WLC configuration

Hello,
I need a little more info. I have the controller setup and the APs are all registering. However I need some more info regarding the Dynamic interfaces. It is my understanding that for wireless clients to communicate across the network I have to have a Dynamic Interface assigned. This interface is supposed to be on a different VLAN and subnet than all the other interfaces. So my question is do I have to set this VLAN up on the switch the controller is connected to or does the controller take care of passing the traffic from the VLAN my wireless clients are on to the VLAN my LAN uses?
Thanks

The switch ports that the controller connects to need to be trunking 802.1q and passing the VLANs in question. It is recommended that you prune all unneeded VLANs from the trunk going to the controller. You will put the VLAN # in the interface settings when you create a dynamic interface. You will then create a WLAN and bind it to the dynamic interface on the controller.
wlan|dynamic interface|vlan
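
The pruning recommendation in the reply above can be checked against a saved switch configuration. The following is an added example, not part of the original thread: it parses IOS-style interface blocks and reports, for every trunk port, whether the allowed-VLAN list is missing (all VLANs carried) and which VLANs exceed the set the controller needs. The sample configuration and the required VLAN set (10, 11, 12) are constructed for illustration.

```python
import re

# Constructed sample switch configuration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/13
 description WLC port 1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,11-12,20-25
 switchport mode trunk
!
interface GigabitEthernet1/0/14
 description WLC port 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport access vlan 12
 switchport mode access
"""

ALL_VLANS = set(range(1, 4095))  # a trunk with no allowed list carries 1-4094


def expand_vlans(spec):
    """Expand an IOS VLAN list such as '10,11-12' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_trunks(config):
    """Return {interface name: set of allowed VLANs} for trunk-mode ports."""
    trunks = {}
    for block in re.split(r"(?m)^interface\s+", config)[1:]:
        lines = [line.strip() for line in block.splitlines()]
        name, body = lines[0], lines[1:]
        if "switchport mode trunk" not in body:
            continue
        allowed = None
        for line in body:
            m = re.match(r"switchport trunk allowed vlan (add )?([\d,\- ]+)$", line)
            if not m:
                continue
            listed = expand_vlans(m.group(2))
            # 'add' extends the existing list; the plain form replaces it.
            allowed = (allowed or set()) | listed if m.group(1) else listed
        trunks[name] = ALL_VLANS if allowed is None else allowed
    return trunks


def audit(config, required):
    """Compare each trunk's allowed VLANs with the set the WLC needs."""
    report = {}
    for port, allowed in parse_trunks(config).items():
        unpruned = allowed == ALL_VLANS
        report[port] = {
            "unpruned": unpruned,
            "extra": [] if unpruned else sorted(allowed - required),
            "missing": sorted(required - allowed),
        }
    return report


if __name__ == "__main__":
    for port, result in audit(SAMPLE_CONFIG, {10, 11, 12}).items():
        print(port, result)
```
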

Similar Messages

  • Wireless Design - WLC Configuration

    Soon to be working on a design for a Wireless installation across one of our buildings. The wireless survey has been completed, and we'll be installing 175 APs, across the 3 floors of the building.
    With regards to the back-end WLC setup, I have a few queries around the WLC configuration. We're looking at implementing the 4400 series of devices, and due to us having nearly 200 APs, we'll need at least 2 x 4404 or 4 x 4402 - I'm assuming it's simpler to have fewer devices to make management simpler.
    Also, looking at the Cisco reference material, they recommend that a 4404 can support up to 100 APs. With regards to configuring the ports on the box, would I need to configure LAG across the WLC ports in order for it to accommodate all of the Access Points? If we were to go with a scenario of using 2 x 4404 devices, would we be in a position whereby if we lost a Controller, we'd lose all of the Access Points associated with that Controller? In order for us to have full resiliency, we'd need an additional 4404 controller for the APs to fail over to?
    From a licensing perspective, we'll be purchasing a licence to cover 200 APs.
    TIA

    Do you think that the phone carrier changed the Android OS kernel and removed the proxy setting option before they sell it to consumers? If so, why would they do such a thing?
    As far as I'm aware, no.  Phone carriers don't care about wi-fi proxy.  They won't make any money if they do and they equally won't make money if they don't.  This "proxy" issue came straight from the developers of the Android OS themselves.  It's been highlighted since day one of the Android release.  This is why some browsers have incorporated proxy settings to their application because the Android OS developers are not interested to fix this shortfall.
    RE: iPhone and iPad users if you use Windows proxy server and integrated Windows authentication is enabled the credential should not be prompted for user if it's already entered in their devices.
    Unfortunately, I don't have the details with me right now but I'll try to see if I still have this information when I go back to work.

  • WLC configuration for EAP-TLS

    Hi,
    I am trying to set up a Cisco WLC 2006 with EAP-TLS + WPA.
    Every time I try to log in to the network my wireless card gives a message saying "validating user", but nothing else happens.
    I cannot find any manual for configuring this. Can anyone perhaps assist?
    Regards
    Dean

    More details would be helpful:
    What RADIUS server are you using, what CA are you using, where (what VLAN) are they located, which port of the WLC are you connected to (RADIUS/CA)?
    Are you using the Vendor's client software or MS wireless zero config? Which version? or Linux? Which distribution/version?
    Having this info will be a good start ...
    Let us know
    Scott

  • QOS & Switch & AP & WLC Configuration

    Hi,
    Following sample configuration:
    WLC Switchport Configuration
    interface GigabitEthernet1/0/13
    switchport trunk encapsulation dot1q
    ! Management VLAN is 10
    switchport trunk allowed vlan 10,11-12
    switchport mode trunk
    mls qos trust cos
    AP Switchport Configuration
    interface GigabitEthernet1/0/1
    switchport access vlan 12
    switchport mode access
    mls qos trust dscp
    spanning-tree portfast
    What is still not clear for me is how I have to configure my management port on the WLC 5508 ( v7.2 ).
    Do I have to configure the VLAN tagging with 0 ( untagged ) or with 10? I checked several entries
    but it's still not 100% clear to me.
    Can anyone explain to me?!
    Thanks in advance.
    Regards

    Hi Alex,
    You should always TAG the management interface into the WLC. If you make that vlan native and trust COS
    On the WLC if you put 0 - that means untagged / native.
    The latest config guides state to tag the management interface.
    Hope this helps
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Guest wireless WLC configuration doubts

    Hi Experts,
    I have one WLC which is configured as a Foreign controller and another is configured as an Anchor which is connected in the DMZ ( behind firewall ) ...
    I have one more Anchor controller which is physically connected to another remote office ...
    As of now, all guest clients are connecting to the remote site anchor controller when they are supposed to connect to the locally configured anchor controller.
    Can anybody suggest to me ... what configuration or settings I need to look into so that guest clients can be connected to the locally configured Anchor controller.
    Please suggest ....

    So you want the remote Anchor controller to be treated as a backup. Right?
    To my knowledge, it's not possible to use only one anchor controller at one time, since we have to enter the Anchor controller details in the foreign controller. So if we enter both the Anchor controllers in the Foreign controller they will start load balancing.
    The other process is - make a manual entry in the Foreign controller at the time of primary anchor controller failure so that the traffic starts moving to the remote anchor controller. This is a workaround.
    Otherwise I don't know if there are any settings which can be done at the Primary Anchor controller to switch to backup controller in the event of failure.

  • WLC configuration Backup with WCS

    Hi,
    What kind of backup is done with the configuration Backup Task in the WCS Administration.
    Is this a backup of the actual running config on the WLC or is it the saved (startup) config on the controller?
    Is there a way to view/edit a configuration backup from the controller?
    Can I create a task on the WCS to do a cyclic/automatic save configuration to flash?
    Regards Christian

    the configuration backup is for the controllers
    and the files live wherever you specified the tftp server location on install of WCS.
    The WLC backup is the running config from when the backup was completed.
    go to your tftproot directory to view the config
    If you are running a rev that outputs in xml format AND you are not encrypting it on the WLC.
    I would not try editing the file. The hash will be altered and the config backup file will be useless.
    You want WCS to be able to run the command 'save config' on each controller? How handy are you with tcl scripting?

  • WLC: Configuring Global Credentials for Access Points

    Hi,
    I have a WLC 4404 running Software Version 5.0.148.0 with 40 LWAPPs (1242AG, some 1231G). I want to configure global credentials for the LWAPPs. The configuration guide did not mention if I have to reboot the LWAPPs after setting the credentials.
    So, could I set this option during operation time? Thanks a lot for your help.
    Regards
    Simon

    Hi,
    Configuring the "Override global credentials" option in the GUI does not reboot the AP. It can be done in a production environment, just did it on one of my 1252s to test.
    Hope it helps.
    Jerome

  • CPI1.3: WLC Configuration Archive - Failure

    Good day, everybody!
    I am trying to make a Configuration Archive for a Wireless LAN Controller. The WLC is managed without any mistakes; SNMP v3 and SSH v2 have already been configured.
    But, when I start the Configuration Archive task and check Status in Jobs Dashboard - I always have Failure, like this:
    Does anybody know why I can't normally save the configuration? Thanks for any advice!

    In the Jobs Dashboard I choose Configuration Archive Results - Failure and see Fetch Running information:
    SNMP: Failed to establish SNMP connection to 10.0.10.101 - Cause: Device is Unreachable. Check the ReadOnly community string. SNMP: Failed to establish SNMP connection to 10.0.10.101 - Cause: Device is Unreachable. Check the ReadOnly community string.
    But I don't understand, why "Check the ReadOnly community string"? I use SNMP v3!
    For example, I've successfully got a Configuration Archive from a c3560G by using the same SNMP v3 and SSH parameters.
    Does anybody have ideas?

  • Using WCS to compare WLC configurations

    Hi all,
    I have a number of controllers which have been individually administered and as a result the configurations are no longer uniform. Is there a WCS feature which will allow me to compare differences between the controller configs?
    Many thanks
    Rhodri

    Under WCS
    Configuration Audit : controller-audit
    Reports > Report Launch Pad > Compliance > Configuration Audit >
    You can run reports on configurations.
    Not sure if you can diff between controllers, but you can diff between WCS values and the controller(s)
    The controller to controller diffs can be easily scripted via expect script

  • WLC Configuration Best practices - no updates since 2008?

    There have been no updates to this doc for almost 4 years.
    http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml
    That's a long time for wireless, especially since it still references release 5.2, and we now it's 7.0.  Plus quite a few new AP families have been announced, 802.11n, Cleanair, etc.  I think this document is overdue for an update.  Has there not been any lessons learned since 2008?  Can anyone from Cisco comment on this?

    Guys:
    I agree with you. Many docs are old, pretty old.
    You can use the Feedback button at the bottom of the doc page and send your feedback to Cisco.
    Most of the time they will reply to you and you can discuss your opinion that the doc is very old.
    I've done this with more than one doc and config examples that describe the config by providing images for version 3.x. They updated some of the docs to reflect later releases (6.x and 7.x).
    They have no problem with updating the docs; they have a good team to create and update the docs. Just be positive and hit that "Feedback" button and tell them and they'll surely help. (If not please tell me. I have a kind of personal contact with the wireless docs manager.)
    HTH,
    Amjad
    You want to say "Thank you"?
    Don't. Just rate the useful answers,
    that is more useful than "Thank you".

  • Guest configuration with WLC

    I am using a WLC 4402 with firmware 5.1 and a 1252 Access Point.
    I am having trouble configuring guest access with the WLC.
    I have configured an interface in the WLC under CONTROLLER->INTERFACES->GUEST.
    When I select this interface as guest it doesn't take IP address information. In this case I have to uncheck the guest selection box.
    And I got a dynamic interface without an IP address.
    After doing this I create a WLAN named GUEST and enabled it.
    I have put the guest interface as an ingress interface and management as egress interface and applied web auth successfully but still it is not showing me the guest SSID when I try to search for it.
    Help me
    please
    Thanks

    Have you gone through these documents yet?
    Wired Guest Access using Cisco WLAN Controllers Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808ed026.shtml
    Guest WLAN and Internal WLAN using WLCs Configuration Example
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008070ba8f.shtml
    Hope these will help you.

  • WLC DHCP Settings - Under Dynamic Interface configuration

    Hi Guys,
    If I have a dynamic interface that is connected to a subnet where the router interfaces have DHCP servers configured under the helper address commands, do I need to configure the DHCP fields under the dynamic interface configuration?
    I have helper address configured on the connected routers AND these fields configured with the same DHCP servers.
    Just wondering if I can take the IPs out of the WLC configuration?
    Many thx indeed,
    Ken

    Ken, the DHCP address under the dynamic interface, is the address the WLC will unicast the DHCP request to when a client tries to use that interface. Under normal operation this address is needed. There is a way to get the WLC to bridge the packet to the wire so that it is a broadcast instead of a unicast packet. CLI command is config dhcp proxy disable.
    But I do believe that even if you issue the CLI command, the software wants the DHCP address listed under the dynamic interface.
    HTH,
    Steve

  • WLC 5508 7.4.X - N+1

    Hi,
    I don't understand this document
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide/N1_HA_Overview.html
    How can the third 5508 (supports max 500 APs) back up all the other WLCs? N+1 how?
    With the secondary WLC configured as HA-SKU (without AP SSO), are the 500 licenses permanent?
    Who can explain this to me.. is this a document bug ??

    What they're describing is HA N+1, not HA 1:1 AP SSO.  This option, which is "NON-AP-SSO", allows you to use an HA-SKU or > -50-k9 SKU converted, to operate as a dedicated +1 WLC in HA.  When using this configuration, this WLC allows the use of the "hardware maximum" of the device: Thus 500 APs for WLC 5508, or 1000APs for a WISM2 (as an example).  Since this WLC can wait as a backup to multiple WLCs, that's why it's not capable of the AP SSO, which requires a 1:1 pairing of the HA WLC with an Active HA WLC.
    When using the HA N+1 the WLC acts the same as the pre AP-SSO "HA" concept; where you had Primary, Secondary, Tertiary configs on your APs (which you may still have).  All it is saying is that the N+1 HA WLC can act as one of these Secondary/Tertiary WLCs, much like a WLC you had licensed for 250 or 500 APs could do previously.
    In the past you would use, let's say a 250 WLC AP as this backup WLC.  Many people were frustrated that they had to have a $60,000 WLC just sitting there "waiting for something to fail".  But that's what it did.  If a WLC failed, let's say one with 100 APs, this backup WLC would take on the APs and use 100 of its 250 AP license count.  If additional WLCs failed, the process continued until this backup WLC was filled.
    The idea of using the HA-SKU in an N+1 is that while yes, you don't get the 1:1 AP SSO configuration, you are getting more bang for your buck in that this WLC can sit as a backup (as it did in the past) but it can accept up to the maximum its hardware can handle in terms of AP count, not only what it was permanently licensed for.  Rather than spending $100,00 on a 500 AP count WLC to backup your 2x250 AP count WLCs, why not look at a $50,000 HA-SKU that can "handle" up to 500 APs.
    So given this scenario, this WLC is "backing up all other WLCs" for whom it is a Secondary/Tertiary WLC backup.
    As far as the HA-SKU "license", it's not "permanent" per se.  With an HA SKU in N+1 you have a 90 day timer which will then "nag you" (via console) that this HA WLC is not truly intended to permanently house these APs.  The idea is that if the Primary WLC failed, you would get it back online and then move your APs back to where they belong and return the HA N+1 WLC back to 0 APs.

  • WLC AP failover

    I'm doing a software and FUS upgrade on a set of 5508's in HA- mode (Primary and Standby) and do not want the AP's to fail over to another controller in the mobility group during the software upgrade, but I want them to during the FUS upgrade.
    Do I just take the controller out of the mobility group to do this during the software upgrade, then put the controller back in the mobility group just before the FUS upgrade so the AP's will fail over?
    I've heard that the AP's will still fail over to another controller on the network even if it's not in the mobility group.. is this true?

    If I'm right, you are already running an HA SSO pair but with other WLC's mobility members in the same mobility group. If so, all the joined access-points will automatically receive the management IPv4 address of the other WLC's within the same group. This is not the case when other WLC's are in a different mobility group (and still configured in the mobility list of the HA SSO pair WLC).
    There are also some other methods for the AP to learn about other WLC's:
    - The configured primary, secondary and tertiary WLC on the AP itself
    - Globally configured backup WLC
    - If there is still no WLC to go to, the AP will go back to normal discovery process to find other WLC's.
    You can verify which WLC's your access-point knows of on the access-point itself:
    AP#show capwap client config
    mwarName <- Name and IPv4 address of the configured primary WLC on the AP     
    mwarIPAddress 0.0.0.0
    mwarName <- Name and IPv4 address of the configured secondary WLC on the AP
    mwarIPAddress 0.0.0.0
    mwarName <- Name and IPv4 address of the configured tertiary WLC on the AP
    mwarIPAddress 0.0.0.0
    << >>
    Configured Switch 1 Addr x.x.x.1 <- Currently joined WLC
    Configured Switch 2 Addr x.x.x.2 <- The next WLC from the mobility list with in the same mobility group as the currently joined WLC
    AP#show capwap client ha
    primaryBackupWlcIp      0x0 <- IPv4 address and name of the first global backup WLC
    primaryBackupWlcName
    secondaryBackupWlcIp    0x0 <- IPv4 address and name of the secondary global backup WLC
    secondaryBackupWlcName
    So to make sure your access-points won't go to other controllers when you are upgrading you need to make sure they don't know about the other ones and they can't learn about them either (like layer 3 broadcast, DHCP option 43, DNS).
    Depending on your infrastructure maybe something like a temporary ACL is less time consuming and less complex as well to get the same result in the end.

  • Cisco ISE and WLC Timeout Best Practices

    I am fairly new to ISE. Our Cisco WLC is using 802.1x and ISE is configured for PEAP with all inner methods enabled.
    I am looking for some guidance around where I should be configuring timeouts. There is a PEAP Session timeout in ISE, a session timeout on the WLC and a RADIUS reauthentication timeout that can be set in the Authorization profile results object in ISE.
    Currently I have the WLC configured for its default 1800 second timeout and ISE PEAP timeout at the default 7,200 value.

    I ended up answering my own question. The authorization session timeouts should be set in ISE if at all.
    Once I removed the session timeout value from the WLC and used the re-auth value in the ISE policy I had less complaints about disconnects.
    The session timeout on the PEAP settings has not caused any ill effects at its default. The session resume has taken a huge load off of AAA though. It's worth turning on.
