WLC 5508 management interface

Similar Messages

• Wlc 5508 management interface vlan - access point vlan

  Is it required that the access points are in the same vlan as the management interface on a wlc 5508?

  There is a story behind this .. Just yesterday my guy was like "aps wont join" .. I let him hammer away at it .. It was the check box
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• WLC 5508 Management Interface Connection

  I'm setting up a new 5508.  I've used the config from a 4402, have successfully connected to the Service port to manage the device, but for some reason cannot connect to the Management interface.  In this case, port 1.
  The service port is connected to a Catalyst switch and grabbed an ip address (10.2.x.x subnet) no problem.  I can access the 5508 via https using the SP.  However, port 1 is connected to the same Catalyst switch, but on a different vlan (subnet 10.20.x.x).  Both ends show that the interfaces are up, I can ping the interface from any other host on the network, but when I try to manage the device via https I cannot connect.  We are using WCS and I cannot add the device from the WCS.  About all I can do is ping that interface.
  I've probably overlooked something very basic, but I'm baffled.

  Thanks for the reply.
  No, definitely not that.  I have all of those enabled.  I have the SP connected to another vlan on the same switch and can manage through that port(https, telnet).  I've tried about every combination of trunk port, access port, etc.  I'm beginning to suspect the GBICs (10baseT), but both ends show that I am connected at 1000 and I can ping the ip address of the management interface.

• WLC 5508 Multiple Interfaces for Multiple SSIDs

  Hello guys,
  I am trying to build a new network from scratch, I have the WLC 5508 w/ Aironet 3600e APs connected to my Netgear Smart Switches and a Linksys RV082 router that I'm using as my DHCP server with several VLANs for several stuff on my Switches.
  I have 2 questions:
  1. Can I have 5 Interfaces configured on 5 different VLANs, each SSID on each a different Port:
  Port 1: Controller management only=> 192.168.x.x /24
  Port 2: SSID 1: WiFi Internal=> 172.16.x.x/12 (Radius Auth with no sharing)
  Port 3: SSID 2: WiFi Internal w/ sharing=> 192.168.x.x/24 (Radius Auth with sharing)
  Port 4 :SSID 3: WiFi Guest=> 10.0.x.x/8 (Web Auth)
  Port 5: SSID 4: WiFi IT=> 192.168.x.x/24 ( Radius or certificate Auth with access to the controller management interface)
  2. How can I use the Controller as the DHCP server for all the WiFi traffic, and how should that be configured to work with my other DHCP server?

  Yes you can... but you have to disable LAG.  Each post will need to be connected to a dot1q trunk and you will only allow the vlan that is required for that port.  Also on the interface, you will define what port is primary and what is backup.  I'm guessing you will not be using the backup port.  For example... port 1 that connects to a trunk port will only allow the management vlan.  Here is a link to setup dhcp on the WLC
  http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080af5d13.shtml
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Help with Cisco 5508 management interface

  Hello,
  I'm trying to verify some behaviors I'm seeing with my 5508 controller setup and forgive me for missing anything obvious, I've zero experience with this hardware and clueless on the best practices. With that said... out of the box I ran through the AutoInstall process.
  I gave my service port an IP address on my subnet, 10.10.8.0/24 vlan 100 and gave the management interface the ip address 10.10.30.5/24 vlan 130
  From my host I can ping the management interace 10.10.30.5 and the interface gateway 10.10.30.1
  I cannot connect to the controller via 10.10.30.5 either through the web GUI or telnet
  I can connect to the controller via 10.10.8.200 both through the web interface and telnet
  while connected to the service port, I can ping the management port IP but I cannot ping the 10.10.30.1 gateway.
  We have attached two test 3502I AP's and they found the controller and pulled correct ip addresses, clients can authenticate and access network resources as well as the Internet so for the most part, things are working but it concerns me that the management interface can't ping its own gateway.
  Keep in mind, I did no other configurations besides what got configured in the AutoInstall process. What should I look at to resolve?
  Thanks!
  Mike

  The service port is for out of band management and should not be connected to the network.  If connected tot he network, it should not have connectivity to the management interface of the wlc. 
  You can create an ACL to block the service port ip to the managment vlan if you want.  I normally do not connect the service port to the network.

