Remote WLC 5508

Similar Messages

• WLC 5508 and remote site (DMVPN) Access Points

  Hi All,
  We just purchased a WLC 5508 and would like to know if it will control remote VPN site Access Points.  Here are the details:
  The 5508 will live at our home office.  We have multiple remote sites that are connected via Cisco's DMVPN.  Each site has one Cisco 1131 Access Point hanging off of either a Cisco 1841 or a 2811 that is using DMVPN back to the home office 2811.  Can the 5508 manage the remote Access Points?
  Thanks for your help guys!

  Are you are talking about OfficeExtend?
  Cisco OfficeExtend
  https://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/solution_overview_c22-523307_ns348_Networking_Solution_Solution_Overview.html
  OfficeExtend supports 1130 & 1140 as long as you have the Wireless PLUS (WPLUS) Software.
  OfficeExtend Access Point
  http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0apcfg.html#wp1069890

• Mapping Multiple VLANs to Multiple SSIDs as one-one in WLC 5508 via H-REAP?

  Hi All,
  Can anyone please show me how to map a SSID/WLAN ID to a local vlan of a LAP in WLC 5508 using H-REAP local switched? The reason of doing this is to separate Data subnet/traffic from Voice as currently all 7925 handsets using same SSID as PCs. I would like to create two VLANs on APs and map them to two SSIDs. I could not see any option in WLC5508 to do this. Also when I change the AP mode from H-REAP to local and configuring sub interface using dot1q on the interface Gi0 then unable write running-config to startup-config because I get NVRAM Verification Failed as WLC protects any local changes on any registered LAP at NVRAM.
  Your help is much appreciated.

  Mehdi:
  I am talking about HREAP groups, not AP groups.
  You can not achieve what you want if you are using the same SSID on same AP with only a WLC (same AP with same SSID is mapped to different VLANs). You may need a radius server to dynamically assign a VLAN to the clients if you are using same SSID for data and voice.
  If you are using different SSIDs for voice and data, you can map each SSID to its corresponding VLAN on the remote site using the VLAN mapping option under HREAP tab in the AP config page.
  You can not configure the AP from its console. Lightweight APs can only be configured from the controller. (a few exceptions are available that do not apply here) .
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Anchor mobility configuration getting lost in wlc 5508 ios code 7.4.100.0

  It is observed that in WLC 5508 , ios 7.4.100.0 ,  mobility anchor configuration on wlan  is getting lost .  we configure anchor ip address on  guest wlan > mobility anchor >  Switch IP Address (Anchor).
  We have configured the template on NCS 2.0 to push the anchor mobility ip address on all WLC
  Has anyone oberved this behavoiur. We have more than 100 WLC  , and  everyweek  mobility anchor configuration is lost on some WLC having code  7.4.100.0.

  I am having this exact same problem.  I am running 7.3 on 5508 WLC.   My remote site LAP's are using Flex (HREAP).  The initial access point that my laptop associates to connects with no problem, as soon as I wander out of range of the initial LAP and into the area of another access point, I lose data connectivity.   The was validated like the original post as I start a constant ping on the LAN and watch as the ping latency increases and then ping replies stop.  The only way to correct the problem is resetting of the wireless adapter on the laptop.  Side note my DroidX has no problem wandering from AP to AP.
  Laptop: Windows 7 32bit
  I then returned to my home site and test where I have a secondary controller and the LAP's are configured for local mode, no problems roaming from access point to access point.   Validated with constant ping test.  The pings drop for a second and re-
  continues as the laptop reconnects.
  **Edit: I am going to try the removing the DHCP Addr. Assignment required option, and report that back to the TAC engineer.
  Message was edited by: Michael Dunki-Jacobs
  **Edit Solved:***
  The problem is in deed solved by turning the "DHCP Address Required" but why?

