i have a WLC (5508) - trying to enable AP group vlans based on instructions from: url...however, my problem is that i don't have the 'ap group vlans feature enable' checkbox.
View 1 RepliesI switched from comcast to att uverse. I was happy about the guest-access feature of E3000 when using the comcast, where I can directly connect my e3000 to the modem (basically you can see two network, one is XXX, the other is XXX-guest). However, the ATT uverse has a gateway that combines the modem and router together, in order to use my e3000 instead of the built-in router of the gateway, I have done a LAN-to-LAN connection and I can access internet without any problem. But in this case, I can not enable my guest-access feature. When I use Cisco Connect to set up e3000, it says "cannot connect to your router". how to set up the guess-access feature of e3000 when using ATT uverse.
View 3 Replies View RelatedI have a dual 5508 controller /NCS deployment. I deployed my first clean air AP today, a 3502I.
The Clean Air feature does not seem to work, however. "No information is available because CleanAir is disabled or otherwise not available for this radio. If no information is available and CleanAir is enabled then you can try rebooting the AP XXXX".The thing is that CleanAir is enabled on this AP.
From an older manual it describes how to configure this. I installed the oldest firmware available for download and this feature is there. Was this just simply moved somewhere else in the newer firmware?
Configuring Port VLANs
You can associate VLANS on the Cisco RV220W to the LAN ports on the device.
By default, all 4 ports belong to VLAN1. You can edit these ports to associate them
[Code].....
I have an AP group on a Cisco 5508 WLAN controller. Currently, it is populated with 13 Cisco 1142 lightweight access points. When I try to add a Cisco 3602i access point to the group, I get the following error in NCS: Error: OfficeExtend requires primary, secondary, or tertiary controller management IP to be set.I am using DNS to allow my AP's to find the controller and they work just fine. Is there a reason I can't add the 3600 series AP's to the AP group?
View 13 Replies View RelatedI recently add a second CT5508 to the network, but when I tried to add the first 5508 to the mobilty group I received a message like this:
"error in creating member"
I've tried different mobility names, via GUI, via CLI and always the same error.
I've verified twice or more than twice connectivity issues or any error on the entering the MAC and IP of the controllers, everything is fine.
I'm using version 7.0.116.0
I have to WLC's a 4402 and 5508 in a mobilty group. they are both running 7.0.116.0. They are configured to use Web Authentication. We are having complaints that Users are having to re-authenticate when moving around the office. My theory is they are moving from one WLC to the other and then requiring to re-authenticate.
View 5 Replies View Relatedfor some reason our wlan-controllers were build up to be standalone instead of beeing one mobility-group. I would like to change this in order to use all features of HA.
let me describe our scenario: two WLCs 5508 running SW ver. 6
- same subnet
- both are running in master controller mode
- different hostnames, ip-addresses, etc
- all settings for WLANs and AP-groups (exept the APs themselves in these groups) are the same
- in total at this moment we are running around 100 LAPs configured one half on WLC#1, the other half on WLC#2
I don't know exactly why, but when that setting was installed, someone already configuredHA for each accesspoint... e.g.:
- AP#1 primary WLC#1, secondary WLC#2
- AP#2 primary WLC#2, secondary WLC#1 but without WLC#2 knowing the configuration for AP#1 it makes no sense, correct?
so my question is: how should I do the migration in the best way?
is it easy as:
- disabling master controller mode on WLC#2
- configuring both WLCs into one mobility group
--> WLCs are negotiating their configurations for the APs
I have a 4400 and a 5508 WLC in the same location We want to be able to roam between ap joined to both the 4400 and the 5508 using only one ssid
Do I only need to create a mobility group and add both WLC then create only one WLAN on one of the controllers and it will be shared across bot WLC.
I have a Cisco 5508 setup an running with Cisco 3502 AP. with same SSID
however i need segment the network using 3-Diff VLANS:
1. vlan 1-----students
2. vlan2----- Visitors
3.vlan3------ Staff
the students and visitor are not ment to login to the corporate network, however the staff are to be login using their Active Directory User name and Password how to i achieve this ?
just have few questions about designing WLC 5508
The scenario is that currently one of the client has a firewall Tie ring T1 internet facing and T2 internal which has multiple DMZ connected.
