected, via Dialer3
Route metric is 0, traffic share count is 1
directly connected, via Dialer4
Route metric is 0, traffic share count is 1
directly connected, via Dialer2
Route metric is 0, traffic share count is 1
Log:
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Ingress-NetFlow(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, TCP Adjust MSS(82), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 192.168.68.2 dst 8.8.4.4
*Apr 16 07:04:18.103: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
*Apr 16 07:04:18.103: FIBfwd-proc: depth 0 first_idx 3 paths 4 long 0(0)
*Apr 16 07:04:18.103: FIBfwd-proc: try path 3 (of 4) v4-ap-Dialer5 first short ext 0(-1)
*Apr 16 07:04:18.103: FIBfwd-proc: v4-ap-Dialer5 valid
*Apr 16 07:04:18.103: FIBfwd-proc: Dialer5 no nh type 3 - deag
*Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none deag 1 chg_if 0 via fib 0 path type attached prefix
*Apr 16 07:04:18.103: FIBfwd-proc: packet routed to Dialer5 p2p(0)
*Apr 16 07:04:18.103: FIBipv4-packet-proc: packet routing succeeded
*Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 ttlexp 0
*Apr 16 07:04:18.103: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.103: UDP src=61183, dst=53, CCE Post NAT Classification(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Firewall (firewall component)(39), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, TCP Adjust MSS(50), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Post-Ingress-NetFlow(68), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Dialer idle reset(84), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: UDP src=61183, dst=53, Dialer idle reset(85), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), g=8.8.4.4, len 66, forward
*Apr 16 07:04:18.107: UDP src=61183, dst=53
*Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Virtual-Access3), len 66, sending full packet
*Apr 16 07:04:18.107: UDP src=61183, dst=53hi,is this question is ok?
if you forget do this config like below:
pfr master
learn
delay
throughput
periodic-interval 3
monitor-period 1
pfr master
delay threshold 200
jitter threshold 50
mode route control
mode monitor passive
mode select-exit best
i will do like this,four ADSL connect a switch ,this switch connect a router 2911(with data license)
at 2911 do four pppoe
i want to load balance at this four adsl. -
WRVS4400N - Multiple Dynamic VPN Configurations?
Hello,
I am wondering if anyone knows whether or not the WRVS4400N supports more than one dynamic VPN configuration?
I am trying to get the WRVS4400N to let more than one TheGreenBow client to connect to it.....
Thank you,
A ReadYes, you can configure multiple dynamic-to-static l2l on ASA. But for multiple connections using ezvpn will be much easier. Following links may help you
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml -
Please tell me there is a better way to configure multiple interfaces
I have a desktop with interfaces with statically assigned network addresses, I can't use rc.conf to configure them anymore so my /etc/rc.local file now looks like:
/sbin/ifconfig ext0 10.0.0.1/24
/sbin/route add default gw 10.0.0.1
/sbin/ifconfig int0 192.168.0.1/24
I don't like this; it seems completely in-elegant and, worse, if I need to start up any demons that require networking to work, they aren't going to work. I've considered patching the initscripts, but this is inelegant because then I have to merge changes every time I update them. I guess maybe the best solution is to write my script for /etc/rc.d/, choosing a name unlikely to be taken by any script I'm likely to start in the future. Please tell me there is a better way to do this.I read the news, it indicates that I can no longer use rc.conf to configure both of my network interfaces. It suggests using network manager, which is silly, because all I need to do is assign static IPs. So I spent some hours trying to find any documentation or examples on how to set this up with netcfg, but was unsuccessful. Then I read some forum posts, but they had answers like "yeah, you can't do that anymore, read the news". That was not helpful to me either (unless you mean to suggest that I should be using iproute instead of ifconfig in my scripts, which I see no need to do, ifconfig works and I already know what options to pass it). I also tried searching the arch general mailing list, but didn't see anything addressing the topic either this month or last month.
At any rate, I still haven't found a better solution to configuring multiple network interfaces than writing my /etc/rc.d/ script, although I have come across one other possible solution, namely, installing and configuring ifplugd, which I hadn't considered before. -
ASA with Multiple dynamic L2L VPN
I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
I need also some L2L-VPN with dynamic remote peer.