• WLC 5508 tunneling issue

  Hi,
  I have a WLC 5508 connected in a hub and spoke topology. The WLC is located at the hub which is the main office. In one of the remote spoke locations I have five Access Points that are connected to the local LAN and the model for the APs is AIR-CAP3602I-E-K9. The APs are all connected to access ports on the switch in vlan 1. I have two WLAN configured on the controller. I have two interfaces configured on the controller. The management and the guest interface. WLAN 1 is associated with the management interface. In the WLAN 1 advanced setting the flex local switching option is enabled. WLAN 2 is associated with the guest interface and this interface is tunneling vlan 248 the guest vlan. The problem I am having is that the devices can not communicate with each other if they are connected to the wireless connection WLAN 2 which is the tunneled vlan.
  Example: The client would like to be able to connect his ipad to the apple tv for presentation. If I connect both devices to the WLAN 1 which is using flex local switching option they can communicate with no problem, but if the devices are connected to WLAN 2 the guest vlan they can't communicate with each other. Is it possible to get this to also work on WLAN 2 ?
  Note: Both WLAN types are WLAN and P2P Blocking Action is set to default (disabled).
  Does any one have any ideas what could be causing my issue?
  Thanks in advance for your help,

  Well since your talking about Apple TV, you need to look at this reference guide for Apple's bonjour. This will explain how to get it to work and the limitation when an AP is in local or FlexConnect mode. The bonjour just doesn't work as people think it should because they can get it to work with a linksys AP.
  http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
  Sent from Cisco Technical Support iPhone App

• WLC 5508 and ACS server

  Hi,
  Apologies if this has been answered before. I did a search, but unable to find anythimg.
  What I would like to do is be able to have a WLC 5508 as the local RADIUS DB and authenticator, but then be able to have an ACS server in a central location as a backup and then replicate between them.
  In other words set up groups for my remote sites in the central ACS server, which then replicates only the correct group to the remote sites. This allows less adminstrative overhead, as we just update the central one.
  Is this possible and how would I configure the WLC to do this ?
  Thanks

  Hi,
  if I understood your request, you want to replicate user information between an ACS and a WLC right ?
  That's impossible.
  ACS can only replicate with other ACS running the same version. No other ways of synchronization exists.
  Regards,
  Nicolas
  ===
  Don't forget to rate answers that you find useful

• WLC 5508 and Multiple DHCP servers in different sites?

  Hi
  I work for health authority in our region and we just purchased a Cisco wlc 5508 controller along with 25 3500 AP's. We have multiple sites with different IP subnets in each, all connected by a frame relay (owned by ISP). Each site has its own DHCP server. I have the controller in our main site. So when I take an AP to a remote site, the Ap gets an DHCP address from local DHCP server (which is great) and contacts controller and joins controller. Everything is good. BUT, when a client joins at the remote site, it gets an address from a previous site which will not work because the client is now on a different subnet. We dont use Vlans as they dont transvers the frame relay. I need those clients to obtain DHCP from the local DHCP server from the site they are on. Is that possible??
  I have updated the controller to latest version as well.
  Thanks
  Bryan Yaciuk, CCNA
  Parkland Regional Health Authority

  We call this as HREAP LOCAL SWITCHING!! but here is the catch.. everytime the AP joins the new site.. we need to configure the VLAN mapping and this wil do it for you!! Here is the link which will resolve ur issue..
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml#ll
  Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
  Regards
  Surendra

• Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users

  Cisco WLC 5508 with 3702APs - mobile hotspot for 2000 Guest users
  I've been given a fantastic "opportunity" by my boss to use our existing wireless infrastructure to provide internet access to potentially upto 2000 VIP guests arriving with BYOD devices, in a very densely populated area for a 3 day event. We are talking an area of approx 200m x 15m. Think of it as an awards ceremony/concert. The solution will also be mobile so we will be using internet breakout from different telcos as it will move to approx 20 countries. The area is also incredibly densely populated with other wifi APs. I did a brief site survey and AirMagnet could detect over 2500 other 'rogue' APs from where I was stood! I hope CleanAir works!
  We need a simple authentication method for them to connect with zero admin from our side. We don't want to just offer up a rolling daily PSK as that's a bit amateur and we don't really want the VIP guests sharing the PSK with others during their stay. Ideally they could self-provision by providing an email address.
  I know the WLC can handle webauth for local users but I don't think it scales very well. ie I don't think I can offer the account to several hundred people.
  Cisco ISE looks a very expansive (and expensive) product but I don't think we need all it's capabilities (do I?). It would be nice to just ask a potential user for their email address and grant them access and email them next year. I've seen Cisco NAC but that looks over the top too for just guest users who will only be accessing a shared internet connection.
  I've seen 3rd party supposed software solutions from Kiosk Antamedia etc do they work with Cisco Enterprise WLC solutions?
  We'd like to limit users to a certain (low) bandwidth and block (say) torrent traffic to keep the general user experience worthwhile.
  Does anybody have any case study documents or experience of such a project? As well as the authentication it's how well the APs will handle the dense potential number of clients trying to connect in such a confined space. 
  Any suggestions would be gratefully appreciated from the knowledgeable community.
  Cheers,
  Mike

