Is STP mandatory on the WLC?

Hello

We use several WLC 440x controllers, each connected with two links to two different basic switches that are interconnected; one of the basic switches is the STP root for all the VLANs.

Is there a need for the WLCs to have STP enabled on their ports? AFAIK they don't bridge between their ports, so in my opinion it is not mandatory.

Thank you very much

Thorsten

Take a look at this link... I never activated STP on any of my WLC installs.

http://www-Europe.Cisco.com/en/us/Tech/tk722/tk809/technologies_tech_note09186a0080810880.shtml#Topic2

Tags: Cisco Wireless

Similar Questions

  • Reference Dell Powerconnect 5324/5424 STP Configuration Question...

    Hey guys,

    I have a basic-to-intermediate understanding of networking. I was recently tasked with researching what seems at first sight to be an STP issue on our corporate network. Without going into too much detail, I think I found the cause of the problem. Within our network, we have our core switching infrastructure and then a second pair of switches, a second, much smaller network that "needs" to be completely isolated from the core network and the core STP.

    However, I recently discovered that this second network / set of switches is not as isolated as we thought. The second, supposedly isolated network was installed by a third-party company. Their statement was that the network should be completely independent of our core network and that the only link between the two should be an access/management connection so that we can telnet to these switches from the core network if necessary. However, I recently discovered that the switches on the isolated network are part of our STP! Not only that, but one of these switches is acting as root (as it has the lowest MAC address). I think it is through the management/access ports that BPDUs must be getting sent and received. Is there a way I can stop BPDUs being sent and received over these management/access connections between the two networks, thereby isolating the secondary network and creating two instances of STP, one for the main network and the other for the secondary? We still need the ability to telnet to these switches from the core network; I just need to block/filter STP on the management/access ports.

    Thank you in advance to anyone who takes the time to read and respond to this.

    With spanning tree protocol disabled on the port, it should not send BPDU frames.

  • Cisco WLC license evaluation of Access Point

    Hello

    I would like to know what happens to access points connected to a Cisco WLC if the evaluation license reaches its expiration date and other licenses have not yet been installed. Would all connected access points cease operation immediately?

    Kind regards

    Mark

    Yes, they would stop working.

    Note: when you add licenses, a reboot is required. Even if the number of supported APs increases, a controller reset is still necessary for these devices to register on the controller under the permanent license. I once added licenses and when I saw the number of APs increase, I experimented with the restart, and when the evaluation license expired my APs dropped off the controller.

  • Wireless converged access (new) Mobility between WLC 5508

    Hello

    I have 3 WLC 5508s which have been upgraded to version 8.x and I can see this feature. When searching on the web I find that this new feature is necessary when we have the new WLC models 5760 or 3850 in the network and they must communicate with the 5508.

    So my question is: in my current scenario, I only have 5508s.

    1. Can I activate this function and use it between 5508s? If yes, in the configuration, do I just create mobility groups as in the old configuration and it should work, or is additional configuration required?

    Also, FlexConnect is currently enabled in my network; will enabling this affect my FlexConnect?

    Please advise.

    Kind regards

    Anjaz

    If you want to, you can migrate to the new mobility without any problem, but it must be enabled on all of your WLCs at the same time. This will have no impact on your FlexConnect communication or configuration; it influences only the way in which the tunnels between the WLCs are built. No changes are necessary in that configuration either.

    Please rate helpful messages... :-)

  • WLC Collection failed - Config - no APs running no.

    Hello

    I was not able to collect successfully from our wireless LAN controllers. SNMP and SSH work correctly and a very limited set of data is collected, but it does not provide the AP inventory, which is needed in order to get these WAPs into the NMP portal. I tried everything at my disposal, but it still does not collect the WLC AP inventory. The WLC shows as "Managed" and collection is successful, minus the AP inventory. Please help, and if possible provide the dataset that will collect this inventory so I can create a special Collection profile for our WLCs. Thank you.

    Perfect. Thank you. This sysobjectid should be part of the WLC platform (Settings > Manage Platform Definitions). This platform will be referenced in the dataset (Settings > Manage Data Sets) called AIRESPACE-WIRELESS-MIB_bsnAP. If you look inside the dataset, you will see the WLC platform there.

    Was the Collection profile executed?

