WLC and ap vlan communication

Unanswered Question
Nov 1st, 2007


I have a need to vlan tag traffic between my wlc and aps. I see where you can set this under controller -> interfaces -> management and ap-manager interfaces and vlan identifier. My question is...once this is done, how does the ap know to tag its traffic bound for the wlc? Is there a command I need to run on the ap? Or is there something I can do in the wlc software?


dennischolmes Thu, 11/01/2007 - 08:32

I would use a separate VLAN identifier for the APs from my client SSID/WLANs. For the WLANs, add a dynamic interface for each in the subnet it exists. Make sure to tag the appropriate VLAN tag here. You can do the same thing for the APs on the mgt and AP mgr interfaces. Make sure all ports on the switches are trunked for appropriate VLANs. Once this is done the APs get their configuration from the controller. You only must ensure that they can discover the controller. You can achieve this through the use of option 43, DNS discovery, or priming the APs.

luthierone Thu, 11/01/2007 - 10:17


That's what I gathered from Cisco's site when they said that LWAPP APs don't understand VLAN tagging. So I just set them up in another subnet and used DNS to find the CISCO-LWAPP-CONTROLLER. I have two WLANs; one is a guest WLAN that uses the Cisco controller to authenticate. That one is working great with the new APs. The other, however, uses a Microsoft IAS server for auth, and that doesn't seem to be working with the new APs in the other subnet. It does work fine with the other APs though. Is there something I overlooked?

santosengineer Sat, 11/03/2007 - 21:26

Are you using LAPs in REAP mode or H-REAP? To my understanding you can't do multiple VLANs with REAP LAPs.

luthierone Wed, 11/07/2007 - 07:37

Actually it does work...just seems to connect slower on the different subnet.


erikszewczyk Wed, 11/07/2007 - 08:08

You should be connecting your APs to access ports, not trunks; so VLAN tagging is irrelevant (even if you were to tag it the switch would overwrite). The VLANs where clients are terminated are all defined on the WLCs (which is the client data ingress/egress point).

I'd double-check your RADIUS and IAS configuration; you should have only a single client for each WLC defined in your RADIUS server, and need only one RADIUS server defined on any given WLC (although once you have it working you should set up a secondary for redundancy). Remember, it's not the APs that are performing authentication, it's the WLCs.


