Solved: use WLC's service interface IP when add WLC into WCS

bbxie · ‎08-12-2010

Hi All,

Does anybody know if there's any limitations or bugs to use WLC's service interface IP when add WLC into WCS?

Another question is I remember there's a post previously says that there are a bug regarding to ARP if the WLC not using LAG but connect one port to one switch, connect another port to another switch, so that's why it is strongly suggested to use LAG, but I can't find it now, anybody know it? Thanks!

Stephen Rodriguez · ‎08-13-2010

As has been stated previously, the Service Port is designed for out of band access. You are not able to configure a gateway, so anything needing to access that interface needs to on the same subnet. Now, you can play a game with the Network Routes, these are a way to define what traffic will be forced out of the service port interface. You are not able to specify only SNMP traps, but you could try forcing all the traffic destined to the WCS out this interface.

*****BE ADVISED, THAT THIS COULD HAVE UNEXPECTED SIDE EFFECTS AS WELL. ALL TRAFFIC DESTINED FOR THE WCS WOULD BE SENT, AND YOU WOULD NO LONGER BE ABLE TO ACCESS WLC MGMT INTERFACE FROM WCS*******

that being said, I would not recommend the above be a permamnet solution, rather a short term bandaid. The management interface is designed to be used for all managment tasks.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Stephen Rodriguez · ‎08-13-2010

I believe we only could do 802.1d, but ever since Cisco aquired Airespace, we have not recommended enabling SPT on the controllers. This was an old piece of code that was from the older model of controller that was actually a switch, like the 4024, that actually had 24 ports on the front of it.

In later code, I want to say 5.2 and beyond, the abitlity to enable SPT has been removed.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Stephen Rodriguez · ‎08-13-2010

On the WLC, never use SPT, if that makes it any easier.

SPT has nothing to do with being able to split your ports on the WLC. It is fully supported for at least the 440x/5508 platforms, to have one port go to switch-a and another go to switch-b. You just need to make sure you have an AP manager on each port.

The WLC does not route. We are a layer2 device not a layer3 device. IP addresses are on dynamic interfaces, so the WLC has knowledge of what the IP subnet is, in case of a L3 roam.

Spliting ports can be done for a couple of reasons, these being some semblance of balance, redundancy or to segregate traffic.

Redundancy being my client interface is normally on port 1, but is set to port 2 for backup.

Semblance of Balance, interface clients goes to port 1, interface voice goes to port 2.

Segregate, pretty much the same as SOB, but all internal would go out one port, and then my guest out the other. You could plug the "guest port" directly into a DMZ switch.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

View solution in original post

Leo Laohoo · ‎08-12-2010

Service Port IP address of a WLC into the WCS???? You sure it's not the management IP address?

bbxie · ‎08-12-2010

Yes, not management IP but the service int IP. Actually in WCS, we can add the WLC by using this service int IP , then we can click configuration-->controller(service IP)--> do some configuratiion change, however since normally we will use management IP, so I'm not quite sure if there're anly limitation or bug by using service int IP. For example, if the WLC need to send snmp trap to WCS, will it always try to send out from management int? I can't find any command to force WLC to use service int IP when configure SNMP trap in WLC.

Leo Laohoo · ‎08-12-2010

The service port is controlled by the service-port interface and is reserved for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The service port is not capable of carrying 802.1Q tags, so it must be connected to an access port on the neighbor switch.

If the service port is in use, the management interface must be on a different supernet from the service-port interface.

The service-port interface controls communications through and is statically mapped by the system to the service port. It must have an IP address on a different supernet from the management, AP-manager, and any dynamic interfaces, and it cannot be mapped to a backup port. This configuration enables you to manage the controller directly or through a dedicated operating system network, such as 10.1.2.x, which can ensure service access during network downtime.

The service port can obtain an IP address using DHCP, or it can be assigned a static IP address, but a default gateway cannot be assigned to the service-port interface. Static routes can be defined through the controller for remote network access to the service port.

bbxie · ‎08-12-2010

Yes, I had read this in Cisco doc. This requirement was generated by a customer, I do believe we need to use managment IP when add WLC to WCS, however I need to fully understand what can do, what can't do in this mode. Since we can add the WLC into WCS by using service int IP and do come configuration change(we just tested it, and it works), so SNMP Get and Set can work, but I think SNMP Trap can't work because it is origniated from the WLC to WCS, WLC will always use mangement IP when send SNMP Trap to WCS(I can't find anyway to configure WLC to use service IP when send SNMP Trap, will do more test next week). Besides that I also want to know if there's any limitaions on SNMP Get and Set, that's why I posted it here.