T2 firewall has a DMZ switch connected which has a router which connects to MPLS cloud to different site across the country. (around 10 sites) all static routing.
Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that client has only one WLC and they are not willing to buy other as i was thinking to deploy two WLC one for corporate and one for guest users. (one in internal network and on in DMZ)
Now my question is as follow.
1- Keeping in mind that there is only one WLC where should i physically put it?
2- How guest users will work ? How the authentication will be done?
3-There are 8 SFP ports in WLC how physical topology will look like?
4-How many Vlans i have to make for wirless users will that be 10? (1 at each site) ?
my last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different vlan....just confuse about interfaces and vlans on WLC (interfaces concept)
just have few questions about designing WLC 5508. The scenario is that currently one of the client has a firewall Tie ring T1 internet facing and T2 internal which has multiple DMZ connected. T2 firewall has a DMZ switch connected which has a router which connects to MPLS cloud to different site across the country. (around 10 sites) all static routing. Now the client is thinking to deploy wireless at all 10 sites using H-REAP. The issue is that client has only one WLC and they are not willing to buy other as i was thinking to deploy two WLC one for corporate and one for guest users. (one in internal network and on in DMZ). Now my question is as follow.
1- Keeping in mind that there is only one WLC where should i physically put it?
2- How guest users will work ? How the authentication will be done?
3-There are 8 SFP ports in WLC how physical topology will look like?
4-How many V LANs i have to make for wireless users will that be 10? (1 at each site) ?
My last question is that how these ports work on WLC are they just like switch e.g one port can be assigned to different v lan....just confuse about interfaces and vlans on WLC (interfaces concept).
My customer requires the hostport on an access switch to be allocated to a specific Vlan based upon the AD Group that the user is a memeber of ? I am planning to setup NAC in a Real Gateway OOB deployment, using an ACS 5.2. I was initially thinking that the initial authentication server would be the ACS and then the AD, which using group mappings within the AD, I could then assign the user to a specific ACS group and then pass a Radius attribute back to the NAC manager for processing?
View 2 Replies View RelatedWe implemented WLC 5508 software version 7.3, with 8 Aironet devices, most of them are AIR-LAP1131AG-E-K9, and two AIR-LAP1242AG-E-K9.I could really have benefits of VLAN select feature, but I noticed that it's not working like it should. Two interfaces are in Interface group, but from 45 clients only few of them has IP address from one subnet, others have from second sub.I see requirements for this to work is 32 MB of flash on LWAP devices..I only have 16 MB.. upgrade of flash on devices or something ?
View 12 Replies View RelatedI am trying to set up a guest SSID which will be separate from other corp SSIDs. I have read about this auto-anchor feature and I have a basic idea. Here are some questions about the network design
1. Can Cisco 5508 with 7.2.111.3 code do NAT? I mean can I use the anchor controller also as a gateway to Internet or do I need another device such as FW or router to do the job?
2. I want the guests to get IP address in 192.168.0.0/24 range. On the anchor controller I will need an interface in this range, correct? However on the internal controller I won't need this interface. The guest ssid will be associated with the management interface on the internal controller, correct?
3. I want the guests to get IP address from general DHCP server. Does DHCP request have to come out of the new interface in the 192.168.0.0/24 range? However this interface will be connecting with the FW. It won't have connection back to the internal network to reach the DHCP server. The management interface will have the route to the DHCP server. Is it possible to use management interface for this SSID but still let traffic to pass through the Guest interface?
I'm trying to figure out if it is possible to configure in one site a wireless setup that goes like this:
One WLC (5508), multiple LAP's in H-REAP mode.
AP's will be splitted in multiple VLAN's belonging to different departments but with the same SSID.Each VLAN will have it's own DHCP scope. All AP's are located in the same site and I need to know if it is possible to roam between AP's that belong to different departments?