While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs ?
Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
tunnel-group ABCD ipsec-attributes
pre-shared-key *
Is this configuration correct ?
Best regards
ClaudioHi,
Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
Hope this helps
- Jouni -
Wireless lan Controller 4402 / ping dynamic interface failed
hi,
i've a problem with a Wireless Lan Controller 4402.
When i configure the dynamic interface on the my network , with wired lan
i don't reach (i use the ping command) the ip address of the WLC.
In my case (wired):
On my pc i've a ip 10.1.78.1 255.255.0.0 and dgw 10.1.1.1 (vlan721)
The lan WLC have a ip of management 10.12.2.4 /24 (vlan799) [dgw 10.12.2.1]
dynamic vlan 792 ip add 10.12.78.100 / 22 (vlan792) [dgw 10.12.68.1]
i ping these interfaces (10.12.2.4 and 10.12.78.100) and the ping is ok.
When i create a dynamic interface vlan 721 starting the problem:
dynamic vlan 791 ip address 10.1.1.240 / 16 (vlan721)
After this ......the ping on 10.12.2.4 and 10.12.78.100 don't respond very well
and i lose the 80-90% of the ping packages.
through the wi-fi instead I do not have problems.
the problem exist only via wired (cable).
Can you help me?
Thanks
FCostalungaHello,
Pinging the dynamic interface is officially not supported. The reason why is because the controller places a very low priority on ICMP traffic. Typically, you will not have an issue with doing so on your wireless network because this interface is basically a gateway for the client. However, from the wired network - the only interface designed to respond to pings 100% of the time is the management interface. Hope this helps!
-Mark -
WLC DHCP Settings - Under Dynamic Interface configuration
Hi Guys,
If I have a dynamic interface that is connected to a subnet where the router interfaces have DHCP servers configured under the helper address commands, do I need to configure the DHCP fields under the dynamic interface configuration?
I have helper address configured on the connected routers AND these fields configured with the same DHCP servers.
Just wondering if I can take the IPs out of the WLC configuration?
Many thx indeed,
KenKen, the DHCP address under the dynamic interface, is the address the WLC will unicast the DHCP request to when a client tries to use that interface. Under normal operation this address is needed. There is a way to get the WLC to bridge the packet to the wire so that it is a broadcast instead of a unicast packet. CLI command is config dhcp proxy disable.
But I do believe that even if you issue the CLI command, the software wants the DHCP address listed under the dynamic interface.
HTH,
Steve -
REST Sender adapter - multiple dynamic parameters
Dear
We are currently configuring a sender REST adapter which be called as such:
http://host:port/RESTAdapter/pi/query/jira/solman/getsystems?sap-client=001&cust=00009999
(even encoding the question url or only question mark and ampersand doesn't help)
However whenever we try this, we can see following error returned by PI:
The sender adapter is configured properly according to the documentation on SAP Help:
Has anyone encountered this issue before?
We might think this is a bug, as the interface works fine when we use following pattern:
But only when we use the url as follows:
http://host:port/RESTAdapter/pi/query/jira/solman/getsystems%3Fsap-client=001&cust=00009999
We had to encode the question mark in the URL (%3F) in order for PI to pick the right channel with the correct parameters.
When using the normal question mark (e.g. used with the Chrome Advanced REST Client), we basically receive the same error as above:
Have any of you encountered this before, or have any of you used multiple parameters before in the sender REST adapter.
Thanks for any feedback.Hi Nicolas,
Were you able to resolve this issue. We are also facing similar issue. We are try to specify multiple dynamic query parameter in PI RFC Sender adapter endpoint and getting similar errors. Please let me know if you have found any solution.
Thanks
-Pradeep -
ISE and WLC dynamic interface group assignment ?
I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites. I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs. Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
TIAI understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
Edit:
Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name). -
I wonder why we need Dynamic Interfaces. I have created two WLANs. One is WPA2-Enterprise obtaining vlan id's per user from Radius server and the other WEP wlan for guest users whose traffic should go to a specific guest vlan. I am using an external DHCP server and configured WLC not to proxy dhcp requests and to act as a bridge.
