Dynamic interface port assignment

Good Day,
I am setting up a 4402 (50 ap license ver 5.0) that will manage about 40 aps. Following the Cisco docs, I have created two ap manager intefaces for load balancing. Each physical port is attached to one of two Cat 6509s (no lag).
Our network ultimately connects to a router (over which I have no control) with six 100 mps ports each representing a subnet/vlan. So my intent is to create six dynamic interfaces each coresponding to a vlan for load balancing and bandwidth optimization.
My question regards assinging each dynamic interface to a physical port. Simple logic would have me assinging 3 interfaces to port #1 and three to port #2, then assigning a proportionate number of aps to each interface.
Is it that simple, or are there other considerations.
Thanks

You're correct. Creating a dynamic interface for each VLAN is exactly what you need to do. This will load-balance the traffic from the multiple VLANs across your links.
I would highly recommend that you consider LAGging the two uplinks. It provides better load-balancing and better redundancy. Since you're connecting to a 6509, you can LAG between two blades for redundancy purposes.
Whether you LAG or not is completely up to you, of course. But you seem to be good to go if you want to leave them unLAGged.
Jeff

Similar Messages

ISE and WLC dynamic interface group assignment ?

I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites. I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs. Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
TIA

I understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
Edit:
Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name).

Dynamic interface group assignment

Wir testen aktuell das dynamische vlan assignment mit dem wlc (version 7.3.101) und dem microsoft nps server. das überschreiben der vlan id anhand einer zutreffenden netzwerkrichlinie funktioniert einwandfrei. nun stellt sich die frage, ob das überschreiben auch möglich ist, wenn auf dem wlc für eine ap-group eine interface gruppe anstelle eines einzelnen vlans definiert ist. hat jemand erfahrungen damit gemacht? konkret sieht der aufbau wie folgend aus:
vlan 100-110 sind in als interface group01 zusammengefasst.
unter ap groups ist eine ssid mit dieser interface gruppe01 konfiguriert.
unter wlan ist eine ssid mit: radius server overwrite interface und: allow aaa override konfiguriert.
auf dem nps gibt es eine zutreffende netzwerkrichtlinie mit radius attribute:
framed-protocol = ppp
service-type = Framed
Tunnel-Medium-Type 802
Tunnel-Pvt-Group-Id = gruppe01 (Name der Interface Gruppe, analog VLAN)
Tunnel-Type = VLAN
--> Wenn wir eine einfache VLAN ID angeben funktioniert es, mit dem Namen der Interface Gruppe funktioniert es nicht.
Hat jemand erfahrung, ob das zuweisen einer interface gruppe per radius attribut möglich ist?

Thank you for your answer.
if i define a single vlan id, everything works fine. but we try to make this work with an interface group instead of a single vlan... i am not shure if this is possible or not.. i just read the following release notes:
AAA Override Support for Interface Groups
This release supports AAA override for interface groups.
This feature extends the current access point group and AAA override architecture where access point groups and AAA override can be configured to override the interface group WLAN that the interface is mapped to. This is done with multiple interfaces using interface groups.
so if i change the single vlan id from tunnel-private-group-id attribute to the interface group it doesnt work anymore...

WLC, mapping new dynamic interface to an already used port

This is my question
We have a multiple wlc deployment and a wlan which is running dhcp issues (scopes exhausted)
The main Wlan is mapped to a dynamic interface group (2 vlans), both vlans are mapped to a single physical port
adding a new dynamic interface (vlan) to the interface group is needed,
- a new dynamic interface will be created and mapped to the same physical port of the other two (3 vlans)
- the new interface will be addad to the interface group
the question is:
does this operation will require some network downtime (controller reboot,ap reboot... etc.) or will it be a seamless operation?
thank you

Does this mean, when utilizing an 802.1x WLAN in an AP Group, you can not dynamically assign an interface via radius because itw ill be ignored due to the AP Group settings? If so, that seems short sited to me?
AAA override get priority when AAA override and AP group is used. the debug client output should show site specific over-ride for AP group initially and once it goes into .1x auth it will return the overrided vlan.

