Wireless VLANs and WLC

Hello,
I am designing a configuration for a Wireless solution. I have a 2951 with an SRE-WLC and a 4-port switch module. The documentation at
http://www.cisco.com/en/US/docs/wireless/controller/controller_modules/sre/installation/guide/wlcsreinst.html#wp1072942 raised a couple of questions. The exact part of the diagram from the documentation is attached.
The question is that the VLANs configured on the SRE-WLC and the ones configured on the local switch belong to different subnets. Why? For example, on the SRE-WLC VLAN 20 is 55.20.0.0/24, but on the switch VLAN 20 is 20.1.1.0/24. Why?
Thanks!

Hi George,
Today I tried implementing APs on a different VLAN than MGMT. Here is what I got:
1. New out-of-box APs didn't join the WLC once placed directly in the APs VLAN. However, they were able to join the WLC once I put them back in the MGMT VLAN. They upgraded their IOS from the WLC and joined completely. After that I moved them back to the APs VLAN and they started to join. So, here is the procedure: open a new AP from the box, connect it to the MGMT VLAN, wait for it to join the WLC and then move it to the APs VLAN. This is a little bit strange. Also I noticed that they were unable to join the WLC even on the MGMT VLAN if the MGMT VLAN is tagged on the WLC and that tagged VLAN is allowed on the trunk. I have the WLC on the SRE, MGF trunk, VLANs and DHCP pools with option 43 configured. Will continue to investigate tomorrow.
2. The most difficult and problematic issue was that the LED was disabled on all APs after joining the WLC. I had been thinking that there was an error, but only then found that APs by default turn off the LED after joining the WLC. Issuing config ap led-status enable all on the WLC solved the problem.
3. Also I regularly have been receiving
%PARSER-4-BADCFG: Unexpected end of configuration file.
during the AP joining to the WLC. Don't know why. My APs are LAP1041n.
Anyway, will continue digging tomorrow; hopefully I will find a stable solution. My ideal solution will be:
1. WLC Management is on MGMT VLAN - tagged vlan 20, static IP assignments.
2. APs on separate AP VLAN - tagged vlan 15 - dynamic IP assignments from DHCP pool on ISR with option 43.
3. Clients are on separate USERS VLAN - tagged vlan 10
The native VLAN will be another VLAN - VLAN 25.
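As an added example (not code from this thread), the option 43 value the AP-VLAN DHCP pool needs can be generated and checked with the Python below; Cisco lightweight APs expect vendor-specific sub-option 241 (0xf1), a length byte of 4 times the number of controllers, then each WLC management address in hex. The VLAN 15 subnet, gateway and controller address used here are constructed placeholders.

```python
import ipaddress

# Added helper, not code from the thread. Cisco lightweight APs read the WLC
# list from DHCP option 43 encoded as sub-option 241 (0xf1): one type byte,
# one length byte (4 * number of controllers), then each IPv4 address in hex.
SUBOPTION_WLC = 0xF1


def encode_option43(controllers):
    """Return the raw hex string for 'option 43 hex' given WLC management IPs."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([SUBOPTION_WLC, len(payload)]).hex() + payload.hex()


def ios_dotted(hexstr):
    """Group a hex string into 4-digit, dot-separated blocks as IOS shows it."""
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))


def decode_option43(hexstr):
    """Parse an option 43 hex string back to controller addresses, validating the TLV."""
    data = bytes.fromhex(hexstr.replace(".", ""))
    if len(data) < 2 or data[0] != SUBOPTION_WLC:
        raise ValueError("not a Cisco sub-option 241 TLV")
    length = data[1]
    if length % 4 != 0 or len(data) != 2 + length:
        raise ValueError("length byte does not match the payload")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(2, 2 + length, 4)]


def dhcp_pool_snippet(pool, network, gateway, controllers):
    """Build the IOS DHCP pool stanza for the AP VLAN (constructed example values)."""
    net = ipaddress.IPv4Network(network)
    return "\n".join([
        f"ip dhcp pool {pool}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {gateway}",
        f" option 43 hex {ios_dotted(encode_option43(controllers))}",
    ])


if __name__ == "__main__":
    # Constructed values: AP VLAN 15 on 10.15.0.0/24, WLC management at 10.20.0.5.
    print(dhcp_pool_snippet("AP-VLAN15", "10.15.0.0/24", "10.15.0.1", ["10.20.0.5"]))
```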

Similar Messages

  • Wireless VLANs and Layer2/3 VLANs

    Dear,
    Can the VLANs created for the mapping of SSIDs in the embedded AP on a Cisco 1941 be connected to, and communicate with, the VLANs created on a Layer 2/3 switch?
    Let's say I have created 3 VLANs (say 200, 201, 202) for 3 SSIDs; can they communicate with the VLANs created on the switch (say 200, 201, 202)?
    Or are these wireless VLANs purely for the mapping of SSIDs? Thanks

    Yes, that should be a trunk. The links below are the configuration guides.
    https://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/Software_Configuration.html
    http://www.cisco.com/en/US/docs/routers/access/1900/software/configuration/guide/wlan.html
    Regards
    Surendra

  • Wireless Bridging and WLC

    Hi everyone,
    We are planning to perform outdoor wireless bridging between different buildings in a city.
    I wanted to know if it is necessary to install a Wireless LAN controller for this kind of deployment (outdoor only)?
    Thanks!
    Regards,
    Fadel

    Well, what is the requirement for the link? The Exalt bridges do a good job and you can get up to 160 Mbps half duplex. The mesh APs are a bit more expensive, are not intended for such a long distance, and require a WLC. If you require higher throughput, then you need to look at another vendor's point-to-point bridging.
    Sent from Cisco Technical Support iPhone App

  • SonicWALL = Guest Wireless, VLANs, and DHCP

    All,
    I'm going to attempt to set up corporate and guest WIFI using Ubiquiti UniFi APs. I'm new to VLANs in general but understand that this is the likely approach. The equipment that I will be using is below:
    - SonicWALL TZ-400 configured for PTP VPN to a SonicWALL E6500.
    - Ubiquiti toughswitch just for the APs
    - 4 Ubiquiti APs
    The SonicWALL E6500 (central location) does DHCP over VPN to all of the remote offices such as where this TZ-400 will be. I'm struggling with how to handle DHCP. If I set up VLANs, say VLAN 10 for corporate to pull DHCP as normal and VLAN 20 for guest WIFI, how can I tell VLAN 20 to get a different range of IPs so that I can restrict it from the corporate network range? The toughswitch would be using its own interface on the TZ400. Does what I'm trying to accomplish make sense and is it possible?
    This topic first appeared in the Spiceworks Community

    Setup: Sonicwall TZ205. Created a sub-interface, X0:V100, with an IP address of 10.45.1.1. Created a DHCP scope for said IP range associated with X0:V100 within Sonicwall.
    Three Netgear switches:
    A. 24 Port + 4 SFP
    B. 24 Port + 4 SFP
    C. 48 Port + 4 SFP
    1. Sonicwall connected to switch C on port 1.
    2. Switch C connected to switch B using port 47.
    3. Switch B connected to switch C using port 23.
    4. Switch B connected to switch A using port 25 (GB SFP over fiber).
    5. Switch A connected to switch B using port 25 (GB SFP over fiber).
    6. Ubiquiti AP connected to switch A on port 2.
    VLAN 1 – default
    · All ports on all switches are untagged for default VLAN 1
    VLAN 100 – meant for wireless guests
    · Ports 2 and 25 are Tagged for V100 on switch A – all other ports are blank for V100
    · Ports 23 and 25 are Tagged for V100 on switch B – all other ports are blank for V100
    · Ports 1 and 47...

  • Wireless VLAN and Native VLAN

    OK, I'm a bit confused about what to do with the native VLAN. I know that for QoS/CoS, I should not use VLAN 1 as the native VLAN. I also know that I should use a separate VLAN as the management VLAN. So I'm left thinking, do I need a native VLAN? If I do, can I just make a dumb VLAN that goes nowhere and use that as the native VLAN? Or am I just completely missing something? Thanks

    The native VLAN must also be your management VLAN for Cisco APs.
    The Native VLAN can be any number, as long as you configure it accordingly.
    Also keep in mind that the local RADIUS server, and DHCP will only deliver to the native VLAN. If you intend to use either of those services on the non-native VLAN/SSID, you'll need to have a layer three device on the line to forward that traffic.
    Good Luck
    Scott

  • Ask the Expert: Cisco BYOD Wireless Solution: ISE and WLC Integration

    With Jacob Ideji, Richard Hamby and Raphael Ohaemenyi
    Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about the new Identity Services Engine (ISE) and Wireless LAN Controller (WLC) hardware/software, integration, features, specifications, client details, or just questions about Cisco's Bring-your-own-device (BYOD) solution with Cisco experts Richard Hamby, Jacob Ideji, and Raphael Ohaemenyi. The interest in BYOD (Bring Your Own Device) solutions in the enterprise has grown exponentially as guests and company users increasingly desire to use personal devices to access. Cisco BYOD enhances user experience and productivity while providing security, ease of administration, and performance. The heart of the Cisco wireless BYOD solution is Identity Services Engine (ISE) utilizing the Cisco Unified Wireless portfolio. Starting with ISE v1.1.1MR and WLC (Wireless LAN Controller) code v7.2.110.0 and higher, end-to-end wireless BYOD integration is reality.
    Jacob Ideji is the technical team lead in the Cisco authentication, authorization and accounting (AAA) security team in Richardson, Texas. During his four years of experience at Cisco he has worked with Cisco VPN products, Cisco Network Admission Control (NAC) Appliance, Cisco Secure Access Control Server, and Dot1x technology as well as the current Cisco Identity Services Engine. He has a total of more than 12 years experience in the networking industry. Ideji holds CCNA, CCNP, CCSP, CCDA, CCDP, and CISM certifications from Cisco plus other industry certifications.
    Richard Hamby  works on the Cisco BYOD Plan, Design, Implement (PDI) Help Desk for Borderless Networks, where he is the subject matter expert on wireless, supporting partners in the deployment of Cisco Unified Wireless and Identity Services Engine solutions. Prior to his current position, Hamby was a customer support engineer with the Cisco Technical Assistance Center for 3 years on the authentication, authorization, accounting (AAA) and wireless technology teams. 
    Raphael Ohaemenyi is a customer support engineer with the authentication, authorization and accounting (AAA) team in the Technical Assistance Center in Richardson, Texas, where he supports Cisco customers in identity management technologies. His areas of expertise include Cisco Access Control Server, Cisco Network Admission Control (NAC) Appliance, Cisco Identity Services Engine, and IEEE 802.1X technologies. He has been at Cisco for more than 2 years and has worked in the networking industry for 8 years. He holds CCNP, CCDP, and CCSP certifications.
    Remember to use the rating system to let Jacob, Richard and Raphael know if you have received an adequate response.  
    Jacob, Richard and Raphael might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the wireless mobility sub community forum shortly after the event. This event lasts through Oct 5th, 2012. Visit this forum often to view responses to your questions and the questions of other community members.

    OOPS !!
    I will repost the whole message with the correct external URLs:
    In general, the TrustSec design and deployment guides address the specific support for the various features of the 'whole' Cisco TS (and other security) solution frameworks, and then drill down (usually the proper links are embedded) to the specific feature, and then that feature on a given device. TS 2.1 defines the use of ISE or ACS5 as the policy server, and configuration examples for the platforms will include and refer to them.
    TrustSec Home Page
    http://www.cisco.com/en/US/netsol/ns1051/index.html
    http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/at_a_glance_c45-654884.pdf
    I find this page very helpful as a top-level start to what features and capabilities exist per device:
    http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html
    The TS 2.1 Design Guides
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    DesignZone has some updated docs as well
    http://www.cisco.com/en/US/netsol/ns982/networking_solutions_program_home.html#~bng
    As the SGT functionality (at this point) is really more of a router/LAN/client solution, the most detailed information will be in the IOS TS guides like:
    http://www.cisco.com/en/US/docs/switches/datacenter/sw/6_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_6.x.html
    http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_cts/configuration/xe-3s/asr1000/sec-usr-cts-xe-3s-asr1000-book.html
    http://www.cisco.com/en/US/docs/switches/lan/trustsec/configuration/guide/trustsec.html

  • WLC 7.4.110.0 where native vlan and SSID vlan is the same vlan

    Hi
    We have approx. 1500 access points in approx. 500 locations. The WLCs are WiSM2s running 7.4.110.0. The APs are 1131 LAPs. In a FlexConnect configuration we use VLAN 410 as the native VLAN and the SSID (LAN) is also in VLAN 410. This works fine; we never had any problems with this.
    Now we have started using 1602 APs and the client connection on SSID LAN becomes unstable.
    If we configure a different SSID, using VLAN 420 with the native VLAN as 410, everything works fine.
    I can't find any recommendations regarding the use of the native VLAN as the SSID VLAN.
    Is there anyone experiencing similar problems? Is this a problem with my configuration or is it a bug within the 1602 access points?
    Regards,
    Lars Christian

    It is the recommended design to put FlexConnect AP management into the native VLAN and user traffic into a tagged VLAN.
    From the QoS perspective, if you want to enforce WLC QoS profile values, you have to tag SSID traffic to a VLAN (other than the native VLAN) and trust CoS on the switch port connected to the FlexConnect AP (usually configured as a trunk port).
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Wireless controller ha between wlc5508 and wlc 4402

    We have 2 WLCs: a WLC 5508 (license 100 AP) and a WLC 4402 (license 12 AP).
    We are trying to set it up so that when the 5508 is down, 12 identified APs (important APs - Group A) will join the 4402 and all other APs (not important APs - Group B)
    won't join the WLC 4402.
    First, all APs join the WLC 5508; the 2 WLCs have the same mobility group.
    After that, we configure the 12 APs belonging to group A to have a primary and secondary WLC; group B only has a primary WLC.
    When the WLC 5508 is down, some of the APs of Group A and some of the APs of Group B join the WLC 4402. We tested many times and we got a different result each time.
    Is there any way to resolve our problem?
    Thanks.

    Just to add, make sure that the WLCs are running the same code; if not, then make sure the AP is supported on the code that is running on the 5508. The issue with mixed code is the AP will upgrade and downgrade every time they switch to a different WLC.
    http://www.cisco.com/en/US/docs/wireless/controller/5500/tech_notes/Wireless_Software_Compatibility_Matrix.html
    Sent from Cisco Technical Support iPhone App

  • How to change IP addresses of APs and WLC to the ones from different VLAN

    I'm trying to figure out what is the best practice to change IP addresses on all my access points connected/managed by the WLC.
    I have one WLC2504 controller and three AIR-LAP1041N access points. The idea is to change the management IP of the WLC from 192.168.2.100 (vlan1) to 192.168.12.100 (vlan79) and all access points accordingly:
    ap1 192.168.2.101 (vlan1) to 192.168.12.101 (vlan79)
    ap2 192.168.2.102 (vlan1) to 192.168.12.102 (vlan79)
    ap3 192.168.2.103 (vlan1) to 192.168.12.103 (vlan79)
    FYI, all my APs obtain their IPs from a DHCP server which sits in vlan1, and each AP is connected to a trunk port on a Catalyst switch; the trunk port (vlan1, vlan79, vlan80, vlan81, vlan82) carries traffic for different WLANs. So my question is, what is the best way to change the management IP on each device with minimal downtime?
    Thank you for your advice,
    Luu Manioro

    Well, you will have downtime anyway, but how I would do this is the following:
    Make sure the WLC trunk port has vlan 79 allowed.
    Change the high availability on each AP to point to the hostname of the WLC and the new IP address; you don't need the old IP address anymore.
    Console into the WLC or use the service port and change the management IP address, and at the same time, if possible, move the APs to the new vlan 79. Since they have already joined the WLC, they will know the IP address of the WLC.
    Reboot the APs by shutting down the PoE port or powering the AP off/on.
    The APs will find the WLC since you have defined the high availability and also since the APs and WLC are on the same subnet.
    Scott

  • Question about Wireless Design and Controller

    Hi Everyone,
    Although I am not new to Cisco, I have somewhat limited experience with Wireless in general. I was hoping to get your help with the following:
    We currently have a total of 8 1130AG, 4 on each floor. They were configured a few years ago, and now we are looking to update the design a bit. Each AP has its own SSID and just provides internet access. Looking at the configuration, I noticed that they are not configured to use proper channels, just random channels (9, 10, 11, instead of 1, 6, 11, etc.). I noticed that when I roam from one AP to another, I lose about 4-8 pings before I re-establish connectivity again.
    Here are my questions:
    1. Do I need a controller in order to use just one SSID for the whole setup instead of the 8 separate ones we currently have?
    2. Will the controller help in providing a seamless transition when a client roams between APs?
    3. Is it normal to lose connectivity roaming around?
    4. Can I reconfigure the current setup to use just one SSID and provide a better transition between APs without the use of a controller?
    5. Which controller would you recommend?
    We don't need anything fancy; I am aware that I can enable multiple SSIDs, VLANs, etc. Just trying to keep it as simple as possible, yet reliable.
    Your input is appreciated.
    Thanks

    1. With 8 APs only, a WLC would be nice to have but not necessary. You can configure WLSE and it will do some limited functions.
    2. This depends on the signal strengths, wireless coverage and configuration. If you enable WLSE, for instance, and you have no wireless black spots, then roaming should be no issue.
    3. See #2.
    4. You can configure multiple SSIDs (up to 16 are broadcast), but if one AP doesn't have the SSID you use for roaming, the association will drop when the client tries to join that particular AP. It's like mobile phone towers: if your carrier is not in the area, you sure won't be able to use your mobile phone in that area.
    5. For 8 1130 APs, I'd recommend the smallest of the lot: the 2106 with either 6, 12 or 25 AP licenses. I'd recommend the 25 AP licenses. If your finances allow you something bigger, then consider either the 4402 (25 AP licenses) or the 5508.
    Cisco 2100 Series Wireless LAN Controllers
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps7206/ps7221/product_data_sheet0900aecd805aaab9.html
    Cisco 4400 Series Wireless LAN Controllers
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps6307/product_data_sheet0900aecd802570b0_ps6366_Products_Data_Sheet.html
    Cisco 5500 Series Wireless Controllers Data Sheet
    http://www.cisco.com/en/US/prod/collateral/wireless/ps6302/ps8322/ps10315/data_sheet_c78-521631.html

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as well as the Wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straightforward, but it has implications on the deployment of the wireless solution which I explain further below. The R&S infrastructure comprises the typical Core, Distribution, and Access layers and we are focusing on the local distribution and access switches with regards to the new building. The client has a converged Layer 3 network spanning from the distribution layer to the core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other the Secondary. The local distribution switch to which the WLCs are connected is also the gateway for the SVIs for the SSIDs that are configured on the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly connected distribution switch which then routes them into the rest of the Layer 3 network. Interestingly, the WLC 5508 are running AireOS 7.6 and support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated, i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building, which can be accommodated between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access, ideally the Catalyst 3850 will only run the Mobility Agent (MA) feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the existing WLC 5508, nor can we migrate the new licenses that would facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MCs and form an MG between them. I have done this and tested this already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work, as this is simple, but rather it is focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (the same SSID names will be used in the new building as in the rest of the university campus), this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options: one is to make the new Catalyst 3850s be in the same MG as the existing WLC 5508, which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is the better option?
    Q2) I could create separate MGs, i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create an MD, how is this accomplished in such an environment, since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (the same SSID names will be used in the new building as in the rest of the university campus), this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options: one is to make the new Catalyst 3850s be in the same MG as the existing WLC 5508, which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is the better option?
    I would configure them in the same mobility group. Also configure the same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MG i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) to run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate in Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large scale deployments)
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Web Redirection Problem on Cisco ISE 1.2 and WLC 7.5

    Hello,
    We are at initial phase of deploying ISE 1.2 in our environment for Wireless Guest Users.
    I have configured ISE and the WLC to talk to each other, which is working fine. An SSID with MAC filtering is also configured on the WLC, with an ACL only allowing ISE and DNS traffic.
    I have configured proper authentication and authorization policies on ISE. Now, when I try to connect my device (laptop and android mobile), I see my device gets associated with the SSID (Demo) and gets the right IP Address from DHCP and right VLAN from WLC. The log process on ISE is as follows.
    11001 Received RADIUS Access-Request
    11017 RADIUS created a new session
    11027 Detected Host Lookup UseCase (Service-Type = Call Check (10))
    15049 Evaluating Policy Group
    15008 Evaluating Service Selection Policy
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule
    15041 Evaluating Identity Policy
    15006 Matched Default Rule
    15013 Selected Identity Source - Internal Endpoints
    24210 Looking up User in Internal Users IDStore - B8:B4:2E:A6:7D:75
    24216 The user is not found in the internal users identity store
    24209 Looking up Endpoint in Internal Endpoints IDStore - B8:B4:2E:A6:7D:75
    24211 Found Endpoint in Internal Endpoints IDStore
    22037 Authentication Passed
    15036 Evaluating Authorization Policy
    15048 Queried PIP
    15048 Queried PIP
    15048 Queried PIP
    15004 Matched rule - Guest Redirection
    15016 Selected Authorization Profile - Test_Profile
    11002 Returned RADIUS Access-Accept
    I also see a redirect url in the detailed authentication logs. But the problem is that when I open my browser on my device, it doesn't get redirected to the guest portal url. Now since I can't get there, I can't continue with the rest of the process of authentication, COA and final ACL for internet access.
    Can someone please either guide me through the correct steps that I need to follow, if I have misconfigured something, or advise if this is a bug.
    Thanks in advance.
    Jay

    The ACL is definitely used to define what traffic is redirected to ISE and what traffic is not redirected. Having a permit-all statement at the end will break redirection. If you are using FlexConnect then you will need to use FlexConnect ACLs and apply those to the FlexConnect APs. The links below should give you an idea of what needs to be done:
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113606-byod-flexconnect-dg-000.html
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    Thank you for rating helpful posts! 

  • Restrictions ACL for Wireless AP to WLC in HREAP Design Setup

    Hello, Everyone. I have a Wireless HREAP setup in which the Wireless LAN Controllers (WLC) are located across the WAN in the DataCenter while the Wireless Access Points (AP) are located within the branches. The setup is fine, but a security requirement mandates that the APs' VLAN in the branch should be restricted from accessing anything except necessary communication to the WLC across the WAN. So on the interface VLAN assigned for the APs in the branch I applied an inbound ACL as below and it works fine, but after some time, maybe days, I found that the access points are not present in the WLC GUI and they appear only if I remove the ACL. So the question here is: what else is missing in my ACL which is necessary for AP communication to the WLC?
    Extended IP access list HO_AP_Restrictions
        10 permit udp any host (WLC 1 IP) eq 12222
        20 permit udp any host (WLC 1 IP) eq 12223 (58563 matches)
        30 permit udp any host (WLC 1 IP) eq 5247
        40 permit udp any host (WLC 1 IP) eq 5246 (58563 matches)
        50 permit udp any host (WLC 2 IP)  eq 12222
        60 permit udp any host (WLC 2 IP)  eq 12223 (22270 matches)
        70 permit udp any host (WLC 2 IP)  eq 5247
        80 permit udp any host (WLC 2 IP)  eq 5246 log (22270 matches)
        90 permit udp any host (ap-manager 1 IP)  eq 12222
        100 permit udp any host (ap-manager WLC 1 IP)  eq 12223
        110 permit udp any host (ap-manager WLC 1 IP)  eq 5247 (440902 matches)
        120 permit udp any host (ap-manager WLC 1 IP)  eq 5246 (1950854 matches)
        130 permit udp any host (ap-manager WLC 2 IP)  eq 12222
        140 permit udp any host (ap-manager WLC 2 IP)  eq 12223
        150 permit udp any host (ap-manager WLC 2 IP)  eq 5247 (360037 matches)
        160 permit udp any host (ap-manager WLC 2 IP)  eq 5246 (1484968 matches)

    Thanks Amjad Abdullah, and sorry for the late reply; I was on sick leave.
    Actually the issue was due to the ACL, which was blocking DHCP (how stupidly I overlooked that).
    I did the same command as you instructed and it revealed that the AP had timed out, so I enabled debugging on the ACL to see what kind of communication was going on. I found many communications which I kept allowing based on trial and error, till I found this log that some APs' IP addresses were trying to communicate to the default VLAN gateway IP address on port 67, which is DHCP; then I realized this was the issue.
    In brief, the APs are assigned to a dynamic VLAN (DHCP-enabled), so when I apply the old ACL the APs have already obtained IP addresses and they work fine with the WLC, but when the DHCP lease timer expires the APs try to send a DHCP renew to the default gateway, which no ACE inside the ACL matches, so that request is denied and therefore they don't get an IP address and lose communication with the WLC.
    So I added the following ACE at the end of the above ACL:
    permit udp host 0.0.0.0 any eq bootps
    Now I will always remember: security comes with a cost.
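    To audit an ACL like the one above against the flows a branch AP actually generates, here is an added Python evaluator (not the poster's code) that parses IOS-style ACEs, applies the implicit deny, and reports the verdict for constructed sample flows. The controller, gateway and AP addresses are placeholders standing in for the thread's "(WLC 1 IP)", "(WLC 2 IP)" and the branch gateway.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added audit helper, not code from the thread. All addresses are constructed
# placeholders for "(WLC 1 IP)", "(WLC 2 IP)", the branch gateway and one AP.
PORT_NAMES = {"bootps": 67, "bootpc": 68}


@dataclass
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip"
    src: str               # "any" or a single host address
    dst: str               # "any" or a single host address
    dport: Optional[int]   # destination port from "eq", None if absent


def parse_ace(line: str) -> Ace:
    """Parse one ACE of the form '[seq] permit|deny proto src dst [eq port] [log]'.

    Hit counters such as '(58563 matches)' and the trailing 'log' keyword are
    ignored. Only the 'any' and 'host X' address forms used in the thread's ACL
    are supported.
    """
    toks = re.sub(r"\(\d+ matches\)", "", line).split()
    if toks[0].isdigit():          # optional sequence number
        toks = toks[1:]
    action, proto = toks[0], toks[1]

    def take_addr(i: int):
        if toks[i] == "any":
            return "any", i + 1
        if toks[i] == "host":
            return toks[i + 1], i + 2
        raise ValueError(f"unsupported address form: {toks[i]}")

    src, i = take_addr(2)
    dst, i = take_addr(i)
    dport = None
    if i < len(toks) and toks[i] == "eq":
        port = toks[i + 1]
        dport = PORT_NAMES.get(port) or int(port)
    return Ace(action, proto, src, dst, dport)


def parse_acl(text: str) -> list:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]


def matches(ace: Ace, proto: str, src: str, dst: str, dport: int) -> bool:
    return (ace.proto in ("ip", proto)
            and ace.src in ("any", src)
            and ace.dst in ("any", dst)
            and (ace.dport is None or ace.dport == dport))


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation with the implicit deny every IOS ACL ends with."""
    for ace in acl:
        if matches(ace, proto, src, dst, dport):
            return ace.action
    return "deny"


WLC1, WLC2, GATEWAY, AP = "10.100.0.10", "10.100.0.11", "10.50.0.1", "10.50.0.20"
LWAPP_CAPWAP_PORTS = (12222, 12223, 5246, 5247)
# Constructed version of the thread's ACL: the same four ports per controller.
ACL_BEFORE = "\n".join(
    f"{10 * (n + 1)} permit udp any host {wlc} eq {port}"
    for n, (wlc, port) in enumerate((w, p) for w in (WLC1, WLC2) for p in LWAPP_CAPWAP_PORTS)
)
# The poster's fix appended as the last ACE.
ACL_AFTER = ACL_BEFORE + "\n90 permit udp host 0.0.0.0 any eq bootps"

# Flows an AP in the branch VLAN generates (constructed samples): (proto, src, dst, dport).
FLOWS = {
    "capwap-control": ("udp", AP, WLC1, 5246),
    "capwap-data": ("udp", AP, WLC2, 5247),
    "dhcp-discover": ("udp", "0.0.0.0", "255.255.255.255", 67),
    "dhcp-renew-unicast": ("udp", AP, GATEWAY, 67),
    "ssh-to-branch-server": ("tcp", AP, "10.50.0.50", 22),
}


def audit(acl_text: str) -> dict:
    """Return the verdict for every sample flow under the given ACL text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, *flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, text in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, audit(text))
```

    Note that the unicast renew flow stays denied even with the added ACE: a client in the DHCP RENEWING state sends from its leased address rather than 0.0.0.0, so an ACE keyed on host 0.0.0.0 covers only the address-less DISCOVER/REQUEST.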

  • CAPWAP Wireless VLAN in Routed Campus LAN

    I am configuring a Cisco Wireless LAN Controller in a college campus. We have the following components:
     1. Cisco 4510R as core switch, and a centralized WLC is connected to the Core Switch
     2. Cisco 3560 L3 switch as the Distribution Layer Switch
     3. Cisco LWAP 1142
    I want to configure a Wireless VLAN in a college campus Wireless LAN. The requirement is to configure the Distribution switch as L3 so that the VLAN will not reach the Core Switch. That is, the link between the Distribution and Core Switch will be a Layer 3 routed link and not a Trunk Link.
    Since it is a routed backbone environment, the VLAN is configured only in the distribution layer switches. So these configured VLANs will not reach the core switch.
    With that said, is it technically possible to achieve the Wireless VLAN in the above proposed setup?
    Do I have to configure a Trunk between the Distribution Switch (APs are connected) and the Core Switch (WLC is connected), to pass the Wireless VLAN over the trunk link?
    Thanks in advance for reading and helping to get this clarified.
    SAIRAM

    We are in the process of moving to a mostly routed campus, and had similar questions and a few more. We will be using only EIGRP, with each enclave set up as a stub. I was wondering if I can modify our wireless network to be strictly routed, remove all the trunk/access configurations from the switch ports facing the APs, and hard code (static) all of them as IP routed ports. We only have one WLC active, with one backup. The WLC faces our core switches in a LAG setup. The network was originally set up with all the dynamic interfaces for each AP configured in a GLBP fashion between our two cores. Each AP had a dynamic interface created on the WLC and added to one AP group. All of our APs are now connected via Ethernet to the wired infrastructure, so none of our APs are in true mesh fashion anymore. We use Microsoft DHCP to issue IPs to our APs.
    I was wondering if I can remove the dynamic interfaces from the WLC and use EIGRP to sort out the routing of our wireless network. I would create L3 SVIs (multiple in some cases) on all the switches that APs are attached to, and modify each Microsoft DHCP scope to point to whatever AP model is used and to point to the WLC. Now, what I'm unsure of is how this would behave with no native VLAN/user VLANs configured on trunk ports pointing toward the AP. I was thinking of using what was once the native VLAN (subnet info), using that same subnet to create an IP routed port facing the AP, and modifying the AP IP via the WLC to select static assignment. I can place IP helper addresses under the routed port to face our DHCP server (not sure if this really matters, if I already place them under the user L3 SVIs). Before, I had a DHCP scope for the native and user subnet. Would the AP still be able to connect to the WLC correctly if I delete the scope (used before for the native VLAN), since it usually resolved the WLC IP via option 43 (it can use DNS instead)? I would imagine so, since I will be placing these networks under EIGRP to advertise within our campus, which has L3 reachability to the WLC. And under the user subnets, I would still configure the Microsoft DHCP scope to face the AP model and controller IP. There just wouldn't be a scope for the subnet that used to be for the native VLAN. For any new setup, I would pre-provision the AP under a user subnet access port, and then hard code a static IP for it within the controller, to deploy later at the new site. For routed networks, are dynamic interfaces really necessary on the WLC? As long as L3 is working as intended, and the user switch has reachability to the Microsoft DHCP server, then users should be able to pull IPs fine, correct?
    I've tested already with a PTP bridge we have, hardcoded the ports as IP routed ports, and advertised them via EIGRP, and haven't noticed any issues with the customers pulling new IPs. I wanted to gather more information before deploying this across the board to our other types of wireless setups. I'm not using FlexConnect. I've moved most of our 1552e APs over to local mode recently, which have wired connections to the LAN.

  • Catalyst 3750G and WLC 440x - Port Channel - Configuration - Best Practice

    What is the best practice to use when configuring a port channel between a Catalyst 3750G switch stack and WLC 4402 / 4404 Wireless LAN Controllers:
    a) Negotiate to LACP
    b) Negotiate to PAgP
    or
    c) Hard-code to Port Channel without any negotiation.
    Any pointers to any useful links - much appreciated and configuration example as well.

    Answer is 'C'... channel-mode on
    Configuring Neighbor Devices to Support LAG
    The controller's neighbor devices must also be properly configured to support LAG.
    • Each neighbor port to which the controller is connected should be configured as follows:
    interface GigabitEthernet
    switchport
    channel-group mode on
    no shutdown
    • The port channel on the neighbor switch should be configured as follows:
    interface port-channel
    switchport
    switchport trunk encapsulation dot1q
    switchport trunk native vlan
    switchport trunk allowed vlan
    switchport mode trunk
    no shutdown
    Here is a link that explains it. Hope this answers your question:
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42mint.html#wp1116136
    Here is a Best Practice doc:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml
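    A filled-in version of the switch-side skeleton quoted in the answer, added here as an example and not taken from the Cisco document or from the answer itself. The interface names, channel-group number 1 and the VLAN IDs (10, 20, 30, 999) are constructed placeholders; `switchport nonegotiate` and the explicit allowed-VLAN list are additions the skeleton leaves blank, included because the mode is hard-coded and the trunk should carry only the VLANs mapped to controller interfaces.

```cisco
! Added example: switch-side LAG (EtherChannel) toward a WLC 4404, mode "on" (no PAgP/LACP).
! Interface names, channel-group 1 and VLAN IDs 10, 20, 30 and 999 are constructed placeholders.
!
! Physical member ports: every member must carry identical settings or the bundle will not form.
interface range GigabitEthernet1/0/1 - 2
 description WLC-4404 LAG member
 switchport
 channel-group 1 mode on
 no shutdown
!
! Port-channel: the controller sends 802.1Q-tagged frames for each of its interfaces.
interface Port-channel1
 description WLC-4404 LAG
 switchport
 switchport trunk encapsulation dot1q
 ! An otherwise unused VLAN as native, so no untagged production traffic rides the trunk.
 switchport trunk native vlan 999
 ! Only the VLANs mapped to controller interfaces are allowed; everything else is pruned.
 switchport trunk allowed vlan 10,20,30,999
 switchport mode trunk
 ! Mode is hard-coded, so switch off DTP negotiation on the bundle as well.
 switchport nonegotiate
 no shutdown
!
! Verification on the switch: the bundle should show state SU and each member P.
! show etherchannel 1 summary
```

    Two points to keep in mind with this layout. A controller management interface left with VLAN ID 0 (untagged) arrives on the native VLAN, so with an unused native VLAN as above the management interface must be tagged on the controller, or else the native VLAN must be the management VLAN. On the AireOS side, LAG is turned on with `config lag enable`, and the change only takes effect after saving the configuration and rebooting the controller.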
