We are deploying two 5508 WLC running 7.2 ios. Is it possible to anchor these to a 4402 running 7.0.116.0. Is there any version mismatch issues. We can find documents on the older compatibility but not on the new code.
View 9 RepliesWe have got a WLC 4402 as an anchor that provides guest internet access to our visitors. Our wan sites have 4402's running a tunnel to this anchor for guest traffic. We have got a new site coming up that will have a 5508 as its WLC. I am trying to determine if the 5508 will successfully form a tunnel with the existing 4402 anchor. I am assuming that it will be ok or maybe the 4402 will require an ios upgrade. Our AP's everywhere are 1131's but the new site will have the later versions which can work with the CAPWAP based 5508.
will the tunnel between the 4402 and 5508 work well or will it require an ios + bootstrap upgrade on the 4402 and subsequently the rest of the 4402's or it will not work altogetherwill the CAPWAP AP's at the new site work well with the 4402 LWAPP anchor - I am assuming that they will since the CAPWAP compatibility requirements are really between the AP and its local WLC. Our 4402's are on 4.2.61.0 and I am proposing to management that we should upgrade these to 7.0.116.0 to prepare the infrastructure for any potential issues.
We currently have all of our foreign AP controllers on software version 7.0.116. This consists of a mixture of 4400 and 5508 WLC's. Our guest anchor is a 4402 on version 7.0.116. We are replacing the guest anchor with a 5508. We are also upgrading our 5508 wireless controllers to version 7.2 to support the 3600 series AP's. My question is what is the recommeded code that the anchor controller should be on? Should it also be upgraded to 7.2? If we upgrade the anchor controller to version 7.2, will this affect anchoring to 4400 series foreign controllers still on7.0.116?
View 9 Replies View RelatedI want to use a 5508 as an anchor controller for a wireless guest deployment....but the client has internal 4402's controllers, with software version 7.0.235.0...is it possible tu mix these two controllers for a Wireless Guest Access Deployment??
View 3 Replies View RelatedI am running into an issue with disabling the web-auth secure web on an 5508 anchor WLC running 7.2.110. After the WLC rebooted, the guest authentication portal didn't show up...I could see the IE tab showed Web Auth Redirect though...Changed again the web-auth secure web to enable and rebooted the WLC fixed the issue.
View 4 Replies View RelatedWe have a WLC (5508) in our main office in Brisbane that is hosting two WLANs. One provides wireless access to our internal network and the second provides wireless guest access. The guest WLAN is anchored to a controller sitting in the DMZ at our Data Centre.
In the DMZ the anchor controller has a management interface and an interface in the DMZ for the wireless guest access. I am using the DHCP server on the anchor DMZ to provide IPs etc to wireless guest clients. The default gateway is 10.8.144.1 which is a VIP or a pair of firewalls.
Initially everything works fine. Guests connect to the guest network, have to authenticate via a web portal (Cisco ISE server) and then can go on an use the internet. Works perfectly until the firewalls fail over and the secondary firewall takes over the VIP address. All access to the internet is lost at that point. If I try to disconnect and then reconnect a wireless client it connects, as in it will get an IP address, but DNS resolution stops and I do not get redirected to the web auth portal. If the firewalls are failed back to the primary then everything works again, no issues. However, if I reboot the WLC while the secondary firewall has the VIP IP everything will work fine as it did on the primary. If the firewalls now fail over to the primary again everything goes to ****. Until either the firewalls are failed back or the anchor WLC is rebooted.
Initially I thought this was an issue on the firewall, but this doesn't appear to be the case. When the firewall fails over it sends out a gratuitous ARP advising of the change in MAC address for the 10.8.144.1 IP address. The WLC seems to update its ARP table because if I run the command "show arp switch" it has the 10.8.144.1 IP address with the MAC address of the active firewall. From the client perspective I have run a wireshark and captured packets on the wireless interface when trying to connect. The laptop is continuously send ARP requests for 10.8.144.1 but gets not reply. Without this the client cannot send an ethernet frame to the gateway and hence get to the DNS server and WEB portal. Internet access breaks. Doing a TCP dump on the active firewall shows it receiving and then sending a reply to the ARP request. It just never gets to the wireless client. Debugging ARP packets on the anchor WLC seems to indicate that the controller is receiving the ARP replies from the firewall. So I'm at a loss as to why things should break when the firewalls fail over.