  Hi Rasika,
  We are having WLC 5508 model with software version running 7.4.121.0. AP Models are AIR-CAP2602I.
  Normally our WAN links are good even while the issue pertains. We are connected to remote offices over ipsec site to site vpn for WAN. The link latency in WLC between the AP and the controller shows  <1ms.
  currently the Guest network is using WPA2-PSK auth given in the controller. we are trying to find a option to make the Guest wireless auth local to the office, and see if this solves the problem. 
  any suggestions,
  Thank you,
  Arjun

• One WLC 5508, Multiple Sites/Networks

  So I'm trying to think this design out in my head.  Here is what I have:
  Corp Office with a WLC 5508 configured with a management port and a guest WLAN port for guest wireless etc to the corp Layer 3 switch in a wireless VLAN, using 802.1q trunk of course.  The WLC is configured to be a DHCP server for the Guest WLAN.
  (Side note:  the sites are connected using WAN routers at each location configured with bundled T3's and all routes are setup and each network successfully traverses to the other)
  First phase will be to install 30 APs.  5 at the corporate office and 25 and two other sites.  I'm using a class A network but have subnetted the networks so to speak to make each site have multiple VLANs using class C networks.  I want to be able to implement the WLC 5508 at the corporate office and manage the APs centrally at all locations.  The APs are already configured for lightweight mode and I have successfully configured 5 of them and connected. 
  My question is if I install the other 25 APs at the other 2 offsite locations and connect them to the network, will it automatically contact the WLC and get a DHCP address from the Corporate WLAN DHCP even though it is at another site?  Am I overlooking a step or configuration method for this type of implementation?
  Thanks for all contributions!

  Ok so I have configured my environment as suggested.  I can see the new IP Address lease to the AP at my remote site on
  the DHCP Server (Windows Server DHCP at the remote site).  I can ping that IP from the Central office to the remote site however the WIreless Controller is not associating the AP at all.  Although I can ping the AP from the WLC.  I checked the logs and I dont see any association attempt from that IP or MACt.  So here is what I have:
  Central Site-
       WLC 5508 With Internal DHCP for local APs
       APs associating successfully
  Remote Site
       Windows DHCP with Option 43 Configured per Cisco AP Option 43 Whitepaper
       AP 1142-Light-Weight attached to switchport (Wireless Vlan configured) and reachable via ping through all of network.
       AP obtained IP from Windows DHCP from Wireless Scope I configured successfully.
  So it doesn't seem the CAPWAP tunnel was built successfully.  I do have an ASA 5520 in the environment but all traffic to remote sites is wide open as I do not block any ports so CAPWAP traffic should flow well.
  Mission a step?
  Dee

• WLC 5508, LAP1262, Security Features Design

  Dears,
  I am planning to get the following Hardware;
  AIR-CT5508-50-K9
  5508 Series Controller for up to 50 APs
  AIR-LAP1262N-E-K9
  802.11a/g/n Ctrlr-based AP; Ext Ant; E Reg Domain
  During my design, i am considering to get the following security features.
  NOTE: I don't have WCS and Mobility Services Engine (MSE).
  Managing Access Points at remote/WAN office.
  wIPS configuration (without WCS and MSE)
  How Rouge APs will be detected and Prevented. Can Automated prevention be implemented.
  Is wIPS (with WLC 5508) support to detect and prevent Rouge AP.
  Is Proxy Redirection supported on WLC so that the traffic from Wireless clients will automatically be redirected to Proxy (without adding the proxy in explorers of Wireless Clients).
  Unfortunatelly i dont have LAB to test these features, so please respond.......

