WLC, mapping new dynamic interface to an already used port

This is my question
We have a multiple wlc deployment and a wlan which is running dhcp issues (scopes exhausted)
The main Wlan is mapped to a dynamic interface group (2 vlans), both vlans are mapped to a single physical port
adding a new dynamic interface (vlan) to the interface group is needed,
- a new dynamic interface will be created and mapped to the same physical port of the other two (3 vlans)
- the new interface will be addad to the interface group
the question is:
does this operation will require some network downtime (controller reboot,ap reboot... etc.) or will it be a seamless operation?
thank you

Does this mean, when utilizing an 802.1x WLAN in an AP Group, you can  not dynamically assign an interface via radius because itw ill be  ignored due to the AP Group settings?  If so, that seems short sited to  me?
AAA override get priority when AAA override and AP group is used. the debug client output should show site specific over-ride for AP group initially and once it goes into .1x auth it will return the overrided vlan.

Similar Messages

  • ISA550 permit HTTPS inbound, error that SSLVPN is already using port

    I'm trying to permit HTTPS from anywhere to an internal web server. The ISA is running SSLVPN on one IP address. I am trying to create an ACL and NAT that allows HTTPS on a totally different IP address than the SSLVPN runs on. If I go to Firewall>NAT>Port Forwarding and create a port forwarding rule as follows:
    Original Service: HTTPS
    Translated Service: HTTPS
    Translated IP: Internal server IP address
    WAN: WAN1
    WAN IP: External server IP address - not the same as the interface IP address
    I get the following error:
    The service HTTPS already is used by SSLVPN. Please use another service.
    I feel like I'm missing something simple/stupid as I can't imagine that you can't have both SSLVPN and an internal HTTPS server running on two totally different IP addresses at the same time. TIA.

    Hi,
    You can try with :
    Original Service: 8080
    Translated Service: HTTPS
    Translated IP: Internal server IP address
    regards
    Moorthy

  • Adding (dynamic) interfaces to WLC 2504 causes loss of network

    I'm trying to add a new dynamic interface, that I will tie a specific WLAN to so that clients on that WLAN is in the correct vlan. After adding it I loose connectivity both to the main management address (10.99.0.60) and to the ip address of the dynamic interface (10.99.12.4). In fact, the dynamic interface address responds and prompts me to login, but after doing so all I get is a blank page. Here's the two interfaces pulled from the CLI - what am I doing wrong?
    And oh, not adding an IP to the dynamic interface makes it impossible to use within a WLAN.
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No

