Managment VLAN - SSID mapping
I'm implementing a large WLAN for a hospital. they will be using Cisco VPN and RSA OTP to provide authentication and data confidentiality/integrity. They also desire a Wireless LAN Solution Engine.
I wish to create a "user" VLAN-SSID mapping, and a "wireless network management" VLAN-SSID mapping, so I can require users to use VPN to get off their local segment, but also use WLSE & HPOV to manage the WAPs via a managment interface.
To trunk the mgmt vlan, I think i need to map it to an ssid on the WAP. However, I do not want the mngmt vlan/ssid to accept client associations. I basically only want the mngmt vlan to exist on the wire and at the AP, not on the RF.
How would I accomplish this?
It is a little bit of a kludge to do this but.
On the vlan SSID page set the max allowed associations to 1 ( 0 will mean max number of associations will be 2047) This will allow only on client to associate, now you can block this one by creating a MAC address filter on that VLAN that has no MAC address in it and the default action for both multicast and unicast is discard.
You could do just the filter but if the filtre is ever turned off then you have the added bonus of only one client getting through
David
Similar Messages
-
Autonymouse AP1121 - Management Vlan and SSID Vlan
Hello,
We are using an ACS server to authenticate wireless users to active directory this works fine. The issue occurs when we try to pull an ip and we can't fomr the dhcp. The vlan we have the SSID on is vlan 10 and the management vlan of the AP is vlan 500. The ip-helper info is correct because wired users on vlan 10 get an ip immedialty. We just can't pull one with the AP. Does anyone know the config for this? Here is my current config, the client authenticate through the ACS 4.2 but pull no ip, the only way for me to manage the ap is to have the native vlan command on there, once i remove it i can't telnet. What is the fix for this? Thanks
current switch port config ap is plugged into.
interface FastEthernet1/0/48
switchport trunk encapsulation dot1q
switchport trunk native vlan 500
switchport mode trunkDo you have sub interfaces for vlan 10 being brigged through the radio interface?
Example config below...
interface Dot11Radio0.10
description Secure Wireless access
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
bridge-group 10 spanning-disabled
interface FastEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
no bridge-group 10 source-learning
bridge-group 10 spanning-disabled
Also verify that vlan 10 is allowed on the trunk interface of the switch by typing "show int trunk" -
VWLC clients getting DHCP address from management VLAN
Hi,
We have a strange scenario whereby some wireless employees are obtaining addresses from the management VLAN.
Some details:
DHCP managed by MS DHCP 2008 R2 (in remote data centre)
Cisco vWLC AIR-CTVM-K9 running v7.6.110.0
AP's are a mix of 2602 and 3702 (46 and 2 of each respectively)
SSID's are employee, guest, and production devices (all mapped to their own interface with relevant VLAN tag as per normal)
AP's all in FlexConnect mode as per vWLC caveats
Some employees are receiving addresses in the wireless management VLAN. This network only has six DHCP addresses available as it is solely for AP's, WLC and HSRP gateway. Obviously this gets exhausted very quickly leaving us with a scenario where clients are not obtaining DHCP addresses.
I understand that with FlexConnect mode, it will assign IP's from the native VLAN. What I don't understand is why most clients receive addresses in the correct VLAN, but a handful do not, and then cannot get an address from DHCP. Obviously the ideal scenario would be to put the AP's into local mode but unless this has changed in a SW release then I don't believe it's possible...
My question is: How do I get ALL the employees to obtain addresses from their interface and not the management VLAN?
Thanks in advance.Hi,
I think we need a closer look to your configurarion to eliminate some possibilities:
- What is the WLAN security you choose?
- What is the interface that is configured under the WLAN?
- Does your WLAN have local switching enabled?
- If your security is using RADIUS server, do you have AAA override enabled under the WLAN config?
- If your security is using RADIUS server, do you send any attributes to the users?
- You have eliminate that clients that got management vlan IPs are always on same AP or they can be on any AP.
HTH
Amjad -
Dynamic VLAN/SSID assignment using 4402/MS IAS
Greetings,
In short we have a WLC4402 (50 AP license) and approx 30 1252s LAPs in place. Right now we have three VLANs/SSIDs in place - one for admin, one for teachers and one for students. The WLC uses a MS Windows 2003 server running IAS for PEAP authentication. The clients are Windows XP, the SSID is entered manually based on "pre-designation" of the laptop's "type" (either admin, teacher or student).
This is working fine. However more and more frequently our users have been "sharing" laptops so a student may need to use a teacher's laptop and vice-versa. In short we would like to use dynamic VLAN/SSID assignment so that if a student does have a teacher's laptop the "student" VLAN/SSID would be assigned to them when log in (and the proper ACLs, QoS policies, etc would be applied)
We have found documentation on how to perform this with an ACS but is there anything available for this configuration with a MS IAS server.
Any input/information would be greatly appreciated.
JoeShaun,
My LAG - etherchannel interface
interface Port-channel8
description WLC-portchannel
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
end
My 2 WLC Fiber ports:
Current configuration : 382 bytes
interface GigabitEthernet7/47
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
2200-3A#sh run int g7/48
Building configuration...
