WLC no more access to the management port

Unanswered Question
Apr 17th, 2014

 

Hello, after configuring the WLC5508, I moved it to another agency, and since then, when I try to HTTPS to int1 for management, I get the prompt for the certificate, then I click on 'continue' and get a blank page.

When I SSH to the same interface, here is what I get:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2014.04.17 11:31:44 =~=~=~=~=~=~=~=~=~=~=~=
login as: admin
Sorry, telnet is not allowed on this port!

 

I can connect via the console cable.

Is there something I need to do to grant access to this interface?

 

I tried to plug a PC directly into the interface (with a static IP on the PC), same thing; I tried to configure INT2, same result.

 

Please HELP.

Tx,

ALexis

Rasika Nayanajith Thu, 04/17/2014 - 03:19

Hi Alex,

Pls provide the below output from your WLC & WLC connected switch

 

(5508) >show interface detailed management 

Switch# show run interface gig x/x <- Gig x/x is port connected to WLC

 

HTH

Rasika

**** Pls rate all useful responses ***

 

bouchal-38 Thu, 04/17/2014 - 04:28

Hello, thanks for your help, here is the following:

Interface Name................................... managementus
MAC Address...................................... e4:c7:22:aa:7b:65
IP Address....................................... 10.12.0.22
IP Netmask....................................... 255.255.252.0
IP Gateway....................................... 10.12.0.1
External NAT IP State............................ Disabled
External NAT IP Address.......................... 0.0.0.0
VLAN............................................. untagged
Quarantine-vlan.................................. 0
NAS-Identifier................................... USROCHDM001
Active Physical Port............................. 2
Primary Physical Port............................ 2
Backup Physical Port............................. Unconfigured
DHCP Proxy Mode.................................. Disabled
Primary DHCP Server.............................. Unconfigured
Secondary DHCP Server............................ Unconfigured
DHCP Option 82................................... Disabled
ACL.............................................. Unconfigured
mDNS Profile Name................................ Unconfigured
AP Manager....................................... No
Guest Interface.................................. No
L2 Multicast..................................... Enabled

 

 

-------
On the switch:
Current configuration : 175 bytes
!
interface GigabitEthernet2/18
 description NCSA WLC
 switchport access vlan 1200
 switchport mode access
 switchport nonegotiate
 no cdp enable
 spanning-tree portfast
end

 

 

Any idea?

Rasika Nayanajith Thu, 04/17/2014 - 15:00

Hi,

As I suspected, your configuration is wrong. Typically you should configure the WLC-connected switchport as a trunk. Assuming you want to have WLC management on VLAN 1200 (10.12.0.0/22), configure it like this. In this way you can have multiple VLANs on your wireless network.

(5508) >config interface vlan management 1200

(5508) >config interface port management 2

interface GigabitEthernet2/18
 description NCSA WLC
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 cdp enable
 spanning-tree portfast trunk

 

Ideally you should restrict vlans going across this trunk like below (x,y,z are vlans you configure for wireless users & not for AP management)

switchport trunk allowed vlan 1200,x,y,z

Give it a try & let us know

 

HTH

Rasika

**** Pls rate all useful responses ****

 

 

bouchal-38 Fri, 04/18/2014 - 06:21

Hello, and thanks for this answer. I solved the problem by enabling HTTP on the management interface and renewing the certificate so I could connect to the management interface; then I disabled HTTP again and left only HTTPS.

But can I ask you a question regarding your answer: right now, my other WLC is managing 200 APs, and the management is untagged (see screenshot attached), but I can manage all my APs, which are on different VLANs... Did I misunderstand something from you?

What is the use of having the management interface in trunk on the different VLANs? In my case, the management interface would be in VLANs 50,44,43,401,X, X being the VLAN of the management IP (41).

Is it what you told me to do? Is my actual conf correct? Or what's wrong with it?

Thanks for your answer.

A

 

 

Rasika Nayanajith Fri, 04/18/2014 - 15:44

Hi,

What I provided to you was a best practice configuration.

Even with management untagged it would work. But if you want to implement QoS, then across a layer 2 trunk link the CoS value is only for tagged VLANs. So if your management is untagged, all your wireless traffic won't preserve any QoS set by the WLC (all traffic is treated as Best Effort). Refer to this for more detail.

http://www.cisco.com/c/en/us/support/docs/wireless-mobility/voice-over-wireless-lan-vowlan/116056-technote-qos-00.html

Regarding restricting VLANs across the trunk, again it is best practice. Typically AP management & WLC management are put in two different VLANs (I believe in your case they are all in one, or I may be wrong). If all are in one subnet, lots of unnecessary broadcast traffic generated by APs reaches the WLC. So putting WLC & AP management in two different VLANs & restricting which VLAN traffic can go across the WLC trunk link using the "allow vlan x,y,z" command is considered a best practice, by only permitting the WLC management VLAN & any dynamic interface user VLANs across it (no AP management VLAN).

 

HTH

Rasika

**** Pls rate all useful responses ****
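
Added example (not part of the original thread and not Cisco code): a Python check that applies the trunk advice from the replies above to a switchport stanza facing a WLC. The function names, the allowed-VLAN line, user VLANs 210-212 and AP-management VLAN 1100 are assumptions constructed for illustration.

```python
import re

# Stanzas based on the thread; the allowed-VLAN line and the VLAN
# numbers 210-212 (users) and 1100 (AP management) are constructed.
ACCESS_PORT = """interface GigabitEthernet2/18
 switchport access vlan 1200
 switchport mode access
"""
TRUNK_OPEN = """interface GigabitEthernet2/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""
TRUNK_RESTRICTED = TRUNK_OPEN + " switchport trunk allowed vlan 1200,210-212\n"

def parse_vlan_list(text):
    """Expand an IOS VLAN list such as '1200,210-212' into a set of ints."""
    vlans = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit_wlc_uplink(stanza, mgmt_vlan, ap_mgmt_vlan=None):
    """Return findings for a WLC-facing switchport; an empty list means clean."""
    lines = [line.strip() for line in stanza.splitlines()]
    if "switchport mode trunk" not in lines:
        return ["port is not a trunk: WLC traffic leaves untagged"]
    allowed = None
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,\- ]+)$", line)
        if m:
            allowed = (allowed or set()) | parse_vlan_list(m.group(1))
    if allowed is None:
        return ["no 'switchport trunk allowed vlan': every VLAN crosses the trunk"]
    findings = []
    if mgmt_vlan not in allowed:
        findings.append(f"WLC management VLAN {mgmt_vlan} is not allowed on the trunk")
    if ap_mgmt_vlan is not None and ap_mgmt_vlan in allowed:
        findings.append(f"AP management VLAN {ap_mgmt_vlan} is allowed on the trunk")
    return findings

if __name__ == "__main__":
    for name, cfg in [("access", ACCESS_PORT), ("open trunk", TRUNK_OPEN),
                      ("restricted trunk", TRUNK_RESTRICTED)]:
        print(name, "->", audit_wlc_uplink(cfg, 1200, ap_mgmt_vlan=1100))
```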

 
