Wireless design - Cisco 5508

Just recently bought a couple of 5508's, one for lab and one for production.
So I am at an early stage of design here.
I have a few questions.
I would like to create one VLAN that is trunked across all 8 floors of the company, the distribution switches and the associated APs per floor.
Once a client tries to connect I would like them to be able to use their domain credentials (LDAP) to authenticate against the wireless infrastructure. Once they authenticate, they are granted access to the wireless VLAN, which has connectivity back to the network.
From a design perspective, is this the best way to go about doing this? I see that there is a section for LDAP authentication; if they are already logged into the domain and then undock their laptop and connect over wireless, will they have to retype the username and password? Seamless would be nice.
From a guest (in-house consultant) perspective, how do I design for just allowing them wireless access but only to the internet and not have access to the rest of the internal network? Is there a way to differentiate via VLAN assignment if they are a guest or an authenticated user?
Pretty new to this 5508, but so far it looks great. Any advice / help would be appreciated.
Cheers
Dave

Let's try to do it point by point.
If you are to accept guests, you are better off with a separate SSID with no authentication. That separate SSID will be on a separate VLAN, so you just have to configure ACLs on your network to prevent internal network access.
With regard to authentication, LDAP is a user database. You still need an authentication server. The WLC can act as one, but it's not as good as a real AAA/RADIUS server.
So the best is to have the WLC using a RADIUS server (Microsoft NPS/IAS or Cisco ACS or whatever) that will do PEAP authentication and will use Active Directory as the database (the RADIUS server is using AD as the database, not the WLC).
This allows you to dynamically assign VLANs and do the other funny stuff that a RADIUS server allows.
To have it "seamless" you can pre-configure the client supplicants to do PEAP and automatically use the Windows login credentials, so they won't be prompted if all goes well.
For specific questions, I think all is covered in the WLC config guide, but this should be a good set of pointers for you to know where to look.
Hope this clarifies.
Nicolas
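To make the "dynamically assign VLANs" point above concrete, here is an added Python example (it is not part of this thread and is not Cisco, NPS or ACS code). It encodes the three RFC 2868 tunnel attributes that a RADIUS server puts in its Access-Accept to place a user in a VLAN (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = the VLAN ID, as specified in RFC 3580), computes the RFC 2865 Response Authenticator that binds the reply to the original request and the shared secret, and shows the check the NAS (here the WLC) performs before it trusts the reply and the VLAN it carries. The shared secret, the tag value 1 and the RADIUS identifier are assumptions; the packet layout and attribute numbers are from the RFCs. On the controller, the reply only takes effect if AAA override is enabled on the WLAN.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Tuple

# RFC 2865 packet code and the RFC 2868 tunnel attributes that carry a VLAN
# assignment (RFC 3580 section 3.31)
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type = IEEE-802


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """The three tagged tunnel attributes a RADIUS server returns to assign a VLAN.

    The tag (0..0x1F) groups the three attributes together; tag 1 is an assumption.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be in 0..0x1F")
    return (_attr(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + _attr(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """NAS side: what the WLC must check before trusting the reply and its VLAN."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list after the 20-byte header, rejecting lengths that run past the packet."""
    out, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def assigned_vlan(packet: bytes) -> Optional[int]:
    """Return the VLAN ID only if all three tunnel attributes agree under one tag."""
    by_tag: Dict[int, Dict[int, bytes]] = {}
    for attr_type, value in parse_attributes(packet):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) and value:
            # RFC 2868: a first byte above 0x1F is data, not a tag
            tag, body = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
            by_tag.setdefault(tag, {})[attr_type] = body
    for attrs in by_tag.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            group = attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii", "replace")
            return int(group) if group.isdigit() and 1 <= int(group) <= 4094 else None
    return None


def demo() -> Tuple[bool, Optional[int]]:
    """One exchange: the server assigns VLAN 20, the NAS verifies the reply and reads the VLAN."""
    secret = b"example-shared-secret"       # assumption: must match on the WLC and the RADIUS server
    request_authenticator = os.urandom(16)  # the NAS sent this in its Access-Request
    reply = build_access_accept(7, request_authenticator, secret, vlan_attributes(20))
    return verify_response(reply, request_authenticator, secret), assigned_vlan(reply)


if __name__ == "__main__":
    print(demo())  # (True, 20)
```

The verification step is the reason the shared secret matters: without it, anything that can spoof the RADIUS server's address could hand the controller an Access-Accept with a VLAN of its choosing. The example also shows why the three attributes are checked as a set; a Tunnel-Private-Group-ID on its own, or one whose Tunnel-Type is not VLAN, is ignored rather than guessed at.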

Similar Messages

  • Cisco 5508 interface design problem

    Cisco 5508 interface design
    Now I have connected the WLC into the infrastructure as in the picture, but the APs can't register with the WLC. How do I create the interfaces for this diagram? Please help me, because the access switch is an unmanaged switch and I can't configure a trunk on it. Can I install this solution like this, or not?
    Thank you for the best support.
    samy

    Why are your APs on different VLANs?
    If you plan to create SSIDs on different VLANs then you will need a trunk port to the WLC, as the switch needs to pass tagged frames to it and the WLC needs to pass tagged frames back.
    Out of interest, you are using a 5508, which is a fairly expensive piece of kit, yet you are connecting it to an unmanaged switch. Why?

  • Cisco 5508 Hreap - slow wireless throughput

    I have a Cisco 5508 set up at a host site with 3 other sites connected using H-REAP on 1252 APs. When doing testing of network speed I find that the throughput from the wireless to the wired network is at about 18 Mbps, yet the same test on the wired side is 85-100 Mbps, and wireless to wireless is 18 Mbps.
    Any ideas what could cause this?

    Hm, just guessing is hard. So ...
    Can you upload the configuration?
    Which standard do you use? .11n? Encryption method?
    Were you the only one on the AP while taking the tests?
    Have you tried some tests at various daytimes?
    Any chances to check for interference or change channels?
    Sebastian

  • Redirect to web authentication not working on Cisco 5508 Wireless Controller

    Hi,
    I have a wlan with web authentication:
    http://i55.tinypic.com/w145zk.png
    and
    http://i51.tinypic.com/344sfm0.png
    When I connect to the SSID (I get a correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html); when I manually enter the URL I get "cannot display the webpage". Any idea?
    The virtual interface is 1.1.1.1.
    Here is a screenshot of interface and internal dhcp:
    http://i52.tinypic.com/2vkm1d2.png
    Any idea why clients are not redirecting?
    Thanks!

    Thanks for the reply dmantil!
    When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP) I get redirected if I use http://198.133.219.25, but not with http://cisco.com; I get redirected only if I use the IP.
    I forgot to mention that the controller is in a lab with no access to a DNS server. Does the controller check if the domain is valid before redirecting users? I can't find any documentation on how the controller redirects users.

  • How can I set up 3 different VLANs on Cisco 5508

    Dear Community Members,
    I have a need to set up three (3) VLANs with different SSIDs for students, staff and visitors in a college.
    The controller is a Cisco 5508 with Cisco 3502E-E-K9 APs.
    Presently the wireless network is flat with just one VLAN.
    NB.
    Staff would log in using active directory user name and password.
    Student would log in using username and Registration number  Possibly using RADIUS SERVER
    How best can i achieve this.

    Since you are using a single VLAN, having multiple SSIDs is useless, and the better approach will be using AD for both authentication and managing Group Policy for both. In this way you can manage both students and staff. Kindly see the following links for step-by-step config and to understand Group Policy.
    Server 2008/2012:
    http://jackstromberg.com/2013/05/tutorial-802-1x-authentication-via-wifi-active-directory-network-policy-server-cisco-wlan-group-policy/
    Cisco document, Server 2003 (another one explaining the flow in detail):
    http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml

  • Wireless design guide/help

    Hi guys, just have a few questions about designing with the WLC 5508.
    The scenario is that currently one of the clients has a firewall tiering: T1 internet facing and T2 internal, which has multiple DMZs connected.
    The T2 firewall has a DMZ switch connected, which has a router that connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking of deploying wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking of deploying two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; how will the physical topology look?
    4- How many VLANs do I have to make for wireless users? Will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC. Are they just like a switch, e.g. one port can be assigned to a different VLAN? Just confused about interfaces and VLANs on the WLC (interfaces concept).
    Thanks guys, and hope to get a response ASAP.

    1- Keeping in mind that there is only one WLC where should i physically put it?
    Well, since you will also be supporting Corporate and I'm guessing that is where the WLC sits, it should be in the inside network. You would just need to allow UDP 5246 & 5247.
    2- How guest users will work ? How the authentication will be done?
    Guest users can use webauth in which the credentials will be stored on the WLC.
    3-There are 8 SFP ports in WLC how physical topology will look like?
    This is the tricky part. You can either LAG or not LAG. You can't split up the LAG (EtherChannel). So you can either use all 8 if you wish and create an EtherChannel and then ACL the guest traffic out to the internet, or you can put the guests on a layer 2 VLAN which you would connect out to the DMZ. Or you can use one port for the management and also have a backup port, one for your internal wireless and also have a backup port, and the same for guest. So it would look like this:
    Management primary port 1 backup port 2
    SSID primary port 3 backup port 4
    Guest primary port 5 guest port 6
    OR
    Management & SSID's primary port 1 backup port 2
    Guest primary port 3 guest port 4
    4-How many Vlans i have to make for wireless users will that be 10? (1 at each site) ?
    If you use local switching which I would think you would, the vlans for the SSID at the remote site will be created locally at each remote site.  If you want to centrally switch, means all traffic will come back to the WLC, then you will need at least one.  Now you can use a large subnet or have a subnet for each site, its up to you.  You would use AP Groups for that.
    my last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interface concept)
    Thanks,
    Scott

  • Wireless design help

    (Same question as in "Wireless design guide/help" above.)

    OSITAN N: Many thanks, please comment.

                    Internet
                       |
                      FW1
                       |                                     <----- Traffic coming this way
    Trusted ---------- FW2 ----- DMZ ----- SW ----- Router ----- IP MPLS -----+
      |                                                                       |
      +-- DNS                                                         Branch Router
      +-- AD                                                                  |
      +-- DHCP                                                               RT
                                                                              |
                                                                             SW
                                                                              |
                                                                             AP
                                                                              |
                                                                            USER

    1. Where should the WLC be placed so that guest traffic does not go to the Trusted area?
    2. It's going to be H-REAP, so DHCP would be local for the branch.
    3. Voice user QoS? Priority how? Example?
    4. Guest firewall rules to use only the internet?

  • Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS

    Has anyone experienced a problem getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
    I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1X for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1X handshake take place between the wireless client and the WLC, as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However, on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list" and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
    Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
    Any ideas of what might be the issue or misconfiguration?

    Jim,
    I wanted to know if you can set up Wireshark on both of the boxes and see if you are hitting the following bug:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
    It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which case the RADIUS State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server, it will discard the packet.
    May need to open a TAC case to see if this issue is on the 550x controllers also.
    Thanks,
    Tarik

  • Cisco 5508 Firmware update 6.x 7.0.98 Questions

    Hi guys,
    Have not done an update on any cisco gear since about 2001
    We have a cisco services contract with IBM that supplies us access to the usb drivers, firmwares etc, and we have a Cisco 5508 6.x running ~30 Cisco 1252's, some 1231's and (potentially) some 1262's once the firmware update is done.
    We have a base-count license(permanent) of 50AP's, no expiry
    So I guess my questions are:
    1) When flashing the new firmware - do the licenses require any sort of modification, or will they work as per normal
    2) Are any serial numbers or codes required to be entered once the 7.0.98 firmware is installed?
    3) I assume that the old firmware/config becomes 2nd in line to the primary boot option of the firmware during boot process?
    Thanks

    7.0.98.0 is deferred code.
    Browse to deferred release on bottom:-
    http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=280926587&release=7.2.110.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest
    Deferral Notice:-
    Wireless Lan Controller (WLC) software version 7.0.98.0 is being deferred due to the following issue :
    CSCtj21464 - WLC data plane core crashes, causing WLC reboot
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
    The 5500 supports 7.2 code, but the AP 123x is not supported on 7.2, and the 126x is supported from 7.0.116.0 code. It is suggested to update to 7.0.235.0.

  • Cisco 5508 HA

    Hi all,
    We recently installed a pair of Cisco 5508 controllers running 7.6.110.0. Right now I don't want to use the 'Redundancy' / 'HA' features, preferring instead to run with an Active/Standby pair controller through the HA tab configured in all APs.
    As part of the upgrade to 7.6.110.0 we upgraded the secondary controller first, moved APs over one by one, then upgraded the primary. Right now I am having an issue moving the APs back to the primary. To confirm:
    - the mobility group is the same on both devices
    - mobility is up
    - I am allowing MIC certificates
    - AP fallback is enabled
    - device names, etc all match as I appreciate there can be issues as this is case sensitive
    As far as I was aware that was all that needed to match for this to work. One thing I have noticed however is that if I go into Redundancy -> Global Configuration both the Primary and Secondary are defined as the 'Primary' redundant unit. I've not activated, at least I thought I had not activated, this level of redundancy. Could this be what is causing it? I'm a bit wary of changing this value as I believe the controller will reboot.
    Can anybody shed any light on this. The intention was to eventually enable the redundancy and SSO, etc but not right now.
    Thanks

    Hi Leo, Scott
    So I was doing a bit more reading on this: http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html. It is an old document, but working through it, the document suggested that you didn't need to specify the IP address of the Primary or Secondary controller in Wireless -> All APs -> AP_NAME -> High Availability. I removed this from one of the APs that was at the time serving no clients and tried to move it to the secondary, and it worked. I then moved it back to the primary and it worked again.
    Any reason why this would happen? The IP addresses I was using were 100% correct. The only difference I see for this controller as opposed to others we manage is the introduction of new interface types i.e. 'redundancy management' , 'redundancy port' ,etc. I do not have redundancy enabled so I'm guessing not, but having trawled through the configuration this is the only difference I can see?

  • Cisco 5508 HA - Webauth Bundle for multiple SSID/multiple web pages

    Hi Guys,
    I have 2 Cisco 5508 WLCs in HA mode. Both are running IOS 7.5.102.0. Everything is working perfectly fine.
    I need to create 3 different SSIDs and create 3 different login pages for them. Each user from the respective SSID will get the specified login page, like
    I have a few questions:
    1) I have downloaded the webauth bundle from the Cisco support site, and in that itself there are so many files. So based on my scenario, in which folder do I need to copy my login and logo files?
    2) I have used PicoZip to convert the files to .tar format, but it's giving me the following error: "% Error: Webauth Bundle file transfer failed - No reply from the TFTP serve", yet I can ping my TFTP server easily.
    3) As the controllers are in HA mode, once I am successful in uploading the webauth bundle will it be replicated to the secondary controller, or do I have to turn off SSO and upload to both one by one?
    Please help me out in this.
    Cheers

    Hello Sandeep,
    I have uploaded the tar which you sent to me. When I supply my username and password, after that it keeps on going and does not show any end result, so it stays on the same page and nothing happens after that.
    Are there any more RADIUS ACLs to be defined? 10.10.13.x is the wireless client network, 192.168.10.21 is the RADIUS server, 192.168.10.215 is the proxy server. Is there any other ACL that needs to be defined?
                           Source                         Destination                 Source Port  Dest Port
    Index  Dir       IP Address/Netmask               IP Address/Netmask       Prot    Range       Range    DSCP  Action      Counter
         1 Any      10.10.13.0/255.255.255.0     192.168.10.21/255.255.255.255  Any     0-65535     0-65535  Any Permit           0
         2 Any   192.168.10.21/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit           0
         3 Out      10.10.13.0/255.255.255.0           1.1.1.1/255.255.255.255  Any     0-65535     0-65535  Any Permit           0
         4  In         1.1.1.1/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit           0
         5 Any      10.10.13.0/255.255.255.0    192.168.10.215/255.255.255.255  Any     0-65535     0-65535  Any Permit          98
         6 Any  192.168.10.215/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit          98
    DenyCounter : 12
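    The posted ACL table is the same first-match, implicit-deny structure as the ACLs suggested in the first thread for keeping guests off the internal network, so one added Python example (not from this thread, not Cisco code) serves both: it parses the controller's "show acl detailed" style table, then evaluates constructed flows against it to show which are permitted and which fall through to the implicit deny. The table below is a constructed copy of the one posted above; the flows (a client to the RADIUS server, the proxy back to a client, a client to a DNS resolver at 203.0.113.53, a client to the virtual IP) and the ports are assumptions. Direction follows the WLC documentation's convention (In = from the wireless client, Out = towards the wireless client); the code models only the ACL's own match logic, not the controller's built-in handling of webauth traffic to the virtual interface, so it says nothing about whether a redirect works, only about what the listed rules permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed copy of the "show acl detailed" style table posted in the thread;
# a real controller prints the same ten columns, the counters are irrelevant here.
ACL_TABLE = """\
     1 Any      10.10.13.0/255.255.255.0     192.168.10.21/255.255.255.255  Any     0-65535     0-65535  Any Permit           0
     2 Any   192.168.10.21/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit           0
     3 Out      10.10.13.0/255.255.255.0           1.1.1.1/255.255.255.255  Any     0-65535     0-65535  Any Permit           0
     4  In         1.1.1.1/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit           0
     5 Any      10.10.13.0/255.255.255.0    192.168.10.215/255.255.255.255  Any     0-65535     0-65535  Any Permit          98
     6 Any  192.168.10.215/255.255.255.255      10.10.13.0/255.255.255.0    Any     0-65535     0-65535  Any Permit          98
DenyCounter : 12
"""


@dataclass
class Rule:
    index: int
    direction: str                 # "In" (from the client), "Out" (to the client) or "Any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                     # "Any" or a protocol name such as TCP/UDP
    sport: range
    dport: range
    action: str                    # "Permit" or "Deny"


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str                 # "In" or "Out", from the controller's point of view


def _ports(text: str) -> range:
    lo, hi = text.split("-")
    return range(int(lo), int(hi) + 1)


def parse_acl(table: str) -> List[Rule]:
    """Keep only the rule rows: ten whitespace-separated fields starting with the index."""
    rules = []
    for line in table.splitlines():
        f = line.split()
        if len(f) != 10 or not f[0].isdigit():
            continue  # header, blank and DenyCounter lines
        rules.append(Rule(int(f[0]), f[1],
                          ipaddress.ip_network(f[2], strict=False),
                          ipaddress.ip_network(f[3], strict=False),
                          f[4], _ports(f[5]), _ports(f[6]), f[8]))
    return sorted(rules, key=lambda r: r.index)


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a flow that matches no rule hits the implicit deny."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for r in rules:
        if (r.direction in ("Any", flow.direction)
                and src in r.src and dst in r.dst
                and r.proto.lower() in ("any", flow.proto.lower())
                and flow.sport in r.sport and flow.dport in r.dport):
            return r.action, r.index
    return "Deny", None


def check_flows(table: str = ACL_TABLE) -> Dict[str, Tuple[str, Optional[int]]]:
    """Assumed flows a webauth client would need; each maps to (action, matching rule index)."""
    rules = parse_acl(table)
    flows = {
        "client -> RADIUS 1812/udp":   Flow("10.10.13.50", "192.168.10.21", "udp", 50000, 1812, "In"),
        "proxy -> client":             Flow("192.168.10.215", "10.10.13.50", "tcp", 3128, 51000, "Out"),
        "client -> DNS 53/udp":        Flow("10.10.13.50", "203.0.113.53", "udp", 50001, 53, "In"),
        "client -> virtual IP 443/tcp": Flow("10.10.13.50", "1.1.1.1", "tcp", 51001, 443, "In"),
    }
    return {name: evaluate(rules, flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, verdict in check_flows().items():
        print(f"{name:32s} {verdict}")
```

    Running it shows the client-to-RADIUS and proxy-to-client flows permitted by rules 1 and 6, while a client's DNS query matches nothing and is dropped by the implicit deny, which is the kind of flow a guest or pre-authentication ACL usually has to allow explicitly. The client-to-virtual-IP flow is reported as unmatched because rule 3 is Out-only and rule 4 requires 1.1.1.1 as the source; whether that matters depends on how the controller treats virtual-interface traffic, which this evaluator does not model. The same parser and evaluator apply unchanged to a guest-VLAN ACL that permits DHCP and DNS and denies the RFC 1918 ranges before permitting the internet.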

  • Cisco 5508 and Ipads

    We have cisco 5508.
    We had problems with the connection of the first- and second-generation iPads. Firmware: 7.0.235.3. We cannot put firmware 7.x on it because we have a 1310 access point. But when we put firmware 7.2 on, the iPads still did not get wireless. Then we rolled back. It is interesting that only the first- and second-generation iPads do not work; everything above that works. Played with TKIP instead of AES, did not help...
    P.s. iphone works.

    (Cisco Controller) >show wlan 45
    WLAN Identifier.................................. 45
    Profile Name..................................... Test
    Network Name (SSID).............................. Test
    Status........................................... Disabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 6400 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ guestwifi
    Multicast Interface.............................. Not Configured
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Silver (best effort)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... 802.11g only
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Global Servers
       Accounting.................................... Global Servers
       Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       H-REAP Local Switching........................ Disabled
       H-REAP Local Authentication................... Disabled
       H-REAP Learn IP Address....................... Enabled
       Client MFP.................................... Optional but inactive (WPA2 not configured)
       Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status

  • Cisco 5508 Email Notification

    I have 2 Cisco 5508 Wireless LAN Controllers.
    They are NOT connected to a WCS.
    Is there a way to configure the 5508's to send email notifications when an AP drops offline?
    If not, is this functionality available with either a WCS or the new NCS?

    Hi,
    You can't send SMTP alerts directly from the controllers.
    The options you have are
    to configure a Syslog server under the Management tab of the controller to enable logging of alarms to the Syslog server. When the alarm arrives at the syslog server, there needs to be an event configured to email the particular alarm to SMTP recipients
    Install WCS at version 7.x providing support for the 5508 controllers and 350x WAPs. Via WCS, with the controllers and WAPs managed by the application, the alarms will be emailed to the configured SMTP recipients
    Hope this is of help
    Regards
    David

  • Creating new Bridge Group names in Cisco 5508 WLC??

    How do we create new Bridge Group names on a Cisco 5508 WLC with 1552E access points?

    You create it on the 1552 once the AP joins. Once it joins, you will have to choose that AP, then set the AP mode to Bridge and apply. This will reboot the AP. Once the AP comes back, you will have a MESH tab on that specific AP or any AP that you have set to Bridge mode. You then set the AP role and the bridge group name there. Here is an older MESH deployment guide to follow.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70mesh.html
    Scott

  • Cisco 5508 Controller 5GHz band selection

    hi,
    Today I installed one Cisco 5508 controller with 1262 APs with 5 GHz antennas only. All radios came up except the 5 GHz band; I tried my level best to get it up. Can anybody tell me if there is anything we need to really inspect to enable the 5 GHz band?
    Anvar

    Hi Nicolas,
    please find below answers, and attached snapshot
    1) what is your AP exact model ? -A ? -E ?
    Ans:-    AP Model No  - AIR-LAP1262N-A-K9
    2) What country did you configure your WLC for ?
    Ans:-    Saudi Arabia
    3) did you enable 802.11a network on the "wireless" tab ?
    Ans:-  Yes
    4) if you go to the AP radio list on the WLC, what does it say for your AP ? up ? down ?
    Ans:-  802.11a/n Radios      DOWN
              802.11 b/g/n Radios  UP
    Thanks,
    Anvar