    So take a look at this. I have the dynamic interface used in wlan 2 (mytestssid as shown above). Now the management address, 10.99.0.60 cant be reached:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    After removing wlan 2 and the dynamic interface, mgmt access starts to work again:
    config wlan disable 2
    config wlan delete wlan 2
    config interface delete lan
    Nmap scan report for 10.99.0.60
    Host is up (0.0037s latency).
    PORT    STATE SERVICE
    22/tcp  open  ssh
    443/tcp open  https
    So... here's me adding the dynamic interface in cli AGAIN:
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        someotherssid / someotherssid              Enabled   management  
    (Cisco Controller) config> interface create lan 33
    (Cisco Controller) config> interface address dynamic-interface lan 10.99.12.4 255.255.252.0 10.99.12.1
    (Cisco Controller) >config wlan disable 1
    (Cisco Controller) >config wlan interface 1 lan
    (Cisco Controller) >config wlan enable 1
    Voila, management access lost again:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    This time, there's no physical port assigned to the dynamic interface 'lan':
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              -    33       10.99.12.4      Dynamic No     No   
    management                       1    31       10.99.0.60      Static  Yes    No   
    virtual                          N/A  N/A      1.1.1.1         Static  No     No   
    Adding that:
    (Cisco Controller) config interface port lan 1
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    lan                              1    33       10.99.12.4      Dynamic No     No   
    Still no management access..:
    Nmap scan report for 10.99.0.60
    Host is up.
    PORT    STATE    SERVICE
    22/tcp  filtered ssh
    443/tcp filtered https
    For reference, the detailed interface config (which clearly shows that 'management' should be ap mgmt.. and dynamic interface 'lan' shouldn't (and thus shouldn't affect it - RIGHT?)):
    Interface Name................................... lan
    MAC Address...................................... c0:8c:60:c7:99:04
    IP Address....................................... 10.99.12.4
    IP Netmask....................................... 255.255.252.0
    IP Gateway....................................... 10.99.12.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 33        
    Quarantine-vlan.................................. 0
    NAS-Identifier................................... mob-wlc
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    Interface Name................................... management
    MAC Address...................................... c0:8c:60:c7:99:00
    IP Address....................................... 10.99.0.60
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.99.0.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 31        
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1         
    Primary Physical Port............................ 1         
    Backup Physical Port............................. Unconfigured
    DHCP Proxy Mode.................................. Global
    Primary DHCP Server.............................. 10.99.0.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    IPv4 ACL......................................... Unconfigured
    mDNS Profile Name................................ Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    By the way, the switchport of my (C3560G) doesnt specifically allow some VLANs - meaning they allow all vlans:
    interface GigabitEthernet0/28
     description cisco_wlc
     switchport trunk encapsulation dot1q
     switchport mode trunk
    And the vlans in question are present:
    31   enet  100031     1500  -      -      -        -    -        0      0   
    32   enet  100032     1500  -      -      -        -    -        0      0   
    33   enet  100033     1500  -      -      -        -    -        0      0   
    34   enet  100034     1500  -      -      -        -    -        0      0   

  • 2125 WLC Dynamic interfaces and their physical interface

    I'm trying to broadcast multiple SSIDs per AP. I would like the new second SSID to be on a different VLAN. I have been reading this article http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml#dyn-interface and it looks like you create a trunk port on the switch that the WLC is connected to, which makes sense to me. A friend however told me to use a seperate physical interface on the WLC and assign the dynamic interface to it and connect it to the desired VLAN, instead of using the interface that is currently in production. I liked this idea because I would have downtime trying to reconfigure the port as a trunk that's in production.
    So I guess my question is, if I use a secondary port on the WLC to connect to a different network than what the AP is on how will communication work? When the AP sends data to the WLC will everything be encapsulated in CAPWAP? How about the primary link connecting the WLC to the primary production network? Will this data to and from the WLC on the switch retain it's CAPWP encapsulation? Now that I'm thinking about it I guess it would have to since the WLC is what decapsulates the CAPWAP data and not the switch...
    I would just like some advice on if I'm doing this correctly. Thanks a lot!  -Mark

    We generally recomment one trunk port to be configured for different VLAN (for management and AP inetreface) but we can use other ethernet port also on WLC for any differnt VLAN config.
    For all your port related queries please find the attach link with the diagramme.:-
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
    Q. How does a WLC switch packets?
        A. All the client (802.11) packets are encapsulated in a LWAPP packet by the LAP and sent to the WLC. WLC descapsulates the LWAPP packet and acts based on the destination IP address in the 802.11 packet. If the destination is one of the wireless clients associated to the WLC, it encapsulates the packet again with the LWAPP and sends it to the LAP of the client, where it is decapsulated and sent to the wireless client. If the destination is on the wired side of the network, it removes the 802.11 header, adds the Ethernet header, and forwards the packet to the connected switch, from where it is sent to the wired client. When a packet comes from the wired side, WLC removes the Ethernet header, adds the 802.11 header, encapsulates it with LWAPP, and sends it to the LAP, where it is decapsulated, and the 802.11 packet is delivered to the wireless client. For more information about this, refer to the LWAPP Fundamentals section of the document Deploying Cisco 440X Series Wireless LAN Controllers.
    Q. What are the various options available to access the WLC?
        A. This is the list of options available to access the WLC:
            GUI access with HTTP or HTTPS
            CLI access with Telnet, SSH, or console access
            Access through service port
        For more information on how to enable these modes, refer to the Using the Web-Browser and CLI Interfaces section of the document Cisco Wireless LAN Controller Configuration Guide, Release 5.1. Usually, the management interface IP address is used for GUI and CLI access. Wireless clients can access the WLC only when the optionEnable Controller Management to be accessible from Wireless Clients is checked. In order to enable this option, click the Management menu of the WLC, and click Mgmt via Wireless on the left-hand side. WLC can also be accessed with one of its dynamic interface IP addresses. Use the config network mgmt-via-dynamic-interface command to enable this feature. Wired computers can have only CLI access with the dynamic interface of the WLC. Wireless clients have both CLI and GUI access with the dynamic interface.

