Re: WLC 5508 to WLC 5508 for Mobility Group

bill.hurley · ‎03-23-2012

Hi

I have 5508 WLC (Running 7.2) in seperate buildings. I have created ACL's on both Controllers and the only thing that is failing is the Mobility Control Function. The ACL on WLC B is the Exactly the same except with some IP's being reversed. I have allowed EoIP and Mobility Traffic on both Controllers. The Data Path is Fine but the Control Path is stating down. I apologize in advance if I have been to vague. Any help would be appreciated.

Thank You

Bill

Scott Fella · ‎03-23-2012

So if you remove the wlc acl's does the mobility come up? I never use the wlc acl's unless I need to because of pre auth requirements.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

bill.hurley · ‎03-23-2012

Yes..It even comes up if I remove the ACL off one. Once I add it back ..down she goes. No rhyme or Reason at this point. :-)

Scott Fella · ‎03-23-2012

So does eping and mping fail? Can you post your acl?

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

bill.hurley · ‎03-23-2012

eping passes..mping fails. I will be back at their office tmr. I will get it and post.

Thanks

Scott Fella · ‎03-23-2012

Okay. Just wanted to see if you either allow everything between the WLC's or if not, you have udp 16666 open between the two.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎03-24-2012

Can you post your ACL?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

bill.hurley · ‎03-24-2012

Here you go

Thank You

Scott Fella · ‎03-24-2012

Well for mping, that is upd 16666/16667. So in your rule, your rule you shoulod have something like this:

17 16666-16666 16666-16666 Any Permit

17 16667-16667 16667-16667 Any Permit

What is the ip of the WLC's? YOur counters are all zero also.

http://www.cisco.com/en/US/products/ps6366/products_tech_note09186a0080a7c988.shtml#t4

Take a look at your show rules output without the ACL and then witht he ACL.

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎03-24-2012

For my info .. is this ACL on the CPU or the WLAN?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

bill.hurley · ‎03-24-2012

Hey george I have it attach to the CPU

George Stefanick · ‎03-24-2012

Bill,

What is the purpose of the ACL? CPU ACLs are more for WLC managment ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

bill.hurley · ‎03-24-2012

George

The Customer wanted to limit who has access to go into the WLC and make changes. They asked an ACL be placed on the WLC to do this.

Thanks

Bill

Scott Fella · ‎03-24-2012

Well why not just do a deny for http/https/telnet/ssh from the other subnets and then just permit any any. Not a big fan and i always tell my clients that it is best to place the acl on the L3.

Thanks,

Scott Fella

Sent from my iPhone

-Scott
*** Please rate helpful posts ***

George Stefanick · ‎03-24-2012

+5 Scott ...

I try and persuade my customers to do the same. I am deploying ISE and playing with ACLs on the WLC. I plan to move them to the wired ..

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________