I have several WLC 5508 with 7.2.110 firmware. My questions are:
(1) Is band select is enable by default on 7.2.110?
(2) All the variables settings on the band select, how do I set it up to make 5 ghz more preferable than 2 ghz?
is there any specific way to create the SVI Interface on MSFC , actually I need to create the two SVI Int on MSFC to enable routing in between two VLANs on 7613 chassis.
View 2 Replies View RelatedI have 6500 with this STP configuration:
spanning-tree mode rapid-pvst
no spanning-tree vlan 1-4094
I need to enable STP on vlan 100 and vlan 103.
When I do "spanning-tree vlan 100,103 root primary" and then "show spanning-tree".I see that STP is not enable on these vlans (100,103).
I tried to do "no spanning-tree vlan 1-99,101,102,104-4094" and it is not work.
There is a way to enable STP on vlans 100,103 without to do "spanning-tree vlan 1-4094"
I'm looking for some input on RRM. I personally have NOT used it in a LONG TIME, since probably the 4.0 days and then very shortly due to massive issues it was causing and admittedly, in part due to my ignorance at the time. So, every since that point, I have always set all my channels and power manually but now feel I am getting to some points where RRM may be required / beneficial. So, I've invested some time and have begun researching and trying to get the ends and outs on it but I'm forseeing a potential issue in myworld anyways and am hoping for some clarification. Lets take the below example:
-WLC5508a and b - (2 100ap license controllers) - these hold the majority of the AP's for the main hospital.Lets say, 140AP's.
-WLC5508c and d - (1 100ap and 1 50ap licensed controllers) - These tend to hold our smaller sites and and buildings, not all connected and some a few miles from each other
-WLC4402a and b - (failover ready)
So, with RRM, I can set setting it up on the 5508A/B with out issue as this is one big large building. However,what about C and D? I suppose I can make them a separate RF Group, but how would RRM respond when it has16 AP's in Building X and then 3 AP's in Building Y 30 AP's in Building Z and sporadic buildings with 1's and 2's? Everything I've read so far, leads me to believe if these devices are separated it probably won't be an issue, however, I just don't want something causing a change in Building Z and Building X be affected because RRM decided it would try to fix it. My point is, I can't afford to have a separate RF Group (meaning separate controllers) for every location.
I have a network setup as live-ssid. It is using the Interface for VLAN 14. All APs under the default-group AP Group obviously allows clients to DHCP an address from VLAN 14. This is working fine.
I created a new AP Group called 3rd Floor. This has the live-ssid setup, but instead of using the Interface for VLAN 14 it is setup for the Interface for VLAN 50. I have all the APs on this floor moved to the 3rd Floor AP Group.
The problem is that 95% of the clients on 3rd Floor are still picking up DHCP addresses from VLAN 14. I checked and all the clients are connected to the APs on the 3rd Floor. Only 4 Clients are getting an address from VLAN 50.
I'm not sure if something is configured wrong or not since some devices pick up the new VLAN and the rest don't. I've manually reboot the APs on the 3rd floor to see if that would fix it.
I am setting up officeexten. I have placed the officeextend wlc in the dmz with an mgmt ip of 192.168.10.2. in the process of anchoring this to the internal wlc. Also the ip on the firewall for this interface is 192.168.10.1
1. does the mobility group need to match the same on the internal wlc ?
2. Now do i need a NAT transnational on the firewall for the external WAN ip (AP primed address say 66.10.10.10) to NAT back to 192.168.10.2 ?
3. The 5508 WLC is running on ver6.0.199.4 (license level base) - will this support office extend?
I have a Cisco 5508 controller and am considering using LAG. Can I enable LAG but only use 2-4 of the 8 available ports on the 5508? I am asking because currently I don't have enough ports on my 3750G switch to accomidate all 8 ports on the 5508.
View 2 Replies View RelatedI am trying to block clients based on MAC addresses connecting to our Wireless Guest network.
