Cisco Wireless :: H-Reap Vlan Mapping Groups On WLC 5508
Feb 29, 2012
Im configuring a WLC 5508 ( version 7 ) with h-reap local switching.All is working , yet i wonder if the vlan mapping can be done better.Currently i need to go into each Lightweight Access point , enable h-reap, then set the native vlan , with the final step to map the vlan. This needs to be done for each AP. In an environment of 100's of APs i would take forever. ( i thought one of the main points of the WLC is centralized management).
View 1 Replies
ADVERTISEMENT
May 2, 2011
I have three 5508 WLCs, running code 7.0.98.0 supporting 100+ LWAPs in H-REAP mode. The LWAPs are servicing 2-3 WLANs each. Some are using central authentication and local switching, some are configured for central authentication and central switching. When the LWAPs fail from one WLC to another WLC, the LWAP's lose all of their VLAN mappings and pick up the VLAN of the management interface on the new WLC.
All WLANs are configured to use the management interface on the WLC and the VLAN mappings are configured per LWAP on the H-REAP properties tab. The WLAN ID numbers and all the WLAN settings are the same across all 3 WLC's. I have created AP groups on all 3 WLC's and the AP group config matches across the 3 WLCs.
I can get the LWAPs to keep their VLAN mapping by creating an interface on the WLC with the VLAN ID of the locally switched/remote site VLAN and then setting the interface for the WLAN to the new interface. However, then the WLAN doesn't work, because the centrally located WLC doesn't have the remote site VLAN. It also seems to keep the VLAN mapping if I create the locally switched/remote site VLAN interface on the WLC , and point the WLAN to the management interface. This shouldn't be a necessary step though... In H-REAP with local switching, the LWAPs aren't using the interface on the WLC.
I found a note in the 7.0 WLC config guide that explains why the VLANs are picking up the management interface VLAN, but that same note says the VLAN mappings can be changed per LWAP/WLAN!
From config guide: For hybrid-REAP access points, the interface mapping at the controller for WLANs that is configured for H-REAP Local Switching is inherited at the access point as the default VLAN tagging. This mapping can be easily changed per SSID, per hybrid-REAP access point
Using H-REAP and been able to get the LWAPs to keep the VLAN mapping when failing from one WLC to another?
View 9 Replies
View Related
Jan 11, 2012
Just trying to figure out how LAP manage clients in a h-reap setup.Have a setup with native vlan on 144 (switch and AP) and ssid tagging in other vlan... Got this on switch:
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:31:43.121: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0811.9695.9b04 on port FastEthernet0/42.
Jan 12 10:37:42.770: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port FastEthernet0/42 due to MAC address 0811.9695.9b04 on VLAN 144
Wonder why clients MAC is seen on native vlan (and ofcourse also on taged vlan) ...?
View 4 Replies
View Related
Apr 23, 2012
I'm trying to figure out if it is possible to configure in one site a wireless setup that goes like this:
One WLC (5508), multiple LAP's in H-REAP mode.
AP's will be splitted in multiple VLAN's belonging to different departments but with the same SSID.Each VLAN will have it's own DHCP scope. All AP's are located in the same site and I need to know if it is possible to roam between AP's that belong to different departments?
View 3 Replies
View Related
Aug 26, 2012
Is it possible to assign a single ssid to multiple interface groups by assigning the ssid to multiple AP groups?
I have buildings geographically dispersed that are configured with multiple vlans in interface groups so that I can maintain an addressing scheme of dhcp assigned addresses per building. Each building is also further grouped as AP groups. I'd like to know if by assigning the same wlan ssid to each of the AP groups, will I maintain addressing integrity for each building? I'm thinking it will work.
Do the buildings have to be outside AP range of each other to avoid problems?
5508 controller
7.2.110.0 code
6 buildings
6 interface groups
1 ssid
View 4 Replies
View Related
Aug 28, 2012
My customer wants to have mapping of WLAN SSID with different authentication protocol as show below .
1: EMP-M for Mschap
2: EMP-G for Peap GTC
3: EMP-T for TLS
For example EMP-M SSID users should be connected with only PEAP(MSCHAPv2) and not on other methods like PEAP-GTC/EAP-TLS .
customer is currently having WLC 5508 and using ISE for AAA . Any tip how we can do the above requirement through WLC .
View 4 Replies
View Related
Mar 11, 2013
I am running big wireless network, with 20no of 5500 with 7.0.116.0 version. I have more than 20,000 AP's. If i add some config in primary controller or do some changes or reboot all the AP's are moving to backup controller. this doesn’t have any problem, but many AP's which moved to backup controller are losing VLAN mapping. This happens every time. Primary --> backup, backup --> primary. Both controllers have same vern...same config etc..