    Where do you not see the APs? On the NMP portal or in the collection results on the CSPC? (Reports > Collection Profile Run Summary, choose the Collection profile and the date, and select Action > View Data.) You can find the device in question, click it, search for the dataset listed above and then see the raw data. If you see the LWAPs there, then this isn't a collection issue and we need to check whether it is a back-end processing problem.

  • WLCs manage LWAPPs to use chs overlapping?

    I'm a beginner with wireless and, even more so, with the WLC. (I use a WLC module in an ISR 2851.) I have a few general questions about the WLCM:

    (1) I will deploy five LAPs off the WLCM on one floor of a building. Is it true that I don't have to worry about overlapping channels, as the WLCM detects contention and changes the channel? Don't I have to configure anything in particular about channels on the RF side?

    (2) I will also be using 7920s in my deployment and want to ensure call quality when a user walks/wanders between the LAPs. I'll use static WEP, and the 7920s are on the same VLAN. Since all APs are associated with the same WLCM, is it true that I will not need additional configuration in order to ensure smooth roaming?

    Thank you!

    Greetings,

    It is what it is supposed to do. In my experience and that of other institutions, this is not necessarily the case.

    Regarding the allocation of channels, this device did a mediocre job, even though I have many more than 5 APs, so your mileage may vary. Be on the lookout for co-channel assignments in the same location where they need not be.

    Power settings also are not managed properly. Almost every AP in my installations is at power level 2 (17dBm or 50mW), and that is only because I do not allow maximum power as an option. There is a wonderful document you must download if you want to be anywhere near LWAPP - http://www.cisco.com/warp/public/114/rrm.pdf

    Read especially the transmit power algorithm and the coverage hole algorithm. I took it that the third AP of any AP has a default threshold of -65, which means that if this criterion is satisfied the power will not come down. My surveys are at 11 Mbit/s at -65dBm, which would mean my third AP from my first AP's location will be at the edge of the first AP's cell. If you draw three circles on paper, your first circle is where you want, the radius of the third circle must pass through the edge of the first circle... so now you have to fit the second circle somewhere in there. This scenario is called 50% overlap, where two APs each overlap another AP by 50% (100% in total). In the case of an AP failure, the two others can pick up the slack. Well, if I design my networks as such, what the hell do I need LWAPP for? I opened a TAC case and, in vain, I got nowhere at all.

    My solution is to redesign the existing infrastructure in order to have 20-30% overlap and 11 Mbps cell boundaries at -65dBm. The only way I'll be able to maintain the power and channel assignments is to remove the auto RF channel and power capabilities. I'll hardcode that in. Perhaps, once I get the design up and functional, I'll experiment with sections of the installation and let auto RF have a chance in a properly designed environment and see what happens. Unfortunately, I'm in a high-profile health care production environment, and I'm not comfortable, especially given the results that I've seen so far.

    I hope that your determination that you need 5 APs was based on a valid survey, preferably using the 7920 as the survey tool.

    If you have determined your coverage, throughput requirements, and plans for future growth, and read about what rate you can get each access point in the scenarios of data and voice and has determined that some areas may or may not be more densely populated with users using voice or data or both - then you should be ok.

    Please think of voice being on the same vlan as data, which should be separate even more data wired people.

    If you have many users then go ahead. If you think that the user density could bite you in the pants, he will and he won't let go.

    If I have not scared the crap out of you yet, I hope to have given you some things to think about and tools to use so that you are not in the situation that I am currently.

    However, being the payer cleaner remarkably well. I'm kind of the wireless "Mr. Wolf" in the film of our network.

    Well - being

  • Privilege in WLC management needs Prime 2.2

    Hello,

    After installing Cisco Prime 2.2 and adding several WLCs, my client wants only read-only management from Prime. So when I added the WLCs I provided SNMP v3 RO and no username/password/enable for telnet/SSH.

    The problem is that my customer wants to manage guest users from Prime, so of course some kind of write privilege is necessary. Would changing SNMP from RO to RW be enough? Or maybe I need to add a username/password/enable for SSH/telnet to manage them? Or maybe I'll need both SNMP RW and telnet/SSH?

    Thank you very much!

    David

    Hi David,

    Most likely you would need RW and ssh\telnet as well, but it depends on what type of operations your guest user will have access to.

