Cisco Wireless :: 5508 / H-REAP LWAPs Losing VLAN Mapping When Fail To Secondary WLCs

May 2, 2011

I have three 5508 WLCs, running code 7.0.98.0 supporting 100+ LWAPs in H-REAP mode. The LWAPs are servicing 2-3 WLANs each. Some are using central authentication and local switching, some are configured for central authentication and central switching. When the LWAPs fail from one WLC to another WLC, the LWAPs lose all of their VLAN mappings and pick up the VLAN of the management interface on the new WLC.

All WLANs are configured to use the management interface on the WLC and the VLAN mappings are configured per LWAP on the H-REAP properties tab. The WLAN ID numbers and all the WLAN settings are the same across all 3 WLCs. I have created AP groups on all 3 WLCs and the AP group config matches across the 3 WLCs.

I can get the LWAPs to keep their VLAN mapping by creating an interface on the WLC with the VLAN ID of the locally switched/remote site VLAN and then setting the interface for the WLAN to the new interface. However, then the WLAN doesn't work, because the centrally located WLC doesn't have the remote site VLAN. It also seems to keep the VLAN mapping if I create the locally switched/remote site VLAN interface on the WLC, and point the WLAN to the management interface. This shouldn't be a necessary step though... In H-REAP with local switching, the LWAPs aren't using the interface on the WLC.

I found a note in the 7.0 WLC config guide that explains why the VLANs are picking up the management interface VLAN, but that same note says the VLAN mappings can be changed per LWAP/WLAN!

From config guide: For hybrid-REAP access points, the interface mapping at the controller for WLANs that is configured for H-REAP Local Switching is inherited at the access point as the default VLAN tagging. This mapping can be easily changed per SSID, per hybrid-REAP access point

Has anyone using H-REAP been able to get the LWAPs to keep the VLAN mapping when failing from one WLC to another?

Cisco Wireless :: H-Reap Vlan Mapping Groups On WLC 5508

Feb 29, 2012

I'm configuring a WLC 5508 (version 7) with H-REAP local switching. All is working, yet I wonder if the VLAN mapping can be done better. Currently I need to go into each Lightweight Access Point, enable H-REAP, then set the native VLAN, with the final step to map the VLAN. This needs to be done for each AP. In an environment of 100s of APs it would take forever. (I thought one of the main points of the WLC is centralized management.)

Cisco Wireless :: 144 / Client MAC On Native Vlan In H-reap Setup

Jan 11, 2012

Just trying to figure out how LAPs manage clients in an H-REAP setup. Have a setup with native VLAN on 144 (switch and AP) and SSID tagging in another VLAN... Got this on the switch:

Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
 
Wonder why the client's MAC is seen on the native VLAN (and of course also on the tagged VLAN)...?

Cisco Wireless :: 5508 / APs Roaming In H-REAP Mode With Multiple VLANs?

Apr 23, 2012

I'm trying to figure out if it is possible to configure in one site a wireless setup that goes like this:
 
One WLC (5508), multiple LAP's in H-REAP mode.
 
APs will be split into multiple VLANs belonging to different departments but with the same SSID. Each VLAN will have its own DHCP scope. All APs are located in the same site and I need to know if it is possible to roam between APs that belong to different departments?

Cisco :: 5508 / Can Point WLCs To Prime Infrastructure And WCS Concurrently

Oct 18, 2012

We are currently running WCS but have built a new Prime Infrastructure 1.3 system from scratch on a brand new server. We have successfully migrated the old WCS database on to the new Prime server and as a test I have pointed 1 anchor controller to it. Possible to point the WLCs to both WCS and Prime Infrastructure concurrently? I was thinking that it would be a quick fallback if we had any problems with Prime (I know there have been some!). We are not running MSE but we do have mobility groups; the WLCs are 5508 running 7.0.235.3.

Cisco :: 5508 - Failover For Multiple WLCs And Mobility Groups

Feb 14, 2013

We are in a warehouse type setting and have data centers on each side of the warehouse with 5508 WLCs in each data center. Each side is on its own subnet with routing in between and a different set of SSIDs for each set of WLCs. Our goal is to have the ability to fail over, so that if one data center goes down, APs will move to the controllers in the other DC and the clients will still be able to operate.

