Cisco WLC SSID anchored several subnets
Hello
I have a requirement to anchor an SSID on an anchor controller, but depending on which AP the client connects to, I need them to receive a certain IP address.
So...
I have a LWAP called AP1 connected to WLC1; WLC1 uses WLC2 as the anchor for the SSID SSID1 DC. When a user connects, I want the user to get an address from SUBNET1. If a user connects to AP2, which is also linked to WLC1, I want the user to get an address from SUBNET2.
Now... If the AP were located directly on WLC2 I could use AP groups to provide this feature. Does anyone know if it's possible to combine this with an anchor?
Thank you
RG
Fix... You can't do what you are trying to accomplish. If you were doing 802.1x, you can use AAA override to assign users to a VLAN, but other than that, the WLC cannot perform this task.
Tags: Cisco Wireless
Similar Questions
-
No. of SSIDs supported on Cisco WLC
Hi all
Can you please help me by providing details on the following for the Cisco wireless controller?
1. No. of SSIDs supported on Cisco WLC
2. Is it possible to limit the SSIDs per access point? (For example, I have 10 SSIDs configured on the controller; I want the first 10 access points to use SSIDs 1-5 and the rest of the APs SSIDs 6-10.)
Thank you
Jamal
Hi Jamal,
Just to add to the great info from Robert (+5 points Robert)
The feature you're looking for is called WLAN Override in 4.x WLC versions.
Enabling WLAN Override
By default, all WLANs defined on the controller are transmitted by the access points. However, you can use WLAN Override to select which WLANs are transmitted and which are not on a per access point basis. For example, you can use WLAN Override to control where in the network the guest WLAN is transmitted, or you can use it to disable a specific WLAN in a certain area of the network.
This doc:
http://www.Cisco.com/en/us/docs/wireless/controller/4.0/Configuration/Guide/c40wlan.html#wp1114777
Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. In this page, you can set various parameters specific to this WLAN, including general policies, RADIUS servers, security policies, and 802.1x settings.
* Check Admin Status under General Policies to activate the WLAN. If you want the AP to broadcast the SSID in its beacon frames, check Broadcast SSID.
Note: You can configure up to 16 WLANs on the controller. The Cisco WLAN Solution can control up to sixteen WLANs for Lightweight APs. Each WLAN has a separate WLAN ID (1 to 16), a separate WLAN SSID (name of the WLAN), and can be assigned its own security policies. Lightweight APs broadcast all active Cisco WLAN Solution WLAN SSIDs and apply the policies that you set for each WLAN.
The good doc.
In 5.x versions you will use AP groups, because in 5.x WLC versions WLAN Override has been replaced by the "AP Groups" feature:
Creating Access Point Groups
After all the access points have joined the controller, you can create up to 150 access point groups and assign up to 16 WLANs to each group. Each access point advertises only the enabled WLANs that belong to its access point group. The access point does not advertise disabled WLANs in its access point group or WLANs that belong to another group.
http://www.Cisco.com/en/us/docs/wireless/controller/5.2/configuration/guide/c52wlan.html#wp1128591
To learn more about AP groups, check out George's excellent video
http://www.my80211.com/Cisco-Labs/2009/3/22/Cisco-AP-group-nugget.html
I hope this helps!
Rob
-
Two WLC 5508 anchor high availability
Hello.
Is it possible to use 2 WLC 5508 as ANCHOR in an active scenario?
For example, if one WLC goes down, does the other keep providing service to the anchor's clients?
At the moment we have just one WLC 5508 in anchor mode. What do I have to configure for high availability of the ANCHOR?
Thank you very much!!!
You have redundant WLCs as anchor points, but if an anchor fails, the user must reconnect.
There is an HA feature on the WLC, but it is mainly for foreign WLC redundancy, not anchor redundancy. With several guest anchors, the foreign WLC balances the load between the two. You will not be able to set a primary or backup.
-
Cisco WLC 5508 & HP printer
Hello
I have some problems with Cisco WLAN systems and HP AirPrint.
I use two Cisco WLC 5508, a master and an anchor.
The APs are connected to the master WLC; DHCP and the breakout point to the internet are on the anchor WLC.
So far, with my Android phone, I can connect and have access to the internet.
Now, I use an HP Multifunction (MFP M276nw) printer with AirPrint. I connect the HP printer to the same WLAN, in the same IP range.
I can ping the printer from my Android tablet, but I can never find the printer with the HP software.
If I connect the printer and the same tablet to a normal home access point, everything is OK.
I think I have to configure something on my wlcs.
any ideas?
Thank you
It seems that v7.5 supports Bonjour on the anchor. You might want to look at this thread
https://supportforums.Cisco.com/thread/2200019
-
How many WLANs can I use with Cisco WLC 2504
I have two co-located companies and, to decrease costs, would like to implement a single Cisco WLC and separate traffic with VLANs. I see for the Cisco WLC 2500 series controllers a supported number of WLANs of min: 5 and max: 75. What does that actually mean? When I create more than 3 WLANs on a controller, the best practices page advises me against the use of more than 3 WLANs. Is it OK to have more than 3 wireless LANs, and what are the penalties for doing so?
5 and 75 are the numbers of lightweight access points the WLC can support.
By default, 2504 can manage up to 5 access points. You can increase this number up to 75 by adding the new license.
Also, it can support up to 16 different WLANs (SSID)
FC
-
Cisco ASA cannot create several tunnels to the same peer address?
We have several remote sites with Linksys WRVS4400N and Smoothwall firewall/VPN devices. I need these sites to be able to connect to several discontiguous subnets at our main office. This was done easily with Smoothwall and Linksys: you create a separate tunnel for each subnet, and voila, you're done. However, when I tried this with our newly installed ASA, it won't let me create several tunnels to the same remote peer address. This is a problem because these sites have only a single static public IP address. Did I miss something, or does the ASA not allow connections to and from multiple subnets from a site with a single peer address?
That sounds like a limitation of the WRVS4400N, as the Cisco ASA supports several subnets per tunnel.
Is there any way that you can configure a larger subnet instead of specific subnets in the ACL?
For example:
If you have 192.168.0.0/24 and 192.168.1.0/24, instead of having 2 subnets configured, you can combine them into 1 subnet, 192.168.0.0/23
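Added example (not part of the thread): before replacing specific subnets in a crypto ACL with one larger prefix, it is worth checking what else that prefix covers, because every extra network becomes interesting traffic for the tunnel. The sketch below uses Python's standard ipaddress module; the second input pair in the test is chosen here for illustration.

```python
import ipaddress


def covering_supernet(nets):
    """Smallest single prefix that contains every network in nets."""
    supernet = nets[0]
    while not all(n.subnet_of(supernet) for n in nets):
        supernet = supernet.supernet()
    return supernet


def extra_coverage(supernet, nets):
    """Prefixes inside supernet that were NOT in the original list."""
    remaining = [supernet]
    for n in nets:
        kept = []
        for r in remaining:
            if n.subnet_of(r) and n != r:
                # Carve n out of r and keep the leftover pieces.
                kept.extend(r.address_exclude(n))
            elif not r.subnet_of(n):
                # r does not overlap n at all, keep it untouched.
                kept.append(r)
            # else: r is fully covered by n and is dropped.
        remaining = kept
    return list(ipaddress.collapse_addresses(remaining))


def summarize(subnets):
    """Return (supernet, extra): the covering prefix and what it adds."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    supernet = covering_supernet(nets)
    extra = extra_coverage(supernet, nets)
    return str(supernet), [str(e) for e in extra]


if __name__ == "__main__":
    # The pair from the answer above: summarises cleanly, nothing extra.
    print(summarize(["192.168.0.0/24", "192.168.1.0/24"]))
    # A pair that is not adjacent: the single prefix pulls in six more /24s.
    print(summarize(["192.168.10.0/24", "192.168.15.0/24"]))
```

An empty second element means the summary is exact; anything listed there would need its own deny entries or separate ACL lines.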
-
Cisco WLC Access Point evaluation license
Hello
I would like to know what happens to access points connected to a Cisco WLC if the evaluation license reaches its expiration date and other licenses have not yet been installed. Would all connected access points immediately cease operation?
Kind regards
Mark
Yes, they would stop working.
Note: when you add licenses a reboot is required. Even if the number of supported APs increases, a controller reset is always necessary for these devices to register on the controller under the permanent license. I once added licenses and when I saw the number of APs increase - I experimented with the restart - and when the eval license expired my APs dropped off the controller.
-
Cisco WLC 2504 - Access Points do not reach the controller
Hello world
We bought a Cisco WLC 2504 with two AIR-AP2702I-UXK9 Access Points. The problem is that the APs do not join the WLC.
The output from 'show ap join stats' shows the following:
(Cisco Controller) >show ap join stats summary all
Database Mac       EthernetMac        AP name           IP address     Status
00:35:1a:b1:a9:60  00:f2:8b:f4:1a:9c  AP00f2.8bf4.1a9c  192.168.10.23  Not joined
00:35:1a:c9:99:b0  00:f2:8b:77:b7:fc  AP00f2.8b77.b7fc  192.168.10.24  Not joined
(Cisco Controller) >show ap join stats detailed 00:35:1a:b1:a9:60
Synchronization phase statistics
-For the synchronization request has received... Does not apply
-For the synchronization completed... Does not apply
Discovery phase statistics
-Applications received discovered... 114
-Answers success of discovery... 114
-Discovery failure processing... 0
-Purpose of the last unsuccessful attempt of discovery... Does not apply
-Attempt to finally successful discovery time... 20:15:40.106 16 June
-Discovery attempt ultimately unsuccessful time... Does not apply
Join the live statistics
-Join applications received... 57
-Join sent successful responses... 57
-Processing of the join request without success... 0
-Purpose of the last unsuccessful attempt to join... Does not apply
-Attempt to join finally managed time... 20:15:50.414 16 June
-Join finally failed time... Does not apply
Configuration phase statistics
-Configuration requests... 114
-Answers configuration successful... 0
-Processing configuration failed... 57
-Purpose of the last unsuccessful attempt to Setup... Invalid license in the application configuration
-Attempt to finally successful configuration time... Does not apply
-Time finally failed configuration attempt... 20:15:50.810 16 June
Last the decryption of the AP details failure messages
-Last message decryption failure reason... Does not apply
Details of recent disconnection AP
-Last AP connection failure reason... Does not apply
-Last reason for disconnection AP... Unknown failure reason
Latest summary join error
-Type of error that occurred in the last... Application of configuration rejected LWAPP
-Reason for the error that took place the last... Invalid license in the application configuration
-Time which occurred the last error to join... 20:15:50.810 16 June
Details of sign-out AP
-Last AP connection failure reason... Does not apply
Ethernet Mac: 00:f2:8b:f4:1a:9c Ip address: 192.168.10.23
Would be grateful for the help.
Best regards
Marc
Hi Marc,
Make sure first that your controller has software code 8.0.x or above; if not, upgrade it first. Here's the code recommended by TAC
Then, try the above UX deployment guide to begin. Under the WLAN Advanced tab, you need to enable "of the first universal ap" in order to use this provisioning app and connect to the AP.
If you have more than 1 AP, then you must start 1 AP using this application. You can power up the other access points while the original AP is also powered, so they'll use a protocol called NDP and start automatically.
Let us know how it goes
HTH
Rasika
Pls note all useful responses *.
-
Hi all
Could someone help me? I have a Cisco WLC 5508 with license details as in the photo below, with a status of "in use". My question: can I use another license with inactive status?
The 5508, like the 2504, can only use licenses that have been purchased and installed, or the eval if it has not expired. If you exceed the number of AP licenses, then you need to activate the eval, if not expired. You will not be able to do both. With the newer controllers that have right-to-use licensing, you would be able to.
-Scott
Please evaluate the useful messages *.
-
Cisco WLC 2504 internal DHCP does not work properly
Hi all
I'm running trials with a Cisco WLC 2504 and some 1832 APs. I set up a DHCP scope on the interface of the controller with 2
a large number of different configurations, but DHCP does not work and the access points don't obtain an IP address. My first question: is it possible to do DHCP for access points, or only for wireless clients?
These are my interfaces:
AP-Manager interface:
My DHCP scope:
Advanced DHCP:
Did I forget something? Is anyone using DHCP for their access points?
Thank you!
Hello
On the Cisco WLC internal DHCP, you can add option 43 to tell the APs where they must register. In this case, they will try to resolve the DNS entry CISCO-CAPWAP-CONTROLLER or CISCO-LWAPP.
Let me explain briefly how AP-Manager works on the WLC:
- The access point boots and sends a discovery request to the management interface of the controller, using the IP you configured as DHCP option 43 (as described above, it can be resolved by the DNS entry)
- The controller sends a discovery response that contains the system name, the AP-Manager addresses, the number of access points already connected to each AP-Manager interface and the overall capacity of the controller.
- The access point joins the controller using the least loaded AP-Manager interface.
With this, every AP-Manager must have a properly configured interface and be connected to a different port, no LAG.
I'll drop a post here that might help:
https://supportforums.Cisco.com/document/118311/configuring-multiple-AP-...
Thank you
PS: Please do not forget to rate and score as correct answer if this answered your question
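Added example (not from the thread): the option 43 value handed to lightweight APs is a small TLV, and a wrong length byte is an easy mistake that leaves APs without a usable controller address. The sketch below builds and validates that payload; the sub-option type 0xf1 comes from Cisco's documentation for lightweight APs rather than from the post, and the controller addresses are constructed samples.

```python
import ipaddress

# Sub-option type read by Cisco lightweight APs for controller management IPs
# (from Cisco documentation, not stated in the post above).
WLC_SUBOPTION = 0xF1


def encode_option43(controller_ips):
    """Build the payload: type 0xf1, length 4*n, then n IPv4 addresses."""
    if not controller_ips:
        raise ValueError("at least one controller management IP is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in controller_ips)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([WLC_SUBOPTION, len(value)]) + value


def decode_option43(hex_string):
    """Validate a configured hex string and return the controller IPs in it."""
    raw = bytes.fromhex(hex_string.replace(":", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != WLC_SUBOPTION:
        raise ValueError("payload does not start with sub-option 0xf1")
    length, value = raw[1], raw[2:]
    if length != len(value) or length == 0 or length % 4:
        raise ValueError(
            f"length byte {length} does not match {len(value)} value bytes"
        )
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


if __name__ == "__main__":
    # Constructed sample: two controller management interfaces.
    payload = encode_option43(["192.168.10.5", "192.168.10.20"])
    print(payload.hex())                    # value to enter in the DHCP scope
    print(decode_option43(payload.hex()))   # round-trip check
```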
-
Migration of Cisco WLC 5508 to 5520
Hi all
I need to migrate a Cisco 5508 to a 5520 WLC. This Cisco 5508 WLC is in production. Is it possible that I can import this 5508 configuration file and export it again to the 5520?
Please provide the steps to follow while making the migration.
(1) How to transfer an AP from Cisco WLC-2 to WLC-1, since both have the same IOS versions? Any Cisco URL available?
WLC-2, enter the command "config primary ap
(2) We tried to transfer 2 LAP 1130 access points from WLC-2 to WLC-1 2 days back, but they are still not reflected in WLC-1. Any steps to solve the problem?
Remote or console into the AP. Post the complete output of the 'sh' command entered when trying to move the access point from one controller to another.
-
My installation has a Cisco WLC 5508 and an ACS 1120 ver 5.0. How do I authenticate users who access the WLC via ACS 1120 TACACS+ users? I am able to authenticate users for Cisco routers and switches, but when I try the same for the WLC, it fails.
Can someone please explain the basic config steps that must be configured on both the ACS and the WLC?
Are you using plain vanilla 5.0 or have you installed patches?
ACS 5.1 has new TACACS+ related functionality, including support for custom services and attributes. If they are needed for the WLC support you need, it would improve things.
It could also be a relevant corrective patch for 5.0, but I can't find any specific relevant CDETS at this stage
-
Hello
I followed the guide on http://www.cisco.com/en/US/docs/wireless/technology/bonjour/7.5/Bonjour_Gateway_Phase-2_WLC_software_release_7.5.html on enabling Bonjour on Cisco WLC 7.5 with Apple TV; however, I have a weird problem. I have some clients unable to see the Apple TV connected to a different wireless access point, while some can see the connected Apple TVs. I have attached my setup for reference. I would like to inquire about the use of LSS, and whether perhaps someone has encountered similar problems? The Apple TV is discovered by the WLC in the mDNS domain names.
According to the document, multicast has not been activated; however, the discovery of the Apple TVs is intermittent for Apple clients. Client A can discover Apple TV 1 and 3 but not Apple TV 2, and sometimes it can discover all 3 Apple TVs, while client B is able to see all 3 Apple TV devices. All 3 Apple TV devices are discovered by the WLC and only the Apple TV service has been activated on the WLC. I was wondering if anyone has seen a similar issue? Not too sure what can be the cause of it.
Any suggestion is appreciated.
Some of the docs don't say it, but it is required; all my installations requiring Bonjour have multicast set up.
Thank you
Scott
Help others using the system of rating and marking answers questions like "answered."
-
Several subnets in the site to Site VPN
Hi guys,
I would like to set up a site-to-site VPN tunnel with several subnets. I could not find a configuration that matches my problem. I hope you can help me with the solution.
You can find my network design attached to this topic.
This is my setup on the ASA:
(1) NAT exemption for network traffic going to the site-to-site VPN
nat (MGMTLAN,INT-STSVPN) source static 192.168.10.0 192.168.10.0 destination static 192.168.31.0 192.168.31.0
nat (inside,INT-STSVPN) source static 192.168.15.0 192.168.15.0 destination static 192.168.38.0 192.168.38.0
(2) The access list with the traffic to encrypt
object-group network 192.168.10.0
 network-object 192.168.10.0 255.255.255.0
object-group network 192.168.15.0
 network-object 192.168.15.0 255.255.255.0
object-group network 192.168.38.0
 network-object 192.168.38.0 255.255.255.0
object-group network 192.168.31.0
 network-object 192.168.31.0 255.255.255.0
object-group network STSVPN-LOCAL
 group-object 192.168.10.0
 group-object 192.168.15.0
object-group network STSVPN-US
 group-object 192.168.38.0
 group-object 192.168.31.0
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
(3) Phase 1 proposal
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
(4) Phase 2 proposal
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
 protocol esp encryption aes-256
 protocol esp integrity sha-256
(5) Tunnel group
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 general-attributes
 default-group-policy GrpPolicy-STSVPN-US
tunnel-group 14.4.4.4 ipsec-attributes
 ikev2 remote-authentication pre-shared-key abcd
 ikev2 local-authentication pre-shared-key abcd
GroupPolicy
group-policy GrpPolicy-STSVPN-US internal
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value STSVPN-US
 vpn-tunnel-protocol ikev2
(5) Crypto map
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
crypto map CM-STSVPN 10 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA
crypto map CM-STSVPN interface INT-STSVPN
crypto ikev2 enable INT-STSVPN
/////////////////////////////////////////////////////////////////////
The router configuration:
(1) SA part
crypto ikev2 proposal ki2.PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy ki2.POL
 proposal ki2.PROP
crypto ikev2 keyring KR1
 peer ASALAB
  address 2.2.2.2
  pre-shared-key local abcd
  pre-shared-key remote abcd
crypto ikev2 profile ki2.TEACHER
 match identity remote address 2.2.2.2 255.255.255.255
 identity local address 4.4.4.4
 authentication remote pre-share
 authentication local pre-share
 keyring local KR1
(2) Transform set
crypto ipsec transform-set TS.VPN2 esp-aes 256 esp-sha256-hmac
 mode tunnel
(3) Access list
ip access-list extended ACL.VPNIKE2
 permit ip 192.168.31.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.38.0 0.0.0.255 192.168.15.0 0.0.0.255
(5) Crypto map
crypto map CM.VPN 30 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set TS.VPN2
 set pfs group14
 set ikev2-profile ki2.TEACHER
 match address ACL.VPNIKE2
//////////////////////////////////////////////////////////////////////
This configuration is correct to allow both subnets on each side of the VPN tunnel to communicate with each other.
192.168.31.0 subnet cannot communicate with 192.168.10.0
192.168.38.0 subnet cannot communicate with 192.168.15.0
Hello Jay,
I went through the configuration of the two devices and noticed a few errors in the ASA configuration. Details here:
(1) The access list configured for VPN traffic is named ACL_STSVPN-US; however, the match address configured on the crypto map uses an object-group name instead:
crypto map CM-STSVPN 10 match address STSVPN-US
You must change this setting to avoid any problems with the traffic negotiation:
no crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 match address ACL_STSVPN-US
(2) You also have the same error on the configured VPN filter. However, you could not use the access list ACL_STSVPN-US for the VPN filter, since the ASA will filter incoming packets only. In this case the appropriate ACL will be configured from the remote networks (ROUTER) to the local networks (ASA). It will look something like this:
access-list VPN_filter extended permit ip object-group STSVPN-US object-group STSVPN-LOCAL
access-list VPN_filter extended permit ip object-group STSVPN-US object-group STSVPN-LOCAL
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value VPN_filter
Keep in mind that the VPN filter provides the rules that determine whether to allow or deny tunneled data packets coming through the security appliance, based on criteria such as source address, destination address, and protocol. If you want to use the IP protocol, the filter will not make a difference.
(3) PFS group 14 is configured on the router crypto map, but not on the ASA. You need to either add it to the ASA crypto map or remove it from the router.
ASA:
crypto map CM-STSVPN 10 set pfs group14
Router:
crypto map CM.VPN 30 ipsec-isakmp
 no set pfs group14
Hope this helps you bring up the tunnel,
Luis.
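Added example (not code from the thread): the three findings in the reply above can be checked mechanically before a tunnel is brought up. This Python sketch lints constructed ASA and router excerpts, written in standard ASA/IOS syntax and modelled on the names used in this thread, for crypto map and vpn-filter references that do not name an access-list and for a PFS mismatch between the peers.

```python
import re

# Constructed excerpts modelled on the thread's configuration (not full configs).
ASA_CONFIG = """\
object-group network STSVPN-LOCAL
 group-object 192.168.10.0
object-group network STSVPN-US
 group-object 192.168.38.0
access-list ACL_STSVPN-US extended permit ip object-group STSVPN-LOCAL object-group STSVPN-US
group-policy GrpPolicy-STSVPN-US attributes
 vpn-filter value STSVPN-US
crypto map CM-STSVPN 10 match address STSVPN-US
crypto map CM-STSVPN 10 set peer 4.4.4.4
"""
ROUTER_CONFIG = """\
crypto map CM.VPN 30 ipsec-isakmp
 set peer 2.2.2.2
 set pfs group14
 match address ACL.VPNIKE2
"""


def names(cfg, pattern):
    """All names captured by pattern, one match per config line."""
    return set(re.findall(pattern, cfg, re.M))


def acl_references(cfg):
    """(where, name) for every place the ASA config expects an access-list."""
    refs = [(f"crypto map {m} {seq}", name) for m, seq, name in
            re.findall(r"^crypto map (\S+) (\d+) match address (\S+)", cfg, re.M)]
    refs += [("vpn-filter", name) for name in
             re.findall(r"^\s*vpn-filter value (\S+)", cfg, re.M)]
    return refs


def pfs_group(cfg):
    """PFS group on the crypto map, or None when PFS is not configured."""
    m = re.search(r"^\s*(?:crypto map \S+ \d+ )?set pfs (\S+)", cfg, re.M)
    return m.group(1) if m else None


def lint(asa_cfg, router_cfg):
    """Return a list of human-readable findings; empty means all checks pass."""
    findings = []
    acls = names(asa_cfg, r"^access-list (\S+) ")
    groups = names(asa_cfg, r"^object-group network (\S+)")
    for where, name in acl_references(asa_cfg):
        if name not in acls:
            kind = "an object-group" if name in groups else "undefined"
            findings.append(f"{where}: '{name}' is {kind}, not an access-list")
    asa_pfs, rtr_pfs = pfs_group(asa_cfg), pfs_group(router_cfg)
    if asa_pfs != rtr_pfs:
        findings.append(f"PFS mismatch: ASA={asa_pfs} router={rtr_pfs}")
    return findings


if __name__ == "__main__":
    for finding in lint(ASA_CONFIG, ROUTER_CONFIG):
        print(finding)
```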
-
Several subnets per VLAN and port binding
Hello
I need some clarification.
Our iSCSI SAN storage (Dell MD3660i) requires a separate subnet per port.
We require multipathing and load balancing in VMware.
To achieve this in ESXi 5.1 we need port binding... BUT port binding is supported only if the vmks are all in the SAME broadcast domain, according to these two KBs
VMware KB: Considerations for using software iSCSI port binding in ESX/ESXi
OK... so presumably I simply put all my iSCSI storage subnets in one VLAN and everything will be OK (one VLAN is after all a broadcast domain; both are L2 things)... This would meet the KBs' requirements... if VMware means "broadcast domain" in the true sense of the term.
So my question is: can you configure port binding in this way? Is it supported by VMware?
VMware has come back to me (in fact the author of one of the KBs I've referenced)
He confirmed that the terminology used in the KB is misleading: by "broadcast domain" it actually means "subnet", so layer 3, not layer 2.
This means that you can NOT have multiple subnets in a broadcast domain (VLAN) AND use the SW iSCSI port binding.
BUT
He told me (he is very familiar with the Dell MD3660i iSCSI kit) that you don't have to have port binding to achieve multipathing and load balancing. If you have a requirement for several subnets from your iSCSI SAN provider, then just create multiple vmks on different subnets, and DO NOT do the port binding. The fact that they are on different subnets will be enough to achieve the multiple paths
He is updating the KB to make this much clearer.
I hope this helps someone