I have a 3750 switch in the DMZ with SVI of 10.8.144.4. I thought I could get a work around where I would make this the default gateway. The theory being that this interface MAC address would never change. However I was wrong. Even with this IP set as the gateway address for the wireless clients I see the exact same bahaviour when the firewalls fail over. I can't explain it other than to say that the gratuitous ARP sent by the firewalls seems to kill the ability of ARP replies to be sent back to the wireless client.
I have the following
WCS: Version 7.0.164.3 and WLC 5508 Software Version7.0.116.0 And cannot import it. I have 2 more WLC 5508 (same version) already imported in WCS with no issue. Have run debug on the DMZ WLC and can see the snmp request coming through when I try to import it. Firewall rules are fine, ran a tcpdump and the WLC returns snmp values back. snmp credentials and routing is fine, can ping both in both ways.
Always comes up with the following error.
IP Address TypeStatus 203.14.70.91Failed to add device to WCS Reason: Object not found in device
Any link that will give configuration examples of a wireles anchor config with one controller in a DMZ. I have tried this on my own and have some problems in my test enviorment. I believe my issues were with the firewall but not exactly sure.
View 4 Replies View RelatedAll controllers are in version 7.2.111.3.C1 is a 5508, it is ou anchor controller.C2 is a 5508, it is a big site controller.C3 is a 2504, it is a small site controller. C2 and C3 are in the same mobility group than C1 (and all is up up in mobilty managment). When "DHCP Addr. Assignment" is enable on C1 : Clients on C2 received their IP address by our external DHCP server via C1 and the guest tunneling betwenn C1 and C2 and all is working fine. Clients on C3 don't received their IP address by our external DHCP server via C1 and the guest tunneling betwenn C1 and C3, so nothing work.
View 4 Replies View RelatedI'm trying to research the tunnel limits on a 5508 controller if you're terminating controllers to two different SSID's. For example. In my DMZ i have a GUEST SSID for contractors and guests and then I have another SSID used by employees so that tablet and mobile phone users can access the interenet. Because we don't trust any of these devices we have that SSID is termiated just as we do our GUEST SSID.
To reduce the number of anchor controllers I deploy, I wanted to start with one 5508 Controller. (then move up to about 3) This controller would have two SSID's, GUEST & MOBILE. On the Foreign controllers when I setup anchor tunneling I will be anchoring to the same controller however to two different SSID's.
Per the 5508 specs it supports 71 tunnels.
So my question to the group is, will the 5508 see this anchoring as one tunnel each? Or does it support 71 Tunnels per SSID?
I am trying to set up a guest SSID which will be separate from other corp SSIDs. I have read about this auto-anchor feature and I have a basic idea. Here are some questions about the network design
1. Can Cisco 5508 with 7.2.111.3 code do NAT? I mean can I use the anchor controller also as a gateway to Internet or do I need another device such as FW or router to do the job?
2. I want the guests to get IP address in 192.168.0.0/24 range. On the anchor controller I will need an interface in this range, correct? However on the internal controller I won't need this interface. The guest ssid will be associated with the management interface on the internal controller, correct?
3. I want the guests to get IP address from general DHCP server. Does DHCP request have to come out of the new interface in the 192.168.0.0/24 range? However this interface will be connecting with the FW. It won't have connection back to the internal network to reach the DHCP server. The management interface will have the route to the DHCP server. Is it possible to use management interface for this SSID but still let traffic to pass through the Guest interface?
We have Internal Wireless Controllers to be set up for HA (AP SSO) and wireless traffic from Guest SSID will be terminated on a Guest Anchor Controller inside Firewall DMZ. The Internal WLC controllers are installed with software versions 7.3.101.0, and the Guest Anchor controller is installed with software version 7.2.103.0. Just wondering if the Guest Anchor controller needs an upgrade to match the software versions on the HA controllers. Also, Cisco provides a new version of code, 7.3.112.0 now. So is it recommended to install the new software version on the HA controllers as well as the Guest Anchor Controller.
View 8 Replies View RelatedI know that the recommendation from Cisco for the mobility anchor feature to work well is to use the same IOS version on the anchor WLC and local WLC controller. Now I´ll install on a new site a 5508 local WLC with a newer IOS version which is installed on the other controllers ( Guest and local ). Later I´ve planned to update also the other controllers to the same IOS version. Now my question is, must I upgrade all other controller at the same time ?
View 4 Replies View RelatedWe are planning a WLAN upgrade and the security policy is to forward wireless Guest user traffic to the DMZ controllers. We are now considering the Virtual WLAN Controller and all AP's will register with the virtual controllers and we will use Flexconnect for Staff and internal traffic that will switch their traffic onto the local switch.
