Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

WLAN 4402 Design question

Dear Support,

Wondering if anyone could help me, after some basic design advice on a WLAN implementation and if it is achievable.


VLAN 201 - Wired user LAN and 2003 Server running IAS (10.115.2.x /24)

VLAN 201 - Secure WLAN on 10.115.2.x /24

VLAN 60 - Management LAN for WLAN 4402 controller and 4 1130 LW (layer 2 mode) APs (172.16.31.x /24)

WLAN 99 - Guest WLAN with web auth (192.168.252.x /24).

I have a DSL router for the 192.168.252.x subnet for internet access for Guest users. A DHCP scope if configured on the WLAN controller

I am wondering if I can have the same subnet (and addresses assigned via the server running IAS) for both the wired users and secure WLAN.

Thank you for your assistance in advance.

I always rate helpful replies.

Best regards, Adrian.

Cisco Employee

Re: WLAN 4402 Design question

Hi Adrian,

First of all do you want you controller to run on L2 LWAPP mode if yes 1130 does not support L2 Lwapp Transport mode and in L2 Lwapp transport mode APs does not get an IP address.

Secondly coming to you last doubt can you confirm what exactly you are looking for? You want your server running IAS also to work as DHCP server assiging ip addresses for your wired and wireless users and you want to disable controller working as DHCP server? If yes , than answer is YES thats is possible.

Under interface configuration on your wireless controller you need to sefine your external DHCP server IP Address.

Please come back with your comments if I misunderstood your question.



New Member

Re: WLAN 4402 Design question

Hi Ankur,

Many thanks for replying, ideally this is what I need to know is possible.

Currently the wired users on vlan 201, get an IP address via DHCP from the server, the same server is also configured with IAS for the implementation of MS-CHAP-V2 for authentication using their AD username and password (still yet to get working).

Ideally I would prefer that the wired and secure wireless (ms-chap-v2 on vlan 201) get their IP addresses from the same server. I need to know if it is possible to have both a wired VLAN and wireless WLAN using the same VLAN id (in this case 201).

I?m not over concerned with using either L2 or L3 mode on the APs, they currently are set to L2, but happy to define another scope either on the WLAN controller of the IAS (w2003) server.

Think the fundamental question I?m asking, is ;

Is it possible to have both the Wired users (VLAN 201) and Secure WLAN users (also on vlan 201) to share the same subnet. The reason this is crucial to the design is that the 10.115.2.x subnet is routed via a third party and getting them to add additional routes (i.e. one for the wired users and one for the wireless users is a pain! And a lot of paperwork!)

I have tried to do the config already the issues I have is that pings from the server to the management address of the WLAN controller sometimes work and sometimes don?t. I have 2 x 3560 switches doing the routing between the user (v201) and wlan management (v60). This is also the same in the opposite direction (4402 to the DHCP/IAS server). I am always able to ping the SVI of the v60 from the server. I'm also not seeing any authentication requests being passed to the IAS server.

Thanks again in advance for your assistance.

Best regards, Adrian.

Cisco Employee

Re: WLAN 4402 Design question

Hi Adrian,

Yes you can for sure have wired and wireless users in same subnet/vlan. You need to create a dynamic interface with vlan 201 and assign a default gateway to that interface as 3560 SVI interface for vlan 201 and define primary DHCP server your IAS server IP Address.

If you want instead of creating another dynamic interface you can configure your management interface also in same subnet then you do not need any dynamic interface for your wireless user and you managent interface can be in vlan 201.

But if you want your management interface and subnet should be different then you can create dynamic interface for vlan 201 and when you create SSID map it to that dynamic interface for vlan 201.

Infact in my setup wireless users and wired users are sharing same subnet/vlan and are working like a champ.



New Member

Re: WLAN 4402 Design question

Many thanks for the update, in the end I had to create another subnet for the secure wireless LAN. Which then all worked.

Thanks again.

Regards, Adrian