I have a wireless network with LWAPPs and 1 WLC 5508. How to block communication between SSIDs (clients in different SSIDs bassically) and whether that is even possible from the controller? I'd like to mention that communication between clients whithin the same SSID is already blocked.
View 4 RepliesI have a customer who has vlan's and SVIs residing on a core 6509. the 6509 is connected to an ASA 5515 then out to the internet/sp edge deviceIP routing is not turned on. there is a static route on the 6509 that routes all ip's to the inside interface of the asa 5515 that the 6509 core is connected to.there is a set of vlans that are apart of a 192.168.128.0/19 subnet and all those vlans can "speak" to each other.
View 8 Replies View RelatedSay I have a managed switch that supports VLANs. I have two computers and one server connected to the switch (I'll call them PC-1, PC-2, and SRV-1).Without routing, I want both PC-1 and PC-2 to talk to SRV-1 and vice versa, however I don't want PC-1 or PC-2 to talk to each other.I achieve this by making each port a trunk port. I make PC-1 a member of VLAN 2, PC-2 a member of VLAN 3, and SRV-1 a member of VLAN 4. The port that SRV-1 is on I make a tagged member of PC-1 and PC-2 (VLAN 2 and 3 respectively) and make the ports the PCs are on a member of the SRV-1 VLAN (VLAN 4).Everything tests OK (that is, the clients can't talk to each other, however the clients can individually talk to the server)
View 6 Replies View RelatedRecently configured one nexus 3048 switch. Create two vlans (Vlan 10 and Vlan 19). Vlan 10 is 10.1.X.X/24 and Vlan 19 is 192.168.X.X/24, connected two pcs one is Vl 10 and second pc 19. But not able to communicate both Vlans.Nexus 3048 are not Support VTP Mode Server, running version 5.0. [code]
View 2 Replies View Relatedwe have an SG300 latest 1.3 firmware, we have it acting as our DHCP server, we have a 10.10.1.x range, 10.10.3.x range, and 192.168.24.x range, they are all on seperate VLANs and all can talk to each other which is what we want. However we have someone who wants to use the 192.168.1.x range to add IP cameras to our network using there own switch. I figured I'd just setup our server to do DHCP etc and it would communicate with the 10.10.1.x range of IP addresses no problem. It turns out the SG300s can't do DHCP for that range, so if he has all static address on the 192.168.1.x range how can i setup inter VLAN communication so we can talk to that range?
View 1 Replies View RelatedI'm student from IT school and i have a school project but i have a problem on packet tracer.In a vlan, i must block the communication between computers in it but i dont know how i must do that.Effectively, it's about 250 computers in this VLAN but each computer can't caommunicate between us.
View 4 Replies View RelatedThis problem only seems to affect one of our sites. Every once in a while, several APs would lose link to the 5508 and get stranded. The only way to fix the issue is either to power cycle, or better yet SSH into the APs and use the command "capwap ap controller ip address x.x.x.x", and then they'd automatically rejoin the controller. At first, I thought network hiccups caused the APs to lose connectivity, but there's none that I could find. I have the primary/secondary controller IPs configured in them as well. See log below:
[previous log entries show AP working as intended, then...]
*Jan 18 05:29:29.632: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_ECHO_REQUEST
., 1)
*Jan 18 05:29:29.632: %LWAPP-3-CLIENTEVENTLOG: Switching to Standalone mode
*Jan 18 05:29:29.645: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Jan 18 05:29:29.645: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to [ommitted due to security reason]:5246
*Jan 18 05:29:29.704: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
[code]....
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
5508 controller
7.2.110.0 code
6 buildings
6 interface groups
1 ssid
I use two wlc 4400 (4.2.x version) with a mobility domain and one ssid, both wlc are connected to a cisco l2 switch infrastructure. On the wlc I use the p2p blocking action 'drop' [URL] to isolate the clients from each other. Does only unicast traffic is blocked or also multicast and broadcast traffic like arp requests?Concerning blocking p2p traffic of clients connected to the same ssid but different controllers I found the following statement in the LAP FAQs [URL]
Q. In autonomous APs, Public Secure Packet Forwarding (PSPF) is used to avoid client devices associated to this AP from inadvertently sharing files with other client devices on the wireless network. Is there any equivalent feature in Lightweight APs?