    Thank you-

    Alya

    Ratings encourage contributors *.

  • Connecting WLC to 6509 Core... Connectivity issues

    Hello

    I have four ports of a WLC 4404 connected to a 6509 through fiber optic cables. However, I'm not able to ping the WLC or see it.

    I have a few questions about this... First of all, if I want to LAG, it is necessary that all ports are active and connected, correct?

    Secondly, in the switch configuration, to my knowledge, all the ports should be trunk ports; however, the customer has configured them as 'switchport trunk encapsulation isl' instead of 'switchport trunk encapsulation dot1q'... does it matter? I've never used the isl command, so I really wonder if this is supported on the WLC?

    Any help would be greatly appreciated!

    Thank you!

    The controllers do not do ISL. You will need to change the encapsulation to dot1q. Also, in order to support LAG, the switchports will need to be set up in an EtherChannel.

  • WLC Campus Design - 10 controllers etc.

    Hi guys,

    If I have the following scenarios,

    2 sites and each site will be broken up by 100km (just an example to show that wireless reached between them) and have 100 APs in each site.

    Please see the attached diagram.

    Should both sites have two controllers on site, or be centralized in a DC (if there is a preferred method)?

    Anyway,

    The two controllers for site 1 (1 in each DC for example) should be in the same mobility group.

    The site 2 controllers should be in a different mobility group?

    Also, if this design grew by a factor of 5 and we now had 20+ controllers, should each controller be on a separate VLAN in the DCs, or could I create a wireless controller VLAN that all the controllers connect to?

    Please note that, on the previous point, the DCs have NO layer 2 VLANs between them, so each set of controllers (per site, one in each ms) is subject to layer 3 roaming, but the basic principle we will use is that each site will have a PDC and a BDC and all items should be on the same controller.

    Also, for most small wireless deployments, is it better to have a set of controllers of nmanager small sites, say for 5 to 10 APs per site? BUT then you can't have a mobility group for the controller, so would this cause a problem? Oh, now I'm confused?

    Can anyone comment on the above designs?

    Thx a lot.

    Ken

    H-REAP works well in the 4.2 code. I have about 30 sites with up to 5 1252s operating in H-REAP mode back to a single DC. The DC has 2 4404-100s and I split the sites between them, primary on one and secondary on the other.

    As for redundancy, you should look at how you manage the clients' IP addressing. N + N is the most popular because you always have 100% redundancy. It can be either on site or in the DC.

    Now you can also do N + 1, one at the local site and the other in the DC. Now you have to look at what IP address users will get when they are on the primary WLC and when the primary fails and the APs go to the backup WLC. Now you have clients getting an IP address at the central site (DC) and their traffic going there. So now you have to watch the traffic flow and how you configure your ACLs, if necessary.

    N + N + 1 can work for you if you have a WiSM in the two DCs. Then for site 1:

    Primary DC1WISM1-WLC1

    Secondary DC2WISM1-WLC1

    Tertiary DC1WISM1-WLC2

    Or you can have a 4404-100 at each site as primary and a 4404-100 in each DC as secondary and tertiary. You will need one at each site and two in each DC just for two remote sites. Now, please understand what is needed for smaller remote sites.

    It boils down to cost and whether it is better to keep the WLC on site, since if the WAN goes down, resources in the DC are not available. Also, if you place the primary and secondary or tertiary in different IP subnets, how will you manage the IP addressing clients will get from the WLC?

    Also... stick with 4.2 if you need to deploy H-REAP. Do not go with 5.0 or 5.1 yet. 5.0 is the worst and 5.1 is too new and could focus on the issues raised in 5.0 and could introduce more.

  • WLC use Management Interface & more get started Questions

    Hello

    I am yet to implement wireless LAN at one of our customers' sites. There are 40 x 1130AG LWAPP APs and a WLC 4404 with ACS 4.x for authentication of wireless clients attempting to access the LAN.

    To connect the WLC to the dual core switches, I need to use only a Management Interface, with port 1 as the primary and distribution system port 2 as the backup port for the Management Interface. Is this correct? Or can I configure dynamic interfaces as well? Is the management interface for management access and configuration only? The management interface will communicate with ACS for AAA and with APs that wish to associate with the WLC; is this true?

    Note: WLC, AP, wireless clients & AP are in the same IP subnet.