• Need Information of cisco WLC 5508 LAG Interface

  HI
  We have cisco WLC 5508 in our network and right now ,this WLC is connected to two ports of each core switches.Both CORP and GUEST SSID are configured on this WLC.
  Now we want to segregate the trafffic og GUEST to on core switches from WLC. SO my question is ,how can we achieve this without using guest anchor controller ?
  Can i use one interfcae cisco WLC 5508 and connect it to the firewall or any device ?
  Thanks
  Puneet

  Hi
  Thanks ...I am using WLC as a DHCP server for Guest.
  So  i want to know ,is there any requirement that GUEST subnet should be pingable from WLC management IP address.
  my topology is here...
  Corp network and management network are reachable however management metwork is not pinagble from guest netowrk.

• Backup Port of WLC 5508 MGMT interface

  Dear All,
  Since WLC5508 MGMT interface is configured a AP-Mgr at the same time, can I set a Backup Port to WLC5508 MGMT interface?
  Refer to WLC configuration Guide:
  In the Backup Port text box, enter the number of the backup port assigned to the management interface. If the primary port for the management interface fails, the interface automatically moves to the backup port.
  NoteDo not define a backup port for an AP-manager interface. Port redundancy is not supported for AP-manager interfaces. If the AP-manager interface fails, all of the access points connected to the controller through that interface are evenly distributed among the other configured AP-manager interfaces
  I am confuse on this. Thus, if I need to configure the backup port for MGMT interface, i need to remove the AP-manager on MGMT interface and create a network dynamic interface for AP-Manager ?
  Thanks all.
  Jeff Chiu

  Jeff:
  You are right. The config guide is confusing.
  The config guide is talking about AP-Manager interfaces you create other than the management one. For the management interface it is called "management" but it acts as an AP-Manager interface as well. When the config guide metnions "AP-Manager interface" it does not mean the management interface but it means AP-Manager interfaces that you create beside the management interface.
  So, for the management interface you can create a backup port and I think if you are not using LAG it is a best practice to define a backup port for management.
  For other AP-Manager interfaces that you create (other than the management interface) you don't need to define the backup port.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• WLC 4402 Management Interface

  I am in the process of installing a 4402-12. It's being connected to a HP Procurve GB PoE switch.  The Management and AP Manager are untagged.  2 VLANS were created 201 (SECURE) and 221 (GUEST).  HP switch has VLAN 1 disabled with no native VLAN being used.  Only VLAN currently being used on HP switch is 201. It was my intention to allow complete access to anyone using SECURE while I would redirect all GUEST traffic onto on HP port to a DMZ.  When I connect the management and both AP mgr ports (LAG) I have a HTTPS connection to the management interface and it can also be pinged.  As soon as I tag or trunk the AP manager interfaces (or physically remove the AP manager cables) the management link drops and I no longer have any access to the 4402?  It's as if the 4402 is using the AP Manager interface to connect to the Management port.  Why?

  Figured it out.  Was thinking that the management port and service port were the same where in reality the management port is virtual and the physical service port has no purpose at this time.

• WLC 2006 Management interface

  I have my WLC configured as follows:
  management intf - 10.10.254.42
  ap-manager intf - 10.10.254.41
  Both are untagged, and the switch port has the native vlan set to 1.
  However, I am unable to reach either address from any other subnet. What gives?

  Hi Friend,
  Can you ping your gateway from your controller? Can you ping this controller from anywhere in your network if you TAG the interfaces instead on untagg?
  Regards,
  Ankur

• WLC 5508 - management frames without DSCP marking

  hello,
  we are facing an issue that our wireless lan controller (5508 with version 7.6.100) doesn´t mark management frames (e.g. reassociation repsonse - necessary for roaming) with CS6. therefore some of them are dropped leaving the clients not to roam...
  does anybody have an idea? in my view it can only be a biug because it´s noit possible to reconfigure this....
  thx

  we are seeing managemt frames getting marked on Wism. i strongly believe they were marked in the past also on 5508. moreover frames are getting marked when they arinitiated by the AP
  if we trust CoS frames are getting marked because it contains the dot1p tag. the switch generates the dscp-value out of it. but we want to trust dscp. 
  we see also a very strange behaviour when trusting COS that sometimes a reassociation request has dot1p value 2 and the next one has 5. so it seems that the tag is there, but not working properly.
  changing to CoS in general would mean testing the whole infrastructure for voip over wireless lan again. and i don´t want to do that

• Reconfiguring WLC's Management Interface Gateway

  Dears
  I am trying to change gateway which was previously configured wrong.But facing error.Below is command which i am using and error facing.
  configure interface address managent IP-ADDRESS SUBNETMASK GATEWAY
  "Request failed - Active WLAN using interface. Disable WLAN first