Current configuration : 382 bytes
interface GigabitEthernet7/48
description CiscoWLC-LAG-Ports
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,3,24-26
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
spanning-tree bpdufilter enable
channel-group 8 mode on
end
I use vl1 for ap mgmt, vl3 for hotspot, and vl24-26 for WPA2 clients and wireless voip devices.
One of my AP switchports on the same switch. I let the trunk port to the AP carry a range of vlan's, and then a manage the vlans assigned to clients with IAS and the WLC.
interface FastEthernet4/48
description AP-PoE
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1-1004
switchport mode trunk
service-policy output autoqos-voip-policy
qos trust cos
auto qos voip trust
tx-queue 3
bandwidth percent 33
priority high
shape percent 33
end
Jim -
Wireless AP Management VLAN and BVIs
Hi All,
I've been looking around and I can't find a solution to what I am trying to achieve and I was hoping the community may have had more luck than I have.
I'm looking to have my management VLAN for my AP setup as a tagged BVI but I'm struggling to get it setup. I can set it up fine using BVI1 and having it just accessed on the native VLAN but I see this as a security flaw, I don't really want direct access into my management network on the switch.
Now there may be a better way of preventing this but I am, at least compared to many, still fairly new to Cisco and this seems to be the best approach. Please see below for my current config, hopefully you can let me know where I am going wrong.
Also, as a note, at the moment I am mainly focusing on the management security of the AP before I check the wifi config, hence the radios still being shutdown so there may also be small errors in this. I have also removed some elements which are not relevant.
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname AP01
no ip source-route
no ip cef
dot11 syslog
dot11 ssid <Guest secure network SSID>
vlan 30
authentication open
authentication key-management wpa version 2
guest-mode
wpa-psk ascii <key>
dot11 ssid <Internal Secure SSID>
vlan 10
authentication open
authentication key-management wpa version 2
wpa-psk ascii <key>
ip ssh version 2
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
packet retries 64 drop-packet
channel 2437
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
encryption vlan 10 mode ciphers aes-ccm tkip
encryption vlan 30 mode ciphers aes-ccm tkip
ssid <Guest secure network SSID>
ssid <Internal Secure SSID>
antenna gain 0
peakdetect
no dfs band block
packet retries 64 drop-packet
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 port-protected
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio1.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
interface Dot11Radio1.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 subscriber-loop-control
bridge-group 30 spanning-disabled
bridge-group 30 block-unknown-source
no bridge-group 30 source-learning
no bridge-group 30 unicast-flooding
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
bridge-group 10 spanning-disabled
no bridge-group 10 source-learning
interface GigabitEthernet0.30
encapsulation dot1Q 30
no ip route-cache
bridge-group 30
bridge-group 30 spanning-disabled
no bridge-group 30 source-learning
interface GigabitEthernet0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
bridge-group 100 spanning-disabled
no bridge-group 100 source-learning
interface GigabitEthernet0.101
encapsulation dot1Q 999 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
interface BVI1
no ip address
no ip route-cache
shutdown
interface BVI100
mac-address <Actual ethernet address>
ip address 10.33.100.101 255.255.255.0
no ip route-cache
ip default-gateway 10.33.100.254
ip forward-protocol nd
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
bridge 100 protocol ieee
bridge 100 route ip
line con 0
logging synchronous
line vty 0 4
transport input ssh
end
As you can see I am using BVI100 as the management VLAN for the device and BVI1 is shutdown with vlan 999/int gi0/101 holding bridge group 1.
With this setup I can't get any IP communication, send or receive but I can see the MAC address on the switch in the MAC address table on vlan100. There is also no entries in the ARP table of the AP.
The switch is setup with vlan 999 untagged and vlans 10,30,100 as tagged.
Hope you can help! Thanks for any advice in advanced.
Many thanks,
Martin.Yea that would work and I have set it up like this without issue but I'm trying to limit access to the management VLAN, I don't want someone to be able to plug directly into the switch and be on the same broadcast domain as alll of the other equipment.
There are otherways of achieving this but I felt like I was so close with the above config but I was just missing something. -
HI, I want to use the management VLAN254 for my 4 WAP321. but after changing the management vlan in the unit from 20 th 254 I lost contact with the unit.
The switch I use is a Cisco 2960. Here's the config of the port :
interface FastEthernet0/23
switchport trunk native vlan 254
switchport trunk allowed vlan 5,20,254,1002-1005
switchport mode trunk
spanning-tree portfast
Vlan 5 and 20 are my two SSID Vlan
I was able to connect to the unit when the management vlan was set to 20 with an IP of 192.168.254.51 but since I chaged the vlan in the unit can't connect to it, I can't even ping it from the switch ...
Any ideas ?Hi Tom,
Got it back to work by setting the native Vlan in my 2960 to vlan 20
I also have an issue with my 2nd wireless network, vlan 20 if I don't set the untagged vlan to 20 I can't reach that network. but no problem with my wireless network with vlan 5 which is the first one. It looks like the vlan tagging only work for the first network. Is this a normal behaviour of that AP ?
