I'm getting ready to migrate from standalone APs to using a 2504 WLC. The WLC is new to me and I've read several of the configuration guides, but the one item that keeps escaping me is the best practice for the placement of the management interface on our network. I understand the APs need to be able to route to it, but I'm not sure whether this interface should be considered an untrusted connection and be placed in a less restricted VLAN, or whether, if this interface is strictly used for management and for APs connecting to it and there is no chance WiFi-connected users can gain access to servers, it should be placed in our secure VLAN?
My second question is about guest users and Internet access. Should the interface the WLC is using for Internet access sit behind a firewall, or can it be placed in front of the firewall?
AP to WLC is a point-to-point CAPWAP connection for management and data traffic unless it is H-REAP.
Do not map any WLANs on the WLC to the management interface; this way end users can't directly access the management interface. However, you need an ACL at L3 if you have inter-VLAN routing. Also, don't enable management via dynamic interface or management via wireless.
Map the guest WLAN or untrusted-traffic WLANs to a dynamic interface of the WLC without an anchor setup, and map the guest users on the foreign WLC to a dummy interface in the case of a guest anchor setup. The firewall can be at L3, or an ACL at the WLC.
I configured the management interface (untagged) on port 1. My 1142 AP discovered it and automatically connected to it.
I configured a guest interface (port 2) with an IP address for my guest VLAN and entered the VLAN ID.
I configured my switch port for trunking and set the tag for the guest VLAN.
I set up a WLAN and associated it with the guest interface.
I set up an internal DHCP pool and verified the guest WLAN pointed to it.
I attached a router port to the guest VLAN and assigned an IP in the guest subnet.
My test client can connect to the Guest SSID and obtain an IP address from the internal DHCP server. The client can ping the Guest interface.
My problem is, my router cannot ping the guest interface of the WLC, and the WLC cannot ping the interface of the router. The client connected to the guest network cannot ping the router's interface either. To verify router connectivity, I put a workstation in the guest VLAN, put an IP address on it, and it can ping the router, but not the WLC.
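As an added, constructed example (not posted by anyone in this thread), here is how the design advice in the reply above (guest WLAN on a dynamic interface, nothing mapped to the management interface, management via wireless and via dynamic interface disabled, an ACL on the controller) and the guest-interface steps described in the last post could look on the 2504 AireOS CLI and on the upstream switch. All names, VLAN IDs, port numbers and addresses are assumptions; lines beginning with `!` are comments for the reader, not commands; check the exact syntax against the configuration guide for your software release.

```cisco
! --- Upstream switch port facing WLC port 2 (assumed IOS switch port, assumed guest VLAN 20) ---
! The guest VLAN must arrive tagged: the WLC only accepts frames for a dynamic
! interface on the VLAN ID configured on that interface.
interface GigabitEthernet1/0/2
 description WLC-2504 port 2 (guest)
 switchport mode trunk
 switchport trunk allowed vlan 20
!
! --- WLC (AireOS) CLI, assumed values: guest subnet 192.0.2.0/24, router at 192.0.2.1,
! --- management interface at 10.10.10.5 in the assumed management subnet 10.10.10.0/24 ---
! Dynamic interface for guest traffic, mapped to physical port 2.
! The gateway must be the router's address in the guest VLAN; without it the WLC has
! no route to the router even though clients still get leases from the internal DHCP.
config interface create guest 20
config interface address dynamic-interface guest 192.0.2.5 255.255.255.0 192.0.2.1
config interface vlan guest 20
config interface port guest 2
! For the internal DHCP server the interface's DHCP server address is the management IP.
config interface dhcp dynamic-interface guest primary 10.10.10.5
!
! Guest WLAN bound to the dynamic interface, never to the management interface.
config wlan create 2 Guest Guest
config wlan interface 2 guest
config wlan enable 2
!
! Hardening from the reply above: no controller management from wireless clients
! or from dynamic interfaces; management only reaches the management interface.
config network mgmt-via-wireless disable
config network mgmt-via-dynamic-interface disable
!
! Controller-side ACL: deny guest clients the management subnet, permit the rest.
! AireOS ACLs end in an implicit deny, so the explicit permit rule 2 is required.
config acl create guest-block-mgmt
config acl rule add guest-block-mgmt 1
config acl rule destination address guest-block-mgmt 1 10.10.10.0 255.255.255.0
config acl rule action guest-block-mgmt 1 deny
config acl rule add guest-block-mgmt 2
config acl rule action guest-block-mgmt 2 permit
config acl apply guest-block-mgmt
config interface acl guest guest-block-mgmt
save config
```

To check the guest path afterwards, `show port summary` should list port 2 as up, `show interface detailed guest` should show VLAN 20, port 2 and the router as gateway, and `ping 192.0.2.1` from the WLC CLI should succeed; if the switch side is not a trunk carrying the guest VLAN tagged, the ping fails in exactly the way described in the last post while a wired workstation in the same VLAN still reaches the router.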