I had to create dynamic interfaces on WLC (we are using 5508 with software version 7) for all the VLANs which radius server returns. I could make it with only defining the dynamic interfaces and entering 0.0.0.0 for ip addresses.
For the other WLAN with WEP, I have to enter and IP for the dynamic interface to work. I am not sure if this is a requirement or my misconfiguration, but I do want a way not to set an IP address for the dynamic interface. I do not want to waste addresses and also do not want the clients to be able to access wlc through that IP address.
I appreciate any comment on why I need IP addresses for dynamic interfaces.Vadood... The WLC does use that IP address as it needs to have layer 2 connection to any subnet it will place users on. Even is your doing AAA override, the radius tell the WLC that that device needs to be on vlan x and the WLC will put that device on vlan x, but if the WLC has no IP address on that subnet, well then the communication stops there. The user will never get an IP address if using dhcp or if the device has a static, the WLC has no way to communicate to that subnet.
By the way, users can't access the dynamic interface by default. You have to enable that. But then again, they can try to access the management interface also, unless you disable globally management over wireless.
Sent from Cisco Technical Support iPhone App -
Include multiple sub-interfaces in Cisco ASA for VPN tunnel
I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub interfaces to access outsite ( lower security level)
NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
Inside, int0/1 : 10.1.1.0/24
DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
Additional settings:
Have ACL to allow all sub interfaces to access outsite ( lower security level)
NAT rules is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLAN coun't access internet.
I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site. -
WLC2504 - Dynamic interface problem
Hi,
I have problem with my WLC2504. My WLC is connected through two ports (1 and 2 of four) to my distro switch, where I have dot1q trunks configured. WLC is configured with Management interface (IP address 192.168.255.9/24), over which my LAPs are correctly joined. However, once I'm trying to add additional Dynamic WLC interface, which has VLAN TAG 10 and which I'd like to associate with my WLANS, my WLC stop responding through GUI and SSH, but pings on the management and dynamic interface IP addresses are sucesfull. Just as a note, dynamic AP management is not enabled on mentioned dynamic interface. In a case when I enable dynamic AP management on the dynamic interface (activated also on management interface), GUI and SSH work, but I can not associated WLAN to the dynamic interface, only to the management one
Thanks for soon answer
palo73The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface is also used for communications between the controller and APs. The management Interface is the only consistently "pingable" in-band interface IP address on the controller. The management interface will act like an AP manager interface by default.
The dynamic interface with the “Dynamic AP Management” option enabled on it is used as the tunnel source for packets from the controller to the AP, and as the destination for CAPWAP packets from the AP to the controller. The dynamic interfaces for AP manager must have a unique IP address. Typically, this is configured on the same subnet as the management interface, but this is not necessarily a requirement. In the case of the Cisco 2500 Series Wireless Controller, a single dynamic AP manager can support any number of APs. However, as a best practice, it is suggested to have 4 separate dynamic AP manager interfaces and associate them to the 4 Gigabit interfaces. By default, the management interface acts like an AP-manager interface as well and it is associated to one Gigabit interface. As a result, if you are using the management interface, you need to create only 3 more dynamic AP manager interfaces and associate them to the remaining 3 Gigabit interfaces.
The virtual interface is used to support mobility management, DHCP relay, and embedded layer 3 security like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. A typical virtual interface is 1.1.1.1. The virtual interface address is not pingable and should not exist in any routing table in your network.
Dynamic interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The Cisco 2500 Series Wireless Controller will support up to 16 dynamic interfaces. Dynamic interfaces must be configured on a unique IP network and VLAN. Each dynamic interface acts as a DHCP relay for wireless clients associated to wireless LANs (WLANs) mapped to the interface. A WLAN associates an SSID to an interface and is configured with security, QoS, radio policies, and other wireless network parameters. There can be up to 16 WLANs configured per controller.
Guidelines for Deploying the Cisco 2500 Wireless Controller
Ethernet ports on Cisco 2500 Series Wireless Controllers do not work as Switch ports (that is, 2 machines directly connected to these ports will not be able to communicate with each other). You should not connect servers like DHCP, TFTP etc. on these ports and expect Wireless Clients and APs to receive an IP address from this DHCP server.
