Cisco Support Community
New Member

WLC - Cannot reach Management IP from LAN.

Hello,

I have a 2811 (running 12.4(15)XZ) with a WLCM (4.2.209.0).

I have reset the configurations on both.

Set FE and WLCM IPs on the router and gave WLC Management and AP manager addresses.

All + PC are on the same subnet.

Router pings all addresses besides AP-manager (intended). WLC CLI cannot ping PC and PC cannot ping (nor HTTP) to WLC. PC can, however, ping and telnet the router on both the FE and WLCM IPs.

I followed the guides on WLCM configuration; did I miss something?

How can I access the management IP and the web GUI?

2811 config:

Building configuration...

Current configuration : 1292 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable secret 5 $1$Cqw1$hEVpc7p4.l99WgLrettec.

enable password ********

!

!

dot11 syslog

no ip routing

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

no ip cef

!

!

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

voice-card 0

no dspfarm

!

!

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

no ip address

no ip route-cache

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 172.31.35.60 255.255.0.0

no ip route-cache

duplex full

speed auto

no mop enabled

!

interface Integrated-Service-Engine1/0

ip address 172.31.35.61 255.255.0.0

no ip route-cache

no keepalive

!

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

!

!

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line 66

no activation-character

no exec

transport preferred none

transport input all

transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

password *******

login

!

scheduler allocate 20000 1000

end

WLC Config:

System Inventory

NAME: "Chassis"    , DESCR: "Cisco Wireless Controller"

PID: NME-AIR-WLC8-K9,  VID: V01,  SN: **************

Burned-in MAC Address............................ *******************

Press Enter to continue Or <Ctl Z> to abort

System Information

Manufacturer's Name.............................. Cisco Systems Inc.

Product Name..................................... Cisco Controller

Product Version.................................. 4.2.209.0

RTOS Version..................................... 4.2.209.0

Bootloader Version............................... 4.2.209.0

Build Type....................................... DATA + WPS

System Name...................................... Cisco_WLC

System Location..................................

System Contact...................................

System ObjectID.................................. 1.3.6.1.4.1.9.1.818

IP Address....................................... 172.31.35.62

System Up Time................................... 0 days 0 hrs 41 mins 50 secs

Configured Country............................... EE  - Estonia

State of 802.11b Network......................... Enabled

State of 802.11a Network......................... Enabled

Number of WLANs.................................. 1

3rd Party Access Point Support................... Disabled

Number of Active Clients......................... 0

--More-- or (q)uit

Burned-in MAC Address............................ ************

Press Enter to continue Or <Ctl Z> to abort

Switch Configuration

802.3x Flow Control Mode......................... Disable

Current LWAPP Transport Mode..................... Layer 3

LWAPP Transport Mode after next switch reboot.... Layer 3

FIPS prerequisite features....................... Disabled

Secret obfuscation............................... Enabled

Press Enter to continue Or <Ctl Z> to abort

Network Information

RF-Network Name............................. WLCM-Group

Web Mode.................................... Enable

Secure Web Mode............................. Enable

Secure Web Mode Cipher-Option High.......... Disable

Secure Web Mode Cipher-Option SSLv2......... Enable

Secure Shell (ssh).......................... Enable

Telnet...................................... Disable

Ethernet Multicast Mode..................... Disable   Mode: Mcast  0.0.0.0

Ethernet Broadcast Mode..................... Disable

IGMP snooping............................... Disabled

IGMP timeout................................ 60 seconds

User Idle Timeout........................... 300 seconds

ARP Idle Timeout............................ 300 seconds

ARP Unicast Mode............................ Disabled

Cisco AP Default Master..................... Disable

Mgmt Via Wireless Interface................. Disable

Mgmt Via Dynamic Interface.................. Disable

Bridge MAC filter Config.................... Enable

Bridge Security Mode........................ EAP

Over The Air Provisioning of AP's........... Disable

AP Fallback ................................ Enable

--More-- or (q)uit

Web Auth Redirect Ports .................... 80

Fast SSID Change ........................... Disabled

802.3 Bridging ............................. Disable

Press Enter to continue Or <Ctl Z> to abort

Port Summary

           STP   Admin   Physical   Physical   Link   Link

Pr  Type   Stat   Mode     Mode      Status   Status  Trap     POE

-- ------- ---- ------- ---------- ---------- ------ ------- ---------

1  Normal  Forw Enable  Auto       1000 Full  Up     Enable  N/A

Press Enter to continue Or <Ctl Z> to abort

AP Summary

Number of APs.................................... 0

AP Name             Slots  AP Model             Ethernet MAC       Location          Port  Country

------------------  -----  -------------------  -----------------  ----------------  ----  -------

Press Enter to continue Or <Ctl Z> to abort


Cheers!

17 REPLIES
Hall of Fame Super Silver

WLC - Cannot reach Management IP from LAN.

Can you post the rest of the WLC config?

-Scott
*** Please rate helpful posts ***

WLC - Cannot reach Management IP from LAN.

Can you check the device connected to F0/1? Make sure that you don't have a duplex mismatch.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

WLC - Cannot reach Management IP from LAN.

The FE0/1 has no duplex mismatch and the router's connection with the PC is OK over that link.

The bridge between PC-2811-WLCM is what's not working well :/

WLC - Cannot reach Management IP from LAN.

Not FE0/1, but what is connected to it, so the switch on the other end.

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Re: WLC - Cannot reach Management IP from LAN.

Steve, there is nothing but the PC and 2811 with the WLC module.

Re: WLC - Cannot reach Management IP from LAN.

And the PC is configured to be 100/full? Or is it auto/auto?

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Re: WLC - Cannot reach Management IP from LAN.

Windows 7, Auto Negotiation, 1000 Mbit interface. I really appreciate your help, Steve.

Re: WLC - Cannot reach Management IP from LAN.

Can you set the router to auto/auto and see if it will allow you to pass traffic?

HTH,
Steve

-----------------------------------------
Please remember to rate useful posts, and mark questions as answered

New Member

Re: WLC - Cannot reach Management IP from LAN.

Sven,

I believe that the fast ethernet interface has to be on a separate IP subnet and the default gateway on the management interface in the WLCM points at the IP address on the ISE interface in the router.

Refer to config example below:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00807112e2.shtml

Bill Jenkins

Sent from Cisco Technical Support iPad App
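
The two conditions in Bill's reply above can be checked against the addresses posted in this thread. The following Python is an added example, not code from any poster or from Cisco; the function names and finding codes are hypothetical, the inputs are excerpts constructed from the posted output, and the `no ip routing` check goes beyond the reply (forwarding between two subnets needs IP routing enabled).

```python
import ipaddress
import re

# Constructed excerpt: address-bearing lines of the 2811 config posted above.
ROUTER_CONFIG = """\
no ip routing
interface FastEthernet0/0
 no ip address
 shutdown
interface FastEthernet0/1
 ip address 172.31.35.60 255.255.0.0
interface Integrated-Service-Engine1/0
 ip address 172.31.35.61 255.255.0.0
"""

# Constructed excerpt: the management interface block from the posted WLC output.
WLC_OUTPUT = """\
Interface Name................................... management
IP Address....................................... 172.31.35.62
IP Netmask....................................... 255.255.0.0
IP Gateway....................................... 172.31.35.1
"""

# Constructed "after" layout: the 192.168.1.1/24 LAN address the poster tried
# later, IP routing left enabled, and the WLC gateway set to the ISE address.
FIXED_ROUTER_CONFIG = """\
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
interface Integrated-Service-Engine1/0
 ip address 172.31.35.61 255.255.0.0
"""
FIXED_WLC_OUTPUT = WLC_OUTPUT.replace("172.31.35.1\n", "172.31.35.61\n")


def parse_router(config):
    """Return (ip_routing_enabled, {interface name: IPv4Interface})."""
    routing, addrs, current = True, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "no ip routing":
            routing = False
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif current:
            # "no ip address" and secondary addresses do not match here.
            m = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if m:
                addrs[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return routing, addrs


def parse_wlc_interface(output, name):
    """Return (IPv4Interface, gateway) for one interface block of WLC output."""
    fields, in_block = {}, False
    for line in output.splitlines():
        m = re.match(r"\s*(.+?)\.{2,}\s*(.*)$", line)  # "Key........ value"
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Interface Name":
            in_block = value == name
        elif in_block:
            fields[key] = value
    iface = ipaddress.ip_interface(f"{fields['IP Address']}/{fields['IP Netmask']}")
    return iface, ipaddress.ip_address(fields["IP Gateway"])


def check(router_config, wlc_output, lan="FastEthernet0/1",
          ise="Integrated-Service-Engine1/0"):
    """Return a list of (code, message) findings; empty when all checks pass."""
    routing, addrs = parse_router(router_config)
    mgmt, gateway = parse_wlc_interface(wlc_output, "management")
    findings = []
    if addrs[lan].network.overlaps(addrs[ise].network):
        findings.append(("lan-ise-same-subnet",
                         f"{lan} {addrs[lan]} and {ise} {addrs[ise]} share a subnet"))
    if mgmt.network != addrs[ise].network:
        findings.append(("mgmt-not-on-ise-subnet",
                         f"management {mgmt} is not in {addrs[ise].network}"))
    if gateway != addrs[ise].ip:
        findings.append(("wlc-gateway-not-ise",
                         f"management gateway {gateway} is not the ISE address "
                         f"{addrs[ise].ip}"))
    if not routing:
        findings.append(("ip-routing-disabled",
                         "'no ip routing' is set: the router does not forward "
                         "IP packets between its interfaces"))
    return findings


if __name__ == "__main__":
    for label, rc, wo in (("posted", ROUTER_CONFIG, WLC_OUTPUT),
                          ("constructed fix", FIXED_ROUTER_CONFIG, FIXED_WLC_OUTPUT)):
        print(label)
        for code, message in check(rc, wo) or [("ok", "no findings")]:
            print(f"  [{code}] {message}")
```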

New Member

Re: WLC - Cannot reach Management IP from LAN.

Ok interesting info!

I have now tried with a different subnet (192.168.1.1/24 for FE0/1 and 192.168.1.2/24 pointing to 1 for PC).

Interestingly, I cannot ping 192.168.1.1 from the router, but everything remained the same - PC pings router and WLCM but not WLC Management. Router pings everything. WLC pings FE0/1 and WLCM.

PC(192.168.1.2/24):

C:\Users\Svea>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 192.168.1.1: bytes=32 time=1001ms TTL=255

Reply from 192.168.1.1: bytes=32 time=1ms TTL=255

Reply from 192.168.1.1: bytes=32 time=1ms TTL=255

Reply from 192.168.1.1: bytes=32 time=1ms TTL=255

Ping statistics for 192.168.1.1:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 1001ms, Average = 251ms

C:\Users\Svea>ping 172.31.35.61

Pinging 172.31.35.61 with 32 bytes of data:

Reply from 172.31.35.61: bytes=32 time=1ms TTL=255

Reply from 172.31.35.61: bytes=32 time=1ms TTL=255

Reply from 172.31.35.61: bytes=32 time=1ms TTL=255

Reply from 172.31.35.61: bytes=32 time=1ms TTL=255

Ping statistics for 172.31.35.61:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\Users\Svea>ping 172.31.35.62

Pinging 172.31.35.62 with 32 bytes of data:

Request timed out.

Ping statistics for 172.31.35.62:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Control-C

^C

C:\Users\Svea>tracert 172.31.35.61

Tracing route to 172.31.35.61 over a maximum of 30 hops

  1     1 ms     1 ms    <1 ms  172.31.35.61

Trace complete.

C:\Users\Svea>tracert 172.31.35.62

Tracing route to 172.31.35.62 over a maximum of 30 hops

  1     *        *        *     Request timed out.

  2     *        *        *     Request timed out.

  3     *        *        *     Request timed out.

  4  ^C

Thank you Bill for pointing out that the Management and AP Manager IPs should point to the WLCM ISE. Unfortunately it didn't change anything.

I am still open for suggestions but in a few days I will ship it to a live environment and see if that changes anything.

I will try setting the router from full duplex to auto (speed is auto atm) tomorrow. I doubt it has an effect because I have no problem reaching the router that contains the WLCM over IP.

New Member

Re: WLC - Cannot reach Management IP from LAN.

Continuing......

AP Location

Status........................................... disabled

Press Enter to continue Or to abort

AP Config

Press Enter to continue Or to abort

Press Enter to continue Or to abort

AP Airewave Director Configuration

Press Enter to continue Or to abort

802.11A Configuration

802.11a Network.................................. Enabled

11nSupport....................................... Enabled

      802.11a Low Band........................... Enabled

      802.11a Mid Band........................... Enabled

      802.11a High Band.......................... Enabled

802.11a Operational Rates

    802.11a 6M Rate.............................. Mandatory

    802.11a 9M Rate.............................. Supported

    802.11a 12M Rate............................. Mandatory

    802.11a 18M Rate............................. Supported

    802.11a 24M Rate............................. Mandatory

    802.11a 36M Rate............................. Supported

    802.11a 48M Rate............................. Supported

    802.11a 54M Rate............................. Supported

802.11n MCS Settings:

    MCS 0........................................ Supported

    MCS 1........................................ Supported

    MCS 2........................................ Supported

    MCS 3........................................ Supported

    MCS 4........................................ Supported

    MCS 5........................................ Supported

    MCS 6........................................ Supported

    MCS 7........................................ Supported

    MCS 8........................................ Supported

    MCS 9........................................ Supported

    MCS 10....................................... Supported

    MCS 11....................................... Supported

    MCS 12....................................... Supported

    MCS 13....................................... Supported

    MCS 14....................................... Supported

    MCS 15....................................... Supported

802.11n Status:

    A-MPDU Tx:

        Priority 0............................... Enabled

        Priority 1............................... Disabled

        Priority 2............................... Disabled

        Priority 3............................... Disabled

        Priority 4............................... Disabled

        Priority 5............................... Disabled

        Priority 6............................... Disabled

        Priority 7............................... Disabled

    A-MSDU Tx ................................... Enabled

    Rifs Tx ..................................... Enabled

    Guard Interval .............................. Short

--More-- or (q)uit

Beacon Interval.................................. 100

CF Pollable mandatory............................ Disabled

CF Poll Request mandatory........................ Disabled

CFP Period....................................... 4

CFP Maximum Duration............................. 60

Default Channel.................................. 36

Default Tx Power Level........................... 1

DTPC  Status..................................... Enabled

DTIM Period...................................... 1

Fragmentation Threshold.......................... 2346

Long Retry Limit................................. 4

Maximum Rx Life Time............................. 512

Max Tx MSDU Life Time............................ 512

Medium Occupancy Limit........................... 100

Pico-Cell Status................................. Disabled

Pico-Cell-V2 Status.............................. Disabled

RTS Threshold.................................... 2347

Short Retry Limit................................ 7

TI Threshold..................................... -50

Traffic Stream Metrics Status.................... Disabled

Expedited BW Request Status...................... Disabled

EDCA profile type................................ default-wmm

Voice MAC optimization status.................... Disabled

--More-- or (q)uit

Call Admision Control (CAC) configuration

   Voice AC - Admission control (ACM)............ Disabled

   Voice max RF bandwidth........................ 75

   Voice reserved roaming bandwidth.............. 6

   Voice load-based CAC mode..................... Disabled

   Voice tspec inactivity timeout................ Disabled

   Voice tspec inactivity timeout................ Disabled

   Video AC - Admission control (ACM)............ Disabled

   Voice Stream-Size............................. 84000

   Voice Max-Streams............................. 2

   Video max RF bandwidth........................ Infinite

   Video reserved roaming bandwidth.............. 0

Press Enter to continue Or to abort

802.11A Advanced Configuration

Press Enter to continue Or to abort

802.11A Airewave Director Configuration

RF Event and Performance Logging

  Channel Update Logging......................... Off

  Coverage Profile Logging....................... Off

  Foreign Profile Logging........................ Off

  Load Profile Logging........................... Off

  Noise Profile Logging.......................... Off

  Performance Profile Logging.................... Off

  TxPower Update Logging......................... Off

Default 802.11a AP performance profiles

  802.11a Global Interference threshold.......... 10 %

  802.11a Global noise threshold................. -70 dBm

  802.11a Global RF utilization threshold........ 80 %

  802.11a Global throughput threshold............ 1000000 bps

  802.11a Global clients threshold............... 12 clients

  802.11a Global coverage threshold.............. 16 dB

  802.11a Global coverage exception level........ 25 %

  802.11a Global client minimum exception lev.... 3 clients

Default 802.11a AP monitoring

  802.11a Monitor Mode........................... enable

  802.11a Monitor Channels....................... Country channels

  802.11a AP Coverage Interval................... 180 seconds

--More-- or (q)uit

  802.11a AP Load Interval....................... 60 seconds

  802.11a AP Noise Interval...................... 180 seconds

  802.11a AP Signal Strength Interval............ 60 seconds

Automatic Transmit Power Assignment

  Transmit Power Assignment Mode................. AUTO

  Transmit Power Update Interval................. 600 seconds

  Transmit Power Threshold....................... -70 dBm

  Transmit Power Neighbor Count.................. 3 APs

  Transmit Power Update Contribution............. SNI.

  Transmit Power Assignment Leader............... 00:1e:13:33:f2:60

  Last Run....................................... 87 seconds ago

Automatic Channel Assignment

  Channel Assignment Mode........................ AUTO

  Channel Update Interval........................ 600 seconds [startup]

  Anchor time (Hour of the day).................. 0

  Channel Update Contribution.................... SNI.

  Channel Assignment Leader...................... 00:1e:13:33:f2:60

  Last Run....................................... 87 seconds ago

  DCA Sensitivity Level: ...................... STARTUP (5 dB)

  Channel Energy Levels

    Minimum...................................... unknown

    Average...................................... unknown

--More-- or (q)uit

    Maximum...................................... unknown

  Channel Dwell Times

    Minimum...................................... unknown

    Average...................................... unknown

    Maximum...................................... unknown

  Auto-RF Allowed Channel List................... 36,40,44,48,52,56,60,64

  Auto-RF Unused Channel List.................... 100,104,108,112,116,120,124,

    ............................................. 128,132,136,140

  DCA Outdoor AP option.......................... Disabled

Radio RF Grouping

  802.11a Group Mode............................. AUTO

  802.11a Group Update Interval.................. 600 seconds

  802.11a Group Leader........................... 00:1e:13:33:f2:60

    802.11a Group Member......................... 00:1e:13:33:f2:60

  802.11a Last Run............................... 87 seconds ago

Press Enter to continue Or to abort

Mobility Configuration

Symmetric Mobility Tunneling (current) .......... Disabled

Symmetric Mobility Tunneling (after reboot) ..... Disabled

Mobility Protocol Port........................... 16666

Default Mobility Domain.......................... WLCM-Group

Mobility Keepalive interval...................... 10

Mobility Keepalive count......................... 3

Mobility Group members configured................ 1

Controllers configured in the Mobility Group

MAC Address        IP Address       Group Name         Status

00:1e:13:33:f2:60    172.31.35.62     WLCM-Group       Up

Press Enter to continue Or to abort

Interface Configuration

Interface Name................................... ap-manager

MAC Address...................................... 00:1e:13:33:f2:60

IP Address....................................... 172.31.35.63

IP Netmask....................................... 255.255.0.0

IP Gateway....................................... 172.31.35.1

VLAN............................................. untagged

Physical Port.................................... 1

Primary DHCP Server.............................. 172.31.35.22

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. No

Interface Name................................... management

MAC Address...................................... 00:1e:13:33:f2:60

IP Address....................................... 172.31.35.62

IP Netmask....................................... 255.255.0.0

IP Gateway....................................... 172.31.35.1

VLAN............................................. untagged

Physical Port.................................... 1

Primary DHCP Server.............................. 172.31.35.22

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. Unconfigured

AP Manager....................................... No

Guest Interface.................................. No

Interface Name................................... virtual

MAC Address...................................... 00:1e:13:33:f2:60

IP Address....................................... 1.1.1.1

DHCP Option 82................................... Disabled

Virtual DNS Host Name............................ Disabled

AP Manager....................................... No

Guest Interface.................................. No

Press Enter to continue Or to abort

WLAN Configuration

WLAN Identifier.................................. 1

Profile Name..................................... WLCM-Clients

Network Name (SSID).............................. WLCM-Clients

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Number of Active Clients......................... 0

Exclusionlist Timeout............................ 60 seconds

Session Timeout.................................. 1800 seconds

Interface........................................ management

WLAN ACL......................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Quality of Service............................... Silver (best effort)

Scan Defer Priority.............................. 5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

CCX - AironetIe Support.......................... Enabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

IPv6 Support..................................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

Radius Servers

   Authentication................................ Global Servers

   Accounting.................................... Global Servers

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Disabled

         AES Cipher.............................. Enabled

      Auth Key Management

         802.1x.................................. Enabled

         PSK..................................... Disabled

--More-- or (q)uit

         CCKM.................................... Disabled

   CKIP ......................................... Disabled

   IP Security Passthru.......................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   H-REAP Local Switching........................ Disabled

   Infrastructure MFP protection................. Enabled (Global Infrastructure MFP Disabled)

   Client MFP.................................... Optional

   Tkip MIC Countermeasure Hold-down Timer....... 60

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

Press Enter to continue Or to abort

ACL Configuration

Press Enter to continue Or to abort

CPU ACL Configuration

CPU Acl Name................................ NOT CONFIGURED

Wireless Traffic............................ Disabled

Wired Traffic............................... Disabled

Press Enter to continue Or to abort

RADIUS Configuration

Vendor Id Backward Compatibility................. Disabled

Call Station Id Type............................. IP Address

Aggressive Failover.............................. Enabled

Keywrap.......................................... Disabled

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr

---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------

Accounting Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr

---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------

Press Enter to continue Or to abort

TACACS Configuration

Authentication Servers

Idx  Server Address    Port    State     Tout

---  ----------------  ------  --------  ----

Authorization Servers

Idx  Server Address    Port    State     Tout

---  ----------------  ------  --------  ----

Accounting Servers

Idx  Server Address    Port    State     Tout

---  ----------------  ------  --------  ----

Press Enter to continue Or to abort

LDAP Configuration

Press Enter to continue Or to abort

Local EAP Configuration

User credentials database search order:

    Primary ..................................... Local DB

Timer:

    Active timeout .............................. 300

Configured EAP profiles:

EAP Method configuration:

    EAP-FAST:

      Server key ................................

      TTL for the PAC ........................... 10

      Anonymous provision allowed ............... Yes

      Authority ID .............................. 436973636f0000000000000000000000

      Authority Information ..................... Cisco A-ID

Press Enter to continue Or to abort

Route  Info

Number of Routes................................. 0

Destination Network          Genmask               Gateway

-------------------    -------------------   -------------------

Press Enter to continue Or to abort

Qos Queue Length Info

Platinum queue length............................ 100

Gold queue length................................  75

Silver queue length..............................  50

Bronze queue length..............................  25

Press Enter to continue Or to abort

Mac Filter Info

Press Enter to continue Or to abort

Authorization List

Authorize APs against AAA ....................... disabled

Allow APs with Self-Signed Certificate (SSC) .... disabled

Press Enter to continue Or to abort

Load Balancing Info

Aggressive Load Balancing........................ Disabled

Aggressive Load Balancing Window................. 5 clients

Press Enter to continue Or to abort

Dhcp Scope Info

Press Enter to continue Or to abort

Exclusion List Configuration

Unable to retrieve exclusion-list entry

Press Enter to continue Or to abort

CDP Configuration

cdp.............................................. disabled

Press Enter to continue Or to abort

Country Channels Configuration

Configured Country............................. EE  - Estonia

      KEY: * = Channel is legal in this country and may be configured manually.

           A = Channel is the Auto-RF default in this country.

           . = Channel is not legal in this country.

           C = Channel has been configured for use by Auto-RF.

           x = Channel is available to be configured for use by Auto-RF.

         = Regulatory Domains allowed by this country.

------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-

802.11BG    :

Channels    :                   1 1 1 1 1

            : 1 2 3 4 5 6 7 8 9 0 1 2 3 4

------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-

EE (-E)    : A * * * * A * * * * A * * .

------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

802.11A    :                         1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Channels    : 3 3 3 4 4 4 4 4 5 5 6 6 0 0 0 1 1 2 2 2 3 3 4 4 5 5 6 6

            : 4 6 8 0 2 4 6 8 2 6 0 4 0 4 8 2 6 0 4 8 2 6 0 9 3 7 1 5

------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

EE (-E)    : . A . A . A . A A A A A * * * * * * * * * * * . . . . .

------------:+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

--More-- or (q)uit

Press Enter to continue Or to abort

WPS Configuration Summary

Auto-Immune

  Auto-Immune.................................... Disabled

Client Exclusion Policy

  Excessive 802.11-association failures.......... Enabled

  Excessive 802.11-authentication failures....... Enabled

  Excessive 802.1x-authentication................ Enabled

  IP-theft....................................... Enabled

  Excessive Web authentication failure........... Enabled

Trusted AP Policy

  Management Frame Protection.................... Disabled

  Mis-configured AP Action....................... Alarm Only

    Enforced encryption policy................... none

    Enforced preamble policy..................... none

    Enforced radio type policy................... none

    Validate SSID................................ Disabled

  Alert if Trusted AP is missing................. Disabled

  Trusted AP timeout............................. 120

--More-- or (q)uit

Untrusted AP Policy

  Rogue Location Discovery Protocol.............. Disabled

    RLDP Action.................................. Alarm Only

  Rogue APs

    Rogues AP advertising my SSID................ Alarm Only

    Detect and report Ad-Hoc Networks............ Enabled

  Rogue Clients

    Validate rogue clients against AAA........... Disabled

    Detect trusted clients on rogue APs.......... Alarm Only

  Rogue AP timeout............................... 1200

Signature Policy

  Signature Processing........................... Enabled

Press Enter to continue Or to abort

Custom Web Configuration

Radius Authentication Method..................... PAP

Cisco Logo....................................... Enabled

CustomLogo....................................... None

Custom Title..................................... None

Custom Message................................... None

Custom Redirect URL.............................. None

Web Authentication Type.......................... Internal Default

External Web Authentication URL.................. None

Configuration Per Profile:

Thanks for your time.

New Member

Re: WLC - Cannot reach Management IP from LAN.

Hello,

the whole thing now sits in the live environment:

2811-WLCM-VLAN1.png

  • Everything is pointing to the WAN gateway 172.31.35.1
  • With the exception of WLC whose Management and AP-Manager point to ISE-172.31.35.61

Problem: no connection (ping, web access) between Windows 7 (PC) and WLC

2811 has no problem pinging either of those:

Router>ping 172.31.35.124

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.31.35.124, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Router>ping 172.31.35.62

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.31.35.62, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Current config of 2811:

Router>en

Password:

Router#show running

Building configuration...

Current configuration : 1323 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable secret 5 $1$Cqw1$hEVpc7p4.l99WgLrw3Mdc.

enable password ********

!

no aaa new-model

!

dot11 syslog

no ip routing

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

no ip cef

!

!

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

voice-card 0

no dspfarm

!

!

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

no ip address

no ip route-cache

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 172.31.35.60 255.255.0.0

no ip route-cache

duplex auto

speed auto

no mop enabled

!

interface Integrated-Service-Engine1/0

ip address 172.31.35.61 255.255.0.0

no ip route-cache

no keepalive

!

ip default-gateway 172.31.35.1

ip forward-protocol nd

no ip http server

no ip http secure-server

!

!

!

!

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line 66

no activation-character

no exec

transport preferred none

transport input all

transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

password *********

login

!

scheduler allocate 20000 1000

end

It was mentioned that Fa0/1 should be in a different subnet than WLC, is this true? Then I would need to enable routing?

PC:

Pinging 172.31.35.60 with 32 bytes of data:

Reply from 172.31.35.60: bytes=32 time=1ms TTL=255

Reply from 172.31.35.60: bytes=32 time<1ms TTL=255

Reply from 172.31.35.60: bytes=32 time<1ms TTL=255

Reply from 172.31.35.60: bytes=32 time<1ms TTL=255

Ping statistics for 172.31.35.60:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

Pinging 172.31.35.61 with 32 bytes of data:

Reply from 172.31.35.61: bytes=32 time=1ms TTL=255

Reply from 172.31.35.61: bytes=32 time<1ms TTL=255

Reply from 172.31.35.61: bytes=32 time<1ms TTL=255

Reply from 172.31.35.61: bytes=32 time<1ms TTL=255

Ping statistics for 172.31.35.61:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

Pinging 172.31.35.62 with 32 bytes of data:

Reply from 172.31.35.124: Destination host unreachable.

Reply from 172.31.35.124: Destination host unreachable.

Reply from 172.31.35.124: Destination host unreachable.

Reply from 172.31.35.124: Destination host unreachable.

Ping statistics for 172.31.35.62:

    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)

Tracing route to 172.31.35.62 over a maximum of 30 hops

  1  PC [172.31.35.124]  reports: Destination host unreachable.

Trace complete.

Why are packets not flowing between the PC and the WLC Management IP?

New Member

Re: WLC - Cannot reach Management IP from LAN.

Sven,

In order for traffic to be forwarded to the ISE interface, the router must either bridge or route the traffic to/from the Fast Ethernet interface. To be routed, the interfaces must be on different IP subnets and routing must be enabled on the router. The hosts (APs, PCs, etc.) will need a route to the ISE / WLC IP subnet.

Bill Jenkins

Sent from Cisco Technical Support iPad App
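Added example, not part of any post in this thread: a small Python check for the condition described in the reply above, run against the flat 2811 configuration posted earlier and the routed one posted further down. The config excerpts are condensed from this page; the function names `parse_interfaces` and `audit` are this example's own.

```python
import ipaddress
import re

# Excerpts condensed from the two 2811 configurations posted in this thread.
FLAT_CONFIG = """\
no ip routing
interface FastEthernet0/0
 no ip address
 shutdown
interface FastEthernet0/1
 ip address 172.31.35.60 255.255.0.0
interface Integrated-Service-Engine1/0
 ip address 172.31.35.61 255.255.0.0
"""
ROUTED_CONFIG = """\
interface FastEthernet0/0
 ip address 172.32.2.1 255.255.255.0
interface FastEthernet0/1
 ip address 172.31.35.60 255.255.0.0
interface Integrated-Service-Engine1/0
 ip address 172.32.1.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface name: IPv4Interface} for interfaces that have an address."""
    result, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        # "no ip address" does not match because the pattern is anchored at line start.
        m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m and current:
            result[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return result

def audit(config):
    """Return (routing_enabled, interface pairs whose subnets overlap)."""
    routing = not re.search(r"^\s*no ip routing\s*$", config, re.M)
    ifs = sorted(parse_interfaces(config).items())
    overlaps = [(a, b) for i, (a, ia) in enumerate(ifs) for b, ib in ifs[i + 1:]
                if ia.network.overlaps(ib.network)]
    return routing, overlaps

if __name__ == "__main__":
    for name, cfg in (("flat", FLAT_CONFIG), ("routed", ROUTED_CONFIG)):
        routing, overlaps = audit(cfg)
        print(f"{name}: ip routing={'on' if routing else 'off'}, overlapping={overlaps}")
```

An overlapping pair combined with routing off is the state in which hosts on the Fast Ethernet side resolve the WLC address locally and nothing forwards the frames to the ISE interface.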

New Member

Re: WLC - Cannot reach Management IP from LAN.

Thank you yet again Bill!

As routing is not really desired (more complex network), what is currently wrong with the present setup? Shouldn't 2811 just bridge out of the box since the IPs are flat in the same subnet? If my setup doesn't allow bridging then what do I need to change?

New Member

Re: WLC - Cannot reach Management IP from LAN.

The 2811 is a router and does not bridge between interfaces by default.

There are some advantages to using routing vs bridging and all of the examples I can find show routing configured.

However you might be able to configure IRB (Integrated Routing and Bridging) on the router.

The fast Ethernet and the ISE interfaces would need to be in the same bridge group.

This would be similar to how an autonomous AP is configured.

However this may not be supported by Cisco.

Also I do not know for sure if it will work or exactly how it would need to be configured.

I would recommend using the routing solution.

Bill Jenkins

Sent from Cisco Technical Support iPad App

New Member

WLC - Cannot reach Management IP from LAN.

It makes sense that it doesn't bridge interfaces by default. Looks like I'm missing the IOS 101 course.

Today I tried setting bridge-group 1 to both ISE and LAN interfaces but it failed as the Fa0/1 started flapping with bridge 1 protocol ieee & bridge 1 priority 1. Couldn't find a single reason why it shouldn't have worked.

Next I gave every interface their own subnet and enabled routing.

Current configuration : 1536 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

enable secret 5 $1$Cqw1$hEVpc7p4.l99WgLrw3Mdc.

enable password *******

!

no aaa new-model

!

dot11 syslog

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

!

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 172.32.2.1 172.32.2.99

!

ip dhcp pool lap

   network 172.32.2.0 255.255.255.0

   default-router 172.32.2.1

   option 43 ascii "172.32.1.2"

!

!

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

voice-card 0

no dspfarm

!

!

!

!

!

archive

log config

  hidekeys

!

!

!

!

!

!

!

!

!

interface FastEthernet0/0

ip address 172.32.2.1 255.255.255.0

duplex auto

speed auto

!

interface FastEthernet0/1

ip address 172.31.35.60 255.255.0.0

duplex full

speed auto

no mop enabled

!

interface Integrated-Service-Engine1/0

ip address 172.32.1.1 255.255.255.0

no keepalive

!

!

ip default-gateway 172.31.35.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 172.31.35.1

no ip http server

no ip http secure-server

!

!

!

!

!

!

!

!

!

!

control-plane

!

!

!

!

!

!

!

!

!

!

line con 0

line aux 0

line 66

no activation-character

no exec

transport preferred none

transport input all

transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh

line vty 0 4

password *******

login

!

scheduler allocate 20000 1000

end

I also set up a route from the WAN gateway to the 2811.

show ip route:

Gateway of last resort is 172.31.35.1 to network 0.0.0.0

C    172.31.0.0/16 is directly connected, FastEthernet0/1

     172.32.0.0/24 is subnetted, 2 subnets

C       172.32.1.0 is directly connected, Integrated-Service-E

C       172.32.2.0 is directly connected, FastEthernet0/0

S*   0.0.0.0/0 [1/0] via 172.31.35.1

What happened was this:

PC can ping router and its interface IPs

2811 can ping everything.

WLC can only ping ISE IP and itself.

So the only thing that changed was that the WLC can't ping other IPs on the 2811 anymore.

New Member

WLC - Cannot reach Management IP from LAN.

Could you post the following command output from the WLC?

show sysinfo

show network summary

show interface detailed management

show port summary