My scenario is: We have 2 interfaces (corporate and a guest). Users are connecting to our guest network after they have automatically connected to our corporate network and logged into Windows. When they realise that things are not quite working in the way they want (access to servers etc...), they reboot and then find they cannot logon to the laptop at all. This is because the laptop has automatically rejoined the guest network and has no access to AD. I then have to locally logon to the laptop and remove the guest network.
It’s starting to become a bit of a pain as we are an educational establishment and... well... you would wouldn’t you
Hardware: WLC5508, Software Version 7.3
So far I’ve tried enabling MAC Filtering under “Security -> AAA -> MAC Filtering”, but found out that it’s a white list. The opposite of what I’m trying to achieve, but I like the fact you can link it to a specific interface.
I’m just looking at the “Disabled Clients” again under “Security -> AAA ->”, but think this is more a total ban as I cannot see a method at attaching it to an individual interface. I'm kindda stuck and my good old friend Google is not yielding great results.
I’m not by any means a wireless expert, so there is probably a better method. I would prefer to use the controller as a way of achieving this, but if you think I’m wasting my time and should be looking at a Windows Group Policy method then I’ll go with that?
We`re using a WLC 5508 with SW 7.2.103.0.The most things are working fine, but i have a problem with the web auth.
Setup:
- Max Concurrent Logins for a user name is set to 1
- Max-Login Ignore Identity Response is set to enable
- Web Authentication Type is set to customized
The Problem:
- the user "test" is logged in at device1 (working), the same user "test" try to login at device 2 (is not working, fine!) -> login is not accepted, WLC redirects to the INTERNAL Web Login Page.The problem is the redirect to the internal web login page after failed login. If i try to login with a not existing user, the redirect is working perfect to the customized web login.
I had configured one access point CAP3602E in flex connect mode through a WLC 5508 after deploying the access point in flex control mode the local mac-filering is not working. before it was working when ap was in local mode. any body have to know is the mac-filtering working in flex-control mode ?
View 2 Replies View RelatedI have WLC 4400/5508 I stumbled across this config paging disable command to stop page breaks, works great for the one session I am logged in but it do not work for other users..
View 1 Replies View RelatedI have purchased these two switches from ebay as a test lab, I plan to connect them up via a gigastack modulecable and enable ip routing on the c3550 and vlans to talk to each other.
I'm very much a procurve person and really need to get into the cisco switching.I will want to trunklacp between the switches - whats the process is setting that up on cisco switches?
(5508 WLC, 1142N APs).I understand if I enable the AP mode to Rogue Detector from the details page of the AP, the AP stops accepting requests and is now looking for rogue items on the wired network. Is this the same when I enable Rogue Location Discovery Protocol? Will I lose the wireless functionality of all of my APs on the controller?
Next question, when I look at the Rogue Summary on the Monitoring page I see three Adhoc Rogue devices. When I select the Detail link only one shows. I remember the other two were HP mutifuction devices with WIFI enabled but I cannot retrieve that information anymore.
I try to map LDAP Group to ASA Group policy following documentation:
[URL]
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX
WE have to deploy ASA5585 in between User vlans & server vlans. we have to find all the ports that needs to be opened on firewall. any tools to do same.
View 2 Replies View RelatedWe need U-APSD (a special WMM Feature).Does the WAP321-E-K9 Support this feature?We need it for powersave mode from cordless wlan phones.
View 1 Replies View RelatedI have a remote site that has an AP running in H-REAP mode which connects over our MPLS cloud to a WLC, which has one interface on the "inside" network and one on our DMZ. The remote AP in H-REAP mode currently only runs our Guest SSID, but now I need to established an isolated VLAN.
Two of the hosts on this isolated VLAN, which is need to support some conference room devices, need to run on wireless and communicate with two devices on the same VLAN that are hard-wired to the switch.
Getting the wireless devices to connect remotely is easy enough by setting up an SSID that uses an IP subnet which one of the WLC's interfaces actually connects to...but can I do that for a completely remote IP subnet (i.e. one that the WLC does NOT physically connect to?). I'm not sure and I'm wondering whether that's the purpose of the "Remote LAN" feature...which is a very new feature.