Cisco :: 5508 - Client Isolation And The Bonjour Gateway On WLC 7.4.1?

Mar 4, 2013

I am considering upgrading our 5508 WLCs to version 7.4.1 to take advantage of the Bonjour gateway. What I want to do is allow clients on our guest wireless network to access things like the Apple TV in our conference rooms. My intention would be to have the Apple TVs on a separate vlan. Obviously, the Bonjour gateway would allow for access between these 2 networks. The question I have is this. If I have client isolation turned on my guest wireless network, is it still possible for these devices to access Apple TVs on another network?

View 2 Replies


Cisco Wireless :: 5508 Client Gateway Setup

Dec 1, 2012

I've just installed a standard Cisco wireless install (5508, 3502i, local and flexconnect setups) all working swimmingly.
 
The customer has asked for a new WLAN for a particular group of staff that will route to a different gateway than the general wireless staff.
 
The 5508 is connected to an older Avaya L3 switch that is the customer's core switch, but it isn't capable of PBR so it routes on destination only and its default route is not where I need the new WLAN traffic to route to. An ASA will be connected to the Avaya switch (which is the alternate gateway I need to get the new WLAN users to). So my question is probably routing 101, but if the ASA interface, the Avaya switch and the WLAN interface all reside in the same VLAN, can I give the wireless clients the ASA as their gateway via DHCP and successfully get their traffic to the ASA?

View 3 Replies View Related

Cisco Wireless :: Enable Client Isolation On 1142N AP?

Aug 1, 2012

I would like to enable "client isolation" on an autonomous, standalone 1142N AP but I don't see that option anywhere in the web interface. How to keep associated clients from passing traffic to one another on this AP?

View 6 Replies View Related

Cisco :: AiroNet 1142N Wireless Client Isolation / Peers Cannot Access

Apr 3, 2013

A Cisco RV220W router/firewall connects the local LAN to the internet. The router is connected to a new Cisco SG300-28P switch configured in Layer 2 mode. There are two new AIR-1142N wireless access points running in autonomous mode connected to 2 ports on the SG300 powered through PoE. The AIR-1142N access points are running the latest firmware version 15.2(2)JB. There are two VLANs defined: VLAN1 is the native on all devices, and VLAN2 is for wireless guest traffic to provide access to the internet only. Internal/staff traffic is on 192.168.100.x, and the wireless SSID is MYNetS. Guest traffic is on 192.168.200.x and the wireless SSID is MyNetG. IP addresses are being assigned by the RV220W.

All works well with one exception. Wireless clients on the internal SSID are able to ping/access the switch, router, and other clients on wired ports on the switch. The router, switch, and wired clients can ping wireless clients. However, wireless clients on the same SSID and the same 1142N cannot ping/access one another. They are being isolated from each other. We absolutely need to have this capability. The SG300 does not have port security enabled on any port. None of the workstations/laptops have a firewall enabled. These laptops are all Macs btw. I have checked that neither of the 1142N access points have Public Secure Packet Forwarding enabled on either of the VLANs. I am at a loss as to why the wireless clients are being isolated.

View 5 Replies View Related

Aironet 1121 - Client Isolation On 1 SSID In Cisco Access Point

Feb 2, 2011

I've been looking for a way to isolate clients on a Cisco Aironet 1121 on a certain SSID, and I can't find anything, tried pretty much everything I could remember, but since I'm no expert on Cisco wireless.

Quote:

Cisco IOS Software, C1100 Software (C1100-K9W7-M), Version 12.3(7)JA1, RELEASE SOFTWARE (fc1)
Technical Support: [URL]
Copyright (c) 1986-2005 by Cisco Systems, Inc.

[Code].....

View 3 Replies View Related

Cisco Wireless :: Bonjour Gateway Deployment Need Vlan Select 6509E

Apr 9, 2013

Q: If I'm going to do a Bonjour Gateway deployment, do I still need the VLAN select feature on the WiSMs or is enabling multicast enough?