Dynamically assign a send pipeline to a dynamic send port in orchestration

Hi
I have an orchestration that is using a dynamic send port. I need to somehow assign the send pipeline to the dynamic send port programmatically.
for example, I will have a decide shape in the orchestration. Based on the condition in the decide shape I need to assign the corresponding send pipeline for that condition. let's say in Branch A, I want to select xml assembler , in Branch B I will want
to select a flat file assembler...
how can this be achieved. I have seen some links recommending using the ESB tool kit, but I do not want to go down that route.
any help is appreciated
Regards, Mazin - MCTS BizTalk Server 2006

Ashwin
Thanks again for your reply.
If I do it using role links I will loose the flexibility I have "having a dynamic file name" lots of our partners would like to receive their files with specific file naming convention based on the content of the file.
If I use a decide shape / another dynamic send port, this means that everytime I have a new custom pipeline I would need to modify the orchestration and add another decide branch with another dynamic send port.
both of the above suggestions will break the flexibility of the solution since we now can configure new partners in seconds in the configuration database without the need to modify the orchestration or add any new send ports
Regards, Mazin - MCTS BizTalk Server 2006
So in your requirement, the “dynamic” nature you want from send port are
following:
To set the send file names dynamically depends on the message received.
To send the message to different send locations depending on the message received. You want to retrieve this destination URL location from database.
And send ports may have different pipeline component like flat-file and XML ones.
As I have commented in my earlier reply, Role-Link could fit your bill perfectly and this can be achieved by using following:
1) Receive a message into an Orchestration.
2) In Orchestration set the file name dynamically based on the received file and following code shall help you to set the name of the file to dynamic.
msgToBeSend(FILE.ReceivedFileName)="YourDynamicFileNameUWantToAssign";
Use the above while constructing the outgoing message.
3) Create a “Provider” Role-Link with send port type following the wizard.
4) In Orchestration’s expression shape may be before sending the message out,
performs the party resolution using a code similar to the following:
YourRoleLinkName(Microsoft.XLANGs.BaseTypes.DestinationParty) = new Microsoft.XLANGs.BaseTypes.Party(msgToBeSend.YourDistingushedPropertyToIdentifyParty, "OrganizationName");
5) In the above sample code “YourDistingushedPropertyToIdentifyParty” refer for the code which could identify the partyname where the send port is configured.
6) Create Parties representing different type of message to be send like flat-file or XML messages.
7) Create a static send port and populate the outbound URL dynamically by using a custom pipeline component. In the custom pipeline component URL can be dynamically bound by calling the database as per your reqirement i.e based on the received message by
accessing its content in custom pipeline access the database, find the destination URL and assign the “OutboundTransportLocation” context property of the outbound message something like this
msgToBeSend.Context.Promote("OutboundTransportLocation", "http://schemas.microsoft.com/BizTalk/2003/system-properties", YourOutboundURLFromDatabase);
Refer this article on this topic:
http://www.codit.eu/blog/2013/03/06/adding-dynamic-behavior-to-static-send-ports-a-caveat/
8) In the Parties you have created assign the send ports.
9) GoTo your “Role-Links” folder within the deployed BizTalk application and enlist the parties.
These steps enable you to achieve the dynamic requirement you want to implement with the mentioned Role-Link.
Regards,
M.R.Ashwin Prabhu
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

Dynamic VLAN/SSID assignment using 4402/MS IAS

Greetings,
In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
Any input/information would be greatly appreciated.
Joe

Shaun,
My LAG - etherchannel interface
interface Port-channel8
description WLC-portchannel
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
end
My 2 WLC Fiber ports:
Current configuration : 382 bytes
interface GigabitEthernet7/47
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
2200-3A#sh run int g7/48
Building configuration...
Current configuration : 382 bytes
interface GigabitEthernet7/48
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of vlan's, and then a manage the vlans assigned to clients with IAS and the WLC.
interface FastEthernet4/48
description AP-PoE
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1004
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
end
Jim