Ben -
Hi Everyone,
I m working with a leading ISP in India.The issue is that our engineering team has come up with the plan of migrating all management vlans for metro and other switches to vlan1.Presently we are using spearate vlans for management.Somethig like below.
Aggregation router#show runn inter gi0/2.137
Building configuration...
Current configuration : 250 bytes
interface GigabitEthernet0/2.137
description Connectivity for ABC
encapsulation dot1Q 137
ip address 203.154.26.97 255.255.255.240
ip policy route-map ABC
no cdp enable
end
Switch 1 end:(2950)
interface Vlan137
ip address 203.154.26.101 255.255.255.240
no ip route-cache
ip default-gateway 203.154.26.97
switch 2:(2950)
interface Vlan137
ip address 203.154.26.103 255.255.255.240
no ip route-cache
ip default-gateway 203.154.26.97
The router inter gi0/3 is connected to the trunk port on summit switch and a wireless device provides connectivity to the switch 1 and further another oen to switch 2.
The entire pasth is on layer 2.
Please suggest as to how can i migrate to mgmt vlan 1.
Can it be something like
inter gi0/2.1
encapsulation dot1q 1
ip addres
since 2950s dont support more thane one active mgmt vlan wat can be the best way of migration???This is a tricky proposition. Best way you mean without getting disconnected, right? Cause when you start to change the mgmt interface via telnet, you are risking of getting disconnected once the mgmt inteface is change. for example, you know that there can only be one active interface vlan on 2950 for mgmt purpose. If you are changing the interface vlan from vlan 237 to vlan 1, if they will have the same ip address, you'll have to shut down one of them. Let's say you are able to do that, then how will you bring up the other interface with getting disconnected? remember you are telneted in. the best way will be to console in when you make changes on the mgmt vlan. You'll probably have to walk to the switch anyway if you made the change via telnet. changing the mgmt vlan will not affect the switch's ability to switch packets.
-
1200: Native VLAN & Management VLAN
I want to keep the management VLAN and native VLAN seperate. Is this the correct setup when using VLAN 999 as the native VLAN and VLAN 100 for the management VLAN.
Management VLAN 100 (10.100.0.0/24)
### Trunk SW ###
description "AP"
switchport trunk encapsulation dot1q
switchport trunk native vlan 999
switchport trunk allowed vlan
switchport mode trunk
switchport nonegotiate
speed 100
duplex full
### AP ###
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 99 key 1 size 128bit 7 3831CB248113D952741376BEC352 transmit-key
encryption vlan 99 mode wep mandatory
encryption vlan 11 mode ciphers tkip
ssid xoxoxo
vlan 11
authentication open eap eap_methods
authentication network-eap eap_methods
authentication key-management wpa
ssid xxx
vlan 99
authentication network-eap eap_methods
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0
rts threshold 2312
station-role root
interface Dot11Radio0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
bridge-group 11 subscriber-loop-control
bridge-group 11 block-unknown-source
no bridge-group 11 source-learning
no bridge-group 11 unicast-flooding
bridge-group 11 spanning-disabled
interface Dot11Radio0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
bridge-group 99 subscriber-loop-control
bridge-group 99 block-unknown-source
no bridge-group 99 source-learning
no bridge-group 99 unicast-flooding
bridge-group 99 spanning-disabled
interface dot11radio 0.999
encapsulation dot1q 999 native
interface dot11radio 0.100
encapsulation dot1q 100
interface FastEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
ntp broadcast client
interface FastEthernet0.11
encapsulation dot1Q 11
no ip route-cache
bridge-group 11
no bridge-group 11 source-learning
bridge-group 11 spanning-disabled
interface FastEthernet0.99
encapsulation dot1Q 99
no ip route-cache
bridge-group 99
no bridge-group 99 source-learning
bridge-group 99 spanning-disabled
interface fastethernet 0.999
encapsulation dot1q 999 native
interface fastethernet 0.100
encapsulation dot1q 100
interface BVI100
ip address 10.100.0.110 255.255.255.0
no ip route-cache
ip default-gateway 10.100.0.1This looks correct to me. Do you have a non_root bridge on their other side?
Are you able to trunk all 4 VLANS with this config? -
1300 bridge with native and management vlan in different vlans
Hello,
We are going to set up a wireless bridge between two 1300 accesspoints. In our network the native vlan and the management vlan are different vlan's. Will we be able to manage the ap and switch at the "remote" site? Do we have to set up two ssid's, one for native and one for management?
regards,
RutgerToo answer my own question:
I don't think it is possible. Things work fine by making our management vlan the native vlan on switches and ap's involved. Management IP address on the BVI1 interface and everything works!
Rutger -
Management VLAN on a WAP371.
Hello,
When I try and configure the WAP371 to use my management VLAN, I lose control of the WAP. I am connecting it to my 3750-X stack, and I have the port it is connected to configured as an 802.1Q trunk, and the 3750-X shows the port up as an 802.1Q trunk. I have configured VLAN 501 as the management VLAN and when I configure the management VLAN on the WAP371 to use VLAN 501, and I set an appropriate static IP for this VLAN, and an appropriate default gateway, I can no longer communicate with the WAP371. I do know it is properly using VLAN tags, as the other SSIDs are communicating with hosts on the respective VLANs associated with each SSID. I have tried leaving the untagged VLAN support on, I have turned it off. I am out of ideas on what else to try. If anyone else has successfully configured the WAP371 to use a tagged VLAN I would love to hear about what was needed.
