Management via Dynamic interface

Hello
I am trying to deny mgmt via dynamic interface on my WLC 5508. I have disabled both mgmt via Wireless and mgmt via dynamic interface, but I can still do SSH mgmt to the dynamic interface on the controller.
Can someone help me with this?
Regards
Erik

Hi,
Here is a config example of ACLs in WLCs:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807810d1.shtml.
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
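The manual check in the question above (disable the setting, then try SSH against the dynamic interface) can be scripted. This is an added example, not part of the original posts: it parses controller output shaped like the `show network summary` and `show interface summary` lines quoted on this page and probes TCP 22/23/80/443 on each dynamic interface. The sample text, function names and verdict strings are constructed for illustration.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Management services a WLC can expose: SSH, Telnet, HTTP, HTTPS.
MGMT_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https"}

# Constructed sample input, shaped like the controller output quoted on this page.
SAMPLE_NETWORK_SUMMARY = """\
Mgmt Via Wireless Interface................. Disable
Mgmt Via Dynamic Interface.................. Disable
"""
SAMPLE_INTERFACE_SUMMARY = """\
Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
173                              7    173      172.16.101.100  Dynamic Yes    No
management                       1    172      172.16.100.100  Static  Yes    No
service-port                     N/A  N/A      0.0.0.0         DHCP    No     No
virtual                          N/A  N/A      1.1.1.1         Static  No     No
"""


def parse_mgmt_flags(text: str) -> Dict[str, bool]:
    """Return {'Mgmt Via Dynamic Interface': True/False, ...} from the summary."""
    pattern = r"^\s*(Mgmt Via \w+ Interface)\.+\s*(Enable|Disable)\s*$"
    return {m.group(1): m.group(2) == "Enable"
            for m in re.finditer(pattern, text, re.M)}


def parse_interfaces(text: str) -> List[dict]:
    """Parse the interface table; rows without a valid IP column are skipped."""
    rows = []
    for line in text.splitlines():
        # Split from the right so an interface name containing spaces survives.
        parts = line.rsplit(None, 6)
        if len(parts) != 7:
            continue
        name, port, vlan, ip, kind, ap_mgr, _guest = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # header line or unrelated text
        rows.append({"name": name.strip(), "port": port, "vlan": vlan,
                     "ip": ip, "type": kind, "ap_mgr": ap_mgr == "Yes"})
    return rows


def tcp_probe(ip: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to ip:port completes within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(network_summary: str, interface_summary: str,
          probe: Callable[[str, int], bool] = tcp_probe) -> List[dict]:
    """Compare the configured setting with what the dynamic interfaces answer."""
    allowed: Optional[bool] = parse_mgmt_flags(network_summary).get(
        "Mgmt Via Dynamic Interface")
    findings = []
    for itf in parse_interfaces(interface_summary):
        if itf["type"] != "Dynamic" or itf["ip"] == "0.0.0.0":
            continue
        for port, service in sorted(MGMT_PORTS.items()):
            if not probe(itf["ip"], port):
                continue
            if allowed is None:
                verdict = "setting-unknown"
            elif allowed:
                verdict = "exposed-by-config"
            else:
                verdict = "reachable-despite-disable"
            findings.append({"interface": itf["name"], "ip": itf["ip"],
                             "port": port, "service": service,
                             "verdict": verdict})
    return findings


if __name__ == "__main__":
    # Offline demonstration with a constructed probe result (SSH answers).
    def fake_probe(ip: str, port: int) -> bool:
        return (ip, port) == ("172.16.101.100", 22)

    for finding in audit(SAMPLE_NETWORK_SUMMARY, SAMPLE_INTERFACE_SUMMARY, fake_probe):
        print(finding)
```

Run it once from a wired host on the dynamic interface VLAN and once from a wireless client, because the controller treats the two kinds of client differently for management access.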

Similar Messages

  • Mgmt Via Dynamic Interface not working on 5505 version 7.2.111.3

    Folks,
    I have posted this question a couple of times on the forum but did not get a solution. I am trying to manage my 5508 controller from a dynamic interface which is assigned to port 7 of the controller. I have a switch connected to that port which has a PC on the same subnet as the dynamic interface. From the PC, I can ping the dynamic interface IP address, but cannot telnet, SSH, http or https to it. There is no clear doc that specifies how to effectively use the "config network mgmt-via-dynamic-interface" command.
    Mgmt Via Wireless Interface................. Enable
    Mgmt Via Dynamic Interface.................. Enable
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    173                                      7    173      172.16.101.100  Dynamic Yes    No
    management                         1    172      172.16.100.100  Static  Yes    No
    service-port                           N/A  N/A      0.0.0.0         DHCP    No     No
    virtual                                    N/A  N/A      1.1.1.1         Static  No     No
    7  Normal  Forw Enable  Auto       1000 Full  Up     Enable  N/A     1000BaseTX
    Any guidance would be highly appreciated.

    I'm having a similar issue and have 2 TAC cases open.
    TAC CASE#1: the issue is that even when disabled I can still access the dynamic interface via HTTPS/HTTPS/TELNET/SSH. But this is on a WISM1.
    Thanks a lot for your quick and prompt response, I see that there is an internal Bug with an ID CSCty32586.
    I see that the bug is said to be fixed in 7.0.230.0, but it's not fixed. The bug is fixed in 7.2.x version.
    I understand that you are using Wism on which 7.1.x version and above is not supported.
    As 7.0.235.3 is released recently to overcome some of the changes and to fix some of the Bugs with older version on these devices.
    Kindly try to upgrade the software version of the WLC to 7.0.235.3 and check the compatibility.
    Please do let me know in case of any concerns and I will be glad to assist you.
    TAC CASE#2: Just like you I can not access the dynamic interface. Still working that one .. The holiday dropped when I just opened that case.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Color Management via Dynamic link

    Hey guys.
    I know I don't know too much about color management right now, but I read a handy article linked from this forum that suggested that all comps should be set to a 32 bit (or 16) linearized workflow with the sRGB 2.1 working space.
    So far I have found the colors to be more accurate than AE's default setting and I like it. My problem now lies via Dynamic Link with Premiere Pro.
    I am working on a sequence handed over to me for VFX'ing. Using Dynamic link makes it easier to work between the 2 programs, but when I work with the above color management settings, the resulting image in AE looks fine, but the image updating in Premiere is several notches darker.
    Is there a way to effectively work via dynamic link and color management between the 2 projects?
    Many thanks.

    Actually, I notified you DO NOT linearise your working space until you fully understand linear workflow. That, among other things, means you shouldn't linearise working space in all AE projects. Quite contrary, you should understand, when to linearise them and when not. That Stu Maschwitz blogpost, the link to which I submitted, contains a lot of other links, including this one to the discussion on when to go linear.
    Your current issue relates to the question that neither PrPro nor AME is colour manageable (color aware) application. It can be corrected in several ways:
    1. As Rick said, just turn Linearize Working Space off (it can ruin your current colour correction as well).
    2. Apply Gamma Correction effect onto your dynamically linked comp in PrPro timeline (which is not quite correct workaround, actually).
    3. So as not to rebuild Dynamic Link, pre-compose what is in your dynamically linked comp now into another one. In your modified dynamically linked comp go to View menu and disable Use Display Color Management. Apply Color Profile Converter onto your pre-comp layer and set Output Profile to sRGB, leaving Input one in default 'Project Working Space' mode.

  • Disabling Management via Wireless - is there any point?

    Hey guys.
    Firstly, yes, I do know that allowing management of controllers over an unsecured WLAN is a bad idea (although even that would be SSL-secured by default, but open to brute-forcing I'd guess).
    Secondly, let's assume that Management via Dynamic Interfaces is disabled too (why anyone would want to enable that is a bit beyond me too?).
    This 1 little tickbox manages to justify an entire page in the GUI, so it definitely looks pretty darn important!
    The problem is that in a multi-controller environment the only controller that knows you're connecting over wireless is the one that you're connecting through. Any other controller will be happy to accept the management connection on its management interface address because it sees it as coming from the wired network. To prevent this from happening I think you could do either of two things...
    1) Apply a CPU ACL that blocks the client IP ranges, which will work equally well for wireless and wired-side connections, i.e. it's the equivalent of the "management via wireless" setting but works for all controllers simultaneously. You'd have to remember to keep this updated though if ever your WLANs and client ranges change.
    2) Put the management interfaces of all controllers in an isolated management VLAN (which will potentially complicate all your supporting services access, e.g. DHCP/RADIUS/etc.). That'll stop the undesirable "wired" access on the n-1 controllers and then the mgmt-via-wireless will take care of the wireless access to the other 1 controller.
    So the setting seems rather pointless on its own in anything other than in a single-controller environment. I'm sure I've read somewhere that the controllers do tell each other about their current clients (for things like CCKM and rogue management), so wouldn't it be cool if this centralised awareness logic was applied to management connections?
    What are the experiences out there with this feature? Is it generally seen as worthwhile, or does it really need some extra planning and possible augmentation via other features to be of any value?
    In general, other than popular paranoia about wireless being "less secure" than wired access, what are the compelling reasons for denying management via wireless? As I mentioned above, even over a completely non-secured WLAN you'd still have SSL/SSH security if you configure your allowed management protocols right.
    Thanks,
    Justin

    Yes "It makes the auditors happy" is definitely a good and valid reason.
    I've just co-incidentally come across this in the 5.0.148 release notes:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn501480.html#wp234100
    "Preventing Clients from Accessing the Management Network on a Controller
    To prevent or block a wired or wireless client from accessing the management network on a controller (from the wireless client dynamic interface or VLAN), the network administrator should ensure that there is no route through which to reach the controller from the dynamic interface or use a firewall between the client dynamic interface and the management network."
    That makes sense, but do many folks out there do it that way? Generally there's not much control between the management VLAN and the users' VLAN because the latter is usually where the wireless-supporting services reside.

  • 2125 WLC Dynamic interfaces and their physical interface

    I'm trying to broadcast multiple SSIDs per AP. I would like the new second SSID to be on a different VLAN. I have been reading this article http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml#dyn-interface and it looks like you create a trunk port on the switch that the WLC is connected to, which makes sense to me. A friend however told me to use a separate physical interface on the WLC and assign the dynamic interface to it and connect it to the desired VLAN, instead of using the interface that is currently in production. I liked this idea because I would have downtime trying to reconfigure the port as a trunk that's in production.
    So I guess my question is, if I use a secondary port on the WLC to connect to a different network than what the AP is on, how will communication work? When the AP sends data to the WLC will everything be encapsulated in CAPWAP? How about the primary link connecting the WLC to the primary production network? Will this data to and from the WLC on the switch retain its CAPWAP encapsulation? Now that I'm thinking about it I guess it would have to since the WLC is what decapsulates the CAPWAP data and not the switch...
    I would just like some advice on if I'm doing this correctly. Thanks a lot!  -Mark

    We generally recommend one trunk port to be configured for different VLAN (for management and AP interface) but we can use another Ethernet port also on WLC for any different VLAN config.
    For all your port-related queries please find the attached link with the diagram:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
    Q. How does a WLC switch packets?
        A. All the client (802.11) packets are encapsulated in a LWAPP packet by the LAP and sent to the WLC. WLC decapsulates the LWAPP packet and acts based on the destination IP address in the 802.11 packet. If the destination is one of the wireless clients associated to the WLC, it encapsulates the packet again with the LWAPP and sends it to the LAP of the client, where it is decapsulated and sent to the wireless client. If the destination is on the wired side of the network, it removes the 802.11 header, adds the Ethernet header, and forwards the packet to the connected switch, from where it is sent to the wired client. When a packet comes from the wired side, WLC removes the Ethernet header, adds the 802.11 header, encapsulates it with LWAPP, and sends it to the LAP, where it is decapsulated, and the 802.11 packet is delivered to the wireless client. For more information about this, refer to the LWAPP Fundamentals section of the document Deploying Cisco 440X Series Wireless LAN Controllers.
    Q. What are the various options available to access the WLC?
        A. This is the list of options available to access the WLC:
            GUI access with HTTP or HTTPS
            CLI access with Telnet, SSH, or console access
            Access through service port
        For more information on how to enable these modes, refer to the Using the Web-Browser and CLI Interfaces section of the document Cisco Wireless LAN Controller Configuration Guide, Release 5.1. Usually, the management interface IP address is used for GUI and CLI access. Wireless clients can access the WLC only when the option Enable Controller Management to be accessible from Wireless Clients is checked. In order to enable this option, click the Management menu of the WLC, and click Mgmt via Wireless on the left-hand side. WLC can also be accessed with one of its dynamic interface IP addresses. Use the config network mgmt-via-dynamic-interface command to enable this feature. Wired computers can have only CLI access with the dynamic interface of the WLC. Wireless clients have both CLI and GUI access with the dynamic interface.

  • WLC2504 - Dynamic interface problem

    Hi,
    I have a problem with my WLC2504. My WLC is connected through two ports (1 and 2 of four) to my distro switch, where I have dot1q trunks configured. WLC is configured with Management interface (IP address 192.168.255.9/24), over which my LAPs are correctly joined. However, once I try to add an additional Dynamic WLC interface, which has VLAN TAG 10 and which I'd like to associate with my WLANs, my WLC stops responding through GUI and SSH, but pings on the management and dynamic interface IP addresses are successful. Just as a note, dynamic AP management is not enabled on the mentioned dynamic interface. In the case when I enable dynamic AP management on the dynamic interface (activated also on management interface), GUI and SSH work, but I cannot associate a WLAN to the dynamic interface, only to the management one.
    Thanks for soon answer
    palo73

    The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. The management interface is also used for communications between the controller and APs. The management Interface is the only consistently "pingable" in-band interface IP address on the controller. The management interface will act like an AP manager interface by default.
    The dynamic interface with the “Dynamic AP Management” option enabled on it is used as the tunnel source for packets from the controller to the AP, and as the destination for CAPWAP packets from the AP to the controller. The dynamic interfaces for AP manager must have a unique IP address. Typically, this is configured on the same subnet as the management interface, but this is not necessarily a requirement. In the case of the Cisco 2500 Series Wireless Controller, a single dynamic AP manager can support any number of APs. However, as a best practice, it is suggested to have 4 separate dynamic AP manager interfaces and associate them to the 4 Gigabit interfaces. By default, the management interface acts like an AP-manager interface as well and it is associated to one Gigabit interface. As a result, if you are using the management interface, you need to create only 3 more dynamic AP manager interfaces and associate them to the remaining 3 Gigabit interfaces.
    The virtual interface is used to support mobility management, DHCP relay, and embedded layer 3 security like guest web authentication and VPN termination. The virtual interface must be configured with an unassigned and unused gateway IP address. A typical virtual interface is 1.1.1.1. The virtual interface address is not pingable and should not exist in any routing table in your network.
    Dynamic interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The Cisco 2500 Series Wireless Controller will support up to 16 dynamic interfaces. Dynamic interfaces must be configured on a unique IP network and VLAN. Each dynamic interface acts as a DHCP relay for wireless clients associated to wireless LANs (WLANs) mapped to the interface. A WLAN associates an SSID to an interface and is configured with security, QoS, radio policies, and other wireless network parameters. There can be up to 16 WLANs configured per controller.
    Guidelines for Deploying the Cisco 2500 Wireless Controller
    Ethernet ports on Cisco 2500 Series Wireless Controllers do not work as Switch ports (that is, 2 machines directly connected to these ports will not be able to communicate with each other). You should not connect servers like DHCP, TFTP etc. on these ports and expect Wireless Clients and APs to receive an IP address from this DHCP server.
    Ethernet ports on the Cisco 2500 Series Wireless Controller should only be used to connect/uplink to an infrastructure network configured as a data interface (management interface and dynamic interfaces) or an AP-managers interface.
    If multiple Ethernet ports on a Cisco 2500 Series Wireless Controller are uplinked to an infrastructure switch, you should make sure data interfaces (management or dynamic interfaces) or AP-managers interfaces are configured for these uplinked physical ports. Physical Ethernet ports which are used as an uplink to an infra switch should not be left un-configured. This may result in unexpected behaviors.
    Multicast unicast is not a supported configuration on Cisco 2500 Series Wireless Controller. As a result, HREAP APs are not able to receive multicast traffic because HREAP APs only work with multicast unicast.
    For more information you can refer to the link -
    http://www.cisco.com/en/US/products/ps11630/products_tech_note09186a0080b8450c.shtml

  • FAQ: BC-LDAP-USR (Directory Interface for User Management via LDAP )

    Version: 20060317
    Q: Where can I find more information on the BC-LDAP-USR interface?
    A: Have a look on our ICC webpage in the SDN:
    SAP NetWeaver AS - Directory Interface for User Management via LDAP (BC-LDAP-USR)
    Q: What costs arise when we want our product to be certified?
    A: See also our SDN page under the headline "Price List".
    Q: Is there a link/page for the already certified products for this interface?
    A: Sure, have a look on our ICC page under the headline "Certified Solutions"
    Q: Who can we ask in case of general questions?
    A: Have a look at our general ICC forum:
    SAP Integration and Certification Center (SAP ICC)
    Of course, if you have urgent requests you can send them also directly to our local ICC's:
    ICC Walldorf in Germany: [email protected]
    ICC Palo Alto in USA: [email protected]
    ICC Bangalore in India: [email protected]
    Q: Who can we ask in case of technical questions ?
    A: This depends on the state of your certification project.
    1.) If the certification contracts have been signed then you can ask in this forum and if this does not solve your question go back to your assigned integration consultant.
    2.) When the certification contracts have not been signed then you can ask questions in this forum.

    I distinguish it using the passwordExpirationTime (or something like that, I don't have code here with me).
    This is possible if, after the password is expired, the user has at least one more access. It is a user policy that can be set in the LDAP server.
    If it is possible, the user can still log in and perform operations. You can search the passwordExpirationTime attribute and determine if the password is expired, and then send a message to the user, telling him to change it. (If only one access is allowed and you change the password with the same application or service then do not close the context, else you should not be able to connect again.) Instead, if you use an external script, then the last access should not give you problems.
    Hope I made myself clear.

  • Dynamic interface: dynamic AP management + NAT enabled

    Hello,
    I would like to ask for I have not found any supporting documents with regard to my concern.
    I would like to deploy our 2504 WLC connecting 600 Series OEAPs to it using a dynamic interface with dynamic AP management and NAT enabled disabling the management interface's dynamic AP management and NAT. Apparently, I was not able to connect the OEAPs to the WLC. But if I change the setting in using the management interface instead of my created dynamic interface, with dynamic AP management and NAT enabled, the OEAP successfully joins the controller.
    Are there any solutions that I could use a dynamic interface as ap-manager with NAT or is it that the management interface can only be used?
    Cheers!

    IIRC, you need the OEAP to join to the management address since that is where you will be entering the nat'd address. So using a dynamic interface will not work and really can only work when APs are local mode.

  • Management via wireless after H-REAP config

    Hi,
    Before I turned on H-REAP, created dynamic interfaces and did all the trunking to the AP's I could https to our controller on the management interface from the wireless network. After I put the config in place for the new SSID's, H-REAP etc.. I can't get to it from the wireless network. I can get to it from the local LAN. Any ideas??
    Thanks.

    Hi Mike,
    I'm trying to understand your question here ... If you have H-REAP enabled, you are UNABLE to HTTP/HTTPS into the WLC even when "Mgmt Via Wireless" is ticked (enabled)? What firmware are you using?
    I am asking because I am using 5.2.178.0 and Cisco has confirmed that there is a bug (CSCsz06335). With "Mgmt Via Wireless" is ticked (enabled) the bug ALLOWS you to manage the WLC via Wireless.
    This problem is only evident in the 5.2.178.0 version.
    According to Cisco TAC, a new firmware should be made available by early June 2009.
    Hope this helps.

  • Wireless lan Controller 4402 / ping dynamic interface failed

    Hi,
    I have a problem with a Wireless LAN Controller 4402.
    When I configure the dynamic interface on my network, with wired LAN
    I can't reach (I use the ping command) the IP address of the WLC.
    In my case (wired):
    On my PC I have an IP 10.1.78.1 255.255.0.0 and dgw 10.1.1.1 (vlan721)
    The LAN WLC has a management IP of 10.12.2.4 /24 (vlan799) [dgw 10.12.2.1]
    dynamic vlan 792 ip add 10.12.78.100 / 22 (vlan792) [dgw 10.12.68.1]
    I ping these interfaces (10.12.2.4 and 10.12.78.100) and the ping is ok.
    When I create a dynamic interface vlan 721 the problem starts:
    dynamic vlan 791 ip address 10.1.1.240 / 16 (vlan721)
    After this ... the ping on 10.12.2.4 and 10.12.78.100 doesn't respond very well
    and I lose 80-90% of the ping packets.
    Through the Wi-Fi, however, I do not have problems.
    The problem exists only via wired (cable).
    Can you help me?
    Thanks
    FCostalunga

    Hello,
    Pinging the dynamic interface is officially not supported. The reason why is because the controller places a very low priority on ICMP traffic. Typically, you will not have an issue with doing so on your wireless network because this interface is basically a gateway for the client. However, from the wired network - the only interface designed to respond to pings 100% of the time is the management interface. Hope this helps!
    -Mark

  • Prime Infrastructure 2.1.1 cannot add more than two interfaces in Dynamic Interface Controller Templates

    Cisco Prime Infrastructure is a damned nightmare of browser bugs (some features work in IE8, some in IE9, and some only in Firefox).  And I am not sure if what I am experiencing is a browser bug - or a real bug - or something that I was able to do before and can't any more?  I would love for someone to either explain why this is happening to me, or reproduce the bug!
    I'm running Prime 2.1.1.  I am doing this ...
    Configure > Controller Template Launchpad
    System > Dynamic Interface
    Select a command > Add interface (GO)
    Enter all the properties - roll to the bottom of the page, and click Apply to Controllers
    I have four controllers.  And normally I would add an interface for each controller.  But I can only create two out of the four.  It doesn't matter which two I choose.  When I click Add under Manage Interfaces for the third controller, I cannot click the Done button to apply it (see screenshot, attached).  I have found that if I change the VLAN to something else, it will let me save it.  But ... why?  I went back and reviewed all of my existing interface templates and I am not doing anything different.  Although, they were all created a long while ago using WCS 7.x.
    Any help, guidance, or confirmation of insanity would be appreciated.
    -Steve Ballantyne

    I doubt I will get any hits on this here but I always try.  I opened a TAC case.  I will come back and comment on whatever they find.

  • MIGO - Distribute quantities via an interface.

    Hi All,
    We currently use subcontracting to record the consumption of components in a BOM via a goods receipt.  Where a component of a BOM is batch managed, we can use the distribute quantities button against a line item to allocate more than 1 batch to the component.  For example we want to GR 10kg for a component, and 5kg comes from batch A and 5kg from batch B.
    The above scenario works well using MIGO (no similar distribute quantities functionality appears to exist in MB01). We are attempting to do the same via an interface. We are currently investigating the use of basic type MBGMCR02 (BAPI_GOODSMVT_CREATE) and WMMBID02 (function L_IDOC_INPUT_WMMBXY) but have had no luck. Before we delve into these IDOCs deeper, I wanted to check to find out if anyone else had done something similar via an interface?
    Our other option, as we cannot record a MIGO session, is to build our own wrapper around function module MB_CREATE_GOODS_MOVEMENT but  I want to avoid this development if we can use a standard interface.
    I'd appreciate any help or guidance in dealing with the above scenario.
    Many thanks,
    James.

    It is enough if you:
    1. Distribute the stub and skeleton.
    2. Make sure you know the proper string through which the server was bound to the registry.
    3. Make sure you call the appropriate objects and the proper method names on those objects.

  • Dynamic interface port assignment

    Good Day,
    I am setting up a 4402 (50 ap license ver 5.0) that will manage about 40 aps. Following the Cisco docs, I have created two ap manager interfaces for load balancing. Each physical port is attached to one of two Cat 6509s (no lag).
    Our network ultimately connects to a router (over which I have no control) with six 100 mps ports each representing a subnet/vlan. So my intent is to create six dynamic interfaces each corresponding to a vlan for load balancing and bandwidth optimization.
    My question regards assigning each dynamic interface to a physical port. Simple logic would have me assigning 3 interfaces to port #1 and three to port #2, then assigning a proportionate number of aps to each interface.
    Is it that simple, or are there other considerations?
    Thanks

    You're correct. Creating a dynamic interface for each VLAN is exactly what you need to do. This will load-balance the traffic from the multiple VLANs across your links.
    I would highly recommend that you consider LAGging the two uplinks. It provides better load-balancing and better redundancy. Since you're connecting to a 6509, you can LAG between two blades for redundancy purposes.
    Whether you LAG or not is completely up to you, of course. But you seem to be good to go if you want to leave them unLAGged.
    Jeff

  • WLC Dynamic Interface

    I wonder why we need Dynamic Interfaces. I have created two WLANs. One is WPA2-Enterprise obtaining vlan id's per user from Radius server and the other WEP wlan for guest users whose traffic should go to a specific guest vlan. I am using an external DHCP server and configured WLC not to proxy dhcp requests and to act as a bridge.
    I had to create dynamic interfaces on WLC (we are using 5508 with software version 7) for all the VLANs which radius server returns. I could make it with only defining the dynamic interfaces and entering 0.0.0.0 for ip addresses.
    For the other WLAN with WEP, I have to enter and IP for the dynamic interface to work. I am not sure if this is a requirement or my misconfiguration, but I do want a way not to set an IP address for the dynamic interface. I do not want to waste addresses and also do not want the clients to be able to access wlc through that IP address.
    I appreciate any comment on why I need IP addresses for dynamic interfaces.

    Vadood... The WLC does use that IP address as it needs to have layer 2 connection to any subnet it will place users on. Even if you're doing AAA override, the radius tells the WLC that that device needs to be on vlan x and the WLC will put that device on vlan x, but if the WLC has no IP address on that subnet, well then the communication stops there. The user will never get an IP address if using dhcp or if the device has a static, the WLC has no way to communicate to that subnet.
    By the way, users can't access the dynamic interface by default. You have to enable that. But then again, they can try to access the management interface also, unless you disable globally management over wireless.

  • Adding (dynamic) interfaces to WLC 2504 causes loss of network

    I'm trying to add a new dynamic interface, that I will tie a specific WLAN to so that clients on that WLAN are in the correct vlan. After adding it I lose connectivity both to the main management address (10.99.0.60) and to the IP address of the dynamic interface (10.99.12.4). In fact, the dynamic interface address responds and prompts me to log in, but after doing so all I get is a blank page. Here are the two interfaces pulled from the CLI - what am I doing wrong?
    And oh, not adding an IP to the dynamic interface makes it impossible to use within a WLAN.
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No

    So take a look at this. I have the dynamic interface used in wlan 2 (mytestssid as shown above). Now the management address, 10.99.0.60, can't be reached:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    After removing wlan 2 and the dynamic interface, mgmt access starts to work again:
    config wlan disable 2
    config wlan delete wlan 2
    config interface delete lan
    Nmap scan report for 10.99.0.60
    Host is up (0.0037s latency).
    PORT    STATE SERVICE
    22/tcp  open  ssh
    443/tcp open  https
    So... here's me adding the dynamic interface in cli AGAIN:
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        someotherssid / someotherssid              Enabled   management  
    (Cisco Controller) config> interface create lan 33
    (Cisco Controller) config> interface address dynamic-interface lan 10.99.12.4 255.255.252.0 10.99.12.1
    (Cisco Controller) >config wlan disable 1
    (Cisco Controller) >config wlan interface 1 lan
    (Cisco Controller) >config wlan enable 1
    Voila, management access lost again:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    This time, there's no physical port assigned to the dynamic interface 'lan':
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              -    33       10.99.12.4      Dynamic No     No   
    management                       1    31       10.99.0.60      Static  Yes    No   
    virtual                          N/A  N/A      1.1.1.1         Static  No     No   
    Adding that:
    (Cisco Controller) config interface port lan 1
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              1    33       10.99.12.4      Dynamic No     No   
    Still no management access..:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    For reference, the detailed interface config (which clearly shows that 'management' should be ap mgmt.. and dynamic interface 'lan' shouldn't (and thus shouldn't affect it - RIGHT?)):
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    By the way, the switchport of my (C3560G) doesn't specifically allow some VLANs - meaning they allow all VLANs:
    interface GigabitEthernet0/28
     description cisco_wlc
     switchport trunk encapsulation dot1q
     switchport mode trunk
    And the vlans in question are present:
    31   enet  100031     1500  -      -      -        -    -        0      0   
    32   enet  100032     1500  -      -      -        -    -        0      0   
    33   enet  100033     1500  -      -      -        -    -        0      0   
    34   enet  100034     1500  -      -      -        -    -        0      0   
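
Added example, not part of the original post: a small Python check that parses the first three Nmap port tables quoted in the post above, in the order they were run, and reports every change in port state on the management address between consecutive scans. The function names are hypothetical, and the sample text is copied from the post rather than captured from a live controller.

```python
import re

# Scan output quoted from the post above, in the order the steps were run.
SCANS = """\
Nmap scan report for 10.99.0.60
Host is up.
PORT    STATE    SERVICE
22/tcp  filtered ssh
443/tcp filtered https
Nmap scan report for 10.99.0.60
Host is up (0.0037s latency).
PORT    STATE SERVICE
22/tcp  open  ssh
443/tcp open  https
Nmap scan report for 10.99.0.60
Host is up.
PORT    STATE    SERVICE
22/tcp  filtered ssh
443/tcp filtered https
"""

# First token after "for" is the target (a hostname when nmap resolved one).
REPORT_LINE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")

def parse_scans(text):
    """Return [(host, {"port/proto": state}), ...] in scan order."""
    scans = []
    for line in text.splitlines():
        line = line.strip()
        m = REPORT_LINE.match(line)
        if m:
            scans.append((m.group(1), {}))
            continue
        m = PORT_LINE.match(line)
        if m and scans:  # ignore port rows that precede any report header
            scans[-1][1][f"{m.group(1)}/{m.group(2)}"] = m.group(3)
    return scans

def transitions(scans):
    """Return (scan_index, host, port, old, new) for each state change."""
    last, changes = {}, []
    for idx, (host, ports) in enumerate(scans):
        for port, state in ports.items():
            prev = last.get((host, port))
            if prev is not None and prev != state:
                changes.append((idx, host, port, prev, state))
            last[(host, port)] = state
    return changes
```

Running `transitions(parse_scans(SCANS))` after each configuration step gives a record of exactly which change moved SSH and HTTPS on the management address between `filtered` and `open`.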
