ap-manager dedicated subnet and interface

Unanswered Question
Sep 13th, 2014
Dear all,

I'm deploying a WLC 5508 device. For security reasons, I have to separate the management and AP areas.

Thus on the controller, the idea is to dedicate the management interface to GUI access, SSH, backup etc., and the ap-manager interface only to the CAPWAP tunnel between the controller and the APs.

 

WLC 5508
Software version: 7.6.130.0

 

So I have configured the management and ap-manager interfaces as below:

management interface

vlan identifier: 200
IP address: 192.168.1.95
Subnet mask: 255.255.255.0
Gateway: 192.168.1.1

Physical Information:
The interface is attached to a LAG
Enable Dynamic AP management: NOT checked

 

ap-manager interface

vlan identifier: 257
IP address: 192.168.157.11
Subnet mask: 255.255.255.0
Gateway: 192.168.157.1

Physical Information:
The interface is attached to a LAG
Enable Dynamic AP management:  checked

VLAN 257 is only used for the APs. This subnet is not routed, so only the controller is able to reach the APs located in VLAN 257. A Cisco router acting as DHCP server is located in VLAN 257. It has only one interface, so it cannot route traffic between VLAN 257 and other VLANs. Option 43 is configured with the IP 192.168.157.11.

 

Problem:

When an AP starts, it receives an IP in the subnet 192.168.157.0/24 from the DHCP router (Cisco router) and tries to join the WLC (due to option 43) on the ap-manager interface.

BUT the WLC drops the traffic. The debug capwap shows the following messages:

spamApTask7: Sep 12 21:36:45.591: 3c:0e:23:7d:8e:40 Discovery Request received on wrong VLAN '257' on interface '13', management VLAN = '200', AP Manager VLAN = '257', dropping the packet

spamApTask7: Sep 12 21:36:45.591: 3c:0e:23:7d:8e:40 State machine handler: Failed to process  msg type = 1 state = 0 from 192.168.157:29139

spamApTask7: Sep 12 21:36:45.591: a8:0c:0d:e7:1d:28 Failed to parse CAPWAP packet from 192.168.157.20:29139

It seems that the WLC waits for connection requests only on the management interface and not on the ap-manager interface.

 

Do you have an idea how to fix this issue?

Thank you very much for your help,

Regards,

 

Isidore
Leo Laohoo Sat, 09/13/2014 - 17:53

I've got a better solution for you: Why are you still using AP Manager?

 

Starting with the 2504/5508/WiSM-2, you no longer need to use an AP Manager interface. You can use it if you want, but NOT having one won't break anything.

Isidore Moreno Sun, 09/14/2014 - 02:28
Hi Leo,

 

Thank you for your help.

I'm fully aware that with the 5508 I can use the management interface for the GUI and for AP registration.
But for security reasons I have to dedicate a VLAN which contains only the APs. The APs are not reachable from other subnets, only from the WLC.

 

Do you have an idea?

 

Thank you.

Leo Laohoo Sun, 09/14/2014 - 15:21

But for security reasons I have to dedicate a vlan which contains only the APs.

Makes sense. Our AP subnets are in their own unique VRF and their own subnet. Our WLC management is in a different VRF and subnet. This is NOT a wireless configuration issue. This is an MPLS routing requirement. You can separate your subnets via Layer 3 (IP address) or MPLS/VRF. The main thing is your routing configuration. So far, I can't make any comment because you haven't furnished enough information about your routing.

The APs are not reachable from other subnets but only from the WLC.

Same thing here. This is a routing issue. If you want only your WLC to contact your APs, then this is an ACL configuration and/or a firewall rule configuration. The most strategic location to put your ACL is wherever the default gateway of the AP subnet is being hosted. This is where you stick the ACL in.

 

Make sure you will have access to your WLC and APs from your computer. It will help you troubleshoot.

Isidore Moreno Mon, 09/15/2014 - 01:36
Hi Leo,

I have access from my workstation to the WLC for sure, because it has one management interface which I can use to manage it. I don't have direct access to the APs because they are located on a dedicated, non-routed VLAN. The WLC has an interface (ap-manager) to this dedicated VLAN.

What do you think regarding my feeling? It seems that the controller listens only on the management interface for AP registration, even if I disable the "Dynamic AP management" option on the management interface and enable it only on the ap-manager interface.

 

Thank you,

Regards,

Marco Schaefer Wed, 09/17/2014 - 00:27
Hi Isidore,

In my understanding it is necessary to point your option 43 to your management interface IP 192.168.1.95, whether AP manager on it is checked or not.

The CAPWAP tunnel will be built between the AP manager interface and the access points though.

 

I'm thinking about implementing a similar solution to yours: FlexConnect APs which are communicating with a separate AP manager. But as option 43 has to point to the management interface, there is no choice of which AP manager will be used, I think :/

 

Regards,

Marco

jordanburnett Tue, 09/16/2014 - 19:33
First off, have you tried rebooting? WLCs are finicky with regard to settings like this, and a reboot may help it take the settings.

Second, have you checked that the interface you're receiving the requests on is tied to the LAG, and that the LAG is in turn tied to the AP Manager interface? Does the LAG consist of all in-use ports on the 5508? Or are they two different LAGs that you have associated the interfaces to?

Under any condition the option 43 address is supposed to be the management interface of the WLC rather than the AP-manager interface. Here is how: Although the 5508 doesn't need a dedicated AP-manager interface, as it uses the management interface to take the role of AP-manager, what if you intend to use a dedicated AP-manager interface? In a situation where there are only a few APs on the network, one AP-manager is good enough, but when more APs, say hundreds, are added to the WLC, one AP-manager interface is no good, since each AP-manager interface is tied to only one physical port and no redundant port is available. This means all traffic from the APs goes through this port, with the other 7 ports wasted. Furthermore, if AP-manager interfaces are required to be on a subnet other than that of the management interface, a distinct AP-manager interface is quite needed. So we can have 7 more AP-manager interfaces on the WLC, each one tied to an individual physical port. When APs transmit CAPWAP or LWAPP tunnel information towards the WLC's management interface IP address, the WLC uses one of its AP-manager interface IP addresses as the source address to respond, and the APs in turn use this IP address as the destination IP address to communicate with the WLC. So it is the WLC that determines which port is chosen to connect the APs, rather than the APs just picking which port on the WLC to connect to. This way, traffic is balanced between all the ports and as many APs as possible can be supported, since the WLC itself has the ability to find out which port is the best one to use.

Just changing option 43 from 192.168.157.11 to 192.168.1.95 will work.
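As an added example (not code from anyone in this thread), the DHCP option 43 encoding that this fix relies on: Cisco APs read vendor sub-option 0xf1, one length byte (4 per controller), then each controller IPv4 address as raw bytes, so an IOS pool line for the management address 192.168.1.95 reads `option 43 hex f104c0a8015f`. The checker that flags the misconfiguration from the original post (option 43 pointing at an ap-manager address) and the sample addresses are constructed here for illustration.

```python
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # vendor sub-option that carries WLC addresses


def encode_option43(controller_ips):
    """Build the hex string for an IOS 'option 43 hex ...' line."""
    if not controller_ips:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(payload) > 255:
        raise ValueError("sub-option length must fit in one byte")
    # type byte, length byte, then the packed addresses
    return bytes([CISCO_AP_SUBOPTION, len(payload)]).hex() + payload.hex()


def decode_option43(hex_string):
    """Return the controller addresses carried in an option 43 hex string."""
    data = bytes.fromhex(hex_string.replace(" ", ""))
    found, i = [], 0
    while i + 2 <= len(data):
        sub, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated sub-option")
        if sub == CISCO_AP_SUBOPTION:
            if length % 4:
                raise ValueError("0xf1 length must be a multiple of 4")
            found += [str(ipaddress.IPv4Address(body[j:j + 4]))
                      for j in range(0, length, 4)]
        i += 2 + length  # skip to the next sub-option, whatever its type
    return found


def check_option43(hex_string, management_ip, ap_manager_ips=()):
    """Flag option 43 values that point APs at an ap-manager address
    instead of the controller's management interface (the thread's bug)."""
    problems = []
    targets = decode_option43(hex_string)
    if management_ip not in targets:
        problems.append(f"management interface {management_ip} missing from option 43")
    for ip in targets:
        if ip in ap_manager_ips:
            problems.append(f"{ip} is an ap-manager address, not the management IP")
    return problems


if __name__ == "__main__":
    # constructed values: the thread's management and ap-manager addresses
    print(encode_option43(["192.168.1.95"]))
    print(check_option43("f104c0a89d0b", "192.168.1.95", ("192.168.157.11",)))
```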