Thx
BryanMy name Eric Moyers. I am an Engineer in the Small Business Support Center.
I am sorry to hear that you are experiencing this issue.
What is the management VLAN that is used on the other parts of your network? I would suggest calling in to open a case with one of our phone engineers so that we can work with you.
Eric Moyers
.:|:.:|:. CISCO | Eric Moyers | Cisco Technical Support |
Wireless and Surveillance Subject Matter Expert
Please rate helpful Posts and Let others know when your Question has been answered. -
3702i AP's not Joining WLC - Layer 3 discovery request not received on management VLAN
Hi Guys,
This is a follow up post to this thread: https://supportforums.cisco.com/discussion/12400481/3702i-not-joint-2504
Have been playing around with my AP's and made sure the time is correct on all the devices ( WLC and Switch). I have also moved the AP's to the same Vlan as the management IP of the WLC.
if I move the AP's to the same Vlan as the WLC they join and are happy, as soon as I move them to a different Vlan they cant join and there time goes back to the default plus they do not seem to save the WLC details to flash but still remember the test names I give them.
it appears that option 43 is working fine as I can see it look for the WLC IP and I have done some trouble shooting on the WLC and it looks like it see's the AP but doesn't except it.
please see below for the boot up of the AP and the WLC logs:
AP
IIOS Bootloader - Starting system.
*** deleted for breverity *****
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1"...#########################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1" uncompressed and installed, entry point: 0x2003000
executing...
Secondary Bootloader - Starting system.
Montserrat Board
*** deleted for breverity *****
Boot CMD: 'boot flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1;flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1'
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1"...###############################################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1" uncompressed and installed, entry point: 0x1003000
executing...
*** deleted for breverity *****
cisco AIR-CAP3702I-Z-K9 (PowerPC) processor (revision A0) with 376810K/134656K bytes of memory.
Processor board ID FGL1838X4T1
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.0.110.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F4:4E:05:B7:1E:84
Part Number : 73-15243-01
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC18343WPR
Top Assembly Part Number : 068-05054-03
Top Assembly Serial Number : FGL1838X4T1
Top Revision Number : A0
Product/Model Number : AIR-CAP3702I-Z-K9
% Please define a domain-name first.
Press RETURN to get started!
*Mar 1 00:00:19.295: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:19.755: Registering HW DTLS
*Mar 1 00:00:19.763: APAVC: Initial WLAN Buffers Given to System is 2500
*Mar 1 00:00:19.815: APAVC: WlanPAKs 42878 RadioPaks 42270
*Mar 1 00:00:22.127: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:26.055: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:26.167: Loading Power Tables from ram:/Q2.bin. Class = A
*Mar 1 00:00:26.167: record size of 3ss: 1168 read_ptr: 4F9698E
*Mar 1 00:00:31.207: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:31.251: Loading Power Tables from ram:/Q5.bin. Class = Z
*Mar 1 00:00:31.251: record size of vht: 2904 read_ptr: 4F9698E
*Mar 1 00:00:31.407: Wait until the stile protocol list is initialized.
*Mar 1 00:00:32.651: Start STILE Activation
*Mar 1 00:00:34.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 1 00:00:35.447: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 19-Dec-14 11:20 by prod_rel_team
*Mar 1 00:00:35.447: %SNMP-5-COLDSTART: SNMP agent on host Test_1 is undergoing a cold start
*Mar 1 00:00:36.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:37.787: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
*Mar 1 00:00:37.939: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:37.939: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:00:47.567: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Mar 1 00:00:48.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
*Mar 1 00:00:50.431: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Mar 1 00:00:50.431: DPAA Initialization Complete
*Mar 1 00:00:50.431: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:51.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:53.435: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Mar 1 00:00:53.867: Currently running a Release Image
*Mar 1 00:00:54.287: Incorrect certificate in SHA2 PB !
*Mar 1 00:00:54.287: Using SHA-1 signed certificate for image signing validation.
*Mar 1 00:00:54.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:59.787: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.2, mask 255.255.255.0, hostname Test_1
*Mar 1 00:01:02.707: APAVC: Succeeded to activate all the STILE protocols.
*Mar 1 00:01:02.707: APAVC: Registering with CFT
*Mar 1 00:01:02.707: APAVC: CFT registration of delete callback succeeded
*Mar 1 00:01:02.707: APAVC: Reattaching Original Buffer pool for system use
*Mar 1 00:01:02.707: Pool-ReAtach: paks 42878 radio42270
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:01:10.103: AP image integrity check PASSED
*Mar 1 00:01:10.187: Incorrect certificate in SHA2 PB !
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:01:11.591: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
*Mar 1 00:01:12.691: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.947: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:14.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar 1 00:01:20.211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 CLI Request Triggered
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:01:31.215: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
*Mar 1 00:02:11.599: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:02:11.603: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:02:11.611: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:02:12.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:02:12.639: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:02:12.647: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Mar 1 00:02:12.655: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:02:13.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:02:13.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:02:13.699: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:02:14.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Not in Bound state.