We wish to forward the guest traffic to the DMZ Guest Anchor controller which will be a 5508 controller. This will also offer Office Extend AP service.I have looked at teh virtual controller docs and not very clear if this deployment model is supported. Below is a diagram of what we wish to deploy and is this a supported deployment model.
I have 2 x Redundant Guest Anchor Controllers (5508) located in 2 separate Data Centers with all the management and guest user VLAN spanned between two. Everything is working fine with the Guest WiFi access except the DHCP functionality as the Controllers are acting themselves as the internal DHCP Servers.
This is how I tried to distribute :
network. 10.1.0.0/23
gateway: 10.1.1.254
Controller 1, DHCP Server pool: 10.1.0.2 - 10.1.0.254 Gw: 10.1.1.254
Controller 2, DHCP Server pool: 10.1.1.2 - 10.1.1.254 Gw: 10.1.1.254
As the user load balancing between the Anchor Controllers cannot be controlled (i.e. they are active/active), the same client sometime getting 2 different IP addresses from both the Controllers (as they do not talk to each other in terms of DHCP) hence depleting the pool addresses.
I guess one way of solving this is to just run 1 DHCP server in one of the controllers but that defeats the purpose of having N+1 Controllers. Is there a better way of doing the DHCP load balancing and having full redundancy at the same time?
I have implemented a Guest WLAN solution as per the recommended design from Cisco. We have two internal WiSM2 controllers providing services for Internal secure SSIDs. Both these controllers are members of a Mobility and RF management group.
Two 5508 controllers have been installed in our DMZ for resilience and have been placed into a separate Mobility group. All controllers (internal and external) have been linked together as mobility neighbours in a full mesh and a new SSID for Web Guest traffic has been anchored to the controllers in the DMZ.
Web page authentication works perfectly fine, but I cannot for the life of me get the MAC filtering override to work, i.e. if a MAC address is present, do not redirect to the splash page for web auth.
In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
SSID Name - guest
Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
Mobility Group: Same configs at both ends
SSID Anchor : Anchor SSID on local and local SSID on Anchor.
AP: CAPWAP 3502 Management Subnet
[code]....
Is there any thing missing in the wireless configs and or the firewall rules as i could not see DHCP request back from the Anchor Controller. Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL congiguration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers.
Not able to register AP Point < Air-Cap35021-E-K9 > on 4402 WLC running IOS (AIR-WLC4400-K9-7-0-235-0 ) Other AP already registered on the WLC are AIR-LAP1242AG-E-K9 & AIR-LAP1131AG-E-K9.
View 13 Replies View RelatedI have 2 4402 WLC running 7.x.x.x code. I also have some 1510 Mesh- L WAPs that require an old version of code. I need 4.1.192.22M for those. Is it possible to bring up a 3rd controller running this old code with the other 2 4402's running modern code? What will break? I know that anchoring and mobility might get messed up. What are the other caveats?
View 2 Replies View RelatedI know that the 3600 series APs are not supported on the 4404 WLC. However, would the following scenario be supported? I would like to use the 4404 (software rel. 7.0) as a guest anchor with a 5508 (software release 7.2) as the foreign controller supporting series 3600 APs. I ask because the APs do not need to join the guest anchor.
View 7 Replies View RelatedWe have a customer that have 2 5508 as primary and backup controller and a 4400 as an anchor controller. We plan to upgrade the 5508 to 7.3.112.0 and the 4400 is already 7.0.116.0. Will there be any issue if the anchor controller is not the same code as the foreign controller? Do I also have to upgrade the acnhor controller to 7.0.240.0?
View 2 Replies View RelatedI need to install one 5508 and a 4402 together to bring redundancy to a wireless environment.Can I do this?. What are the neccesary steps to perform this?, the idea behind this is to bring redundancy is the primary WLC falls for any reason.
View 4 Replies View RelatedWe have 2 WLCs, 4402 (main) and 5508 (backup). While we turn on both devices, 4402 have 10 APs, and 5508 have 10 APs as well. Total connected clients will be 120+, but when we turn off either 1 wlc, let's say only 4402 is power on, total 20 APs joined, but the total client will be 90+, never reach over 100 clients. The same happened on 5508, is there any maximum associated connection on WLC?
View 1 Replies View RelatedMy customer has a 4402-25-K9 and need a backup (failover) controller to avoid data transmision break when primary controller goes down.4402 are end of sale so I have a question can I use 5508 to get Controller Failover Protection with 4402 ?
View 3 Replies View RelatedAny instructions on performing an upgrade from a 4402 to 5508?
