Wireless LAN Controller

Unanswered Question
Feb 25th, 2009

Hello Everybody,

I have a WLC 4402 plugged into a Catalyst 4507R. My problem is I am unable to ping the WLC from a different VLAN. While reading the document about best practices, it mentions that the fiber port should be configured using dot1q encapsulation but when I try to configure that, I do not get encapsulation as an option. The wierd thing is, other ethernet ports on the switch do have encapsulation configured. Please advise!

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jeff.kish Wed, 02/25/2009 - 14:29

Some versions of IOS do not support ISL, so Dot1q is the only option for encapsulation. As such, it does not give you the option to configure encapsulation.

Rather than checking encapsulation, check to make sure the port is in trunk mode. Run the "switchport mode trunk" command on the switchport and see if that works for you.

I will say that this sounds more like a routing issue than anything. By saying that you can't ping it from other VLANs, are you implying that you can ping it from the same VLAN? If so, it sounds like your network isn't able to route to the controller.

A few questions - is this a new subnet? Can the 4507 ping the WLC? Can you ping it from the 4507 from different VLAN interfaces (will require an extended ping to test). Can you ping any other devices on the same subnet as the controller from different VLANs?

Also, make sure you're not trying to ping the AP Manager interface. This interface does not respond to pings.

Thanks,

Jeff

nickh2022 Thu, 02/26/2009 - 05:26

The IOS version is 12.2 (25).

I do have “switchport mode trunk" configured on the port already.

I can ping the WLC on the same VLAN. My computer for example is on a different VLAN and I can not ping the WLC, however from my PC I can ping other devices on the same VLAN as the WLC

It is not a new subnet. I can ping the WLC from the 4507

I am pinging the management interface and it is responding to pings.

tkhan Thu, 02/26/2009 - 05:35

Check for proper mask and default gateway configured in the WLC.

nickh2022 Thu, 02/26/2009 - 06:13

The SM and GW have the correct information. Some of my antonomus AP's have the exact same information as far as SM and GW and I can ping those devices.

tkhan Thu, 02/26/2009 - 07:15

Check your switchport config for the proper "native vlan" assignment for the controller.

nickh2022 Thu, 02/26/2009 - 07:42

I have set the "native vlan" to the appropriate vlan that the controller is located on...Still no communication.

Here is what I have configured on the Fiber port that the controller plugs in to

interface GigabitEthernet6/15

description ***Wirless Controller***

switchport trunk native vlan 20

switchport mode trunk

Now, when I set the native VLAN, I lose the ability to ping the WLC from the switch

tkhan Thu, 02/26/2009 - 07:53

The ap-manager and management interfaces should both be, "untagged", for VLAN Identifier. You set this on initial setup of the WLC.

nickh2022 Thu, 02/26/2009 - 07:55

Ok..right now I do have them "tagged" Do you believe that if I set the Native VLAN and change those two interfaces to "untagged" that it may resolve my issue?

jeff.kish Thu, 02/26/2009 - 08:05

It sounds like a potential VLAN mismatch. Best practice is to have your management interface configured for untagged traffic, so I would advise that.

Is your management interface on VLAN 20? If so, your other option would be to remove the native VLAN statement from the switchport. But I would advise making the change on the controller itself.

nickh2022 Thu, 02/26/2009 - 08:29

Ok...I changed the two interfaces mentioned above to untagged and added back the Native Vlan statement.

However, I still can not ping the WLC from outside its own VLAN.

I setup switchport trunk allowed for the two VLAN's, still no communication.

jeff.kish Thu, 02/26/2009 - 11:18

Can you ping the controller's default gateway from the controller?

tkhan Thu, 02/26/2009 - 11:59

Either clear your arp tables in your router and/or reboot your controller.

nickh2022 Thu, 02/26/2009 - 12:20

I've rebooted the controller several times.

Im just confused as to why I can not communicate.

tkhan Thu, 02/26/2009 - 12:28

Ok, enough speculation. Please post the switchport config and controller config. At least the networking part of the controller config.

nickh2022 Fri, 02/27/2009 - 07:11

I am only testing..So I can post my config. Here it is.

