WLC HA requirements

I have not been able to find licensing requirements when setting up WLC in HA. I understand that Cisco recommends having the same software and hardware versions, otherwise the standby WLC will go into maintenance mode. But is it required that both WLCs have the same license installed?
If it is not a requirement, what will be the impact of having such a setup?
Let's say that the active WLC has an AP license of 100, and the standby WLC has a license of 50. If the active WLC fails, would the standby only be able to support 50 APs?
Are there any additional licensing requirements for setting up HA? Is there an RTU license available for the WLC so that we would not have to double up on the license purchase?
Thanks in advance.

If you set up either AP SSO or N+1 following this design, you no longer have to purchase licenses on your primary which has 100 AP license. See the following:
With Release 7.4, an HA-SKU secondary controller can be configured as a backup controller for N+1 HA. For example, the following can be used as an HA-SKU controller:
  • 5508 Series Standalone controller with 50 AP license
  • WiSM-2 Wireless LAN controller
  • 7500 Series Standalone controller
  • 8500 Series Standalone controller
http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide.pdf

Similar Messages

  • DMZ Anchor WLC setup for Wireless Guest Access

    I have the following setup.
    A DMZ WLC 4402 connected to firewall DMZ interface in 10.10.73.0/24 network.
    An Inside WLC 2106 connected to firewall Inside interface in 10.10.71.0/24 network.
    Both WLCs are running the same 4.2.176 code.
    DMZ WLC is anchor to itself and Inside WLC select the DMZ WLC as the anchor point.
    I have setup EoIP between DMZ and Inside WLCs successfully with both the control and data path both show as UP status. >> "show mobility anchor"
    The main issue: Clients cannot obtain IP addresses after connected to Guest SSID.
    1. Inside WLC, the guest WLAN ingress is 802.11b/g radio and egress port is set to management interface (EoIP) of type WLAN.
    What is the DMZ WLC setting? Is the ingress set to "802.11b/g" which does not make sense because the ingress is EoIP from Inside WLC?
    Or I still set as 802.11b/g? Same config as Inside WLC? I read from other threads suggested by Terry that the config must be the same for both WLCs.
    In the Inside WLC, I saw a lot of PDU encapsulation errors for broadcast packets, which is ffff.ffff.ffff xxxx, which I think is the DHCP request from the connected wireless clients not making it through the EoIP tunnel. I have set a static IP for the wireless client but the packets cannot route through the EoIP tunnel to the far end.
    2. DHCP server is provided by DMZ WLC with the scope 10.10.76.0/24. In the Inside WLC, which DHCP server IP address should I set? DMZ WLC mgmt IP address? On the DMZ WLC, is the DHCP server also set to the DMZ WLC mgmt IP?
    3. Layer 2 authentication. I read that DMZ WLC is supposed to be the DHCP server, Layer 2 or 3 authentication for Wireless Clients. However, it seems like Inside WLC is required to configure the Layer 2 authentication parameters and the DMZ WLC is set to providing the DHCP service?
    4. Lastly, anyone has done DMZ WLC sending the Wireless clients traffic to Bluecoat proxy server before hitting the Internet?
    Thanks.

    One of the biggest things is to make sure the WLAN is configured exactly the same. The DMZ WLC ingress is the management and also is the egress port. You can create a dynamic interface on the DMZ WLC, but this way makes things easier. The DMZ WLC should provide the DHCP, so the DHCP scope of course will be on the same subnet as the management of the DMZ WLC. The DHCP server will be the IP address of the management interface of the DMZ WLC. The authentication also has to be configured exactly the same on the inside WLC and the DMZ WLC. Since you are pushing clients through the tunnel to the DMZ WLC, that is where clients will need to get their IP address, since that DMZ WLC has a network interface to the guest network. I haven't had luck when a proxy is involved, but I know there was a post a while ago on how to set up the proxy to allow the WLC to bypass the user's initial DNS resolution.