  • Doubt with Dynamic Interfaces and VLANs

    Hello.
    I am trying to get wirelles clientes and APs to be on the same VLAN/subnet, now is working with management interface on my WLC 5508. My problem comes up when I change them to a new dynamic interface.
    Before any change:
    VLAN: 8
    Management Interface IP: 192.168.9.2/23
    Gateway: 192.168.8.1
    DHCP Server: 192.168.8.2
    WLAN SSID linked to Managment interface: Ray123
    APs on VLAN 8 and subnet static IP range192.168.9.0/23
    There is no dynamic interface.
    After changes.
    VLAN: 0
    Management Interface: 192.168.6.2/23
    Gateway: 192.168.6.1
    DHCP Server: 192.168.6.2
    Dynamic interface name: Wireless-1
    VLAN: 8
    Management Interface IP: 192.168.9.2/23
    Gateway: 192.168.8.1
    DHCP Server: 192.168.8.2
    WLAN SSID linked to Dynamic interface: Ray123
    APs still on VLAN 8 and subnet static IP range192.168.9.0/23
    After all this done i can see by cdp neighbors all my APs i can ping them and management interface too, but APs are not registered, no clients too.
    According to this guide:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00805e7a24.shtml
    Dynamic interfaces and APs should be on the same VLAN.
    But this another guide states the opposite:
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70mint.html
    "Set the APs in a VLAN that is different from the dynamic interface configured on the Controller. If the APs are in the same VLAN as the dynamic interface, the APs are not registered on the Controller and the 'LWAPP discovery rejected' and 'Layer 3 discovery request not received on management VLAN' errors are logged on the Controller"
    I cant understand why VLANs for APs and dynamic interfaces should be on different, it has no sense to configure a vlan intended for APs which shouldnt be on the same vlan.
    Please tell me what is wrong.
    Thanks in advance.

    You have to tell the APs where the WLC lives now, 192.168.6.2.
    You can do this in the following ways:
    Manual Prime the APs
    option 43
    dns
    ip forward udp 5246
    move the aps to the same vlan as the management interface let them join and then chnage the vlan
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Mgmt Via Dynamic Interface not working on 5505 version 7.2.111.3

    Folks,
             I have posted this question a couple of times on the forum but did not get a solution. I am trying to manage my 5508 controller from a dynamic interface which is assigned to port 7 of the controller. I have a switch connected to that port which has a PC on the same subnet as the dynamic interface. From the PC, I can ping the dynamic interface IP Address, but can not telnet,SSH,http or https to it. There is no clear doc that specifics how to effectly use the command "config network mgmt-via-dynamic-interface" command.
    Mgmt Via Wireless Interface................. Enable
    Mgmt Via Dynamic Interface.................. Enable
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    173                                      7    173      172.16.101.100  Dynamic Yes    No
    management                         1    172      172.16.100.100  Static  Yes    No
    service-port                           N/A  N/A      0.0.0.0         DHCP    No     No
    virtual                                    N/A  N/A      1.1.1.1         Static  No     No
    7  Normal  Forw Enable  Auto       1000 Full  Up     Enable  N/A     1000BaseTX
    Any guidence would be highly appreciated.

