I have a WLC 4402 with 20 APs. I currently use it only for my internal LAN and everything works great.
I would not like to add "Guest Wireless" SSID, so I connect a Cisco PIX501 to the second port. For whatever reason
I have no Layer two connectivity between the PIX and port. The interfaces are obviously configured on separate VLANs
but my question is, what's the best way to troubleshoot this connectivity issue? I have removed any VLAN tagging also
on the port. Any help would be appreciated.
Some assumptions. You mentioned "port", I am assuming your WLC is NOT configured as LAG, correct?
You created a dynamic guest interface. Did you point this interface to the correct port on the WLC?
Correct, it's not configured as a LAG.
Yes, I pointed the dynamic guest interface to port 2. I have been doing some reading and see that there is a requirement between the WLC and PIX using a trunk port. I may try and plug in a Cisco switch between, to see if that helps.
Do I really need a trunk, if I am only passing the one guest VLAN?
You shouldn't need a trunk from a WLC perspective. Although I am not a PIX guy to be honest. I have my guest access layered into a switch and then our ASA. I would put a switch in between the 2 boxes as you suggested for starters. Make sure from the switch you can hit the guest interface to ensure the WLC is good.
So I added the L2 switch in between the Pix and WLC, but I am still having the same issue. I am still unable to ping the interface.
What's really odd, if I connect a laptop with a static IP to the second interface on the WLC I can ping fine. But if I connect the WLC to a PIX or switch I am unable to ping... what the heck?
Your switch port that your laptop was on is in the same VLAN as your WLC port 2? What value (VLAN number) do you have in your dynamic interface for your guest?
On the switch, have you created the guest VLAN and assigned switchports to this VLAN? For testing you will need three ports configured on the switch for this VLAN: 1) to the controller 2) to the PIX 3) laptop for testing. You might have to configure the port going to the controller as a trunk.
Assuming your L2 is right on the switch .. You should be able to hit the guest interface from your laptop... All are in the same VLAN correct ...
George - Yes this is correct, the L2 is the switch. I can confirm that the switch and PIX are working properly, because if I plug in my laptop into any port on the switch I can get internet access through the PIX. When I plug in port 2 from the WLC, I don't even receive a link light on the switch from the WLC. I have changed the cables also. Is it possible that port security is creating this from the WLC?
Can you post the show run-config?
On your PIX, is it a 10/100 port or is it 10/100/1000? The WLC only does 1000, and doesn't negotiate.
OH CRAP! Great point, Steve!
The PIX is a 506e and yes it's a 10/100, no 1000.
Wow this is a big discovery, thanks guys. I also have an ASA here which I will try, I will let you know how that works.