  • ISE deployment in wireless infra without WLC (only Access Point 1240AG)

    Hello All,
    I have a 1240AG access point and am planning to deploy ISE as an external RADIUS server. I would like to know how the different authorization policies need to be configured in AP/ISE, and whether I can use named ACLs or VLANs (CoA) as enforcement types without the use of a WLC. If yes, then how?
    Thanks in advance.

    Hi,
    You can perform CoA on standalone APs; you will need to have an inline posture node in order to reap the benefits of CoA. You may have heard this from any VPN-related deployments. If you are in the design phase of this project, you may want to pursue controllers because the latest rumor is that the inline posture node may be dropped since Cisco is planning on supporting CoA on all their devices once the 9.x code drops for the ASAs. However, please contact your Cisco rep for an official response.
    Here is the footnote in the following link: "Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support."
    http://www.cisco.com/en/US/docs/security/ise/1.1/compatibility/ise_sdt.html#wp55038
    Thanks,
    Tarik Admani

  • Upgrading from Prime 1.2 to 1.3 - What about WLC version?

    If I upgrade to prime v1.3, from v1.2, am I required to upgrade my WLC controllers to v7.4, or will my current version (v7.2) work fine?
    Thanks.

    No upgrade to your WLCs is required. Any v7.0 or later should be fine. See the Release Notes here for details.

  • Error Loading WLCS - ?build compatibility?

    Hi:
    Just trying to run WLPS, which is sometimes talked about as a separate
    product,
    but it all seems to come together.
    I get the following errors on WLCS startup (required to do anything with
    WLPS).
    I'm running WLS 5.1 SP 8, and the latest WLCS/PS (no service packs),
    and just going with Cloudscape defaults.
    Any ideas?
    Thanks
    Matt
    =============== Initializing Logger ======================
    Tue Mar 27 19:32:31 PST 2001:<E> <T3Services>
    COMMERCE_SERVER_FRAMEWORK,LOG_ERROR,"==========================WebLogic
    Commerce Servers PRODUCT ERROR======================"
    Tue Mar 27 19:32:31 PST 2001:<E> <T3Services>
    COMMERCE_SERVER_FRAMEWORK,LOG_ERROR,"Current WebLogic build may not be
    compatible with the WebLogic Commerce Server implementation. Minimum
    Build: 83914 Current Installation Build: 66825"
    Tue Mar 27 19:32:31 PST 2001:<E> <T3Services>
    COMMERCE_SERVER_FRAMEWORK,LOG_ERROR,"==========================END
    WebLogic Commerce Servers PRODUCT ERROR======================"
    Tue Mar 27 19:32:31 PST 2001:<I> <WebLogicServer> Disable Server Logins
    requested by system
    Tue Mar 27 19:32:31 PST 2001:<I> <WebLogicServer> Server Logins are now
    disabled
    Tue Mar 27 19:32:31 PST 2001:<I> <WebLogicServer> Server shutdown by
    system

    Hi Matt,
    Check to make sure that the WLS service packs are installed
    correctly and the environment settings are okay. Were there
    any other error messages above? Often EJBs won't deploy with
    incompatible service packs.
    Thanks,
    Skip

  • Wireless 5508 WLC's in a Mobility Group

    All,
    Scenario: Would like redundancy on 2 x 5508's but unable to utilise HA (SSO) due to internal WLC DHCP requirements.
    Mobility groups - Can 2 controllers in the same mobility group share a DHCP scope? I.e. overlapping addresses, or would the scope need to be split across controllers?
    If scopes are split, what happens to DHCP requests once the primary DHCP server has allocated all leases? Also, what happens if a client joined to controller A receives a valid IP address and then controller A goes offline? APs re-establish with controller B but the client has an invalid scope IP?
    Cheers,
    Jay   

    Hi,
    Actually, in the Mobility Group you enable the user to move from one WLC's AP coverage to another WLC's AP coverage with the same client IP configuration, so if we make groups then obviously we should make different DHCP scopes to avoid the network address range being exhausted.
    As long as controller A is up, the IP configuration on the wireless client would remain the same, but if your controller A goes off then the client will acquire a new IP from the different DHCP scope which is assigned to controller B.

