WLC and IPv6

Similar Messages

• IPv6 for management and control plane on WLCs and LWAPs

  Good morning, everybody!
  I am trying to find answer to a question that has been previously asked by people but never successfully answered
  The question is about IPv6 support on Cisco Wireless LAN Controllers and access points... Does Cisco have a roadmap to include support for IPv6 used in CAPWAP, control plane and management? There are couple of posts on this topic that do not unfortunately provide any answer to this point.
  https://supportforums.cisco.com/message/3018843
  https://supportforums.cisco.com/docs/DOC-15667
  Infamous "Cisco IPv6 Solution" at http://www.cisco.com/en/US/partner/technologies/collateral/tk648/tk872/tk373/technologies_white_paper_09186a00802219bc_ps6553_Products_White_Paper.html briefly states "Wireless Solutions... In future, IPv6 control plane features may get added to those components."
  Has anyone heard of any more specific roadmap for IPv6 support for CAPWAP, control plane and management on WLCs and LWAPs?

  Full ipv6 support will never be available on the Wism and 440x controllers because they have a NPU to forward traffic and it was not designed with ipv6 in mind.
  The 5508 and Wism2 and all new controllers all have CPU based forwarding and ipv6 is coming in next releases.
  WLC 8.0 is only for december 2011/2012 and I have to say I don't know if it will support native ipv6.
  my 2 cents

• ISE 1.2 With WLC and AD

  Hi everyone,
  What is the steps and Procedure implement Wired and wireless authentication with ISE, WLC and AD for a LAB environment. currently the following are done.
  The wireless network is configured with 2 SSID (Staff and Guest) 
  Active Directory, DNS, DHCP, and  NTP configured & synced.
  ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
  Please provide your thoughts and assistance.
  Regards

  You have to implement dot1x and radius between your NAD and ISE device.
  Using the switch 3850, that are the steps: 
  username RADIUS-HEALTH password radiusKey1 privilege 15
  aaa new-model
  aaa authentication login default local
  aaa authentication dot1x default group radius
  aaa authorization network default group radius
  aaa authorization auth-proxy default group radius
  aaa accounting update periodic 5
  aaa accounting auth-proxy default start-stop group radius
  aaa accounting dot1x default start-stop group radius
  !this password will be used to communicate with ISE and to verify reachability
  !between ISE and Switch
  aaa server radius dynamic-author
   client 172.16.1.18 server-key 7 radiuskey
   client 172.16.1.20 server-key 7 radiuskey
  ip domain-name lab.local
  ip name-server 172.16.1.1
  dot1x system-auth-control
  interface GigabitEthernet1/0/3
   switchport mode access
   switchport voice vlan 50
   switchport access vlan 10
   ip access-group ACL-ALLOW in
   authentication event fail action next-method
   authentication event server dead action authorize voice
   authentication event server alive action reinitialize
   authentication host-mode multi-auth
   authentication open
   authentication order dot1x mab
   authentication priority dot1x mab
   authentication port-control auto
   authentication periodic
   authentication timer reauthenticate server
   authentication violation restrict
   mab
   dot1x pae authenticator
   dot1x timeout tx-period 10
   spanning-tree portfast
  ip access-list extended ACL-ALLOW
   permit ip any any
  !the comm between radius and ise will occur on these Port
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  ip radius source-interface Vlan100
  logging origin-id ip
  logging source-interface Vlan100
  logging host 172.16.1.20 transport udp port 20514
  logging host 172.16.1.18 transport udp port 20514
  snmp-server community ciscoro RO
  snmp-server community public RO
  snmp-server trap-source Vlan100
  snmp-server source-interface informs Vlan100
  radius-server attribute 6 on-for-login-auth
  radius-server attribute 8 include-in-access-req
  radius-server attribute 25 access-request include
  radius-server dead-criteria time 10 tries 3
  radius-server vsa send accounting
  radius-server vsa send authentication
  !defining ISE servers
  radius server ISE-RADIUS-1
   address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
   automate-tester username RADIUS-HEALTH idle-time 15
   key radiusKey
  Please be sure that NTP servers and time are synchronized. 
  enable dot1X on windows machine, or using cisco NAM. 
  you can enable debugging on aaa authentication to see the events. 
  you have to create this user on ISE (RADIUS-HEALTH). 
  3850#test aaa group radius username password new-code 
  and observe the result. You are supposed to have user authenticated successfully. 
  You Must also have define these device in ISE on the radius interface.
  ip radius source-interface ..... use this interface ip address to define Ip address of the NAD device in ISE. 
  administration-->network resources -->Network Devices-->Add
  input the name
  input the Ip address for radius communication
  select the authentication settings and field the corresponding shared secret radius key
  select snmp settings and select version 2c. 
  snmp community : ciscoro
  you can customize the polling interval if you want and that all. 
  you are supposed to received message communication between your NAD and ISE. 
  After you can do the procedure for WLC device. 
  I will fill it after you have passed the first steps (3850 authentication). 