    Im having a similar issue and have 2 TAC cases open.
    TAC CASE#1:  issue is that even when disbaled I can still access the dynmic interface via HTTPS/HTTPS/TELNET/SSH. But this is on a WISM1.
    Thanks a lot for your quick and prompt response, I see that there is an internal Bug with an ID CSCty32586.
    I see that the bug is fixed told be fixed in 7.0.230.0, but it’s not fixed. The bug is fixed in 7.2.x version.
    I understand that you are using Wism on which 7.1.x version and above is not supported.
    As 7.0.235.3 is released recently to overcome some of the changes and to fix some of the Bugs with older version on these devices.
    Kindly try to upgrade the software version of the WLC to 7.0.235.3 and check the compatibility.
    Please do let me know in case of any concerns and I will be glad to assist you.
    TAC CASE#2: Just like you I can not access the dynamic interface. Still working that one .. The holiday dropped when I just opened that case.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

  • Cannot contact Non-native dynamic interfaces on WLC 4402

    Hi,
              In my company we are recently planning to get a DMZ anchor for Guest WLAN. Our setup is as following
    We have two 5508 WLCs in inside corporate network which serves for the corporate wlan. Recently we put one 4402 in DMZ in LAG mode. Two SSID has been created in 4402 namely guest and consultant. We have mobility configured perfect between these three. For the the two ssids the 4402 is the anchor.   We have created sub interfaces in ASA for management and two WLANs. The port channel is also configured proper with the native vlan for management and allowing all three vlans through it. The concern is that we cannot ping the untagged dynamic interface of WLC. The WLAN clients are getting DHCP ip perfectly on each ssid, I mean in different networks. But the clients cannot reach the gateway which is the subinterface of ASA. If I am using the webauth I am not getting redirected to the authentication page. but if I set the security to none (both L2 and L3) I can reach up to the corresponding dynamic interface and not beyond that.
    Below are my configuration details
    At switch side
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    interface GigabitEthernet2/0/26
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    channel-group 1 mode on
    interface GigabitEthernet1/0/26
    switchport trunk encapsulation dot1q
    switchport trunk native vlan 177
    switchport trunk allowed vlan 177-180
    switchport mode trunk
    channel-group 1 mode on
    WLC configurations
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
    ap-manager                        LAG  untagged 192.168.7.3     Static  Yes    No
    management                      LAG  untagged 192.168.7.2     Static  No     No
    qd-consultant                     LAG  179      192.168.9.254   Dynamic No     No
    qd-guest                            LAG  178      192.168.8.254   Dynamic No     No
    qd-test                              LAG  180      192.168.10.254  Dynamic No     No
    service-port                         N/A  N/A      0.0.0.0               DHCP    No     No
    virtual                                 N/A  N/A      192.0.2.1           Static  No     No

    Your configuration looks good except you should assign an ip address to the service port. Never leave that at 0.0.0.0. Change that to an ip address that is non routable in your network.
    Now for your issue. Have you tried plugging in a laptop to the dmz switch in those vlans to see if it works wired. Since these are new subnets, are you sure they are being NAT'd to your public address. Check that first and let us know. The WLC should be able to ping the gateway and out into the Internet if things are setup right in the dmz.
    Sent from my iPhone