A. The feature or the mode that performs the similar function of PSPF in lightweight architecture is called peer-to-peer blocking mode. Peer-to-peer blocking mode is actually available with the controllers that manage the LAP. If this mode is disabled on the controller (which is the default setting), it allows the wireless clients to communicate with each other through the controller. If the mode is enabled, it blocks the communication between clients through the controller. It only works among the APs that have joined to the same controller. When enabled, this mode does not block wireless clients terminated on one controller from the ability to get to wireless clients terminated on a different controller, even in the same mobility group.
what's the best practise to prevent this inter wlc client traffic? I already read about using acls on the wlc dynamic interfaces, or private vlans on the l2 switch vlans where the dynamic interfaces are connected to. Is it allowed to completely isolate the wlc from each other on these dynamic interfaces with acls or private vlans or do the wlc need to see each other on this interfaces (e.g. heart beat)?
I have an issue where I have an AP in one room and another in another.When I walk from one room to the other, I lose signal but manages to see the SSID and join.But, I cannot seem to surf the Internet, I have to manually disconnect and reconnect. Normal wireless routers I reconnect seamlessly without any manual disconnect & reconnect.Currently using cisco 5508 and ap2600.
View 8 Replies View Relatedwe have two offices in same city at different location however we are planning to bring both the office at same location.Now lets say site A has controller 5508 configured with 24 AP's with 10.10.10.x subnet for internal SSID and Site B which is shifting to Site A campus has different subnet ( 10.10.20.x ) for same SSID.Site B has no controller since they had connection with H-reap and they were using different subnet for internal SSID ( 10.10.20.x ) .....Now i need to add their AP's in Site A controller which will be extended wireless LAN however we would like to keep same subnet ( 10.10.20.x ) what Site B has for wireless clients which is really confusing me ....I have already client subnet for site A with 10.10.10.x /24 subnet and nearly 200 users are already using this wireless client subnet.... How do i add their ( Site B ) subnet / 10.10.20.x with same SSID configured which is globally only one SSID ?
limitations :I can not create new SSID for site B since same will be broadcasting even in Site A AP's ?Is this possible to map one more subnet of site B to existing SSID with already different subnet ( 10.10.10.x ) ?
We have a network of multiple WLCs: 5508, 4402, WISMs in two C6509 all running version 7 software. We have about a dozen SSIDs and we need to provide DHCP to the one public SSID (which like the other SSIDs span across all controllers) and to do so we thought of using a spare router, Linux workstation or DHCP server on the controllers. We are not sure if using the controllers is an option since we have multiple controllers. Is there a way to setup DHCP on a WLC and tell the others to use that WLC for DHCP for the one SSID?
View 3 Replies View RelatedI have an issue where I cannot get clients to change SSID. I have two SSID, one WPA2 secure, one open guest. The secure is locally switched via Flexconnect and the guest is centrally switched. Both of them work. I have been able to test this and both work as intended. The problem is that once you connect to one of them, either secure or guest, you cannot then change to the other. The only way to change is to delete the dhcp entry from the scope and then do it.
Fast SSID change is enabled. I also have debug client output from when the client fails when you try to switch which I will include below. I also pulled some wireshark captures and those show me that the DHCP ack packets are trying to give the client the ip address from the incorrect/previous scope. So basically it's like FAST SSID change is not working and the client is never being disassociated properly??
I am totally stumped and even though the client will most likely not be switched between SSID that often I would still like to know the solution.
Cisco 5508 running 7.2.110.0
Cisco 3502 LWAPP
windows server 2008 dhcp server
[Code].....