Details of the Q:
I'm working with WiSMs and WiSM2s, 1130 and 3602 APs. Cores are 6509-Es.

I'm going to implement a Bonjour gateway (which is an Aerohive AP, no wifi enabled, it's just a Bonjour gateway).
This AP is connected with a trunk port (to a 6509-E) and has the wifi client VLANs on the trunk as allowed VLANs. It also has an allowed VLAN for Apple TVs which will be wired devices.
The Aerohive gateway gets an IP address in every wifi subnet, so far so good.

I was thinking that if I enable multicast:
- globally on the WiSMs, with mcast-mcast distribution
- on the SVIs for the wifi client VLANs
- on the SVIs of the VLANs for Cisco APs
- on the SVI for Apple TV
- SVI for WiSM management
- SVI for the Bonjour gateway

then do I still need VLAN select? Maybe a stupid question, but I'm not sure how to interpret some things in this document.

View 4 Replies View Related

Cisco Wireless :: WLC 5508 - Bonjour Snooping

May 5, 2013

Have 7.4 installed and configured for Bonjour Snooping. All is working, but working too well. We have a large campus that houses 2 schools and each school is complaining that they can see the other school's Apple TV devices.

I have played around with a few different scenarios to see if I can localize the Bonjour traffic. I guess I am looking to create a logical split for Bonjour devices among the schools. Apple came to the school and informed us that the iPad has a limit of 64 devices that can be seen via Bonjour. At some point we will have over 100 Apple TVs added.

So we have 3 WLC 5508s with 7.4.100. We have 2 SSIDs that span the whole campus using AP groups to segment the floors in buildings. So the schools are logically split with AP groups.

Here is what I have tried. I created a few mDNS profiles and assigned the services for Apple TV - let's call them school1 and school2. I assign the mDNS profiles to the interfaces dedicated to each school. Enable snooping on the WLAN with profile of none. The end result is that devices from both schools can be seen.

I tried to create a new SSID for Apple TVs and a new SSID for 1 school's teachers. I followed the VLAN select example [URL]. End result is that devices from both schools can be seen. I have tried the mDNS without multicast enabled just like the video shows to no avail - I assume maybe my AP groups might be more complicated than the example of just 2 VLANs. [URL].

I have tried combinations of things, but I must be missing something. In the webinar, Cisco said it will use filtering to restrict which clients can see which services (Apple TVs, etc). What will Cisco use to filter Bonjour requests? According to this article [URL].

The filtering options are:
- Per WLAN/SSID
- Per VLAN or AP Group
- Per Interface Group (which is a group of VLANs pooled together)

A Bonjour service policy can be created and applied on any one of the above criteria. In the future, we will support per-user Bonjour service policies which will come as a RADIUS attribute from the AAA server. Read more: [URL].

View 15 Replies View Related

Cisco Wireless :: Apple IDevice Printing Via Bonjour On 5508 (OS 7.4.100)

Apr 1, 2013

I have followed the details here as closely as I can: URL

I've upgraded to 7.4. I've enabled IGMP snooping, increased the time out, decreased the query/hello interval, went into Controller> menu and set AP Multicast Mode to Multicast with the Bonjour multicast range of 224.0.0.251.
 
Went into my WLAN and enabled Multicast VLAN Feature, and enabled my Multicast Interface as the same VLAN as the WLAN range.
 
The Lantronix Bonjour device is on the same VLAN as the WLAN (13).  Accessing the Lantronix device shows it polling printers on our wired VLAN.  However, no iDevice that joins the WLAN/SSID can find these printers.

