I used Example Number 2 which is exactly my topology.
The Configuration worked like a charm, the APs join the WLC and are propagating the configured SSIDs (3 total).
The Clients can associate with an AP (1231G) (which is broadcasting SSID_1) and get an IP address from the DHCP Pool configured on the 2811.
The Problem I am experiencing is that the Clients do not receive an answer if they do an ARP Request for their configured Gateway and I have no clue why.
When I try to ping the Wireless Client directly from the Router, I can see that the ICMP Echo Requests arrive on the Wireless Client (through Wireshark) but the ICMP Reply fails due to the unanswered ARP Request for the Default Gateway. I tested this with various Operating Systems (Linux/Windows/OSX) but they all have the same faulty behaviour.
I would greatly appreciate your effort if you could point me in the right direction or could bring up a solution, because this weird behaviour drives me crazy.
If you need any additional Information don't hesitate to ask.
See attached my configuration for the Router & WLC.
2811 Router Config
!
! Last configuration change at 23:13:07 CET Mon Mar 8 2010
! NVRAM config last updated at 21:45:15 CET Mon Mar 8 2010 by xxx
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname 2811_wlc
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 9
logging message-counter syslog
logging buffered 8192
enable secret 5 xxx
!
no aaa new-model
memory-size iomem 10
clock timezone CET 1
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
no ip source-route
!
ip cef
ip dhcp excluded-address 172.16.4.1 172.16.4.100
ip dhcp excluded-address 10.2.0.1 10.2.0.100
ip dhcp excluded-address 172.16.1.1 172.16.1.50
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 10.1.0.1 10.1.0.100
ip dhcp excluded-address 172.16.2.1 172.16.2.100
ip dhcp excluded-address 172.16.3.1 172.16.3.100
!
ip dhcp pool AP_Pool
 network 10.2.0.0 255.255.255.0
 default-router 10.2.0.1
 option 43 ascii "10.3.0.20"
!
ip dhcp pool SSID_1
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 184.108.40.206 220.127.116.11
!
ip dhcp pool MGMT
 network 10.1.0.0 255.255.255.0
 default-router 10.1.0.1
 dns-server 18.104.22.168 22.214.171.124
!
ip dhcp pool SSID_2
 network 172.16.2.0 255.255.255.0
 default-router 172.16.2.1
 dns-server 126.96.36.199 188.8.131.52
!
ip dhcp pool SSID_3
 network 172.16.3.0 255.255.255.0
 default-router 172.16.3.1
 dns-server 184.108.40.206 220.127.116.11
!
ip dhcp pool LAN 1
 network 172.16.4.0 255.255.255.0
 default-router 172.16.4.1
 dns-server 18.104.22.168 22.214.171.124
!
ip dhcp pool LAN 2
 network 172.16.5.0 255.255.255.0
 default-router 172.16.5.1
 dns-server 126.96.36.199 188.8.131.52
!
interface FastEthernet0/0
 no ip address
 duplex full
 speed 100
 no keepalive
!
interface FastEthernet0/0.101
 description ===MGMT GW===
 encapsulation dot1Q 101
 ip address 10.1.0.1 255.255.255.0
 ip access-group 150 out
 no cdp enable
!
interface FastEthernet0/0.102
 description ===AP_GW===
 encapsulation dot1Q 102
 ip address 10.2.0.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.174
 description ===LAN1_GW===
 encapsulation dot1Q 174
 ip address 172.16.4.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/0.175
 description ===LAN2_GW===
 encapsulation dot1Q 175
 ip address 172.16.5.1 255.255.255.0
 no cdp enable
!
interface FastEthernet0/1
 description ===TRANSIT to Border Gateway===
 ip address 10.4.0.2 255.255.255.0
 duplex full
 speed 100
 no keepalive
!
interface wlan-controller1/0
 description ====WLAN_Controller_Subnet===
 ip address 10.3.0.1 255.255.255.0
!
interface wlan-controller1/0.171
 encapsulation dot1Q 171
 ip address 172.16.1.1 255.255.255.0
 no cdp enable
!
interface wlan-controller1/0.172
 encapsulation dot1Q 172
 ip address 172.16.2.1 255.255.255.0
 no cdp enable
!
interface wlan-controller1/0.173
 encapsulation dot1Q 173
 ip address 172.16.3.1 255.255.255.0
 no cdp enable
!
no ip forward-protocol nd
ip forward-protocol udp 12223
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 10.4.0.1
no ip http server
no ip http secure-server
!
!
!
access-list 100 remark ### VTY Access ###
access-list 100 permit ip 10.1.0.0 0.0.0.255 any
access-list 100 permit ip 10.2.0.0 0.0.0.255 any
access-list 100 permit ip 10.3.0.0 0.0.0.255 any
access-list 100 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 remark ===DENY ACCESS TO MGMT===
access-list 150 permit ip 172.16.2.0 0.0.0.255 host 10.1.0.225
access-list 150 deny ip 172.16.1.0 0.0.0.255 any log
access-list 150 deny ip 172.16.2.0 0.0.0.255 any log
access-list 150 deny ip 172.16.4.0 0.0.0.255 any log
access-list 150 deny ip 172.16.5.0 0.0.0.255 any log
access-list 150 permit ip any any
!
line con 0
 exec-timeout 0 0
 logging synchronous level 2
line aux 0
line 66
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class 100 in
 logging synchronous
 login local
 length 0
line vty 5 15
 access-class 100 in
 logging synchronous
 login local
 length 0
line vty 16 988
 access-class 100 in
 logging synchronous
 login local
!
scheduler allocate 20000 1000
end
Re: Clients associated to the AP aren't able to resolve mac-addr
Well, your configuration looks great to me... nothing is obviously standing out at least..
If the router's ping request makes it to your client, then the router must at least be able to arp for you.
Have you tried to ping the gateway from the WLC itself? (vlan 171 it appears)
I'm curious if the WLC even gets the ping through. 'show arp switch' on the WLC would show its arp table as well...
I'm not very proficient with the router debugging, but perhaps there is some kind of ARP debug you can run to verify if the ARP request is even coming out of the WLC from your client?
Again, the config looks good to me, so either this is a situation where a nice save config and reboot would come in handy (perhaps coupled with shutting down the interfaces and turning them back on)..... or something just isn't right....
Does this happen with the other vlans you have coming in to the WLC? Perhaps there is just something going on the router side where it isn't responding to the arp.... which comes back to the whole shutting down interfaces and/or rebooting. Obviously this isn't root-cause, but should at least provide sanity-check.
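Added example, not part of the original thread or of either poster's material: a small Python check that reads an IOS-style config and maps each DHCP pool's default-router to the interface and dot1Q tag that owns that address, which is the consistency the reply verifies by eye (SSID_1 on VLAN 171). The embedded text is an excerpt of the config posted above; the function names are hypothetical.

```python
import re

# Excerpt of the 2811 config posted in the thread (two pools and their gateways).
CONFIG = """\
ip dhcp pool AP_Pool
 network 10.2.0.0 255.255.255.0
 default-router 10.2.0.1
ip dhcp pool SSID_1
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
interface FastEthernet0/0.102
 encapsulation dot1Q 102
 ip address 10.2.0.1 255.255.255.0
interface wlan-controller1/0.171
 encapsulation dot1Q 171
 ip address 172.16.1.1 255.255.255.0
"""

def parse_sections(text):
    """Group indented sub-commands under their top-level IOS command."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and '!' separators
        if line[0] != " ":
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.strip())
    return sections

def gateway_map(text):
    """Return {pool: (default_router, (interface, vlan) or None)}."""
    sections = parse_sections(text)
    owners = {}
    for name, body in sections.items():
        joined = "\n".join(body)
        ip = re.search(r"^ip address (\S+) ", joined, re.M)
        vlan = re.search(r"^encapsulation dot1Q (\d+)", joined, re.M)
        if name.startswith("interface ") and ip:
            tag = int(vlan.group(1)) if vlan else None
            owners[ip.group(1)] = (name.split(" ", 1)[1], tag)
    result = {}
    for name, body in sections.items():
        if name.startswith("ip dhcp pool "):
            gw = next((l.split()[1] for l in body if l.startswith("default-router ")), None)
            # None as owner means no interface on this router holds the gateway IP
            result[name[len("ip dhcp pool "):]] = (gw, owners.get(gw))
    return result
```

A pool whose owner comes back as `None` hands clients a gateway address that no interface on the router holds, so ARP for it would go unanswered; on the posted config every pool resolves to an interface.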