*Mar 1 00:02:44.719: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:02:49.839: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.3, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:02:55.719: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
Not in Bound state.
*Mar 1 00:03:59.219: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:04:04.343: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.4, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:04:10.223: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
WLC:
isco Controller) >show time
Time............................................. Tue Jan 27 17:44:47 2015
Timezone delta................................... 0:0
Timezone location................................ (GMT +8:00) HongKong, Bejing, Chongquing
NTP Servers
NTP Polling Interval......................... 3600
Index NTP Key Index NTP Server NTP Msg Auth Status
1 0 150.101.176.226 AUTH DISABLED
(Cisco Controller) >show ap join stats summary
Incorrect input! Use 'show ap join stats summary [all/<ap-mac>]'
(Cisco Controller) >show ap join stats summary all
Number of APs.............................................. 2
Base Mac AP EthernetMac AP Name IP Address Status
f4:4e:05:aa:a6:a0 f4:4e:05:94:c3:98 APf44e.0594.c398 10.1.1.22 Joined
f4:4e:05:b6:ce:f0 N A Test_1 10.1.20.7 Not Joined
(Cisco Controller) >show ap join stats detailed f4:4e:05:b6:ce:f0
Sync phase statistics
- Time at sync request received............................ Not applicable
- Time at sync completed................................... Not applicable
Discovery phase statistics
- Discovery requests received.............................. 45
- Successful discovery responses sent...................... 21
- Unsuccessful discovery request processing................ 24
- Reason for last unsuccessful discovery attempt........... Layer 3 discovery request not received on management VLAN
- Time at last successful discovery attempt................ Jan 27 17:45:49.705
- Time at last unsuccessful discovery attempt.............. Jan 27 17:45:49.705
Join phase statistics
- Join requests received................................... 0
- Successful join responses sent........................... 0
- Unsuccessful join request processing..................... 0
- Reason for last unsuccessful join attempt................ Not applicable
- Time at last successful join attempt..................... Not applicable
- Time at last unsuccessful join attempt................... Not applicable
Configuration phase statistics
--More-- or (q)uit
- Configuration requests received.......................... 0
- Successful configuration responses sent.................. 0
- Unsuccessful configuration request processing............ 0
- Reason for last unsuccessful configuration attempt....... Not applicable
- Time at last successful configuration attempt............ Not applicable
- Time at last unsuccessful configuration attempt.......... Not applicable
Last AP message decryption failure details
- Reason for last message decryption failure............... Not applicable
Last AP disconnect details
- Reason for last AP connection failure.................... Not applicable
- Last AP disconnect reason................................ Not applicable
Last join error summary
- Type of error that occurred last......................... Lwapp discovery request rejected
- Reason for error that occurred last...................... Layer 3 discovery request not received on management VLAN
- Time at which the last join error occurred............... Jan 27 17:45:49.705
AP disconnect details
- Reason for last AP connection failure.................... Not applicable
Ethernet Mac : 00:00:00:00:00:00 Ip Address : 10.1.20.7
(Cisco Controller) >show interface summary
Number of Interfaces.......................... 4
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
ap LAG 20 10.1.20.231 Dynamic No No
guest LAG 30 10.1.30.231 Dynamic No No
management LAG 10 10.1.1.231 Static Yes No
virtual N/A N/A 1.1.1.1 Static No No
SWITCH
witch#show run
Building configuration...
*** deleted for breverity *****
no aaa new-model
clock timezone AWST 8
system mtu routing 1500
ip routing
ip dhcp pool WAP_Pool
network 10.1.20.0 255.255.255.0
default-router 10.1.20.1
option 43 hex f104.0a01.01e7
ip dhcp pool Clients
network 10.1.30.0 255.255.255.0
default-router 10.1.30.1
dns-server 203.0.178.191
ip dhcp pool test
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
crypto pki trustpoint TP-self-signed-4082587776
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4082587776
revocation-check none
rsakeypair TP-self-signed-4082587776
*** deleted for breverity *****
*** deleted for breverity ***** !
interface FastEthernet0/3
description *** WLC ****
switchport trunk encapsulation dot1q
switchport mode trunk
interface FastEthernet0/4
description **** AP *****
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface FastEthernet0/5
description **** AP ****
switchport access vlan 20
switchport mode access
spanning-tree portfast
interface FastEthernet0/6
i*** deleted for breverity ***** !
interface Vlan10
description *** Managment ***
ip address 10.1.1.230 255.255.255.0
interface Vlan20
description *** WIRELESS APS ***
ip address 10.1.20.1 255.255.255.0
interface Vlan30
ip address 10.1.30.1 255.255.255.0
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip http server
ip http secure-server
ip sla enable reaction-alerts
l*** deleted for breverity *****
ntp clock-period 36028827
ntp source FastEthernet0/1
ntp server 121.0.0.42
ntp server 202.127.210.37
end
I have also placed a Device in Vlan 20 and it is able to ping the WLC and the WLC can ping it s routing is working.