View 6 Replies View Related

Cisco Wireless :: WLC 5508 To Use Apple Bonjour Service For Apple TV And IPads

Oct 22, 2012

A customer of ours has the following access points and wireless LAN controllers on site. They want to use the Apple Bonjour service with Apple TVs and iPads. I have enabled the multicast feature of the 5508 globally and on the SSID. The Apple TV has an ethernet connection and the iPads connect over the wifi. The Apple TV is on the same subnet as the iPads - the Bonjour features do work for approx 5/10 minutes then it stops working for some reason. The Access Points plug into a Cisco 2960 Layer 2 switch, the 5508 controllers are in LAG mode and plug into a Nortel Layer 3 stack on which I have enabled IGMP snooping. I've read that the Apple Bonjour service isn't designed to work on a multi subnet network - but both the Apple TV and iPad are connected on the same subnet. Sounds like some kind of timeout but not too sure.

View 5 Replies View Related

Cisco Routers :: RV 042 - Client To Gateway VPN Set Up

Nov 8, 2011

I have a RV042 and I am trying to setup a Client to Gateway VPN for about 12 to 15 remote users. These users travel a lot and need to connect to the server. I have never setup a vpn and have looked at the manual and set it up like it says to. I installed the Quick VPN client on the remote computer and copied the certificate to the remote computer.
 
I am having two problems.

1. When I run the client on the remote computer and try to connect it tells me the cert is not installed on the local computer. (It is copied to the root program directory C:\Program Files\Cisco Small Business and the sub directory, C:\Program Files\Cisco Small Business\Quick VPN Client.)
2. I can continue and it acts like it's connecting but it does not. If I look at the router VPN summary it shows that I connected for only a brief time.

View 1 Replies View Related

Cisco Routers :: Set Up RV042 As VPN Gateway For Client

Aug 29, 2011

I set up an RV042 as a VPN gateway for a client a year ago. It is running firmware 1.3.12.19-tm (Feb 13 2009 13:03:21). I created a new certificate. When I download the client certificate, it comes as a .zip file, one that cannot be opened by a zip utility (Windows, WinZip or 7-Zip). It looks like I can just rename the file to a .pem file, but I want to make sure that is right. They were getting QuickVPN timeouts, but that looks like it was fixed in 1.3.13.

View 3 Replies View Related

Servers :: Default Gateway / IP And DNS Address For Client PC?

May 29, 2012

The client has 1 file server running small business Windows Server 2003. The server is not configured with a domain, it is working only on a workgroup. We have around 15 users who are using that server as a file server only. Now my main question is, do I need to configure a DNS server on that server? We also have an internet connection running (have problem in that also, will explain next time) with a wireless router connected to the switch. So do I need to set up DNS on the server also, or just put static IP (I prefer static than DHCP) & DNS server from IP will be OK? If I put the DNS which I got from the ISP, will it create any problem with using those files from the server? The second question is..

What IP address, default gateway and DNS address should I use for the server & also the client PC?
router ip - 192.168.1.1
server ip - 192.168.1.10
Currently no DNS setup

Current configuration - Server
IP - 192.168.1.10
subnet - 255.255.255.0
gateway - 192.168.1.1
dns - 213.42.20.20 (from ISP)
dns2 - xxx.xx.xx.xx (from ISP)

Current configuration - Client
IP - 192.168.1.111 (to 115)
subnet - 255.255.255.0
gateway - 192.168.1.1
dns 1 - 192.168.1.10 (File Server)
dns 2 - 213.42.20.20 (from ISP)

View 2 Replies View Related

Cisco Routers :: RV180w To Connect As Client To Remote VPN Gateway

Jun 1, 2013

I'm trying to set up an RV180W to connect as a client to a remote VPN gateway and route all the LAN traffic behind it direct to the remote VPN gateway. [code]

View 3 Replies View Related

Cisco VPN :: Linksys WRT54G To RV042 (Client To Gateway) Access

Apr 12, 2011

We recently upgraded from a Linksys WRT54G router to a Cisco RV042 to gain "gateway-to-gateway" automated VPN access. However, we are unable to get "client to gateway" access working.
 
With the Linksys WRT54G we used a "username" "password" pair for remote client authentication. This worked for both Windows and Mac OS X users using the built-in PPTP client. We found we had to set "encryption" value to "none" on the client side.
 
