Physical Information: The interface is attached to a LAG. Enable Dynamic AP management: checked.
The VLAN 257 is only used for the APs. This subnet is not routed, so only the controller is able to reach the APs located in VLAN 257. A Cisco router acting as DHCP server is located in VLAN 257. It has only one interface, so it cannot route traffic between VLAN 257 and others. Option 43 is configured for the IP 192.168.157.11.
When an AP starts, it receives an IP in the subnet 192.168.157.0/24 from the DHCP router (Cisco router) and tries to join the WLC controller (due to option 43) on the ap-manager interface.
BUT the WLC drops the traffic. The debug capwap output shows the following messages:
spamApTask7: Sep 12 21:36:45.591: 3c:0e:23:7d:8e:40 Discovery Request received on wrong VLAN '257' on interface '13', management VLAN = '200', AP Manager VLAN = '257', dropping the packet
spamApTask7: Sep 12 21:36:45.591: 3c:0e:23:7d:8e:40 State machine handler: Failed to process msg type = 1 state = 0 from 192.168.157:29139
spamApTask7: Sep 12 21:36:45.591: a8:0c:0d:e7:1d:28 Failed to parse CAPWAP packet from 192.168.157.20:29139
It seems that the WLC waits for connection requests only on the management interface and not on the ap-manager interface.
I'm fully aware that with the 5508 I can use the management interface for the GUI and for AP registration. But for security reasons I have to dedicate a VLAN which contains only the APs. The APs are not reachable from other subnets but only from the WLC.
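As an added example (not part of the original thread), the following parser runs over the three "debug capwap" lines quoted above and flags the "wrong VLAN" drop, pulling out the AP MAC, the VLAN the discovery arrived on, and the controller's management and AP-manager VLANs. The cause labels are an assumption of this example: a discovery seen on the AP-manager VLAN rather than the management VLAN is what the thread later traces back to option 43.

```python
import re

# The three debug lines quoted in the post above, embedded here as sample input.
DEBUG_LINES = [
    "spamApTask7: Sep 12 21:36:45.591: 3c:0e:23:7d:8e:40 Discovery Request received on wrong VLAN '257' "
    "on interface '13', management VLAN = '200', AP Manager VLAN = '257', dropping the packet",
    "spamApTask7: Sep 12 21:36:45.591: 3c:0e:23:7d:8e:40 State machine handler: Failed to process "
    "msg type = 1 state = 0 from 192.168.157:29139",
    "spamApTask7: Sep 12 21:36:45.591: a8:0c:0d:e7:1d:28 Failed to parse CAPWAP packet from 192.168.157.20:29139",
]

# Matches only the "wrong VLAN" drop message; other spamApTask lines are ignored.
WRONG_VLAN = re.compile(
    r"^(?P<task>\S+): (?P<ts>\w{3} +\d+ \d+:\d+:\d+\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) Discovery Request received on wrong VLAN "
    r"'(?P<rx_vlan>\d+)' on interface '(?P<iface>\d+)', management VLAN = '(?P<mgmt_vlan>\d+)', "
    r"AP Manager VLAN = '(?P<apmgr_vlan>\d+)', dropping the packet$"
)

def classify(rx_vlan, mgmt_vlan, apmgr_vlan):
    """Map the three VLAN ids in a drop message to a likely cause (labels assumed by this example)."""
    if rx_vlan == apmgr_vlan and rx_vlan != mgmt_vlan:
        # The AP sent its discovery to the ap-manager subnet instead of the management interface.
        return "option43_points_to_ap_manager"
    return "discovery_on_unrelated_vlan"

def parse_wrong_vlan_drops(lines):
    """Return one finding per 'wrong VLAN' drop line."""
    findings = []
    for line in lines:
        m = WRONG_VLAN.match(line.strip())
        if not m:
            continue
        rx, mgmt, apmgr = (int(m.group(k)) for k in ("rx_vlan", "mgmt_vlan", "apmgr_vlan"))
        findings.append({
            "ap_mac": m.group("mac"),
            "interface": int(m.group("iface")),
            "rx_vlan": rx, "mgmt_vlan": mgmt, "apmgr_vlan": apmgr,
            "cause": classify(rx, mgmt, apmgr),
        })
    return findings

if __name__ == "__main__":
    for f in parse_wrong_vlan_drops(DEBUG_LINES):
        print(f"AP {f['ap_mac']}: discovery on VLAN {f['rx_vlan']} (mgmt {f['mgmt_vlan']}, "
              f"ap-manager {f['apmgr_vlan']}) -> {f['cause']}")
```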
But for security reasons I have to dedicate a VLAN which contains only the APs.
Makes sense. Our AP subnets are in their own unique VRF and their own subnet. Our WLC management is in a different VRF and subnet. This is NOT a wireless configuration issue. This is an MPLS routing requirement. You can separate your subnets via Layer 3 (IP address) or MPLS/VRF. The main thing is your routing configuration. So far, I can't make any comment because you haven't furnished enough information about your routing.
The APs are not reachable from other subnets but only from the WLC.
Same thing here. This is a routing issue. If you want only your WLC to contact your APs, then this is an ACL configuration and/or a firewall rule configuration. The most strategic location to put your ACL is wherever the default gateway of the AP subnet is being hosted. This is where you stick the ACL in.
Make sure you will have access to your WLC and AP from your computer. It will help you troubleshoot.
I have access from my workstation to the WLC for sure because it has one management interface which I can use to manage it. I don't have direct access to the APs because they are located on a dedicated and not routed VLAN. The WLC has an interface (ap-manager) to this dedicated VLAN.
What do you think regarding my feeling? It seems that the controller listens only on the management interface for AP registration, even if I disable the "Dynamic AP management" option on the management interface and enable it only on the ap-manager interface.
In my understanding it is necessary to point your option 43 to your management interface IP 192.168.1.95 whether AP manager on it is checked or not.
The CAPWAP tunnel will be built between the AP manager interface and the access points though.
I'm thinking about implementing a similar solution to yours: FlexConnect APs which are communicating with a separate AP manager. But as option 43 has to point to the mgmt interface, there is no choice which AP manager will be used, I think :/
First off, have you tried rebooting? WLCs are finicky with regard to settings like this and a reboot may help it take the settings.
Second, have you checked that the interface you're receiving the requests on is tied to the LAG, and subsequently that it is tied to the AP Manager Interface? Does the LAG consist of all in-use ports on the 5508? Or are they two different LAGs that you have associated the interfaces to?
Under any condition the option 43 address is supposed to be the management interface on the WLC rather than the AP-manager interface. Here is how: Although the 5580 doesn't need a separate AP-manager interface, as it uses the management interface to take the role of AP-manager, what if you intend to use a dedicated AP-manager interface? In a situation where there are only a few APs on the net, one AP-manager is good enough, but when more APs, say hundreds, are added to the WLC, one AP-manager interface is no good, since each AP-manager interface is tied to only one physical port and no redundant port is available. This means all traffic from the APs goes through this port, with the other 7 ports wasted in vain. Furthermore, if AP-manager interfaces are required to be on a subnet other than that of the management interface, a distinct AP-manager interface is quite needed.
So we can have 7 more AP-manager interfaces on the WLC, with each one tied to an individual physical port. When APs transmit CAPWAP or LWAPP tunnel information towards the WLC's management interface IP address, the WLC uses one of its AP-manager interface IP addresses as the source address to respond, and the APs in turn use this IP address as the destination IP address to communicate with the WLC. So it is the WLC that determines which port is chosen to connect the APs, rather than the APs just picking which port on the WLC to connect to. This way, traffic is balanced between all the ports and as many APs as possible can be supported, for the WLC itself has the ability to find out which port is the best one to use.
Just changing the option 43 from 192.168.157.11 to 192.168.1.95 will work.
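To make the fix above concrete, here is an added example (not from the thread) that encodes and decodes the Cisco AP form of DHCP option 43: suboption 241 (0xf1), a length byte of 4 times the number of controllers, then the IPv4 addresses, which is what the IOS "option 43 hex" command carries. It prints the value the thread started with (the ap-manager IP) beside the corrected management interface IP, and goes beyond the thread by handling several controllers in one option.

```python
import ipaddress

# Cisco lightweight APs read the WLC address list from option 43 suboption 241 (0xf1):
# one byte type, one byte length (4 * number of addresses), then the IPv4 addresses.
CISCO_AP_SUBOPTION = 0xF1

def option43_hex(controllers):
    """Raw hex payload of option 43 carrying the given WLC management interface IPs."""
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not 1 <= len(payload) <= 255:          # the length field is a single byte
        raise ValueError("need between 1 and 63 controller addresses")
    return bytes([CISCO_AP_SUBOPTION, len(payload)]).hex() + payload.hex()

def ios_dotted(hexstr):
    """Group the hex into blocks of four digits, the form IOS shows after 'option 43 hex'."""
    return ".".join(hexstr[i:i + 4] for i in range(0, len(hexstr), 4))

def decode_option43(value):
    """Parse an option 43 value (raw or dotted hex) back into the list of controller IPs."""
    data = bytes.fromhex(value.replace(".", ""))
    if len(data) < 6 or data[0] != CISCO_AP_SUBOPTION or data[1] != len(data) - 2 or data[1] % 4:
        raise ValueError("not a well-formed Cisco AP option 43 value")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(2, len(data), 4)]

if __name__ == "__main__":
    # The ap-manager address the thread started with beside the management address that works.
    for label, ip in (("wrong (ap-manager)", "192.168.157.11"), ("right (management)", "192.168.1.95")):
        print(f"{label}: option 43 hex {ios_dotted(option43_hex([ip]))}")
```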