    Some other WLAN questions, to help me during the implementation.

    • Can I use the 802.1X authentication application in Windows XP for the wireless interface, instead of the client application from Cisco? For this purpose I have to configure the WLC / wireless client to use an EAP algorithm; is that correct?

    • With the help of RRM, interference between multiple APs (3-4 APs) in the same area is controlled by the WLC by changing the channels used by the APs, not on the APs themselves; is that right?

    • How many client users can connect per channel? 802.11a/g will provide 11 channels; is that right?

    • I intend to set the WLC to limit client connections per AP to 25; can this be achieved?

    Please, can someone help me by clarifying the points above.

    Kind regards

    Keshava Raju

    Unless this has changed recently, you can't. The ports must then be broken into individual groups. You can only run the controller in Layer 3 mode, as Cisco is stopping Layer 2 support. The AP-manager is necessary in all cases in LWAPP Layer 3 transport mode. Do a search on Cisco.com for the configuration guide for the version of the code you are running. This will give you step-by-step installation instructions.

  • ISE with WLC AND switches

    Hello

    We run 3x WLC controllers with 800 APs using ISE 1.2 for wireless 802.1X authentication. I was looking at the ISE config and noticed that of 400 edge switches only 2x 2960s are configured with 802.1X (ISE RADIUS config) and SNMP, and only 2 of the port is 2 ap tie with switch remaining ports, and the 3x WLCs in network devices.

    I do not understand how an access point does this work (802.1X), because they are located at different sites and people are connecting from various different locations. ISE runs almost 11,876 profiled endpoints.