Our thought was to implement mobility groups between the controllers. While I saw documentation on setting this up when the controllers are on the same VLAN, I didn't see any setup config when controllers are in different VLANs. So I am wondering if mobility groups are even an option for what we want to accomplish. For the most part clients stay on their respective sides of the warehouse and so we are not necessarily needing roaming for clients between controllers in DC1 and DC2. But that does raise another question in that we do have a planned voice WLAN that we would like to have the ability to roam between each side of the warehouse. But we have seen IP issues with this. In the past we have had both SSIDs set up on each side and ran into issues with clients not renewing their IP address when moving to the controllers on the different subnets.

Can we set up mobility groups between controllers on different VLANs/subnets? For failover purposes, will mobility groups assist in our setup with 2 DCs and different subnets/VLANs? If the answer is yes, we can set up mobility groups between different subnets, is there a way to set up the SSIDs on all controllers and have the ability for clients to roam and renew their IPs when moving to a different controller on a different subnet?

Cisco Wireless :: WLC 5508 - Mapping SSID With Authentication Protocol

Aug 28, 2012

My customer wants to have a mapping of WLAN SSIDs to different authentication protocols as shown below.
  
1: EMP-M for Mschap
2: EMP-G   for Peap GTC
3: EMP-T   for TLS
 
For example, EMP-M SSID users should be connected with only PEAP (MSCHAPv2) and not with other methods like PEAP-GTC/EAP-TLS.

The customer currently has a WLC 5508 and is using ISE for AAA. Any tips on how we can meet the above requirement through the WLC?

Cisco Wireless :: AIR-CT5508-K9 - VLAN Mapping Missing In LWAP

Mar 11, 2013

I am running a big wireless network, with 20 5500s on version 7.0.116.0. I have more than 20,000 APs. If I add some config on the primary controller, make some changes, or reboot, all the APs move to the backup controller. This isn't a problem, but many APs which moved to the backup controller lose their VLAN mapping. This happens every time: primary --> backup, backup --> primary. Both controllers have the same version, same config, etc.

AP model: AIR-LAP1252AG-A-K9
Controller model: AIR-CT5508-K9

Cisco AAA/Identity/Nac :: 802.1x Auth-Fail VLAN And Guest-VLan Not Available

Oct 12, 2011

I'm wanting to set up a Virtual Office scenario. Everything is working fine except for 802.1x... I can get the 881 to authenticate things connected to it, but I don't have the options of guest-vlan or auth-fail vlan. The idea is that if the user takes the router home and someone, either accidentally or on purpose, connects an unauthorized laptop, they stay off the corp network but can still get to the internet. I found this link on Cisco's site: [URL] That link shows them configuring a guest vlan right on the fa0-3 ports of an 881W. I don't have that option on mine. I can only configure 802.1x on the vlan interface. I have 802.1x working for things that connect to vlan1, but I would like to have a "fallback" setup.
 
EZVPN_Remote(config-if)#int fa1
EZVPN_Remote(config-if)#dot
EZVPN_Remote(config-if)#dot1?
dot1q 
EZVPN_Remote(config-if)#dot1

[code]....

Cisco Wireless :: 5508 / WLC Proxy ARP Fail

Jun 9, 2013

I have a lab network set up at my house with similar equipment to our office that I use for testing different features and functionality. Since I have had this installed (~ 2 years) I've had an intermittent but recurring problem with connectivity to various wireless devices that I have never been able to fully resolve. I have a 5508 Wireless controller with a handful of 3502i APs spread throughout my house. The controller is connected to a 3560X switch. And I have an ASA 5510 firewall as my Firewall/Internet Gateway. When I work from home I most often work from a desktop computer in my office and have a Windows RDP session to a laptop located in another room in my house on one of my monitors as a working space (I know this is weird but there is a good reason). This laptop is connected via WiFi at all times. Occasionally, I will lose connectivity to this laptop (or not be able to connect back to my desktop from it) and have to start an extended ping from the laptop to the desktop to re-establish connectivity. A while ago I performed some deeper analysis on what was happening and what I found is that when the connectivity breaks the problem is that the desktop is unable to resolve the MAC address of the laptop. It sends out ARP requests but never receives any reply back.

Why would the controller stop replying to ARP requests for the IP address of the laptop? If I log into the controller while this is happening it shows the laptop as a connected client, and has its IP address and MAC address listed fine in the clients section. In order to avoid getting up every time I need to reconnect, I normally hop to a system I control across one of my VPN tunnels via RDP, then connect BACK to the laptop and start the ping to re-establish connectivity back to my main desktop machine. This works because the firewall's ARP cache hasn't cleared yet. And then everything works fine again... unless I manually clear my ARP cache. Sometimes clearing the ARP cache will result in the exact same problem again and I will lose connection. Other times it seems to repopulate almost immediately and the connection doesn't drop.