ThanksHey Scott,
I gave that a shot and still no luck, log's from AP boot up:
IIOS Bootloader - Starting system.
flash is writable
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 67 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 20894208
flashfs[0]: Bytes available: 20264448
flashfs[0]: flashfs fsck took 20 seconds.
Base Ethernet MAC address: f4:4e:05:b7:1e:84
Ethernet speed is 100 Mb - FULL Duplex
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1"...#########################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-mx.153-3.JA1" uncompressed and installed, entry point: 0x2003000
executing...
Secondary Bootloader - Starting system.
Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Xmodem file system is available.
flashfs[0]: 67 files, 9 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 41158656
flashfs[0]: Bytes used: 20894208
flashfs[0]: Bytes available: 20264448
flashfs[0]: flashfs fsck took 21 seconds.
flashfs[1]: 0 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 12257280
flashfs[1]: Bytes used: 1024
flashfs[1]: Bytes available: 12256256
flashfs[1]: flashfs fsck took 1 seconds.
Base Ethernet MAC address: f4:4e:05:b7:1e:84
Boot CMD: 'boot flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1;flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1'
Loading "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1"...###############################################
File "flash:/ap3g2-k9w8-mx.153-3.JA1/ap3g2-k9w8-xx.153-3.JA1" uncompressed and installed, entry point: 0x1003000
executing...
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 19-Dec-14 11:20 by prod_rel_team
Montserrat Board
40MB format
Tide XL MB - 40MB of flash
Initializing flashfs...
flashfs[2]: 67 files, 9 directories
flashfs[2]: 0 orphaned files, 0 orphaned directories
flashfs[2]: Total bytes: 40900608
flashfs[2]: Bytes used: 20894208
flashfs[2]: Bytes available: 20006400
flashfs[2]: flashfs fsck took 14 seconds.
flashfs[2]: Initialization complete.
flashfs[4]: 0 files, 1 directories
flashfs[4]: 0 orphaned files, 0 orphaned directories
flashfs[4]: Total bytes: 11999232
flashfs[4]: Bytes used: 1024
flashfs[4]: Bytes available: 11998208
flashfs[4]: flashfs fsck took 0 seconds.
flashfs[4]: Initialization complete.
Copying radio files from flash: to ram:
Copy in progress...CCCCC
Copy in progress...CCC
Copy in progress...CCCC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCC
Copy in progress...CC
Copy in progress...CCCCC
Copy in progress...CCCC
Copy in progress...CC
Uncompressing radio files...
...done Initializing flashfs.
Radio0 present 8764 8000 0 A8000000 A8010000 0
Rate table has 650 entries (20 legacy/224 11n/406 11ac)
POWER TABLE FILENAME = ram:/Q2.bin
Radio1 present 8864 8000 0 80000000 80100000 4
POWER TABLE FILENAME = ram:/Q5.bin
Radio2 not present 0 0 0 0 0 8
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
cisco AIR-CAP3702I-Z-K9 (PowerPC) processor (revision A0) with 376810K/134656K bytes of memory.
Processor board ID FGL1838X4T1
PowerPC CPU at 800Mhz, revision number 0x2151
Last reset from power-on
LWAPP image version 8.0.110.0
1 Gigabit Ethernet interface
2 802.11 Radios
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: F4:4E:05:B7:1E:84
Part Number : 73-15243-01
PCA Assembly Number : 000-00000-00
PCA Revision Number :
PCB Serial Number : FOC18343WPR
Top Assembly Part Number : 068-05054-03
Top Assembly Serial Number : FGL1838X4T1
Top Revision Number : A0
Product/Model Number : AIR-CAP3702I-Z-K9
% Please define a domain-name first.
Press RETURN to get started!
*Mar 1 00:00:19.295: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed (15)
*Mar 1 00:00:19.755: Registering HW DTLS
*Mar 1 00:00:19.763: APAVC: Initial WLAN Buffers Given to System is 2500
*Mar 1 00:00:19.815: APAVC: WlanPAKs 42878 RadioPaks 42270
*Mar 1 00:00:22.127: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:26.055: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0 (4)
*Mar 1 00:00:26.167: Loading Power Tables from ram:/Q2.bin. Class = A
*Mar 1 00:00:26.167: record size of 3ss: 1168 read_ptr: 4F9698E
*Mar 1 00:00:31.207: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1 (4)
*Mar 1 00:00:31.251: Loading Power Tables from ram:/Q5.bin. Class = Z
*Mar 1 00:00:31.251: record size of vht: 2904 read_ptr: 4F9698E
*Mar 1 00:00:31.407: Wait until the stile protocol list is initialized.
*Mar 1 00:00:32.651: Start STILE Activation
*Mar 1 00:00:34.571: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to down
*Mar 1 00:00:35.447: %SYS-5-RESTART: System restarted --
Cisco IOS Software, C3700 Software (AP3G2-K9W8-M), Version 15.3(3)JA1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2014 by Cisco Systems, Inc.