    version 12.2
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$fokm$lesIWAaceFFs.SpNdJi7t.
    !
    username test-RADIUS password 7 07233544471A1C5445415F
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    !
    !
    !
    !
    aaa server radius dynamic-author
     client 10.178.5.152 server-key 7 151E1F040D392E
     client 10.178.5.153 server-key 7 060A1B29455D0C
    !
    aaa session-id common
    switch 1 provision ws-c2960s-48fps-l
    authentication critical recovery delay 1000
    !
    !
    ip dhcp snooping vlan 29,320,401
    no ip dhcp snooping information option
    ip dhcp snooping
    no ip domain-lookup
    ip device tracking
    !
    epm logging
    !
    crypto pki trustpoint TP-self-signed-364377856
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-364377856
     revocation-check none
     rsakeypair TP-self-signed-364377856
    !
    !
    crypto pki certificate chain TP-self-signed-364377856
     certificate self-signed 01
      quit
    dot1x system-auth-control
    dot1x critical eapol
    !
    spanning-tree mode pvst
    spanning-tree extend system-id
    no spanning-tree vlan 294-312,314-319,321-335,337-345,400,480,484-493,499,950
    !
    !
    !
    errdisable recovery cause udld
    errdisable recovery cause bpduguard
    errdisable recovery cause security-violation
    errdisable recovery cause channel-misconfig (STP)
    errdisable recovery cause pagp-flap
    errdisable recovery cause dtp-flap
    errdisable recovery cause link-flap
    errdisable recovery cause sfp-config-mismatch
    errdisable recovery cause gbic-invalid
    errdisable recovery cause psecure-violation
    errdisable recovery cause port-mode-failure
    errdisable recovery cause dhcp-rate-limit
    errdisable recovery cause pppoe-ia-rate-limit
    errdisable recovery cause mac-limit
    errdisable recovery cause vmps
    errdisable recovery cause storm-control
    errdisable recovery cause inline-power
    errdisable recovery cause arp-inspection
    errdisable recovery cause loopback
    errdisable recovery cause small-frame
    errdisable recovery cause psp
    !
    vlan internal allocation policy ascending
    !
    !
    interface GigabitEthernet1/0/10
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/16
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/24
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/33
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/34
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/44
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/46
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/48
     switchport access vlan 320
     switchport mode access
     ip access-group ACL-LEAVE in
     authentication event fail action next-method
     authentication event server dead action authorize
     authentication event server alive action reinitialize
     authentication host-mode multi-domain
     authentication open
     authentication order dot1x mab
     authentication priority dot1x mab
     authentication port-control auto
     authentication periodic
     authentication violation replace
     mab
     dot1x pae authenticator
     dot1x timeout tx-period 10
     spanning-tree portfast
     spanning-tree bpduguard enable
    !
    interface GigabitEthernet1/0/49
     description link GH
     switchport trunk allowed vlan 1,2,320,350,351,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !
    interface GigabitEthernet1/0/52
     description link CORE1
     switchport trunk allowed vlan 1,2,29,277,278,314,320,401
     switchport mode trunk
     mls qos trust dscp
     ip dhcp snooping trust
    !
    !
    interface Vlan320
     ip address 10.178.61.5 255.255.255.128
     no ip route-cache cef
     no ip route-cache
    !
    ip default-gateway 10.178.61.1
    ip http server
    ip http secure-server
    ip http secure-active-session-modules none
    ip http active-session-modules none
    !
    !
    ip access-list extended ACL-AGENT-REDIRECT
     deny udp any any eq domain bootps
     permit tcp any any eq www
     permit tcp any any eq 443
    ip access-list extended ACL-ALLOW
     permit ip any any
    ip access-list extended ACL-DEFAULT
     permit udp any eq bootpc any eq bootps
     permit udp any any eq domain
     permit icmp any any
     permit tcp any host 10.178.5.152 eq 8443
     permit tcp any host 10.178.5.152 eq 8905
     permit udp any host 10.178.5.152 eq 8905
     permit tcp any host 10.178.5.152 eq 8906
     permit udp any host 10.178.5.152 eq 8906
     permit tcp any host 10.178.5.152 eq 8909
     permit udp any host 10.178.5.152 eq 8909
     permit tcp any host 10.178.5.153 eq 8443
     permit tcp any host 10.178.5.153 eq 8905
     permit udp any host 10.178.5.153 eq 8905
     permit tcp any host 10.178.5.153 eq 8906
     permit udp any host 10.178.5.153 eq 8906
     permit tcp any host 10.178.5.153 eq 8909
     permit udp any host 10.178.5.153 eq 8909
     deny ip any any
    ip access-list extended ACL-WEBAUTH-REDIRECT
     deny ip any host 10.178.5.152
     deny ip any host 10.178.5.153
     permit tcp any any eq www
     permit tcp any any eq 443
    !
    ip radius source-interface Vlan320
    logging esm config
    logging trap alerts
    logging origin-id ip
    logging source-interface Vlan320
    logging 192.168.6.31
    logging host 10.178.5.150 transport udp port 20514
    logging host 10.178.5.151 transport udp port 20514
    access-list 10 permit 10.178.5.117
    access-list 10 permit 10.178.61.100
    snmp-server engineID local 800000090300000A8AF5F181
    snmp-server community W143L355 RO
    snmp-server community w143l355 RW
    snmp-server community lthpublic RO
    snmp-server community lthise RO
    snmp-server trap-source Vlan320
    snmp-server source-interface informs Vlan320
    snmp-server enable traps snmp authentication linkdown linkup coldstart
    snmp-server enable traps cluster
    snmp-server enable traps config
    snmp-server enable traps entity
    snmp-server enable traps ipsla
    snmp-server enable traps syslog
    snmp-server enable traps vtp
    snmp-server enable traps mac-notification change move threshold
    snmp-server enable traps vlan-membership
    snmp-server host 10.178.5.152 version 2c lthise mac-notification
    snmp-server host 10.178.5.153 version 2c lthise mac-notification
    !
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 10.178.5.152 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 03084F030F1C24
    radius-server host 10.178.5.153 auth-port 1812 acct-port 1813 test username test-RADIUS key 7 141B060305172F
    radius-server vsa send accounting
    radius-server vsa send authentication

    Any help would be really appreciated.

    I'm not sure that I completely understand the question, but if ISE is only doing wireless policy, then none of the wired switches need any ISE configuration.

    Access points tunnel all wireless traffic to the WLC over CAPWAP (unless you use FlexConnect). It is the 802.1X configuration on the WLC that implements the policies defined in ISE.

    Wired switches never need to act as a network access device (NAD) and so do not need to be defined in ISE unless or until you want to apply ISE policies to wired devices...