• Cisco IOS Zone Based Firewall and IPv6

  Hello,
  I am trying to setup IPv6 tunnel to tunnel-broker Hurrican Electrics. IPv6 connection is working OK only if I disable zone security on WAN interface (Fe0 - IPv4 interface).
  Which protocols must be alloved to and from router?
  IOS version: 15.1.2T1 (Adv.ip services)
  Setup:
  HE (tunnel-broker)  --- Internet (IPv4)  ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
  Config on router:
  IPv4 (self to internet and internet to self)
  policy-map type inspect Outside2Router-pmap
  class type inspect SSHaccess-cmap
    inspect
  class type inspect ICMP-cmap
    inspect
  class type inspect IPSEC-cmap
    pass
  class type inspect Protocol41-cmap
    pass log
  class class-default
    drop
  interface Tunnel1
  description Hurricane Electric IPv6 Tunnel Broker
  no ip address
  zone-member security IPv6tunnel
  ipv6 address 2001:47:25:105B::2/64
  ipv6 enable
  ipv6 mtu 1300
  tunnel source FastEthernet0
  tunnel mode ipv6ip
  tunnel destination xxx.66.80.98
  interface FastEthernet0
  description WAN interface
  ip address xxx.xxx.252.84 255.255.0.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  zone-member security WAN
  duplex auto
  speed auto
  zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
  service-policy type inspect IPv6-out-pmap
  zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
  service-policy type inspect IPv6-out-pmap
  policy-map type inspect IPv6-out-pmap
  class type inspect IPv6-internet-class
    inspect
  class class-default
    drop
  class-map type inspect match-all IPv6-internet-class
  match protocol tcp
  match protocol udp
  match protocol icmp
  match protocol ftp
  ipv6 route ::/0 Tunnel1
  ipv6 unicast-routing
  ipv6 cef
  parameter-map type inspect v6-param-map
  ipv6 routing-header-enforcement loose
  sessions maximum 10000

  OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
  policy-map type inspect pm-selftowan
  class type inspect cm-selftowan-he-out
    inspect
  class type inspect cm-dhcpwan
    pass
  class class-default
    drop
  class-map type inspect match-all cm-selftowan-he-out
  match access-group name HETunnelOutbound
  ip access-list extended HETunnelOutbound
  permit 41 any any
  permit ip any host 64.62.200.2
  permit ip any host 66.220.2.74
  permit ip any host 216.66.80.26
  Now we see the same error, just on the 'new' first cmap in the pmap:
  *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to  Invalid Segment with ip ident 0
  Yet as you can see above, we are allowing proto 41 any any.
  I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
  any ideas?
  Thanks,
  //TrX
  EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
  I decided to change the outbound cm-selftowan-he-out action to 'pass'.
  I suddently noticed the following log:
  *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session  216.66.80.26:0 :0 on zone-pair wantoself class  cm-wantoself-he-in due to  Invalid Segment with ip ident 0
  Notice this is now inbound having trouble where as before was outbound.
  I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
  Looking at the original outbound PMAP:
  policy-map type inspect pm-selftowan
  class type inspect cm-selftowan
    inspect
  class type inspect cm-selftowan-he-out
    inspect
  class type inspect cm-dhcpwan
    pass
  class class-default
    drop
  cm-selftowan has always been infront of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails as it seems ip inspect only handles a handful of proto's).
  This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
  Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
  Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
  Hope this helps the OP too
  //TrX