Compiled Fri 19-Dec-14 11:20 by prod_rel_team
*Mar 1 00:00:35.447: %SNMP-5-COLDSTART: SNMP agent on host Test_1 is undergoing a cold start
*Mar 1 00:00:36.563: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:37.787: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to uplwapp_crypto_init: MIC Present and Parsed Successfully
*Mar 1 00:00:37.939: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:37.939: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:00:38.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:00:47.567: %LINK-6-UPDOWN: Interface BVI1, changed state to down
*Mar 1 00:00:48.567: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
*Mar 1 00:00:50.431: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed (2-16)
*Mar 1 00:00:50.431: DPAA Initialization Complete
*Mar 1 00:00:50.431: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:51.431: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
*Mar 1 00:00:53.435: %LINK-6-UPDOWN: Interface BVI1, changed state to up
*Mar 1 00:00:53.867: Currently running a Release Image
*Mar 1 00:00:54.287: Incorrect certificate in SHA2 PB !
*Mar 1 00:00:54.287: Using SHA-1 signed certificate for image signing validation.
*Mar 1 00:00:54.575: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:59.787: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.2, mask 255.255.255.0, hostname Test_1
*Mar 1 00:01:02.707: APAVC: Succeeded to activate all the STILE protocols.
*Mar 1 00:01:02.707: APAVC: Registering with CFT
*Mar 1 00:01:02.707: APAVC: CFT registration of delete callback succeeded
*Mar 1 00:01:02.707: APAVC: Reattaching Original Buffer pool for system use
*Mar 1 00:01:02.707: Pool-ReAtach: paks 42878 radio42270
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:01:10.103: AP image integrity check PASSED
*Mar 1 00:01:10.187: Incorrect certificate in SHA2 PB !
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:01:10.203: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:01:11.591: %CDP_PD-4-POWER_OK: 15.4 W power - NEGOTIATED inline power source
*Mar 1 00:01:12.691: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.691: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:13.947: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:14.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Mar 1 00:01:20.211: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 port 514 CLI Request Triggered
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:01:31.215: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
*Mar 1 00:02:11.599: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:02:11.603: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Mar 1 00:02:11.611: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Mar 1 00:02:12.603: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Mar 1 00:02:12.639: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:02:12.647: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Mar 1 00:02:12.655: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Mar 1 00:02:13.639: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:02:13.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Mar 1 00:02:13.699: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:02:14.699: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Not in Bound state.
*Mar 1 00:02:44.719: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:02:49.839: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.3, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:02:55.719: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP
Not in Bound state.
*Mar 1 00:03:59.219: %CAPWAP-3-DHCP_RENEW: Could not discover WLC. Either IP address is not assigned or assigned IP is wrong. Renewing DHCP IP.
*Mar 1 00:04:04.343: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.1.20.4, mask 255.255.255.0, hostname Test_1
Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
*Mar 1 00:04:10.223: %CAPWAP-5-DHCP_OPTION_43: Controller address 10.1.1.231 obtained through DHCP -
Dynamic VLAN/SSID assignment w/IPv6
I have followed the answer in this discussion which instructs on how to get Dynamic VLAN/SSID assignments using WLCs + MS IAS:
https://supportforums.cisco.com/thread/339396
This works great for IPv4. This does not appear to work for IPv6.
I have CT2504 WLCs running v7.0.116.0 and AP 3502s. I have a Windows 2003 IAS working for 802.1x authentication using PEAP and per-user/group dynamic VLAN/SSID assignments. Based on who you authenticate as, you are placed on the appropriate VLAN.
However, IPv6 does not function properly. I believe this is due to the nature that the WLC only bridges IPv6 from the Interface Group that the WLAN is assigned to and/or whatever Multicast VLAN you assign.
If I connect as a user assigned to the same matching VLAN as the WLAN Interface / Multicast VLAN, IPv6 works just fine. I do not even have to have the "Enable IPv6" box checked in the Advanced tab, nor does the "Multicast Vlan Feature" need to be enabled - IPv6 still works.
If I connect as a user that is assigned to a different VLAN than the WLAN Interface / Multicast VLAN, I see the IPv6 Router Advertisement from the WLAN Interface / Multicast VLAN, and not the VLAN that "Allow AAA Override" switched me to. Naturally since I'm getting as IPv6 prefix for a different VLAN, when I try to route traffic through the IPv6 default gateway (which isn't on the VLAN I'm connected to), it doesn't work.
One work-around to have IPv6 support is to use distinct, non-dynamic per VLAN/SSID assignments. This is ugly and doesn't scale (16 max SSIDs).
Has anyone else experienced this and know of a solution?
For now I'll just have to set the WLAN Interface to a VLAN which does not have IPv6 enabled and my wireless users won't have IPv6 unless they VPN on top of Wifi. Rather disappointing.this sounds alot like another implication of IPv6 with "more than one VLAN on the same SSID".
see this thread:
https://supportforums.cisco.com/thread/2157621?tstart=60
not with dynamic vlan, but vlan select - which, on the L2/L3 on SSID-side is essentially the same.
as mentioned in the thread, 7.2 has a feature that "automatically sends the correct RA to the correct clients via L2 wireless unicast. By unicasting the RA, clients on the same WLAN, but a different VLAN, do not receive the incorrect RA."
lucky for you, 7.2 is available for the 2504 - with my WiSM1s I am out of luck :-(
so this feature *could* solve this problem, as the problem is that the wrong IPv6-RAs are broadcasted for the client (because the SSID is the same) -
Best Practices for management VLAN
Hi guys,
I have a client with a data center where they have lots of VLANs running off a 3750 (main switch) and then they have a 3550 and a 2950 running off from this main 3750.