  WLANs can be disabled in two ways; CLI or GUI.
  CLI
  config wlan disable
  or GUI
  WLAN tab
  Click a Profile Name
  Uncheck the "Enable" checkbox
  Apply

• WLC 5508 AP-Manager interface

  Hi, I own a WLC 5508 and I (probably) do not understand AP-Manager interfaces. I have a lab with 2x 1242AG and 1x 1252AG connected to c2960. APs are in vlan 10 (192.168.10.0/24, configured via DHCP), APs are connected to "switchport mode access" interface. c2960 is connected via a trunk to c4506, and WLC is plugged in gi1/3 and gi1/4 (both through twingig). Both ports are configured as "switchport mode trunk". Management interface on WLC is on WLC port 8 (connected to gi1/4), and AP-Manager is on WLC port 1 (connected to gi1/3). Management interface on WLC has "Dynamic AP management" set to disabled, and AP-Manager has it set to enabled. Both, Management and AP-Manager interfaces are tagged, vlan id 12 and 13 (subnets 192.168.12.0/24, 192.168.13.0/24) respectively. APs receive their IP configuration via DHCP (server located in vlan 20, 192.168.20.0, ip helper-address in use), and try to discover WLC by DNS resolution (CISCO-CAPWAP-CONTROLLER.some.domain resolves to AP-Manager IP correctly). But APs do not join to controller, WLC says "Ignoring discovery request received on non-management interface", AP has "not joined" status in Monitor/Statistics/AP Join.
  But if I set management interface as "Dynamic AP enabled", and change DNS to resolve CISCO-CAPWAP-... to it's IP everything works fine - AP joins at once. Please help, how to join LAP to AP-Manager interface? Join to WLC manager is simple, but my design requires at least 2 AP-Manager interfaces.

  Hello,
  I just wanted to mention foremost; a split LAG configuration is not supported on the WLCs.  This "can" be achieved if you are splitting your LAG ports amongst VSS configuration on your two capable devices, but is not a recommended or supported configuration. I would highly suggest a LAG configuration over your individual port.  As far as the "ap-manager" concern you have of managing more than 48 APs, you are correct in that the AP-manager cannot handle more than 48 APs, however only when in an individual port configuration.  The LAG will overcome this limitation.
  George was correct about your DNS entry, this needs to point to the WLC's management interface.  This is why the AP joined when you pointed the DNS entry back to the management address-- as intended.
  This link is anchored to the mgmt, ap-manager, and dynamic interface creation for the 7.0.116.0 Config Guide: http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1286790
  "If" you want to keep an individual port configuration, and need more than 60 APs connected, you will need to create more than one "ap-manager" interface.  You will just make a new dyanamic intreface and place it on the same network as the current ap manager (ie, management interface) and mark it for dynamic ap management.  All APs will still need to only see the management interface for joining; the WLC will assign to the appropriate AP manager as needed.  The WLC will fill up the first AP manager before joining building tunnels through the next AP-manager interface, so in your lab you will not really be able to test this behavior, assuming the 3-4 APs you were using.
  1. You can keep your management interface with "dynamic ap management" enabled so this serves as the first AP manager; if you desire. 
  2. You will need to create another dynamic interface mapped to the next port.  enabled "dynamic ap management" again here, and place this new "ap-manager" interface on the same vlan as the mgmt.  Keep in mind creating a dynamic interface and designating it as an AP manager prevents mapping that interface to a WLAN, see note below.
  *NOTE (from config guide): When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
  I would highly suggest the LAG configuration so there is no need to worry about the ap manager interfaces, regardless of the number of APs communicating. This also allows for growth if WLC needs to be licensed for more and more APs.