  • How do WLC's work out coverage holes etc

    Hi all
    with the Cisco WLC and LWAPP access points, how do the access points adjust their power settings to compensate, what are they looking for?
    do they look for noise / interference from the nearby ap, then increase or backoff the power until there is roughly 50% overlap between access points, can anyone explain how it works here?
    cheers
    Carl

    Hello Carl,
    OK, to make it clear for you how WLC power and channel settings work, I will explain here how RRM (radio resource management) works.
    RRM consists of 3 components: DCA (dynamic channel assignment), TPC (transmit power control), CHD (coverage hole detection).
    1) DCA: once the WLC boots and the APs are registered, the WLC will force channel configuration to the APs to ensure the least possible co-channel interference between the APs.
    So this algorithm will configure for each AP which channel it needs to operate on.
    DCA can be configured from Wireless > 802.11 A/B/G > RRM > DCA.
    The DCA interval specifies how frequently the WLC handles the channel updates on the APs.
    Note: after boot the WLC will require 6 DCA iterations to stabilize the RF.
    2) TPC: this algorithm will configure how much power the AP transmits.
    It has levels from 1-7 (1 is the maximum level).
    Note: this algorithm can downgrade the power level if it finds it is too high.
    How does the algorithm determine this is too high, and how much overlapping?
    This is based on the TPC configuration that can be configured from Wireless > 802.11 A/B/G > RRM > TPC: Power Threshold (-80 to -50 dBm).
    So if you configure here, let's say, -65, and the AP is hearing other neighbours with signal stronger than -65 (let's say -50), then there are possible RF issues and the WLC will instruct the corresponding APs to downgrade their power to meet the criteria (-65 or less from other neighbours).
    This will minimize co-channel interference.
    Note: for TPC/DCA to work fine, each AP should be designed (placed) to be heard by 3 other neighbours, with signal no stronger than X (that is configured as the power threshold).
    3) CHD: this will increase the power level of the AP in case it notices some clients have bad signal.
    When will it instruct to increase power?
    If you go to Wireless > 802.11 A/B/G > RRM > Coverage you can see two components: RSSI and Min Failed Client Count per AP (let's say X).
    Now if a single AP is hearing X clients with signal strength below the configured RSSI, then this is a coverage hole and the WLC instructs it to increase its power to cover those clients with better signal.
    For more details about WLC radio management please refer to:
    1) WLAN Radio Frequency Design Considerations
    http://tools.cisco.com/squish/1Ea09
    2) Deploying Cisco 440X Series Wireless LAN Controllers ( Radio Management and RF Domains section)
    http://tools.cisco.com/squish/51a58
    hope this helps.
    Kind regards
    Talal

  • How to create a custom DACL in ISE

    Hello once again,
    I'm puzzled over the note that I found at
    http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_authz_polprfls.html#wp1136540
    Namely the one that says:
    The Name and DACL Content fields require that values be entered and are marked with an asterisk (*).
    How would I interpret it? What's the proper syntax to create a DACL?
    I created my own one the way I would do it in ACS, i.e.
    ip:inacl#1=permit udp any host 192.168.1.100 eq 53
    ip:inacl#1=deny ip any 192.168.1.0 255.255.255.0
    ip:inacl#2=permit ip any any
    But it doesn't work when I apply it to the authorization profile

    Sorry about that, WLCs do not support the dACL feature; this is for switches and ASAs that support the dACL feature. I assumed you were wanting this for wired.
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html
    Here is the note that mentions this in the release notes:
    4
    Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB).
    thanks,
    Tarik Admani

  • ISE vs Packet Fence

    Hello,
    I'm currently studying a solution for AAA in my company. Since I've got an almost full Cisco network architecture, I've read a lot about ISE.
    But recently I heard about Packet Fence, an open source project which seems to offer the same features.
    So I'd like to get some of your advice about this software against ISE: is it worth it to get it? What are the advantages and drawbacks of this one?
    Since we're on a Cisco forum I'm not expecting you to tell me that Packet Fence is better, but I'd just like to get objective reviews.
    Thankfully,
    Yoshipower.

