WLC and IPv6
Hi All,
Has anybody experience with WLC and IPv6? I have activated the check box for IPv6 support, but it does not work.
Regards,
Michael
Hi,
Have you configured the uplink router/sw to support IPv6? The sample config would look like this:
ipv6 unicast-routing
interface FastEthernet0/0.6
 encapsulation dot1Q 56
 ip address 10.50.56.1 255.255.255.0
 ip access-group GNS2 in
 ip access-group GNS2 out
 ip helper-address 10.50.1.21
 ip pim sparse-dense-mode
 ip multicast ttl-threshold 1
 no snmp trap link-status
 ipv6 address 2006::/64 eui-64
 ipv6 address autoconfig
 ipv6 enable
Let me know if this works for you or not.
regards
Seema
Similar Messages
-
IPv6 for management and control plane on WLCs and LWAPs
Good morning, everybody!
I am trying to find an answer to a question that has been previously asked by people but never successfully answered.
The question is about IPv6 support on Cisco Wireless LAN Controllers and access points... Does Cisco have a roadmap to include support for IPv6 used in CAPWAP, control plane and management? There are a couple of posts on this topic that unfortunately do not provide any answer to this point.
https://supportforums.cisco.com/message/3018843
https://supportforums.cisco.com/docs/DOC-15667
Infamous "Cisco IPv6 Solution" at http://www.cisco.com/en/US/partner/technologies/collateral/tk648/tk872/tk373/technologies_white_paper_09186a00802219bc_ps6553_Products_White_Paper.html briefly states "Wireless Solutions... In future, IPv6 control plane features may get added to those components."
Has anyone heard of any more specific roadmap for IPv6 support for CAPWAP, control plane and management on WLCs and LWAPs?
Full IPv6 support will never be available on the WiSM and 440x controllers because they have an NPU to forward traffic and it was not designed with IPv6 in mind.
The 5508 and Wism2 and all new controllers all have CPU based forwarding and ipv6 is coming in next releases.
WLC 8.0 is only for december 2011/2012 and I have to say I don't know if it will support native ipv6.
my 2 cents -
ISE 1.2 With WLC and AD
Hi everyone,
What are the steps and procedure to implement wired and wireless authentication with ISE, WLC and AD for a lab environment? Currently the following are done:
The wireless network is configured with 2 SSID (Staff and Guest)
Active Directory, DNS, DHCP, and NTP configured & synced.
ISE and AD running on C220 VMs, and WLC is 5760 Appliance.
Please provide your thoughts and assistance.
Regards
You have to implement dot1x and RADIUS between your NAD and ISE device.
Using the 3850 switch, these are the steps:
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa new-model
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting auth-proxy default start-stop group radius
aaa accounting dot1x default start-stop group radius
! this password will be used to communicate with ISE and to verify reachability
! between ISE and Switch
aaa server radius dynamic-author
 client 172.16.1.18 server-key 7 radiuskey
 client 172.16.1.20 server-key 7 radiuskey
ip domain-name lab.local
ip name-server 172.16.1.1
dot1x system-auth-control
interface GigabitEthernet1/0/3
 switchport mode access
 switchport voice vlan 50
 switchport access vlan 10
 ip access-group ACL-ALLOW in
 authentication event fail action next-method
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
ip access-list extended ACL-ALLOW
 permit ip any any
! the comm between radius and ise will occur on these Port
ip radius source-interface Vlan100
logging origin-id ip
logging source-interface Vlan100
logging host 172.16.1.20 transport udp port 20514
logging host 172.16.1.18 transport udp port 20514
snmp-server community ciscoro RO
snmp-server community public RO
snmp-server trap-source Vlan100
snmp-server source-interface informs Vlan100
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 10 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
! defining ISE servers
radius server ISE-RADIUS-1
 address ipv4 172.16.1.20 auth-port 1812 acct-port 1813
 automate-tester username RADIUS-HEALTH idle-time 15
 key radiusKey
Please be sure that NTP servers and time are synchronized.
Enable dot1x on the Windows machine, or use Cisco NAM.
You can enable debugging on aaa authentication to see the events.
You have to create this user on ISE (RADIUS-HEALTH).
3850#test aaa group radius username password new-code
and observe the result. You are supposed to have the user authenticated successfully.
You must also have defined this device in ISE on the radius interface.
ip radius source-interface ..... use this interface's IP address to define the IP address of the NAD device in ISE.
Administration --> Network Resources --> Network Devices --> Add
Input the name.
Input the IP address for radius communication.
Select the authentication settings and fill in the corresponding shared secret radius key.
Select SNMP settings and select version 2c.
SNMP community: ciscoro
You can customize the polling interval if you want, and that's all.
You are supposed to receive message communication between your NAD and ISE.
Afterwards you can do the procedure for the WLC device.
I will fill it after you have passed the first steps (3850 authentication). -
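A hardening review of the switch configuration in the reply above, as an added example that is not part of the original post: the script scans an excerpt of the posted lines (sub-commands indented so they can be grouped) for settings that suit a lab but should change before production. The rule names are made up for this example.

```python
import re

# Excerpt of the 3850 configuration posted above; indentation added for parsing.
CONFIG = """\
username RADIUS-HEALTH password radiusKey1 privilege 15
aaa server radius dynamic-author
 client 172.16.1.18 server-key 7 radiuskey
interface GigabitEthernet1/0/3
 ip access-group ACL-ALLOW in
 authentication open
 authentication port-control auto
ip access-list extended ACL-ALLOW
 permit ip any any
snmp-server community ciscoro RO
snmp-server community public RO
radius server ISE-RADIUS-1
 key radiusKey
"""

def parse_blocks(text):
    """Group indented sub-commands under their parent line: {parent: [children]}."""
    blocks, parent = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blank lines and IOS comments
        if line.startswith(" ") and parent is not None:
            blocks[parent].append(line.strip())
        else:
            parent = line.strip()
            blocks[parent] = []
    return blocks

def audit(text):
    """Return a sorted list of (rule, subject) findings (hypothetical rule names)."""
    blocks, findings = parse_blocks(text), []
    # ACLs that permit everything give no pre-authentication restriction.
    open_acls = {p.split()[-1] for p, kids in blocks.items()
                 if p.startswith("ip access-list extended") and "permit ip any any" in kids}
    for parent, kids in blocks.items():
        # "password" is stored in clear or reversible type 7; "secret" is hashed.
        if re.match(r"username \S+ password ", parent):
            findings.append(("local-user-password-not-secret", parent.split()[1]))
        m = re.match(r"snmp-server community (\S+) (RO|RW)$", parent)
        if m:
            default = m.group(1) in ("public", "private")
            findings.append(("snmp-default-community" if default
                             else "snmp-community-no-acl", m.group(1)))
        for kid in kids:
            # RADIUS shared secret given in clear text or as type 0/7.
            if re.match(r"(client \S+ server-key|key)( [07])? \S+$", kid):
                findings.append(("radius-secret-cleartext-or-type7", parent))
        # Open access plus a permit-any port ACL forwards traffic whether or not
        # authentication succeeds (monitor mode).
        if parent.startswith("interface ") and "authentication open" in kids:
            acls = [k.split()[2] for k in kids
                    if k.startswith("ip access-group ") and k.endswith(" in")]
            if not acls or any(a in open_acls for a in acls):
                findings.append(("open-auth-unrestricted-preauth", parent.split()[1]))
    return sorted(findings)

if __name__ == "__main__":
    for rule, subject in audit(CONFIG):
        print(f"{rule}: {subject}")
```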
Cisco IOS Zone Based Firewall and IPv6
Hello,
I am trying to set up an IPv6 tunnel to the tunnel broker Hurricane Electric. The IPv6 connection is working OK only if I disable zone security on the WAN interface (Fe0 - IPv4 interface).
Which protocols must be allowed to and from the router?
IOS version: 15.1.2T1 (Adv.ip services)
Setup:
HE (tunnel-broker) --- Internet (IPv4) ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
Config on router:
IPv4 (self to internet and internet to self)
policy-map type inspect Outside2Router-pmap
 class type inspect SSHaccess-cmap
  inspect
 class type inspect ICMP-cmap
  inspect
 class type inspect IPSEC-cmap
  pass
 class type inspect Protocol41-cmap
  pass log
 class class-default
  drop
interface Tunnel1
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 zone-member security IPv6tunnel
 ipv6 address 2001:47:25:105B::2/64
 ipv6 enable
 ipv6 mtu 1300
 tunnel source FastEthernet0
 tunnel mode ipv6ip
 tunnel destination xxx.66.80.98
interface FastEthernet0
 description WAN interface
 ip address xxx.xxx.252.84 255.255.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 zone-member security WAN
 duplex auto
 speed auto
zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
 service-policy type inspect IPv6-out-pmap
zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
 service-policy type inspect IPv6-out-pmap
policy-map type inspect IPv6-out-pmap
 class type inspect IPv6-internet-class
  inspect
 class class-default
  drop
class-map type inspect match-all IPv6-internet-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
ipv6 route ::/0 Tunnel1
ipv6 unicast-routing
ipv6 cef
parameter-map type inspect v6-param-map
 ipv6 routing-header-enforcement loose
 sessions maximum 10000
OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
policy-map type inspect pm-selftowan
 class type inspect cm-selftowan-he-out
  inspect
 class type inspect cm-dhcpwan
  pass
 class class-default
  drop
class-map type inspect match-all cm-selftowan-he-out
 match access-group name HETunnelOutbound
ip access-list extended HETunnelOutbound
 permit 41 any any
 permit ip any host 64.62.200.2
 permit ip any host 66.220.2.74
 permit ip any host 216.66.80.26
Now we see the same error, just on the 'new' first cmap in the pmap:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to Invalid Segment with ip ident 0
Yet as you can see above, we are allowing proto 41 any any.
I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
any ideas?
Thanks,
//TrX
EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
I decided to change the outbound cm-selftowan-he-out action to 'pass'.
I suddenly noticed the following log:
*Oct 5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session 216.66.80.26:0 :0 on zone-pair wantoself class cm-wantoself-he-in due to Invalid Segment with ip ident 0
Notice this is now inbound having trouble whereas before it was outbound.
I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
Looking at the original outbound PMAP:
policy-map type inspect pm-selftowan
 class type inspect cm-selftowan
  inspect
 class type inspect cm-selftowan-he-out
  inspect
 class type inspect cm-dhcpwan
  pass
 class class-default
  drop
cm-selftowan has always been in front of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails as it seems ip inspect only handles a handful of protos).
This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
Hope this helps the OP too
//TrX -
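The class-ordering effect described in this reply, as an added example that is not part of the original post: a simplified Python model of first-match evaluation in the self-to-WAN policy-map, covering the outbound direction only. It assumes, as the thread observed, that inspect only succeeds for TCP, UDP and ICMP; cm-dhcpwan is left out because its class-map is not shown, and 203.0.113.10 is a constructed test address.

```python
# Added example: simplified model of first-match class selection in a ZBF policy-map.
INSPECTABLE = {"tcp", "udp", "icmp"}  # assumption from the thread's observation

# ACL entries as (protocol, destination); "ip" matches any protocol, "any" any host.
ACLS = {
    "cm-selftowan": [("ip", "any")],  # described in the thread as "ip any any"
    "cm-selftowan-he-out": [          # ACL HETunnelOutbound as posted
        ("41", "any"),
        ("ip", "64.62.200.2"),
        ("ip", "66.220.2.74"),
        ("ip", "216.66.80.26"),
    ],
}

# Policy-maps as ordered (class, action) lists; class-default drop is implicit.
ORIGINAL = [("cm-selftowan", "inspect"), ("cm-selftowan-he-out", "inspect")]
PASS_BUT_SHADOWED = [("cm-selftowan", "inspect"), ("cm-selftowan-he-out", "pass")]
FINAL = [("cm-selftowan-he-out", "pass")]  # broad class removed, tunnel class passes

PROBES = [("41", "216.66.80.26"), ("tcp", "203.0.113.10")]  # second address constructed

def acl_matches(entries, proto, dst):
    return any(p in ("ip", proto) and d in ("any", dst) for p, d in entries)

def outcome(action, proto):
    """'inspect' on a protocol the inspection engine cannot track ends in a drop."""
    if action == "drop" or (action == "inspect" and proto not in INSPECTABLE):
        return "dropped"
    return "forwarded"

def classify(policy, proto, dst):
    """Return (class, action, outcome) for the first class whose ACL matches."""
    for cls, action in policy:
        if acl_matches(ACLS[cls], proto, dst):
            return cls, action, outcome(action, proto)
    return "class-default", "drop", "dropped"

def misordered(policy, probes):
    """Probes dropped by the winning class although a later class would forward them."""
    findings = []
    for proto, dst in probes:
        winner, _, result = classify(policy, proto, dst)
        if result != "dropped":
            continue
        for cls, action in policy:
            if (cls != winner and acl_matches(ACLS[cls], proto, dst)
                    and outcome(action, proto) == "forwarded"):
                findings.append((proto, dst, winner, cls))
    return findings

if __name__ == "__main__":
    for name, policy in [("original", ORIGINAL), ("pass but shadowed", PASS_BUT_SHADOWED),
                         ("final", FINAL)]:
        print(name, classify(policy, "41", "216.66.80.26"), misordered(policy, PROBES))
```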
Problem share folder WLC and pc macbookpro
I am doing a migration from my wireless network. In the old network, on the MacBookPro PC, I can see shared files on the network. But when I connect to the SSID configured on the WLC, I cannot see shared files on the network. I have no ACL configured on the SSID.
Bonjour is a non-routable multicast based service. A trick I use sometimes is to configure the WLAN to be in hreap mode if the AP is located locally to the target Bonjour device. If you're running in local mode, make sure they are on the same VLAN and global multicast is enabled.
Sent from Cisco Technical Support iPad App -
Network Load Balancing and IPv6 Ping Timeout
I've noticed interesting behavior with NLB on Windows 2012 R2 and IPv6. I have two systems that use NLB on a Hyper-V cluster, each system is on a different node in the cluster. When I do an IPv6 ping within the same subnet, I notice that the reply time is normally 1-3ms, but every so often it goes to 100+ms. I also notice that both members of the NLB reply to a ping to the cluster IPv6 address. This is interesting.
When I do a ping to the cluster IPv6 address from a different subnet, I notice that the reply is intermittent. The NLB nodes will either both reply to the ping or both won't. At first I thought that there was an issue with my network, but when I do a span on the ports that the cluster is attached to, I see that the IPv6 ping packets arrive, but the NLB nodes don't always send a reply.
What is also interesting is that the NLB web farm I have set up seems to be working fine and is not intermittent, so this issue only has to do with ping. Has anyone else seen this type of issue, or is this a bug?
Thanks!
Hi Nathan,
So are you running both IPV6 and IPV4? Do you have any clients that can't connect at all? Just on ping?
The reason I ask is we had a server that was receiving IPv6 fine, but on receiving IPv4 would switch to IPv6 to connect SSL back to the client. Of course the clients never received it and just got a timeout. Funny thing is cell phones had no issue at all because they were straight IPv6. Only clients with both protocols got the timeout.
So the ack was sent back via the wrong protocol and nothing but the timeout is what the client sees. This may be an LLMNR issue. It came out from 2008R2 but think it may still apply.
Check this out:
http://technet.microsoft.com/en-us/library/bb878128.aspx
David Perkins
IT Help Point, Inc. -
Cisco 8510 WLC and RTU licence
Hi Guys,
I have a similar issue where it shows the status as active, not-in-use.
What does this mean and how do I get this to be in use?
This is a Controller with HA-SKU license.
The licenses have been inherited from the Primary Controller.
Any license on HA-SKU controller is disregarded.
Feature name: ap_count (adder)
License type: Permanent
License state: Active, Not-In-Use
License Nodelocked: No
RTU License Count: 50
Hope to hear from you soon.
Regards,
Clifton.
Hi,
Since this is an HA-SKU WLC, and the license is inherited from the active, there is no need to have a permanent license on it.
Is the HA working fine?
Please review the following link for the HA licensing requirements:
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bd3504.shtml#licensing -
Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel
Hello,
We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
Questions:
Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
Please help.
Thanks in advance,
Nick
We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
If there are other suggestions, please advise.
Thanks,
Nick -
Firewall and IPv6, how to block ports?
I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine they are world accessible. I tried limiting services to be only accessible to the local machine, by adjusting the settings in the Firewall configurations in the system preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines in the local networks via IPv6? I suspect I am going to need a command line tool or a third-party tool, but I am willing to deal with this until Apple sorts this out through a security update (please?).
The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
Hi Andre,
The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
What speed is it? 867
Leopard requirements...
* Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor
minimum system requirements
* 512MB of memory
* DVD drive for installation
* 9GB of available disk space
Not sure on IPv6, since the whole purpose seems to be to pinpoint individual computers to the whole world, but IPFW may still work...
WaterRoof is a firewall management frontend with bandwidth tuning, NAT setup, port redirection, dynamic rules tracking, predefined rule sets, wizard, logs, statistics and other features...
http://www.macupdate.com/info.php/id/23317
See also...
http://oreilly.com/pub/a/mac/2005/03/15/firewall.html
http://tadek.pietraszek.org/blog/2007/05/01/adding-custom-firewall-rules-in-osx/ -
Hi, I am currently using 21 X WLC with N+1 redundancy and 1X WCS with 1000++ of LAP1020. It has been observed that the antenna type and Tx power have been changed for no reason. Are there any settings that may affect the AP's customized Tx power and antenna settings, other than using the WCS template to push the configuration to the APs instead of the WLC?
Sorry for jumping in on the question with another question but it seemed the right place.
I have an AIR-CT5508-25-K9 WLC and +25AP license : L-LIC-CT5508-25A.
As far as I understand it the WLC should already have a 25AP license installed and with the adder license I should have a count of 50 APs.
However, after installing the adder license the count is still 25.
Could you please let me know if it's just something wrong in my reasoning or should a case be opened?
Thank you,
Barbara -
Guest-Anchor-WLC and NAC integration guide
I was trying to find some design reference for the Guest-WLC and NAC integration guide. Anyone can share some experience/cisco docs/links?
User traffic is locally bridged on a 1030 in REAP mode so packets forwarded to the default gateway would follow the NAT rules on the firewall, but the real challenge is the LWAPP control channel. In the past, using 1:1 NAT, I was successful with a CP firewall but I had to play tricks with the mobility group and use the FW logs to track and define the right ports.
-
Cisco wlc and steel belted radius
We have a Cisco WLC controller that has two SSIDs, one for users and one for guests.
We need the users in SSID 1 to take their user name and password from a user group in Active Directory through Steel Belted RADIUS.
Please send me any integration guide between Cisco WLC and Steel Belted RADIUS.
Regards
Hi Mohammad,
I am unaware of a specific Steel Belted RADIUS integration guide for the WLCs, however the configuration process on the controller will be the same:
Cisco WLC Configuration Guide 7.0 - Configuring RADIUS:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70sol.html#wp1388328
You may wish to contact your RADIUS vendor for additional configuration steps on the server.
Best,
Drew -
Hi to all,
I want to use local-eap+LDAP (Microsoft AD) and I'm experiencing some issues.
First of all I'm not able to bind WLC and LDAP... if I perform a debug aaa ldap enable I get this output:
Any idea about how to solve this issue?
Regards
Ale
It sounds like .... invalid credentials? :-)
Please post your LDAP config on WLC.
Is the admin username with which you're binding within the search context that you defined? This is very important.
Hi Netpro
What is the difference between the WLC and WLSE?
Thanks
Basically the WLSE is no longer around :) The WLSE was a management box for autonomous APs. The WLC manages lightweight access points and that is really what everyone is moving towards if not already.
http://www.learnios.com/viewtopic.php?f=5&t=33687
https://supportforums.cisco.com/thread/328073
https://supportforums.cisco.com/thread/338936 -
WLC and LWAP Registration Log Question
We have a Cisco 4404 WLC and about 70 Cisco 1131 APs. I am very new to the Cisco WLC and I need to know how to view its AP registration and unregistration logs. We have an AP that has unregistered and we can't seem to find what switchport it was attached to. It would be helpful to know the IP address and ideally any CDP information it had. Unfortunately you can only view this information in the WLC if the AP is registered, but at this point it is not. Any help would be appreciated.
You will not be able to find that info unless you still see the information on the log about the AP. You would have to either review the switch cdp info as long as the AP is still functioning or else you will just need to physically track it down. If you have WCS or NCS, you should be able to review the past history and the maps would show you where that AP was located if the ap were positioned correctly.
Thanks,
Scott Fella
Sent from my iPhone