They have lots of VLANs configured and I see that Vlan1 is not being used. Currently, all the IPs of the switches and routers belong to one of the customer Vlan's.
I've read that this is bad practice and that a management VLAN should be created. But I think I've also read that when it comes to management Vlans, one needs to stay away from Vlan1
So I am not sure how to tackle this.
any help?
thanksHere is a very good discussion which should answer all your questions.
http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=true&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc12936/14
http://www.cisco.com/warp/public/cc/pd/si/casi/ca6000/prodlit/vlnwp_wp.htm#wp39009 -
Why does management VLAN ID matter in Cisco AP541n configuration?
is working on configure AP541n AP, is able to connect to the AP wired, assign AP static IP with proper subnet mask & default gateway,
when it's done, everything looks perfectly, but since I changed the management VLAN ID from 1 to 2, I can't even connect to the AP wired from the PC, why does the change matter?
thanks.Hi,
When working with access points in IOS mode also known as autonomous the access point requiers that you configure an Ip address on the BVI1 which is linked to the bridge group 1 and set us untagged.
Now when working with VLANS if the access point has an ip address on vlan x then you will need to confiugre this as the native vlan and with the bridgroup 1.
If you do not do this then you will see the issue you are reporting.
In other words if the access point will have an ip address for vlan 30 the the native vlan on the ap will need to be vlan 30 and vlan or the subnet for vlan one linked to the bridge group 1
Sent from Cisco Technical Support iPhone App -
Management VLAN Design and Implementation
Greetings, friends. I'm having trouble getting a clear picture of how a management VLAN ought to look. I just installed a Catalyst 6509-E as my core switch, and as soon as they arrive I'm going to be replacing all of our other (HP) switches with Catalyst 3560X switches. I understand the reasoning behind segregating traffic, not using VLAN1, etc., but I've never actually implemented a management VLAN--I've always just accessed the switches via the IPs assigned to them where all the client traffic flows (not VLAN1, by the way).
Is "management VLAN" simply what we as humans call a VLAN we dedicate to management activities, or is there something official in these switches to designate a "management VLAN?"
Is it best practice to include SNMP, netflow, syslog, and NTP as "management" traffic?
There's a lot of documentation talking -about- management and management VLANs, but unless I'm blind or not looking hard enough I can't seem to find any implementation whitepapers or best practices whitepapers that demonstrate setting one up on a campus LAN. Are you able to point me in the right direction to find such documentation? Is it perhaps buried in a manual somewhere that isn't explicitly labeled "Management VLAN Design and Implementation" or somesuch?
What is the best practice for accessing the management VLAN? Inter-VLAN routing + ACLs? Multi-homed PCs or servers? Additional PCs to be used as access stations?
Thank you for your wisdom, experience, and advice!
Kevin1. Yes, you may want to keep this traffic separate of the other traffic limiting device management access to just this vlan, as this prevents eavesdropping.
2. Indeed all other housekeeping goes via this VLAN altough you could limit it to the interactive or session traffic.
3. On a campus you could think of one big VLAN spanning the campus, one a multi-site environment or where you use L3 to go to you datacenters you probably need multiple management lan's. I've seen implementations where the management traffic was kept separate and even didn't use the routing protocol in use. The whole management lan was statically routed and would work even if OSPF or BGP was down.
4. I feel a situation where the people providing support are connected on the lan giving access to the devices is probably best. A dual homed pc is a good solution I think, other customer feel the management lan should be treated as a DMZ accessible via a firewall, but the hardcore customer insist on a second pc connected to the management lan.
Points to consider are as always,
Find the single point of failure. Any device, L2 L3 firewall that could cut off management from accessing a part of the network.
Find the right balance between security, costs, easy of access for the business your in.
Cheers,
Michel
Maybe you are looking for
-
How to keep my Aperture library from showing up in other user's iPhoto?
I use an iMac 24 with OS 10.8.2 I use Aperture on my account and my wife and kids use iPhoto on their separate accounts on the same computer. For some reason, over the last few months, everytime they open thier iPhoto, my Aperture photos show up fir
-
Hi, I am calling an Entitybean(CMP) method (with Transaction attribute REQUIRED) from Stateless Session BEan. does container automatically start new transaction when i call this method or I hv to star
-
Filtyer by the sum of a fact/metric that is on the report
Hi I have a fact on the report that shows the count of apointments per day. How do I filter on this fact/report so that the report shows only the days that have more than 7 appointments please? Also I couldn't find an answer to this in the forums. Do
-
Is it possible to connect a Mac Mini into a PC monitor and keyboard, cuz thats all I have
-
i was wondering if i could embed images into html and end up with a single file