WLC Flex7500 in HA on VLAN1

Hi guys.
We provide wireless with a couple of Flex7500 in HA Deployment. Both WLC are in LAG (10Gx2) to a Nexus 7K. Management and Redundancy-Management Interface are untagged while in N7K their subnet IP belongs to VLAN1. (I know VLAN1 is not a best-practice, but I can't change it now)
N7K is configured with a port-channel (vPC) and both work properly till the moment I enable SSO. A message says to set VLAN tagging for Redundancy-Management Interface. Then, enabling tagging to VLAN1 on both Management and Redundancy makes the device unreachable.
I've solved the problem with a workaround changing Native Vlan to a fake ID, leaving Management (and Redundancy) VLAN1 tagged on WLCs.
I'm running WLC version 8.0.110.0 on both Flex7500.
Any idea about this strange behaviour? Is it a bug?

It is not a strange behavior. Cisco has changed their stance on management being tagged from being untagged like you find in older documents. So in the design of AP SSO, it's sort of understood that management and RP will be on a VLAN that is tagged. You did find a good workaround, but it might get someone confused later when they look at the switchport configuration and start scratching their head :)
-Scott
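
The mismatch discussed in this thread, as an added example that is not part of the original posts: a Python check that reads IOS/NX-OS style trunk configuration and reports when the VLAN a WLC tags its interface with is the trunk's native VLAN (which the switch sends untagged) or is missing from the allowed list. The sample configurations, the interface name `port-channel10`, VLAN 999 and all function names and finding codes are constructed for illustration.

```python
import re

DEFAULT_NATIVE_VLAN = 1  # a Cisco trunk uses VLAN 1 as native unless configured otherwise

# Constructed sample: switch side of the WLC port-channel before the workaround.
SAMPLE_BEFORE = """
interface port-channel10
  description constructed example - LAG to WLC
  switchport mode trunk
  switchport trunk allowed vlan 1,100-110
"""

# Constructed sample: native VLAN moved to an unused ID, as in the workaround.
SAMPLE_AFTER = """
interface port-channel10
  description constructed example - LAG to WLC
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 1,100-110
"""


def expand_vlan_list(spec):
    """Turn a list such as '1,40,45-47' into a set of VLAN ids."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_trunks(config_text):
    """Return {interface: {'native': int, 'allowed': set or None}} for trunk ports.

    'allowed' is None when no allowed list is configured (all VLANs allowed).
    """
    ports, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"trunk": False, "native": DEFAULT_NATIVE_VLAN, "allowed": None}
            ports[line.split(None, 1)[1]] = current
            continue
        if current is None:
            continue
        if line == "switchport mode trunk":
            current["trunk"] = True
        m = re.fullmatch(r"switchport trunk native vlan (\d+)", line)
        if m:
            current["native"] = int(m.group(1))
        m = re.fullmatch(r"switchport trunk allowed vlan (add )?([\d,\- ]+)", line)
        if m:
            vlans = expand_vlan_list(m.group(2))
            if not m.group(1):
                current["allowed"] = vlans
            elif current["allowed"] is not None:
                current["allowed"] |= vlans
    return {name: {"native": p["native"], "allowed": p["allowed"]}
            for name, p in ports.items() if p["trunk"]}


def check_wlc_vlan(config_text, interface, wlc_vlan_tag):
    """Compare a WLC interface's VLAN identifier with the switch trunk.

    wlc_vlan_tag is the 802.1Q id the WLC tags with; 0 means untagged.
    Returns a list of finding codes, empty when both sides agree.
    """
    port = parse_trunks(config_text).get(interface)
    if port is None:
        return ["NOT_A_TRUNK"]
    # With this global command the switch tags the native VLAN as well.
    tags_native = re.search(r"^\s*vlan dot1q tag native\s*$",
                            config_text, re.M) is not None
    findings = []
    if wlc_vlan_tag == 0:
        # Untagged WLC traffic is placed in whatever the native VLAN is.
        if tags_native:
            findings.append("UNTAGGED_BUT_SWITCH_TAGS_NATIVE")
        return findings
    if port["allowed"] is not None and wlc_vlan_tag not in port["allowed"]:
        findings.append("VLAN_NOT_ALLOWED")
    if wlc_vlan_tag == port["native"] and not tags_native:
        # The switch sends this VLAN untagged while the WLC expects a tag.
        findings.append("NATIVE_EQUALS_TAGGED")
    return findings


if __name__ == "__main__":
    for label, cfg, tag in (("untagged, native 1", SAMPLE_BEFORE, 0),
                            ("tagged 1, native 1", SAMPLE_BEFORE, 1),
                            ("tagged 1, native 999", SAMPLE_AFTER, 1)):
        print(label, "->", check_wlc_vlan(cfg, "port-channel10", tag) or "consistent")
```
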

Similar Messages

  • WLAN Clients not browsing on Cisco Wireless Controller WLC NME-AIR-WLC12-K9

    Hi
    I have a question and I need a solution and expert help.
    I have done a deployment which involves Security (ASA5540), Routing/voice gateway/wlc NME-AIR-WLC12-k9) and Switching (Cisco3845-ccme/k9)
    Below is the list of equipment used:
    1. Cisco ASA 5540 - which is connected at the edge to the ISP router
    2. Core Switch WS-C4948E as core and DHCP Server for all VLANs
    3. Access/Distribution Switches WS-C3560G-48PS-S connected as trunk to the core switch
    4. Router/Voice Gateway/WLC Cisco3845-CCME/K9 - This is the voice gateway and also the WLC
    5. Wireless APs AIR-LAP1242AG-E-K9 (12 qty)
    Here is the deployment scenario:
    1. G0/0 of the ASA is connected to a 7200 router from the ISP (Public IP Add)
    2. G0/1 of the ASA is connected to gig 1/3 on the Core Switch on VLAN 2 which is the management VLAN (Local IP 10.1.1.2)
    3. Port 3 of the Core switch is on vlan 2 connected to ASA - Management IP of Core Switch is 10.1.1.1. Core Switch is the DHCP Server for all VLANS on the network.
    4. All the Access/Distribution switches are configured with IP Addresses on VLAN 2
    5. Telephony Services is configured on the router and DHCP Pool for Access Points and Wireless Clients is running on the router.
    6. Two DHCP pools were created on the router for APs and Wireless Clients.
    7. G0/0 of the router is configured on the same network that issues dhcp ip to the AP and is connected to gig 1/1 on the core switch
    8. G0/1 of the router is configured as the voice port for the IP Telephony Services and is connected to G 1/2 on the core switch
    1. Clients receiving DHCP IP on the Core Switch can communicate with all vlans and can browse to the Internet.
    2. IP Telephony Services is running well.
    3. Client on wireless can get IP from the DHCP on the router but cannot browse.
    I have pings from the router to the core switch and firewall, but clients connected to the wireless cannot ping other vlans on the core switch and vice versa.
    The port connecting the router to the core switch is an Access Port, I have changed it to trunk but still no changes.
    My biggest problem now is how to make the clients on the wireless communicate with other clients on the network and be able to browse to the Internet.
    Below are the configs on the router and core switch.
    Router Config
    Nimc_Voice_Router#sh run
    Building configuration...
    Current configuration : 10513 bytes
    ! Last configuration change at 13:03:55 Nigeria Mon Nov 29 2010 by admin
    ! NVRAM config last updated at 13:03:56 Nigeria Mon Nov 29 2010 by admin
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Nimc_Voice_Router
    boot-start-marker
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/2
    logging message-counter syslog
    enable secret
    aaa new-model
    ! aaa authentication login default local
    aaa session-id common
    clock timezone Nigeria 1
    dot11 syslog
    ip source-route
    ip dhcp excluded-address 10.1.12.1 10.1.12.10
    ip dhcp excluded-address 192.168.1.1 192.168.1.10
    ip dhcp pool LWAAP-AP
    network 10.1.12.0 255.255.255.0
    default-router 10.1.12.1
    option 43 hex f104.c0a8.0002
    dns-server 83.229.88.30 4.2.2.2 193.238.28.249
    option 60 ascii "Cisco AP c1240"
    ip dhcp pool Wireless
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    ip cef
    no ip domain lookup
    ip domain name nimc.gov.ng
    ip name-server 83.229.88.30
    ip name-server 193.238.28.249
    ip name-server 4.2.2.2
    no ipv6 cef
    multilink bundle-name authenticated
    voice-card 0
    archive
    log config
    hidekeys
    interface GigabitEthernet0/0
    description Connection to AP
    ip address 10.1.12.1 255.255.255.0
    ip helper-address 192.168.0.2
    load-interval 30
    duplex auto
    speed auto
    media-type rj45
    interface Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/1
    ip address 10.1.2.2 255.255.255.0
    duplex auto
    speed auto
    media-type rj45
    interface FastEthernet0/0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Serial0/1/0
    no ip address
    shutdown
    no fair-queue
    clock rate 2000000
    interface Serial0/1/1
    no ip address
    shutdown
    clock rate 2000000
    interface Integrated-Service-Engine1/0
    ip address 192.168.0.1 255.255.255.0
    no keepalive
    interface Integrated-Service-Engine1/0.15
    encapsulation dot1Q 15
    ip address 192.168.1.1 255.255.255.0
    interface Integrated-Service-Engine1/0.100
    encapsulation dot1Q 100
    ip forward-protocol nd
    ip forward-protocol udp 12223
    ip route 10.1.0.0 255.255.255.0 10.1.1.1
    ip route 10.1.1.0 255.255.255.0 10.1.1.1
    ip route 10.1.2.0 255.255.255.0 10.1.1.1
    ip route 10.1.3.0 255.255.255.0 10.1.1.1
    ip route 10.1.4.0 255.255.255.0 10.1.1.1
    ip route 10.1.5.0 255.255.255.0 10.1.1.1
    ip route 10.1.6.0 255.255.255.0 10.1.1.1
    ip route 10.1.7.0 255.255.255.0 10.1.1.1
    ip route 10.1.8.0 255.255.255.0 10.1.1.1
    ip route 10.1.9.0 255.255.255.0 10.1.1.1
    ip route 10.1.10.0 255.255.255.0 10.1.1.1
    ip route 10.1.11.0 255.255.255.0 10.1.1.1
    ip route 10.1.12.0 255.255.255.0 10.1.1.1
    ip route 192.168.0.0 255.255.255.0 10.1.1.1
    ip route 192.168.1.0 255.255.255.0 10.1.1.1
    no ip http server
    ip http secure-server
    !
    Core Switch Config
    sh run
    Building configuration...
    Current configuration : 10622 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    service compress-config
    hostname Nimc_Core
    boot-start-marker
    boot-end-marker
    !
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    storm-control broadcast include multicast
    ip subnet-zero
    no ip domain-lookup
    ip domain-name nimc.gov.ng
    ip dhcp excluded-address 10.1.2.1 10.1.2.10
    ip dhcp excluded-address 10.1.4.1 10.1.4.10
    ip dhcp excluded-address 10.1.5.1 10.1.5.10
    ip dhcp excluded-address 10.1.6.1 10.1.6.10
    ip dhcp excluded-address 10.1.7.1 10.1.7.10
    ip dhcp excluded-address 10.1.8.1 10.1.8.10
    ip dhcp excluded-address 10.1.9.1 10.1.9.10
    ip dhcp excluded-address 10.1.10.1 10.1.10.10
    ip dhcp excluded-address 10.1.3.1 10.1.3.10
    ip dhcp pool Voice
    network 10.1.2.0 255.255.255.0
    next-server 10.1.2.1
    option 150 ip 10.1.2.2
    default-router 10.1.2.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    ip dhcp pool SF_DGs_Office
    network 10.1.3.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.3.1
    dns-server 81.199.3.7
    lease 10
    ip dhcp pool Admin_Process_Fac_Mgt
    network 10.1.4.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.4.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool SF_IDD
    network 10.1.5.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.5.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool Finance_Fin_Inv
    network 10.1.6.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.6.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool Finance_CS
    network 10.1.7.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.7.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool FF_Human_Capital_Mgt
    network 10.1.8.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.8.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool FF_Legal_Services
    network 10.1.9.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.9.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip dhcp pool SF_Procurement_Serv
    network 10.1.10.0 255.255.255.0
    domain-name nimc.gov.ng
    default-router 10.1.10.1
    dns-server 83.229.88.30 193.238.28.249 4.2.2.2
    lease 10
    ip vrf mgmtVrf
    errdisable recovery cause bpduguard
    errdisable recovery interval 180
    power redundancy-mode redundant
    spanning-tree mode mst
    spanning-tree portfast bpduguard default
    spanning-tree extend system-id
    spanning-tree mst configuration
    name xxxx
    revision 1
    instance 1 vlan 1-20
    spanning-tree mst 1 priority 0
    spanning-tree vlan 1-20 priority 0
    vlan internal allocation policy ascending
    interface FastEthernet1
    ip vrf forwarding mgmtVrf
    no ip address
    speed auto
    duplex auto
    interface GigabitEthernet1/1
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet1/2
    switchport access vlan 4
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet1/3
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/4
    switchport mode access
    spanning-tree portfast
    interface GigabitEthernet1/5
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/6
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/7
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/8
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    !
    interface GigabitEthernet1/9
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/10
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/11
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/12
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/13
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/14
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/15
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/16
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/17
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/18
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/19
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/20
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/21
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/22
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/23
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/24
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/25
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/26
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/27
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/28
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/29
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/30
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/31
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/32
    switchport access vlan 2
    switchport voice vlan 4
    interface GigabitEthernet1/33
    switchport mode access
    interface GigabitEthernet1/34
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/35
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/36
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/37
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/38
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/39
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/40
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/41
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/42
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/43
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/44
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/45
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/46
    switchport access vlan 2
    switchport mode access
    switchport voice vlan 4
    spanning-tree portfast
    interface GigabitEthernet1/47
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface GigabitEthernet1/48
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface Vlan1
    no ip address
    shutdown
    interface Vlan2
    description Management
    ip address 10.1.1.1 255.255.255.0
    interface Vlan3
    description Enterprise
    ip address 10.1.0.1 255.255.255.0
    interface Vlan4
    description Voice
    ip address 10.1.2.1 255.255.255.0
    interface Vlan5
    description SS_DGs_Office
    ip address 10.1.3.1 255.255.255.0
    interface Vlan6
    description Admin_Process_Fac_Management
    ip address 10.1.4.1 255.255.255.0
    interface Vlan7
    description SF_National_Identity_Database
    ip address 10.1.5.1 255.255.255.0
    interface Vlan8
    description Fin_Finance_Investment
    ip address 10.1.6.1 255.255.255.0
    interface Vlan9
    description Fin_Corporate_Services
    ip address 10.1.7.1 255.255.255.0
    interface Vlan10
    description FF_Human_Capital_Management
    ip address 10.1.8.1 255.255.255.0
    interface Vlan11
    description FF_Legal_services
    ip address 10.1.9.1 255.255.255.0
    interface Vlan12
    description SF_Procurement_Services
    ip address 10.1.10.1 255.255.255.0
    ip default-gateway 10.1.1.2
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    ip route 10.1.1.0 255.255.255.0 10.1.1.2
    ip route 10.1.2.0 255.255.255.0 10.1.1.2
    ip route 10.1.3.0 255.255.255.0 10.1.1.2
    ip route 10.1.4.0 255.255.255.0 10.1.1.2
    ip route 10.1.5.0 255.255.255.0 10.1.1.2
    ip route 10.1.6.0 255.255.255.0 10.1.1.2
    ip route 10.1.7.0 255.255.255.0 10.1.1.2
    ip route 10.1.8.0 255.255.255.0 10.1.1.2
    ip route 10.1.9.0 255.255.255.0 10.1.1.2
    ip route 10.1.10.0 255.255.255.0 10.1.1.2
    ip route 10.1.11.0 255.255.255.0 10.1.1.2
    ip http server
    control-plane
    line con 0
    stopbits 1
    line vty 0 4
    end
    Please, I need somebody to help me.

    I wouldn't configure an ip address on the service engine subinterface.
    Try setting up a vlan interface on the router with that ip address and the subinterface will be linked to the vlan interface through the encapsulation command. A vlan interface will work better as a gateway for the wireless clients.
    Nicolas

  • 3850 WLC - 5760 Anchor: Multiple Guest SSIDs issue

    Hi,
    I have configured a 3850 Foreign WLC and a 5760 as anchor WLC in a DMZ behind an ASA FW. The Anchor Controller is configured to advertise 3 GUEST Wireless:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- L3 Link-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    GUEST1: 10.9.65.0/24 – VLAN 11
    GUEST2: 10.9.66.0/24 – VLAN 12
    GUEST3: 10.9.67.0/24 – VLAN 13
    Management VLAN 1: 10.8.252.1 (Anchor Management VLAN – Mobility)
    The link between the WLC and the Guest OUT Interface on the ASA Firewall is a L3 Link, NOT a Trunk.
    The 5760 WLC is also a DHCP server for the three client VLANs above. I have also configured 3 SVIs as default gateways for these VLANs:
    Interface vlan 11 – 10.9.65.1
    Interface vlan 12 – 10.9.66.1
    Interface vlan 13 – 10.9.67.1
    wgh-anchorwlc5760-primary#show ip interface brief
    Interface              IP-Address      OK? Method Status                Protocol
    Vlan1                  10.8.252.1      YES NVRAM  up                    up
    Vlan11                 10.9.65.1       YES manual up                    up
    Vlan12                 10.9.66.1       YES manual up                    up
    Vlan13                 10.9.67.1       YES manual up                    up
    GigabitEthernet0/0     10.8.252.85     YES NVRAM  down                  down
    Te1/0/1                unassigned      YES unset  up                    up
    Te1/0/2                10.8.253.1      YES NVRAM  up                    up
    Capwap0                unassigned      YES unset  up                    up
    If a client connects to GUEST1 SSID it gets an IP address in VLAN 11 and its default gateway is 10.9.65.1.
    If a client connects to GUEST2 SSID it gets an IP address in VLAN 12 and its default gateway is 10.9.66.1.
    If a client connects to GUEST3 SSID it gets an IP address in VLAN 13 and its default gateway is 10.9.67.1.
    Mobility is UP and I can see clients connected to the Anchor WLC either in IPLEARN or WEBAUTH_PEND state. DHCP is working fine, clients get an IP and the right default gateway and DNS servers when connect, for example, to GUEST1.
    anchorwlc5760-primary#show wireless client summary
    Number of Local Clients : 3
    MAC Address    AP Name                          WLAN State              Protocol
    04f7.e482.b21c N/A                              2    IPLEARN            Mobile
    bc3e.6d32.17f6 N/A                              2    IPLEARN            Mobile
    a826.d5b3.5ae8 N/A                              2    WEBAUTH_PEND       Mobile
    However, they are not able to ping the default gateway – SVI VLAN 11: 10.9.65.1, so I can not see any traffic leaving the Anchor WLC to continue with the Web Authentication Process (cwa) using ISE. I can see that the authorization policy (“unkown” and the URL to ISE) has been pushed to the clients but I am not redirected to ISE Web Authentication Portal when I open my web browser. I have done some captures on the FW interfaces but I cannot see any traffic coming from the clients.
    I know that usually there is a Trunk (that allows client VLANs) between a WLC and L3 Switch when you configure multiple SSIDs and then configure the SVIs on the L3 Switch. However, I think this design with a L3 Link should work too because 5760 is a WLC+L3Switch.
    My question is: Why are clients not able to ping their default gateway?
    I hope it makes sense.
    I appreciate any thoughts and help. Thanks in advance.
    Joana.

    Hi,
    I couldn't get it working (I doubt if it is really possible). I had to add a switch between the 5760 Anchor Controller and the ASA Firewall:
    (INSIDE) ---- ASA FW (guest in interface) -------------------------- (Te1/0/1) 5760 ANCHOR (Te1/0/2) -------------------- SWITCH-------------------- (guest out interface) ASA FW ---- (OUTSIDE)
    The link between the 5760 and the Switch is configured as a Trunk and it allows the 3 Guest SSIDs (VLANs). The link between the Switch and the ASA FW is configured as a Layer 3 link. I also set up the default gateways for the 3 GUEST VLANs in the Switch (3 vlan interfaces) and the 5760 as DHCP Server.
    I hope it helps.
    Joana.

  • WLC 2504 LAG - Issue

    Hello All,
    I am having difficulty connecting via GUI to my 2504 WLC controller, with code 7.4, via a LAG link. I have configured a tagged vlan (vlan 40) on the WLC ap-management port.
    I have configured a port-channel on a C2960s
    interface Port-channel2
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    I have configured the interfaces on the C2960S
    interface range GigabitEthernet1/0/1 - 4
    description BH-C2960SPSL24-01 connection to BH-C2504WLC-01
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode active
    I can ping the interface, but cannot bring up a gui.

    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.01.17 22:27:37 =~=~=~=~=~=~=~=~=~=~=~=
    show run
    Building configuration...
    Current configuration : 10532 bytes
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    boot-start-marker
    boot-end-marker
    no aaa new-model
    switch 1 provision ws-c2960s-24ps-l
    crypto pki trustpoint TP-self-signed-131252096
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-131252096
    revocation-check none
    rsakeypair TP-self-signed-131252096
    crypto pki certificate chain TP-self-signed-131252096
    certificate self-signed 01
      quit
    spanning-tree mode pvst
    spanning-tree extend system-id
    auto qos srnd4
    port-channel load-balance src-dst-ip
    vlan internal allocation policy ascending
    interface Port-channel1
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    interface Port-channel2
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    interface FastEthernet0
    no ip address
    shutdown
    interface GigabitEthernet1/0/1
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/2
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/3
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/4
    switchport trunk native vlan 99
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 2 mode on
    interface GigabitEthernet1/0/21
    description BH-C2960S-01 GI 1/0/21 trunk connection to Watchguard Firebox
    switchport trunk native vlan 99
    switchport mode trunk
    interface GigabitEthernet1/0/22
    description Switch connection to AP
    interface GigabitEthernet1/0/23
    description BH-2960S-01 GI 0/22-24 trunk connection to BH-HPJ9022A-01 gi 47-48
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet1/0/24
    description BH-2960S-01 GI 0/22-24 trunk connection to BH-HPJ9022A-01 gi 47-48
    switchport trunk allowed vlan 1,40,45,50,55,60
    switchport mode trunk
    channel-group 1 mode active
    interface GigabitEthernet1/0/25
    interface GigabitEthernet1/0/26
    interface GigabitEthernet1/0/27
    interface GigabitEthernet1/0/28
    interface Vlan1
    ip address 192.168.87.14 255.255.255.0
    interface Vlan40
    ip address 172.16.10.3 255.255.255.0
    no ip http server
    ip http secure-server
    line con 0
    exec-timeout 30 0
    password admin
    line vty 0 4
    access-class vty_ports in
    exec-timeout 30 0
    password admin
    login
    length 0
    line vty 5 15
    access-class vty_ports in
    exec-timeout 30 0
    password admin
    login
    end

  • Clustering issue with WLCS 3.2 weblogic 5.1 and service pack 8

    I'm having a problem with Portlets on a page with commerce server 3.2 on
    Cluster A below. One Portal page has multiple portlets on it. When the
    Portal Page executes the portlets are being scheduled across both SCCWLS00
    and SCCWLS01 and they are not able to share the session. Thus they will
    throw exceptions trying to read properties from the WLCS profile which is
    shared.
    In Cluster B, when the portal page executes all portlets are "pinned" to that
    server and they share the information perfectly. Both Cluster Groups have
    their CLUSTER-wide weblogic.properties file set for
    weblogic.httpd.clustering.enable=true
    weblogic.httpd.session.persistence=true
    weblogic.httpd.session.persistentStoreType=replicated
    weblogic.httpd.register.cluster=weblogic.servlet.internal.HttpClusterServlet
    Any ideas on why this is happening? And how can I correct it?
    David Marshall
    ==============================================
    Environmental Background
    CLUSTER Group A (Production)
    VLAN1
    StrongHold 3 (Apache 1.3.19 w/SSL) (Solaris 8)
    ! mod_wl-ssl.so
    ! WebLogicCluster
    sccwls00:nnnn,sccwls01:nnnn
    V
    <firewall translates IPs from 1 VLAN 1 VLAN 2>
    VLAN2 !
    V V
    SCCWLS00 (Solaris 8) SCCWLS01 (Solaris 8)
    CLUSTER Group B (Development)
    StrongHold 3 (Apache 1.3.19 w/SSL) (Solaris 7)
    ! mod_wl-ssl.so
    ! WebLogicCluster
    weblogic00:nnnn,weblogic01:nnnn
    V V
    WEBLOGIC00 (Solaris 8) WEBLOGIC01 (Solaris 8)

    What kind of problem do you have?
    If it's not connected with JDBC, you'd better post your question
    in webservices newsgroup.
    Regards,
    Slava Imeshev
    "leopld goess" <[email protected]> wrote in message
    news:[email protected]..
    hy out there.
    i've been working with apache soap on wl 5.1 for a while now, and
    everything seems to be working allright- as long as i don't try to
    install a servicepack, namely sp8 or sp10. if i do that, the entire
    soap service fails to deploy.
    any ideas...
    thanx
    leopold

  • Multiple Guest VLANs and Shared WLC

    Hi,
    I would like to add a second Internet ASA5xx gateway to our guest anchor wlc in the DMZ, which is connected to a guest vlan switch, so that the guest anchor wlc can connect guest users to two separate Internet gateways (i.e. guest vlan1 and vlan2). Two guest wireless networks are created in our environment, say SSID1 and SSID2, each anchoring to the guest WLC in the DMZ by Internal wlcs. I want to assign a different ip subnet to the two guest wireless SSIDs, say 10.251.255.0/24 and 10.251.256.0/24, to be provided by DHCP servers in the two ASA5xx.
    I want to implement this by creating a second guest vlan interface in the guest anchor wlc and assign/connect this to the new ASA5xx box for the second Internet gateway. The second guest wireless SSID will be homed/anchored to this guest vlan2.
    Please advise how best I should implement this.
    many thanks
    Sankung   

    It sounds like you already have this done. You have the second SSID already; you would need to create the second interface with the appropriate VLAN tag and subnet range.
    Then, on the internal, anchor the SSID to the same SSID in the DMZ.
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html#wp999843
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • 891w connecting to wlc 5508

    Hi
    I am having problems connecting an 891w to a WLC. Is it possible to have two separate VLANs, one for the LAN ports and another for the AP module?
    I do not want the AP part of the 891w in autonomous mode. The WAN port of the router will be connected to a DSL type service.
    Is there a guide or something to get a 891W to connect to the WLC?
    I would like to have users on a data VLAN (vlan1) connecting to the network like a normal router, then the AP module connecting to the WLC via a different IP, probably vlan 2.
    On the WLC itself I do not see any attempts in the logging.

    WLC: sh sysinfo
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.220.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS
    System Name...................................... SIGNRYCC01
    System Location.................................. SIG NRY
    System Contact...................................
    System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
    IP Address....................................... 10.192.22.10
    Last Reset....................................... Software reset
    System Up Time................................... 49 days 19 hrs 47 mins 11 secs
    System Timezone Location......................... (GMT+10:00) Sydney, Melbourne, Canberra
    Current Boot License Level....................... base
    Current Boot License Type........................ Permanent
    Next Boot License Level.......................... base
    Next Boot License Type........................... Permanent
    Configured Country............................... AU  - Australia
    --More-- or (q)uit
    Operating Environment............................ Commercial (0 to 40 C)
    Internal Temp Alarm Limits....................... 0 to 65 C
    Internal Temperature............................. +40 C
    External Temperature............................. +28 C
    Fan Status....................................... OK
    State of 802.11b Network......................... Enabled
    State of 802.11a Network......................... Enabled
    Number of WLANs.................................. 3
    Number of Active Clients......................... 2
    Burned-in MAC Address............................ CC:EF:48:0C:7F:20
    Power Supply 1................................... Present, OK
    Power Supply 2................................... Absent
    Maximum number of APs supported.................. 50
    ap#sh inventory
    NAME: "AP801", DESCR: "Cisco AP801 Access Point with dual IEEE 802.11a/g/n radio ports"
    PID: AP801AGN-N-K9     , VID: V01, SN: FGL161721MR
    ap#sh ver
    Cisco IOS Software, AP801 Software (AP801-K9W7-M), Version 12.4(21a)JA1, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2009 by Cisco Systems, Inc.
    Compiled Wed 16-Sep-09 18:59 by prod_rel_team
    ROM: Bootstrap program is AP801 boot loader
    BOOTLDR: AP801 Boot Loader (AP801-BOOT-M) Version 12.4(23c)JX, RELEASE SOFTWARE (fc1)
    ap uptime is 11 minutes
    System returned to ROM by power-on
    System image file is "flash:/ap801-k9w7-mx.124-21a.JA1/ap801-k9w7-mx.124-21a.JA1"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    cisco AP801AGN-N-K9        (PowerPC 8343) processor (revision B0) with 49142K/16384K bytes of memory.
    Processor board ID FGL161721MR
    PowerPC 8343 CPU at 400Mhz, revision number 0x0031
    Last reset from power-on
    1 Gigabit Ethernet interface
    2 802.11 Radio(s)
    32K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address: 70:CA:9B:2A:F8:E8
    Part Number                          : 73-11027-11
    PCA Assembly Number                  : 800-28808-11
    PCA Revision Number                  : B0
    PCB Serial Number                    : FOC16122N66
    Top Assembly Part Number             : 800-29576-05
    Top Assembly Serial Number           : FGL161721MR
    Top Revision Number                  : C0
    Product/Model Number                 : AP801AGN-N-K9      
    Configuration register is 0xF
    890W: sh version
    Cisco 891 (MPC8300) processor (revision 1.0) with 393216K/131072K bytes of memory.
    Processor board ID FGL161721MR
    9 FastEthernet interfaces
    2 Gigabit Ethernet interfaces
    1 Serial interface
    2 terminal lines
    1 Virtual Private Network (VPN) Module
    1 cisco Embedded AP (s)
    256K bytes of non-volatile configuration memory.
    250880K bytes of ATA CompactFlash (Read/Write)
    License Info:
    License UDI:
    Device#   PID                   SN
    *0        CISCO891W-AGN-N-K9    FGL161721MR    
    License Information for 'c890'
        License Level: advipservices   Type: Permanent
        Next reboot license Level: advipservices
    Configuration register is 0x2102

  • How to change IP addresses of APs and WLC to the ones from different VLAN

    I'm trying to figure out what is the best practice to change IP addresses on all my access points connected/managed by the WLC.
    I have one WLC2504 controller and three AIR-LAP1041N access points. The idea is to change the management IP of the WLC from 192.168.2.100 (vlan1) to 192.168.12.100 (vlan79) and all access points accordingly:
    ap1 192.168.2.101 (vlan1) to 192.168.12.101 (vlan79)
    ap2 192.168.2.102 (vlan1) to 192.168.12.102 (vlan79)
    ap3 192.168.2.103 (vlan1) to 192.168.12.103 (vlan79)
    FYI, all my APs obtain their IP from a DHCP server which sits in vlan1, and each AP is connected to a trunk port on a Catalyst switch. The trunk port (vlan1, vlan79, vlan80, vlan81, vlan82) carries traffic for different WLANs. So my question is: what is the best way to change the management IP on each device with minimal downtime?
    Thank you for your advice,
    Luu Manioro

    Well, you will have downtime anyways, but how I would do this is the following:
    Make sure the WLC trunk port has vlan 79 being allowed
    Change the high availability on each AP to point to the hostname of the WLC and the new ip address, you don't need the old ip address anymore
    Console into the WLC or use the service port and change the management ip address and at the same time if possible, move the AP's to the new vlan 79, since they have already joined the WLC, they will know of the ip address of the WLC
    Reboot the AP by shutting down the PoE port or powering off/on the AP
    The AP will find the WLC since you have defined the high availability and also since the AP and WLC are on the same subnet.
    Scott

  • What vlan should the WLC management be in

    We are using wireless controller 5508 and 1142n ap
    We have all the wireless configured on vlan 36
    the dhcp server is in vlan 1
    At present we have the management port on subnet 32 vlan1
    And it seems to be working: it sees all the access points and we are using the wireless with no problem.
    But is this the proper way of setting the management interface port on the controller, or should it have an IP address and VLAN identifier of 36?

    Honestly, that is up to you. I have customers that start off with WLC and AP all in the same subnet, but it is not necessary. I also have customers that put the WLC mgmt in the 'server' VLAN, and the AP in their own.
    IMHO, I like the WLC to be in a 'server' or 'secured' VLAN, then I put the AP in their own VLAN that is locked down to only getting DHCP and talking to the WLC. That way, if someone unplugs an AP and connects something, they can't get anywhere.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
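The lockdown described in the reply above (AP VLAN limited to DHCP and the WLC), as an added example that is not part of the original thread: a small first-match ACL model that checks sample flows and emits the equivalent IOS extended ACL. The subnet, WLC address and ACL name are assumed values, and WLC discovery is assumed to use DHCP option 43, so no DNS rule is included.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed addressing, not taken from the thread.
ANY = ipaddress.ip_network("0.0.0.0/0")
AP_SUBNET = ipaddress.ip_network("10.20.30.0/24")   # dedicated AP VLAN
WLC_MGMT = ipaddress.ip_network("10.20.10.5/32")    # WLC management interface
CAPWAP_CONTROL, CAPWAP_DATA = 5246, 5247            # CAPWAP runs over UDP
DHCP_SERVER, DHCP_CLIENT = 67, 68


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp", or "ip" for any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[int] = None  # None means any port
    dport: Optional[int] = None
    log: bool = False


def build_ap_vlan_acl() -> List[Rule]:
    """Inbound ACL for the AP VLAN gateway: DHCP and CAPWAP to the WLC only."""
    return [
        # DHCP DISCOVER/REQUEST goes from 0.0.0.0 to broadcast, so match on ports.
        Rule("permit", "udp", ANY, ANY, DHCP_CLIENT, DHCP_SERVER),
        Rule("permit", "udp", AP_SUBNET, WLC_MGMT, dport=CAPWAP_CONTROL),
        Rule("permit", "udp", AP_SUBNET, WLC_MGMT, dport=CAPWAP_DATA),
        # Everything else, including the WLC's HTTPS/SSH management, is dropped and logged.
        Rule("deny", "ip", ANY, ANY, log=True),
    ]


def evaluate(rules, proto, src, dst, sport, dport) -> str:
    """Return the action of the first matching rule (implicit deny at the end)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.sport not in (None, sport) or r.dport not in (None, dport):
            continue
        return r.action
    return "deny"


def _addr(net) -> str:
    """Render a network the way an IOS extended ACL expects it."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the wildcard mask


def _port(p) -> str:
    return f" eq {p}" if p is not None else ""


def to_ios(rules, name="AP-VLAN-IN") -> List[str]:
    """Emit the rules as IOS 'ip access-list extended' lines (ACL name is assumed)."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        line = (f" {r.action} {r.proto} {_addr(r.src)}{_port(r.sport)}"
                f" {_addr(r.dst)}{_port(r.dport)}")
        lines.append(line + (" log" if r.log else ""))
    return lines


if __name__ == "__main__":
    acl = build_ap_vlan_acl()
    print("\n".join(to_ios(acl)))
    # Constructed flow: a laptop plugged into an AP port trying to reach a file server.
    print(evaluate(acl, "tcp", "10.20.30.77", "10.20.10.50", 50000, 445))
```

The log keyword on the final deny gives a record whenever something other than an AP is plugged into an AP port and tries to reach the rest of the network.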

  • Design Help.... WLCs / HREAP?

    Here is my scenario...
    We have two offices and they each have a WLC 2112 and 1130ag APs.
    SITE A (Main Office):
    1 - WLC 2112
    4 - 1130ag APs
    IP: 192.168.0.x/24 (VLAN1)
    IP: 192.168.100.x/24 (VLAN10)
    VLAN10 is setup for the Guest wireless network using Web Auth and ACLs etc...
    SITE B (Branch Office):
    1 - WLC 2112
    2 - 1130ag APs
    IP: 192.168.1.x/24 (VLAN1)
    SITE A connected to SITE B via Private T1
    Each site also has their own internet...
    Okay, so what I want to do is basically setup each controller to back the other one up in case of a failure at either end.
    I tested HREAP and it worked great except SITE B clients receive an IP address that is on SITE A's network. They could surf the internet but it was going through SITE A's internet etc...
    I can't have that and the clients need to use the internet based out of their location and be assigned an IP from their local network.
    Is there a way to do this?
    Each site obviously had the same SSID which is fine or they can be different. It doesn't matter... I just want to make sure if one of the WLCs go off the air, the other one picks up the APs and the clients do not notice a difference nor do they receive an IP from the site that would be remote to them.
    Also I do not want each site to see the other's SSID if using different SSID's. I only want the SSID to be seen by clients at their respective site. They can use the same SSID and in fact i would like to do that, but not sure if that would work in this scenario.
    If this is unclear, please let me know. i am trying to describe this as best as possible...
    Thanks,
    Ed

    This is what you need to do. First of all, make sure the wlan ssid is set to local switching and that you use the same vlan on both sites. On the ap, I figured you already changed the ap from local to h-reap.... if not, then that is what you have to do. Then after the ap reboots and is back up, click on the ap and you will have a tab named h-reap. Click that and check the native vlan. Now the ap will be trunked so you need to make sure the ip of the ap is on a separate vlan than the ssid's. The vlan the ap belongs to would be configured as native vlan on the trunk. On the h-reap ap, set the vlan that will be the native vlan. Exit out of that screen and go back to the h-reap tab. Now you will see the wlans that you specified as local switching with a box in which you can specify the local vlan in which the user will get an ip address locally and will reside on. You will also see wlans that will not have the entry box, since you don't have local switching enabled. This means the traffic will tunnel back to the wlc it's joined with. This is why you fail one wlc and the ap goes to the other site... failover works, but users are getting address from the new site, which means you are not locally switched.
    Example
    Site A
    Management/AP Manager vlan 100 (native) 192.168.100.x
    H-REAP AP vlan 100 (native) 192.168.100.x
    * AP can be on a different vlan if you want
    Internal Users vlan 110 192.168.110.x
    Guest Users vlan 120 192.168.120.x
    Site B
    Management/AP Manager vlan 100 (native) 192.168.200.x
    H-REAP AP vlan 100 (native) 192.168.200.x
    * AP can be on a different vlan if you want
    Internal Users vlan 110 192.168.210.x
    Guest Users vlan 120 192.168.220.x

  • Issue in connecting to WLC 2100 via switch

    Hi there, I am trying to set up my LAP with a new WLC 2100, but failed to connect to the WLC via the second switch.
    In the WLC 2100, fa0/2 connects to the second switch and fa0/1 connects to the PC.
    In the second switch, a 3560, its fa0/2 connects to the WLC as a trunk port. Port fa0/1 is in vlan 1.
    The management interface IP in the WLC is 192.168.1.1 in VLAN 1, associated with port fa0/1; the PC IP is 192.168.1.2.
    When the PC connects via fa0/1 in the WLC, I can ping 192.168.1.1 from the PC, but when I connect the PC to fa0/1 in the 3560, there is no reply.
    To my understanding, fa0/2 in the WLC is a trunk port by default and vlan1 is allowed. Since fa0/2 in the 3560 is also configured as a trunk, there is no reason why I cannot ping the WLC. Any suggestions?

    Hi Guys,
    I have just configured the WLC as above and the result is negative.
    Plug PC into switch fa0/1: no reply.
    Plug PC directly into the WLC fa0/1: no reply. (It was replying the first time when I configured the WLC.)
    It seems to me there might be some error in the initial configuration in the WLC. Since the initial configuration is very simple, I post it as follows; please help to see if there is any error:
    after reset to factory default in WLC 2100:
    Would you like to terminate autoinstall? [yes]: yes
    System Name [Cisco_32:18:a0] (31 characters max):
    AUTO-INSTALL: process terminated -- no configuration loaded
    Enter Administrative User Name (24 characters max): admin
    Enter Administrative Password (3 to 24 characters): ********
    Re-enter Administrative Password                 : ********
    Management Interface IP Address: 192.168.1.1
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 192.168.1.25
    Management Interface VLAN Identifier (0 = untagged): 0
    Management Interface Port Num [1 to 8]: 1
    Management Interface DHCP Server IP Address: 192.168.1.25
    AP Manager Interface IP Address: 192.168.1.2
    AP-Manager is on Management subnet, using same values
    AP Manager Interface DHCP Server (192.168.1.25):
    Virtual Gateway IP Address: 1.1.1.1
    Mobility/RF Group Name: MRF-GP
    Network Name (SSID): TEST
    Configure DHCP Bridging Mode [yes][NO]: yes
    Warning! Enabling Bridging mode will disable Internal DHCP server and DHCP Proxy feature.
    May require DHCP helper functionality on external switches.
    Allow Static IP Addresses [YES][no]: yes
    Configure a RADIUS Server now? [YES][no]: no
    Warning! The default WLAN security policy requires a RADIUS server.
    Please see documentation for more details.
    Enter Country Code list (enter 'help' for a list of countries) [US]: au
    Enable 802.11b Network [YES][no]: yes
    Enable 802.11a Network [YES][no]: yes
    Enable 802.11g Network [YES][no]: yes
    Enable Auto-RF [YES][no]: yes
    Configure a NTP server now? [YES][no]: no
    Configure the system time now? [YES][no]: no
    Warning! No AP will come up unless the time is set.
    Please see documentation for more details.
    Configuration correct? If yes, system will save it and reset. [yes][NO]:yes
    show interface summary
    Interface Name   Port  Vlan Id   IP Address    Type    Ap Mgr  Guest
    ap-manager       1     untagged  192.168.1.2   Static  Yes     No
    management       1     untagged  192.168.1.1   Static  No      No
    virtual          N/A   N/A       1.1.1.1       Static  No      No

  • Web Authentication on HTTP Instead of HTTPS in WLC 5700 and WS-C3650-48PD (IOS XE)

    Hello,
    I have configured a Guest SSID with web authentication (captive portal).
    wlan XXXXXXX 2 Guest
     aaa-override
     client vlan YYYYYYYYY
     no exclusionlist
     ip access-group ACL-Usuarios-WIFI
     ip flow monitor wireless-avc-basic input
     ip flow monitor wireless-avc-basic output
     mobility anchor 10.181.8.219
     no security wpa
     no security wpa akm dot1x
     no security wpa wpa2
     no security wpa wpa2 ciphers aes
     security web-auth
     security web-auth parameter-map global
     session-timeout 65535
     no shutdown
    The configuration of webauth parameter map  is :
    service-template webauth-global-inactive
     inactivity-timer 3600 
    service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
     voice vlan
    parameter-map type webauth global
     type webauth
     virtual-ip ipv4 1.1.1.1
     redirect on-success http://www.google.es
    I need to log in on web authentication over HTTP instead of HTTPS.
    If I log in over HTTP, I will not receive certificate alerts that prevent the users' connections.
    I saw how to configure it with the 7.x release, but I have IOS XE Version 03.03.05SE and I don't know how to configure it.
    Web Authentication on HTTP Instead of HTTPS
    You can login on web authentication on HTTP instead of HTTPS. If you login on HTTP, you do not receive certificate alerts.
    For earlier than WLC Release 7.2 code, you must disable HTTPS management of the WLC and leave HTTP management. However, this only allows the web management of the WLC over HTTP.
    For WLC Release 7.2 code, use the config network web-auth secureweb disable command to disable. This only disables HTTPS for the web authentication and not the management. Note that this requires a reboot of the controller !
    On WLC Release 7.3 and later code, you can enable/disable HTTPS for WebAuth only via GUI and CLI.
    Can anyone tell me how to configure web authentication on HTTP instead of HTTPS with IOS XE?
    Thanks in advance.
    Regards.

    The documentation doesn't provide very clear direction, does it?
    To download the WLC's default webauth page, browse to the controller's Security > Web Login Page. Make sure the web authentication type is Internal (Default). Hit the Preview button. Then use your browser's File > Save As... menu item to save the HTML into a file. Edit this to your liking and bundle it and any graphics images up into a TAR archive, then upload via the controller's COMMAND page.

  • ISE 1.2 - WLC 5508 (7.5x) - Windows 7 802.1X

    Hi ,
    We deployed ISE 1.2 (patch 3) with 5580 WLC to authenticate machines and users using 802.1x .
    We are experiencing a strange issue: randomly, some machines authenticate fine over wireless and we are able to see logs on ISE, and the next day the same machine stops authenticating itself and ISE doesn't generate any log. It seems like somehow no request is coming to ISE.
    We have checked all the settings, including wireless settings, services, and 802.1x settings on the laptop, but are struggling to find a reason why a machine would randomly work and then not work.
    Whenever a machine works we see all the logs, but when a machine doesn't work no log is generated in ISE.
    has anyone experienced a similar issue?
    Thanks

    Thanks, we have figured it out.
    The Machine Auth timer would expire after 12 hours, and ISE had another setting where it would blacklist the client and suppress logs for an hour if it sees more than a certain amount of failed authentication attempts.
    Thanks

  • ISE 1.2 and WLC 7.4 Stability

    We are deploying ISE 1.2 for wireless only and have been experiencing a lot of issues with central web auth on controllers on version 7.4MR2. It appears we are hitting a bug, but I am curious what others on ISE 1.2 have found as the best stable WLC code to use? Has anyone been experiencing issues on 7.4 specific to CWA and web redirect? We are encountering a problem where users are getting constantly thrown back to the guest portal page after about 5 to 10 minutes after successfully logging in. Thanks.

    Hi,
    I have been running 7.4.115.0 on a production system for over 6 months with no visible issues.  The 7.4.115.0 patch is a special release to fix Apple iOS7 captive portal bypass. Other than that, 7.4.110.0 was pretty stable.
    You might consider changing the Guest WLAN session timeout on the advanced page on the WLAN in the WLC to a higher number which may fix your re-authentication issue every 5-10 minutes.

  • Does WCS come with the 5508 WLC?

    Forum
    I am providing a quote to a client for a wireless installation.  I have two 5508 boxes and about 40 AP's on the quote, as well as associated SmartNet.
    I was reading how the Cisco Unified Wireless Network is comprised of:
    Controllers
    Access Points
    The Cisco Wireless Control System (WCS)
    Cisco Mobility Services Engine
    My questions are:
    1.  Does WCS come installed on the Controller?  Is this something that the customer receives simply by virtue of the fact that they are purchasing the Controller?  Or is this a separate piece of software with a cost?
    2.  What exactly is the Cisco Mobility Services Engine?  What does it do that the Controller will not?  How would I sell one to a customer?
    Thank You
    Kevin

    WCS is a Windows 2003 application (so not "on the controller") that is completely separate and has to be purchased separately with different levels of licensing for different feature sets.
    WCS is most useful when having several WLCs to manage and is offered when you buy a lot of stuff I think.
    WCS alone brings better reporting features (graphs, pdf reports, ...) and maps to visualize everything.
    MSE is a kind of "calculation appliance" that you link to your WCS to locate all clients and rogues in real-time on the map. Only that. But it's a cool enough feature :-) Without MSE you can only view one client at a time (when entering its mac address in the search field) on WCS maps.
    Nicolas