AP model: AIR-LAP1252AG-A-K9
Controler model: AIR-CT5508-K9
View 15 Replies
View Related
Sep 1, 2012
1) Is it possible for 2 WLCs installed in seperate data centres with L3 seperation to be joined in a mobility group? We will have aps in the branch offices split between controllers so we want to make sure roaming work ok. Also all guest access should be anchored to data centre 2.
2) in flexconnect local switching mode, do I need to create flexconnect groups if I'm only using radius servers in the data centre with no requirement to use local radius as a backup?
View 6 Replies
View Related
Jul 7, 2011
I have 2 5508 controllers in a mobility group. Any good way to keep the configuration between the 2 controllers synched up?
I thought about copying the config from my primary controller to the secondary controller, but I would think there is a more elegant way to make this happen.
View 5 Replies
View Related
Jul 25, 2012
we have ACS 5.3 and 1042 AP. So we need to authenticate client based on user certificate, and after that to put the client in specific VLAN based on membership in Active Directory group.
Is it possible to do that? We can not solve the problem of identity store, once the user is authenticated based on regular certificate, we need to authorize the same user based on the specific attribute from AD.
View 1 Replies
View Related
Aug 12, 2012
We have a 5508WLC recently updated to 7.2.110.0 since we are using CAP3602I-N-K9, this AP is intended to work as a H-REAP device and eventhough it is registering to the controller I can't get to see the WLANS on the list to map it to the local VLANS
I have verified and the WLAN is configured for local switching also have followed the steps listed here:URL
Still Can't see the WLANs under the Flexconnect tab on the AP?
View 2 Replies
View Related
Nov 20, 2011
I have a new deployment of 44 3502i AP's in 3 buildings at one of my campus'.The 5508 wlc is running latest 7.0.116.0 code.I have some users who take their work with them as they go from location to location on this campus.They need to be able to smoothly switch from AP to AP without having to reauthenticate each time the next AP takes over in the handoff.On the ssid in question we run 802.1x back to 1 auth server; there is no failover auth server.All APs are in one AP Group.My thought is to add all 44 of the APs to one HREAP Group.
View 4 Replies
View Related
Mar 15, 2011
Did any know that how many AP Groups can be created by one Controller? (5508) May I have 100 AP Groups?
View 3 Replies
View Related
May 3, 2012
web authenticate users within a specific Active Directory Security Group. I tried to authenticate over Radius with Cisco Secure ACS and Network Access Restrictions. But NAR only works with Layer 2 authentication. And Web Authentication over LDAP can only be used with User Objects.
View 5 Replies
View Related
May 6, 2012
How do Mobility Groups work with internal DHCP scopes on a WLC 5508?We have a WLC 5508 with two internal DHCP scopes which redirect to captive portals for authentication. I am looking at putting in a second WLC in a mobility group setup to provide some WLC redundancy. The LWAPs will be setup so that every second AP is on the has the second WLC as its primary controller. If the primary WLC fails we want the secondary to be able to take over and issue IP's from the internal scope. How do you set this up with a Mobility group so the second WLC does not act as a rouge DHCP server while the primary WLC is still active?
View 6 Replies
View Related
Feb 14, 2013
We are in a warehouse type setting and have data centers on each side of warehouse with 5508 WLC's in each data center. Each side is on its own subnet with routing in between and a different set of SSID's for each set of WLC’s. Are goal is to have the ability to failover in the event that if one data center goes down AP’s will move to the controllers in the other DC and the clients will still be able to operate.
Our thought was to implement mobility groups between the controllers. While I saw documentation on setting this up when the controllers are on the same vlan, I didnt see any setup config when controllers are in different vlans. So I am wondering if mobility groups are even an option for what we want to accomplish. For the most part clients stay on their respected sides of the warehouse and so we are not necessarily needing roaming for clients between controllers in DC1 and DC2. But that does raise another question in that we do have a planned voice wlan that we would like to have the ability to roam between each side of the warehouse. But we have seen ip issues with this. In the past we have had both SSID's setup on each side and ran to issues with clients not renewing their IP address when moving to the controllers on the different subnets.
Can we setup mobility groups between controllers on different vlans/subnets? For failover purposes will mobility groups assist in our setup with 2 DC’s and different subnets/vlans? If the answer is yes we can setup mobility groups between different subnets, is there a way to setup the SSID's on all controllers and have the ability for clients to roam and renew their IP’s when moving to a different controller on a different subnet?
View 3 Replies
View Related
Dec 12, 2011
I created some User Defined Groups in LMS 4.1, now I want to apply certain fault notification groups to Event Sets.