  Dear Scott,
  Thanks for your detailed response. I still have confusion regarding the Point5. Find the following details;
  Current Design:
  All the Internet traffic (http, https) for Wired and Wireless users is forwarded to proxy server (microsoft ISA/10.1.100.1)) for internet access.
  For this purpose, all users have to add proxy to their explorers.
  New Design/Requirements for Wireless Guest Users:
  For the Wireless Guests users to get internet, they will have to add the proxy in their Explorers.
  I would like to provide them Internet Access without additing proxy in their Explorers (not to bother them with configuring their laptops).
  Is it possible, if WLC can automatically redirect the Internet traffic from Guests users to proxy Server (10.1.100.1).

• IPad & 3502i WAP wlc 5508 H-REAP

  I have a wierd situation occouring at a new remote location.
  Here is my scheme.
  At my phyiscal location =WHQ
  wlc 5508 (7.0.98.0)
  vlan 800
  ssid KWD-Guest
  open authentication
  wep 48bit key
  (ACL restricted to internet only access)
  Remote physical location = 80NY 
  2821 router (12.4ios) - routes and dhcp for the locations networks.
  3560-48 switch     - user connections and WAP connections.
  3502i WAP - H-REAP back to WHQ for management and configuration.
  Remote physical location = 1441NY
  3825 router (12.4ios) - routes and dhcp for the locations networks.
  3560-48 switch     - user connections and WAP connections.
  1131AG WAP - H-REAP back to WHQ for management and configuration.
  Here is the issue we are running into.
  At 80NY the users want to connect to the guest vlan 800 ssid KWD-Guest with iPads and smart phones (model unknown).
  They can see the ssid broadcasting. Try to connect to the ssid, input the wep key. wait, wait and time out on dhcp, giving themselves a 168.x.x.x addy
  From the router side, I can see the dhcp request on the correct vlan hitting the correct dhcp pool.
  The router hands out a valid ip address and associates it to the correct wireless devices Mac-Address
  But as I said the client times out waiting for the dhcp address.
  Now the kicker here is that the very same iPad and smart phone CAN connect to the guest ssid at 1441NY which is also hosted off the same 5508 at WHQ.
  The only difference I see is the WAP model and the network addresses I hand out at each location.
  To the best of my ability I have double checked my router/switch and controller/WAP configurations against each site to make sure there is a mirror in place.
  Any ideas?
  SR 617433573

  dmantill,
  Good morning and thank you for linking in the pdf.
  I read it and hit several of the hyperlinks included in the pdf.
  While I found the information useful and informative overall I did not really see anything that explained or covered the issue I am encountering.
  I have a SR open now and the TAC engineer wants me to capture some debugs on the client mac. Once I can get the local tech onsite again we will perform the connection attempt with the debugging enabled.
  FYI this is what the engineer wants to see.
  Here is the information that I need to see when the problem occurs:
  Disable/Disconnect the wireless client from the network – wait 1-2 mins
  Open Telnet/SSH session to the WLC CLI - (Use Putty/SecureCRT with logging enabled)
  type: Debug client
  Turn the wireless device back on and let it authenticate/associate to the wireless network.  Once the client experiences the problem, disable the debug process using the command: 
  debug disable-all
  Filename: DebugClient.TXT

• WLC 5508 configuraton

  We are planning to add a WLC 5508 to our network to support about 100 APs with two interfaces one for internal users and the other for guest users. This later will be integrated with WLC 4402 which will be installed in the remote site.
  Is there any documents that can help me to do so..
  Appricate your support 

  Here is the link which gives u all the info that u need!!
  http://www.cisco.com/en/US/tech/tk722/tk809/tech_configuration_examples_list.html
  Please dont forget to rate the usefull posts!!
  Regards
  Surendra

• WLC 5508 in HA

  Hi everyone,
  I have a doubt with a scheme of WLC in HA, I hope someone can help me.  
  I have 6 remote sites and 2 main sites, in coming year at least 3 remote sites will be opened.  Each remote site has one WLC 5508, I want to deploy HA for these ones, however I want to know if only I must put other WLC at each remote site?  or exists other way in order to deploy a  Cisco WLC in Main Site for working like WLC HA for every one at remote sites?
  Thanks