  • Force WLAN client to renew ip on WLC with dynamic interfaces

    Hi there
    we would like to have a "two tier" authentication for the corporate WLAN clients:
    Requirements
    1. Machine Authentication
    The client gets machine authenticated based on the machine account in the Active Directory with PEAP. At this stage, the client will get a IP from VLAN A. VLAN A has limited access to the corporate infrastructure (DNS, AD, some volumes / shares, and so on). The filtering is done with an IP access list on the layer 3 VLAN interface on the core switches.
    2. User Authentication
    The users logs in on the client and gets user authenticated based on his user account in the Active Directory with PEAP - only users with a valid Machine Access Restriction (MAR) are allowed to login. Now the client is moved to another VLAN B. VLAN B has full access to the corporate infrastructure, here is no IP access list.
    Infrastructure
    We have the following:
    2 x WLC 5508 with 7.3.101.0
    2 x ACS 5.3.0.40.6
    Problem
    Now we have the problem, that the Windows client sometimes takes up to 3 minutes to connect to the WLAN after the users loggs in. In the debug, I can see that this happens because the client is stuck in DHCP renewal:
    1. After the machine has been authenticated it has an IP assigned from VLAN A. This works pretty well if the client gets rebooted.
    2. If the user loggs in the first time after the reboot, the users gets connected within 10 seconds, what is pretty good. The client has now an IP in VLAN B.
    3. Now the user logs out of Windows and I can see in the debug, that the client is putted into VLAN A (machine authentication) again, but the client still tries to DHCPREQUEST the IP address from VLAN B (user authentication). Because this request is sent out on the wrong dynamic interface on WLC, the DHCPREQUEST is not acknowleged an the client get stuck in this situation.
    4. If the user or another users logs in again shortly after the logout, the client still tries to DHCPREQUEST the IP of VLAN B and now the "3 times DHCP failure on WLC" comes into play, because WLC thinks that the DHCP server is not reachable -> but it only does not answer a wrong DHCPREQUEST.
    Question
    On ISE there is a way to force the client to renew the DHCP address (via CoA, but this has its limitations too --> need to install Active X or Java applet). I think there is now way to force the client to renew its IP with ACS, but my question is, is there a workaround and are there any others, that maybe already solved this problem?
    Alternative
    If there is now way to bring this to work with two different VLAN's, I could try to realize this with only one VLAN. After the machine authentication I could apply a WLC ACL to restrict access to the corporate infrastructure. If the user authentication happens, I could "remove" this ACL to grant full access for this user / client. But I am still interested in the other solution ;-)
    Thanks in advance for any advise and best regards
    Dominic

    Your second option is what you should do. Changing the vlan on a client that already has an IP address especially on wireless will not know it has been put in a different vlan and that's why it breaks. If There was a way to change the vlan and send something to the WLC to disassociate the client, that might work.
    Sent from Cisco Technical Support iPhone App

  • ISE and WLC dynamic interface group assignment ?

    I have a somewhat large deployment coming up with several WLC dynamic interfaces assigned to an interface group, replicated across for multiple sites.  I understand that ISE can return the VLAN ID to the WLC to place the client in, but if I'm using interface groups, this seems to negate the usefulness of the interface group to load clients across multiple VLANs.  Not only that, but with the number of dynamic interfaces (VLAN ID's), multiplied by the number of sites, would seem to be overwhelming on the ISE side policy configuration.
    Is it possible for ISE to return an Interface name/group to the WLC instead of just a VLAN ID ?
    TIA

    I understand that WLC 7.2 code can now accept the interface group name as a AAA override, which is great, but it doesn't specify the AAA source (ISE vs. ACS).
    This is the example I'm questioning: (they use the VLAN ID only, instead of an interface name)
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bba10d.shtml#topic17
    Edit:
    Found the correct Attribute Under "Adv. Attribute Settings" in the Airspace Authorization Profiles (Airespace:Airespace-Interface-Name).