Unfortunately the Groups I configured are not in the Group Selector of the Fault Notification Group: Admin > Network > Notification and Action Settings > Fault Notification Group
View 3 Replies
View Related
Nov 13, 2012
I am very interested in the new 7.3 feature HA.Also I can read that it is recommended to connect the two WLCs directly. How to use a L2-VLAN between them, in fact to bridge a distance between two data centres?
View 3 Replies
View Related
Apr 8, 2013
I was wondering if it is possible to do dynamic VLAN assignment on the Cisco Wireless Controller 5508 without using Cisco ACS but use Microsoft NPS server instead?
View 3 Replies
View Related
Sep 30, 2011
I have a 5508 controller at our headquarters and am installing some 3502 AP's at a remote branch. Unfortunatly, the remote branch has a different Vlan setup for some reason and the vlan that is used for the WLC (90) is designated for telephony at this branch. Can I put the AP's on a different VLAN (10) without having any issues? I will still use DHCP option 43 to point them back to the controller. Below are the configs for the WLC interfaces and what I am proposing for the AP interfaces:
WLC Config
interface GigabitEthernet1/1/38
description WLC01
switchport
switchport trunk encapsulation dot1q
switchport trunk native vlan 90
switchport trunk allowed vlan 1,10,50,90,91,390,410-413,610-613,800,810,811
switchport mode trunk
[code]......
View 3 Replies
View Related
Mar 2, 2013
Is there is is any posibility to run WLC4402 and 104x family in H-REAP mode.
View 8 Replies
View Related
Dec 12, 2012
is it possible to multicast between 2 different SSID's that are associated to 2 different VLAN's?
View 2 Replies
View Related
Oct 11, 2011
I'm reading up on H-REAP in the Deploying and troubleshooting Cisco Wireless LAN Controllers book (Chapter 13) and I would like some clarification on the except below.:"Also notice that, as part of the WLAN configuration, no mention was made of choosing and interface for the WLAN. Unless you will have APs in local mode servicing a WLAN configured for local switching in conjunction with H-REAP APs, the controller interface is irrelevant because the controller will not bridge the client traffic on the network.The H-REAP performs that function. Even if you will not be using any local mode APs, you must choose an interface to be associated with your WLAN. In this case, you could use the management interface or create a quarantine VLAN interface, for example if you do not want client traffic to be bridged by the controller if the client traffic is no longer locally switched."Our corporate office has 2 5508 controllers and 150+ APs in local mode. I'm preparing to deploy a couple of H-REAP APs to a remote site to test. Is this saying you have to choose an interface when creating a WLAN, but if the WLAN will only be used by H-REAP APs w/ local switching it does not matter which interface is used when creating the WLAN. If there are APs in local mode using the same WLAN, the interface the WLAN associates with needs to be on the same subnet as the devices connecting the the WLAN?
View 3 Replies
View Related
May 31, 2012
We have two WLC's 5508. Following are its interfaces & details:mgmt 10.49.5.251 on wlc1 & .252 on wlc2 access p 10.49.6.251 on wlc1 & .252 on wlc2 there is no AP manager interface seen on both wlc's nor configured. both wlc1 & wlc2 are connected each to two switch ports, configured as normal trunk link each.LAG is enabled on both WLC's.
View 2 Replies
View Related
Jan 2, 2013
We created a VLAN interface and a WLAN on the wireless controller (5508) and using it for Guest Wireless (Web auth), can we use the same VLAN and WLAN s for Wired Guests also?
View 5 Replies
View Related
Sep 25, 2012
I have a new 5508 that I am setting up. My first one from scratch.
Interfaces:
managment -> 10.10.10.10 ->dhcp 10.10.10.1
voice -> 10.10.7.1 ->dhcp 10.10.10.1
guest -> 192.168.1.2 ->dhcp 192.168.1.2
Local DHCP (via the 5508) is for the guest network while the management and voice use the Windows DHCP server.
My problem, Voice and guest work fine. I have two SSID's (one 802.1X and the other PSK) that use the management interface that will not get an IP. I have enabled dhcp proxy from the cli on the controller. I tried with the management VLAN tagged and untagged.
View 2 Replies
View Related
Aug 12, 2012
I have got a wireless project with WLC main office and have 10 sites where ap's are there and ap's getting registerd .we need 4 ssid in all branches same .
ssid guest
ssid scanner
ssid user
vlan 600 main office for scanner 192.168.1.0
in branch
vlan 600 for scanner but ip is 172.16.1.0
and bgp is running . And customer is asking me not to edit the ip range or vlan or create new vlan . but in wlc am not able to create branch network 172.16.1.0 range interface and vlan 600 as vlan 600 i already created for scanner main office 192.168.1.0 So is there a way to do that .