Mgmt Via Dynamic Interface not working on 5505 version 7.2.111.3

Folks,
         I have posted this question a couple of times on the forum but did not get a solution. I am trying to manage my 5508 controller from a dynamic interface which is assigned to port 7 of the controller. I have a switch connected to that port which has a PC on the same subnet as the dynamic interface. From the PC, I can ping the dynamic interface IP Address, but can not telnet,SSH,http or https to it. There is no clear doc that specifics how to effectly use the command "config network mgmt-via-dynamic-interface" command.
Mgmt Via Wireless Interface................. Enable
Mgmt Via Dynamic Interface.................. Enable
Interface Name                   Port Vlan Id IP Address      Type    Ap Mgr Guest
173                                      7    173      172.16.101.100 Dynamic Yes    No
management                         1    172      172.16.100.100 Static Yes    No
service-port                           N/A N/A      0.0.0.0         DHCP    No     No
virtual                                    N/A N/A      1.1.1.1         Static No     No
7 Normal Forw Enable Auto       1000 Full Up     Enable N/A     1000BaseTX
Any guidence would be highly appreciated.

Im having a similar issue and have 2 TAC cases open.
TAC CASE#1: issue is that even when disbaled I can still access the dynmic interface via HTTPS/HTTPS/TELNET/SSH. But this is on a WISM1.
Thanks a lot for your quick and prompt response, I see that there is an internal Bug with an ID CSCty32586.
I see that the bug is fixed told be fixed in 7.0.230.0, but it’s not fixed. The bug is fixed in 7.2.x version.
I understand that you are using Wism on which 7.1.x version and above is not supported.
As 7.0.235.3 is released recently to overcome some of the changes and to fix some of the Bugs with older version on these devices.
Kindly try to upgrade the software version of the WLC to 7.0.235.3 and check the compatibility.
Please do let me know in case of any concerns and I will be glad to assist you.
TAC CASE#2: Just like you I can not access the dynamic interface. Still working that one .. The holiday dropped when I just opened that case.
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

Adding (dynamic) interfaces to WLC 2504 causes loss of network

I'm trying to add a new dynamic interface, that I will tie a specific WLAN to so that clients on that WLAN is in the correct vlan. After adding it I loose connectivity both to the main management address (10.99.0.60) and to the ip address of the dynamic interface (10.99.12.4). In fact, the dynamic interface address responds and prompts me to login, but after doing so all I get is a blank page. Here's the two interfaces pulled from the CLI - what am I doing wrong?
And oh, not adding an IP to the dynamic interface makes it impossible to use within a WLAN.
Interface Name................................... management
MAC Address...................................... c0:8c:60:c7:99:00
IP Address....................................... 10.99.0.60
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.99.0.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 31
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 10.99.0.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
IPv4 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled
Interface Name................................... lan
MAC Address...................................... c0:8c:60:c7:99:04
IP Address....................................... 10.99.12.4
IP Netmask....................................... 255.255.252.0
IP Gateway....................................... 10.99.12.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 33
Quarantine-vlan.................................. 0
NAS-Identifier................................... mob-wlc
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
IPv4 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... No
Guest Interface.................................. No