A Wireshark debug from the desktop reveals that ARP requests simply go out with no reply, confirming what is happening. As a note, I have set both the User Idle Timeout and the ARP timeout to 24 hours to try but this has not had any effect. This problem seems to go away and then come back. In fact, I haven't been experiencing this issue for probably a couple months recently and then it just started again in the last few days which is why I am back to posting here. No changes to the network were made in the meantime that could account for this change in behavior. I am currently running version 7.2.111.3 but this behavior has persisted through at least four software upgrades so I don't think it's an issue with a specific version but I don't really know. I occasionally experience connectivity issues in my house to other devices as well that I use less often like a printer, network camera, Apple TV so I now feel like these issues are likely all related.

Cisco :: ACS 5.3 Certificate VLAN AD Mapping

Jul 25, 2012

We have ACS 5.3 and 1042 APs. So we need to authenticate clients based on user certificate, and after that put the client in a specific VLAN based on membership in an Active Directory group.
 
Is it possible to do that? We can not solve the problem of identity store, once the user is authenticated based on regular certificate, we need to authorize the same user based on the specific attribute from AD.

Cisco :: 5508 WLC - FlexConnect WLAN Mapping

Aug 12, 2012

We have a 5508 WLC recently updated to 7.2.110.0 since we are using CAP3602I-N-K9. This AP is intended to work as an H-REAP device and even though it is registering to the controller I can't get to see the WLANs on the list to map them to the local VLANs.

I have verified that the WLAN is configured for local switching and have also followed the steps listed here: URL

Still can't see the WLANs under the FlexConnect tab on the AP?

Cisco Wireless :: Set Up Fail Over Capability On Two Active WLC 5508

Mar 18, 2013

For some reason some APs are terminating the association to either one of the controllers for a short period of time. When this happens and the AP re-associates itself with either of the active controllers, it loses the information of what group it previously belonged to, and it gets dropped in the default group, broadcasting every single SSID available.

What I would like to see happen is that if for some reason an AP terminates association, but re-establishes it shortly, it can automatically go to the correct group.

Both WLCs are running the same version and have the same amount of licenses; they can hold all the APs if one of the WLCs goes down. Config-wise they are identical except that the groups are named differently but ultimately configured the same. If that is an issue we can change it no problem since it's only the name.

Cisco :: Failover Configuration - Allow Primary Link To Fail And Secondary Link To Automatically Pick Up Traffic?

Dec 27, 2012

We have a customer who has a network consisting of two ISPs, one as a primary and the other as a backup. We are trying to create a configuration that would allow the primary link to fail and the secondary link to automatically pick up traffic and begin routing. How to set something like this up? Both routers are non-Cisco routers and therefore HSRP is out.

Cisco Wireless :: 3502i Keeps Losing Communication With WLC 5508?

Jan 17, 2013

This problem only seems to affect one of our sites.  Every once in a while, several APs would lose link to the 5508 and get stranded.  The only way to fix the issue is either to power cycle, or better yet SSH into the APs and use the command "capwap ap controller ip address x.x.x.x", and then they'd automatically rejoin the controller.  At first, I thought network hiccups caused the APs to lose connectivity, but there's none that I could find.  I have the primary/secondary controller IPs configured in them as well.  See log below:
 
[previous log entries show AP working as intended, then...] 
*Jan 18 05:29:29.632: %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_ECHO_REQUEST
., 1)
*Jan 18 05:29:29.632: %LWAPP-3-CLIENTEVENTLOG: Switching to Standalone mode
*Jan 18 05:29:29.645: %CAPWAP-3-ERRORLOG: GOING BACK TO DISCOVER MODE
*Jan 18 05:29:29.645: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to [ommitted due to security reason]:5246
*Jan 18 05:29:29.704: %WIDS-6-DISABLED: IDS Signature is removed and disabled.

[code]....

Cisco Wireless :: Losing The 5508 Snmp Packet?

May 16, 2013

We had a system outage due to power problems a few days ago, and now our WLC is showing short term packet loss when monitoring it using SNMP. We also monitor it using ICMP, but that shows no packet loss. I looked at the interface statistics on the WLC and all of the switches in between and there are no errors to be seen. Is there any way to troubleshoot this problem on the WLC? I am more familiar with IOS than the WLC CLI.

