Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
626
Views
3
Helpful
6
Replies

WISM Design Issue.

p.danielsen
Level 1
Level 1

‎11-28-2006 12:18 PM - edited ‎07-03-2021 01:18 PM

Hi,

I'm trying to design our Wireless LAN network, and something is bugging me,

I want to separate the APs, from our network, by placing them in a separate VRF, this should not be a problem, the thing that bugs me, is when I looked into Cisco documentation, they describes that the APs needs to see both the AP management interface and the Management interface on the WISM module, any one know if this is true !!

If I understand the communication, APs only talks to the AP management interface on the WISM, and the management server only needs to talk to the management interface on the WISM module, Right/Wrong ??

Quick overview of the setup.

AP <-Vlan 10(VRF B)-> AP Management (WISM) Management <-Vlan20 (VRFA) -> Management server

So there is no connection between the management server and the APs

Hope anyone, can guide me in the right direction ..

Regards

Peter.

(will rate all answers)

Labels:
0 Helpful
6 Replies 6

Stephen Rodriguez
Cisco Employee
Cisco Employee

‎11-28-2006 12:30 PM

Peter,

The AP's need to initially see the Management interface, since this is the only interface that responds to ARP, and is pingable. Per the documentation the AP-Manger and Management interfaces should be on the same subnet/vlan.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered
0 Helpful

p.danielsen
Level 1
Level 1
In response to Stephen Rodriguez

‎11-29-2006 09:41 AM

Stephan,

Not the answer I wanted, but nice to know,

So another question, If I want to put a firewall between the WISM module / APs and the management server, do you know of a document that describes, the firewall rules to use ?? ..

Best Regards

Peter,

0 Helpful

Frederick Reimer
Level 4
Level 4
In response to p.danielsen

‎11-29-2006 10:11 AM

I don't know of a Cisco document, but the only thing you should need is SNMP, TFTP, syslog. The WCS, if that's what you are referring to as the management server, uses SNMP to push profiles or make other changes to the WLCs. You should setup SNMPv3 and get rid of the default public/private communities. TFTP is used for image file transfer, and backing up the configurations. syslog can be used in addition to the SNMP-traps that the WCS automatically configures the WLCs to send.

khagen
Level 1
Level 1

‎12-01-2006 08:39 AM

Ive just gotten through installing a large # of WiSM's and I can say without a doubt the Cisco Documentation is lacking. In one spot the docs say the AP-Manager and Management interface of the WiSM should be on the same VLAN. In another section it describes putting them on separate VLANs for security purposes. Whats more, they give no examples or requirements of how to do anything but putting both interfaces on the same VLAN.

Basically, what Ive found is:

1) AP-Manager and Management interfaces can be on separate VLANs, the key here is what you put as the native VLAN for the port-channels. If you make the native vlan the same vlan as the management interface, then you must configure it as un-tagged. If you want to vlan tag them, then ensure that the native vlan is something not used in the WiSM.

My personal preference is to have them on

separate VLANs for security purposes.

2) The initial boot of the APs has them talking to the Management Interface. Im still fuzzy if they move to the AP-Manager interface after registering (Ill get a sniffer in there sooner or later to find out).

3) As to firewalling, items you want to make sure are open.

a) To Management Interface

- HTTPS

- SNMP

- SSH

- LWAPP Protocol

- ICMP (maybe upto you)

b) From Management Interface

- SNMP traps

- Syslog

- TFTP

- RADIUS

c) To AP-Management Interface

- LWAPP Protocol

Parts that Im unsure on are the protocol

used to communicate between WiSMs or with

other controllers.

Hope this helps.

--

Karl

0 Helpful

sandjose
Cisco Employee
Cisco Employee
In response to khagen

‎12-02-2006 04:43 AM

Karl ,

The AP manager and the management can be on different vlans , but from the AP both the management and the ap-manager should be reachable . The AP intiall tries to contacts the management interface in the lwapp discovery request and the discovery response from the mgmt intf carries the AP-manager int address.Now the AP sends the join req to the ap-manager intf.

Regarding the ports that are used for LWAPP protocol

12223,12222,12224,16666 UDP ports

0 Helpful

MARK HEUZENROEDER
Level 1
Level 1
In response to sandjose

‎12-06-2006 10:11 PM

I gleened the following from Ethereal between WiSM & 1131AG,

This LWAPP traffic goes between Management Interface and AP,

- Discovery_REQUEST

- Discovery_REPLY

- PRIMARY_DISCOVERY_REQ

- PRIMARY_DISCOVERY_RES

This LWAPP traffic goes between AP-Manager Interface and AP,

- JOIN_REQUEST

- CONFIGURE_REQUEST

- CONFIGURE_RESPONSE

- various other CONFIGURE packets

- ECHO_REQUEST

- ECHO_RESPONSE

- STATISTICS_INFO

- STATISTICS_INFO_RES

I agree cisco doco. is a mad man's breakfast in this area.

I havn't seen any LWAPP doco. which is both coherent and technically detailed enough to be useful.

Dear Cisco - how hard would it be to add the above to your doco, and, heaven forbid, maybe even some Ethereal snippets!!!

Regards, MH

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card