I am confused by the setup screens on the RV042. It looks like I must setup a "tunnel" (VPN->Client to Gateway), there is (VPN->VPN Client Access) where I can enter a username/password, and also (VPN->PPTP Server) where another username/password pair can be entered. I have tried all sorts of combinations but "no love". I am particularly mystified by the (VPN->Client to Gateway) settings for "Remote Client Setup"; the client can be calling in from anywhere and there is an option for "Dynamic IP + Email Address" but I'm not sure how that maps onto the client (do they use the email address as their account name?). I have also looked at defining a "Group VPN" where I am given other options. But nothing works from the client.
 
I just need to come up with some setup that works, that I can document to both PC and Mac users at a minimum.

View 1 Replies View Related

Cisco Routers :: RV042 Can't Get Forwarding / Firewall And Client To Gateway VPN

Jun 9, 2012

I'm trying to set up a RV042 to do the following:
 
1) Block all WAN connections, except for:

2) Allow all port 80 connections, and forward to 10.4.20.60

3) Allow all port 443 connections, and forward to 10.4.20.60

4) Allow port 22 connections from specific IP addresses, and forward to 10.4.20.60

5) After a remote client has connected using Client to Gateway VPN, allow that remote client to access anything on the LAN
 
I'm able to do #1-4 above, but I can't get #5 to work. Or I can get #5 to work, but can't implement the restrictions I need in #1-4. Attached are some relevant screenshots. I think the problem is that I have Forwarding rules set up that require me to have a firewall rule to Deny All Traffic from WAN1 (unless I'm specifically allowing it). In the Access Rules screenshot, rule #6 is the problem. If I enable it (thereby denying all WAN1 traffic), then VPN clients can't access anything on the LAN. However, if I disable this rule, VPN clients can access anything on the LAN, but the firewall also opens up all outside connections to SSH, since that's set up in the Forwarding rules. I would have thought that once a remote client is connected using client to gateway VPN, then that client is considered to be on the LAN, as far as the firewall is concerned. Thus a firewall rule (like #6) that is specified for WAN1 shouldn't affect remote VPN clients.

View 1 Replies View Related

Cisco VPN :: C5510 Windows 7 VPN Client 5.0.07 0410 Wrong Default Gateway

Jan 21, 2011

This is terminating on an ASA c5510 sec+ running 8.3(2). Client devices running XP with the same VPN client get an address from the ASA pool e.g. 10.10.50.1 with no default gateway. Users are able to connect without a problem. Windows 7 (32bit) clients with this same VPN client get this address but get a default gateway 10.10.50.2 and are unable to connect for obvious reasons.

View 7 Replies View Related

Cisco Routers :: Quickvpn / Client To Gateway Vpn Rv042 Can Only Ping Router?

Jan 27, 2012

I am setting up remote access using an RV042 router. Using QuickVPN or a client-to-gateway VPN and Shrewsoft client, I can only access/ping the LAN side of the remote router and one machine on the remote network. The PPTP server and native Windows 7 connection provide access to all machines on the remote network. I have 2 possible reasons for this and would like to find the real reason:
 
1) The remote RV042 is behind another router, and that router restricts access other than the PPTP traffic.

2)  The VPN tunnels other than PPTP only allow access to the remote LAN side of the router and remote machines that have the remote router defined as their gateway in the IP configuration.

View 2 Replies View Related

Cisco :: PIX515 - VPN Client Get Wrong Default Gateway In Windows 7 64bits

Sep 17, 2011

After we changed the firewall from PIX515E to Fortigate311B, one notebook which has Cisco VPN client 5.0.7.440 installed in WIN7 64bits cannot access the VPN because the default gateway is not correct. For example the IP got from the IP pool is 172.28.22.10 but the default gateway IP is 172.28.22.1. ?

View 2 Replies View Related

Cisco :: 4400 - Host Isolation On One SSID

Feb 26, 2013

What is the best way to isolate hosts on WiFi network managed with 4400 controllers so they only see def gw but not each other, something like "switchport protected" but for WiFi ....