• Problem share folder WLC and pc macbookpro

  I am doing a migration from my wireless network in the old network in the PC MacBookPro I can see shared files on the network. But when I connect to the SSID configured on the WLC and I can not see shared files on the network. I have no ACL configured on the SSID.

  Bonjour is a non-routabe multicast based service. A trick I use sometimes is to configure the WLAN to be in hreap mode if the ap is located locally to the target bonjour device.if your running in local mode, make sure they are on the same vlan and global multicast is enabled.
  Sent from Cisco Technical Support iPad App

• Network Load Balancing and IPv6 Ping Timeout

  I've noticed interesting behavior with NLB on Windows 2012 R2 and IPv6. I have two systems that use NLB on a Hyper-V cluster, each system is on a different node in the cluster. When I do an IPv6 ping within the same subnet, I notice that the reply time is
  normally 1-3ms, but every so often it goes to 100+ms. I also notice that both members of the NLB reply to a ping to the cluster IPv6 address. This is interesting.
  When I do a ping to the cluster IPv6 address from a different subnet, I notice that the reply is intermittent. The NLB nodes will either both reply to the ping or both won't. At first I thought that there was an issue with my network, but when I do a span
  on the ports that the cluster is attached to, I see that the IPv6 ping packets arrive, but the NLB nodes don't always send a reply.
  What is also interesting is that the NLB web farm I have setup seem to be working fine and is not intermittent, so this issue only has to do with ping. Has anyone else seen this type of issue, or is this a bug?
  Thanks!

  Hi Nathan,
  So are you running both IPV6 and IPV4? Do you have any clients that can't connect at all? Just on ping?
  The reason I ask is we had a server that was receiving IPV6 fine, but on receiving IPV4 would switch to IPV6 to connect SSL back to the client. Of course the clients never received it and just got a timeout. Funny thing is cell phones had no issue
  at all because they were straight IPV6. Only clients with both protocols got the timeout.
  So the ack was send back via the wrong protocol and nothing but the timeout is what the client sees. This may be an LLMNR issue. It came out from 2008R2 but think it may still apply
  Check this out:
  http://technet.microsoft.com/en-us/library/bb878128.aspx
  David Perkins
  IT Help Point, Inc.

• Cisco 8510 WLC and RTU licence

  Hi Guys,
  I have a simular issue where is shows the status as active, not-in-use.
  What does this mean and how do I get this to be in use.
  This is a Controller with HA-SKU license.
  The licenses has been inherited from the Primary Controller.
  Any license on HA-SKU controller is disregarded.
  Feature name: ap_count (adder)
  License type: Permanent
  License state: Active, Not-In-Use
  License Nodelocked: No
  RTU License Count: 50
  Hope to hear from you soon.
  Regards,
  Clifton.

  Hi,
  since this is a HA-SKU WLC, and the license is inherited from the active then no need to have a permenant license on it.
  is the HA working fine?
  please review the following link for the HA licensing requirements
  http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml#licensing

• Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

  Hello,
  We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
  We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
  Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
  Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
  Questions:
  Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
  If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
  In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
  I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
  Please help.
  Thanks in advance,
  Nick

  We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
  If there are other suggestions, please advise.
  Thanks,
  Nick

• Firewall and IPv6, how to block ports?

  I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine they are world accessible. I tried limiting services to be only accessible to the local machine, by adjusting the settings in the Firewall configurations in the system preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines in the local networks via IPv6. I suspect I going to need a command line tool or a third-party tool, but I am willing to deal with this until Apple sorts this out through a security update (please?).
  The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.