Cisco Wireless :: 5508 Controllers - After 7.0.116.0 Upgrade Intel Wi-Fi Link Cards Fail

Nov 10, 2011

Just recently upgraded our 2 5508 controllers from 6.0.199.0 to 7.0.116.0. Since that upgrade, I have a handful (8 to 10) of wireless laptops that now refuse to associate to any access points. The thing these laptops all have in common is some variation of the Intel WiFi Link AGN cards. I have about 200 other clients out there working just fine.
 
I've tried everything under the sun that I can think of.  Patches, drivers, the whole sh'bang. 
 
Is there a known issue with 7.0.116.0 and these particular cards?

Cisco Wireless :: WLC 5508 Implementation - Some Users Losing Connectivity

Dec 3, 2012

We are implementing a WLC infrastructure in our company following the below scenario:

- WLC 5508, OS 7.2
- APs AIR-LAP1142N-T-K9
- 3 Wlans (1Open w/ Web Auth, 1 WPA2 and 1 802.1x)
 
Issues: Everything seems to be fine, but some users lose connectivity (when connected to the 802.1x network) at least 3 times a day.

- I cannot see anything at WLC logs concerning the association/deassociation of any of these users.

- Only strange line in the logs is "RADIUS server 172.21.44.50:1646 deactivated in global list" (authorization server config)

- Also I see some "Coverage hole pre alarm for client" but that doesn't look like a problem...

Cisco :: 5508 - Eap-Fast PAC On Secondary Controller

Oct 15, 2012

Have a controller-based deployment with (2) 5508s and an 1121 ACS appliance running 5.1 code. Controllers are set up identically and we are RADIUS authenticating users to AD via the ACS. Everything works great on the primary controller, but when I test failover to the secondary controller, my authentication fails and I get the following error message in my ACS logs:
 
12126  EAP-FAST cryptobinding verification passed
12147  Machine Authentication is disabled
12161  Cannot provision Authorization PAC when the stateless session resume is disabled
12106  EAP-FAST authentication phase finished successfully
11503  Prepared EAP-Success

Cisco :: Setting Up Primary And Secondary 5508 Using Redundancy Port

May 15, 2013

Management purchased a HA package from Cisco consisting of 2 5508's with pre installed 500 users license on the Primary WLC and none on the secondary WLC. We have 5508's already so I am familiar with setting them up and so forth. What I am not familiar with is setting them up using HA for failover and license sharing. I've looked and looked and can't find documentation online showing how to set this up. I have found some but nothing that is complete. I have spent 2 days spinning my wheels.

Cisco :: 4400 / 1142n LWAPs - Slow Wireless Speed

Jan 23, 2011

Background: Cisco 4400 series WCS w/ Cisco 1142n LWAPs. Clients are HP Elitebook 2730p notebooks with Intel 5100 wifi chips. I was installing Dragon Dictate on several users' tablets this weekend. I was ready for the 1 hour install. I noticed that one of the computers was done far quicker than I expected. The computer had a wired ethernet cable attached to its docking station. The other 3 were accessing the network via the wireless. I did some checking on the WCS, and the other three notebooks were downloading files at a whopping 8 Mbps each. The server that they were downloading from is attached via gigabit ethernet, and was little utilized. All three notebooks reported that they were connected ~80Mbps to our 2.4GHz N network. I'm willing to accept that wireless is going to be slower than wired, but this seems extreme. The three tablets were connected back to the same LWAP, which is connected to a gigabit switch. There were only three other people in the building at this time, so network congestion isn't an issue.

Cisco Wireless :: Configuring Guest Access Using 2 LWAPs And 2504 WLC?

Apr 3, 2012

I have 2 APs, Cisco Aironet 1040, and a 2504 WLC. Is it possible to configure guest access (Guest SSID/VLAN and Corporate SSID/VLAN) without a dedicated guest WLC in the DMZ?

Cisco WAN :: QoS Policy Fail On Vlan Interface Of Router 3845

Aug 29, 2011

I have configured a QoS policy and I am trying to apply the policy to a VLAN interface which is physically connected to a switch module port of a 3845 router. When I try to apply it, the message "configuration failed" appears.

