WLC 5508 management interface

Answered Question
Dec 17th, 2009

Hi, I have a particular wireless design that requires one WLC 5508 to be connected to two separate switches. Port 1 of the WLC is connected as a trunk to Switch A and Port 2 of the WLC is connected to Switch B. Each switch has its own local VLANs. When I connect 1130 LAPs they need to find the management interface initially and then use only the AP-manager interfaces. Since there is only one management interface, if I assign the management interface to a VLAN that is configured on Switch A then APs on Switch A join fine, but those on Switch B keep asking for the management interface, and from the CAPWAP debug on the WLC it says that the join request was received on the wrong interface...


The only workaround to this was to set up routing between Switch A and Switch B for the two VLANs on which the APs reside... but for security purposes the client would like to avoid this.



Any help much appreciated.

Leo Laohoo Thu, 12/17/2009 - 14:01

For 5500 series controllers in a non-link-aggregation (non-LAG) configuration, the management interface must be on a different VLAN than any dynamic AP-manager interface. Otherwise, the management interface cannot fail over to the port that the AP-manager is on.


Chapter 3 - Configuring Ports and Interfaces
http://www.cisco.com/en/US/docs/wireless/controller/6.0/configuration/guide/c60mint.html#wp1182892

MARVIN SPITERI Fri, 12/18/2009 - 07:45

Hi, thanks for your reply. My issue is not related to the AP backup port; in fact the design I am given does not cater well for backup.

What I would like to confirm is whether there is any way that the APs on Switch B can join without needing access to the management interface. So far I have confirmed that the management interface is always required for the initial communication, and then the APs use the AP-manager.

I am using a WLC 5508, so only CAPWAP and Layer 3 mode. I found it a bit strange that even when the AP has been primed it always requires connectivity to the management interface on UDP 5246. I made a sketch of the design, attached...

Stephen Rodriguez Fri, 12/18/2009 - 17:02

No, there is no way for the AP to join, unless it has IP Connectivity to the management/ap-manager interface(s).  With two ports plugged in, the AP still sends a L2 message for discovery.  If this is not received by the management interface AP join fails.


Out of curiosity, why is there such a limitation?  is switch two for guests/non-secured WLAN?  if so, just point the interface out that port.


Cheers,

Steve

MARVIN SPITERI Sun, 12/20/2009 - 23:58

hi - many thanks for replying -

I have attached some more info to better explain the design. I have been given this design by our client and cannot change it much. I am just curious why the AP on the guest switch needs to have access to the management IP when I have created a dedicated AP-manager interface on the guest side, and I am also using a 5508 WLC, CAPWAP Layer 3 mode only. I also added an extended ACL between admin and guest and only allowed UDP port 5546 control for CAPWAP, and concluded that all the guest AP needs is to send some initial CAPWAP control packets to the management interface first to join, and then it continues communicating with the AP-manager interface for the rest until it is rebooted or switched off again.


I am just curious why the guest AP still needs the management IP when it has an AP-manager, but I guess it is just the way it works...

Stephen Rodriguez Mon, 12/21/2009 - 06:12

The initial discovery is answered by the mgmt interface, not the ap-manager.  Inside the discovery reply is the IP of all the ap-managers that are in the mobility group.  So, when the WLC sees the discovery coming in on a non-mgmt interface, it drops the packet.


For the ACL, you will also need to allow UDP 5247, otherwise the guests will not be able to pass any traffic.  5246 is CAPWAP control, whereas 5247 is CAPWAP data.


For all intents and purposes, if the second port is simply for guest access, you can leave all the APs in a VLAN that has L3 connectivity to the mgmt interface, since all traffic between AP and WLC is in the tunnel.  Then point the WLAN to use the 'guest' interface out port 2.

MARVIN SPITERI Mon, 12/21/2009 - 22:50

Hi thanks for your reply,


Yes, I agree perfectly with your explanation. On both switches I have UDP forwarding for 5246 and 5247 and everything works fine.

You understood exactly what's happening: for the initial discovery the guest AP asks for the management interface through WLC port 2, but the management IP is on the admin side, WLC port 1, and so it drops the packet saying that it was received on the wrong port. In fact that is why I put an ACL between the admin switch and the guest switch that allows only 5426 CAPWAP control, just to allow that initial discovery from the guest AP to contact the management interface, which can only be assigned to one port and in my case is on the admin switch side. And that is why I had to make a route between the two independent switches.

My question is whether there is any other way, with my given design, to eliminate this initial discovery to the management interface, as my client would like the admin and guest switches to be completely separated, i.e. without the routing. Is there any way that the guest APs can make contact with the AP-manager interface on their side only, skipping the discovery of the management interface? The guest APs were primed on the admin side so they know the IP. After the initial discovery, if I remove the routing between the admin and guest switch, the guest APs keep their connectivity without any problems.

Correct Answer
Stephen Rodriguez Tue, 12/22/2009 - 05:41

Unfortunately, the initial discovery has to happen to the mgmt interface.  Once that has happened the AP should know about the second AP-manager that is on the guest subnet; that's why they are able to stay up.  But if the AP rebooted, it would need to discover again, and would fail.


What is the customer's concern with having all the APs routable to the mgmt network?  The guest users can't see anything there.


IMO, leave the AP able to connect to mgmt subnet, but then put a L3 ACL up, to block the guest subnet from reaching anything in the internal network.
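The ACL Stephen recommends here, combined with his earlier point that both UDP 5246 (CAPWAP control) and 5247 (CAPWAP data) must be permitted and Marvin's UDP forwarding for discovery, would look roughly like the IOS configuration below. This is an added illustration, not configuration posted by anyone in the thread; the interface names, VLAN number and all IP addresses are placeholders for the admin/guest design described above.

```cisco
! Constructed example for the admin switch (not from the thread). Assumed addressing:
!   guest AP VLAN            10.20.1.0/24  (SVI on the guest side of the link)
!   WLC management interface 10.10.1.5     (reachable only via the admin switch)
!   internal/admin networks  10.10.0.0/16
!
! Relay the APs' subnet-broadcast CAPWAP discovery to the WLC management IP
! (the "UDP forward for 5246 and 5247" Marvin mentions). Configure on whichever
! switch owns the guest AP VLAN SVI.
ip forward-protocol udp 5246
ip forward-protocol udp 5247
!
interface Vlan20
 description Guest AP VLAN (placeholder)
 ip address 10.20.1.1 255.255.255.0
 ip helper-address 10.10.1.5
!
! L3 ACL: guest side may reach the WLC management IP on CAPWAP ports only;
! everything else from the guest side toward the internal network is dropped.
ip access-list extended GUEST-TO-ADMIN
 remark CAPWAP control - initial discovery/join to the WLC management interface
 permit udp 10.20.1.0 0.0.0.255 host 10.10.1.5 eq 5246
 remark CAPWAP data - Stephen's note: without 5247 the guests pass no traffic
 permit udp 10.20.1.0 0.0.0.255 host 10.10.1.5 eq 5247
 remark Block the guest subnets from anything else in the internal network
 deny   ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
 remark Assumed: remaining guest traffic (e.g. to the Internet edge) is allowed
 permit ip any any
!
interface GigabitEthernet1/0/48
 description Routed link to guest switch (placeholder)
 ip access-group GUEST-TO-ADMIN in
!
! Verify hits on the CAPWAP permits while a guest AP joins, and watch the
! deny counter for anything else trying to cross from guest to admin.
show ip access-lists GUEST-TO-ADMIN
```

The ACL is stateless and is applied inbound on the guest-facing interface only, so the WLC's replies from 10.10.1.5 back toward the APs are not filtered; if an ACL is also applied on the return path, mirror the two CAPWAP permits there. The `log` keyword on the deny gives the admin team visibility into any guest-side host that attempts to reach the internal network, which is the separation the client asked for in the first place.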

MARVIN SPITERI Tue, 12/22/2009 - 06:25

Yes, I agree with you. I needed some reassurance regarding the management interface role, as all the Cisco documented examples that I could find have the management and AP-manager interfaces on the same routed switch, and all the documentation says that CAPWAP only needs Layer 3 communication with the AP-manager, so it was not very clear in my particular situation...


Thanks again

JASON BOYERS Thu, 01/07/2010 - 20:51

The initial AP connection is ALWAYS to the management interface IP address (true for CAPWAP and LWAPP).  After that, it will send out the available AP-Manager IP addresses.  On the 5500, incidentally, the management interface acts as an AP-manager by default.


In your setup, the subnet for VLAN 1 on the admin switch is not the same as the subnet for VLAN 1 on the guest switch.  Therefore, the "guest" APs can't get to the WLC's mgmt IP from their own switch.  Hence, your need for a static route over to the admin switch.


One option would be to create a completely new VLAN and subnet that would be on both switches, specifically for WLC mgmt.  You would configure the management interface with that VLAN (instead of untagged) and an IP address in that subnet.  Then, when doing their initial WLC discovery (which happens using DHCP, DNS, subnet broadcast, Over the Air if enabled, and remembered WLC mgmt IP addresses, all at the same time, every time), they will be able to route to the WLC without going over a connection between the switches.


Or, go with the current setup, if it's working and acceptable to the customer.