Ethernet ports on the Cisco 2500 Series Wireless Controller should only be used to connect/uplink to an infrastructure network configured as a data interface (management interface and dynamic interfaces) or an AP-managers interface.
If multiple Ethernet ports on a Cisco 2500 Series Wireless Controller are uplinked to an infrastructure switch, you should make sure data interfaces (management or dynamic interfaces) or AP-managers interfaces are configured for these uplinked physical ports. Physical Ethernet ports which are used as an uplink to an infra switch should not be left un-configured. This may result in unexpected behaviors.
Multicast unicast is not a supported configuration on Cisco 2500 Series Wireless Controller. As a result, HREAP APs are not able to receive multicast traffic because HREAP APs only work with multicast unicast.
For more information you can refer to the link -
http://www.cisco.com/en/US/products/ps11630/products_tech_note09186a0080b8450c.shtml -
4402 WLC Dynamic Interfaces- More than 1 Gateway Possible?
I am configuring a guest access solution with multiple guest access gateways associated with a single VLAN. Each gateway will have its own /24 network, and obviously it own gateway. The interface configuration page requires a single gateway in the IP config section.
Does anyone know the purpose of this IP config?
Will command line config of the dynamic interface permit no gateway and a netmask big enough to encompass all gateways?
ThanksThanks for your replies.
2 Coova gateways each with web authentication and a dhcp server plugged into each layer2 vlan works great with IOS APs, which do no require IP config per (vlan) subinterface.
The objective is to loadbalance, provide redundancy and handle the total number of guests. The DHCP servers race to provide the client with IP config which then causes the client subsequently use that gateway. -
Cannot contact Non-native dynamic interfaces on WLC 4402
Hi,
In my company we are recently planning to get a DMZ anchor for Guest WLAN. Our setup is as following
We have two 5508 WLCs in inside corporate network which serves for the corporate wlan. Recently we put one 4402 in DMZ in LAG mode. Two SSID has been created in 4402 namely guest and consultant. We have mobility configured perfect between these three. For the the two ssids the 4402 is the anchor. We have created sub interfaces in ASA for management and two WLANs. The port channel is also configured proper with the native vlan for management and allowing all three vlans through it. The concern is that we cannot ping the untagged dynamic interface of WLC. The WLAN clients are getting DHCP ip perfectly on each ssid, I mean in different networks. But the clients cannot reach the gateway which is the subinterface of ASA. If I am using the webauth I am not getting redirected to the authentication page. but if I set the security to none (both L2 and L3) I can reach up to the corresponding dynamic interface and not beyond that.
Below are my configuration details
At switch side
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk native vlan 177
switchport trunk allowed vlan 177-180
switchport mode trunk
interface GigabitEthernet2/0/26
switchport trunk encapsulation dot1q
switchport trunk native vlan 177
switchport trunk allowed vlan 177-180
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet1/0/26
switchport trunk encapsulation dot1q
switchport trunk native vlan 177
switchport trunk allowed vlan 177-180
switchport mode trunk
channel-group 1 mode on
WLC configurations
(Cisco Controller) >show interface summary
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
ap-manager LAG untagged 192.168.7.3 Static Yes No
management LAG untagged 192.168.7.2 Static No No
qd-consultant LAG 179 192.168.9.254 Dynamic No No
qd-guest LAG 178 192.168.8.254 Dynamic No No
qd-test LAG 180 192.168.10.254 Dynamic No No
service-port N/A N/A 0.0.0.0 DHCP No No
virtual N/A N/A 192.0.2.1 Static No NoYour configuration looks good except you should assign an ip address to the service port. Never leave that at 0.0.0.0. Change that to an ip address that is non routable in your network.
Now for your issue. Have you tried plugging in a laptop to the dmz switch in those vlans to see if it works wired. Since these are new subnets, are you sure they are being NAT'd to your public address. Check that first and let us know. The WLC should be able to ping the gateway and out into the Internet if things are setup right in the dmz.