View 4 Replies View Related

Cisco Wireless :: 5508 - Client Not Receiving The IP?

Apr 12, 2011

I have two WLCs, model 5508, running IOS version 7.0.98.0, and one WLC in the DMZ with the same model and IOS version. AP model is 1141. The two WLCs are integrated with ACS. I have an SSID named EMployee. The DHCP for the users is configured in a separate DHCP server and I have mapped this DHCP server IP to the interface Employee. And this interface is mapped to the SSID as well. But my client is not receiving the DHCP IP. Attached are the debug logs from the client.

View 9 Replies View Related

Cisco :: WLC 5508 How To Enhance Client Security Authentication

Dec 20, 2012

"Security during client authentication is enhanced by applying both 802.1X and Web Authentication for a WLAN."

View 7 Replies View Related

Cisco :: 5508 Controllers Not Redirecting Client Requests To ISE

Jun 5, 2013

Please find attached a simple BYOD/ISE document I uploaded to kick start my new Wireless setup. It's all configured on my ISE server and Controller as per doc. My setup:
 
-3600 AP's
-Internal 5508 Controller
-DMZ 5508 Controller (acts as a DHCP server for wireless clients)
 
Controllers have established connectivity (mobility anchors), as a client I can connect fine to my new SSID, get a DHCP IP address back from the DMZ WLC and at the moment can connect out to the Internet fine (using no WLAN Security as a test). So this part is working. I have now followed the document, configured ISE, enabled AAA on the Internal WLC only and used the AAA override setting on the WLAN as in the attached document. I connect to the SSID expecting to be redirected to my ISE Guest Portal, nothing happens other than connecting to Internet web pages. My question is, if I have followed this document correctly why is the Internal WLC not redirecting client requests to ISE? Is this because my mobility anchors need to be re-configured, perhaps the AAA/ISE config needs to be applied to my DMZ WLC not the internal WLC?

I would prefer the Internal WLC to redirect the login to ISE, it doesn't make sense to traverse through the DMZ Firewall onto the DMZ WLC back into the Internal Network again to the ISE to authenticate. Or am I missing something additional to this document to make sure clients are directed to the ISE Guest portal login?

View 3 Replies View Related

Cisco Wireless :: 5508 Duplicate Client IP Address

Dec 1, 2012

I am using 2 anchor controllers 5508 as DHCP server. Anchor controller A is primary and anchor controller B is secondary. From time to time, clients will complain of a "duplicate IP address error" when they try to connect to guest wireless. First question: both anchor controllers should have a record of the IP address which is assigned to each PC, right? Second question: is there any way this type of issue can be avoided?

View 3 Replies View Related

Cisco Wireless :: Client Roaming With 5508 Controller

May 27, 2013

I am having some troubles with client roaming on a 5508 controller running firmware 7.3.101.0. As soon as a client roams outside the range of an AP they lose data flow and do not seem to transition to another AP for about 1 minute. This is a small network with 6 x AIRCAP3502E-N-K9 APs (running in H-REAP mode) on the same floor and clients are a mix of HP notebooks, MacBooks, iMacs, iPads and iPhones. There are several separate SSIDs set up and the problem occurs on all. All are WPA2/AES with either a PSK or 802.1X. Both 2.4GHz and 5GHz radios are enabled with auto power and channel selection.

I have tried changing the roaming settings from default and also playing with the AP power settings to no avail. Is this normal behaviour or is there something I can do to improve the reconnection speed?

View 11 Replies View Related

Cisco Wireless :: Client Connection On 5508 / 1140 AP

Apr 23, 2013

I have one 5508 with Product version 6.0.199.4 and about 7 Cisco 1140 APs. We have the following problem. The connection drops out on the client PCs: while physically the wireless connection to the workstations is not broken, access to network resources is lost and restored after some time (up to about one minute). The logs on the controller at the same time show the following message.