So take a look at this. I have the dynamic interface used in wlan 2 (mytestssid as shown above). Now the management address, 10.99.0.60 cant be reached:
Nmap scan report for 10.99.0.60
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
443/tcp filtered https
After removing wlan 2 and the dynamic interface, mgmt access starts to work again:
config wlan disable 2
config wlan delete wlan 2
config interface delete lan
Nmap scan report for 10.99.0.60
Host is up (0.0037s latency).
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
So... here's me adding the dynamic interface in cli AGAIN:
WLAN ID WLAN Profile Name / SSID Status Interface Name
1 someotherssid / someotherssid Enabled management
(Cisco Controller) config> interface create lan 33
(Cisco Controller) config> interface address dynamic-interface lan 10.99.12.4 255.255.252.0 10.99.12.1
(Cisco Controller) >config wlan disable 1
(Cisco Controller) >config wlan interface 1 lan
(Cisco Controller) >config wlan enable 1
Voila, management access lost again:
Nmap scan report for 10.99.0.60
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
443/tcp filtered https
This time, there's no physical port assigned to the dynamic interface 'lan':
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
lan - 33 10.99.12.4 Dynamic No No
management 1 31 10.99.0.60 Static Yes No
virtual N/A N/A 1.1.1.1 Static No No
Adding that:
(Cisco Controller) config interface port lan 1
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
lan 1 33 10.99.12.4 Dynamic No No
Still no management access..:
Nmap scan report for 10.99.0.60
Host is up.
PORT STATE SERVICE
22/tcp filtered ssh
443/tcp filtered https
For reference, the detailed interface config (which clearly shows that 'management' should be ap mgmt.. and dynamic interface 'lan' shouldn't (and thus shouldn't affect it - RIGHT?)):
Interface Name................................... lan
MAC Address...................................... c0:8c:60:c7:99:04
IP Address....................................... 10.99.12.4
IP Netmask....................................... 255.255.252.0
IP Gateway....................................... 10.99.12.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 33
Quarantine-vlan.................................. 0
NAS-Identifier................................... mob-wlc
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
IPv4 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
Interface Name................................... management
MAC Address...................................... c0:8c:60:c7:99:00
IP Address....................................... 10.99.0.60
IP Netmask....................................... 255.255.255.0
IP Gateway....................................... 10.99.0.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. 31
Quarantine-vlan.................................. 0
Active Physical Port............................. 1
Primary Physical Port............................ 1
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Global
Primary DHCP Server.............................. 10.99.0.1
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
IPv4 ACL......................................... Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... Yes
Guest Interface.................................. No
L2 Multicast..................................... Enabled
By the way, the switchport of my (C3560G) doesnt specifically allow some VLANs - meaning they allow all vlans:
interface GigabitEthernet0/28
description cisco_wlc
switchport trunk encapsulation dot1q
switchport mode trunk
And the vlans in question are present:
31 enet 100031 1500 - - - - - 0 0
32 enet 100032 1500 - - - - - 0 0
33 enet 100033 1500 - - - - - 0 0
34 enet 100034 1500 - - - - - 0 0

Cannot contact Non-native dynamic interfaces on WLC 4402

Hi,
          In my company we are recently planning to get a DMZ anchor for Guest WLAN. Our setup is as following
We have two 5508 WLCs in inside corporate network which serves for the corporate wlan. Recently we put one 4402 in DMZ in LAG mode. Two SSID has been created in 4402 namely guest and consultant. We have mobility configured perfect between these three. For the the two ssids the 4402 is the anchor.   We have created sub interfaces in ASA for management and two WLANs. The port channel is also configured proper with the native vlan for management and allowing all three vlans through it. The concern is that we cannot ping the untagged dynamic interface of WLC. The WLAN clients are getting DHCP ip perfectly on each ssid, I mean in different networks. But the clients cannot reach the gateway which is the subinterface of ASA. If I am using the webauth I am not getting redirected to the authentication page. but if I set the security to none (both L2 and L3) I can reach up to the corresponding dynamic interface and not beyond that.
Below are my configuration details
At switch side
interface Port-channel1
switchport trunk encapsulation dot1q
switchport trunk native vlan 177
switchport trunk allowed vlan 177-180
switchport mode trunk
interface GigabitEthernet2/0/26
switchport trunk encapsulation dot1q
switchport trunk native vlan 177
switchport trunk allowed vlan 177-180
switchport mode trunk
channel-group 1 mode on
interface GigabitEthernet1/0/26
switchport trunk encapsulation dot1q
switchport trunk native vlan 177
switchport trunk allowed vlan 177-180
switchport mode trunk
channel-group 1 mode on
WLC configurations
(Cisco Controller) >show interface summary
Interface Name                   Port Vlan Id IP Address      Type    Ap Mgr Guest
ap-manager                        LAG untagged 192.168.7.3     Static Yes    No
management                      LAG untagged 192.168.7.2     Static No     No
qd-consultant                     LAG 179      192.168.9.254   Dynamic No     No
qd-guest                            LAG 178      192.168.8.254   Dynamic No     No
qd-test                              LAG 180      192.168.10.254 Dynamic No     No
service-port                         N/A N/A      0.0.0.0               DHCP    No     No
virtual                                 N/A N/A      192.0.2.1           Static No     No