View 7 Replies View RelatedI am running 5508 wireless controllers. I pass along another agency's WLAN across my wireless network that is anchored to their older 4402 controller.
I wish to run the new 3600 series APs and am planning on migrating to NCS and the new 7.2 code.
I know that the older 4400 series controllers will not handle the newer 7.1 or 7.2 code. However, i still wish to maintain this anchor relatiosnhip with the older 4402 controller. I need to know if this will work or not.
I'd like to replace my 4402 Wireless controller with a new 5508. I have migrated the exact configuration from my 4404 controller to the 5508 and they are both running the same version of code. I'm worried that if I replace the 4402 with the 5508 controller, the Access Points will not rejoin to the new controller or they will join but will have lost their configuration e.g. AP Name/location etc etc. AP models registered to the existing controller are 1131, 1142 and 3502. I am also using Cisco WCS.
As long as the new controller has the exact same configuration, is it possible to replace the 4404 with the 5508? Will the existing Access Points join the new controller? Is there any other configuration required? I have read about doing this using mobility groups however would rather not if possible.
We currently run six 4402 Wireless lan controllers - these are managed by a WCS server - soon to be replaced by Cisco Prime. We run a mixture of LAP1242 and LAP1142 wireless access points. I need to add more but have been told by my supplier that the both these AP's are now end of sale and cannot be purchased.
The replacement AP's are the 2600 series - but I have been told that these are not compatible with my existing 4402 controllers.
To make matters worse I was then advised that if I purchase the new 5580 controllers the older LAP1242 access points will not work with it and require replacing - this, for me, is a lot of access points.
What I need to know is:
What access points, if any, are currently available that are compatible with my 4402 controllers and a future 5508 installation?
I ssem to be in a situation now where I cannot buy any access points that will work with my 4402's but if I upgrade all my current 1242's will not funtion with the new 5508 controller!
My client has on cisco 4402 controller running with 48 AP on this. Client requires to add another 25 AP but licence on the current controller is not supported client bought another controller 5508 with 25 AP.
I have been tasked to installe 5508 with conjestion of 4402. I have make the software version on both of them as below
AIR-CT5500-K9-7-0-235-3.aes
AIR-WLC4400-K9-7-0-235-3.aes
To match the same IOS version on both the controller. I have following challenges with me.
- 5508 will registered 25 AP while .. 4408 will continue with 48 AP.
- 5508 is going to be in DC and it will be directly connected to firewall as default gateway for guest SSID. 4402 is going to be on another building.
- How can I make sure that Users connected to AP registered with 4402 will have the same deafult gateway as 5508. Thre is no layer 2 connectivity between this two controllers.
- There is no romaing going to happen between this two controller as both are two different locations and user will leave one location will disconnect and it joines bak when it reach to another controller.
- Is there any way to configure 5508 as master and 4402 as slave kind of connections?
l have implemented mac filtering auth on my wireless network, l have 2 WLC ( 1 WLC 5508 and 1 WLC 4402, and I wonder if you can migrate the mac address database of a WLC to another and how can l do this.
View 4 Replies View RelatedI have attached a diagram of the current topology. At present, we have two 5508 connected to our core. We also have a 4402 behind the firewall (DMZ) just purely for guest access. So the staff users connect to the access point which in turns connects to the Staff WLC 1 (if this fails then to Staff WLC2). any guest user connect to the access point which in turn connects to Staff WLC which anchors to Guest WLC which then provides access. Since the guest is behind the DMZ they can only access the internet and not out internal network.
Now we want to office extend our network - we want our users to use 1132 AP at home to access the Infrastructure. is there a way we can do this without disturbing the existing infrastructure. On reading Cisco website, i know the best practice is to use 2 5508 (one behind the firewall and the other anchored to this access the internet network ) i thought since we have a Cisco (dmz) switch (48 port) and only the 4402 (Guest WLC) is connected to it, maybe purchase another 5508 WLC and connect to the 48 port Cisco (dmz) switch. will this work?
I have 10 Access-Point model 1131 AG are new AP.
When I connect the access-Point to the network, the AP associate only one time but i go to wireless for see the AP, i can see downloading of IOS, but the ios is 3.0.59, the ap don not nothing. I can not change any parameters.
I have 2x WLC 5508 running version 7.2. 1st one is setup and running. My questions is: If I want to setup Active-Passive redundancy, do I need to manually setup the 2nd one exactly as the 1st one and put them in the same group? Or is it a way to copy all of the configs I made on the 1st one over to the 2nd one?
View 4 Replies View Related