I have Internal DHCP Server configured on the Cisco WLC 5508 and all is working fine. DHCP Range is 192.168.1.100 to 192.168.1.245. Now I created another SSID but I want clients connecting to this SSID get specific IP's or from a specific range. WLC has no option to bind a DHCP pool to a specific IP so what I did I checked the option to "Override DHCP" and added the IP of my firewall WLC is connected to and setup a DHCP Pool on that firewall as 192.168.1.89 to 192.168.1.94 (192.168.1.88/29).
Client can connect to the second SSID but can't grab and IP address, what am I missing ?
I am setting up a Cisco 5508 wireless controller and was looking for some feedback or assistance. Basically I already have my guest SSID configured and functioning. Created an interface group containing my vlans and applied the created ACL "Guest Policy - internet only", which is also working.I want to setup a second SSID called "staffstudent" and use RADIUS for authentication. I have already created two separate network policies on the radius server: staff and student. Each only allows certain user groups. I want to be able to differentiate on the controller side which profile they are logging in on and then apply the correct ACL. I have two currently configured: one for staff and one for student. It appears to me that since you have to apply the ACL at the interface level I cannot use both since my interface is accepting both staff and students. Is there a way I can filter them using RADIUS so that when they login RADIUS can return a "student" value and then apply the correct ACL? Same for staff?
View 2 Replies View Relatedis it possible to multicast between 2 different SSID's that are associated to 2 different VLAN's?
View 2 Replies View Relatedsetup a WEP SSID on my 5508 controllers. THat being said, I have multiple sites with extremely old scan guns that only do 104bit wep. I plan on locally switching this SSID and using static WEP 104bit key with MAC authentication, and then ACLing to limit my inherent security issues/exposure once someone compromises my WEP key. [code]
View 4 Replies View RelatedBeen a while since I have conf'd a controller. I believe its WLAN/edit/security/layer2 and below psk format edit the password?
View 2 Replies View RelatedWe created the management interface, an internal DHCP scope in same subnet, and Two SSID tied to the same management interface:
- when we connect to the first SSID we have and IP address
- but when we connect to the secone SSID: impossible to get an ip address - auth and association are OK
On a wlc 5508-7.0.116, can I set up 2 ssids that map to one wlan/vlan/subnet. I thought you could but I don't have the means to test without breaking production.
My goal is this:
Ssid red open
Ssid blue wpa 2
But all clients on the same ip subnet
I have Build a 5508-HA Cluster (7.4.100.0) , hat to reboot this cluster due to Licens install.After the reboot atleast one of the SSIDs was not broadcasting anymore, even the checkbox was checked.
What did I do:
Installed the Licenses @ Freiday 12:00
@17:15 reload active WLC, wait till controller is up again (a few minutes pingable)
@17:25 force failover to first controller.
check a few SSIDs but not all, those who where check are ok.
@monday 07:00 clients complaining not seeing the SSID (some where connected)
on a 5508 WLC can we create new SSID for I PAD / IPHONE Users without having ISE, only I phone / I PAD are allowed to be authenticated rest all should be denied. IS this possible?
View 8 Replies View RelatedIs it possible to block outside P2P traffic on a guest wireless network using an ACL on the controller? I know we can do it our firewall
View 6 Replies View RelatedI have a wireless lan controller (5508) broadcasting 2 SSID's, once is a secure vlan grabbing an ip address from a local dhcp server and getting access to the internal network, and the other ssid is for a guest vlan where the dhcp server is in a remote site and internet access is off a circuit in our data center which is accessed over a wan. The secure ssid's vlan is defined on the local switch, but the guest vlan is not defined on the local switch.the ap's in the respective sites are trunked to the core switch and the switchport config is : [code] it's trunked b/c we have both vlans going across this physical connection.I would like get the guest vlan a wired connection, ie. off a switchhub, but not sure how to do that as this guest vlan is not defined on our local network.
View 1 Replies View RelatedI have an open SSID on 5508 controllers - configured as anchors and need to redirect wireless clients to the wireless help page automatically once they have connected and opened their browser.I've read all through the web auth and pass through discussions on here but nothing seems to be quiet right for me - unless I am completely missing something.