  • WLC Dynamic Interface

    I wonder why we need Dynamic Interfaces. I have created two WLANs. One is WPA2-Enterprise obtaining vlan id's per user from Radius server and the other WEP wlan for guest users whose traffic should go to a specific guest vlan. I am using an external DHCP server and configured WLC not to proxy dhcp requests and to act as a bridge.
    I had to create dynamic interfaces on WLC (we are using 5508 with software version 7) for all the VLANs which radius server returns. I could make it with only defining the dynamic interfaces and entering 0.0.0.0 for ip addresses.
    For the other WLAN with WEP, I have to enter and IP for the dynamic interface to work. I am not sure if this is a requirement or my misconfiguration, but I do want a way not to set an IP address for the dynamic interface. I do not want to waste addresses and also do not want the clients to be able to access wlc through that IP address.
    I appreciate any comment on why I need IP addresses for dynamic interfaces.

    Vadood... The WLC does use that IP address as it needs to have layer 2 connection to any subnet it will place users on. Even is your doing AAA override, the radius tell the WLC that that device needs to be on vlan x and the WLC will put that device on vlan x, but if the WLC has no IP address on that subnet, well then the communication stops there. The user will never get an IP address if using dhcp or if the device has a static, the WLC has no way to communicate to that subnet.
    By the way, users can't access the dynamic interface by default. You have to enable that. But then again, they can try to access the management interface also, unless you disable globally management over wireless.
    Sent from Cisco Technical Support iPhone App

  • WLC DHCP Settings - Under Dynamic Interface configuration

    Hi Guys,
    If I have a dynamic interface that is connected to a subnet where the router interfaces have DHCP servers configured under the helper address commands, do I need to configure the DHCP fields under the dynamic interface configuration?
    I have helper address configured on the connected routers AND these fields configured with the same DHCP servers.
    Just wondering if I can take the IPs out of the WLC configuration?
    Many thx indeed,
    Ken

    Ken, the DHCP address under the dynamic interface, is the address the WLC will unicast the DHCP request to when a client tries to use that interface. Under normal operation this address is needed. There is a way to get the WLC to bridge the packet to the wire so that it is a broadcast instead of a unicast packet. CLI command is config dhcp proxy disable.
    But I do believe that even if you issue the CLI command, the software wants the DHCP address listed under the dynamic interface.
    HTH,
    Steve

  • WLC dynamic interface limit

    Hi,
    I have a WISM with sw version 4.0.179.11 wich I try to add more dynamic interfaces on. However I get the message " Can't create more than 64 entries".
    I find in the deployment guide for WLC - quote: "Dynamic Interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The WLC will support up to 512 Dynamic Interface instances. "
    Has anybody encountered this limitation before?
    How can I add more than 64 interfaces ?
    regards rolf

    Hi.
    I have a customer wth a WLC which has DHCP Proxy disabled and Primary & Secondary DHCP servers configured (external to the WLC).
    The problem I've just started looking at is...if the Primary has run out of leasable IP addresses, the WLC doesn't appear to request one from the Secondary server.
    It looks like (without any real investigation) the "I've run out of addresses" response from the Primary server is sufficient for the WLC to believe that the Primary is still on the network and it doesn't need to go to the Secondary.
    I'll add more as and when I do more testing.

  • Max # of dynamic interfaces on 4404 WLC

    Can anyone tell me if there is a limit to how many dynamic interfaces I can create on a 4404 WLC?
    I know that I can only have 16 SSIDs, so I have set up one SSID for my private network and am using AAA Override and configured my radius server to assign the different VLANs for each group. I have to create a dynamic interface for each individual VLAN and I just want to know if there is any kind of hard limit for the number of dynamic interfaces I can have so I don't run into a potential problem down the road.
    TIA,
    Deanna

    I was able to verify that you only can create up to 513 dymanic interfaces. This of course does not include your management, ap-manager or VIP.
    Hope this answers your question... it did for me... now I know!

  • 4402 WLC Dynamic Interfaces- More than 1 Gateway Possible?