Temprarly one site i did like created vlan 610 in branch no ip . And in main office interface vlan 610 given another ip range . and i created interface in wlc . from branch i can connect the ssid and getting ip . But they dont want to create any aditional vlan or another network . Customer dont have a smartnet contract . They recently baught 2 wlc 5508 and 40 ap 1142.
View 4 Replies
View Related
Sep 4, 2012
We have a customer who is evaluating a Cisco Vs. Motorla wirless solution. He says that a Motorola AP can only work in standalone mode for 48 hrs. after it lost communication to the controller. Is there any limitation like this with a 2500 controller and 1140 series access points solution?. Is there any reference to show?
View 3 Replies
View Related
Oct 14, 2012
i have configured cisco LAP1240 in H-Reap Mode for multiple branch offices with Local switching and central authentication. one of the branch's AP does not join the controller in HQ while the others are all ok. i have firewall only in HQ, i did priming first for all APs like let them join the controller and configure controller IP in high availbility, and H-Reap config and assign SSID to map with the branch local vlan. when i faced this issue first time i brought back ap and configure a static IP address for AP than recheck them again but the problem still same. since i have only one firewall in the network and also other branches joined the controller through that firewall and no issues.
View 3 Replies
View Related
Sep 7, 2011
What is the maximum number of WLANs/SSIDs that can be configured on a H-REAP access point? I have a network with 3502i AP's, centralised WLC's in the data centre running 7.0.116.0, and WCS version 7.0.172.0.
I was successfully running 2 SSID's at a remote site, one SSID was configured for H-REAP local switching, dropping out to the local site VLAN X, and the other SSID was a central switching guest WLAN anchored to a WLC in a DMZ.I configured a third SSID at the local site running H-REAP local switching, and now I cannot see the guest SSID anymore, it does not appear to be broadcasting.Is there a maximum of 2 WLANs/SSIDs when operating in H-REAP mode?
View 5 Replies
View Related
Feb 23, 2012
In our test set up, we have two WLC 5508 Controllers connected via Checkpoint UTM-1 firewall Inside and DMZ Interfaces. Both the WLC controllers are connected to the firewall via Cisco 3750 switch. On the Local (Inside) Controller, guest SSID is enabled and attached to the wireless management Interface. On the remote anchor controller, guest SSID is enabled and attached to the Management Interface as well. The following configs are replicated on both the Controllers.
SSID Name - guest
Interface - Management ( VLAN 10 on Local and VLAN 20 on remote) -
Mobility Group: Same configs at both ends
SSID Anchor : Anchor SSID on local and local SSID on Anchor.
AP: CAPWAP 3502 Management Subnet
[code]....
Is there any thing missing in the wireless configs and or the firewall rules as i could not see DHCP request back from the Anchor Controller. Also, after DHCP is obtained, the web authentication request will be redirected to an Amigopod device for authentication. In this case is the redirect URL congiguration to be performed only on the Anchor Controller or is this to be replicated on both the Local and Anchor Controllers.
View 8 Replies
View Related
Oct 12, 2011
We use LAP 1042's as our main AP's, and we set those in H-REAP (with Local Switching) in order to let them work properly. This is because our WLC is not located in the AP's local network. This is something that, sadly, cannot change, so this has to stay the way it is now.We also use a freeradius server to authenticate users on our wireless network. In our previous situation, before using Cisco appliances, we would just set our web auth page to a certain URL and make sure that the URL was granted access before authentication. We obviously found out that Cisco implemented this by using a Pre-Auth ACL. As a result we've added the IP adres of that web login page to a ACL and added that ACL to the pre-auth for the WLAN that will use Radius Web Auth. The WLAN also has the Radius servers added to the AAA page, so those are in place.
Now comes the problem though. When I connect to the WLAN that will have to use Radius, and try to open a page it will start trying to load the virtual interface (1.1.1.1) and then it will try to redirect to the web-page that I defined in the External Server. Like I stated, I've added the webpage's IP adres (after resolving it) to the pre-Auth ACL, and when I look at the counters I see that go up every time I try to load a page. Yet the browser on the computer gives me a time-out trying to load the external web-server web auth page.
When I disable Web-Auth all-together, I get internet straight away, so the problem obviously is located in the web-auth settings or ACL settings somewhere, but at this point I just don't know where to look anymore.
View 6 Replies
View Related
Jan 8, 2012
I have a 5508 WLC that for whatever reason cant take any DNS settings, but I still need to get some filtering on the public hotspot side of my wireless network. Can I put the DNS settings on the router that the circuit terminates on? This is the same router that the public vlan is defined on, I'm just not sure if I can put DNS settings in place for just one vlan, and how that'd work.
View 3 Replies
View Related