Your configuration looks good except you should assign an ip address to the service port. Never leave that at 0.0.0.0. Change that to an ip address that is non routable in your network.
Now for your issue. Have you tried plugging in a laptop to the dmz switch in those vlans to see if it works wired. Since these are new subnets, are you sure they are being NAT'd to your public address. Check that first and let us know. The WLC should be able to ping the gateway and out into the Internet if things are setup right in the dmz.
Sent from my iPhone

2125 WLC Dynamic interfaces and their physical interface

I'm trying to broadcast multiple SSIDs per AP. I would like the new second SSID to be on a different VLAN. I have been reading this article http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml#dyn-interface and it looks like you create a trunk port on the switch that the WLC is connected to, which makes sense to me. A friend however told me to use a seperate physical interface on the WLC and assign the dynamic interface to it and connect it to the desired VLAN, instead of using the interface that is currently in production. I liked this idea because I would have downtime trying to reconfigure the port as a trunk that's in production.
So I guess my question is, if I use a secondary port on the WLC to connect to a different network than what the AP is on how will communication work? When the AP sends data to the WLC will everything be encapsulated in CAPWAP? How about the primary link connecting the WLC to the primary production network? Will this data to and from the WLC on the switch retain it's CAPWP encapsulation? Now that I'm thinking about it I guess it would have to since the WLC is what decapsulates the CAPWAP data and not the switch...
I would just like some advice on if I'm doing this correctly. Thanks a lot! -Mark

We generally recomment one trunk port to be configured for different VLAN (for management and AP inetreface) but we can use other ethernet port also on WLC for any differnt VLAN config.
For all your port related queries please find the attach link with the diagramme.:-
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
Q. How does a WLC switch packets?
    A. All the client (802.11) packets are encapsulated in a LWAPP packet by the LAP and sent to the WLC. WLC descapsulates the LWAPP packet and acts based on the destination IP address in the 802.11 packet. If the destination is one of the wireless clients associated to the WLC, it encapsulates the packet again with the LWAPP and sends it to the LAP of the client, where it is decapsulated and sent to the wireless client. If the destination is on the wired side of the network, it removes the 802.11 header, adds the Ethernet header, and forwards the packet to the connected switch, from where it is sent to the wired client. When a packet comes from the wired side, WLC removes the Ethernet header, adds the 802.11 header, encapsulates it with LWAPP, and sends it to the LAP, where it is decapsulated, and the 802.11 packet is delivered to the wireless client. For more information about this, refer to the LWAPP Fundamentals section of the document Deploying Cisco 440X Series Wireless LAN Controllers.
Q. What are the various options available to access the WLC?
    A. This is the list of options available to access the WLC:
        GUI access with HTTP or HTTPS
        CLI access with Telnet, SSH, or console access
        Access through service port
    For more information on how to enable these modes, refer to the Using the Web-Browser and CLI Interfaces section of the document Cisco Wireless LAN Controller Configuration Guide, Release 5.1. Usually, the management interface IP address is used for GUI and CLI access. Wireless clients can access the WLC only when the optionEnable Controller Management to be accessible from Wireless Clients is checked. In order to enable this option, click the Management menu of the WLC, and click Mgmt via Wireless on the left-hand side. WLC can also be accessed with one of its dynamic interface IP addresses. Use the config network mgmt-via-dynamic-interface command to enable this feature. Wired computers can have only CLI access with the dynamic interface of the WLC. Wireless clients have both CLI and GUI access with the dynamic interface.

Dynamic interface declaration

Hello,
Is it possible to have a dynamic interface declaration like you can have a dynamic object declaration?
For an object:
data: lo_object type ref to object.
create object lo_object type (lv_object_name).
Is this in some way possible to do with an interface? I need to do this for an interface at runtime.
Gr,
Jaron

You can create data of a dynamically given reference type (which may be an interface) and move the object reference to it.
Something like so:
DATA:
      my_obj TYPE REF TO object,
      lr_data TYPE REF TO data.
FIELD-SYMBOLS: <fs> TYPE ANY.
CREATE OBJECT my_obj TYPE my_object_type.
TRY.
CREATE DATA lr_data TYPE REF TO (some_interface_type_name).
ASSIGN lr_data->* TO <fs>.
   <fs> ?= my_obj.
CATCH cx_sy_move_cast_error.
CATCH cx_sy_create_data_error.
ENDTRY.
Basically, the assignment tests if my_obj is an instance of the type named some_interface_type_name.
Hope this helps,
Sebastian