  1. That is up to you and what you need for redundancy. With that low of licensing and the cost you may just want to buy a 50 count controller and not bother with an HA SKU. (2 could fail)
  2. I believe this was back when they were selling HA only SKUs, you couldn't upgrade an HA to a permanent license. 
  3.  Yes, I mentioned that the APs will lose CAPWAP connections. There will be an outage during fail over
  4. It will not, N+1 is for redundancy on one. 
  Some designs with smaller sites use FlexConnect with AP SSO on redundant controllers in a data center, minimizing downtime.There are some caveats though.
  http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html

• AIR-CAP1602I-E-K9 Not Talking to WLC 5508

  hi all,
  can't seem to get my APs to talk to WLC 5508.
  can someone advise which WLC firmware to use and where can i get/download (link pls).
  currently WLC is running 6.0.199.4.
  Mar  1 00:00:47.839: %CDP_PD-4-POWER_OK: All radios disabled - NEGOTIATED inlin
  e power source
  *Mar  1 00:00:53.931: %CAPWAP-3-ERRORLOG: Not sending discovery request AP does
  not have an Ip !!
  *Mar  1 00:00:55.963: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP addre
  ss 172.28.159.15, mask 255.255.255.192, hostname APfc99.47a3.4d22
  Translating "CISCO-CAPWAP-CONTROLLER"...domain server (255.255.255.255)
  *Mar  1 00:01:06.899: %CAPWAP-3-ERRORLOG: Did not get log server settings from D
  HCP.
  *Mar  1 00:01:15.899: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROL
  LER
  *Mar  1 00:01:15.899: %CAPWAP-3-ERRORLOG: Discovery response from MWAR 'Cisco_f8
  :72:64'running version 6.0.199.4 is rejected.    <<<<
  APfc99.47a3.4d22>sh ve
  Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE
  SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 11-Dec-12 04:52 by prod_rel_team
  ROM: Bootstrap program is C1600 boot loader
  BOOTLDR: C1600 Boot Loader (AP1G2-BOOT-M) LoaderVersion 15.2(2)JAX, RELEASE SOFT
  WARE (fc1)
  APfc99.47a3.4d22 uptime is 11 minutes
  System returned to ROM by power-on
  System image file is "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"
  Last reload reason:
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  cisco AIR-CAP1602I-E-K9    (PowerPC) processor (revision B0) with 98294K/32768K
  bytes of memory.
  Processor board ID FGL1726W6DQ
  PowerPC CPU at 533Mhz, revision number 0x2151
  Last reset from power-on
  LWAPP image version 7.4.1.37
  1 Gigabit Ethernet interface
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: FC:99:47:A3:4D:22
  Part Number                          : 73-14671-04
  PCA Assembly Number                  : 000-00000-00
  PCA Revision Number                  :
  PCB Serial Number                    : FOC17182J4J
  Top Assembly Part Number             : 800-38552-01
  Top Assembly Serial Number           : FGL1726W6DQ
  Top Revision Number                  : A0
  Product/Model Number                 : AIR-CAP1602I-E-K9
  Configuration register is 0xF

