I'm trying to design our Wireless LAN network, and something is bugging me.
I want to separate the APs from our network by placing them in a separate VRF. This should not be a problem; the thing that bugs me is that when I looked into the Cisco documentation, they describe that the APs need to see both the AP management interface and the Management interface on the WiSM module. Anyone know if this is true?!
If I understand the communication, APs only talk to the AP management interface on the WiSM, and the management server only needs to talk to the management interface on the WiSM module. Right/Wrong??
Quick overview of the setup.
AP <-Vlan 10 (VRF B)-> AP Management (WiSM) Management <-Vlan 20 (VRF A)-> Management server
So there is no connection between the management server and the APs.
Hope anyone can guide me in the right direction ..
The APs need to initially see the Management interface, since this is the only interface that responds to ARP and is pingable. Per the documentation the AP-Manager and Management interfaces should be on the same subnet/VLAN.
Please remember to rate useful posts, and mark questions as answered
I don't know of a Cisco document, but the only things you should need are SNMP, TFTP and syslog. The WCS, if that's what you are referring to as the management server, uses SNMP to push profiles or make other changes to the WLCs. You should set up SNMPv3 and get rid of the default public/private communities. TFTP is used for image file transfer and for backing up the configurations. Syslog can be used in addition to the SNMP traps that the WCS automatically configures the WLCs to send.
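As an added example (not from the poster above), this is what the SNMP hardening and the TFTP/syslog pieces described in that reply look like on the WLC CLI of a WiSM controller. The management-server address 192.0.2.50 and the user name are constructed placeholders; the passphrases must be replaced before use.

```cisco
! --- SNMP: remove the defaults, allow only v3 ---------------------------
! Delete the factory communities the reply warns about
config snmp community delete public
config snmp community delete private
! The factory SNMPv3 user is named "default"; remove it as well
config snmp v3user delete default
! One authenticated + encrypted v3 user for the management server (WCS)
!   format: create <user> <ro|rw> <hmacmd5|hmacsha> <des|aescfb128> <authkey> <privkey>
config snmp v3user create wcs-poller rw hmacsha aescfb128 REPLACE-AUTH-PASSPHRASE REPLACE-PRIV-PASSPHRASE
! Turn off the unauthenticated versions entirely
config snmp version v1 disable
config snmp version v2c disable
config snmp version v3 enable
! Trap receiver = the management server (constructed address)
config snmp trapreceiver create wcs 192.0.2.50

! --- Syslog in addition to the traps -------------------------------------
config syslog host 192.0.2.50
config syslog level errors

! --- TFTP: back the configuration up to the same server ------------------
save config
transfer upload mode tftp
transfer upload datatype config
transfer upload serverip 192.0.2.50
transfer upload path /
transfer upload filename wism-ctrl1.cfg
transfer upload start

! --- Verify ---------------------------------------------------------------
show snmpcommunity
show snmpv3user
show snmpversion
show syslog
```

The v3 user is created with both authentication (hmacsha) and privacy (aescfb128) so that the profile pushes from the WCS are neither spoofable nor readable on the wire; only the Management interface of the WLC answers SNMP, so the server needs a path to that address, not to the AP-Manager.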
I've just gotten through installing a large number of WiSMs and I can say without a doubt the Cisco documentation is lacking. In one spot the docs say the AP-Manager and Management interface of the WiSM should be on the same VLAN. In another section it describes putting them on separate VLANs for security purposes. What's more, they give no examples or requirements of how to do anything but putting both interfaces on the same VLAN.
Basically, what I've found is:
1) AP-Manager and Management interfaces can be on separate VLANs. The key here is what you put as the native VLAN for the port-channels. If you make the native VLAN the same VLAN as the management interface, then you must configure it as untagged. If you want to VLAN tag them, then ensure that the native VLAN is something not used in the WiSM.
My personal preference is to have them on separate VLANs for security purposes.
2) The initial boot of the APs has them talking to the Management interface. I'm still fuzzy if they move to the AP-Manager interface after registering (I'll get a sniffer in there sooner or later to find out).
3) As to firewalling, items you want to make sure are open.
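The native-VLAN / tagging rule in point 1 above, shown as an added example (this is not the poster's configuration). Slot 3, controller 1, VLAN 20 for Management, VLAN 11 for AP-Manager and VLAN 999 as an unused native VLAN are all constructed values.

```cisco
! ===== Case A: Management VLAN is the native VLAN of the WiSM port-channel =====
! Catalyst 6500 side: the supervisor builds the port-channel for the WiSM;
! whatever is native here arrives at the WLC untagged.
wism module 3 controller 1 native-vlan 20
wism module 3 controller 1 allowed-vlan 11,20,100-110

! WLC side (WiSM controller 1): the Management interface must then be
! configured as UNTAGGED, i.e. VLAN id 0, while AP-Manager stays tagged.
config interface vlan management 0
config interface vlan ap-manager 11

! ===== Case B: tag both interfaces, native VLAN not used by the WiSM =====
! Pick a VLAN that carries nothing (constructed: 999) as native, so that no
! WLC interface is ever untagged and a mismatch cannot leak frames.
wism module 3 controller 1 native-vlan 999
wism module 3 controller 1 allowed-vlan 11,20,100-110

! WLC side: now both interfaces carry their real VLAN tag.
config interface vlan management 20
config interface vlan ap-manager 11

! ===== Verify on both sides =====
! Catalyst: port-channel state and VLAN list for the module
show wism status
show wism module 3 controller 1 status
! WLC: VLAN id per interface (0 = untagged)
show interface summary
```

The failure mode to check for is the mixed case: Management tagged with VLAN 20 on the WLC while VLAN 20 is also native on the port-channel. The Catalyst then strips the tag on egress, the WLC expects a tagged frame and silently drops it, and the controller is unreachable on its Management address even though `show wism status` looks healthy.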
The AP-Manager and the Management can be on different VLANs, but from the AP both the Management and the AP-Manager should be reachable. The AP initially tries to contact the Management interface in the LWAPP discovery request, and the discovery response from the Management interface carries the AP-Manager interface address. Now the AP sends the join request to the AP-Manager interface.
Regarding the ports that are used for LWAPP protocol
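For the discovery-then-join sequence in the reply above, and for the "items you want to make sure are open" question in the earlier post, here is an added example of the filter a practitioner would put on the routed edge of the AP VLAN; it is not from either poster. Assumed layout (all addresses constructed): APs in VLAN 10 (10.10.0.0/24, SVI 10.10.0.1), WiSM AP-Manager in VLAN 11 (10.11.0.5), WiSM Management in VLAN 20 (10.20.0.5). LWAPP itself uses UDP 12223 for control and UDP 12222 for data.

```cisco
ip access-list extended AP-TO-WISM
 remark Step 1: LWAPP discovery request goes to the MANAGEMENT interface
 permit udp 10.10.0.0 0.0.0.255 host 10.20.0.5 eq 12223
 remark Step 2: join request, then the control and data tunnels, go to the AP-MANAGER
 permit udp 10.10.0.0 0.0.0.255 host 10.11.0.5 eq 12223
 permit udp 10.10.0.0 0.0.0.255 host 10.11.0.5 eq 12222
 remark ping for troubleshooting; only the Management interface answers ICMP
 permit icmp 10.10.0.0 0.0.0.255 host 10.20.0.5 echo
 remark DHCP so the AP gets an address (and option 43 with the controller address)
 permit udp any eq bootpc any eq bootps
 remark everything else from the AP VLAN is dropped and logged
 deny ip any any log

interface Vlan10
 description AP VLAN - LWAPP APs only
 ip address 10.10.0.1 255.255.255.0
 ip access-group AP-TO-WISM in

! Verify that discovery and join are actually matching the intended lines
show ip access-lists AP-TO-WISM
```

Two caveats: the ACL only sees traffic that crosses the SVI, so if the AP-Manager sits in the same VLAN as the APs (as in the original diagram) the join and data traffic is switched at layer 2 and is never filtered here; and in the original VRF design the Management interface (VRF A) is not routable from the AP VLAN (VRF B) at all, so Step 1 can never succeed until that path exists. The management-server side (SNMP UDP 161 to the Management interface, traps UDP 162 and syslog UDP 514 back from it, TFTP UDP 69 plus the ephemeral data port) belongs on whatever filter sits between the server and VLAN 20, not on this one.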