Cisco Controller) >show running-config

802.11a cac voice tspec-inactivity-timeout ignore

802.11a cac voice stream-size 84000 max-streams 2

802.11b cac voice tspec-inactivity-timeout ignore

802.11b cac voice stream-size 84000 max-streams 2

aaa auth mgmt local radius

Location Summary

Algorithm used: Average

Client

RSSI expiry timeout: 5 sec

Half life: 0 sec

Notify Threshold: 0 db

Calibrating Client

RSSI expiry timeout: 5 sec

Half life: 0 sec

Rogue AP

RSSI expiry timeout: 5 sec--More-- or (q)uit

Half life: 0 sec

Notify Threshold: 0 db

RFID Tag

RSSI expiry timeout: 5 sec

Half life: 0 sec

Notify Threshold: 0 db

location rssi-half-life tags 0

location rssi-half-life client 0

location rssi-half-life rogue-aps 0

location expiry tags 5

location expiry client 5

location expiry calibrating-client 5

location expiry rogue-aps 5

ap syslog host global 255.255.255.255

--More-- or (q)uit

auth-list add lbs-ssc 00:1b:24:df:f2:5c cbd944156e8248baf99fac0356770099d9dadf5

5

cdp advertise-v2 enable

dhcp create-scope Test

dhcp address-pool Test 10.1.220.50 10.1.220.60

dhcp default-router Test 10.1.220.237

dhcp enable Test

dhcp dns-servers Test 66.109.229.5 66.109.229.6

dhcp network Test 10.1.220.0 255.255.255.0

local-auth method fast server-key *****

interface create data 220

interface address ap-manager 10.1.120.251 255.255.255.0 10.1.120.237

interface address dynamic-interface data 10.1.220.237 255.255.255.0 10.1.220.237

interface address management 10.1.120.250 255.255.255.0 10.1.120.237

--More-- or (q)uit

interface address service-port 10.1.5.212 255.255.255.0

interface address virtual 1.1.1.1

interface dhcp ap-manager primary 10.1.5.45

interface dhcp dynamic-interface data primary 10.1.5.45

interface dhcp management primary 10.1.5.45

interface dhcp service-port disable

interface vlan data 220

interface port ap-manager 29

interface port data 29

interface port management 29

lag enable

load-balancing window 5

--More-- or (q)uit

memory monitor error disable

memory monitor leak thresholds 10000 30000

mesh security eap

mgmtuser add administrator **** read-write

mobility group domain MVE-WLAN

network telnet enable

network mgmt-via-wireless enable

network otap-mode disable

network rf-network-name MVE-WLAN

sessions timeout 160

snmp version v2c enable

--More-- or (q)uit

snmp version v3 enable

spanningtree port mode off 1

spanningtree port mode off 2

sysname MVE-WLC

time ntp interval 3600

time ntp server 1 192.168.1.253

wlan create 1 MVE MVE

wlan broadcast-ssid disable 1

wlan radio 1 802.11g

wlan session-timeout 1 1800

wlan wmm allow 1

wlan security static-wep-key encryption 1 104 1

--More-- or (q)uit

wlan security wpa akm 802.1x disable 1

wlan security wpa akm psk enable 1

wlan security wpa wpa1 enable 1

wlan security wpa wpa1 ciphers tkip enable 1

wlan dhcp_server 1 0.0.0.0 required required

(Cisco Controller) >

My switchport config is

interface GigabitEthernet6/15

description ***Wirless Controller***

switchport trunk native vlan 20

switchport trunk allowed vlan 2,20

switchport mode trunk

tkhan Fri, 02/27/2009 - 07:51

Hmmm...you should have a "switchport trunk encapsulation dot1q" on your switch config. Your switch should support dot1q trunking. If that doesn't work, try upgrading the IOS on the switch.

nickh2022 Fri, 02/27/2009 - 08:15

That's kind of my issue. For whatever reason when I go to setup Encapulation on that port, it is not an option. However, other ethernet ports and other fiber ports have it enabled. So I know that my IOS supports it. I have tried other fiber ports, but encapsulation is not an option on those other ports either.

tkhan Fri, 02/27/2009 - 08:27

Try another switch that you know supports dot1q trunking.

nickh2022 Fri, 02/27/2009 - 09:05

The IOS does support it. Plus other ports are configured with it.

tkhan Fri, 02/27/2009 - 10:11

Do a "show run-config" and compare it to below:

witch Configuration

802.3x Flow Control Mode......................... Disable

Current LWAPP Transport Mode..................... Layer 3

LWAPP Transport Mode after next switch reboot.... Layer 3

FIPS prerequisite features....................... Disabled

Secret obfuscation............................... Enabled

nickh2022 Fri, 02/27/2009 - 10:18

This is what I have

Switch Configuration

802.3x Flow Control Mode........ Disable

Current LWAPP Transport Mode..... Layer 3

LWAPP Transport Mode after next switch reboot.... Layer 3

FIPS prerequisite features.... Disabled

Secret obfuscation............. Enabled

tkhan Fri, 02/27/2009 - 10:28

Well, I'm all out of ideas other than taking the controller out of lag mode and configuring the switchport as a host, just to see if the controller's hardware, including gbics and cable is ok. The controller should respond at layer3 if there are no hardware issues. We have about 80 controllers in offices across the country and I have yet to see a problem at layer3 with these.

nickh2022 Fri, 02/27/2009 - 10:40

Well..I really appreciate you trying..I currently do have LAG enabled but am not taking advanatge of it...I only have 1 gbic installed. So, I do not have port-channeling enabled on the switch either. Could that be a problem?

tkhan Fri, 02/27/2009 - 11:01

Well, I think you just thought through your entire problem. You need to setup a port channel for lag mode. It will take you all of about 10 seconds! heheheh

nickh2022 Fri, 02/27/2009 - 11:57

Even if Im not technically using it because Im only using 1 distribution port on the 4402?

nickh2022 Mon, 03/02/2009 - 05:53

I disabled LAG, still can not ping the WLC outside its own VLAN

tkhan Mon, 03/02/2009 - 10:29

Start from scratch, erase config on WLC and rebuild without using LAG.

tekjansen101 Thu, 05/07/2009 - 02:55

Hi

Lets do this OSI Style !!!