  Hi,
  Date and time is ok on the WLC,
  I configured Accept Self Signed Certificate (SSC) under Security / AP policy, once done the WLC recognized the AP, but output from the console of the AP  power cycle the access point is:
  IOS Bootloader - Starting system.
  FLASH CHIP: Micronix MX25L256_35F
  Xmodem file system is available.
  flashfs[0]: 5 files, 2 directories
  flashfs[0]: 0 orphaned files, 0 orphaned directories
  flashfs[0]: Total bytes: 31936000
  flashfs[0]: Bytes used: 6551040
  flashfs[0]: Bytes available: 25384960
  flashfs[0]: flashfs fsck took 9 seconds.
  Reading cookie from SEEPROM
  Base Ethernet MAC address: 4c:00:82:9a:47:a3
  ************* loopback_mode = 0
  Loading "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx"...####################
  File "flash:/ap1g2-rcvk9w8-mx/ap1g2-rcvk9w8-mx" uncompressed and installed, entr
  y point: 0x100000
  executing...
                Restricted Rights Legend
  Use, duplication, or disclosure by the Government is
  subject to restrictions as set forth in subparagraph
  (c) of the Commercial Computer Software - Restricted
  Rights clause at FAR sec. 52.227-19 and subparagraph
  (c) (1) (ii) of the Rights in Technical Data and Computer
  Software clause at DFARS sec. 252.227-7013.
             cisco Systems, Inc.
             170 West Tasman Drive
             San Jose, California 95134-1706
  Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE
  SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 11-Dec-12 04:52 by prod_rel_team
  Initializing flashfs...
  FLASH CHIP: Micronix MX25L256_35F
  flashfs[2]: 5 files, 2 directories
  flashfs[2]: 0 orphaned files, 0 orphaned directories
  flashfs[2]: Total bytes: 31808000
  flashfs[2]: Bytes used: 6551040
  flashfs[2]: Bytes available: 25256960
  flashfs[2]: flashfs fsck took 9 seconds.
  flashfs[2]: Initialization complete.
  flashfs[3]: 0 files, 1 directories
  flashfs[3]: 0 orphaned files, 0 orphaned directories
  flashfs[3]: Total bytes: 11999232
  flashfs[3]: Bytes used: 1024
  flashfs[3]: Bytes available: 11998208
  flashfs[3]: flashfs fsck took 1 seconds.
  flashfs[3]: Initialization complete....done Initializing flashfs.
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  memory validate-checksum 30
  ^
  % Invalid input detected at '^' marker.
  no ip http server
         ^
  % Invalid input detected at '^' marker.
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  login authentication default
    ^
  % Invalid input detected at '^' marker.
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Warning:  the compile-time code checksum does not appear to be present.
  cisco AIR-CAP1602I-N-K9    (PowerPC) processor (revision B0) with 98294K/32768K
  bytes of memory.
  Processor board ID FGL1730S57A
  PowerPC CPU at 533Mhz, revision number 0x2151
  Last reset from power-on
  LWAPP image version 7.4.1.37
  1 Gigabit Ethernet interface
  32K bytes of flash-simulated non-volatile configuration memory.
  Base ethernet MAC Address: 4C:00:82:9A:47:A3
  Part Number                          : 73-14671-04
  PCA Assembly Number                  : 000-00000-00
  PCA Revision Number                  :
  PCB Serial Number                    : FOC17284HL9
  Top Assembly Part Number             : 800-38552-01
  Top Assembly Serial Number           : FGL1730S57A
  Top Revision Number                  : A0
  Product/Model Number                 : AIR-CAP1602I-N-K9
  % Please define a domain-name first.
  logging facility kern
          ^
  % Invalid input detected at '^' marker.
  logging trap emergencies
          ^
  % Invalid input detected at '^' marker.
  Press RETURN to get started!
  *Mar  1 00:00:12.451: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. In
  itialising Cfg
  *Mar  1 00:00:13.683: %LINK-6-UPDOWN: Interface GigabitEthernet0, changed state
  to up
  *Mar  1 00:00:14.687: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEth
  ernet0, changed state to up
  *Mar  1 00:00:15.123: %SYS-5-RESTART: System restarted --
  Cisco IOS Software, C1600 Software (AP1G2-RCVK9W8-M), Version 15.2(2)JB, RELEASE
  SOFTWARE (fc1)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2012 by Cisco Systems, Inc.
  Compiled Tue 11-Dec-12 04:52 by prod_rel_team
  *Mar  1 00:00:15.151: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. In
  itialising Cfg
  *Mar  1 00:00:15.151: %CAPWAP-3-ERRORLOG: Failed to load configuration from flas
  h. Resetting to default config
  *Mar  1 00:00:16.195: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, chan
  ged state to uplwapp_crypto_init: MIC Present and Parsed Successfully
  no bridge-group 1 source-learning
                     ^
  % Invalid input detected at '^' marker.
  %Default route without gateway, if not a point-to-point interface, may impact pe
  rformance
  *Mar  1 00:00:48.695: %CDP_PD-4-POWER_OK: All radios disabled - INJECTOR_CONFIGU
  RED_ON_SOURCE inline power source
  *Mar  1 00:00:48.923: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP addre
  ss 10.2.3.100, mask 255.255.255.0, hostname AP4c00.829a.47a3
  Translating "CISCO-CAPWAP-CONTROLLER.campeche.ecosur.mx"...domain server (10.2.3
  .10) [OK]
  *Mar  1 00:00:59.915: %CAPWAP-3-ERRORLOG: Did not get log server settings from D
  HCP.
  *Mar  1 00:00:59.919: %CAPWAP-3-ERRORLOG: Dropping dtls packet since session is
  not established. A0203E6, 147E, A020364, A47B, 0
  *Mar  1 00:01:09.915: %CAPWAP-3-ERRORLOG: Go join a capwap controller
  *Jan 29 09:33:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_i
  p: 10.2.3.230 peer_port: 5246
  *Jan 29 09:33:18.535: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully
  peer_ip: 10.2.3.230 peer_port: 5246
  *Jan 29 09:33:18.535: %CAPWAP-5-SENDJOIN: sending Join Request to 10.2.3.230
  *Jan 29 09:33:23.535: %CAPWAP-5-SENDJOIN: sending Join Request to 10.2.3.230
  logging facility kern
          ^
  % Invalid input detected at '^' marker.
  logging trap emergencies
          ^
  % Invalid input detected at '^' marker.
  *Jan 29 09:34:17.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 10.
  2.3.230:5246
  *Jan 29 09:34:17.999: %LWAPP-3-CLIENTERRORLOG: LWAPP LED Init: incorrect led sta
  te 255
  *Jan 29 09:34:17.999: %LWAPP-3-CLIENTERRORLOG: Config load from flash failed. In
  itialising Cfg
  *Jan 29 09:34:17.999: %CAPWAP-3-ERRORLOG: Failed to load configuration from flas
  h. Resetting to default config
  *Jan 29 09:34:28.015: %CAPWAP-3-ERRORLOG: Go join a capwap controller
  *Jan 29 09:34:28.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_i
  p: 10.2.3.230 peer_port: 5246
  *Jan 29 09:34:28.535: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully
  peer_ip: 10.2.3.230 peer_port: 5246
  *Jan 29 09:34:28.535: %CAPWAP-5-SENDJOIN: sending Join Request to 10.2.3.230
  *Jan 29 09:34:33.535: %CAPWAP-5-SENDJOIN: sending Join Request to 10.2.3.230
  and debug command output enable CAPWAP events
  (Cisco Controller) >debug capwap events enable
  (Cisco Controller) >*spamApTask7: Jan 29 03:39:08.092: acDtlsPlumbControlPlaneKeys: lrad:10.2.3.100(42107) mwar:10.2.3.230(5246)
  *spamApTask7: Jan 29 03:39:08.093: 4c:00:82:9a:47:a0 DTLS keys for Control Plane deleted successfully for AP 10.2.3.100
  *spamApTask7: Jan 29 03:39:08.100: 4c:00:82:9a:47:a0 DTLS connection closed event receivedserver (10.2.3.230/5246) client (10.2.3.100/42107)
  *spamApTask7: Jan 29 03:39:08.100: 4c:00:82:9a:47:a0 Entry exists for AP (10.2.3.100/42107)
  *spamApTask7: Jan 29 03:39:08.100: 4c:00:82:9a:47:a0 No AP entry exist in temporary database for 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:08.104: 4c:00:82:9a:47:a0 Discovery Request from 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:08.104: 4c:00:82:9a:47:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 500, joined Aps =0
  *spamApTask7: Jan 29 03:39:08.104: apModel:
  *spamApTask7: Jan 29 03:39:08.104: apType = 38 apModel:
  *spamApTask0: Jan 29 03:39:08.105: 4c:00:82:9a:47:a3 Received LWAPP DISCOVERY REQUEST to 6c:41:6a:5f:95:2f on port '13'
  *spamApTask0: Jan 29 03:39:08.105: 4c:00:82:9a:47:a3 Discarding discovery request in LWAPP from AP supporting CAPWAP
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Discovery Response sent to 10.2.3.100 port 42107
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Discovery Response sent to 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Discovery Request from 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 500, joined Aps =0
  *spamApTask7: Jan 29 03:39:08.105: apModel:
  *spamApTask7: Jan 29 03:39:08.105: apType = 38 apModel:
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Discovery Response sent to 10.2.3.100 port 42107
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Discovery Response sent to 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Discovery Request from 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:08.105: 4c:00:82:9a:47:a0 Join Priority Processing status = 0, Incoming Ap's Priority 1, MaxLrads = 500, joined Aps =0
  *spamApTask7: Jan 29 03:39:08.105: apModel:
  *spamApTask7: Jan 29 03:39:08.105: apType = 38 apModel:
  *spamApTask7: Jan 29 03:39:08.106: 4c:00:82:9a:47:a0 Discovery Response sent to 10.2.3.100 port 42107
  (Cisco Controller) >*spamApTask7: Jan 29 03:39:08.106: 4c:00:82:9a:47:a0 Discovery Response sent to 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:18.104: 4c:00:82:9a:47:a3 DTLS connection not found, creating new connection for 10:2:3:100 (42107) 10:2:3:230 (5246)
  *spamApTask7: Jan 29 03:39:18.638: acDtlsPlumbControlPlaneKeys: lrad:10.2.3.100(42107) mwar:10.2.3.230(5246)
  *spamApTask7: Jan 29 03:39:18.638: 4c:00:82:9a:47:a3 Allocated index from main list, Index: 397
  *spamApTask7: Jan 29 03:39:18.638: 4c:00:82:9a:47:a3 Using CipherSuite AES128-SHA
  *spamApTask7: Jan 29 03:39:18.638: 4c:00:82:9a:47:a3 DTLS keys for Control Plane are plumbed successfully for AP 10.2.3.100. Index 398
  *spamApTask6: Jan 29 03:39:18.638: 4c:00:82:9a:47:a3 DTLS Session established server (10.2.3.230:5246), client (10.2.3.100:42107)
  *spamApTask6: Jan 29 03:39:18.638: 4c:00:82:9a:47:a3 Starting wait join timer for AP: 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:23.636: 4c:00:82:9a:47:a0 Join Request from 10.2.3.100:42107
  *spamApTask7: Jan 29 03:39:23.636: 4c:00:82:9a:47:a3 Deleting AP entry 10.2.3.100:42107 from temporary database.
  *spamApTask7: Jan 29 03:39:23.637: 4c:00:82:9a:47:a0 MIC AP is not allowed to join by config
  *spamApTask7: Jan 29 03:39:23.637: 4c:00:82:9a:47:a0 Join Request failed!

• Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

  Hello,
  I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new
  building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as
  well as the Wireless solution.
  At present, I have no issues in implementing the R&S infrastructure as it is very straight forward but it has implications on the deployment of
  the wireless solution which I explain further below. The R&S infrastructure comprises of the typical Core, Distribution, and Access layers and we
  are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning
  from distribution layer to core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
  Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a
  large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other
  the Secondary. The local distribution switch to which the WLC are connected also is the gateway for the SVIs for the SSIDs that are configured on
  the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly
  connected distribution switch which then routes it into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and
  support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
  Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated
  i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building which can be accommodated
  between the two switches and their integrated controller.
  Yet, based on my understanding and research about Converged Access is that, ideally, the Catalyst 3850 will only run the Mobility Agent (MA)
  feature while a central controller would provide the Mobility Controller (MC) service. unfortunately, there are not enough licenses on the
  existing WLC 5508 nor can we migrate the new licenses that will facilitate such a split deployment.
  This means that I would need to configure the two Catalyst 3850 as independent MC and form a MG between them. I have done this and tested this
  already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work as this is simple but rather it is
  focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the
  state of their connections to the WLAN infrastructure.
  To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect
  to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new
  subnets need to be assigned to the SSIDs.
  As such, I have the following questions:
  Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means
  that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG
  as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally seperate WLAN network and follow on to
  the solution as per the next question. Please advise which is a better option?
  Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can
  then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD).
  Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
  Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
  Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more
  clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
  Regards,
  Amir

  Hi Amir,
  Q1) If we create new SVIs for the SSIDs (same SSIDs names will be used in the new building as in the rest of the university campus) this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options...one is to make the new Catalyst 3850s to be in the same MG as the existing WLC 5508 which then cater for Layer 3 client roaming or I have to treat this as a totally seperate WLAN network and follow on to the solution as per the next question. Please advise which is a better option?
  I would configure them in the same mobility group. Also configure same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
  Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
  MO is not required (it is only for very large scale deployments)
  Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
  Yes, documents are hard to find :(
  These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
  http://mrncciew.com/2014/05/06/configuring-new-mobility/
  http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
  HTH
  Rasika
  *** Pls rate all useful responses ****