    Hi Ravi,
    I am also looking at the same options and I was heading entirely in the ISE direction until I realised that there is not full support for non-WLC WiFi systems.  So since I have an AP1141 this seems to mean that I would be as well to go with Packet Fence as the best I will get from either solution is basic 802.1x authentication?
    Footnote number 4 on Table 1 of this document seems to cover most of the limitations:-
    http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html
    "Wireless LAN Controllers (WLCs) do not support downloadable ACLs (dACLs), but support named ACLs. WLCs prior to release 7.0.116.0 do not support CoA and require deployment of an ISE Inline Posture Node to support posture services. Use of Inline Posture Node requires WLC version 7.0.98 or later. Autonomous AP deployments (no WLC) also require deployment of an Inline Posture Node for posture support. Profiling services are currently supported for 802.1X-authenticated WLANs only on the WLC with CoA support. HREAP is not supported. WLCs do not currently support MAC Authentication Bypass (MAB)."
    So based on the above the ISE is not able to offer me profiling services or CoA.  And I can only get posture support if I have an inline node everywhere that I have an AP?
    Thanks
    David

  • Aps not finding secondary controller

    I have just installed a secondary WLC 4402 where a client has 1121 APs and 1010 APs and I am slightly confused.
    We have 2 CISCO-LWAPP-CONTROLLER entries in DNS
    The WLCs are WLC1 and WLC2
    The 1010 APs fail over to the secondary controller perfectly well.
    The 1121 APs do not fail over.
    I have given the APs primary and secondary controller names of WLC1 and WLC2.
    Is this due to Option 43 not being configured correctly?
    I believe, though I have not investigated, that there is a single entry for the 1121 APs in the DHCP scope for option 43 of the original controller but there is no entry for the 1010 APs.
    They are using the same DHCP scope in a layer 2 implementation.
    Any help appreciated

    When the AP has joined a WLC, the DNS and DHCP option 43 are not used. The information created in the mobility group (MAC address, IP address and mobility group name) is used. This is how APs learn of the other WLC. Setting the AP's primary and secondary and/or tertiary WLC is required for APs to be able to join the other WLC. Option 43 and DNS are used if the AP goes through the process of finding a WLC when the primary, secondary and/or tertiary WLC is not found. It seems to me that the APs have properly joined a WLC; therefore, you need to verify why the 1121s are not joining the secondary.
    First of all, is the mobility group configured correctly and is AP fallback enabled or not? Also, verify that you can mping and eping the controllers. Is the WLC set to layer 2 or layer 3 mode? I think that the 1121 needs the WLC to be in layer 3, but I will check.
    What you should also do is console into the AP and post the log so we can see what errors the AP is getting.
    Here is a link. Search for layer 2:
    http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps6306/prod_bulletin0900aecd80321a2c_ps6521_Products_Bulletin.html
    Here is a link for AP Fallback:
    http://www.cisco.com/en/US/tech/tk722/tk721/technologies_tech_note09186a00807a85b8.shtml

  • Wireless Guest SOX compliance

    Hello,
    A customer has stated that they need to be "SOX compliant" and I need to confirm whether, for that compliance, a dedicated Guest anchor WLC is required. I can't find any Cisco reference to it other than "Secure Guest Access", which is the traditional Foreign-Anchor WLC architecture.
    thanks in advance for any comments

    Hi,
    Below Cisco AP with
    software version : 5.2.157.0 , 5.2.178.5
    Cisco Aironet Lightweight AP1131, AP1142, AP1242, AP1252, AP1522 Wireless LAN Access Points

  • QoS - LYNC

    Hi
    In a deployment with QoS configured on switches, we are going to do QoS on wireless as well (for LYNC optimization).
    Right now we use FlexConnect on ver. 7.4. Looking at the new AVC feature, it already has a profile for LYNC (when doing central switching).
    Can someone clarify the following:
    - If going to use central switching instead of FlexConnect, to implement an AVC LYNC profile, will we then have to configure QoS on switches to prioritize CAPWAP?
    - Would it be better to keep FlexConnect and do some "old" QoS on the WLC (does QoS on the WLC always require central switching)?
    - Has anyone done QoS for LYNC on a WLC?
    Regards
    Kasper