  • Cisco ISE 2.0 and WLC 5508 with 7.6.130.0

    I have looked on the release notes and compatibility n for ISE 2.0 and have not seen the answer to that. For the WLC 5508, the minimum AirOS is 7.0.116.0 but he limited the AAA authentication and support for comments. The recommended version of AirOS is 8.0.121.0.

    http://www.Cisco.com/c/en/us/TD/docs/security/ISE/2-0/compatibility/ISE _...

    What about AirOS 7.6.130.0? I know that this AirOS release works with 1.3 and 1.4, even though they show the same support as for version 2.0. I'm just afraid that something may have changed with 2.0. I am concerned only about AAA authentication and guest access. No BYOD, posture or MDM is necessary.

    No change. Works well.

  • WCS: Is the tertiary controller name mandatory?

    Hello

    I have upgraded my WCS to 4.2. After that, whenever I want to configure an access point I get an error message "name of the controller of tertiary: this attribute is MANDATORY. Please specify".

    How can I disable this? Thank you

    Hi Tobias,

    It seems that this Bug has been postponed;

    CSCsi24972 Bug Details

    Tertiary controller - is not required

    Symptom: WCS 4.1.83.0 with 3 or more linked WLCs. Try to change the configuration of an access point, and if you do not have a tertiary defined you get an error saying that it is mandatory.

    Conditions: WCS 4.1.83.

    Status: Fixed

    Severity: 4 - minor

    Last modified: In the last 2 weeks

    Product: Cisco Wireless Control System

    Technology:

    1st Found-In: 4.1(83.0)

    Fixed-In: 4.2(26.0)

    Related bug information: WCS 4.1.83.0 tertiary controller required for AP

    Symptom: WCS 4.1.83.0 with 3 or more linked WLCs. Try to change the configuration of an access point, and if you do not have a tertiary defined you get an error saying that it is mandatory.

    Conditions: WCS 4.1.83.0 with 3 or more linked WLCs.

    Workaround: define the secondary or primary as the tertiary.

    I hope this helps!

    Rob

  • Problem with WLC and a 3rd-party NMS: SNMP AP association/disassociation trap

    Hello

    I'm troubleshooting why our NMS is not able to automatically clear a trap-generated alarm for an AP that was disassociated and has associated again.

    When debugging SNMP trap generation on the WLC, I discovered that when the AP disassociates, the WLC sends the bsnAPDisassociated trap, which is perfectly defined and which I can also find in the SNMP Object Navigator. However, when the AP reassociates, the WLC sends the ciscoLwappApAssociated trap.

    The 3rd-party NMS is not able to understand it, but our WCS system does, which is why I then took a peek at the installed MIB file.

    I discovered that ciscoLwappApAssociated is a leaf of ciscoLwappApMIBNotifs (1.3.6.1.4.1.9.9.513.0.4), which I can find neither in the Cisco SNMP Object Navigator nor in the downloadable MIB.

    As the MIB in the WCS is an XML file, I don't know how to get the information into the 3rd-party NMS.

    Does anyone have any idea how to solve this problem, or is there an updated CISCO-LWAPP-AP-MIB available somewhere?

    Our WLCs are running the latest version of the software (7.0.116.0) as well as our WCS (7.0.172.0)

    Thanks in advance!

    Kind regards

    Patrick

    Such discrepancies sometimes occur. It is best to open a TAC case in order to tackle the problem through a bug or have a new MIB published on cisco.com if necessary.

  • Anchor WLC in DMZ, FW does not support multiple static routes

    Hi gang,

    Not looking for someone to hold my hand, but I could use some advice.

    We are working through our deployment of a guest WLC. Our anchor WLC is in our DMZ.

    Management and the AP Manager are on the same subnet. The dynamic interface "VLAN" is on a different subnet from the other interfaces, and its gateway is the DMZ firewall interface.

    The problem: the firewall does not support multiple static routes.

    Do the management and dynamic interfaces always have to be on different subnets?

    Does anyone have experience with this type of configuration?

    I understand the value of time, so I honestly appreciate all the help I get.

    Best regards

    Larry feet

    Just to clarify, we're talking about wireless guest access, right? Not wired guest?

    Wired allows you to create a custom in a vlan port specific necessary (but not when you configure this on the anchor controller)

    In any case... just make sure that the WLAN you want to anchor is configured the same as on the DMZ controller. Make sure you anchor this controller to the DMZ and make sure you anchor the DMZ WLAN to itself.
