Cisco Wireless LAN Controller (WLC) Basic Configuration

Hi,

I think this is a related question.
I have this set up that stops working at some point and I can’t figure out why.

Sw1 connects to the DHCP server, to the WLC and to Sw2 and Sw3. WLC has management IP address of 10.0.0.11 and server is 10.0.0.10.

Sw2 connects to Lightweight APs and to the end-user laptop.
The APs and the laptop use DHCP and the laptop can log in to the WLC through its GUI - https://10.0.0.11.

Everything works fine, wireless users authenticate to APs, APs have CAPWAP tunnels to the WLC.

When I create VLANs for management and sales etc. I assign the laptop’s interface on Sw2 to the management vlan, create other VLANs and set up a trunk between Sw2 and Sw1, and from Sw1 to the WLC, I cannot access the WLC’s GUI anymore. The native vlans on trunks are the same and other VLAN’s settings are fine, the interfaces trunk, but the connection between the laptop and the WLC’s GUI is lost.

Can anyone explain the problem with this set up, please?
Does each vlan need a dhcp pool?

Thank you in advance
Marcin

Hello Marcin

Take a look at this response:

I hope this has been helpful!

Laz

Hi All,

Can U help, plz
The service-port interface is used for out-of-band management of the controller. If the management workstation is in a remote subnet, it may be necessary to add a IPv4 route on the controller in order to manage the controller from the remote workstation.

It is important to note that the service-port IP address must not reside on the same subnet as the Manager/AP-Manager interface.

II didn’t understand, what does out-of-band management mean?

Hello Neves

Take a look at this post:

If you have any further questions, let us know!

I hope this has been helpful!

Laz

Hello everyone,
I’m setting up a small wlan, but whenever I create a vlan x, just for management, I can’t even ping the wlc. The interface that connects the WLC is configured as a trunk and has permission for all vlans and the host that manages it is in vlan 10.
How do I resolve this, plz?

interface FastEthernet0/10
 descripiton PC
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet0/1
 switchport trunk native vlan 10
 switchport mode trunk
!
interface Vlan10
 mac-address 0004.9ae8.8301
 ip address 192.168.10.254 255.255.255.0

image

Hello Neves

In the lesson, only VLAN 10 was used. APs, management PC, WLC, as well as hosts all used that VLAN all within the same subnet, even though multiple VLANs were created. In order to deploy a topology in which multiple VLANs will be created and used, you must configure the controller appropriately, as shown in the following lesson:

Make sure you include all of the appropriate VLANs on the WLC.

Where are you attempting to ping the WLC from? The management PC? Follow the steps in the above link and let us know if you face any additional issues.

I hope this has been helpful!

Laz

Hi Laz,

let me ask you another question, can the wlc receive a tagged frame?
I say this because, I don’t know if it’s because I’m using the packet tracer, but when I don’t configure the interface that connects wlc as native to the management vlan, wlc doesn’t respond to packages.
Is this behavior normal?
Can the wlc receive tagged frames?

Hello Neves

The quick answer to your question is yes, it can. The long answer is below:

You can create what are called dynamic interfaces, also known as VLAN interfaces on a WLC and assign them to the physical ports of the WLC. The idea is the same as the configuration of subinterfaces on the port of a router. However, it works slightly differently. Each dynamic interface is configured to be on a different VLAN or a different IP subnet. If dynamic ports are untagged, then all dynamic interfaces must be on different IP subnets than any other dynamic interface configured on the specific port.

More info about this, how it works, and how to configure it can be found at this Cisco documentation:

I hope this has been helpful!

Laz

Hi Laz,
Thanks ir was really helpful!

1 Like

Good evening,

I was wondering if you could recommend a cheap Cisco AP so I can familiarise myself with a Cisco AP GUI as per the above lesson?

Thanks in advance!

Hello Conor

The 1800 series access points are the entry level access points that can be used with a wireless controller in an environment similar to that shown in the lesson. You can take a look at these devices at the following Cisco site:

If you can find a cheap used Aironet 700 or 1600 which are older series not sold anymore, they too can be incorporated into a WLC enviroment.

I hope this has been helpful!

Laz

Hello,
I see in the WLC configuration that 802.11n is not mentioned among the other standard.
Is it a limitation of the used WLC or there is another reason?
thanks

Enable 802.11b Network [YES][no]: 
Enable 802.11a Network [YES][no]: 
Enable 802.11g Network [YES][no]:

Hello Giacomo

According to the Cisco data sheet, the WLC2504 does support the 802.11n standard. I’m not sure why this doesn’t appear in the lesson, it may be that an older firmware version is being used. I’ll ask Rene to take a look and let us know…

Laz

1 Like

What about Virtual WLC, does it work normal

Hello Wali

The Virtual WLC is a virtual form-factor controller that can run on VMWare Hypervisor ESXi. Virtual WLC is similar to a hardware WLC, but it does have some differences such as the fact that the virtual WLC cannot act as an anchor controller. Also, all APs must be in FlexConnect mode for virtual WLC to operate.

You can find out more about the Virtual WLC here:

Note that the end of sale and end of life has been announced for the virtual WLC, with end of sale set for January 31st of 2022, and a last day of support set for January 31st of 2027.

Cisco’s recommended migration option is to move to Cisco DNA Center.

I hope this has been helpful!

Laz

1 Like

hi laz,

iam having the same issue. even having the AP in the same VLAN as the WLC, I can not ping the Management IP of the WLC from the PC connected to the AP. should not this be possible, as they are on the same vlan?

Hello Costa

First of all, I’m not sure which issue you are referring to. The post you are replying to is dealing with a different topic. However, I see that you are trying to reach the management IP of the WLC from a wireless client on the same VLAN.

It is considered best practice to ensure that wireless clients are unable to gain direct access to the management interface from the wireless network. Indeed, Cisco documentation states the following:

To prevent or block a wired or wireless client from accessing the management network on a controller (from the wireless client dynamic interface or VLAN), the network administrator should ensure that only authorized clients gain access to the management network through proper CPU ACLs, or use a firewall between the client dynamic interface and the management network.

It could be that precautions have been configured to disallow this communication. Now if that is the case, you should be able to create an exception in the ACL for a PC on the wireless network, so that if you as an administrator connect, you will have management access.

Let us know how you get along in your troubleshooting.

I hope this has been helpful!

Laz

Thanks a lot for explanation, greatly appreciate it

Hi,

is it necessary for the trunk link between WLC and switch to support management VLAN since CAPWAP tunnel is operating at layer 3?

In addition, is there any scenario where we don’t need to configure the management wlan on the trunk link?

For example, if WLC and APs are in different subnet and there is only Layer 3 routing in some part between them, do we still need to enable the management wlan on the trunk link?