WLC2504 - Dynamic interface problem

Hi,
I have problem with my WLC2504. My WLC is connected through two ports (1 and 2 of four) to my distro switch, where I have dot1q trunks configured. WLC is configured with Management interface (IP address 192.168.255.9/24), over which my LAPs are correctly joined. However, once I'm trying to add additional Dynamic WLC interface, which has VLAN TAG 10 and which I'd like to associate with my WLANS, my WLC stop responding through GUI and SSH, but pings on the management and dynamic interface IP addresses are sucesfull. Just as a note, dynamic AP management is not enabled on mentioned dynamic interface. In a case when I enable dynamic AP management on the dynamic interface (activated also on management interface), GUI and SSH work, but I can not associated WLAN to the dynamic interface, only to the management one
Thanks for soon answer
palo73

The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface is also used for communications between the controller and APs. The management Interface is the only consistently "pingable" in-band interface IP address on the controller. The management interface will act like an AP manager interface by default.
The dynamic interface with the “Dynamic AP Management” option enabled on it is used as the tunnel source for packets from the controller to the AP, and as the destination for CAPWAP packets from the AP to the controller. The dynamic interfaces for AP manager must have a unique IP address. Typically, this is configured on the same subnet as the management interface, but this is not necessarily a requirement. In the case of the Cisco 2500 Series Wireless Controller, a single dynamic AP manager can support any number of APs. However, as a best practice, it is suggested to have 4 separate dynamic AP manager interfaces and associate them to the 4 Gigabit interfaces. By default, the management interface acts like an AP-manager interface as well and it is associated to one Gigabit interface. As a result, if you are using the management interface, you need to create only 3 more dynamic AP manager interfaces and associate them to the remaining 3 Gigabit interfaces.
The virtual interface is used to support mobility management, DHCP relay, and embedded layer 3 security like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. A typical virtual interface is 1.1.1.1. The virtual interface address is not pingable and should not exist in any routing table in your network.
Dynamic interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The Cisco 2500 Series Wireless Controller will support up to 16 dynamic interfaces. Dynamic interfaces must be configured on a unique IP network and VLAN. Each dynamic interface acts as a DHCP relay for wireless clients associated to wireless LANs (WLANs) mapped to the interface. A WLAN associates an SSID to an interface and is configured with security, QoS, radio policies, and other wireless network parameters. There can be up to 16 WLANs configured per controller.
Guidelines for Deploying the Cisco 2500 Wireless Controller
Ethernet ports on Cisco 2500 Series Wireless Controllers do not work as Switch ports (that is, 2 machines directly connected to these ports will not be able to communicate with each other). You should not connect servers like DHCP, TFTP etc. on these ports and expect Wireless Clients and APs to receive an IP address from this DHCP server.
Ethernet ports on the Cisco 2500 Series Wireless Controller should only be used to connect/uplink to an infrastructure network configured as a data interface (management interface and dynamic interfaces) or an AP-managers interface.
If multiple Ethernet ports on a Cisco 2500 Series Wireless Controller are uplinked to an infrastructure switch, you should make sure data interfaces (management or dynamic interfaces) or AP-managers interfaces are configured for these uplinked physical ports. Physical Ethernet ports which are used as an uplink to an infra switch should not be left un-configured. This may result in unexpected behaviors.
Multicast unicast is not a supported configuration on Cisco 2500 Series Wireless Controller. As a result, HREAP APs are not able to receive multicast traffic because HREAP APs only work with multicast unicast.
For more information you can refer to the link -
http://www.cisco.com/en/US/products/ps11630/products_tech_note09186a0080b8450c.shtml

Configuring multiple dynamic interfaces in 5508

Hi,
I have 5508 controller where as ap-manager interface configuration is optional but since i have different topology at other end , I have 4507 configured with HSRP and i want to divide the AP traffic in both the switches therefore I will have to go ahead and configure multiple AP-manager interface and map with two different physical ports.
But I have challenge to configure multiple dynamic interfaces.
I want to create two wlans ( Internal wlan and guest wlan )
Internal WLAN : 192.168.10.0
default gateway : 192.168.10.1
internal DHCP server : 172.16.10.1
Physical Port : ............... ? which port to configure ? ( I have connectivity with port 1 & port 2 )
Guest WLAN : 192.168.20.0
Default gateway : 192.168.20.1
Internal DHCP server : 172.16.10.1
Physical port : ............... ? which port to configure ? ( I have connectivity with port 1 & port 2 )
I want to map it to multiple ports of dynamic interfaces for client traffic to physical ports.
how do i configure it ?