Layer 1 ? Does the port come up ? Can you see port status up both on the Cisco switch and the controller ? If not there might be something wrong with:

a) cable type

b) SFP module (make sure you are using Fiber SFP and not Ethernet SFP because these are not supported by the controller)

regards...

CFayNTAdmin83 Thu, 05/07/2009 - 09:28

Hi Everyone. I just thought I'd add my 2 cents here. I'm have my WLC connected to a 4500 switch chassis. The port config definitely should work if it has the following defined.

switchport mode trunk

switchport trunk encapsulation dot1q

The only other thing I have on the port is a description...

I have every interface on my WLC tagged with a vlan identifier for dot1q; well the ones that let you define an identifer. All interfaces work fine. I have about 9 other controllers running like this. You should be able to ping the mgmt interface ip, but not the ap manager interface. Your dynamic interfaces should also be pingable, at least at the switch the controller's on. I agree with the dot1q command statement. Some switches have the dot1q turned on automatically. If you have it defined on other ports on the same switch, I'd make sure it is in the config. I'd also take the native vlan entry out of your trunk port config. I'd only trunk on the native if I was using some kind of autonomous AP or bridge with multiple vlans, or if you wanted to add another command to prune the vlans. The simple "switchport mode trunk" should definitely work, and does not cause adverse effects, unless you have an ungodly amount of vlans. Are you running a VTP client server domain or are your switches in transparent mode?

c.jolliffe Thu, 05/07/2009 - 10:59

Can you ping the service port from other subnets? I have had some strange issues with pinging the management interface from other subnets and after I cleared the IP off of the service port it responds with no problems.

CFayNTAdmin83 Thu, 05/07/2009 - 11:11

The service port should be pingable. However, I would not connect it to the production network. That's what the MGMT interface is for. I used the service port before but only for troubleshooting / service. For example, I had one of the fiber cables get pinched in between racks, which of course killed my MGMT / https interface to check out the controller. I remembered that I configured the service port address, so I used Cat5e and a static IP on my laptop to gain access to the controller. I wanted to make sure that the controller didn't get hosed. It turned out to be the kink in the fiber cable though. You should be able to give it a unique address and still be able to ping the original MGMT ip if the fiber connection / trunk port is working correctly. Maybe the address you gave the service port was in use (assuming it was plugged in too)? Also, the code version I'm on is 4.1....

Leo Laohoo Thu, 05/07/2009 - 15:18

Service Port, used for OOBM, should NOT ping-able from anywhere in your network unless you've created a static route for it.

If you plug your host directly to the service port, this is possible.

Leo Laohoo Thu, 05/07/2009 - 15:19

Hi Nick,

I'd recommend take your WLC offline and/OR off the 4507 switch and connect it to another switch model.

tekjansen101 Sun, 05/10/2009 - 20:04

Ok I kinda have the same issues as Nick over here...however whats weird is I can telnet into the controller ... but cannot ping it !!

In my scenario the wlc4402 is sitting in a DMZ behind a (pix) firewall that connects to our corporate network. This controller is supposed to be our guest anchor in the DMZ (mobility anchor setup).

I have performed the following steps:

1. Management and apmanager interfaces are on untagged vlan in WLC

2. Switch X (that connects controller to firewall in DMZ) - port going to the the WLC is trunk.

3. Switch X access port going to firewall is on native vlan (default 1)

4. The wlc can ping its gateway (firewall in this case)

5. Ports UDP 16666 opened, TCP 23, TCP 80/443 and Protocol 1 and 97.

6. Telnet, HTTP, ping all work fine from a workstation ip configured in the ACL to allow tcp and icmp.

7. Ping fails from the corporate controller into the DMZ controller.

8. Ping is successful from the corporate controller into the Firewall hosting the DMZ and the F/W counters indicate the ping packets are going through to the DMZ controller ... but the DMZ controller seems to be dropping the echo packets.

9. Tested routes exist b/w F/W and corporate controller.

Any ideas ?

Actions

This Discussion

 

 

Trending Topics: Other Wireless Mobility

client could not be authenticated
Network Analysis Module (NAM) Products
Cisco 6500 nam
reason 440 driver failure
Cisco password cracker
Cisco Wireless mode