WLC Placement

Hello,
I'm getting ready to migrate from standalone APs to using a 2504 WLC. WLC is new to me and I've read several of the configuration guides, but the one item that keeps escaping me is the best practice for the placement of the management interface on our network. I understand the APs need to be able to route to it, but I'm not sure whether this interface should be considered an untrusted connection and be placed in a less restricted VLAN, or whether it is strictly used for management and for APs connecting to it, with no chance that WiFi-connected users can gain access to servers, in which case it should be placed in our secure VLAN?
My second question is for Guest users and Internet access. Should the interface the WLC is using for Internet access sit behind a firewall, or can it be placed in front of the firewall?
Thank you,
Denny

Hello,
Thank you for your suggestions.
So far I have done the following.
Configured the management interface (untagged) on port 1. My 1142 AP discovered it and automatically connected to it.
I configured a guest interface (port 2) with an IP address for my guest VLAN and entered the VLAN ID.
I configured my switch port for trunking and set the tag for the guest VLAN.
I set up a WLAN and associated it with the guest interface.
I set up an internal DHCP pool and verified the guest WLAN pointed to it.
Attached a router port to the guest VLAN and assigned an IP in the guest subnet.
My test client can connect to the Guest SSID and obtain an IP address from the internal DHCP server. The client can ping the Guest interface.
My problem is, my router cannot ping the guest interface of the WLC and the WLC cannot ping the interface of the router. The client connected to the guest network cannot ping the router's interface either. To verify the router connectivity, I put a workstation in the guest VLAN, put an IP address on it, and it can ping the router, but not the WLC.
Any suggestions?
Thank you,
Denny
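The symptom Denny describes (the wireless client reaches the WLC's guest interface, but the router and the WLC cannot reach each other) is what you see when the VLAN tag the WLC puts on its dynamic interface and the switch port facing that WLC port do not line up. The Python check below is an added example, not part of the thread and not Cisco tooling; it models a 2504 with constructed placeholder addresses and encodes the three conditions I would verify by hand: the switch port facing each WLC port must carry that interface's VLAN (tagged for a dynamic interface, untagged for the management interface), a router subinterface must exist on that VLAN, and it must sit in the same subnet as the WLC interface. The SWITCH_PORTS_BROKEN and SWITCH_PORTS_FIXED dictionaries are my assumptions about how the lab could be miswired, not the poster's actual configuration.

```python
import ipaddress
from typing import Dict, List

# Constructed model of the lab described in the post; addresses are placeholders
# (assumption), not the poster's real configuration.
WLC_INTERFACES = [
    # vlan 0 = untagged (the management interface was left untagged on port 1)
    {"name": "management", "port": 1, "vlan": 0, "ip": "10.10.10.5/24"},
    {"name": "guest", "port": 2, "vlan": 20, "ip": "192.168.20.5/24"},
]

# Switch ports keyed by the WLC port cabled to them.  Assumed broken case: the
# trunk carrying the guest VLAN was put on the port facing WLC port 1, while the
# guest dynamic interface actually leaves the WLC on port 2 (an access port).
SWITCH_PORTS_BROKEN = {
    1: {"mode": "trunk", "native_vlan": 10, "allowed": {10, 20}},
    2: {"mode": "access", "vlan": 10},
}
# Corrected case: the port facing WLC port 2 trunks VLAN 20 tagged.
SWITCH_PORTS_FIXED = {
    1: {"mode": "access", "vlan": 10},
    2: {"mode": "trunk", "native_vlan": 10, "allowed": {20}},
}
ROUTER_SUBINTERFACES = [{"vlan": 20, "ip": "192.168.20.1/24"}]


def carries_vlan(port: Dict, vlan: int) -> bool:
    """True if the switch port passes frames the WLC sends for `vlan` (0 = untagged).

    Simplification: a tagged frame for the trunk's native VLAN is treated as not
    carried, because the WLC would be tagging what the switch expects untagged.
    """
    if port["mode"] == "access":
        return vlan == 0
    if vlan == 0:
        return True  # untagged frames land in the trunk's native VLAN
    return vlan in port["allowed"] and vlan != port["native_vlan"]


def check_guest_path(wlc_ifaces: List[Dict], switch_ports: Dict[int, Dict],
                     router_subifs: List[Dict]) -> List[str]:
    """Return one finding per mismatch between WLC interface, switch port and router."""
    findings = []
    for iface in wlc_ifaces:
        port = switch_ports.get(iface["port"])
        if port is None:
            findings.append(f"{iface['name']}: WLC port {iface['port']} is not cabled to any switch port")
            continue
        if not carries_vlan(port, iface["vlan"]):
            findings.append(
                f"{iface['name']}: VLAN {iface['vlan']} leaves WLC port {iface['port']} "
                f"but the facing switch port ({port['mode']}) does not carry it")
        if iface["vlan"] == 0:
            continue  # the management VLAN's gateway is out of scope for this check
        net = ipaddress.ip_interface(iface["ip"]).network
        peers = [r for r in router_subifs if r["vlan"] == iface["vlan"]]
        if not peers:
            findings.append(f"{iface['name']}: no router subinterface on VLAN {iface['vlan']}")
        for r in peers:
            if ipaddress.ip_interface(r["ip"]).network != net:
                findings.append(
                    f"{iface['name']}: router {r['ip']} is not in the WLC subnet {net}")
    return findings


if __name__ == "__main__":
    for label, ports in (("broken", SWITCH_PORTS_BROKEN), ("fixed", SWITCH_PORTS_FIXED)):
        print(label, check_guest_path(WLC_INTERFACES, ports, ROUTER_SUBINTERFACES) or ["ok"])
```

Run as-is it reports one finding for the broken layout (the guest VLAN leaving WLC port 2 into an access port) and none for the fixed one; swap in your own port and VLAN numbers to reproduce the check against a real cabling plan.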

Similar Messages

  • Savant and WLC 2504

    The customer has 1x WLC 2504 and 7x AP 3502i.
    He is installing an automation system called Savant; this system uses the Bonjour protocol to discover the services on the network.
    I've configured the multicast group on the controller and switch (SG300) with IP 239.xxx.xxx.xxx, but Savant (on the iPad) doesn't find the service.
    Has somebody gone through a similar scenario?
    I've used this document: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_tech_note09186a0080bb1d7c.shtml
    PS: The customer doesn't have VLANs.
    Best regards.

    #Disable mDNS/Bonjour on the WLC. Place the WLC management and AP VLAN on the same subnet. Keep the Savant server and iPhone on the same WLAN and try.
    #WLC 2500 supports only multicast-to-multicast AP mode, so be sure that wired-side multicast is configured properly and working.
    #Try with any standard app to verify that Bonjour and AP-mode multicast work.
    #It is possible there may be some specific string that needs to be added to the Bonjour profile for Savant to work. Do "debug mdns all enable" and see what is missing.
    It is suggested to open a TAC case for troubleshooting.

  • VLAN concept with WLC

    Hi guys,
    This is my VLAN background:
    VLANs are used to segment the network and break up the broadcast domains in order to reduce congestion and isolate network problems, as well as providing scalability, performance improvement and security, and making network additions, moves, and changes easier and more manageable.
    And this is my wireless VLAN background with the controllers:
    Host A is a wireless LAN client communicating with the wired device, Host B. At the access point, the access point adds an LWAPP header to the frame and sends it to the controller. After processing the 802.11 MAC header, the WLC extracts the payload (the IP packet), encapsulates it into an Ethernet frame, and then forwards the frame onto the appropriate wired network, typically adding an 802.1Q VLAN tag.
    According to Cisco's "Fundamentals of Wireless Controllers" video (starting at 2:53), the 5508 controller allows you to use much larger subnets and fewer wireless VLANs. So with a 5508 controller in a completely wireless infrastructure (no wired hosts):
    1. Do I not need to break up broadcast domains and have multiple subnets, and am I free to use a giant flat network?
    2. If I'm allowed to use large subnets, as far as broadcast traffic (other than ARP and DHCP, which are specially handled by the WLC) is concerned, how does the controller handle that? I think I will still need multiple VLANs to control it, according to my following WLC broadcast handling background:
    "All traffic including broadcast sent to any destination by a wireless client gets forwarded to the WLC from its connected AP. The WLC places the broadcast message onto that VLAN; both wired and wireless clients that are part of that VLAN interface will get this broadcast message. Now, the receiving wireless clients on that VLAN can be associated to any/different APs, APs mapped to different AP groups, even APs using different L3 addresses from one or multiple WLCs. The WLC intelligently identifies the mapped VLAN interfaces and their respective APs through the AP group and forwards (encapsulates) the broadcast as a multicast packet to those specific AP groups. Once the APs receive the multicast (broadcast), they place it on the respective radio's BSSID (where the WLAN/SSID is mapped) to reach the right wireless client. The AP radio's BSSID to SSID/WLAN to interface mapping is pushed to the AP by the WLC at AP join. Also, wired PCs will receive the broadcast on their VLAN as tagged (if tagged, otherwise untagged) from the WLC's interface, and so do the other WLCs that span this VLAN interface."
    Regards,
    Saman

    You should still follow your best practice for your subnet size. Remember that wireless is half duplex and only one device can talk at a given time. Also... the AP can be in a different VLAN, AP group, etc., but the clients are still on the same VLAN. So it means that the clients need to be on the same VLAN, but the APs can be on a different subnet since this doesn't matter.
    Sent from Cisco Technical Support iPhone App

  • Wireless design help

    Hi guys... just have a few questions about designing with the WLC 5508.
    The scenario is that currently one of the clients has a firewall tiering: T1 internet-facing and T2 internal, which has multiple DMZs connected.
    The T2 firewall has a DMZ switch connected which has a router that connects to the MPLS cloud to different sites across the country (around 10 sites), all static routing.
    Now the client is thinking of deploying wireless at all 10 sites using H-REAP. The issue is that the client has only one WLC and they are not willing to buy another, as I was thinking of deploying two WLCs, one for corporate and one for guest users (one in the internal network and one in the DMZ).
    Now my questions are as follows.
    1- Keeping in mind that there is only one WLC, where should I physically put it?
    2- How will guest users work? How will the authentication be done?
    3- There are 8 SFP ports in the WLC; how will the physical topology look?
    4- How many VLANs do I have to make for wireless users? Will that be 10 (1 at each site)?
    My last question is how these ports work on the WLC. Are they just like a switch, e.g. one port can be assigned to a different VLAN? Just confused about interfaces and VLANs on the WLC (interfaces concept).
    Thanks guys and hope to get a response ASAP.

    Many thanks, please comment.
                          Internet
                             |
                            FW1
                             |                <--- Traffic coming this way
       ---Trusted---        FW2 ------ DMZ ------ SW ------ Router ------ IP MPLS ------+
        |     |     |                                                                  |
       DNS   AD   DHCP                                        ------ Branch Router ------> RT
                                                                                        SW
                                                                                        |
                                                                                        AP
                                                                                       USER
    1. Where should the WLC be placed so that guest traffic doesn't go to the trusted area?
    2. It's going to be H-REAP, so DHCP would be local for the branch.
    3. Voice users: QoS? Priority how? Example?
    4. Guest firewall rules to use only the Internet?

  • Cisco 526 Wireless Express Mobility Controller

    We have just purchased a UC520, a 526 Controller and a LAP521 controller. We got the UC520 up and running in 15 mins, but the 526 does not include very much documentation. We cannot get it to find the 521 AP on the network, nor will it go to layer 2 mode. I don't want to set up layer 3 routing for a 4-PC office. During the setup the only option it gives is layer 3, and the documentation says it will do layer 2? Can anyone give me any assistance?

    The controller reference between layer 2 and layer 3 is a little misleading. Having the WLC (WLAN Controller) in layer 2 mode means that it uses layer 2 frame headers to place the LWAPP information in. With the WLC in layer 3 mode, the WLC places the LWAPP header in the IP packet header instead of in the layer 2 frame header. The newer APs only understand the layer 3 mode of placing LWAPP info in the layer 3 packet header. In either mode, you can still configure your network with only one VLAN/subnet, which sounds like your goal. To summarize, the WLC's mode of layer 2 vs layer 3 only references where the LWAPP header is placed, in either the frame or the packet, and in no way corresponds to how you design the VLANs/subnets of your network.

  • WLC 5508 Web Auth Splash Page: Is it possible to place a download?

    Hi,
    I know it is possible to create custom web auth splash pages on the WLC 5508. Is it also possible to embed a small document (less than 1 MB) that users can download directly from the controller? I need this for providing the terms of use for the Guest WLAN.
    Thanks
    Michael

    It could be done, but you will want to stay within the limits of the WebAuth bundle size (~10 MB or less, I believe). This shouldn't be a problem considering a .doc size, but I have to ask the same question: why would you want to do this as opposed to just putting your terms of use inline in the page as text/HTML? Maybe there is a good reason, but I can't really think of any scenario. Feel free to elaborate.

  • LAP 1240 won't join WLC across subnets

    I am having a problem getting LAPs that are in other subnets to join our WLC. If I take the LAP and place it on the same VLAN/subnet as the WLC, it joins as expected. If I move it to another subnet, I get the following:
    *Mar 1 00:00:13.065: %SYS-5-RESTART: System restarted --
    Cisco IOS Software, C1200 Software (C1200-K9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Fri 08-Feb-08 17:24 by prod_rel_team
    *Mar 1 00:00:13.119: %SSH-5-ENABLED: SSH 2.0 has been enabled
    *Mar 1 00:00:13.519: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    *Mar 1 00:00:14.519: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    *Mar 1 00:00:14.536: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar 1 00:00:14.545: %DOT11-6-FREQ_SCAN: Interface Dot11Radio0, Scanning frequencies for 24 seconds
    *Mar 1 00:00:15.536: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Mar 1 00:00:28.133: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
    *Mar 1 00:00:28.171: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    *Mar 1 00:00:28.177: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Mar 1 00:00:28.192: SSC Load Current Size crypto_mykey 120, offset 9389, Saved Size soap_cert_crypto_mykey 124
    *Mar 1 00:00:28.390: %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    *Mar 1 00:00:28.892: Logging LWAPP message to 255.255.255.255.
    %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 255.255.255.255 started - CLI initiated
    %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
    %LINK-3-UPDOWN: Interface Dot11Radio1, changed state to up
    %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
    %DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 192.168.115.75, mask 255.255.255.192, hostname AP0013.c3a7.bf97
    Translating "CISCO-LWAPP-CONTROLLER.mydomain.here"...domain server (X.X.X.X) [OK]
    %LWAPP-3-CLIENTEVENTLOG: Did not get vendor specific options from DHCP.
    %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
    %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.mydomain.here
    %LWAPP-3-CLIENTEVENTLOG: Controller address Y.Y.Y.Y obtained through DNS
    %LWAPP-5-CHANGED: LWAPP changed state to JOIN
    %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
    %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
    %LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - 2169-WLC4402-1)
    %LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
    %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
    %LWAPP-5-CHANGED: LWAPP changed state to DOWN
    I have checked the WLC for any messages that look like crypto or other problems, but I don't see anything that stands out. Any suggestions or pointers would be gratefully accepted.

    %LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
    Can you provide more information such as:
    1. How many APs can the WLC4402 support and how many are currently joined?
    2. What is your WLC's firmware?
    3. Is there a possibility of a duplicate IP address in your network?
    Troubleshoot a Lightweight Access Point Not Joining a Wireless LAN Controller
    http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a00808f8599.shtml
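The console output in this thread already contains the answer to "how far did the AP get": it obtained an address by DHCP, got no option 43, resolved CISCO-LWAPP-CONTROLLER by DNS, entered JOIN and then timed out waiting for a join response. The Python below is an added example, not from the thread or from Cisco; it reduces that log format to those facts and turns them into the follow-up questions the reply raises (capacity, firmware, duplicate IPs, AP-manager reachability). The sample log is a constructed, abridged copy of the quoted output with the poster's X.X.X.X / Y.Y.Y.Y placeholders kept; the `PATTERNS` and the hint wording are mine.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the console output quoted in the post
# (abridged; X.X.X.X / Y.Y.Y.Y are the poster's placeholders), not a real capture.
SAMPLE_AP_LOG = """\
*Mar 1 00:00:28.133: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
%DHCP-6-ADDRESS_ASSIGN: Interface FastEthernet0 assigned DHCP address 192.168.115.75, mask 255.255.255.192, hostname AP0013.c3a7.bf97
Translating "CISCO-LWAPP-CONTROLLER.mydomain.here"...domain server (X.X.X.X) [OK]
%LWAPP-3-CLIENTEVENTLOG: Did not get vendor specific options from DHCP.
%LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.mydomain.here
%LWAPP-3-CLIENTEVENTLOG: Controller address Y.Y.Y.Y obtained through DNS
%LWAPP-5-CHANGED: LWAPP changed state to JOIN
%LWAPP-3-CLIENTERRORLOG: Join Timer: did not recieve join response (controller - 2169-WLC4402-1)
%LWAPP-3-CLIENTERRORLOG: Set Transport Address: no more AP manager IP addresses remain
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: DID NOT GET JOIN RESPONSE.
%LWAPP-5-CHANGED: LWAPP changed state to DOWN
"""

# "recieve" is spelled that way in the IOS message itself, so the pattern keeps it.
PATTERNS = {
    "dhcp": re.compile(r"assigned DHCP address ([\d.]+), mask ([\d.]+)"),
    "no_option43": re.compile(r"Did not get vendor specific options from DHCP"),
    "controller": re.compile(r"Controller address (\S+) obtained through (\w+)"),
    "state": re.compile(r"LWAPP changed state to (\w+)"),
    "join_fail": re.compile(r"did not recieve join response \(controller - ([^)]+)\)"),
    "no_ap_manager": re.compile(r"no more AP manager IP addresses remain"),
    "reload": re.compile(r"Reload Reason: (.+?)\.?$"),
}


def parse_ap_join_log(lines: List[str]) -> Dict:
    """Reduce an AP console log to the facts that matter for a join failure."""
    s = {
        "dhcp_address": None, "dhcp_mask": None, "option43_present": True,
        "controller_address": None, "discovery_method": None, "states": [],
        "join_failed_controller": None, "ap_manager_exhausted": False,
        "reload_reason": None,
    }
    for raw in lines:
        line = raw.strip()  # timestamps like "*Mar 1 00:00:28.133:" are harmless to search()
        if m := PATTERNS["dhcp"].search(line):
            s["dhcp_address"], s["dhcp_mask"] = m.group(1), m.group(2)
        elif PATTERNS["no_option43"].search(line):
            s["option43_present"] = False
        elif m := PATTERNS["controller"].search(line):
            s["controller_address"], s["discovery_method"] = m.group(1), m.group(2)
        elif m := PATTERNS["state"].search(line):
            s["states"].append(m.group(1))
        elif m := PATTERNS["join_fail"].search(line):
            s["join_failed_controller"] = m.group(1)
        elif PATTERNS["no_ap_manager"].search(line):
            s["ap_manager_exhausted"] = True
        elif m := PATTERNS["reload"].search(line):
            s["reload_reason"] = m.group(1)
    return s


def diagnose(s: Dict) -> List[str]:
    """Turn the summary into the questions a reviewer would ask next."""
    hints = []
    if s["controller_address"] is None:
        hints.append("discovery failed: the AP never learned a controller address "
                     "(no option 43, no DNS record, no L2 broadcast reply)")
        return hints
    if not s["option43_present"]:
        hints.append(f"discovery relied on {s['discovery_method']} because DHCP option 43 "
                     "was absent; fine as long as that record is maintained")
    if s["join_failed_controller"]:
        hints.append(f"discovery reached {s['controller_address']} but the join to "
                     f"{s['join_failed_controller']} timed out: check AP capacity on the "
                     "controller, controller firmware vs AP image, and duplicate IPs on "
                     "the AP-manager subnet")
    if s["ap_manager_exhausted"]:
        hints.append("every AP-manager address was tried; confirm the AP-manager "
                     "interface is reachable from the AP subnet, not only the management IP")
    return hints


if __name__ == "__main__":
    summary = parse_ap_join_log(SAMPLE_AP_LOG.splitlines())
    for hint in diagnose(summary):
        print("-", hint)
```

Feed it `show log` output or a console capture line by line; because the patterns are applied with `search()`, the `*Mar 1 ...` timestamp prefixes present on some lines and absent on others make no difference.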

  • Converged Access Design Help (Catalyst 3850 and WLC 5508...Mobility Oracle)

    Hello,
    I am an engineer working with a Cisco Gold Partner in Saudi Arabia. We have a large university as our client where they are constructing a new building and require our services to build the network infrastructure. Therefore, we are to implement the routing and switching infrastructure as well as the wireless solution.
    At present, I have no issues in implementing the R&S infrastructure as it is very straightforward, but it has implications on the deployment of the wireless solution which I explain further below. The R&S infrastructure comprises the typical Core, Distribution, and Access layers and we are focusing on the local distribution and access switches with regard to the new building. The client has a converged Layer 3 network spanning from the distribution layer to the core layer and they are running EIGRP for this convergence. This is not a problem and has already been implemented.
    Yet, the challenge arises in deploying the WLAN infrastructure. The client already has a Cisco WLAN infrastructure in place where they have a large number of LAPs that are registered with their controllers in the Data Center. They have two WLC 5508 where one is the Primary and the other the Secondary. The local distribution switch to which the WLCs are connected is also the gateway for the SVIs for the SSIDs that are configured on the controllers. This means that once the packets from the AP come in to the WLC, they are tagged with the correct VLAN and sent to the directly connected distribution switch, which then routes them into the rest of the Layer 3 network. Interestingly, the WLC 5508s are running AireOS 7.6 and support the "New Mobility" feature. The two controllers have formed a Mobility Group (MG) between each other.
    Now, the new building will have two Catalyst 3850 switches installed where each one has a total of 40 AP licenses pre-installed and activated, i.e. a total of 80 APs can be supported by the two switches. A total of 67 LAPs will be deployed in the new building, which can be accommodated between the two switches and their integrated controller.
    Yet, based on my understanding and research about Converged Access, ideally the Catalyst 3850 will only run the Mobility Agent (MA) feature while a central controller would provide the Mobility Controller (MC) service. Unfortunately, there are not enough licenses on the existing WLC 5508, nor can we migrate the new licenses that would facilitate such a split deployment.
    This means that I would need to configure the two Catalyst 3850 as independent MCs and form an MG between them. I have done this and tested this already and the mobility is working fine. But my concern is not about getting the Catalyst 3850 to work, as this is simple, but rather it is focused on creating a common Mobility Domain (MD) so that clients can roam from this new building to the rest of the campus while maintaining the state of their connections to the WLAN infrastructure.
    To make things more complicated, since the new building will have its own Layer 3 distribution switch and the Catalyst 3850 switches will connect to this distribution switch, it means that new VLANs and SVIs need to be created for the SSIDs broadcast in the new building. This means that new subnets need to be assigned to the SSIDs.
    As such, I have the following questions:
    Q1) If we create new SVIs for the SSIDs (the same SSID names will be used in the new building as in the rest of the university campus), this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options... one is to make the new Catalyst 3850s be in the same MG as the existing WLC 5508, which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is the better option?
    Q2) I could create separate MGs, i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate Layer 3 client roaming and RRM for all the controllers in the same MD?
    Q3) If I do create an MD, how is this accomplished in such an environment, since the documentation is severely limited in this regard?
    Please advise at your earliest. To assist further, I have attached a topology diagram which may aid in explaining the situation with more clarity. If these things are clarified, I will be better able to wrap my head around the technology and in turn service my clients better.
    Regards,
    Amir

    Hi Amir,
    Q1) If we create new SVIs for the SSIDs (the same SSID names will be used in the new building as in the rest of the university campus), this means that new subnets will be assigned to these SSIDs. Now, I believe I have two options... one is to make the new Catalyst 3850s be in the same MG as the existing WLC 5508, which then caters for Layer 3 client roaming, or I have to treat this as a totally separate WLAN network and follow on to the solution as per the next question. Please advise which is the better option?
    I would configure them in the same mobility group. Also configure the same SPG for those two 3850 stacks if users are frequently roaming within these two buildings.
    Q2) I could create separate MGs, i.e. the new building Catalyst 3850s can be in one MG and the existing controllers can be in another MG. I can then have one of the existing WLC 5508 (the primary one) run the Mobility Oracle (MO) feature so as to create a single Mobility Domain (MD). Would this facilitate Layer 3 client roaming and RRM for all the controllers in the same MD?
    MO is not required (it is only for very large-scale deployments).
    Q3) If I do create a MD, how is this accomplished in such an environment since the documentation is severely limited in this regard?
    Yes, documents are hard to find :(
    These notes may be useful to you based on my experience. I am running IOS-XE 3.6.1 in my production.
    http://mrncciew.com/2014/05/06/configuring-new-mobility/
    http://mrncciew.com/2013/12/14/3850ma-with-5760mc/
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • WLC 5508 with LAP-1142n - Several Errors

    Hello all,
    I have installed a WLC 5508 with 7 LAP 1142n and 2 converted AP 1131abg.
    I am seeing some errors relating to 2 issues.
    1st - One particular AP 1142 is disassociating and resetting the radios.
    Thu Oct 28 11:50:49 2010
    AP's Interface:0(802.11b)   Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
    Thu Oct 28 11:50:49 2010
    AP's Interface:0(802.11b)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
    Thu Oct 28 11:50:49 2010
    AP's Interface:1(802.11a)   Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
    Thu Oct 28 11:50:49 2010
    AP's Interface:1(802.11a)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
    Thu Oct 28 11:50:46 2010
    AP's Interface:1(802.11a) Operation   State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio reset due to Init.   Status:NA
    Thu Oct 28 11:50:46 2010
    AP's Interface:0(802.11b)   Operation State Up: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio reset due to   Init. Status:NA
    Thu Oct 28 11:50:46 2010
    AP 'AP3', MAC:   e8:04:62:23:ac:e0 disassociated previously due to AP Reset. Uptime: 1 days,   10 h 24 m 23 s . Last reset reason: operator changed 11g mode.
    Thu Oct 28 11:50:35 2010
    AP Disassociated. Base Radio   MAC:e8:04:62:23:ac:e0
    Thu Oct 28 11:50:35 2010
    AP's Interface:1(802.11a)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=New Discovery Status:NA
    Thu Oct 28 11:50:35 2010
    AP's Interface:0(802.11b) Operation   State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=New Discovery Status:NA
    I have done some searching, and the "New Discovery" cause might be that the AP didn't know which WLC to associate with, in a multi-controller environment. This is not the case. I only have one WLC in the same management VLAN.
    2nd - The RADIUS server is being reported in the logs as deactivated. I raised the server timeout in the RADIUS configuration options, but it still continues to do it.
    Thu Oct 28 10:24:41 2010
    RADIUS server 10.67.128.36:1812 deactivated in global list
    Thu Oct 28 10:24:41 2010
    RADIUS server 10.67.128.36:1812 failed to respond to request (ID 172)   for client e8:06:88:51:c0:2b / user 'unknown'
    Does this mean the WLC stops sending requests to the RADIUS server? We don't have a backup RADIUS.
    As far as I know, it's always the same client MAC address that is associated with that error, maybe an iPhone.
    I have so many clients in that SSID and they are all working well.
    The RADIUS server is an NPS on Windows Server 2008, and the client says that the average response time is 0.02 sec, so I'm wondering why the controller is not getting a response from RADIUS for a particular client?! My client also says that they didn't find any log related to that client MAC address... which is weird...
    WLC with the latest software available, 7.0.164.
    Hope someone can help me here.
    Best Regards,
    Bruno Petrónio

    Thanks Scott,
    I understand what you are mentioning, and I really didn't do it yet.
    I realize that the primary controller was not configured on the Wireless –> All APs –> High Availability tab, and did it only for the AP that is showing this behaviour.
    Is this mandatory for 1 controller only?
    No matter what the manual says, after that the AP is rebooting every 2 minutes... with the same kind of messages.
    The interface on the switch is getting a few input errors and the same number of CRCs... but they are so few...
    Next step... I will change it to another one's place/patch cable.
    Regarding the RADIUS messages... any ideas?
    I'm already on 30 secs of server timeout.
    Best Regards,
    Bruno Petrónio
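Both questions in this thread (is the one AP resetting for a cause the controller names, and is the RADIUS server really failing or is it one client) are answerable from the trap log once it is parsed instead of read. The Python below is an added example, not from the thread or from Cisco; it parses the two-line trap format quoted above (timestamp line, then message line), tolerating the run-on spaces the copy-paste left inside messages, and aggregates RADIUS timeouts per client MAC and radio events per cause. The sample excerpt is constructed from the quoted entries; the extra RADIUS failures for the same client and for a second MAC are my assumption for illustration, not the poster's data.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed trap-log excerpt in the two-line format quoted in the post
# (timestamp line, then message line). The additional failures for the same
# client MAC and the second MAC are assumed for illustration.
SAMPLE_TRAP_LOG = """\
Thu Oct 28 11:50:49 2010
AP's Interface:0(802.11b)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=Radio interface   reset. Status:NA
Thu Oct 28 11:50:46 2010
AP 'AP3', MAC:   e8:04:62:23:ac:e0 disassociated previously due to AP Reset. Uptime: 1 days,   10 h 24 m 23 s . Last reset reason: operator changed 11g mode.
Thu Oct 28 11:50:35 2010
AP's Interface:1(802.11a)   Operation State Down: Base Radio MAC:e8:04:62:23:ac:e0 Cause=New Discovery Status:NA
Thu Oct 28 10:24:41 2010
RADIUS server 10.67.128.36:1812 deactivated in global list
Thu Oct 28 10:24:41 2010
RADIUS server 10.67.128.36:1812 failed to respond to request (ID 172)   for client e8:06:88:51:c0:2b / user 'unknown'
Thu Oct 28 09:58:02 2010
RADIUS server 10.67.128.36:1812 failed to respond to request (ID 140)   for client e8:06:88:51:c0:2b / user 'unknown'
Thu Oct 28 09:31:17 2010
RADIUS server 10.67.128.36:1812 failed to respond to request (ID 101)   for client 00:11:22:33:44:55 / user 'unknown'
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d \d{4}$")
MAC = r"([0-9a-f:]{17})"
RADIUS_FAIL = re.compile(rf"RADIUS server (\S+) failed to respond to request \(ID (\d+)\) for client {MAC}")
RADIUS_DEACT = re.compile(r"RADIUS server (\S+) deactivated")
RADIO_STATE = re.compile(rf"AP's Interface:(\d)\((802\.11\w)\) Operation State (Up|Down): "
                         rf"Base Radio MAC:{MAC} Cause=(.+?)\.? Status:")
AP_RESET = re.compile(rf"AP '([^']+)', MAC: {MAC} disassociated previously due to (.+?)\."
                      r".*Last reset reason: (.+?)\.$")


@dataclass
class Trap:
    ts: str
    kind: str
    fields: Dict[str, str]


def classify(message: str) -> Tuple[str, Dict[str, str]]:
    """Map one normalised trap message to a kind and its extracted fields."""
    if m := RADIUS_FAIL.search(message):
        return "radius_fail", {"server": m[1], "req_id": m[2], "client": m[3]}
    if m := RADIUS_DEACT.search(message):
        return "radius_deactivated", {"server": m[1]}
    if m := RADIO_STATE.search(message):
        return "radio_state", {"slot": m[1], "band": m[2], "state": m[3], "radio": m[4], "cause": m[5]}
    if m := AP_RESET.search(message):
        return "ap_reset", {"ap": m[1], "radio": m[2], "reason": m[3], "last_reset": m[4]}
    return "other", {"text": message}


def parse_trap_log(text: str) -> List[Trap]:
    """Pair each timestamp line with the message that follows it, collapsing the
    runs of spaces the web UI / copy-paste leaves inside messages."""
    traps, ts = [], ""
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if not line:
            continue
        if TIMESTAMP.match(line):
            ts = line
            continue
        kind, fields = classify(line)
        traps.append(Trap(ts, kind, fields))
    return traps


def radius_failures_by_client(traps: List[Trap]) -> Counter:
    return Counter(t.fields["client"] for t in traps if t.kind == "radius_fail")


def dominant_failing_client(traps: List[Trap]) -> Tuple[str, float]:
    """(client MAC, share of all RADIUS timeouts) for the noisiest client.
    A share near 1.0 points at one misbehaving supplicant rather than the server."""
    counts = radius_failures_by_client(traps)
    total = sum(counts.values())
    if not total:
        return "", 0.0
    mac, n = counts.most_common(1)[0]
    return mac, n / total


def radio_causes(traps: List[Trap], radio_mac: str) -> Counter:
    return Counter(t.fields["cause"] for t in traps
                   if t.kind == "radio_state" and t.fields["radio"] == radio_mac)


if __name__ == "__main__":
    traps = parse_trap_log(SAMPLE_TRAP_LOG)
    print("RADIUS timeouts per client:", dict(radius_failures_by_client(traps)))
    print("noisiest client:", dominant_failing_client(traps))
    print("radio causes for AP3:", dict(radio_causes(traps, "e8:04:62:23:ac:e0")))
```

When the share returned by `dominant_failing_client` sits near 1.0, the controller's "server deactivated" trap is being driven by one supplicant that never completes its exchange, which is a different problem from an NPS that is slow for everyone; the per-cause radio counter separates the controller-initiated resets ("operator changed 11g mode", "New Discovery") from link problems on the switch port.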

  • Best Practice for NM-WLC ?

    In the last couple of weeks, I have been trying to set up an NM-AIR-WLC6-K9 in a 2811 router.
    I tried various setup combinations as described in:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807112e2.shtml
    My network is very simple (just a few subnets with a router-on-a-stick in between), and initially I wanted to place all the wireless clients in the same subnet as the wired clients.
    The only way I could get that to work was by using BVI and sub-interfaces on the 2811 hosting the NM-WLC. (This 2811 is not the default gateway / router-on-a-stick. I have another router that enables routing between subnets.)
    While that works, I have a problem with SNMP reply packets that get sent from the NM-WLC to the wired/wireless subnet.
    Finally, I have come to the conclusion (perhaps incorrectly, and therefore this post) that the best way to set up wireless clients is:
    1. To have them in their own separate subnets.
    2. Have a separate subnet for the WLC.
    So for example:
    Data Net: 10.1.1.0/24 (wired)
    Voice Net: 10.1.2.0/24 (wired)
    Wireless Net: 10.1.3.0/24 (wifi)
    Network for WLC Management and AP: 10.1.10.0/24 (wlan-controller subnet)
    Can anyone who uses an NM-WLC please share their thoughts?
    Thanks

    I have the same hardware setup and I'm having issues as well. I'd like to see what you and others have done.
    I can't figure out how to get traffic from outside the router to enter the WLC. I've configured my int service-module wlan-controller 1/0 with an IP, and then configured the controller mgmt interface IP on the same subnet.
    If I plug my laptop into the router, I cannot browse to the WLC GUI or even ping it.

  • WLC cert to avoid the security warning page

    Hi guys,
    I am doing some tests with installing a 3rd-party cert on a WLC to avoid the security warning page when trying to access the WLC through HTTPS, and I am following the following configuration example:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml
    I have followed the same procedures given in the above document, and I am using a Windows CA to sign the CSR just for a test. I could install the final .pem cert successfully onto the WLC; however, I am still getting the same warning page when I try to log in to the WLC through HTTPS. I have checked my certificate store and I have trusted the root CA, which is the Windows CA in this case.
    I have also tried to access the WLC from the CA server (Windows 2008 box) and am still getting the same warning message.
    So what should I do in order to make this work with the Windows CA? Did I miss something in the configuration?
    Thanks in advance for your time and help.
    Andy

    OK guys... I was wrong last time... actually, after double-checking again, it was NOT working... I think I just simply trusted the cert last time when I was using Firefox...
    I have tried a number of different things and double-checked the places mentioned previously in this thread; however, I could not pick up anything wrong in particular, although I know there must be something I have missed...
    So this time I have also read through some other references on the web, and found the following:
    http://www.my80211.com/home/2011/1/16/wlcgenerate-third-party-web-authentication-certificate-for-a.html
    I think I did a very similar config and the only difference is that I am using an unchained cert.
    I have double-checked the following:
    On the virtual interface configuration, I have IP address 1.1.1.1 and DNS host name "wlc2112.mydomain.local".
    From the controller GUI --> Security --> Web Auth --> Certificate, under Subject Name I have CN=wlc2112.mydomain.local; however, under Issuer Name I have CN=mydomain. This is a bit different from the last screenshot in the above link. Could this be a problem?
    In Windows 2003 Server, in the DNS server I have a record called "wlc2112" with IP address 1.1.1.1.
    As mentioned by Scott previously, I went to the MMC certificate snap-in, and under Trusted Root Certification Authorities I have installed the WLC cert there, and I can see it there as well.
    Now if I try to access the WLC GUI from here I am still getting the same error message as the one below:
    http://www.vistaclues.com/the-security-certificate-presented-by-this-website-was-issues-for-a-different-website%E2%80%99s-address/
    I then followed the instructions and continued to the website, and when I go to File --> Properties --> Certificate, it actually shows the certificate is issued to 169.254.1.1 and issued by 169.254.1.1, with a red cross on the cert itself... I have no idea where this comes from, so I just want to ask: when I try to access the WLC GUI through a web browser, after I type in https://wlc-ip-address, how does the browser know / search for which certificate it needs to look at? I think in my case here it clearly points to the wrong certificate?
    Also, on the server I went to http://127.0.0.1/certsrv and selected "Download a CA certificate, certificate chain, or CRL" and then "Install this CA certificate chain". Does this mean I acknowledge trusting the root CA by doing this?
    I am not sure what I have missed, but it just does not work for some reason... Are there any other places that I need to check/verify?
    Sorry for the long write-up, but any comments would be highly appreciated.
    Thanks in advance for your help.
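    The "issued for a different website's address" warning above is a name-match failure, not a trust failure: the browser takes the host part of the URL typed into the address bar and compares it with the certificate's subjectAltName DNS entries (or, for a certificate with no SAN, the subject CN). Trusting the root CA does not help when the URL is an IP address or a short name and the certificate carries only the FQDN. The following Python script is an added example (not code from the thread or from Cisco) that performs that comparison the way a browser does, on certificate summaries in the layout Python's ssl.SSLSocket.getpeercert() returns. The CN-only certificate mirrors the post (CN=wlc2112.mydomain.local, issuer CN=mydomain); the SAN-bearing variant and the address 192.0.2.10 are constructed assumptions.

```python
"""Check whether the host in a URL matches the names in a server certificate.

Added example; certificate contents below are constructed, not captured.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Certificate summaries in the dict layout of ssl.SSLSocket.getpeercert().
# CN/issuer values mirror the thread; the SAN variant and IP are assumptions.
WLC_CERT_CN_ONLY = {
    "subject": ((("commonName", "wlc2112.mydomain.local"),),),
    "issuer": ((("commonName", "mydomain"),),),
}
WLC_CERT_WITH_SAN = {
    "subject": ((("commonName", "wlc2112.mydomain.local"),),),
    "issuer": ((("commonName", "mydomain"),),),
    "subjectAltName": (
        ("DNS", "wlc2112.mydomain.local"),
        ("IP Address", "192.0.2.10"),  # assumed management IP
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, exact match, or a single
    leading wildcard label (*.example.com) covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".example.com"
        return hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]
    return False


def certificate_names(cert: dict) -> tuple[list[str], list[str]]:
    """Return (dns_names, ip_addresses) the certificate is valid for.
    The subject CN is consulted only when the certificate has no SAN at all,
    which is how modern browsers behave."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    if not dns_names and not ip_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_names


def url_matches_certificate(url: str, cert: dict) -> tuple[bool, str]:
    """Return (ok, explanation) for the host component of `url`."""
    host = urlsplit(url).hostname or ""
    dns_names, ip_names = certificate_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # host is a DNS name, not an IP literal
    if ip is not None:
        # An IP literal in the URL is only accepted against an IP SAN entry.
        if any(ipaddress.ip_address(n) == ip for n in ip_names):
            return True, f"{host} is listed as an IP SAN"
        return False, (f"URL host is the IP {host}, but the certificate is issued "
                       f"for {dns_names or ip_names}; the browser will warn")
    for name in dns_names:
        if _dns_name_matches(name, host):
            return True, f"{host} matches certificate name {name}"
    return False, f"{host} matches none of {dns_names}; the browser will warn"


if __name__ == "__main__":
    for url in ("https://wlc2112.mydomain.local/", "https://wlc2112/", "https://192.0.2.10/"):
        for label, cert in (("CN-only", WLC_CERT_CN_ONLY), ("with SAN", WLC_CERT_WITH_SAN)):
            ok, why = url_matches_certificate(url, cert)
            print(f"{url:35} {label:9} {'OK  ' if ok else 'WARN'} {why}")
```

    Running it shows that the CN-only certificate is accepted only when the WLC is reached as https://wlc2112.mydomain.local; browsing to the bare short name or to the management IP fails the match even though the issuing CA is trusted. The fix is either to browse by the FQDN in the certificate (with a DNS record for that FQDN pointing at the management IP) or to request a certificate whose SAN lists every name and address the controller will be reached by.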

  • AIR-CAP3702I booting up in mesh mode and not joining our 5508 WLC

    I have a batch of 30+ AIR-CAP3702I-A-K9 APs that I need to set up, but none of them are joining the 5508 WLC, and when I connect a console cable and view the output from the AP it shows that it is trying to initiate in mesh mode. I have read other forums that say I need to put the AP's MAC address in a filter list on the WLC for it to show up, and then I will be able to change it from mesh mode to local mode. The only issue I'm having with that solution is not knowing how it will affect my current production environment on that 5508 WLC. I have 69 active production APs with clients working off them, and there are no MAC filters currently in place on the WLC. By adding a MAC filter entry for the new APs, would the WLC create an implicit deny for all other clients that don't have their MAC addresses entered? If so, is there another workaround? Can the mode be changed via the CLI on the AP itself to make it local instead of mesh?

    sh capwap client rcb
    AdminState                  :  ADMIN_ENABLED
    SwVer                       :  7.6.1.118
    NumFilledSlots              :  2
    Name                        :  AP88f0.4290.7184
    Location                    :  default location
    MwarName                    :  xxxxx
    MwarApMgrIp                 :  x.x.x.x !<it has the correct name and IP of the WLC>
    MwarHwVer                   :  0.0.0.0
    ApMode                      :  Bridge
    ApSubMode                   :  Not Configured
    OperationState              :  JOIN
    CAPWAP Path MTU             :  576
    LinkAuditing                :  disabled
    ApRole                      :  MeshAP
    ApBackhaul                  :  802.11a
    ApBackhaulChannel           :  0
    ApBackhaulSlot              :  2
    ApBackhaul11gEnabled        :  0
    ApBackhaulTxRate            :  24000
    Ethernet Bridging State     :  0
    Public Safety State         :  disabled
    AP Rogue Detection Mode     :  Enabled
    AP Tcp Mss Adjust           :  Disabled
    AP IPv6 TCP MSS Adjust      :  Disabled
    Predownload Status          :  None
    Auto Immune Status          :  Disabled
    RA Guard Status             :  Disabled
    Efficient Upgrade State     :  Disabled
    Efficient Upgrade Role      :  None
    TFTP Server                 :  Disabled
    Antenna Band Mode           :  Unknown
    802.11bg(0) Radio
    ADMIN  State =  ENABLE [1]
    OPER   State =    DOWN [1]
    CONFIG State =      UP [2]
    HW     State =      UP [4]
      Radio Mode                : Bridge
      GPR Period                : 0
      Beacon Period             : 0
      DTIM Period               : 0
      World Mode                : 1
      VoceraFix                 : 0
      Dfs peakdetect            : 1
      Fragmentation Threshold   : 2346
      Current Tx Power Level    : 0
      Current Channel           : 11
      Current Bandwidth         : 20
    802.11a(1) Radio
    ADMIN  State =  ENABLE [1]
    OPER   State =    DOWN [1]
    CONFIG State =      UP [2]
    HW     State =      UP [4]
      Radio Mode                : Bridge
      GPR Period                : 0
      Beacon Period             : 0
      DTIM Period               : 0
      World Mode                : 1
      VoceraFix                 : 0
      Dfs peakdetect            : 1
      Fragmentation Threshold   : 2346
      Current Tx Power Level    : 1
      Current Channel           : 165
      Current Bandwidth         : 20
    It is showing the following error on our WLC in the log file:
    Tue Jul 15 14:01:26 2014
    AAA Authentication Failure for UserName:88f042907184 User Type: WLAN USER
    And here are some of the errors it's showing on the AP after bootup:
    *Jul 15 17:47:30.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
    *Jul 15 17:47:31.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:31.031: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:31.039: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:31.047: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jul 15 17:47:32.067: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:33.067: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:35.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
    *Jul 15 17:47:35.471: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.x.x.x
    *Jul 15 17:47:35.475: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:35.483: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
    *Jul 15 17:47:36.475: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
    *Jul 15 17:47:36.503: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
    *Jul 15 17:47:37.503: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
    *Jul 15 17:48:15.007: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
    *Jul 15 17:48:15.007: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join failed expired
    *Jul 15 17:48:15.007: %MESH-6-LINK_UPDOWN: Mesh station 88f0.4290.7184 link Down
    *Jul 15 17:48:17.007: %LINK-6-UPDOWN: Interface BVI1, changed state to down
    *Jul 15 17:48:22.507: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to down
    *Jul 15 17:59:10.099: %CAPWAP-3-ERRORLOG: Invalid event 31 & state 4 combination
    *Jul 15 17:59:10.099: %CAPWAP-3-ERRORLOG: SM handler: Failed to process timer message. Event 31, state 4
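    The three pieces of evidence in the post fit together: the AP reports ApMode Bridge / ApRole MeshAP, the controller answers the Join Request with a DTLS close-notify and the mesh join timer expires, and the WLC logs an AAA failure for the username 88f042907184, which is the AP's own MAC (AP88f0.4290.7184) written without separators. The following Python script is an added example (not from the thread or from Cisco) that parses the quoted `sh capwap client rcb` output and the two log excerpts, normalises the MAC formats so the WLC username can be matched to the AP name, and reports those findings. The sample text is copied from the post with its x.x.x.x placeholders; the finding codes and messages are my own.

```python
"""Triage a non-joining Cisco AP from its CAPWAP state and log excerpts.

Added example. Sample input is taken from the thread; signatures are mine.
"""
from __future__ import annotations

import re

CAPWAP_RCB = """\
AdminState                  :  ADMIN_ENABLED
SwVer                       :  7.6.1.118
Name                        :  AP88f0.4290.7184
MwarApMgrIp                 :  x.x.x.x !<it has the correct name and IP of the WLC>
ApMode                      :  Bridge
ApSubMode                   :  Not Configured
OperationState              :  JOIN
ApRole                      :  MeshAP
802.11bg(0) Radio
ADMIN  State =  ENABLE [1]
"""

AP_LOG = """\
*Jul 15 17:47:30.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
*Jul 15 17:47:35.471: %CAPWAP-5-SENDJOIN: sending Join Request to x.x.x.x
*Jul 15 17:47:35.471: %DTLS-5-ALERT: Received WARNING : Close notify alert from x.x.x.x
*Jul 15 17:48:15.007: %MESH-3-TIMER_EXPIRED: Mesh Lwapp join timer expired
*Jul 15 17:48:15.007: %MESH-6-LINK_UPDOWN: Mesh station 88f0.4290.7184 link Down
"""

WLC_LOG = """\
Tue Jul 15 14:01:26 2014
AAA Authentication Failure for UserName:88f042907184 User Type: WLAN USER
"""

_MNEMONIC = re.compile(r"%([A-Z0-9_]+-\d-[A-Z0-9_]+)")
_AAA_FAIL = re.compile(r"AAA Authentication Failure for UserName:(\S+)")


def parse_rcb(text: str) -> dict[str, str]:
    """Turn 'Key : value' lines into a dict; radio sub-sections (which use
    '=') and the poster's inline '!<...>' annotations are skipped."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        value = value.split("!<", 1)[0]
        fields[key.strip()] = value.strip()
    return fields


def normalize_mac(raw: str) -> str:
    """'88f0.4290.7184', '88:F0:42:90:71:84' and '88f042907184' -> '88f042907184'."""
    return re.sub(r"[^0-9a-fA-F]", "", raw).lower()


def ap_mac_from_name(name: str) -> str:
    """Default AP names are 'AP' + the Ethernet MAC in dotted form."""
    if not name.startswith("AP"):
        return ""
    mac = normalize_mac(name[2:])
    return mac if len(mac) == 12 else ""


def syslog_mnemonics(text: str) -> list[str]:
    """Extract FACILITY-SEVERITY-MNEMONIC tokens from IOS-style log lines."""
    return _MNEMONIC.findall(text)


def aaa_failure_usernames(text: str) -> list[str]:
    return _AAA_FAIL.findall(text)


def triage(rcb_text: str, ap_log: str, wlc_log: str) -> list[tuple[str, str]]:
    """Return (code, explanation) findings for the join failure."""
    rcb = parse_rcb(rcb_text)
    events = set(syslog_mnemonics(ap_log))
    findings: list[tuple[str, str]] = []

    if rcb.get("ApMode") == "Bridge" or rcb.get("ApRole") == "MeshAP":
        findings.append(("MESH_MODE",
                         f"ApMode={rcb.get('ApMode')} ApRole={rcb.get('ApRole')}: "
                         "the AP is running as a mesh/bridge AP, not in local mode"))

    if "DTLS-5-ALERT" in events and "MESH-3-TIMER_EXPIRED" in events:
        findings.append(("JOIN_ABORTED",
                         "the controller closed the DTLS session right after the "
                         "Join Request and the mesh join timer then expired"))

    ap_mac = ap_mac_from_name(rcb.get("Name", ""))
    rejected = {normalize_mac(u) for u in aaa_failure_usernames(wlc_log)}
    if ap_mac and ap_mac in rejected:
        findings.append(("AP_MAC_REJECTED",
                         f"WLC AAA failure username {ap_mac} is this AP's own MAC: "
                         "the controller is refusing the AP itself (mesh-AP MAC "
                         "authorization), not a wireless client"))
    return findings


if __name__ == "__main__":
    for code, why in triage(CAPWAP_RCB, AP_LOG, WLC_LOG):
        print(f"{code:16} {why}")
```

    The correlation step is the useful part for an operator: the "WLAN USER" wording in the controller log looks like a client problem, but once the username is normalised it equals the AP's MAC, so the rejection is of the access point. On the poster's worry about production clients, a MAC filter entry on the controller is consulted for wireless clients only on WLANs where MAC filtering is enabled, so adding entries for the new APs does not by itself create a deny for clients on the existing WLANs.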

  • Ap not showing up in wlc

    Hey All,
    I have an AP that is not showing up in the WLC. When I place the AP on a different VLAN to the WLC it shows up in the WLC, but once it is placed on the same VLAN as the WLC it doesn't show up at all. The VLAN the WLC is on has spare IPs in DHCP, so it's not that. Here is a log from the WLC when that AP is not on the same VLAN:
    Last AP Connection Failure -
    Last Error Occurred Lwapp join request rejected
    Last Error Occurred Reason Reachability info not found
    Clients are joining up with the AP (very odd??).
    But once it is on the same VLAN as the WLC it doesn't show up.
    Thanks

    We are running version 7.0.98.0.
    It shows up on the switch in CDP but not on the WLC (tested in different VLANs).
    The AP is an AIR-LAP1231G-A-K9.
    Also, the AP has an IP in VLAN 1, but when it goes to VLAN 10 (the VLAN with the WLC on it), in CDP neighbors it still has the IP from VLAN 1.

  • Certificate problem (webauth and WLC/WCS login pages)

    Hello,
    When I try to web in to the WCS or the WLC controls I get a message saying that the certificate could not be verified. I can add it into the trusted CA on IE6 but the message will still pop up anyway. It also says "The name on the security certificate is invalid or does not match the name of the site".
    This problem is also happening for the WebAuth login page. This is more critical for me, as we have two WLANs which require WebAuth. When the clients use IE6 or Firefox it's not an issue, but when using IE7 it seems to randomly drop their connection due to the certificate being viewed as 'invalid' by the browser, forcing them to reauthenticate. I need to get this figured out and resolved so that the wireless webauth network is more reliable - I can't expect people to not upgrade to IE7.
    Has anyone managed to get through this problem without purchasing a valid certificate from a CA like Verisign? Let me know please!
    Thanks,
    Jeff
    P.S. My WCS is version 4.0.97.0 and I just upgraded my WLCs to 4.0.217.0 with plans to upgrade to the new 4.1.171.0 in the next week.

    Received this from TAC which may play into your issue.
    The description of the Microsoft post-login bug is as follows but we have the code with this fix in the attached:
    There is known bug filed with Microsoft in reference to the tag. There
    is also one with Netscape. The work-around is below:
    The Pragma statement fails in IE because of the way IE caches files.
    There is a 64K buffer that must be filled before a page is cached in
    IE. The problem is that the vast majority of the pages using the Pragma
    statement put it between the HEAD tags.
    The HEAD loads and the Pragma comes into play. The browser gets the go
    ahead to not cache the page, however there is not yet a page to not
    cache. Since the page hasn't filled the 64K buffer, there's no page so
    the Pragma is ignored. Thus...the page is cached.
    The solution is to play to the buffer. If you're really serious about
    the Pragma working, place another set of HEAD tags at the bottom of the
    document, before the end HTML tag and re-enter the Pragma. This is a
    suggestion straight from Microsoft Support. The page would look like
    this:
    Text in the Browser Window

  • Using MS SQL Server 2000 for WLCS 3.50 DB

    I'm using WebLogic 6.0sp1 with Commerce Server 3.5 and I've successfully
    installed the demo. I would like to create another commerce server
    installation, this time using Microsoft SQL Server 2000 as the database
    instead of Cloudscape. I've downloaded and installed the BEA jDriver
    for MS SQL 7/2000 and tested it using dbping. My question is: where are
    the db scripts for creating and populating the commerce database? I've
    found the WLCS_320_DB_DDL_1.1.zip file on the BEA downloads site, but
    I'm concerned that this schema is for Version 3.20 of Commerce Server.
    Is there a similar file for WLCS 3.50? If not, is it safe to use this
    one?
    If this is posted in the wrong place, please let me know and I'll repost
    to the appropriate newsgroup as required.
    Sincerely,
    Michael Schulz

    Hi Michael,
    At this time SQL Server 2000 is not certified for WLCS 3.5. Since the
    schema has changed between 3.2 and 3.5, running the 3.2 scripts is not a
    good idea.
    I can tell you that certification is in progress for SQL Server 2000. Your
    best bet is to contact your Sales Representative to get an idea of when
    certification might be coming.
    I hope this helps.
    - Ginny
    "Michael Schulz" <[email protected]> wrote in message
    news:[email protected]..
    I'm using WebLogic 6.0sp1 with Commerce Server 3.5 and I've successfully
    installed the demo. I would like to create another commerce server
    installation, this time using Microsoft SQL Server 2000 as the database
    instead of Cloudscape. I've downloaded and installed the BEA jDriver
    for MS SQL 7/2000 and tested it using dbping. My question is: where are
    the db scripts for creating and populating the commerce database? I've
    found the WLCS_320_DB_DDL_1.1.zip file on the BEA downloads site, but
    I'm concerned that this schema is for Version 3.20 of Commerce Server.
    Is there a similar file for WLCS 3.50? If not, is it safe to use this
    one?
    If this is posted in the wrong place, please let me know and I'll repost
    to the appropriate newsgroup as required.
    Sincerely,
    Michael Schulz
