Configuring multiple dynamic interfaces in 5508

Hi,
I have a 5508 controller, where the AP-manager interface configuration is optional, but since I have a different topology at the other end, I have a 4507 configured with HSRP and I want to divide the AP traffic between both switches; therefore I will have to go ahead and configure multiple AP-manager interfaces and map them to two different physical ports.
But I have a challenge configuring multiple dynamic interfaces.
I want to create two WLANs (Internal WLAN and Guest WLAN).
Internal WLAN : 192.168.10.0
Default gateway : 192.168.10.1
Internal DHCP server : 172.16.10.1
Physical port : ............... ? Which port to configure? (I have connectivity with port 1 & port 2)
Guest WLAN : 192.168.20.0
Default gateway : 192.168.20.1
Internal DHCP server : 172.16.10.1
Physical port : ............... ? Which port to configure? (I have connectivity with port 1 & port 2)
I want to map it to multiple ports of dynamic interfaces for client traffic to physical ports.
How do I configure it?

In addition to Nico's answer, I would go through the detailed guide for the configuration of dynamic interfaces:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1167723.
HTH,
Tiago
If this helps you and/or answers your question, please mark the question as "answered" and/or rate it, so other users can easily find it.

Similar Messages

  • How to configure multiple outgoing interfaces + NAT + PfR

    Hello,
    I have the following config running on Cisco2851.
    Five interfaces (four ADSL and one LAN 10Mb/s) connected to Internet using pppoe.
    Local policy is used to make working route tracking.
    The PfR also configured to load balance traffic coming from LAN to Internet.
    PAT is also configured with "oer" keyword at the end of string to not relocate working translations.
    But the router is not performing well. :-(
    After investigation I found that the selection of the exit interface and setting source ip for
    NAT is not synchronized. The provider's router just drops the incoming packet due to uRPF check.
    Also, the selection of the exit interface is not PFR aware (mode select-exit best) during
    NAT session setup, and router selects one of the possible exit interfaces randomly.
    I have two questions:
    1. How to make synchronization of NAT and Routing to build matching pair of Out_IP=Out_Interface and make my setup working?
    2. How to select the less loaded interface during setup of NAT phase and Routing phase and really involve PfR?
    Actually, these two questions are just my one requirement: during setup of NAT session, I need
    to find less loaded interface (PfR should check current rx/tx load), select it, and keep it untouched.
    Thanks,
    Sergey
    Config:
    version 15.1
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname bif
    boot-start-marker
    boot system flash:c2800nm-adventerprisek9-mz.151-4.M8.bin
    boot-end-marker
    enable secret 5 $1$3ggj$huERPVt0luOX6qo6
    no aaa new-model
    crypto pki token default removal timeout 0
    dot11 syslog
    no ip source-route
    ip cef
    no ip domain lookup
    ip domain name zzz.mgm
    no ipv6 cef
    multilink bundle-name authenticated
    key chain PFR
     key 0
      key-string 7 107E2F2B
    voice-card 0
    pfr master
     logging
     border 192.168.254.254 key-chain PFR
      interface Dialer5 external
      interface Dialer4 external
      interface Dialer3 external
      interface Dialer2 external
      interface Dialer1 external
      interface GigabitEthernet0/0 internal
     mode select-exit best
    pfr border
     logging
     local Loopback0
     master 192.168.254.254 key-chain PFR
    license udi pid CISCO2851 sn FCZ0929
    username se privilege 15 secret 5 $1$DUbm$RuZKP8X.19uBtm21
    username ru privilege 15 secret 5 $1$1V.h$iotp/bjhUg4ho93d
    redundancy
    ip ssh version 2
    track 1 ip sla 1 reachability
     delay down 30 up 15
    track 2 ip sla 2 reachability
     delay down 30 up 15
    track 3 ip sla 3 reachability
     delay down 30 up 15
    track 4 ip sla 4 reachability
     delay down 30 up 15
    track 5 ip sla 5 reachability
     delay down 30 up 15
    interface Loopback0
     ip address 192.168.254.254 255.255.255.255
    interface GigabitEthernet0/0
     description ### LAN ###
     ip address 192.168.68.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
    interface GigabitEthernet0/1
     description ### WDSL link to Dialer 5 ###
     no ip address
     duplex auto
     speed auto
     pppoe enable group global
     pppoe-client dial-pool-number 5
    interface ATM0/0/0
     description ### DSL link 1 to Dialer 1 ###
     no ip address
     no atm ilmi-keepalive
     shutdown
     pvc 1/32
      pppoe-client dial-pool-number 1
    interface ATM0/1/0
     description ### DSL link 2 to Dialer 2 ###
     no ip address
     no atm ilmi-keepalive
     pvc 1/32
      pppoe-client dial-pool-number 2
    interface ATM0/2/0
     description ### DSL link 3 to Dialer 3 ###
     no ip address
     no atm ilmi-keepalive
     pvc 1/32
      pppoe-client dial-pool-number 3
    interface ATM0/3/0
     description ### DSL link 4 to Dialer 4 ###
     no ip address
     no atm ilmi-keepalive
     pvc 1/32
      pppoe-client dial-pool-number 4
    interface GigabitEthernet1/0
     description ### Virtual interface to NME-16ES-1G-P ###
     ip address 192.168.254.253 255.255.255.254
    interface Dialer1
     description ### Dialer for line 1 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     load-interval 30
     dialer pool 1
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer2
     description ### Dialer for line 2 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 2
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer3
     description ### Dialer for line 3 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 3
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer4
     description ### Dialer for line 4 ###
     bandwidth 224
     bandwidth receive 1728
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     dialer pool 4
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    interface Dialer5
     description ### Dialer for WDSL line ###
     bandwidth 10000
     bandwidth receive 10001
     ip address negotiated
     ip mtu 1492
     ip flow ingress
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     ip tcp adjust-mss 1452
     load-interval 30
     dialer pool 5
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password
     no cdp enable
    ip local policy route-map LOCAL-PBR
    no ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat inside source route-map NAT1 interface Dialer1 overload oer
    ip nat inside source route-map NAT2 interface Dialer2 overload oer
    ip nat inside source route-map NAT3 interface Dialer3 overload oer
    ip nat inside source route-map NAT4 interface Dialer4 overload oer
    ip nat inside source route-map NAT5 interface Dialer5 overload oer
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer5-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer2-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer3-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer4-IP$$$ 2222 extendable
    ip nat inside source static tcp 192.168.68.230 21 $$$Dialer1-IP$$$ 21 extendable
    ip nat inside source static tcp 192.168.68.160 25 $$$Dialer1-IP$$$ 25 extendable
    ip nat inside source static tcp 192.168.68.22 143 $$$Dialer1-IP$$$ 143 extendable
    ip nat inside source static tcp 192.168.68.22 443 $$$Dialer1-IP$$$ 443 extendable
    ip nat inside source static tcp 192.168.68.160 22 $$$Dialer1-IP$$$ 2222 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
    ip route 0.0.0.0 0.0.0.0 Dialer2 track 2
    ip route 0.0.0.0 0.0.0.0 Dialer3 track 3
    ip route 0.0.0.0 0.0.0.0 Dialer4 track 4
    ip route 0.0.0.0 0.0.0.0 Dialer5 track 5
    ip sla 1
     icmp-echo 8.8.8.8 source-ip $$$Dialer1-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 1 life forever start-time now
    ip sla 2
     icmp-echo 8.8.8.8 source-ip $$$Dialer2-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 2 life forever start-time now
    ip sla 3
     icmp-echo 8.8.8.8 source-ip $$$Dialer3-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 3 life forever start-time now
    ip sla 4
     icmp-echo 8.8.8.8 source-ip $$$Dialer4-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 4 life forever start-time now
    ip sla 5
     icmp-echo 8.8.8.8 source-ip $$$Dialer5-IP$$$
     timeout 1000
     frequency 5
    ip sla schedule 5 life forever start-time now
    access-list 100 permit ip any any
    access-list 101 permit ip host $$$Dialer1-IP$$$ any
    access-list 102 permit ip host $$$Dialer2-IP$$$ any
    access-list 103 permit ip host $$$Dialer3-IP$$$ any
    access-list 104 permit ip host $$$Dialer4-IP$$$ any
    access-list 105 permit ip host $$$Dialer5-IP$$$ any
    access-list 199 permit ip 192.168.68.0 0.0.0.255 any
    route-map LOCAL-PBR permit 10
     match ip address 101
     set interface Dialer1
    route-map LOCAL-PBR permit 20
     match ip address 102
     set interface Dialer2
    route-map LOCAL-PBR permit 30
     match ip address 103
     set interface Dialer3
    route-map LOCAL-PBR permit 40
     match ip address 104
     set interface Dialer4
    route-map LOCAL-PBR permit 50
     match ip address 105
     set interface Dialer5
    route-map LOCAL-PBR permit 100
     match ip address 100
     set global
    route-map NAT3 permit 10
     match ip address 199
     match interface Dialer3
    route-map NAT2 permit 10
     match ip address 199
     match interface Dialer2
    route-map NAT1 permit 10
     match ip address 199
     match interface Dialer1
    route-map NAT5 permit 10
     match ip address 199
     match interface Dialer5
    route-map NAT4 permit 10
     match ip address 199
     match interface Dialer4
    control-plane
    mgcp profile default
    line con 0
    line aux 0
    line 66
     no activation-character
     no exec
     transport preferred none
     transport input all
     transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
    line vty 0 4
     session-timeout 15
     login local
     transport input all
    line vty 5 15
     session-timeout 15
     login local
     transport input all
    scheduler allocate 20000 1000
    end
    Show ip route:
    sh ip route 0.0.0.0
    Routing entry for 0.0.0.0/0, supernet
      Known via "static", distance 1, metric 0 (connected), candidate default path
      Routing Descriptor Blocks:
        directly connected, via Dialer5
          Route metric is 0, traffic share count is 1
      * directly connected, via Dialer3
          Route metric is 0, traffic share count is 1
        directly connected, via Dialer4
          Route metric is 0, traffic share count is 1
        directly connected, via Dialer2
          Route metric is 0, traffic share count is 1
    Log:
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Stateful Inspection(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Ingress-NetFlow(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Virtual Fragment Reassembly(25), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Access List(31), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Virtual Fragment Reassembly After IPSec Decryption(39), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, MCI Check(80), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, TCP Adjust MSS(82), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: FIBipv4-packet-proc: route packet from GigabitEthernet0/0 src 192.168.68.2 dst 8.8.4.4
    *Apr 16 07:04:18.103: FIBfwd-proc: Default:0.0.0.0/0 process level forwarding
    *Apr 16 07:04:18.103: FIBfwd-proc: depth 0 first_idx 3 paths 4 long 0(0)
    *Apr 16 07:04:18.103: FIBfwd-proc: try path 3 (of 4) v4-ap-Dialer5 first short ext 0(-1)
    *Apr 16 07:04:18.103: FIBfwd-proc: v4-ap-Dialer5 valid
    *Apr 16 07:04:18.103: FIBfwd-proc: Dialer5 no nh type 3  - deag
    *Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none deag 1 chg_if 0 via fib 0 path type attached prefix
    *Apr 16 07:04:18.103: FIBfwd-proc: packet routed to Dialer5 p2p(0)
    *Apr 16 07:04:18.103: FIBipv4-packet-proc: packet routing succeeded
    *Apr 16 07:04:18.103: FIBfwd-proc: ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 ttlexp 0
    *Apr 16 07:04:18.103: FIBfwd-proc: sending link IP ip_pak_table 0 ip_nh_table 65535 if Dialer5 nh none uhp 1 deag 0 chgif 0 ttlexp 0 rec 0
    *Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Post-routing NAT Outside(24), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, Stateful Inspection(27), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.103: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.103:     UDP src=61183, dst=53, CCE Post NAT Classification(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Firewall (firewall component)(39), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, TCP Adjust MSS(50), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, NAT ALG proxy(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Post-Ingress-NetFlow(68), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Dialer idle reset(84), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53, Dialer idle reset(85), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), g=8.8.4.4, len 66, forward
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53
    *Apr 16 07:04:18.107: IP: s=$$$Dialer4-IP$$$ (GigabitEthernet0/0), d=8.8.4.4 (Virtual-Access3), len 66, sending full packet
    *Apr 16 07:04:18.107:     UDP src=61183, dst=53
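
The mismatch this post describes (a packet translated to one Dialer's address but routed out a different Dialer, where the provider's uRPF check drops it) can be picked out of debug output in the format shown above. The Python below is an added example, not part of the original post: the function names are hypothetical, and the sample log lines and the 198.51.100.14 / 203.0.113.25 addresses are constructed stand-ins for the `$$$DialerN-IP$$$` placeholders.

```python
import re
from collections import Counter

# Post-routing debug lines carry the egress interface in parentheses after d=.
# Pre-routing ("input feature") lines have no egress yet and do not match.
LINE_RE = re.compile(
    r"IP: s=(?P<src>\S+) \((?P<in_if>[^)]+)\), "
    r"d=(?P<dst>[\d.]+) \((?P<out_if>[^)]+)\)"
)
# The post masks each WAN address as $$$DialerN-IP$$$; accept that form too.
MASKED_RE = re.compile(r"^\$\$\$(?P<iface>Dialer\d+)-IP\$\$\$$")
DIALER_RE = re.compile(r"^Dialer\d+$")


def owner_of(src, addr_to_iface):
    """Return the Dialer whose address 'src' is, or None if it is not a WAN address."""
    masked = MASKED_RE.match(src)
    if masked:
        return masked.group("iface")
    return addr_to_iface.get(src)


def find_mismatches(log_text, iface_addrs):
    """Count packets whose translated source belongs to a Dialer other than the egress.

    iface_addrs maps interface name -> negotiated IP (assumed to be known,
    for example from the router's interface summary).
    Returns a Counter keyed by (source, owning Dialer, egress Dialer, destination).
    """
    addr_to_iface = {ip: name for name, ip in iface_addrs.items()}
    mismatches = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        out_if = m.group("out_if")
        if not DIALER_RE.match(out_if):
            continue  # e.g. Virtual-Access3: cannot be tied to a Dialer from the log alone
        owner = owner_of(m.group("src"), addr_to_iface)
        if owner is None:
            continue  # source not translated yet, or not one of our WAN addresses
        if owner != out_if:
            mismatches[(m.group("src"), owner, out_if, m.group("dst"))] += 1
    return mismatches


# Constructed sample in the post's log format (addresses are documentation ranges).
SAMPLE_ADDRS = {"Dialer4": "198.51.100.14", "Dialer5": "203.0.113.25"}
SAMPLE_LOG = """\
*Apr 16 07:04:18.103: IP: s=192.168.68.2 (GigabitEthernet0/0), d=8.8.4.4, len 66, input feature
*Apr 16 07:04:18.103: IP: s=198.51.100.14 (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), len 66, output feature
*Apr 16 07:04:18.107: IP: s=198.51.100.14 (GigabitEthernet0/0), d=8.8.4.4 (Dialer5), g=8.8.4.4, len 66, forward
*Apr 16 07:04:18.107: IP: s=198.51.100.14 (GigabitEthernet0/0), d=8.8.4.4 (Virtual-Access3), len 66, sending full packet
*Apr 16 07:04:19.210: IP: s=203.0.113.25 (GigabitEthernet0/0), d=8.8.8.8 (Dialer5), len 60, output feature
"""

if __name__ == "__main__":
    for (src, owner, out_if, dst), n in find_mismatches(SAMPLE_LOG, SAMPLE_ADDRS).items():
        print(f"{n} line(s): source {src} belongs to {owner} but leaves via {out_if} (dst {dst})")
```

A non-empty result means NAT and routing chose different exits for the same flow, which is the condition the post reports.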

    Hi, is this question OK?
    If you forget, do this config like below:
    pfr master
     learn
      delay
      throughput
      periodic-interval 3
      monitor-period 1
    pfr master
     delay threshold 200
     jitter threshold 50
     mode route control
     mode monitor passive
     mode select-exit best
    I will do it like this: four ADSL lines connect to a switch, and this switch connects to a 2911 router (with data license).
    On the 2911, do four PPPoE.
    I want to load balance across these four ADSL lines.

  • WRVS4400N - Multiple Dynamic VPN Configurations?

    Hello,
    I am wondering if anyone knows whether or not the WRVS4400N supports more than one dynamic VPN configuration?
    I am trying to get the WRVS4400N to let more than one TheGreenBow client connect to it.
    Thank you,
    A Read

    Yes, you can configure multiple dynamic-to-static l2l on ASA. But for multiple connections using ezvpn will be much easier. Following links may help you
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805733df.shtml

  • Please tell me there is a better way to configure multiple interfaces

    I have a desktop with interfaces with statically assigned network addresses, I can't use rc.conf to configure them anymore so my /etc/rc.local file now looks like:
    /sbin/ifconfig ext0 10.0.0.1/24
    /sbin/route add default gw 10.0.0.1
    /sbin/ifconfig int0 192.168.0.1/24
    I don't like this; it seems completely inelegant and, worse, if I need to start up any daemons that require networking to work, they aren't going to work.  I've considered patching the initscripts, but this is inelegant because then I have to merge changes every time I update them.  I guess maybe the best solution is to write my script for /etc/rc.d/, choosing a name unlikely to be taken by any script I'm likely to start in the future.  Please tell me there is a better way to do this.

    I read the news, it indicates that I can no longer use rc.conf to configure both of my network interfaces.  It suggests using network manager, which is silly, because all I need to do is assign static IPs.  So I spent some hours trying to find any documentation or examples on how to set this up with netcfg, but was unsuccessful.  Then I read some forum posts, but they had answers like "yeah, you can't do that anymore, read the news".  That was not helpful to me either (unless you mean to suggest that I should be using iproute instead of ifconfig in my scripts, which I see no need to do, ifconfig works and I already know what options to pass it).  I also tried searching the arch general mailing list, but didn't see anything addressing the topic either this month or last month.
    At any rate, I still haven't found a better solution to configuring multiple network interfaces than writing my /etc/rc.d/ script, although I have come across one other possible solution, namely, installing and configuring ifplugd, which I hadn't considered before.

  • ASA with Multiple dynamic L2L VPN

    I have an ASA 5510 as VPN Concentrator, used for about 30 L2L-VPNs.
    I need also some L2L-VPN with dynamic remote peer.
    While the configuration for a single dyn-VPN is quite simple (as described in several examples), how can I configure the ASA in the case of many dyn-VPNs ?
    Basically, all the dyn-VPN should use the same PSK (the one of DefaultL2LGroup).
    But using "aggressive mode" on the remote peer, I could use a different PSK for each dyn-VPN:
    tunnel-group ABCD ipsec-attributes
    pre-shared-key *
    Is this configuration correct ?
    Best regards
    Claudio

    Hi,
    Maybe the solutions provided in the following document might also be an option for you to configure multiple dynamic L2L VPN connections on the ASA
    http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080bc7d13.shtml
    Hope this helps
    - Jouni

  • Wireless lan Controller 4402 / ping dynamic interface failed

    Hi,
    I have a problem with a Wireless LAN Controller 4402.
    When I configure the dynamic interface on my network, over the wired LAN
    I can't reach (I use the ping command) the IP address of the WLC.
    In my case (wired):
    On my PC I have IP 10.1.78.1 255.255.0.0 and dgw 10.1.1.1 (vlan721)
    The WLC has a management IP of 10.12.2.4 /24 (vlan799) [dgw 10.12.2.1]
    dynamic vlan 792 ip add 10.12.78.100 / 22 (vlan792) [dgw 10.12.68.1]
    I ping these interfaces (10.12.2.4 and 10.12.78.100) and the ping is OK.
    When I create a dynamic interface on vlan 721, the problem starts:
    dynamic vlan 791 ip address 10.1.1.240 / 16 (vlan721)
    After this, pings to 10.12.2.4 and 10.12.78.100 don't respond very well
    and I lose 80-90% of the ping packets.
    Through Wi-Fi, on the other hand, I do not have problems.
    The problem exists only via wired (cable).
    Can you help me?
    Thanks
    FCostalunga

    Hello,
    Pinging the dynamic interface is officially not supported. The reason why is because the controller places a very low priority on ICMP traffic. Typically, you will not have an issue with doing so on your wireless network because this interface is basically a gateway for the client. However, from the wired network - the only interface designed to respond to pings 100% of the time is the management interface. Hope this helps!
    -Mark

  • WLC DHCP Settings - Under Dynamic Interface configuration

    Hi Guys,
    If I have a dynamic interface that is connected to a subnet where the router interfaces have DHCP servers configured under the helper address commands, do I need to configure the DHCP fields under the dynamic interface configuration?
    I have helper address configured on the connected routers AND these fields configured with the same DHCP servers.
    Just wondering if I can take the IPs out of the WLC configuration?
    Many thx indeed,
    Ken

    Ken, the DHCP address under the dynamic interface, is the address the WLC will unicast the DHCP request to when a client tries to use that interface. Under normal operation this address is needed. There is a way to get the WLC to bridge the packet to the wire so that it is a broadcast instead of a unicast packet. CLI command is config dhcp proxy disable.
    But I do believe that even if you issue the CLI command, the software wants the DHCP address listed under the dynamic interface.
    HTH,
    Steve

  • REST Sender adapter - multiple dynamic parameters

    Dear
    We are currently configuring a sender REST adapter which be called as such:
    http://host:port/RESTAdapter/pi/query/jira/solman/getsystems?sap-client=001&cust=00009999
    (even encoding the question url or only question mark and ampersand doesn't help)
    However whenever we try this, we can see following error returned by PI:
    The sender adapter is configured properly according to the documentation on SAP Help:
    Has anyone encountered this issue before?
    We might think this is a bug, as the interface works fine when we use following pattern:
    But only when we use the url as follows:
    http://host:port/RESTAdapter/pi/query/jira/solman/getsystems%3Fsap-client=001&cust=00009999
    We had to encode the question mark in the URL (%3F) in order for PI to pick the right channel with the correct parameters.
    When using the normal question mark (e.g. used with the Chrome Advanced REST Client), we basically receive the same error as above:
    Have any of you encountered this before, or have any of you used multiple parameters before in the sender REST adapter.
    Thanks for any feedback.

    Hi Nicolas,
    Were you able to resolve this issue? We are also facing a similar issue. We are trying to specify multiple dynamic query parameters in the PI RFC Sender adapter endpoint and getting similar errors. Please let me know if you have found any solution.
    Thanks
    -Pradeep

  • ISE and WLC dynamic interface group assignment ?

    I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites.  I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs.  Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
    Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
    TIA

    I understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
    This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
    Edit:
    Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name).

  • WLC Dynamic Interface

    I wonder why we need Dynamic Interfaces. I have created two WLANs. One is WPA2-Enterprise obtaining vlan id's per user from Radius server and the other WEP wlan for guest users whose traffic should go to a specific guest vlan. I am using an external DHCP server and configured WLC not to proxy dhcp requests and to act as a bridge.
    I had to create dynamic interfaces on WLC (we are using 5508 with software version 7) for all the VLANs which radius server returns. I could make it with only defining the dynamic interfaces and entering 0.0.0.0 for ip addresses.
    For the other WLAN with WEP, I have to enter an IP for the dynamic interface to work. I am not sure if this is a requirement or my misconfiguration, but I do want a way not to set an IP address for the dynamic interface. I do not want to waste addresses and also do not want the clients to be able to access the WLC through that IP address.
    I appreciate any comment on why I need IP addresses for dynamic interfaces.

    Vadood... The WLC does use that IP address as it needs to have a layer 2 connection to any subnet it will place users on. Even if you're doing AAA override, the RADIUS server tells the WLC that that device needs to be on vlan x and the WLC will put that device on vlan x, but if the WLC has no IP address on that subnet, well then the communication stops there. The user will never get an IP address if using DHCP, or if the device has a static, the WLC has no way to communicate to that subnet.
    By the way, users can't access the dynamic interface by default. You have to enable that. But then again, they can try to access the management interface also, unless you disable globally management over wireless.

  • Include multiple sub-interfaces in Cisco ASA for VPN tunnel

    I am trying to create a VPN tunnel between two Cisco ASAs where one ASA has multiple sub-interfaces.
    Say, In Cisco ASA 5550(in datacentre), I created multiple subinterfaces with VLAN ID as below:
    Inside, int0/1 : 10.1.1.0/24
    DMZ, int0/1.100: 10.1.100.0/24 (VLAN 100)
    Production, int 0/1.101 : 10.1.101.0/24 (VLAN 101)
    Management, int 0/1.102: 10.1.102.0/24 (VLAN 102)
    And another Cisco ASA 5505 is only configured with 1 x inside interface Inside, int 0/1: 192.168.1.0/24
    So far, I have only been able to provide outside access to one of the sub-interfaces as NAT rule on inside interface didn't work for VLANs. Hence had to issue Global NAT rule to be applied on Production subinterface so that production VLAN can have outside access. I have managed to establish VPN tunnel between two ASAs on Production sub-interface only, Source interface = Production subinterface
    Additional settings:
    Have ACL to allow all sub-interfaces to access outside (lower security level)
    NAT rule is configured on Production subinterface with Source NAT Type as Dynamic PAT; when this was configured with source interface as inside, PCs behind various VLANs couldn't access the internet.
    I want to establish a site-to-site VPN tunnel with multiple sub-interfaces of Cisco ASA 5550 to Cisco ASA 5505. Would you please suggest what I am missing in my configuration? I need to be able to access multiple VLANs of datacentre from remote site.

  • WLC2504 - Dynamic interface problem

    Hi,
    I have a problem with my WLC2504. My WLC is connected through two ports (1 and 2 of four) to my distro switch, where I have dot1q trunks configured. The WLC is configured with a Management interface (IP address 192.168.255.9/24), over which my LAPs are correctly joined. However, once I try to add an additional Dynamic WLC interface, which has VLAN TAG 10 and which I'd like to associate with my WLANs, my WLC stops responding through GUI and SSH, but pings to the management and dynamic interface IP addresses are successful. Just as a note, dynamic AP management is not enabled on the mentioned dynamic interface. In the case when I enable dynamic AP management on the dynamic interface (activated also on the management interface), GUI and SSH work, but I cannot associate a WLAN to the dynamic interface, only to the management one.
    Thanks for soon answer
    palo73

    The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface is also used for communications between the controller and APs. The management Interface is the only consistently "pingable" in-band interface IP address on the controller. The management interface will act like an AP manager interface by default.
    The dynamic interface with the “Dynamic AP Management” option enabled on it is used as the tunnel source for packets from the controller to the AP, and as the destination for CAPWAP packets from the AP to the controller. The dynamic interfaces for AP manager must have a unique IP address. Typically, this is configured on the same subnet as the management interface, but this is not necessarily a requirement. In the case of the Cisco 2500 Series Wireless Controller, a single dynamic AP manager can support any number of APs. However, as a best practice, it is suggested to have 4 separate dynamic AP manager interfaces and associate them to the 4 Gigabit interfaces. By default, the management interface acts like an AP-manager interface as well and it is associated to one Gigabit interface. As a result, if you are using the management interface, you need to create only 3 more dynamic AP manager interfaces and associate them to the remaining 3 Gigabit interfaces.
    The virtual interface is used to support mobility management, DHCP relay, and embedded layer 3 security like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. A typical virtual interface is 1.1.1.1. The virtual interface address is not pingable and should not exist in any routing table in your network.
    Dynamic interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The Cisco 2500 Series Wireless Controller will support up to 16 dynamic interfaces. Dynamic interfaces must be configured on a unique IP network and VLAN. Each dynamic interface acts as a DHCP relay for wireless clients associated to wireless LANs (WLANs) mapped to the interface. A WLAN associates an SSID to an interface and is configured with security, QoS, radio policies, and other wireless network parameters. There can be up to 16 WLANs configured per controller.
    Guidelines for Deploying the Cisco 2500 Wireless Controller
    Ethernet ports on Cisco 2500 Series Wireless Controllers do not work as Switch ports (that is, 2 machines directly connected to these ports will not be able to communicate with each other). You should not connect servers like DHCP, TFTP etc. on these ports and expect Wireless Clients and APs to receive an IP address from this DHCP server.
    Ethernet ports on the Cisco 2500 Series Wireless Controller should only be used to connect/uplink to an infrastructure network configured as a data interface (management interface and dynamic interfaces) or an AP-managers interface.
    If multiple Ethernet ports on a Cisco 2500 Series Wireless Controller are uplinked to an infrastructure switch, you should make sure data interfaces (management or dynamic interfaces) or AP-managers interfaces are configured for these uplinked physical ports. Physical Ethernet ports which are used as an uplink to an infra switch should not be left un-configured. This may result in unexpected behaviors.
    Multicast unicast is not a supported configuration on Cisco 2500 Series Wireless Controller. As a result, HREAP APs are not able to receive multicast traffic because HREAP APs only work with multicast unicast.
    For more information you can refer to the link -
    http://www.cisco.com/en/US/products/ps11630/products_tech_note09186a0080b8450c.shtml
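The guidelines quoted in the reply above can be checked against a planned interface layout before it is applied. This is an added example, not code from the thread or from Cisco. The plan format, the interface names and all addresses except the management address and the typical virtual address 1.1.1.1 are constructed, and "unused" for the virtual address is interpreted here as "outside every configured network".

```python
import ipaddress

MAX_DYNAMIC = 16  # dynamic-interface limit for the 2500 series stated in the reply

# Constructed plan (hypothetical format): two uplinked ports, VLAN 0 = untagged.
PLAN = {
    "uplinked_ports": [1, 2],
    "virtual_ip": "1.1.1.1",
    "interfaces": [
        {"name": "management", "kind": "management", "port": 1, "vlan": 0, "net": "192.168.255.9/24"},
        {"name": "clients", "kind": "dynamic", "port": 1, "vlan": 10, "net": "10.10.10.2/24"},
        {"name": "guests", "kind": "dynamic", "port": 1, "vlan": 10, "net": "10.10.10.130/25"},
    ],
}

def check_plan(plan):
    """Return a list of guideline violations for a planned interface layout."""
    problems = []
    ifaces = plan["interfaces"]
    dynamic = [i for i in ifaces if i["kind"] == "dynamic"]
    if len(dynamic) > MAX_DYNAMIC:
        problems.append(f"{len(dynamic)} dynamic interfaces exceeds {MAX_DYNAMIC}")
    # Dynamic interfaces must each sit on a unique VLAN and a unique IP network.
    for n, a in enumerate(dynamic):
        net_a = ipaddress.ip_interface(a["net"]).network
        for b in dynamic[n + 1:]:
            if a["vlan"] == b["vlan"]:
                problems.append(f"{a['name']}/{b['name']}: shared VLAN {a['vlan']}")
            if net_a.overlaps(ipaddress.ip_interface(b["net"]).network):
                problems.append(f"{a['name']}/{b['name']}: overlapping networks")
    # The virtual address must be unused: it may not fall inside any configured network.
    virtual = ipaddress.ip_address(plan["virtual_ip"])
    for i in ifaces:
        if virtual in ipaddress.ip_interface(i["net"]).network:
            problems.append(f"virtual IP {virtual} falls inside {i['name']}")
    # Every uplinked physical port needs a data or AP-manager interface mapped to it.
    mapped = {i["port"] for i in ifaces}
    for port in plan["uplinked_ports"]:
        if port not in mapped:
            problems.append(f"port {port} is uplinked but has no interface")
    return problems
```

On the constructed plan this reports the shared VLAN, the overlapping /24 and /25 networks, and the uplinked port 2 that has no interface mapped to it.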

  • 4402 WLC Dynamic Interfaces- More than 1 Gateway Possible?

    I am configuring a guest access solution with multiple guest access gateways associated with a single VLAN. Each gateway will have its own /24 network, and obviously its own gateway. The interface configuration page requires a single gateway in the IP config section.
    Does anyone know the purpose of this IP config?
    Will command line config of the dynamic interface permit no gateway and a netmask big enough to encompass all gateways?
    Thanks

    Thanks for your replies.
    2 Coova gateways each with web authentication and a DHCP server plugged into each layer 2 VLAN work great with IOS APs, which do not require IP config per (VLAN) subinterface.
    The objective is to load balance, provide redundancy and handle the total number of guests. The DHCP servers race to provide the client with IP config, which then causes the client to subsequently use that gateway.

  • Cannot contact Non-native dynamic interfaces on WLC 4402

    Hi,
    In my company we are recently planning to get a DMZ anchor for Guest WLAN. Our setup is as follows.
    We have two 5508 WLCs in the inside corporate network which serve the corporate WLAN. Recently we put one 4402 in the DMZ in LAG mode. Two SSIDs have been created on the 4402, namely guest and consultant. We have mobility configured perfectly between these three. For the two SSIDs the 4402 is the anchor. We have created sub interfaces on the ASA for management and the two WLANs. The port channel is also configured properly with the native VLAN for management and allowing all three VLANs through it. The concern is that we cannot ping the untagged dynamic interface of the WLC. The WLAN clients are getting DHCP IPs perfectly on each SSID, I mean in different networks. But the clients cannot reach the gateway, which is the subinterface of the ASA. If I am using the webauth I am not getting redirected to the authentication page, but if I set the security to none (both L2 and L3) I can reach up to the corresponding dynamic interface and not beyond that.
    Below are my configuration details
    At switch side
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    interface GigabitEthernet2/0/26
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet1/0/26
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    channel-group 1 mode on
    WLC configurations
    (Cisco Controller) >show interface summary
    Interface Name  Port  Vlan Id   IP Address      Type     Ap Mgr  Guest
    ap-manager      LAG   untagged  192.168.7.3     Static   Yes     No
    management      LAG   untagged  192.168.7.2     Static   No      No
    qd-consultant   LAG   179       192.168.9.254   Dynamic  No      No
    qd-guest        LAG   178       192.168.8.254   Dynamic  No      No
    qd-test         LAG   180       192.168.10.254  Dynamic  No      No
    service-port    N/A   N/A       0.0.0.0         DHCP     No      No
    virtual         N/A   N/A       192.0.2.1       Static   No      No

    Your configuration looks good except you should assign an ip address to the service port. Never leave that at 0.0.0.0. Change that to an ip address that is non routable in your network.
    Now for your issue. Have you tried plugging in a laptop to the dmz switch in those vlans to see if it works wired. Since these are new subnets, are you sure they are being NAT'd to your public address. Check that first and let us know. The WLC should be able to ping the gateway and out into the Internet if things are setup right in the dmz.
    Sent from my iPhone
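The review done by hand in the reply above can be scripted: cross-check each WLC interface's VLAN against the switch trunk and flag a service port left at 0.0.0.0. This is an added example, not part of the original posts. The two inputs are constructed from the configuration shown in the question (the switch stanza trimmed to its trunk lines), and the function names are hypothetical.

```python
import re

# Constructed input: trunk lines and WLC table as posted in the thread above.
SWITCH_CFG = """\
interface Port-channel1
switchport trunk native vlan 177
switchport trunk allowed vlan 177-180
"""
WLC_SUMMARY = """\
Interface Name  Port  Vlan Id   IP Address      Type     Ap Mgr  Guest
ap-manager      LAG   untagged  192.168.7.3     Static   Yes     No
management      LAG   untagged  192.168.7.2     Static   No      No
qd-consultant   LAG   179       192.168.9.254   Dynamic  No      No
qd-guest        LAG   178       192.168.8.254   Dynamic  No      No
qd-test         LAG   180       192.168.10.254  Dynamic  No      No
service-port    N/A   N/A       0.0.0.0         DHCP     No      No
virtual         N/A   N/A       192.0.2.1       Static   No      No
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '177-180,200' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_wlc(summary):
    """Return (name, port, vlan, ip) per data row; data rows have 7 fields."""
    rows = (line.split() for line in summary.splitlines()[1:])
    return [tuple(f[:4]) for f in rows if len(f) == 7]

def audit(cfg, summary):
    """Cross-check WLC interface VLANs against the switch trunk; return findings."""
    native = int(re.search(r"native vlan (\d+)", cfg).group(1))
    allowed = expand_vlans(re.search(r"allowed vlan ([\d,\-]+)", cfg).group(1))
    findings = []
    for name, port, vlan, ip in parse_wlc(summary):
        if name == "service-port":
            if ip == "0.0.0.0":
                findings.append("service-port has no address (0.0.0.0)")
            continue
        if port == "N/A":  # virtual interface is not bound to a physical port
            continue
        # Untagged WLC interfaces ride the trunk's native VLAN.
        vid = native if vlan == "untagged" else int(vlan)
        if vid not in allowed:
            findings.append(f"{name}: VLAN {vid} not allowed on trunk")
    return findings
```

For the posted configuration, `audit(SWITCH_CFG, WLC_SUMMARY)` returns only the service-port finding, which matches the reply's assessment that the VLAN side of the setup is consistent.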

  • 2125 WLC Dynamic interfaces and their physical interface

    I'm trying to broadcast multiple SSIDs per AP. I would like the new second SSID to be on a different VLAN. I have been reading this article http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml#dyn-interface and it looks like you create a trunk port on the switch that the WLC is connected to, which makes sense to me. A friend however told me to use a separate physical interface on the WLC and assign the dynamic interface to it and connect it to the desired VLAN, instead of using the interface that is currently in production. I liked this idea because I would have downtime trying to reconfigure the port as a trunk that's in production.
    So I guess my question is, if I use a secondary port on the WLC to connect to a different network than what the AP is on, how will communication work? When the AP sends data to the WLC will everything be encapsulated in CAPWAP? How about the primary link connecting the WLC to the primary production network? Will this data to and from the WLC on the switch retain its CAPWAP encapsulation? Now that I'm thinking about it I guess it would have to since the WLC is what decapsulates the CAPWAP data and not the switch...
    I would just like some advice on if I'm doing this correctly. Thanks a lot!  -Mark

    We generally recommend one trunk port to be configured for different VLANs (for management and AP interface) but we can also use another Ethernet port on the WLC for any different VLAN config.
    For all your port related queries please find the attached link with the diagram:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
    Q. How does a WLC switch packets?
        A. All the client (802.11) packets are encapsulated in a LWAPP packet by the LAP and sent to the WLC. WLC decapsulates the LWAPP packet and acts based on the destination IP address in the 802.11 packet. If the destination is one of the wireless clients associated to the WLC, it encapsulates the packet again with the LWAPP and sends it to the LAP of the client, where it is decapsulated and sent to the wireless client. If the destination is on the wired side of the network, it removes the 802.11 header, adds the Ethernet header, and forwards the packet to the connected switch, from where it is sent to the wired client. When a packet comes from the wired side, WLC removes the Ethernet header, adds the 802.11 header, encapsulates it with LWAPP, and sends it to the LAP, where it is decapsulated, and the 802.11 packet is delivered to the wireless client. For more information about this, refer to the LWAPP Fundamentals section of the document Deploying Cisco 440X Series Wireless LAN Controllers.
    Q. What are the various options available to access the WLC?
        A. This is the list of options available to access the WLC:
            GUI access with HTTP or HTTPS
            CLI access with Telnet, SSH, or console access
            Access through service port
        For more information on how to enable these modes, refer to the Using the Web-Browser and CLI Interfaces section of the document Cisco Wireless LAN Controller Configuration Guide, Release 5.1. Usually, the management interface IP address is used for GUI and CLI access. Wireless clients can access the WLC only when the option Enable Controller Management to be accessible from Wireless Clients is checked. In order to enable this option, click the Management menu of the WLC, and click Mgmt via Wireless on the left-hand side. WLC can also be accessed with one of its dynamic interface IP addresses. Use the config network mgmt-via-dynamic-interface command to enable this feature. Wired computers can have only CLI access with the dynamic interface of the WLC. Wireless clients have both CLI and GUI access with the dynamic interface.