View 5 Replies View RelatedI have two WLC-5508 for 50 AP's deployed. One is primary controller & other is secondary.Recently noticed an unknown "authorization failed, no sufficient privileges for user" message poping up while making configuration changes in WLC. Specificly when trying to create an new SSID. WLC Authentication is local. This message poped up earlier once or twice but it didnt prevent from making changes that time.
View 3 Replies View RelatedI have a 5508 WLC controller at the HQ with the employee ssid ,the dhcp scope on the ssid is 10.120.0.0/16 network.
However,I want this same ssid to be brodcasted to a remote site using HREAP access point but with different dhcp scope 10.102.0.0/16.
I have tried creating another interface for the remote site with a different dhcp scope(10.102.0.0) but the controller wont allow me create another wlan with same ssid that existed before to apply the new interface created for.
My customer wants to have mapping of WLAN SSID with different authentication protocol as show below .
1: EMP-M for Mschap
2: EMP-G for Peap GTC
3: EMP-T for TLS
For example EMP-M SSID users should be connected with only PEAP(MSCHAPv2) and not on other methods like PEAP-GTC/EAP-TLS .
customer is currently having WLC 5508 and using ISE for AAA . Any tip how we can do the above requirement through WLC .
I am trying to set up a guest SSID which will be separate from other corp SSIDs. I have read about this auto-anchor feature and I have a basic idea. Here are some questions about the network design
1. Can Cisco 5508 with 7.2.111.3 code do NAT? I mean can I use the anchor controller also as a gateway to Internet or do I need another device such as FW or router to do the job?
2. I want the guests to get IP address in 192.168.0.0/24 range. On the anchor controller I will need an interface in this range, correct? However on the internal controller I won't need this interface. The guest ssid will be associated with the management interface on the internal controller, correct?
3. I want the guests to get IP address from general DHCP server. Does DHCP request have to come out of the new interface in the 192.168.0.0/24 range? However this interface will be connecting with the FW. It won't have connection back to the internal network to reach the DHCP server. The management interface will have the route to the DHCP server. Is it possible to use management interface for this SSID but still let traffic to pass through the Guest interface?
I have a 4400 and a 5508 WLC in the same location We want to be able to roam between ap joined to both the 4400 and the 5508 using only one ssid
Do I only need to create a mobility group and add both WLC then create only one WLAN on one of the controllers and it will be shared across bot WLC.
I need raise a especial configuration to 34 APs LWAPP associated to WLC 5508 with IOS 7.0.220
This is the Scenario:We have 34 APs LWAPP with 2 SSID (Corporative & Guest), with 2 DHCP different. The Guest SSID receive IP to DHCP from WLC while SSID Corporative receive IP from Microsoft DHCP. The AP On Site are Local and the Foreign AP are configured like H-REAP (H-REAP Local switching and Learn Client IP Address are marked)
Here is the thing, I need configure a new WLAN (Pruebas) for add to 34 APs (Local and Foreign) but this new WLAN must be receive IP from a New Microsoft DHCP
Firstly I configured a new Physical interface and linked to New WLAN (Pruebas) however i don't know how configure the AP and the DHCP because I want that the AP deliver IP addresses depending the Locality.The last because the SuperScope from DHCP is divided in various subnets and because the IP from the AP will be in another VLAN
I'm using a Cisco Wireless LAN Controller 5508, 14x Access Points 1041 and 6x Access Points 1031 in combination with a NCS 1.0.
Is it possible to broadcast SSID'S only on defined Access Points, e.g. AP 1-3,7-10,18? If yes, what have I to do?
i have two 5508 ver 7.3.0, one is the primary and one is the guest controller. mobility is up and running. i have an exising guest ssid working with wpa2-psk and web authentication and its working fine but i require a second guest ssid that only uses a wpa2-psk for ipod/ipads as i cant use passive client on primary controller. i presently have the one vlan range and dhcp setup on the guest controller to give addressing to either ssid. i know you can have multiple ssid setup on the guest controller but in other sites i have only had one guest connection comming from the primary controller, just a primary controller on each sites was only creating one link to the same guest controler.
View 3 Replies View Related