• Wlc 5508 webauth subnet mask change issue

  Recenly l changed the network subnet for a particular wlc interface and scope and also an upstream router and for some reason it would only allow me to use a /24 Host mask as my plan was to go to a /22 mask to allow for over 1000 hosts within this scope.
  The Upstream Router which is a  ( RV042 ) had the following original config :
       192.168.1.1
       255.255.255.0
  I have noticed this device will not let me change the mask from a /24 to a /22 as you can only change from a pre-defined list of masks and you cannot manually add any either..
  New Config
       10.10.0.10
       255.255.255.0
  WLC 5508 Controller Interface
       Original Config
        192.168.1.25
       255.255.255.0
       192.168.1.1
       New Config
       10.10.0.25
       255.255.252.0
       Scope
       Range : 10.10.1.10 - 10.10.3.254
       Mask : 255.255.252.0
       Network : 10.0.0.0
       Router : 10.10.0.10
  When l reconfigure to this addressing the wireless clients connect and get the new dhcp scope details but following this the webauth screen doesn't appear not allowing them to connect meaning there is no routing of traffic / internet access.
  If l modify the above interface and scope masks back to a /24 - 255.255.255.0 the the wireless clients connect and webauth appears to prompt them to accept the terms and conditions and connect thus giving them internet access.
  It looks like an issue with the mask ? The main reason l am trying to change the subnet addressing is because the standard /24 mask is not providing enough dhcp addresses and we have had times were the scope has been exhausted due to the public connecting and disconnecting as the lease perod of 2 hours holds onto the address before expiring meaning there is not enough available addresses for people to connect.
  I would of thought that the upstream router ( RV042 ) even though it is only a /24 mask would still route the traffic coming from a WLC Controller interface with a /22 mask ?
  Hopefully someone can suggest a solution ?
  Thanks Simon

  Hey Scott just getting back to this issue..   If for instance l can modify the wlc interface and Scope to have a /22 mask ( 1022 Hosts ) and my upstream Router ( Cisco RV042 ) can only provide a /24 or higher mask then does that mean l am still limited to a range of 254 hosts ( /24 Mask ) ?  Would this mean l need to look into replacing my upstream Cisco RV042 VPN Router ?

• ACL blocking traffic towards the management interface on WLC 5508

  Hello All,
  I need to apply an ACL in WLC 5508 such that it would allow https traffic on management interface only from selected clients. 
  For same, I have created an ACL permitting only the intended users while blocking the rest. Have applied the same on the management interface. 
  However still the access from all devices to management interface is not blocked. The ACL hit count too is not incremented. 
  I am on WLC code 8.0.110.0. 
  Has anyone else faced similar issue while applying ACL against management interface. 
  Highly appreciate the inputs. 
  Thanks and Regards,
  Adnan

  Hi Adnan,
  you have to apply this ACL as a CPU ACL. Then it will work.
  For your reference:
  http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/109669-secure-wlc.html#t4
  Hope that helps...
  Kind regards
  Philip
  --> Pls rate useful responses <--

• 5508 WLC HA pair - change management interface settings

  Hi,
  We have a pair of 5508 WLC's in a HA configuration that is working well at the moment, however I have noticed that the management interface is configured as untagged. I would like to change this to tagged and change the attached switch to trunk for these devices but if I try and edit the management interface through the GUI the VLAN and IP address section is greyed out and cannot be changed. While I could attempt it through the CLI and am comfortable doing that, the fact that it cannot be changed through the GUI implies that this should not be changed and so I am after further information. I don't have any lab equipment other than the HA pair in production so I cannot try changing it through the CLI at the moment. 
  The WLC's are in LAG mode if that makes any difference. I realise there may be downtime required for making this change but I am trying to work out the steps to get this done without having to drastically reconfigure things. 
  Any assistance would be appreciated. 

  Introduction of New Interfaces for HA Interaction
  Redundancy Management Interface
  The IP address on this interface should be configured in the same subnet as the management interface. This interface will check the health of the Active WLC via network infrastructure once the Active WLC does not respond to Keepalive messages on the Redundant Port. This provides an additional health check of the network and Active WLC, and confirms if switchover should or should not be executed. Also, the Standby WLC uses this interface in order to source ICMP ping packets to check gateway reachability. This interface is also used in order to send notifications from the Active WLC to the Standby WLC in the event of Box failure or Manual Reset. The Standby WLC will use this interface in order to communicate to Syslog, the NTP server, and the TFTP server for any configuration upload.
  Redundancy Port
  This interface has a very important role in the new HA architecture. Bulk configuration during boot up and incremental configuration are synced from the Active WLC to the Standby WLC using the Redundant Port. WLCs in a HA setup will use this port to perform HA role negotiation. The Redundancy Port is also used in order to check peer reachability sending UDP keep-alive messages every 100 msec (default timer) from the Standby WLC to the Active WLC. Also, in the event of a box failure, the Active WLC will send notification to the Standby WLC via the Redundant Port. If the NTP server is not configured, a manual time sync is performed from the Active WLC to the Standby WLC on the Redundant Port. This port in case of standalone controller and redundancy VLAN in case of WISM-2 will be assigned an auto generated IP Address where last 2 octets are picked from the last 2 octets of Redundancy Management Interface (the first 2 octets are always 169.254).