Stephen Rodriguez · ‎08-13-2010

As has been stated previously, the Service Port is designed for out of band access. You are not able to configure a gateway, so anything needing to access that interface needs to on the same subnet. Now, you can play a game with the Network Routes, these are a way to define what traffic will be forced out of the service port interface. You are not able to specify only SNMP traps, but you could try forcing all the traffic destined to the WCS out this interface.

*****BE ADVISED, THAT THIS COULD HAVE UNEXPECTED SIDE EFFECTS AS WELL. ALL TRAFFIC DESTINED FOR THE WCS WOULD BE SENT, AND YOU WOULD NO LONGER BE ABLE TO ACCESS WLC MGMT INTERFACE FROM WCS*******

that being said, I would not recommend the above be a permamnet solution, rather a short term bandaid. The management interface is designed to be used for all managment tasks.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

bbxie · ‎08-13-2010

Thanks Stephen, I haven't realized that network route command can force traffic to go through service interface. BTW, I found when try to add a network route, the destination IP can't be 0.0.0.0, have to be a more specific subnet for example 10.0.0.0, previously I thought it is a bug, now I know it is because if 0/0 can be configured, then all the traffic(including which must go through manage int and ap-mgr int) will be forced to go through service interface which definitely is not allowed, right?

BTW, do you know what kind of spanning tree protocol the WLC can support? Seems only 802.1D. Not PVST, Rapid PVST, MSTP, etc. If it is true, that will make sense why in Cisco's WLAN best practise, it says not enable spanning tree, otherwise because most customer use PVST or Rapid PVST, then there will have a compatibility issue. So that's why recommend to use LAG, not connect one port of WLC to one switch, connect another port to another switch and configure different ap-manager int for each port.

Stephen Rodriguez · ‎08-13-2010

I believe we only could do 802.1d, but ever since Cisco aquired Airespace, we have not recommended enabling SPT on the controllers. This was an old piece of code that was from the older model of controller that was actually a switch, like the 4024, that actually had 24 ports on the front of it.

In later code, I want to say 5.2 and beyond, the abitlity to enable SPT has been removed.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

bbxie · ‎08-13-2010

Hi Stephen, if SPT had been removed from 5.2, does it mean we can never connect one port of the WLC to core-switch1, connect another port to core-switch2 which I believe depend on SPT(WLC behaves like an access switch)? However I noticed that at page 3-34 of WLC configuration guide 7.0, it seems still have this kind of connection provided? I'm confused. Does it mean this kind of connection mode actually has nothing to do with SPT? Since each port will have one AP-Manager int, so it seems like a layer3 connection instead of layer2, so the WLC is like a router with two etherenet ports(but can't do internal routing)? If so, under what kind of connection mode will SPT be used?

I'm really confused, could you pls. help to clarify it? Thanks!

Stephen Rodriguez · ‎08-13-2010

On the WLC, never use SPT, if that makes it any easier.

SPT has nothing to do with being able to split your ports on the WLC. It is fully supported for at least the 440x/5508 platforms, to have one port go to switch-a and another go to switch-b. You just need to make sure you have an AP manager on each port.

The WLC does not route. We are a layer2 device not a layer3 device. IP addresses are on dynamic interfaces, so the WLC has knowledge of what the IP subnet is, in case of a L3 roam.

Spliting ports can be done for a couple of reasons, these being some semblance of balance, redundancy or to segregate traffic.

Redundancy being my client interface is normally on port 1, but is set to port 2 for backup.

Semblance of Balance, interface clients goes to port 1, interface voice goes to port 2.

Segregate, pretty much the same as SOB, but all internal would go out one port, and then my guest out the other. You could plug the "guest port" directly into a DMZ switch.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

bbxie · ‎08-14-2010

Hi Stephen, thanks for your clarification!