  Hi Andre,
  The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
  What speed is it? 867
  Leopard requirements...
  * Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor
  minimum system requirements
  * 512MB of memory
  * DVD drive for installation
  * 9GB of available disk space
  Not sure on IPv6, since the whole purpose seems to be to pinpoint individual computers to the whole world, but IPFW may still work...
  WaterRoof is a firewall management frontend with bandwidth tuning, NAT setup, port redirection, dynamic rules tracking, predefined rule sets, wizard, logs, statistics and other features...
  http://www.macupdate.com/info.php/id/23317
  See also...
  http://oreilly.com/pub/a/mac/2005/03/15/firewall.html
  http://tadek.pietraszek.org/blog/2007/05/01/adding-custom-firewall-rules-in-osx/

• WLC and WCS conflict

  Hi I am currently using 21 X WLC with N+1 Redundancy and 1X WCS with 1000++ of LAP1020. If had been observed that the antenna type and power TX had been changed with no reason. Is there any settings that may affect with AP customized Tx Power and antenna settings other than using the WCS template to push the configure to the APs instead of the WLC.

  Sorry for jumping in on the question with another question but it seemed the right place.
  I have an AIR-CT5508-25-K9 WLC and +25AP license : L-LIC-CT5508-25A.
  As far as I understand it the WLC should already have a 25AP license installed and with the adder license I should have a count of 50 APs.
  However, after installing the adder license the count is still 25.
  Could you please let me know if it's just something wrong in my reasoning or should a case be opened?
  Thank you,
  Barbara

• Guest-Anchor-WLC and NAC integration guide

  I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?

  User traffic is locally bridged on a 1030 in REAP mode so packet forwarded to the default gtw would follow the NAT rules on the firewall but the real challenge is the LWAPP control channel. In that past using 1:1 NAT I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.

• Cisco wlc and steel belted radius

  we have cisco wlc controller  that have  two ssid  one for user and one for guest
  we need the  user in ssid 1 take user name and password from  user group in active directory through steel belted radiu
  please send to me any integrated guide between cisco wlc and steel belted radius
  regards

  Hi                                                      Mohammad,
  I am unaware of a specific Steel Belted RADIUS intrgration guide for the WLCs, however the configuration process on the controller will be the same:
  Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
  http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
  You may wish to contact your RADIUS vendor for additional configuration steps on the server.
  Best,
  Drew

• WLC and LDAP

  Hi to all,
  i want to use local-eap+LDAP (microsoft AD) and i'm experiencing some issue.
  First of all i'm not able to bind WLC and LDAP...if a perform a debug aaa ldap enable i get this output:
  Any idea about how to solve this issue?
  Regards
  Ale

  It sounds like .... invalid credentials ? :-)
  Please post your LDAP config on WLC.
  Is your admin username with which you're binding within the search context that you defined ? this is very important

• WLC and WLSE

  Hi Netpro
  what is the difference between the WLC and WLSE?
  thanks

  Basically the WLSE is no longer around:)  the WLSE was a management box for autonomous ap's.  The WLC manages lightweight access points and that is really what everyone is moving towards if not already.
  http://www.learnios.com/viewtopic.php?f=5&t=33687
  https://supportforums.cisco.com/thread/328073
  https://supportforums.cisco.com/thread/338936

• WLC and LWAP Registration Log Question

  We have a Cisco 4404 WLC and and about 70 Cisco 1131 APs.  I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs.  We have a AP that has unregistered and we can't seem to find what switchport it was attached to.  It would be helpful to know the IP address and ideally any CDP information it had.  Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not.  Any help would be appreciated.

  You will not be able to find that info unless you still see the information on the log about the AP. You would have to either review the switch cdp info as long as the AP is still functioning or else you will just need to physically track it down. If you have WCS or NCS, you should be able to review the past history and the maps would show you where that AP was located if the ap were positioned correctly.
  Thanks,
  Scott Fella
  Sent from my iPhone