WISM, Controller, ASA5515. New wireless Guest implementation failure

Steve Coady
Level 1

I have been trying to get our 5508 guest controller to talk to our wism2. I got the mobility group up and working but could not get the 5508 to communicate with the asa5515x even though they are directly connected.

This is a new implementation.

The 5508 will be the anchor with internal DHCP.

       I created an interface for it as well. VLAN 1500.

       The 5508 is anchored to the wism2s through mobility and communicates through the mgmt IP.

The 5508 then goes through an ASA5515x before it hits the internet.

I talked to various wireless engineers and ASA engineers and no one could seem to figure it out. They all kept pointing to trunking, but the ASA is unable to set a physical port as trunking.

       I created a sub interface on the ASA5515x then put that sub interface in the VLAN. The mgmt IP of the 5508 is the only VLAN that actually lives on our network.

Please review and advise.

sMc
Accepted Solutions

Felix Arrieta
Cisco Employee

Hello Steve,

- Do you happen to have an available port at the ASA?

- If there is an available port at the ASA, then just configure it for "access mode vlan 1500", meaning there is no tagging or trunk from the ASA.

- Get a separate cable from the ASA to the WLC port number 2.

- Delete the existing "guest" dynamic interface and re-create a new one matching up with WLC port number 2.

- Configure the IP address, gateway and mask from VLAN 1500 but do not tag it from the WLC, so the VLAN field goes empty.

- Make sure LAG is disabled on the WLC.

note:

ASA, Trunk mode is available only with the Security Plus license. Source:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start_5505.html#wp1073296

 

hope that helps,

Felix.

 

 

 

Fearriet

 

Thank you for the response.

 

Just so I understand. Currently I have the WLC port 6 connected to the ASA INSIDE int. I needed to create a sub int on the ASA5515x, version 9.1(1).

interface GigabitEthernet0/0
 description GUEST_Wireless
 nameif inside
 security-level 100
 no ip address


int gi0/0.1
interface GigabitEthernet0/0.1
 vlan 1500
 no nameif
 no security-level
 ip address 192.168.x.a 255.255.248.0

so I could put the interface in Vlan 1500. Is this correct?

 

The WLC has the following

 

Vlan ID = 0

192.168.x.y 255.255.248.0

gateway = 192.168.x.a

 

Port 6

 

The WLC is the DHCP server for the subnet 192.168.x.0 255.255.248.0

sMc
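
As an added example (not part of the thread and not Cisco's code), this Python check reads the ASA stanzas posted above together with the WLC's VLAN ID and lists where the two ends of the direct cable disagree on tagging, or where an addressed ASA interface has no nameif. It assumes that WLC VLAN ID 0 means untagged, that an ASA subinterface tags frames with its `vlan` value, and that an ASA interface without `nameif` passes no traffic; the function names are hypothetical.

```python
import re

# Constructed sample: the ASA stanzas as posted in the thread (the addresses
# are the thread's own redacted placeholders).
ASA_CONFIG = """\
interface GigabitEthernet0/0
 description GUEST_Wireless
 nameif inside
 security-level 100
 no ip address
!
interface GigabitEthernet0/0.1
 vlan 1500
 no nameif
 no security-level
 ip address 192.168.x.a 255.255.248.0
"""

def parse_interfaces(config):
    """Return {interface name: {"vlan": ..., "nameif": ..., "ip": ...}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        words = line.split()
        if m:
            current = interfaces.setdefault(m.group(1), {"vlan": None, "nameif": None, "ip": None})
        elif current is not None and words and line.startswith(" "):
            if words[0] == "vlan":
                current["vlan"] = int(words[1])
            elif words[0] == "nameif":
                current["nameif"] = words[1]
            elif words[:2] == ["ip", "address"]:
                current["ip"] = words[2]
    return interfaces

def audit(config, wlc_vlan_id):
    """List mismatches between the ASA side and a directly cabled WLC port."""
    # Assumption: WLC VLAN ID 0 = untagged; ASA subinterface = tagged with its vlan.
    findings = []
    for name, intf in parse_interfaces(config).items():
        if intf["ip"] and not intf["nameif"]:
            findings.append(f"{name}: has an IP address but no nameif, so it passes no traffic")
        if intf["vlan"] is not None and intf["vlan"] != wlc_vlan_id:
            findings.append(f"{name}: tags VLAN {intf['vlan']}, WLC interface uses VLAN ID {wlc_vlan_id}")
        if "." not in name and intf["nameif"] and not intf["ip"]:  # no dot: physical interface
            findings.append(f"{name}: untagged side is named '{intf['nameif']}' but has no IP address")
    return findings
```

Calling `audit(ASA_CONFIG, 0)` with the WLC values from the post (VLAN ID = 0) returns three findings: one on the physical interface and two on the subinterface.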

Hello

 

More information per Cisco that may be of use.

The Cisco Controller "should not" be used as a DHCP server in a production network. A CCIE stated this was really only for LAB scenarios!?!

 

The ports on the controller are not really like a switch port, therefore a direct connection between an ASA 5515x Gi0/0 interface and Gig port 1-8 on the controller is not recommended. They recommend putting a switch in between. Rack space is small and this defeats the original design intent.

               These last 2 revelations, from Cisco employees, beg for the phrase "wth"?!?!

 

The goal is to keep Guest user traffic OFF the main production network.

The topology looks as follows:

      Cable Internet--->Cable Modem--->ASA5515x (disk0:/asa911-smp-k8.bin)--->5508 Controller--->DISTRO switch--->WISM--->AP's.

 

Please review and advise

 

sMc