View 3 Replies View Related

Cisco :: WLC 5508 - Client Association Failure Null

Feb 21, 2013

I am running WLC 5508 and WCS version 7.0.98.  We are noticing with some of our handheld devices that have Sychip Wireless cards that they constantly have issues communicating.  The error I see on the WCS side is shown below:     
 
Client '00:0b:6c:2f:d0:32 (0.0.0.0)' failed to associate with interface  '802.11b/g' of AP 'HO-BRSales'. The reason code is '0(null)'.

View 11 Replies View Related

Cisco :: WLC 5508 Disable WLan Client Still Connected

Jul 2, 2011

I have one WLC 5508 running on latest IOS 7.116. There is one WLAN abc for which I have disabled status and disabled broadcast, but randomly I can still see from the WLC dashboard that there is one client connected to this WLAN abc. The moment I check the client details, there is no client connected to that WLAN, and when I return to the dashboard, there is no longer a client connected to that WLAN abc.

View 3 Replies View Related

Linksys Wireless Router :: Wrt610n / AP Isolation Not Working?

Apr 11, 2012

Using a wrt610n. I am trying to isolate one of my wireless bands from the rest of the network. I turn on the AP Isolation and I still have access to all of my wired computers. With AP Isolation working will they be able to see the hard drive plugged into the router? I've heard that they can still see other wireless devices, is that true? And if so, can they see other wireless devices on the other wireless band?

View 18 Replies View Related

Linksys Wireless Router :: WRT610N - AP Isolation Not Working

Apr 11, 2012

Using a wrt610n.  I am trying to Isolate one of my wireless bands from the rest of the network. I turn on the AP Isolation and I still have access to all of my wired computers. 

Questions: With AP Isolation working will they be able to see the hard drive plugged into the router? I've heard that they can still see other wireless devices, is that true? And if so, can they see other wireless devices on the other wireless band?

View 6 Replies View Related

Cisco Wireless :: 5508 WLC - Associate Client From AP If Idle For Certain Time

Sep 16, 2012

Is it possible to rename the default webauthentication URL from [URL] to something like [URL]. We are running on 7.0.98.0, is it possible to do http for web authentication and https for Mgmt access if we upgrade the controller software?
 
We configured our guest wireless with no layer 2 authentication so users can associate with an AP and get an IP address but they can't go anywhere unless they have a valid username and password (web authentication) - does this affect the performance of an AP since there will be many people associated with each AP? Is there any setting in the WLC to de-associate a client from an AP if it's idle for a certain time?

View 9 Replies View Related

Cisco Wireless :: 5508 Max EAPOL-key M5 Retransmissions Exceeded For Client

Feb 21, 2012

I have had several complaints from around the firm whereby mobile devices are being bumped off the PSK secured network (all other SSID networks are operating A-OK). Both Android and iPhone devices are being affected, the device will just loop until it reconnects, sometimes up to 20 minutes of trying to establish a connection. It will eventually connect so the key is not the issue. I've attached a debug of a device which fails to connect and then shortly after is successful.
 
Controller 5508 v7.0.116.0
AP 3502i IOS 12.4(23c)JA2

View 4 Replies View Related

Cisco :: WLC 5508 - Passive Client Vs User Idle Timeout?

Apr 18, 2012

I'm on WLC 5508 . It doesn't matter if passive client feature is turned on or turned off , when you try to increase "User Idle Timeout" you can see this message:
  
In our network, a lot of clients get deauthenticated. I thought it would be useful to enable the "Passive-client" feature, or increase "user idle timeout", but how do these work with each other?

View 15 Replies View Related

Cisco Wireless :: 5508 LWAP Client Count Concentration

Apr 29, 2012

I have an environment of Cisco 5508 Wireless Controller and 1142N Access Points. I have a problem with the ratio of concentration of clients connecting to Access points in floors.
 
Recently I have been turning off 802.11a on the access points and I am seeing an increase in client count in a few of the access points. What is the maximum client count supported by these access points and how do I ensure they are distributed evenly on access points?

View 4 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved