VLAN concept with WLC

Hi guys,
This is my VLAN background:
VLANs are used to segment the network and break up the broadcast domains in order to reduce congestion and isolate network problems as well as providing scalability, performance improvement, security and making network additions, moves, and changes easier and more manageable.
And this is my wireless VLAN background with the controllers:
Host A is a wireless LAN client communicating with the wired device, Host B. At the access point, the access point adds an LWAPP header to the frame and sends it to the controller. After processing the 802.11 MAC header, the WLC extracts the payload (the IP packet), encapsulates it into an Ethernet frame, and then forwards the frame onto the appropriate wired network, typically adding an 802.1Q VLAN tag.
According to Cisco's "Fundamentals of Wireless Controllers" video (starting at 2:53), the 5508 controller allows you to use much larger subnets and fewer wireless VLANs. So with a 5508 controller in a completely wireless infrastructure (no wired hosts),
1. I don't need to break up broadcast domains and have multiple subnets and I'm free to use a giant flat network?
2. If I'm allowed to use large subnets, as far as the broadcast traffic (other than ARP and DHCP which are specially handled by WLC) is concerned, how does the controller handle that? I think I still will need multiple VLANs to control it according to my following WLC broadcast handling background:
"All traffic including broadcast sent to any destination by wireless client get forwarded to WLC from its connected AP. WLC places the broadcast message on to that VLAN, both wired and wireless clients that are part of that vlan interface will get this broadcast message. Now, the receiving wireless clients on that vlan can be associated on to any/different APs, APs mapped to different AP groups, even APs using different L3 addresses from one or multiple WLCs, WLC intelligently identifies the mapped VLAN interfaces and its respective APs through AP group and forwards the broadcast (encapsulates) as Multicast packet to those specific AP groups. Once APs receives the Multicast (broadcast), it places it on the respective Radio's BSSID (where WLAN/ssid mapped) of AP to reach the right wireless client. AP Radio's BSSID to SSID/WLAN to interface mapping is pushed to AP by WLC at AP join. Also, Wired PCs will receive the broadcast on its vlan as tagged (if tagged, otherwise untagged) from WLC's interface, so does the other WLCs that spans this vlan interface."
Regards,
Saman

You should still follow your best practice for your subnet size. Remember that wireless is half duplex and only one device can talk at a given time. Also... The AP can be in a different vlan, ap group, etc, but the clients are still on the same vlan. So it means that the clients need to be on the same vlan, but the APs can be on a different subnet since this doesn't matter.

Similar Messages

  • Dynamic VLAN assignment with WLC and ACS for

    Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
    dot11 vlan-name STUDENT vlan 2903
    dot11 vlan-name FACSTAF vlan 2905
    As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
    http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
    However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
    With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
    Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?

    We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
    This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this?

  • Vlan management with WLC and WCS

    I'd like to know if it is possible to use the same vlan for the management of the WCS and for configuring a wlan?
    I try to make this lab and when I declare a dynamic interface that is in the same subnet as the WCS ip address, the reliability between controller and WCS is lost.

    I know that I should not put servers on the same vlan as wireless client but I just want to know if it is possible or if Cisco implemented something to avoid this to understand why my lab didn't work with this configuration.
    Thanks

  • WLC- dynamic Vlan assignment with Radius

    Hello, we would like to use this feature in our company and because of that I am now testing it. But I found one problem.
    I created one testing SSID and two VLANs on WLC. On ACS I use IETF attributes (064,065,081) for my account and I am changing the VLAN ID (081) during testing.
    It works with LEAP but when I use PEAP-GTC (which we use commonly in our company) the ip address is not assigned properly (ip which was assigned before remains).
    Could you please help me?

    There is good document which explains how to configure Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller. This will help you. You will find the document at http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml

  • Connecting Cisco AIR-CAP2602E over WAN with WLC - Procedural Details

    Hi,
    I have a Wireless LAN Controller Installed in one of the subnets where some AIR-CAP2602E's are connected with the WLC. WLC acts as DHCP for the AIR-CAP2602E Devices.
    I have additional AIR-CAP2602E access-points at other location (Subnet) and Need to connect them with WLC. 
    The challenge faced by me is creating DHCP on Cisco 2950 (L2) or 3750 (L3) with DHCP option 43. Does anyone have a detailed configuration for enabling DHCP for a specific VLAN on Cisco L2 and L3 devices?

    If you have control of the DNS environment for these network segments, just make an entry for :
    cisco-lwapp-controller aliases cisco-capwap-controller (IP list) as the CAP will hunt for those two name sets.
    My WLC provides DHCP support only to the WLANs supported by the AP but not the AP itself.
    hope this helps

  • Help me : Problem with WLC and AP

    Hi,
    We have a few AP on our network which work fine.
    But, those which are behind our fw don't work.
    LAN WI-FI with WLC  <>--------Lan Routed---with Ap (Ok) ------------------
                                     <> -------FW <> Vlan behind Fw and APs not work fine.
    WLC = Software Version                 7.0.220.0
    Logs  on WLC :
    spamApTask2: Jun 04 11:49:59.494: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:48:49.323: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
    *osapiBsnTimer: Jun 04 11:43:51.235: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:2202 Failed to complete DTLS handshake with peer 172.37.251.71
    debug dtls:
    *spamApTask1: Jun 04 11:22:42.434: 64:a0:e7:5f:e5:70 record=Alert epoch=0 seq=2
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 SSL_do_handshake: SSL_ERROR_SSL while communicating with 172.37.251.71 : (null)
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70  Requested by openssl_dtls_process_packet
    *spamApTask1: Jun 04 11:22:42.435: dtls_conn_hash_delete: Deleting hash for Local 172.18.3.2:5246  Peer 172.37.251.71:52258
    *spamApTask1: Jun 04 11:22:42.435: 64:a0:e7:5f:e5:70 DTLS Connection 0x145520d0 closed by controller
    *spamApTask1: Jun 04 11:22:42.436: dtls_conn_hash_search: Searching hash for Local 172.18.3.2:5247  Peer 172.37.251.71:52258
    Cordially,

    HI,
    - On the fw-
    a. Make sure the FW is open for udp 5246 and 5247 ports required for the capwap process.
    If this is a cisco ASA, you can set up ingress and egress packet captures to see what packets enter and leave the FW for this AP-
    cap capin interface match udp any
    cap capout interface match udp any
    **match captures bidirectional flow for the interesting traffic.
    b. Check the logs on the firewall for any drops.
    c. cap capdrop type asp-drop all
    This will tell you if the pkt was dropped and the reason for the drop
    d. You can run the packet-tracer command on the firewall tracking this udp flow-
    e.g. packet-tracer input inside udp 3.3.3.3 1212 2.2.2.3 5246 detailed
    - What AP model is this? Is it the same AP that connects to the controller if there is no fw in the path?
    - Does it use MIC or SSC cert? If SSC, make sure you have SSC checked and you will need to manually enter the hash for the AP on the controller under AP Authorization List -
    Security> AP Policies
    You can get the hash of the AP (if you don't have it) by enabling the following debug on the controller
    debug pm pki enable
    Other controller debugs for the AP-
    debug mac address
    debug capwap error enable
    debug capwap events enable
    - What about AP console log? Do you have access to that?
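A way to triage the controller log from this thread, as an added example (not code from the posters or from Cisco): it groups the `%DTLS-3-HANDSHAKE_FAILURE` lines by peer, measures how often the AP retries, and records which CAPWAP ports (5246 control, 5247 data) show up for that peer in the `dtls_conn_hash_*` debug lines. The sample lines are copied from the post above; the regular expressions assume that exact line layout.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# "*task: Mon DD HH:MM:SS.mmm: message" (the leading "*" is optional)
LINE_RE = re.compile(r"^\*?\w+: (?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
FAIL_RE = re.compile(r"%DTLS-3-HANDSHAKE_FAILURE: .* with peer (?P<peer>[\d.]+)")
CONN_RE = re.compile(r"Local [\d.]+:(?P<lport>\d+)\s+Peer (?P<peer>[\d.]+):\d+")
CAPWAP_PORTS = {5246: "control", 5247: "data"}  # UDP ports named in the reply above

# Sample input: lines copied from the WLC log in the post above.
SAMPLE_LOG = """\
*spamApTask2: Jun 04 11:47:39.149: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:46:28.978: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask2: Jun 04 11:45:18.806: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:44:08.632: %DTLS-3-HANDSHAKE_FAILURE: openssl_dtls.c:631 Failed to complete DTLS handshake with peer 172.37.251.71
*spamApTask1: Jun 04 11:22:42.435: dtls_conn_hash_delete: Deleting hash for Local 172.18.3.2:5246  Peer 172.37.251.71:52258
*spamApTask1: Jun 04 11:22:42.436: dtls_conn_hash_search: Searching hash for Local 172.18.3.2:5247  Peer 172.37.251.71:52258
""".splitlines()


def summarize(lines):
    """Return {peer_ip: {failures, median_retry_s, capwap_channels_seen}}."""
    failures = defaultdict(list)
    channels = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a timestamped WLC log line
        msg = m.group("msg")
        fail = FAIL_RE.search(msg)
        if fail:
            # The log carries no year; a fixed placeholder year keeps parsing
            # unambiguous and does not affect the intervals computed below.
            ts = datetime.strptime("2000 " + m.group("ts"), "%Y %b %d %H:%M:%S.%f")
            failures[fail.group("peer")].append(ts)
        conn = CONN_RE.search(msg)
        if conn and int(conn.group("lport")) in CAPWAP_PORTS:
            channels[conn.group("peer")].add(CAPWAP_PORTS[int(conn.group("lport"))])

    report = {}
    for peer, stamps in failures.items():
        stamps.sort()  # the WLC prints newest first
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[peer] = {
            "failures": len(stamps),
            "median_retry_s": round(statistics.median(gaps), 1) if gaps else None,
            "capwap_channels_seen": sorted(channels.get(peer, ())),
        }
    return report


if __name__ == "__main__":
    for peer, info in summarize(SAMPLE_LOG).items():
        print(peer, info)
```

A steady retry interval from one peer, with the control port present in the connection lines, shows the AP's packets are reaching the controller, which points the investigation at the handshake itself (certificate type, AP authorization) as well as at the firewall's return path.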

  • Trunk with WLC and 1400BR problem

    Hi everybody,
    I have the following problem, I hope someone can help me.
    Actually I work with a 1522 Mesh Network, 1130 LWAPP and Bridge 1400 point to point. 1522 and 1130 are associated with WLC.
    I have a WLC4402 (4.1.192.22M (Mesh) image); this WLC is connected via trunk to Sw3750 ex:
    interface GigabitEthernet1/0/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    RAP1 is connected to the same Sw3750 ex:
    interface FastEthernet1/0/23
    description RAP1
    switchport access vlan 10
    **(VLAN 10 is Mgmt)**
    AP1(1130) is connected to the same Sw3750 ex:
    interface FastEthernet1/0/1
    description AP1
    switchport access vlan 10
    The 1410BR Root is connected via trunk to same Sw3750 ex:
    interface FastEthernet1/0/19
    description BR-1400R
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 10
    switchport mode trunk
    In the other point is the Non-Root connected to a Sw2960 ex:
    interface GigabitEthernet1/0/1
    switchport trunk native vlan 10
    switchport mode trunk
    AP2(1130) connected to the same Sw2960 ex:
    interface fa0/23
    description AP2
    switchport access vlan 10
    The network works fine, Mesh UP (RAP and MAPs), and 1130 too. I connected the 1400 Bridge point after the Mesh is up, and the link between Root and Non Root is UP.
    Now, when the Sw3750 goes down or reboots, the RAP and AP1(1130) can't associate to the WLC. The ports of RAP and 1130 go down and up many times, so they can't associate to a WLC. Only the Bridge point 1400 Root and Non-root are UP, and the AP2(1130) on the other side can associate to the WLC.
    When I shut down the port of the Root Bridge, the RAP1 and AP1(1130) can associate to the WLC and the Mesh Net is UP. Then I no shutdown the Root Bridge port and the link between Bridges is UP, AP2(1130) up to the controller too.
    But after several minutes the Bridge goes down, and the event log in the Root is: Interface Dot11Radio0 Radio transmit power out of range.
    So I have these problems:
    1) Trunks between WLC and 1400 BR
    2) Bridge connectivity range.
    Regards
    Antonio

    The Outdoor Bridge Range Calculation Utility uses parameters that include regulatory domain, device type, data rate, antenna gain, and a few others as inputs.
    You can avoid connectivity problems with the Outdoor Bridge Calculation Utility, as this tool helps you to predict the distance between devices. In a wireless environment without a tool like this, you cannot predict the distance between the bridges, the height at which you must place the antennas for maximum throughput, and other variables. This utility also helps you decide on the type of antenna that you must use in order to cover the distance between the bridges.

  • Super vlan concept on ASR 9k

    Hello,
    On some non-Cisco routers/switches there is an aggregation/super VLAN concept. I wanted to configure something similar on the ASR with evc/l2vpn.
    I want to have one big IP address pool on the DHCP server - all requests should be sent from one BVI helper address.
    On the l2 subinterfaces I pop the tag and join them inside one broadcast domain. Are there any pros and cons for that config?
    LAN10 (vlan10) -----  g0/0/0.10 l2transport |  
    LAN20 (vlan20)  -----  g0/0/0.10 l2transport |
    LAN30 (vlan30) -----  g0/0/0.10 l2transport | -------------- BVI 1  (helper address) ---------------- G0/5/0/0 ------    dhcp server
    LAN40 (vlan40)-----  g0/0/0.10 l2transport  |
    Configuration:
    interface GigabitEthernet0/0/0/0.10 l2transport
    encapsulation dot1q 10
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/0/0/0.20 l2transport
    encapsulation dot1q 20
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/0/0/0.30 l2transport
    encapsulation dot1q 30
    rewrite ingress tag pop 1 symmetric
    interface GigabitEthernet0/0/0/0.40 l2transport
    encapsulation dot1q 40
    rewrite ingress tag pop 1 symmetric
    l2vpn
     bridge group agg
      bridge-domain agg1
       interface GigabitEthernet0/0/0/0.10
        split-horizon group
       interface GigabitEthernet0/0/0/0.20
        split-horizon group
       interface GigabitEthernet0/0/0/0.30
        split-horizon group
       interface GigabitEthernet0/0/0/0.40
        split-horizon group
       routed interface BVI1
    interface BVI1
    ipv4 helper-address vrf default 192.168.1.1
    ipv4 address 192.168.2.1 255.255.255.0

    I think it's better to look into the new BNG features on the ASR9K, like the "ambiguous vlan" functionality. This feature does exactly what you are looking for, but much more easily. You just create a single interface and put all the different VLANs as ambiguous VLANs, which then belong to a single layer 3 interface. I do believe you need the newest RSP and linecards for it.

  • Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points

    Hi Guys,
    I would like to go for "Dynamic VLAN Assignment with RADIUS Server and Aironet Access Points 1300". I want the AP to broadcast only 1 SSID. The client finds the SSID -> puts in his user credentials -> RADIUS authentication -> assigns him to a specific VLAN based on his groupship.
    The problem here is that I don't have an AP controller but only configurable Aironet Access Points 1300. I can connect to the RADIUS server, but I am not sure how to configure the AP's port, radio port, VLAN and SSID.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    I go through some references:
    3.5  RADIUS-Based VLAN Access Control
    As discussed earlier, each SSID is mapped to a default VLAN-ID on the wired side. The IT administrator may wish to impose back end (such as RADIUS)-based VLAN access control using 802.1X or MAC address authentication mechanisms. For example, if the WLAN is set up such that all VLANs use 802.1X and similar encryption mechanisms for WLAN user access, then a user can "hop" from one VLAN to another by simply changing the SSID and successfully authenticating to the access point (using 802.1X). This may not be preferred if the WLAN user is confined to a particular VLAN.
    There are two different ways to implement RADIUS-based VLAN access control features:
    1. RADIUS-based SSID access control: Upon successful 802.1X or MAC address authentication, the RADIUS server passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge.
    2. RADIUS-based VLAN assignment: Upon successful 802.1X or MAC address authentication, the RADIUS server assigns the user to a predetermined VLAN-ID on the wired side. The SSID used for WLAN access doesn't matter because the user is always assigned to this predetermined VLAN-ID.
    extract from: Wireless Virtual LAN Deployment Guide
    http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_technical_reference09186a00801444a1.html
    ==============================================================
    Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml#switch
    ==============================================================
    Controller: Wireless Domain Services Configuration
    http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801c951f.shtml
    Any help on this issue is appreciated.
    Thanks.

    I'm not sure if the Autonomous APs have the option for AAA Override.  On the WLC, I can go into the BSSID, Security, Advanced, and there's a checkbox that I would check to allow a Radius server to send back the VLAN.
    I did a little research and it looks like the 1300 may give this option but instead is defined as "VLAN Override".  I've found the release notes for 12.3(7)JA5 (not sure what version you're running) that give mention and a link to configuring EAP on page 4: http://www.ciscosystems.ch/en/US/docs/wireless/access_point/1300/release/notes/o37ja5rn.pdf
    Hope this helps
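How the VLAN assignment discussed in the dynamic-VLAN threads above travels in the RADIUS reply, as an added example (not code from the posters or from Cisco): it parses the attribute section of an Access-Accept, checks the IETF attributes 064/065/081 mentioned earlier, and resolves a VLAN name through a per-building table in the way `dot11 vlan-name` does on an autonomous AP. The values Tunnel-Type 13 (VLAN) and Tunnel-Medium-Type 6 (IEEE-802) follow RFC 3580; the sample packet bytes and the second building's VLAN numbers are constructed for illustration.

```python
TUNNEL_TYPE = 64               # IETF attribute 064
TUNNEL_MEDIUM_TYPE = 65        # IETF attribute 065
TUNNEL_PRIVATE_GROUP_ID = 81   # IETF attribute 081
TYPE_VLAN = 13                 # Tunnel-Type value "VLAN"
MEDIUM_IEEE_802 = 6            # Tunnel-Medium-Type value "IEEE-802"


def parse_attributes(blob):
    """Split the attribute section of a RADIUS packet into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, blob[pos + 2:pos + alen]))
        pos += alen
    return attrs


def _tagged_int(value):
    """Attributes 64 and 65: one tag byte followed by a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must carry 4 bytes")
    return value[0], int.from_bytes(value[1:], "big")


def _tagged_string(value):
    """Attribute 81: a first byte <= 0x1F is a tag, anything larger is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def resolve_vlan(attrs, vlan_names):
    """Return the VLAN ID the reply assigns, or None if it assigns none.

    vlan_names is the local name-to-VLAN table of the device applying the reply.
    """
    tunnels = {}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            tag, number = _tagged_int(value)
            tunnels.setdefault(tag, {})[atype] = number
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = _tagged_string(value)
            tunnels.setdefault(tag, {})[atype] = text
    for tag in sorted(tunnels):
        t = tunnels[tag]
        if t.get(TUNNEL_TYPE) != TYPE_VLAN or t.get(TUNNEL_MEDIUM_TYPE) != MEDIUM_IEEE_802:
            continue  # all three attributes must be present and consistent
        group = t.get(TUNNEL_PRIVATE_GROUP_ID)
        if group is None:
            continue
        vlan = int(group) if group.isdigit() else vlan_names.get(group)
        if vlan is None:
            raise LookupError(f"VLAN name {group!r} is not defined on this device")
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN {vlan} is out of range")
        return vlan
    return None


def attr(atype, value):
    """Encode one attribute (helper used to build the constructed sample)."""
    return bytes([atype, len(value) + 2]) + value


# Constructed sample: attribute section of an Access-Accept naming the STUDENT VLAN.
SAMPLE_ACCEPT = (
    attr(TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big"))
    + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big"))
    + attr(TUNNEL_PRIVATE_GROUP_ID, b"STUDENT")
)
BUILDING_A = {"STUDENT": 2903, "FACSTAF": 2905}  # mapping quoted in the thread
BUILDING_B = {"STUDENT": 3003, "FACSTAF": 3005}  # constructed second building

if __name__ == "__main__":
    parsed = parse_attributes(SAMPLE_ACCEPT)
    print(resolve_vlan(parsed, BUILDING_A), resolve_vlan(parsed, BUILDING_B))
```

The same reply yields a different VLAN per building only because the name is resolved locally; a reply that omits attribute 064 or 065 assigns nothing, which is worth checking first when the expected VLAN is not applied.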

  • Dynamic VLAN assignments with ACS

    Hello all.
    I am trying to do dynamic vlan assignments with dot1x auth.  I am using ACS5.3 and Cisco 3560.
    I have configured them correctly to the best of my knowledge but it doesn't seem to be working correctly.
    aaa group server radius nac_servers
     server-private 84.93.219.163 auth-port 1812 acct-port 1813 key 7 xxxxxx
    aaa authentication dot1x default group nac_servers
    aaa authorization network default group nac_servers
    interface FastEthernet0/2
     switchport mode access
     switchport voice vlan 364
     srr-queue bandwidth share 10 10 60 20
     srr-queue bandwidth shape 10 0 0 0
     priority-queue out
     authentication event no-response action authorize vlan 303
     authentication host-mode multi-domain
     authentication port-control auto
     mls qos trust cos
     auto qos voip trust
     dot1x pae authenticator
    When the user connects I get the following via debug:
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    However "show int status" still shows the port on vlan 1 and the end device is stuck with a 169.x.x.x address (Windows PC).
    Any idea what config I'm missing?
    Thanks
    Paul

    Hello.
    Here is what's left in the log.
    Apr 30 15:19:36.253: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.253: EAPOL pak dump rx
    Apr 30 15:19:36.253: EAPOL Version: 0x1  type: 0x0  length: 0x007B
    Apr 30 15:19:36.253: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 123
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.007b
    Apr 30 15:19:36.253: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.269: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.278: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.278: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.278: EAPOL pak dump rx
    Apr 30 15:19:36.278: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.278: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:36.286: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:36.294: dot1x-ev:Enqueued the eapol packet to the global authenticator queue
    Apr 30 15:19:36.294: EAPOL pak dump rx
    Apr 30 15:19:36.294: EAPOL Version: 0x1  type: 0x0  length: 0x002B
    Apr 30 15:19:36.294: dot1x-ev:
    dot1x_auth_queue_event: Int Fa0/2 CODE= 2,TYPE= 25,LEN= 43
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): Received pkt saddr =70cd.6066.988a , daddr = 0180.c200.0003,
                        pae-ether-type = 888e.0100.002b
    Apr 30 15:19:36.294: dot1x-ev(Fa0/2): dot1x_sendRespToServer: Response sent to the server from 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:36.303: %DOT1X-5-SUCCESS: Authentication successful for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: dot1x-ev(Fa0/2): Sending event (2) to Auth Mgr for 70cd.6066.988a
    Apr 30 15:19:36.303: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:36.303: %AUTHMGR-5-VLANASSIGN: VLAN 300 assigned to Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to up
    Apr 30 15:19:37.335: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (70cd.6066.988a) on Interface Fa0/2 AuditSessionID 000000000000001F8B7214D7
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Received Authz Success for the client 0x55000021 (70cd.6066.988a)
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending EAPOL packet to 70cd.6066.988a
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Role determination not required
    Apr 30 15:19:37.335: dot1x-ev(Fa0/2): Sending out EAPOL packet
    Hope that helps

  • ISE device registration webauth with wlc 7.0 lwa

    Is it possible to use the DRW feature with WLCs running 7.0 code? All configuration examples refer to 7.2 code. It's only for guest user device registration. No profiling / provisioning.
    Compatibility matrix says that "Wireless Controllers support MAC filtering with RADIUS lookup. For WLCs that support version 7.2.103.0, there is support for session ID and COA with MAC filtering so it is more MAB-like."
    Thanks.

    Hi,
    The reason you need to run the upgraded code is that the radius NAC feature coupled with a mac-filtering enabled SSID will work together. On the release prior you were unable to get both features to work with one another.
    For your reference here is the item in the New Features section of the 7.2 WLC release notes:
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html#wp855314
    thanks,
    Tarik Admani
    *Please rate helpful posts*

  • What is the lowest ISE version supported with WLC 7.3.112.0

    Dears
    Kindly, I want to know what is the lowest version of ISE supported with WLC 7.3.112.0 or WLC 7.3.101.0
    Please need your feedback.
    Regards,

    the lowest version of ise supported wlc 7.3 is ISE 1.2 as per document :
    Wireless LAN Controller (WLC) 2500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
    Wireless LAN Controller (WLC) 5500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
    Wireless LAN Controller (WLC) 7500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
    Wireless LAN Controller (WLC) 8500 8 | 7.3.112.0.(ED), 7.4.x, 7.5 | Yes 9 | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/compatibility/ise_sdt.html
    ISE 1.1 won't support wlc 7.3 :
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/compatibility/ise_sdt.html
    Wireless LAN Controller (WLC) 2100, 4400 | 7.0.116.0 | No6 | Yes | No | Yes | Yes | Yes | Yes | No | No
    Wireless LAN Controller (WLC) 2500, 5500 | 7.2.103.0 | No6 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
    WLC 7500 Series | 7.2.103.0 (basic RADIUS auth supported in 7.0.116.0) | Yes6 | Yes | No | Yes (local only) | No | Yes | No | No | No

  • Troubleshoot Cisco Airlap 1242 with WLC 4400 Series LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response

    I have a Problem with my new AIRLAP 1242 to connect with WLC 4400
    after debug in my airlap it shows :
    Reset done!
    ethernet link up, 100 mbps, full-duplex
    Ethernet port 0 initialized: link is up
    Loading "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8"...######################################################################################################################################################################################################################################
    File "flash:/c1240-k9w8-mx.123-7.JX8/c1240-k9w8-mx.123-7.JX8" uncompressed and installed, entry point: 0x3000
    executing...
                  Restricted Rights Legend
    Use, duplication, or disclosure by the Government is
    subject to restrictions as set forth in subparagraph
    (c) of the Commercial Computer Software - Restricted
    Rights clause at FAR sec. 52.227-19 and subparagraph
    (c) (1) (ii) of the Rights in Technical Data and Computer
    Software clause at DFARS sec. 252.227-7013.
               cisco Systems, Inc.
               170 West Tasman Drive
               San Jose, California 95134-1706
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    Image text-base: 0x00003000, data-base: 0x004051E0
    Initializing flashfs...
    flashfs[1]: 9 files, 3 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 15998976
    flashfs[1]: Bytes used: 5062144
    flashfs[1]: Bytes available: 10936832
    flashfs[1]: flashfs fsck took 4 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    cisco AIR-LAP1242AG-E-K9   (PowerPCElvis) processor (revision A0) with 24566K/8192K bytes of memory.
    Processor board ID FCW1411U0FZ
    PowerPCElvis CPU at 266Mhz, revision number 0x0950
    Last reset from power-on
    1 FastEthernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 68:EF:BD:5F:9A:18
    Part Number                          : 73-10256-07
    PCA Assembly Number                  : 800-26918-06
    PCA Revision Number                  : A0
    PCB Serial Number                    : FOC14093XU3
    Top Assembly Part Number             : 800-29152-03
    Top Assembly Serial Number           : FCW1411U0FZ
    Top Revision Number                  : A0
    Product/Model Number                 : AIR-LAP1242AG-E-K9
    Press RETURN to get started!
    *Mar  1 00:00:05.608: %SOAP_FIPS-2-SELF_TEST_IOS_SUCCESS: IOS crypto FIPS self test passed
    *Mar  1 00:00:06.858: %DOT11-2-VERSION_INVALID: Interface Dot11Radio0, unable to find required radio version 581.18
    *Mar  1 00:00:06.858: Interface Dot11Radio0, Accepting as a test version of radio firmware
    *Mar  1 00:00:06.878: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 0
    *Mar  1 00:00:07.234: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:08.212: %DOT11-2-VERSION_INVALID: Interface Dot11Radio1, unable to find required radio version 581.18
    *Mar  1 00:00:08.212: Interface Dot11Radio1, Accepting as a test version of radio firmware
    *Mar  1 00:00:08.232: %SOAP_FIPS-2-SELF_TEST_RAD_SUCCESS: RADIO crypto FIPS self test passed on interface Dot11Radio 1
    *Mar  1 00:00:09.278: %SYS-6-LOGGERSTART: Logger process started
    *Mar  1 00:00:09.326: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1240 Software (C1240-K9W8-M), Version 12.3(7)JX8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Mon 19-Mar-07 01:42 by hqluong
    *Mar  1 00:00:09.332: %CDP_PD-4-POWER_OK: Full power - AC_ADAPTOR inline power source
    *Mar  1 00:00:09.388: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 32 seconds
    *Mar  1 00:00:10.271: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar  1 00:00:10.332: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:11.271: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
    *Mar  1 00:00:28.331: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar  1 00:00:28.361: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2462 selected
    *Mar  1 00:00:28.362: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:28.363: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar  1 00:00:28.369: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5260 selected
    *Mar  1 00:00:28.372: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:28.398: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:28.399: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar  1 00:00:28.465: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar  1 00:00:29.398: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Mar  1 00:00:29.465: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    Translating "CISCO-LWAPP-CONTROLLER.ekahospital.com"...domain server (202.134.0.155)
    *Mar  1 00:00:38.351: %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 172.31.xxx.xxx, mask 255.255.255.0, hostname AP68ef.bd5f.9a18
    *Mar  1 00:00:38.820: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2417 selected
    *Mar  1 00:00:38.827: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5200 selected (203.130.196.5)
    *Mar  1 00:00:49.835: %DOT11-6-FREQ_USED: Interface Dot11Radio0, frequency 2422 selected
    *Mar  1 00:00:49.842: %DOT11-6-FREQ_USED: Interface Dot11Radio1, frequency 5220 selected
    *Mar  1 00:00:49.851: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    *Mar  1 00:00:49.852: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar  1 00:00:50.852: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Sep 18 07:02:25.504: %LWAPP-5-CHANGED: LWAPP changed state to CFG
    *Sep 18 07:02:29.288: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.MYDOMAIN.com
    *Sep 18 07:02:30.504: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
    *Sep 18 07:02:30.551: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
    *Sep 18 07:02:30.551: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.
    flashfs[0]: 9 files, 3 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 15998976
    flashfs[0]: Bytes used: 5062144
    flashfs[0]: Bytes available: 10936832
    flashfs[0]: flashfs fsck took 26 seconds.
    Base ethernet MAC Address: 68:ef:bd:5f:9a:18
    Initializing ethernet port 0...
    Reset ethernet port 0...
    Reset done!
    And after that I checked my WLC, which shows:
    AP with Base Radio MAC xx:xx:xx:xx:xx:xx (APxxxx.xxxx.xxxx) is unable to associate.
    The reulatory domain configured on it '-e' does not match the controller's country
    code: USA
    I found that the problem is about the region.
    Question:
    1. Is it possible to change the region in the AIRLAP 1242 or in the WLC?
    2. If possible, how do I change it?
    INFO:
    My first AIRLAP Product/Model Number: AIR-LAP1242AG-A-K9, and my new AIRLAP Product/Model Number: AIR-LAP1242AG-E-K9

    WLC GUI >> Wireless >> Country >> Select the country.
    Regards
    Surendra
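The AP console log in the thread above can be read as a sequence of LWAPP states. The following is an added example, not part of the original posts or of any Cisco tool: it parses those messages to show how far the join got and why the AP reloaded. The function and field names are this example's own.

```python
import re

# Lines copied from the AP console log in the post above (LWAPP events only).
SAMPLE_LOG = """\
*Mar  1 00:00:28.331: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Mar  1 00:00:49.851: %LWAPP-5-CHANGED: LWAPP changed state to JOIN
*Sep 18 07:02:25.504: %LWAPP-5-CHANGED: LWAPP changed state to CFG
*Sep 18 07:02:29.288: LWAPP_CLIENT_ERROR: lwapp_name_lookup - Could Not resolve CISCO-LWAPP-CONTROLLER.MYDOMAIN.com
*Sep 18 07:02:30.504: LWAPP_CLIENT_ERROR_DEBUG: spamHandleCfgReqTimer: Did not recieve the Config response
*Sep 18 07:02:30.551: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET CONFIG RESPONSE.
*Sep 18 07:02:30.551: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file system is available.
"""

# Lazy match plus lookahead, so that "DOWNXmodem ..." (bootloader text fused
# onto the last message by the reload) still yields the state "DOWN".
STATE_RE = re.compile(r"LWAPP changed state to ([A-Z]+?)(?=[A-Z][a-z]|\W|$)")
ERROR_RE = re.compile(r"(LWAPP_CLIENT_ERROR(?:_DEBUG)?): (.+)")
RELOAD_RE = re.compile(r"Reload Reason: (.+?)\.?\s*$")


def analyze_join_log(text):
    """Return the LWAPP state sequence, client errors and reload reason."""
    states, errors, reload_reason = [], [], None
    for line in text.splitlines():
        m = STATE_RE.search(line)
        if m:
            states.append(m.group(1))
            continue
        m = ERROR_RE.search(line)
        if m:
            errors.append(m.group(2).strip())
            continue
        m = RELOAD_RE.search(line)
        if m:
            reload_reason = m.group(1)
    reached = [s for s in states if s != "DOWN"]  # states before the drop
    return {
        "states": states,
        "furthest": reached[-1] if reached else None,
        "failed": bool(states) and states[-1] == "DOWN",
        "errors": errors,
        "reload_reason": reload_reason,
    }


if __name__ == "__main__":
    result = analyze_join_log(SAMPLE_LOG)
    print(" -> ".join(result["states"]))
    print("furthest state:", result["furthest"])
    print("reload reason:", result["reload_reason"])
```

An AP that reaches CFG and then reloads has already discovered and joined a controller, so the controller-side message for that AP (here, the regulatory domain mismatch quoted in the post) is where the cause shows up.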

  • OVM 3.0.3 - cannot add new server to VLAN group with bonded VLANs

    I have a new OVS 3.0.3 server built with 2 bonded interfaces and a single VLAN running on top for the management interface. It gets discovered fine by OVM Manager (I'm running Version: 3.0.3.126, Build: 20111214_126)
    I am trying to add it to a VLAN group with two VLANs -- the existing management VLAN (ID=300) plus one other (ID=301). (I already have one identical server assigned to the VLAN group, with both VLAN interfaces configured and running fine.) This works OK, and I can see VLAN 301 for the new server in Oracle VM Manager with no IP address assigned to it.
    However, when I try to apply an IP address to the VLAN (via Hardware / Resources / VLAN Groups / Edit VLAN Group / Configure IP Addresses / VLAN Interfaces) it fails with this error:
    Job Internal Error (Operation)com.oracle.ovm.mgr.api.exception.FailedOperationException: com.oracle.ovm.mgr.api.exception.FailedOperationException: OVMAPI_4010E Attempt to send command: dispatch to server: whyovmprd02 failed. OVMAPI_4004E Server Failed Command: dispatch https://?uname?:[email protected]:8899/api/1 ovs_br_config start 0004fb0010be2df bond0.301, Status: org.apache.xmlrpc.XmlRpcException: exceptions.RuntimeError:Command ['/etc/xen/scripts/ovs-network-bridge', 'start', 'bridge=0004fb0010be2df', 'netdev=bond0.301'] failed (1): stderr: ovs-network-bridge Start: No such device bond0.301
    Oracle VM Manager seems to be expecting the subinterface for VLAN 301 to exist on the server already - which it doesn't of course, because the server has just been built, so it only has its management interface VLAN in place (VLAN ID 300)
    I have managed to work around this by removing VLAN segment 301 from the VLAN group completely, then adding it back in with the IP addresses for both servers in place. This seems to convince Oracle VM Manager that it needs to create the bond0.301 subinterface before it configures it. However, I obviously had to shut down all VMs to do this, and it was really messy as VLAN 301 is the storage network, so my original server lost contact with the NFS storage for a while which caused it to fence etc.
    There must be another way??! Any pointers would be very much appreciated.

    Avi Miller wrote:
    It's fixed in 3.1. In the meantime, if you can remove and reapply the Virtual Machine role on that network, it'll recreate the bridges for you.

    Thanks for replying Avi. (I won't ask you for a release date for 3.1 :))
    I did try that initially, but it didn't seem to help - I got this error back:
    Job Internal Error (Operation)com.oracle.ovm.mgr.api.exception.FailedOperationException: OVMAPI_4010E Attempt to send command: dispatch to server: whyovmprd02 failed. OVMAPI_4004E Server Failed Command: dispatch https://?uname?:[email protected]:8899/api/1 ovs_if_meta bond0.301 ethernet:0004fb00100a35f{why-be-301}:STORAGE, Status: org.apache.xmlrpc.XmlRpcException: exceptions.Exception:ovs_set_metadata: interface /sys/class/net/bond0.301 does not exists
    This appears to be from ovs_if_meta in /opt/ovs-agent-3.0/OVSVMNetConfig.py, which looks to be where the agent tries to write out the new roles for the network into the metadata file - it seems to be expecting the VLAN to exist already, and specifically checks in /sys to make sure that it is there.
    Should / could I add a step to my kickstart build to force the 301 VLAN to be created maybe? This would bring it into line with the other VLAN that is used for management, which is of course sitting there ready and waiting as soon as the server is built.

  • Client gets connected occasionally with WLC 5508

    Hi ,
    I have one strange problem with the wireless connection.
    I just upgraded several 1131 APs to LAP with 2 new Cisco 5508 controllers deployed, and we found the clients sometimes can get connected to the 1131 AP and the connection works well, and sometimes cannot. During our test, one connection is OK, the next one cannot connect, the third one seems OK, again and again.
    And we also have 2 new 1140 APs, which seem to have no such problem.
    The version for the controller is 6.0.196.0, and the client is a Lenovo PC with XP.
    Any suggestions? Or some troubleshooting procedure I can follow?
    Thanks!
    Roy

    Thanks!
    Seems some problem with open authentication.
    On the client, it reported that it cannot get associated.
    On the WLC, while I am debugging the client, it reports:
    *Jul 14 10:18:51.844: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:a5:c0 (status 12)
    *Jul 14 10:18:51.889: 00:1f:3c:c2:e9:71 Ignoring 802.11 assoc request from mobile pending deletion
    *Jul 14 10:18:51.889: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:a5:c0 (status 12)
    *Jul 14 10:18:51.928: 00:1f:3c:c2:e9:71 Ignoring 802.11 assoc request from mobile pending deletion
    *Jul 14 10:18:51.928: 00:1f:3c:c2:e9:71 Sending Assoc Response to station on BSSID c4:7d:4f:47:ae:b0 (status 12)
    *Jul 14 10:18:52.446: 00:1f:3c:c2:e9:71 apfMsExpireCallback (apf_ms.c:418) Expiring Mobile!
    *Jul 14 10:18:52.446: 00:1f:3c:c2:e9:71 apfMsExpireMobileStation (apf_ms.c:4427) Changing state for mobile 00:1f:3c:c2:e9:71 on AP c4:7d:4f:47:ae:b0 from Associated to Disassociated
    I am using remote RADIUS with the WLC only.
    The strange thing is, when it gets connected, it looks fine, but when I tried to disconnect manually and then connect again, it reported that it cannot get associated; then I try again, and it can connect again...