    Hi
    QoS in Lync is a tricky one. Normally you would have a Generic QoS profile on the Lync Server. However, to better optimize QoS for the client, you would have to configure Policy based QoS on the laptops. This can be done through the local computer group policy. Normally, the DSCP value for voice is 46, while that for video is 34.
    The big question is how you can do this on all laptops in your domain. If you can find a way to push it through the domain group policy, then that would ease your pain. I would also recommend that you configure your AP switch port to trust dscp.
    A noteworthy point is that QoS becomes ineffective in a poor wireless environment. Hence you would have to make sure that your wireless LAN setup was properly done. Prioritizing CAPWAP will have no major effect for LYNC.

  • Personalization server 2.0.1

    I'm presently evaluating the WebLogic products. Couple of questions
    WLPS requires WLS? Yes
    Are WLCS and WLPS completely separate products? or is WLPS part of WLCS?
    Alex

    Hi Alex,
    Let me try to answer your questions:
    WLS is the application server on which WLPS was built. Therefore WLPS does
    require WLS (and comes packaged that way). WLCS is WLPS and commerce
    components. Therefore, WLCS does require WLPS. You can buy the products
    pre-packaged as follows:
    WLS
    WLS/WLPS
    WLS/WLPS/WLCS
    Hope this helps!
    Cindy Eldenburg
    BEA Systems, Inc.

  • Webauth - private IP to public IP

    I'm looking for a solution/advice to our webauth WLAN. When a user connects, I want them to get a private IP. Once they hit the authentication page and logon, I want them to get a public IP. I have a lot of devices connected to the WLAN, but they're not authenticated. They're just occupying space in the dhcp pool.
    I've been thinking about doing this with ACS, but wanted to know if there's any other alternatives.
    Any input would be appreciated.

    Making one thing clear: if you want to change the IP address of the client, you're on the wrong track.
    WLC webauth requires the client to already have an IP address. So you cannot change the client IP after he authenticated, otherwise he'll have to reauthenticate again.
    How about natting? I'm no natting expert, but wireless client traffic will only hit the network once they have authenticated, so then maybe you could do some dynamic natting to a public IP?
    Last thing: the behavior you are looking for might be offered by NAC, where the client will start in an "untrusted" VLAN which can only do webauth on clean access (not on the WLC due to the IP issue of point 1) and move to a trusted VLAN after that.

  • Requirements for VLAN select feature in 5508 WLC

    Hello,
    We implemented WLC 5508 software version 7.3, with 8 Aironet devices, most of them are AIR-LAP1131AG-E-K9, and two AIR-LAP1242AG-E-K9.
    I could really benefit from the VLAN select feature, but I noticed that it's not working like it should. Two interfaces are in the interface group, but of 45 clients only a few have an IP address from one subnet; the others have one from the second subnet.
    I see a requirement for this to work is 32 MB of flash on LWAP devices. I only have 16 MB.
    Is there a way to work this out? An upgrade of flash on the devices or something?
    Thank you in advance and kind regards..
    Lovro

    Thx L - as usual, I need to read before speaking.
    Interesting topic though. I would assume that the MAC hashing algorithm used would be similar to how EtherChannel maintains load balancing (src-dst) etc. What I don't quite understand is the definition of "dirty". What makes an interface "dirty"? Given the flow chart depicted in the link you sent, I'm wondering how the interface assignments are kept in the switch. I'm assuming you create the interfaces, create the interface group, assign the interfaces to the group and finally assign the interface group to the WLAN. During all this time, how are the stations using that WLAN being handled? You almost should clear everything out, create the group tied to the WLAN, THEN join the stations one at a time and see what interface they get assigned to. At that point it should be balanced. Also, it's my understanding that those stations should keep their assigned interface the next time they connect unless there is a "dirty" condition, which I don't quite understand yet.
    Anyway - rambling now. Looking forward to your test results. Thx again! //art