Sent from my iPhone -
2125 WLC Dynamic interfaces and their physical interface
I'm trying to broadcast multiple SSIDs per AP. I would like the new second SSID to be on a different VLAN. I have been reading this article http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml#dyn-interface and it looks like you create a trunk port on the switch that the WLC is connected to, which makes sense to me. A friend however told me to use a seperate physical interface on the WLC and assign the dynamic interface to it and connect it to the desired VLAN, instead of using the interface that is currently in production. I liked this idea because I would have downtime trying to reconfigure the port as a trunk that's in production.
So I guess my question is, if I use a secondary port on the WLC to connect to a different network than what the AP is on how will communication work? When the AP sends data to the WLC will everything be encapsulated in CAPWAP? How about the primary link connecting the WLC to the primary production network? Will this data to and from the WLC on the switch retain it's CAPWP encapsulation? Now that I'm thinking about it I guess it would have to since the WLC is what decapsulates the CAPWAP data and not the switch...
I would just like some advice on if I'm doing this correctly. Thanks a lot! -MarkWe generally recomment one trunk port to be configured for different VLAN (for management and AP inetreface) but we can use other ethernet port also on WLC for any differnt VLAN config.
For all your port related queries please find the attach link with the diagramme.:-
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
Q. How does a WLC switch packets?
A. All the client (802.11) packets are encapsulated in a LWAPP packet by the LAP and sent to the WLC. WLC descapsulates the LWAPP packet and acts based on the destination IP address in the 802.11 packet. If the destination is one of the wireless clients associated to the WLC, it encapsulates the packet again with the LWAPP and sends it to the LAP of the client, where it is decapsulated and sent to the wireless client. If the destination is on the wired side of the network, it removes the 802.11 header, adds the Ethernet header, and forwards the packet to the connected switch, from where it is sent to the wired client. When a packet comes from the wired side, WLC removes the Ethernet header, adds the 802.11 header, encapsulates it with LWAPP, and sends it to the LAP, where it is decapsulated, and the 802.11 packet is delivered to the wireless client. For more information about this, refer to the LWAPP Fundamentals section of the document Deploying Cisco 440X Series Wireless LAN Controllers.
Q. What are the various options available to access the WLC?
A. This is the list of options available to access the WLC:
GUI access with HTTP or HTTPS
CLI access with Telnet, SSH, or console access
Access through service port
For more information on how to enable these modes, refer to the Using the Web-Browser and CLI Interfaces section of the document Cisco Wireless LAN Controller Configuration Guide, Release 5.1. Usually, the management interface IP address is used for GUI and CLI access. Wireless clients can access the WLC only when the optionEnable Controller Management to be accessible from Wireless Clients is checked. In order to enable this option, click the Management menu of the WLC, and click Mgmt via Wireless on the left-hand side. WLC can also be accessed with one of its dynamic interface IP addresses. Use the config network mgmt-via-dynamic-interface command to enable this feature. Wired computers can have only CLI access with the dynamic interface of the WLC. Wireless clients have both CLI and GUI access with the dynamic interface.
Maybe you are looking for
-
Anybody has the same problem?
-
External monitor goes black when macbook pro has magsafe connected
Hi, I have bought an external monitor about 1 week ago, and I have it connected with a minidisplay to dvi cable, and a dvi cable to the monitor. It was working OK -well, it had some sudden flash to black screen that lasted about 1 second, but nothing
-
White Screen of Death....Any ideas
My iPhone 3G has recently been getting a white screen when I wake it up. The phone still works, but the screen is essentially dead. I can reset it and it comes back to normal, only to do it again later. Sometimes it works for hours without needing to
-
Hi, We are using SunOS 5.10 Generic_137138-09 i86pc i386 i86pc on 2 X4600's. Both of them seem to have an issue with snmp reporting running processes and send our ops monitoring (Zenoss) into a tailspin reporting processes as down when they are in fa
-
CIN and 3 Plants having a common Excise Registration
Hi Experts, Please provide the solution for this. I have an organisation which has 3mfg units.I want to treat this as Plants 1,2&3 Most of the raw materials are common for all the three plants.Also they have one Excise registration for all 3 units.My