Cisco AAA/Identity/Nac :: C3560E / Authentication Event Fail Action Authorize VLan

Jul 15, 2012

When the supplicant is missing, vlan500 is opened for the port and everything is OK, but when the supplicant has the wrong configuration, something happens and the port is always authenticating (every 30s; vlan500 is not assigned to this port with the badly configured supplicant), and the logs show something like this:
 
Jul 10 10:20:12.362: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A3545161E4
Jul 10 10:20:44.365: %AUTHMGR-5-START: Starting 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %MAB-5-FAIL: Authentication failed for client (001e.3718.7297) on Interface Ga0/1AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-RESULT: Authentication result 'no-response' from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-7-FAILOVER: Failing over from 'mab' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
Jul 10 10:20:44.399: %AUTHMGR-5-START: Starting 'dot1x' for client (001e.3718.7297) on Interface Ga0/1 AuditSessionID 0A0EFF5B000004A45451DF11
  
version - Cisco IOS Software, C3560E Software (C3560E-UNIVERSALK9-M), Version 15.0(1)SE2
  
port config:

interface GigabitEthernet0/1
switchport access vlan 104
switchport mode access
switchport voice vlan 200
authentication event fail action authorize vlan 500

[code]....

Cisco AAA/Identity/Nac :: Accounting Setup On WLC 440x / 5508 ACS Takes It As Authentication Request And Fail

Dec 8, 2011

accounting in ACS 5.3. When I setup accounting on WLC 440x / 5508 ACS takes them as an authentication request and fail.
 
Here are some logs what I see in acsview:
 
Dec 9,11 6:05:11.783 PM
Radius authentication failed for USER: navrka2  MAC: a.b.c.d  AUTHTYPE: Radius authentication failed
 ACS Session ID:
dc2aaa1v/112555963/420
Audit Session ID:
0a9a01d7000001fd4ee23a3d
Tunnel Details:

[code]...

Cisco Wireless :: 5508 WLC In HA Over L2 VLAN

Nov 13, 2012

I am very interested in the new 7.3 feature HA. Also I can read that it is recommended to connect the two WLCs directly. How to use an L2 VLAN between them, in fact to bridge a distance between two data centres?

Cisco :: 5508 Losing Access Point Config After Power Loss To AP

Sep 19, 2012

I know there were a few posts about users losing their access point config after a power loss to the AP. I wanted to share that I can confirm and reproduce this same issue with a number of access points that I have. I opened a TAC case and will update this thread as the case progresses.
 
Wlc 5508
Ap 1242
7.0.220.0

Cisco :: ICMP / SSH With LWAPs Behind WLC 2100

Feb 27, 2011

I'm new to the Cisco WLCs and recently implemented a wireless infrastructure using a WLC 2100 with 1262 LWAPs. I have two of the 1262s plugged into ports 7/8 using crossover cables. They're functioning correctly with the exception of the inability to SSH and send pings to the LWAPs behind the WLC. Is there any way to ping/SSH through the WLCs to the LWAPs behind it? I use an NMS (Nagios) to monitor the status of the LWAPs and it can't monitor them if it cannot ping them. Also, is there any way to configure the WLC to monitor the status of LWAPs?

Cisco Wireless :: VLAN Assignment Without ACS On 5508

Apr 8, 2013

I was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead?

Cisco Wireless :: 5508 / AP On Different Vlan Than Controller?

Sep 30, 2011

I have a 5508 controller at our headquarters and am installing some 3502 APs at a remote branch. Unfortunately, the remote branch has a different VLAN setup for some reason and the VLAN that is used for the WLC (90) is designated for telephony at this branch. Can I put the APs on a different VLAN (10) without having any issues? I will still use DHCP option 43 to point them back to the controller. Below are the configs for the WLC interfaces and what I am proposing for the AP interfaces:
 
WLC Config
 
interface GigabitEthernet1/1/38
description WLC01
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 90
switchport trunk allowed vlan 1,10,50,90,91,390,410-413,610-613,800,810,811
switchport mode trunk

[code]......

Cisco Wireless :: Failover Of 2504 WLCs

Mar 17, 2013

Have a concern regarding the failover of 2 WLCs.

1. One Active_WLC (2504) has a full license for 15 access points.
2. The 2nd, Secondary_WLC (2504), has a normal license (without any AP license, zero AP count license).

Now my questions are:
1. If the first WLC goes down due to any kind of problem, can the secondary WLC come up and take over all the APs?
2. If yes, then for how many days or hours will these APs connect to the WLC?
3. If the first WLC comes up after some days, can this WLC automatically take over the situation?

Cisco Wireless :: WLC4402 And 104x H-REAP Mode

Mar 2, 2013

Is there any possibility to run the WLC4402 and the 104x family in H-REAP mode?

Cisco Wireless :: WLC 5508 Multicast Between SSID's And Vlan's

Dec 12, 2012

Is it possible to multicast between 2 different SSIDs that are associated with 2 different VLANs?

Copyrights 2005-15 www.BigResource.com, All rights reserved