    I am configuring a guest access solution with multiple guest access gateways associated with a single VLAN. Each gateway will have its own /24 network, and obviously it own gateway. The interface configuration page requires a single gateway in the IP config section.
    Does anyone know the purpose of this IP config?
    Will command line config of the dynamic interface permit no gateway and a netmask big enough to encompass all gateways?
    Thanks

    Thanks for your replies.
    2 Coova gateways each with web authentication and a dhcp server plugged into each layer2 vlan works great with IOS APs, which do no require IP config per (vlan) subinterface.
    The objective is to loadbalance, provide redundancy and handle the total number of guests. The DHCP servers race to provide the client with IP config which then causes the client subsequently use that gateway.

  • WLC 5508 AP-Manager interface

    Hi, I own a WLC 5508 and I (probably) do not understand AP-Manager interfaces. I have a lab with 2x 1242AG and 1x 1252AG connected to c2960. APs are in vlan 10 (192.168.10.0/24, configured via DHCP), APs are connected to "switchport mode access" interface. c2960 is connected via a trunk to c4506, and WLC is plugged in gi1/3 and gi1/4 (both through twingig). Both ports are configured as "switchport mode trunk". Management interface on WLC is on WLC port 8 (connected to gi1/4), and AP-Manager is on WLC port 1 (connected to gi1/3). Management interface on WLC has "Dynamic AP management" set to disabled, and AP-Manager has it set to enabled. Both, Management and AP-Manager interfaces are tagged, vlan id 12 and 13 (subnets 192.168.12.0/24, 192.168.13.0/24) respectively. APs receive their IP configuration via DHCP (server located in vlan 20, 192.168.20.0, ip helper-address in use), and try to discover WLC by DNS resolution (CISCO-CAPWAP-CONTROLLER.some.domain resolves to AP-Manager IP correctly). But APs do not join to controller, WLC says "Ignoring discovery request received on non-management interface", AP has "not joined" status in Monitor/Statistics/AP Join.
    But if I set management interface as "Dynamic AP enabled", and change DNS to resolve CISCO-CAPWAP-... to it's IP everything works fine - AP joins at once. Please help, how to join LAP to AP-Manager interface? Join to WLC manager is simple, but my design requires at least 2 AP-Manager interfaces.

    Hello,
    I just wanted to mention foremost; a split LAG configuration is not supported on the WLCs.  This "can" be achieved if you are splitting your LAG ports amongst VSS configuration on your two capable devices, but is not a recommended or supported configuration. I would highly suggest a LAG configuration over your individual port.  As far as the "ap-manager" concern you have of managing more than 48 APs, you are correct in that the AP-manager cannot handle more than 48 APs, however only when in an individual port configuration.  The LAG will overcome this limitation.
    George was correct about your DNS entry, this needs to point to the WLC's management interface.  This is why the AP joined when you pointed the DNS entry back to the management address-- as intended.
    This link is anchored to the mgmt, ap-manager, and dynamic interface creation for the 7.0.116.0 Config Guide: http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1286790
    "If" you want to keep an individual port configuration, and need more than 60 APs connected, you will need to create more than one "ap-manager" interface.  You will just make a new dyanamic intreface and place it on the same network as the current ap manager (ie, management interface) and mark it for dynamic ap management.  All APs will still need to only see the management interface for joining; the WLC will assign to the appropriate AP manager as needed.  The WLC will fill up the first AP manager before joining building tunnels through the next AP-manager interface, so in your lab you will not really be able to test this behavior, assuming the 3-4 APs you were using.
    1. You can keep your management interface with "dynamic ap management" enabled so this serves as the first AP manager; if you desire. 
    2. You will need to create another dynamic interface mapped to the next port.  enabled "dynamic ap management" again here, and place this new "ap-manager" interface on the same vlan as the mgmt.  Keep in mind creating a dynamic interface and designating it as an AP manager prevents mapping that interface to a WLAN, see note below.
    *NOTE (from config guide): When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
    I would highly suggest the LAG configuration so there is no need to worry about the ap manager interfaces, regardless of the number of APs communicating. This also allows for growth if WLC needs to be licensed for more and more APs.

Maybe you are looking for