02-15-2012 12:38 PM - edited 07-03-2021 09:35 PM
I am trying to set up an OEAP test environment in our DMZ and I am having some trouble. Because of the security requirements I can't manage the controller from the DMZ vlan. It is currently LAG enabled on two ports and connected to the DMZ switch via a trunk. My plan was to create an ap-manager interface and place it on the DMZ vlan and then place the management interface on a separate vlan that I can reach internally. However, this does not seem to be working. The only other post I have found on the subject seems to indicate that even if you create an ap-manager interface it still needs to be on the same vlan as the management interface. Is this true? At this point I have been seriously considering using the service port as the management interface and saving myself the trouble of figuring it out, but I would like to go with my original solution if possible. Any help you can provide would be appreciated.
Thanks,
Patton Davis
02-15-2012 12:41 PM
OfficeExtend requires the ap manager to be the management interface due to how NAT is handled. In order for this to work you'll need to have the management interface be the interface that your OEAPs hit from the outside.
What's the issue with managing the WLC from the management network?
02-15-2012 12:49 PM
There is no issue managing the WLC from the management network. The problem is with managing it from the DMZ. If both the management interface and the ap manager interface have to be in the DMZ there is no way I can reach the management interface from the inside. It's not a configuration issue, it's a security policy issue. Our infosec group is very tight on what they will allow through our DMZ from the inside. For that matter, this particular DMZ is pretty heavily firewalled on the outside as well. It was a chore just to get them to allow UDP 5246 and 5247 through the firewall. I think I may be configuring the service port for management after all.
02-15-2012 01:55 PM
Well, it isn't supported by any means, but you might be able to use the CLI command to allow management via dynamic interfaces and use, say, port 8 on a dynamic interface that is inside your network then?
Seems odd they restrict from inside to DMZ.
02-15-2012 06:28 PM
They call this the "straddle", one leg inside the network and one leg outside in the DMZ.
But, as Blake pointed out, NAT will be a problem with OE.
02-15-2012 06:41 PM
Oh, btw if you enable management via dynamic interface your security folks may have a stroke. But you could leg it in ..
+5 Blake
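An added audit script (editor's example, not from this thread or from Cisco) that checks a WLC's `show interface summary` and `show network summary` output against the two points raised above: the ap-manager role must sit on the management interface for OfficeExtend, and enabling management via dynamic interfaces is the setting the security team would object to. The command output embedded below is constructed sample text approximating the AireOS format, not a capture.

```python
import re

# Constructed sample approximating `show interface summary` on an AireOS WLC.
SHOW_INTERFACE_SUMMARY = """\
Interface Name      Port Vlan Id  IP Address      Type    Ap Mgr Guest
------------------- ---- -------- --------------- ------- ------ -----
management          LAG  10       10.1.10.5       Static  Yes    No
ap-manager-dmz      LAG  200      192.0.2.5       Static  Yes    No
service-port        N/A  N/A      10.1.99.5       DHCP    No     No
"""

# Constructed sample: the relevant line of `show network summary`.
SHOW_NETWORK_SUMMARY = "Mgmt Via Dynamic Interface....... Enable\n"

ROW = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(Yes|No)\s*$")


def parse_interfaces(text):
    """Turn the summary table into dicts; header and separator lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"name": m.group(1), "port": m.group(2), "vlan": m.group(3),
                         "ip": m.group(4), "type": m.group(5),
                         "ap_mgr": m.group(6) == "Yes", "guest": m.group(7) == "Yes"})
    return rows


def audit(interfaces, network_summary):
    """Return a list of findings; an empty list means the layout fits the OEAP constraints."""
    findings = []
    mgmt = next((i for i in interfaces if i["name"] == "management"), None)
    if mgmt is None:
        return ["no management interface found"]
    if not mgmt["ap_mgr"]:
        findings.append("management interface is not an ap-manager; OfficeExtend requires it")
    # A separate ap-manager on another VLAN will not terminate OEAP CAPWAP (NAT handling).
    for i in interfaces:
        if i["ap_mgr"] and i["name"] != "management" and i["vlan"] != mgmt["vlan"]:
            findings.append(f"ap-manager '{i['name']}' is on VLAN {i['vlan']}, "
                            f"management is on VLAN {mgmt['vlan']}; OEAPs must hit management")
    # Management via dynamic interfaces exposes the WLC management plane on every such VLAN.
    m = re.search(r"Mgmt Via Dynamic Interface\.*\s*(\w+)", network_summary)
    if m and m.group(1).lower() == "enable":
        findings.append("management via dynamic interfaces is enabled (unsupported; widens exposure)")
    return findings


if __name__ == "__main__":
    for f in audit(parse_interfaces(SHOW_INTERFACE_SUMMARY), SHOW_NETWORK_SUMMARY):
        print("FINDING:", f)
```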