Interfaces on 5508 in HA

When configuring a pair of 5508's for HA using the redundancy port do you need to configure all interfaces on the secondary controller as well?  After reading the configuration guide,
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml , I know you need the management interfaces and the redundancy-management interface configured with IP addressing. 
Do I need to configure anything else for interfaces?  Or will putting the device in Hot Standby cause the configuration to be identical on the Standby controller? 
I just need to have the management, redundancy-management, the same LAG and physical interface configurations and everything should be okay?

You just need to configure the management / redundancy-mgmt.  When you reboot and the 'secondary' comes up, it will do a config check with the 'primary', see they are not the same, pull the config and reboot.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered

Similar Messages

  • Configuring multiple dynamic interfaces in 5508

    Hi,
    I have a 5508 controller, where the ap-manager interface configuration is optional, but since I have a different topology at the other end (I have a 4507 configured with HSRP and I want to divide the AP traffic across both switches), I will have to go ahead and configure multiple AP-manager interfaces and map them to two different physical ports.
    But I have a challenge configuring multiple dynamic interfaces.
    I want to create two WLANs (Internal WLAN and Guest WLAN)
    Internal WLAN : 192.168.10.0
    default gateway : 192.168.10.1
    internal DHCP server : 172.16.10.1
    Physical Port : ............... ?  which port to configure ? ( I have connectivity with port 1 & port 2 )
    Guest WLAN : 192.168.20.0
    Default gateway : 192.168.20.1
    Internal DHCP server : 172.16.10.1
    Physical port :  ............... ?  which port to configure ? ( I have connectivity with port 1 & port 2 )
    I want to map the dynamic interfaces for client traffic to multiple physical ports.
    How do I configure it?

    In addition to Nico's answer, I would go through the detailed guide for the configuration of dynamic interfaces:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html#wp1167723.
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Interfaces WLC 5508

    Hi good afternoon,
    I have an easy question: checking how a WLC with associated APs makes a tunnel in CAPWAP (standard RFC 4188) using a UDP dest port, it looks like L3 is necessary.
    Let me try to explain what I want:
    I have a WLC 5508 with a switch; the trunk passes 4 VLANs. One of them is used for management to associate APs with the WLC, and I added the full config, but when I add a new interface:
    Interface Address
    VLAN Identifier
    IP Address
    Netmask
    Gateway
    Why is it necessary to put an IP in all VLANs? If I try to use a blank IP I get an error, and with 0.0.0.0 I can't add an SSID after this...
    Does the WLC not work fully at L2? For every interface it is necessary to add an IP.
    Switches are L2 and do not need an IP.
    Router = L3 needs an IP.
    Can someone explain this to me?
    Thanks and regards

    You are correct, the WLC is purely a L2 device, it does not route. 
    Don't think of the interface as an SVI, it's not.
    The reason that every interface needs an IP address, has to do with roaming.
    If you do an intercontroller roam, and both WLCs are using VLAN ID 10, what happens to your client traffic if WLCA = 10.10.10.x/24 and WLCB = 10.10.110.0/24? 
    Your client would not be able to pass traffic, as it would not have the correct IP address.  Now, if the client were to force a DHCP at every roam, you could get around this, but that would also delay the client in being able to pass traffic.
    So with the IP and the VLAN ID, the WLC is able to know if the roam is a pure L2 roam, same VLAN same IP range, and move the MSCB entry from one WLC to the other.  Or if it's supposed to be a L3 roam, where it needs to set up anchoring of the client traffic.
    Make sense?
    Steve
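A simplified model of the decision Steve describes above, as an added example that is not part of the original thread: it compares VLAN ID and subnet of the interface a WLAN maps to on each controller and reports which roams would be L2 and which would need L3 anchoring. The controller names, host addresses, the third controller and all function names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from itertools import combinations


@dataclass(frozen=True)
class WlcInterface:
    controller: str  # constructed controller name
    name: str        # dynamic interface the WLAN is mapped to
    vlan_id: int
    address: str     # interface IP with prefix length

    @property
    def network(self):
        # Subnet derived from the interface IP and mask.
        return ip_interface(self.address).network


def classify_roam(src: WlcInterface, dst: WlcInterface) -> str:
    """Return 'L2' when VLAN ID and subnet both match, otherwise 'L3'.

    L2: the client entry can simply move to the new controller.
    L3: the client keeps its IP, so traffic must be anchored.
    """
    if src.vlan_id == dst.vlan_id and src.network == dst.network:
        return "L2"
    return "L3"


def vlan_subnet_mismatches(interfaces):
    """Find controller pairs that reuse a VLAN ID for different subnets.

    This is the case from the answer: the VLAN ID alone says "same network",
    but a client roaming between the two would hold an address that is not
    valid behind the new controller.
    """
    findings = []
    for a, b in combinations(interfaces, 2):
        if a.controller == b.controller:
            continue
        if a.vlan_id == b.vlan_id and a.network != b.network:
            findings.append((a.vlan_id, a.controller, b.controller))
    return findings


# Constructed sample data. WLCA and WLCB follow the subnets in the answer
# (10.10.10.x/24 and 10.10.110.0/24, both VLAN 10); WLCC is added here.
WLCA = WlcInterface("WLCA", "internal", 10, "10.10.10.5/24")
WLCB = WlcInterface("WLCB", "internal", 10, "10.10.110.5/24")
WLCC = WlcInterface("WLCC", "internal", 10, "10.10.10.6/24")

if __name__ == "__main__":
    for src, dst in combinations([WLCA, WLCB, WLCC], 2):
        print(f"{src.controller} -> {dst.controller}: {classify_roam(src, dst)} roam")
    for vlan, c1, c2 in vlan_subnet_mismatches([WLCA, WLCB, WLCC]):
        print(f"VLAN {vlan} maps to different subnets on {c1} and {c2}")
```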

  • 2 AP Management interface WLC 5508 at the same time

    Good afternoon,
    I have a customer that wants a few APs to be managed by the management interface and join through that interface, and another group of APs to be managed and join through another interface configured with "Enable Dynamic AP Management".
    It is a WLC 5508. I created an interface with the option "Enable Dynamic AP Management" checked, but it does not work; through the management interface they register without problems.
    Is it possible to do this? Is it supported?

    I don't know whether I understand your question properly or not.
    I think you want to join APs to the management and AP manager interfaces at the same time?
    When you want to allow APs to join on two ports 1 (management) & 2 at the same time, then you have to use this:
    As you must be aware, only one AP manager is allowed per port. So if you leave the Management interface as an AP-manager and just create one additional AP manager interface, you’ll allow APs to join to either port, but the Management interface will not be able to fail over since that would make two AP managers on the same interface.
    Or 
    Remove the AP management function from the Management interface and then create two new AP manager interfaces (one for each port).
    Regards
    Don't forget to rate helpful posts

  • Wlc 5508 get error when use port-channel

    We have two WLCs in the system, a 5508 and a 4402.
    We configured HA for the 2 WLCs; both WLCs have LAG enabled.
    When I connect 2 interfaces of the 5508 to 2 interfaces (in a port channel, mode on, trunk, dot1q) of a couple of VSS switches, I can't manage the 5508 through the web any more, and I still can with the 4402.
    If I shut down 1 port in the port-channel, it works well.
    Do you know what happened?
    Thanks
    Duyen

    Hi Scott,
    We have VSS (2 x 6509) trunked with 2 4506 switches.  One port of the WLC 4402 connects to one port of one 4506 switch.
    2 ports of the WLC 5508 connect to the 6509s, each port connected to one 6509 switch.
    the config in VSS switch like this:
    interface gig1/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 500 mode on
    interface gig2/1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    channel-group 500 mode on
    etherchannel load-balancer src-dst-ip
    (I don't see this command in the running config)

  • WLC 5508 Multiple Interfaces for Multiple SSIDs

    Hello guys,
    I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
    I have 2 questions:
    1. Can I have 5 interfaces configured on 5 different VLANs, each SSID on a different port:
    Port 1: Controller management only=> 192.168.x.x /24
    Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing)
    Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing)
    Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth)
    Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
    2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?

    Yes you can... but you have to disable LAG.  Each port will need to be connected to a dot1q trunk and you will only allow the VLAN that is required for that port.  Also on the interface, you will define what port is primary and what is backup.  I'm guessing you will not be using the backup port.  For example... port 1 that connects to a trunk port will only allow the management VLAN.  Here is a link to set up DHCP on the WLC
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml
    Thanks,
    Scott
    Help out others by using the rating system and marking answered questions as "Answered"

  • WLC 5508 , AP client dhcp address different from WLAN interface VLAN subnet?

    Hope the title makes sense, here's my situation: I have multiple businesses on 1 WLC 5508, there's a LAG to my core switch with separate interfaces for each, broken up by VLANs.
    My question is: if I have a WLAN set up to use interface "Company A", which is VLAN 10 with an IP of 10.0.1.5, which then points to 10.0.1.10 for DHCP.
    Can the WLAN client connecting to the Company A WLAN use an IP in a different IP range (192.168.1.10)? Can the WLC route? From the perspective of the DHCP server, where does the request come from (10.0.1.5)?
    Can the DHCP server 10.0.10.10 on VLAN 10 respond back with an IP on a different subnet to assign to the client to use, and still be fully functioning? Would the default gateway for the client need to be 10.0.1.5?  So the client's IP would be 192.168.1.10 /24 with a gateway of 10.0.1.5 (IP address of the VLAN 10 interface on the WLC). And if multiple clients on the same subnet wanted to talk to each other, would the WLC know how to route them to each other without passing through the default gateway?
    Sorry if this is confusing, I'm having a bit of a hard time explaining it in words. I can try and draw something up if it makes more sense.
    thanks
    Eric

    I think if you want these clients to stick to a WLAN configured on a VLAN that has a different IP addressing you could configure your VLAN with the normal IP addressing then add on the SVI the 2nd IP_Class_default_gateway.
    E.G.
    Vlan 10
    interface vlan 10
    ip address 10.0.10.1 255.255.255.0
    ip address 192.168.1.1 255.255.255.0 secondary
    Clients that receive IP address from 192.168.1.0/24 network will be able to reach 192.168.1.1 and all traffic will pass right.

  • WLC 5508 AP-Manager interface

    Hi, I own a WLC 5508 and I (probably) do not understand AP-Manager interfaces. I have a lab with 2x 1242AG and 1x 1252AG connected to c2960. APs are in vlan 10 (192.168.10.0/24, configured via DHCP), APs are connected to "switchport mode access" interface. c2960 is connected via a trunk to c4506, and WLC is plugged in gi1/3 and gi1/4 (both through twingig). Both ports are configured as "switchport mode trunk". Management interface on WLC is on WLC port 8 (connected to gi1/4), and AP-Manager is on WLC port 1 (connected to gi1/3). Management interface on WLC has "Dynamic AP management" set to disabled, and AP-Manager has it set to enabled. Both, Management and AP-Manager interfaces are tagged, vlan id 12 and 13 (subnets 192.168.12.0/24, 192.168.13.0/24) respectively. APs receive their IP configuration via DHCP (server located in vlan 20, 192.168.20.0, ip helper-address in use), and try to discover WLC by DNS resolution (CISCO-CAPWAP-CONTROLLER.some.domain resolves to AP-Manager IP correctly). But APs do not join to controller, WLC says "Ignoring discovery request received on non-management interface", AP has "not joined" status in Monitor/Statistics/AP Join.
    But if I set the management interface as "Dynamic AP enabled", and change DNS to resolve CISCO-CAPWAP-... to its IP, everything works fine - the AP joins at once. Please help, how to join a LAP to the AP-Manager interface? Joining to the WLC management interface is simple, but my design requires at least 2 AP-Manager interfaces.

    Hello,
    I just wanted to mention foremost; a split LAG configuration is not supported on the WLCs.  This "can" be achieved if you are splitting your LAG ports amongst VSS configuration on your two capable devices, but is not a recommended or supported configuration. I would highly suggest a LAG configuration over your individual port.  As far as the "ap-manager" concern you have of managing more than 48 APs, you are correct in that the AP-manager cannot handle more than 48 APs, however only when in an individual port configuration.  The LAG will overcome this limitation.
    George was correct about your DNS entry, this needs to point to the WLC's management interface.  This is why the AP joined when you pointed the DNS entry back to the management address-- as intended.
    This link is anchored to the mgmt, ap-manager, and dynamic interface creation for the 7.0.116.0 Config Guide: http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1286790
    "If" you want to keep an individual port configuration, and need more than 60 APs connected, you will need to create more than one "ap-manager" interface.  You will just make a new dynamic interface and place it on the same network as the current ap manager (i.e., management interface) and mark it for dynamic ap management.  All APs will still need to only see the management interface for joining; the WLC will assign to the appropriate AP manager as needed.  The WLC will fill up the first AP manager before joining building tunnels through the next AP-manager interface, so in your lab you will not really be able to test this behavior, assuming the 3-4 APs you were using.
    1. You can keep your management interface with "dynamic ap management" enabled so this serves as the first AP manager; if you desire. 
    2. You will need to create another dynamic interface mapped to the next port.  Enable "dynamic ap management" again here, and place this new "ap-manager" interface on the same VLAN as the mgmt.  Keep in mind creating a dynamic interface and designating it as an AP manager prevents mapping that interface to a WLAN, see note below.
    *NOTE (from config guide): When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
    I would highly suggest the LAG configuration so there is no need to worry about the ap manager interfaces, regardless of the number of APs communicating. This also allows for growth if WLC needs to be licensed for more and more APs.

  • ACL blocking traffic towards the management interface on WLC 5508

    Hello All,
    I need to apply an ACL in WLC 5508 such that it would allow https traffic on management interface only from selected clients. 
    For same, I have created an ACL permitting only the intended users while blocking the rest. Have applied the same on the management interface. 
    However still the access from all devices to management interface is not blocked. The ACL hit count too is not incremented. 
    I am on WLC code 8.0.110.0. 
    Has anyone else faced similar issue while applying ACL against management interface. 
    Highly appreciate the inputs. 
    Thanks and Regards,
    Adnan

    Hi Adnan,
    you have to apply this ACL as a CPU ACL. Then it will work.
    For your reference:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4
    Hope that helps...
    Kind regards
    Philip
    --> Pls rate useful responses <--

  • 5508 WLC HA pair - change management interface settings

    Hi,
    We have a pair of 5508 WLC's in a HA configuration that is working well at the moment, however I have noticed that the management interface is configured as untagged. I would like to change this to tagged and change the attached switch to trunk for these devices but if I try and edit the management interface through the GUI the VLAN and IP address section is greyed out and cannot be changed. While I could attempt it through the CLI and am comfortable doing that, the fact that it cannot be changed through the GUI implies that this should not be changed and so I am after further information. I don't have any lab equipment other than the HA pair in production so I cannot try changing it through the CLI at the moment. 
    The WLC's are in LAG mode if that makes any difference. I realise there may be downtime required for making this change but I am trying to work out the steps to get this done without having to drastically reconfigure things. 
    Any assistance would be appreciated. 

    Introduction of New Interfaces for HA Interaction
    Redundancy Management Interface
    The IP address on this interface should be configured in the same subnet as the management interface. This interface will check the health of the Active WLC via network infrastructure once the Active WLC does not respond to Keepalive messages on the Redundant Port. This provides an additional health check of the network and Active WLC, and confirms if switchover should or should not be executed. Also, the Standby WLC uses this interface in order to source ICMP ping packets to check gateway reachability. This interface is also used in order to send notifications from the Active WLC to the Standby WLC in the event of Box failure or Manual Reset. The Standby WLC will use this interface in order to communicate to Syslog, the NTP server, and the TFTP server for any configuration upload.
    Redundancy Port
    This interface has a very important role in the new HA architecture. Bulk configuration during boot up and incremental configuration are synced from the Active WLC to the Standby WLC using the Redundant Port. WLCs in a HA setup will use this port to perform HA role negotiation. The Redundancy Port is also used in order to check peer reachability sending UDP keep-alive messages every 100 msec (default timer) from the Standby WLC to the Active WLC. Also, in the event of a box failure, the Active WLC will send notification to the Standby WLC via the Redundant Port. If the NTP server is not configured, a manual time sync is performed from the Active WLC to the Standby WLC on the Redundant Port. This port in case of standalone controller and redundancy VLAN in case of WISM-2 will be assigned an auto generated IP Address where last 2 octets are picked from the last 2 octets of Redundancy Management Interface (the first 2 octets are always 169.254).

  • Help with Cisco 5508 management interface

    Hello,
    I'm trying to verify some behaviors I'm seeing with my 5508 controller setup and forgive me for missing anything obvious, I've zero experience with this hardware and clueless on the best practices. With that said... out of the box I ran through the AutoInstall process.
    I gave my service port an IP address on my subnet, 10.10.8.0/24 vlan 100 and gave the management interface the ip address 10.10.30.5/24 vlan 130
    From my host I can ping the management interface 10.10.30.5 and the interface gateway 10.10.30.1
    I cannot connect to the controller via 10.10.30.5 either through the web GUI or telnet
    I can connect to the controller via 10.10.8.200 both through the web interface and telnet
    while connected to the service port, I can ping the management port IP but I cannot ping the 10.10.30.1 gateway.
    We have attached two test 3502I AP's and they found the controller and pulled correct ip addresses, clients can authenticate and access network resources as well as the Internet so for the most part, things are working but it concerns me that the management interface can't ping its own gateway.
    Keep in mind, I did no other configurations besides what got configured in the AutoInstall process. What should I look at to resolve?
    Thanks!
    Mike

    The service port is for out of band management and should not be connected to the network.  If connected to the network, it should not have connectivity to the management interface of the WLC. 
    You can create an ACL to block the service port IP to the management VLAN if you want.  I normally do not connect the service port to the network.

  • WLC 5508 Management Interface Connection

    I'm setting up a new 5508.  I've used the config from a 4402, have successfully connected to the Service port to manage the device, but for some reason cannot connect to the Management interface.  In this case, port 1.
    The service port is connected to a Catalyst switch and grabbed an ip address (10.2.x.x subnet) no problem.  I can access the 5508 via https using the SP.  However, port 1 is connected to the same Catalyst switch, but on a different vlan (subnet 10.20.x.x).  Both ends show that the interfaces are up, I can ping the interface from any other host on the network, but when I try to manage the device via https I cannot connect.  We are using WCS and I cannot add the device from the WCS.  About all I can do is ping that interface.
    I've probably overlooked something very basic, but I'm baffled.

    Thanks for the reply.
    No, definitely not that.  I have all of those enabled.  I have the SP connected to another vlan on the same switch and can manage through that port(https, telnet).  I've tried about every combination of trunk port, access port, etc.  I'm beginning to suspect the GBICs (10baseT), but both ends show that I am connected at 1000 and I can ping the ip address of the management interface.

  • WLC 5508 management interface

    Hi, I have a particular wireless design that requires one WLC 5508 to be connected to two separate switches. Port 1 of the WLC is connected as a trunk to Switch A and Port 2 of the WLC is connected to Switch B. Each switch has its own local VLANs. When I connect 1130 LAPs they need to find the management interface initially and then use only AP management interfaces. Since there is only one management interface, if I assign the management interface to a VLAN that is configured on Switch A, then APs on Switch A join fine but those on Switch B keep asking for the management interface, and from the capwap debug on the WLC it says that the join request was received on the wrong interface ....
    the only work around to this was to make routing between switch A and switch B for the two vlans on which APs reside... but for security purposes - client would like to avoid this
    any help much appreciated ..

    Hi thanks for your reply,
    Yes I agree perfectly with your explanation - On both switches I have UDP forward for 5246 and 5247 and everything works fine.
    You understood exactly what's happening: for initial discovery the Guest AP asks for the management interface through WLC port 2, but the management IP is on the admin side, WLC port 1, and then it drops the packet saying that it was received on the wrong port. In fact that is why I put an ACL between the Admin switch and guest switch that allows only 5426 capwap control - just to allow that initial discovery from the guest AP to contact the Management interface, which can only be assigned to one port and in my case it is on the admin switch side. And that is why I had to make a route between the two independent switches.
    My question is to know if there is any other way with my given design to eliminate this initial discovery to the management interface, as my client would like the admin and guest switches to be completely separated, i.e. without the routing. Is there any way that the guest APs can make contact with the AP management interface on their side only, skipping the discovery of the management interface? The guest APs were primed on the admin side so they know the IP. After the initial discovery, if I remove the routing between the admin and guest switch, guest APs keep their connectivity without any problems.

  • WLC 5508 Cant get access via the Mgmt Interface

    Hello everybody,
    I have a WLC 5508 (version 7.0.98.0). If I ping the service port interface or try to get access via this interface, everything is fine, but I can't get access via the management interface (but it's pingable).
    The crazy thing is that the LAP joined successfully to the WLC, but the Upgrade tool (converting an AP to a LAP) doesn't work, because the tool can't reach the mgmt interface of the WLC.
    There are no ACLs which are blocking the traffic between the WLC and my computer.
    Does anyone have an idea what I've configured wrong?
    Regards,
    Rocco

    Interface Name   Port  Vlan Id  IP Address     Type     Ap Mgr  Guest
    wlan1            1     16       172.16.2.10    Dynamic  No      No
    management       1     2        172.16.1.10    Static   Yes     No
    wlan2            1     220      172.16.3.10    Dynamic  No      No
    service-port     N/A   N/A      10.75.100.99   Static   No      No
    virtual          N/A   N/A      1.1.1.1        Static   No      No
    and my PC is in the 172.16.4 subnet.
    I have no access to the switch port where the controller is connected, but I know that this port permits access to the VLANs which are used.

  • WLC 5508 with 6.0.188 -- ap-manager interface..

    6.0.188 code on new 5508 WLC does not show ap-manager interface.
    6.0.188 code on 4404 wlc does have ap-manager interface.
    Both are working fine.
    Why is that?

    The 5500 controllers use the management interface to function as both the management interface and ap-manager.  There will not be an ap-manager in the 5500.