In adition to Nico's answer, I would go throught the detailed guide for the configuration of dynamic interfaces:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1167723.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Max # of dynamic interfaces on 4404 WLC

Can anyone tell me if there is a limit to how many dynamic interfaces I can create on a 4404 WLC?
I know that I can only have 16 SSIDs, so I have set up one SSID for my private network and am using AAA Override and configured my radius server to assign the different VLANs for each group. I have to create a dynamic interface for each individual VLAN and I just want to know if there is any kind of hard limit for the number of dynamic interfaces I can have so I don't run into a potential problem down the road.
TIA,
Deanna

I was able to verify that you only can create up to 513 dymanic interfaces. This of course does not include your management, ap-manager or VIP.
Hope this answers your question... it did for me... now I know!

Force WLAN client to renew ip on WLC with dynamic interfaces

Hi there
we would like to have a "two tier" authentication for the corporate WLAN clients:
Requirements
1. Machine Authentication
The client gets machine authenticated based on the machine account in the Active Directory with PEAP. At this stage, the client will get a IP from VLAN A. VLAN A has limited access to the corporate infrastructure (DNS, AD, some volumes / shares, and so on). The filtering is done with an IP access list on the layer 3 VLAN interface on the core switches.
2. User Authentication
The users logs in on the client and gets user authenticated based on his user account in the Active Directory with PEAP - only users with a valid Machine Access Restriction (MAR) are allowed to login. Now the client is moved to another VLAN B. VLAN B has full access to the corporate infrastructure, here is no IP access list.
Infrastructure
We have the following:
2 x WLC 5508 with 7.3.101.0
2 x ACS 5.3.0.40.6
Problem
Now we have the problem, that the Windows client sometimes takes up to 3 minutes to connect to the WLAN after the users loggs in. In the debug, I can see that this happens because the client is stuck in DHCP renewal:
1. After the machine has been authenticated it has an IP assigned from VLAN A. This works pretty well if the client gets rebooted.
2. If the user loggs in the first time after the reboot, the users gets connected within 10 seconds, what is pretty good. The client has now an IP in VLAN B.
3. Now the user logs out of Windows and I can see in the debug, that the client is putted into VLAN A (machine authentication) again, but the client still tries to DHCPREQUEST the IP address from VLAN B (user authentication). Because this request is sent out on the wrong dynamic interface on WLC, the DHCPREQUEST is not acknowleged an the client get stuck in this situation.
4. If the user or another users logs in again shortly after the logout, the client still tries to DHCPREQUEST the IP of VLAN B and now the "3 times DHCP failure on WLC" comes into play, because WLC thinks that the DHCP server is not reachable -> but it only does not answer a wrong DHCPREQUEST.
Question
On ISE there is a way to force the client to renew the DHCP address (via CoA, but this has its limitations too --> need to install Active X or Java applet). I think there is now way to force the client to renew its IP with ACS, but my question is, is there a workaround and are there any others, that maybe already solved this problem?
Alternative
If there is now way to bring this to work with two different VLAN's, I could try to realize this with only one VLAN. After the machine authentication I could apply a WLC ACL to restrict access to the corporate infrastructure. If the user authentication happens, I could "remove" this ACL to grant full access for this user / client. But I am still interested in the other solution ;-)
Thanks in advance for any advise and best regards
Dominic

Your second option is what you should do. Changing the vlan on a client that already has an IP address especially on wireless will not know it has been put in a different vlan and that's why it breaks. If There was a way to change the vlan and send something to the WLC to disassociate the client, that might work.
Sent from Cisco Technical Support iPhone App

Dynamic interface port assignment

Similar Messages

Maybe you are looking for