LWAPP traffic flow through the WLC
Hello
I need to know about traffic flow in the WLC.
I know that all traffic must pass through the WLC, but I need to know if I can change that.
Example:
I have an LWAPP AP, but I want traffic to pass through this unit and then over the cable without passing through the WLC.
Can I do it?
I also need to know about the options when I am setting up an AP in the WLC as local, bridge, H-REAP, monitor and others.
Thank you.
Hello
Here is the link that tells you more about LWAPP traffic flow...
http://www.Cisco.com/en/us/Tech/tk722/tk809/technologies_white_paper09186a0080901caa.shtml
And here is the link which explains the modes of operation of the AP...
http://www.Cisco.com/en/us/docs/wireless/controller/7.0/Configuration/Guide/c70lwap.html
Let me know if this answered your question and please remember to rate the useful posts!
Regards
Surendra
Tags: Cisco Wireless
Similar Questions
-
Traffic load between Cisco ASA FirePOWER and FireSIGHT Management Center
Hi all
I have a stupid question to ask.
Can I know what the traffic load and the I/O flow are between Cisco ASA FirePOWER and FireSIGHT Management Center?
Currently working on a project; the client requires this information to adapt it to their network. Tried to find it in the Cisco documentation, but no luck.
Maybe you all have some idea to provide.
It varies depending on the number of events reported from the module to the CSP. No events = only health checks and policy changes are exchanged. 10,000 events per second = much more traffic.
Generally it is not a heavy load, however.
-
Hello
I missed something in the Cisco WLC 2100 series documentation. The data sheet mentions that the WLC 2100 "provides eight 10/100 Ethernet ports to support a combination of access points and redundant LAN uplinks", while the configuration guide notes that the WLC 2100 does not support LAG (link aggregation). So how can the WLC 2100 use a redundant network connection without link aggregation?
Thank you in advance.
You can use one port for the management and ap-manager interfaces and another for the specific VLAN used for the SSID of your WLAN, with the access points connected to your WLC. This way you can say that port 1 is your management and ap-manager, port 2 is for your internal SSID VLAN x, port 3 is for your voice SSID VLAN x, port 4 is for guest traffic, and ports 5 & 6 are used to connect the two access points.
-
Upgrade questions for the WLC code
We have WCS 6.0.132 (latest) and our controllers are on 4.2.130; we now need to upgrade to deal with some issues, but don't want to go to CAPWAP yet.
Question 1: what is the last LWAPP release?
Question 2: what are the differences with 4.2.207 (the Cisco support page says it's the latest version) when it has the same release dates as, e.g., 6.0? It is very confusing to work out a way to upgrade to higher versions.
Cheers
Hi Tyrone,
I'm not an expert on version management, but here are some basic details in response to your request.
4.2.207 is the last version on the 4.2 train and is without doubt an excellent choice if you are avoiding CAPWAP for now. You will see in the link below that there are several "concurrent" trains for the WLC (and most Cisco products). People were not big fans of the first 5.x trains (quite buggy), and CAPWAP was introduced in 5.2, which is why 4.2.207 seems to be a good choice for you.
In controller software release 5.2 or later, Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points (CAPWAP) protocol to communicate between the wireless controller and other lightweight access points on the network. Controller software releases before 5.2 use the Lightweight Access Point Protocol (LWAPP) for these communications.
CAPWAP, which is based on LWAPP, is a standard, interoperable protocol that allows a controller to manage a collection of wireless access points. CAPWAP is implemented in controller software release 5.2 for these reasons:
* To provide an upgrade path from Cisco products that use LWAPP to next-generation Cisco products that use CAPWAP
* To manage RFID readers and similar devices
* To allow controllers to interoperate with third-party access points in the future
LWAPP-capable access points can discover and join a CAPWAP controller, and conversion to a CAPWAP controller is transparent. For example, the controller discovery process and the firmware download process when using CAPWAP are the same as when using LWAPP. The only exception is for Layer 2 deployments, which are not supported by CAPWAP.
You can deploy CAPWAP and LWAPP controllers on the same network. The CAPWAP-capable software allows access points to join either a CAPWAP or an LWAPP controller. The only exception is the Cisco Aironet 1140 Series Access Point, which supports only CAPWAP and therefore joins only controllers that run CAPWAP. For example, an 1130 series access point can join a controller running CAPWAP or LWAPP, whereas an 1140 series access point can join only a controller running CAPWAP.
http://www.Cisco.com/en/us/products/ps6366/products_qanda_item09186a008064a991.shtml
4.2.207 was released on July 24, 2009, which makes it the second newest version available on any train.
http://www.Cisco.com/en/us/products/ps6366/prod_release_notes_list.html
Cheers!
Rob
-
Cisco ASA 5540 L2L VPN - one-way traffic only for one of the paired networks
Hello
I'm a little confused as to what the problem is. This is the background for the problem I am facing.
One of our big clients has a Cisco ASA 5540 (8.2(2)) failover pair (active/standby). Early last year we configured a LAN-to-LAN VPN to a 3rd-party site (a Check Point device on their end). It worked until early this week, when the connection problems suddenly started.
Only 1 of the 3 networks/hosts can access the remote network on the other side. The 2 others have suddenly stopped working. We do not know of any change on our side, and the remote end also insists that their configurations are correct (and the information they sent me seems to be correct).
So essentially the crypto ACL is configured as follows:
access-list line 1 extended permit ip host 10.238.57.21 host 10.82.0.202 (hitcnt=2)
access-list line 2 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252 (hitcnt=198)
access-list line 3 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252 (hitcnt=173)
NAT exemption has been configured as follows (interface names modified):
nat (interface1) 0 access-list INSIDE-VPN-SHEEP
access-list INSIDE-VPN-SHEEP line 1 extended permit ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
access-list INSIDE-VPN-SHEEP line 2 extended permit ip host 10.238.57.21 host 10.82.0.202
nat (interface2) 0 access-list VPN-SHEEP
access-list VPN-SHEEP line 1 extended permit ip 10.207.0.0 255.255.0.0 10.82.0.200 255.255.255.252
After the problem started, only connections from the 10.207.0.0/16 network worked to the remote site 10.82.0.200/30. All other connections do not work.
There has been no change on our side, and the remote side also insists there has been no change. I also checked how long the ASAs have been up and how long the same device has been active in the failover pair. Both have been up for the same time (about a year).
The main problem is that users on 10.231.191.0/24 can't access the remote network. However, the remote users can initiate and bring up the VPN from their side, but never get any return traffic. I've also checked that the routes are configured correctly on the core routers, so their return traffic should go back to the firewall.
I also used "packet-tracer" to bring up the VPN tunnel (it even passes the VPN phases). To my understanding, "packet-tracer" alone with the source and destination IP addresses should bring up the VPN connection (even if it generates no traffic on the actual tunnel).
This is the output of the following command: "packet-tracer input interface1 tcp 10.231.191.100 1025 10.82.0.203 80".
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit rule
Additional information:
MAC access list
Phase: 2
Type: FLOW-SEARCH
Subtype:
Result: ALLOW
Config:
Additional information:
Not found no corresponding stream, creating a new stream
Phase: 3
Type: ROUTE-SEARCH
Subtype: entry
Result: ALLOW
Config:
Additional information:
in 10.82.0.200 255.255.255.252 outside
Phase: 4
Type: ACCESS-LIST
Subtype: Journal
Result: ALLOW
Config:
Access-group interface interface1
access-list extended allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
Additional information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect http
service-policy global_policy global
Additional information:
Phase: 7
Type: FOVER
Subtype: Eve-updated
Result: ALLOW
Config:
Additional information:
Phase: 8
Type: NAT-FREE
Subtype:
Result: ALLOW
Config:
NAT-control
is the intellectual property inside 10.231.191.0 255.255.255.0 outside 10.82.0.200 255.255.255.252
Exempt from NAT
translate_hits = 32, untranslate_hits = 35251
Additional information:
- Phase 9 is a static NAT of the problem network to another interface. Don't know why it shows up in the output.
Phase: 9
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (interface1, interface3) 10.231.0.0 10.231.0.0 netmask 255.255.0.0
NAT-control
is the intellectual property inside 10.231.0.0 255.255.0.0 interface3 all
static translation at 10.231.0.0
translate_hits = 153954, untranslate_hits = 88
Additional information:
- Phase 10 seems to be the default NAT for the local network when traffic is going to the Internet
Phase: 10
Type: NAT
Subtype:
Result: ALLOW
Config:
NAT (interface1) 5 10.231.191.0 255.255.255.0
NAT-control
is the intellectual property inside 10.231.191.0 255.255.255.0 outside of any
dynamic translation to pool 5 (y.y.y.y)
translate_hits = 3048900, untranslate_hits = 77195
Additional information:
Phase: 11
Type: VPN
Subtype: encrypt
Result: ALLOW
Config:
Additional information:
Phase: 12
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional information:
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional information:
Phase: 14
Type: CREATING STREAMS
Subtype:
Result: ALLOW
Config:
Additional information:
New workflow created with the 1047981896 id, package sent to the next module
Result:
input interface: interface1
entry status: to the top
entry-line-status: to the top
output interface: outside
the status of the output: to the top
output-line-status: to the top
Action: allow
So, basically, the connection should go properly into the L2L VPN, but it doesn't. I tried to generate basic client traffic (with the source IP address of the client network), and I see the connection on the firewall, but there are absolutely no encapsulated packets when I check "show crypto ipsec sa" for this L2L VPN connection. It's almost as if the firewall only forwards the packets out the external interface instead of encapsulating them for the VPN?
And as I said, at the same time the remote end can bring up the connection between these 2 networks just fine, but just won't get any traffic back for their ICMP echo messages.
access-list extended
allow ip 10.231.191.0 255.255.255.0 10.82.0.200 255.255.255.252
local ident (addr, mask, prot, port): (10.231.191.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (10.82.0.200/255.255.255.252/0/0)
current_peer: y.y.y.y#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 131, #pkts decrypt: 131, #pkts check: 131
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, comp #pkts failed: 0, #pkts Dang failed: 0
success #frag before: 0, failures before #frag: 0, #fragments created: 0
Sent #PMTUs: 0, #PMTUs rcvd: 0, reassembly: 20th century / of frgs #decapsulated: 0
#send errors: 0, #recv errors: 0
If it was just a routing problem it would be simple to fix, but it is not, because I can see the connections reaching the firewall from the core routers, but they just don't get passed on to the VPN connection.
Could this happen due to a bug in the ASA software? Could this be something with the Check Point VPN device? (I have absolutely no experience with Check Point devices.)
If there is any essential information I can give, please ask.
- Jouni
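A small audit of the situation described in this post, added here as an example (not the poster's or Cisco's code): it checks that every crypto-ACL entry is fully covered by a NAT-exemption entry on some inside interface, shows which entry a given packet hits (first match, as the ASA evaluates ACLs), and classifies the `show crypto ipsec sa` counters as one-way or bidirectional. The ACEs and interface names are taken from the post; the function and variable names are my own.

```python
"""Consistency checks for an ASA 8.2-style L2L VPN: crypto ACL vs. nat 0 ACLs,
first-match lookup for a test packet, and IPsec SA counter direction."""
import ipaddress

# Crypto ACL entries as (source, destination) networks, in the poster's order.
CRYPTO_ACL = [
    ("10.238.57.21/32", "10.82.0.202/32"),
    ("10.207.0.0/16", "10.82.0.200/30"),
    ("10.231.191.0/24", "10.82.0.200/30"),
]

# nat 0 access-lists per inside interface (names as the poster anonymised them).
NAT_EXEMPT = {
    "interface1": [("10.231.191.0/24", "10.82.0.200/30"),
                   ("10.238.57.21/32", "10.82.0.202/32")],
    "interface2": [("10.207.0.0/16", "10.82.0.200/30")],
}


def _net(text):
    return ipaddress.ip_network(text, strict=False)


def _covers(outer, inner):
    """True if ACE `outer` (src, dst) fully contains ACE `inner`."""
    return (_net(inner[0]).subnet_of(_net(outer[0]))
            and _net(inner[1]).subnet_of(_net(outer[1])))


def exemption_gaps(crypto_acl, nat_exempt):
    """Crypto ACEs that no NAT-exemption ACE on any interface fully covers.
    Such traffic would be NATted before encryption and never match the
    crypto map, a classic cause of a one-way tunnel."""
    gaps = []
    for ace in crypto_acl:
        covered = any(_covers(exempt, ace)
                      for aces in nat_exempt.values() for exempt in aces)
        if not covered:
            gaps.append(ace)
    return gaps


def match_packet(src_ip, dst_ip, acl):
    """Index of the first ACE matching src->dst (first match wins), or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for idx, (s, d) in enumerate(acl):
        if src in _net(s) and dst in _net(d):
            return idx
    return None


def tunnel_direction(pkts_encaps, pkts_decaps):
    """Classify `show crypto ipsec sa` counters. The post shows decaps
    climbing (131) while encaps stays at 0: traffic arrives but nothing is
    encrypted back, i.e. an inbound-only tunnel."""
    if pkts_encaps == 0 and pkts_decaps == 0:
        return "idle"
    if pkts_encaps == 0:
        return "inbound-only"
    if pkts_decaps == 0:
        return "outbound-only"
    return "bidirectional"


if __name__ == "__main__":
    print("uncovered crypto ACEs:", exemption_gaps(CRYPTO_ACL, NAT_EXEMPT))
    print("packet-tracer flow hits crypto ACE",
          match_packet("10.231.191.100", "10.82.0.203", CRYPTO_ACL))
    print("SA state:", tunnel_direction(0, 131))
```

With the post's configuration every crypto ACE is exempted and the test packet hits ACE index 2, which is consistent with packet-tracer reporting ALLOW through the VPN phases while the SA still shows zero encaps.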
Jouni,
8.2.4.1 is the minimum; 8.2.4 had some issues (including TCP proxy).
If this does not resolve the problem, I suggest opening a TAC case to get to the bottom of this ;-)
Marcin
-
External ACL does not increment for traffic allowed through the site-to-site VPN
Hi all, we have many site-to-site IPsec VPNs that are sending traffic to us successfully; most of this traffic is FTP or SFTP.
There is no sysopt configuration on the ASA firewall. Access lists have been configured on the external interface of the ASA to allow these VPN FTP & SFTP connections; however, all counters are 0 when I do a 'show access-list internet-in' for FTP or SFTP.
There are general IP entries in the access list for FTP & SFTP NATted to the Internet-connected addresses of these FTP servers, and these do increment, but that is for certain customers who use the internet to transfer files.
I guess what I am asking is: does the ASA increment the outside access-list counters for traffic allowed through the VPN? The access list entries are for THEIRINTERNALIP to OURINTERNALIP (according to the crypto map).
Just to add that these ACLs are configured through object groups, in case that matters; also, again, they are correctly transferring files to us, I just don't see where they are allowed.
Thanks in advance
Mark
VPN traffic is flowing properly and there is no ACL allowing UDP 500 or ESP?
Can you post the output of "sh run all sysopt"?
Federico.
-
Site-to-site VPN, I need all internet traffic to exit at one site.
I have 2 sites connected via a pair of SRX5308s
A = 192.168.1.0/24
WAN IP = 1.1.1.1
B = 192.168.2.0/24
WAN IP = 2.2.2.2
Now what I need to do is to have all traffic from B go to site A, even traffic destined for the internet. That is, I need internet traffic to leave our network with the IP 1.1.1.1, even if it comes from network B.
On my ASA I have set up a route to 1.1.1.1 via the ISP, then a default 0/0 to 192.168.1.1; the ASA knows how to get to the VPN peer via the more specific route, but sends everything else over the tunnel, and the ASA at the remote end then hairpins the internet traffic out of its own WAN port.
I can't understand, though, how to do the same thing on the pair of SRX5308s; they either don't bring up the tunnel or route internet traffic out of site B's local address.
Anyone have any ideas?
I need to do this because we are logging and monitoring internet traffic at site A via taps upstream to various IDS solutions, and will not (cannot) reproduce this at all our remote sites.
Thank you
Dave.
After some more thought and testing I came up with a workable solution to my own problem. I'll share it here in case it can help others.
(1) Use the wizard at both ends to implement a normal VPN that connects the two network segments 192.168.1.0 and 192.168.2.0.
(2) Go to VPN -> VPN policy on the remote site router (192.168.2.1) and click Edit:
(a) disable NetBIOS
(b) select "None" from the remote IP address drop-down list
(c) apply the change
(3) Go to VPN -> VPN policy on the head-end site (192.168.1.1) and click Edit:
(a) disable NetBIOS
(b) select "None" from the local IP address drop-down list
(c) apply the change
Now all the traffic will go down the VPN tunnel and exit to the internet at the head-end site. Hope this helps others with the same question.
-
AP failed to connect to the WLC.
We have 5 sets of 1700 APs working in controller mode and a Cisco WLC 2500.
I configured the controller as I always used to, but this time the access points have been unable to reach the controller.
That's what I did:
controller IP address: 192.168.1.250/24
GW: 192.168.1.1
Primary DHCP: 192.168.1.250
I connected port 1 of the controller with an Ethernet cable to the switch, and to the same switch I connected the AP.
We used the power adapter instead of a PoE switch.
I even tried assigning the address to the AP directly through the console with:
capwap ap controller ip address and so on. This did not help either. There was this message on the AP: "% CAPWAP-5-DHCP_RENEW: could not find WLC by using DHCP IP. DHCP IP renewal."
Moreover, do the PoE ports on the controller provide enough power for the AP to operate?
Help, please.
I have attached the PuTTY log as well.
Hello
The WLC connection was successfully created, then it dropped for some reason. I don't know if this helps, but try to connect the Ethernet cable directly to the AP's Ethernet port instead of the PoE port.
You can use the PoE port on the AP even if you don't use a PoE switch. And regarding the PoE port on the WLC: Cisco doesn't recommend that you directly connect an AP to the WLC, but it is possible.
Also, I don't see that the IP address is assigned by DHCP.
Try also to use the commands:
capwap ap ip address...
capwap ap ip default-gateway...
I guess the WLC and switch are configured correctly.
EDIT:
I had a similar problem today.
Just connect the console cable to the AP, go to enable mode and type the commands:
clear capwap private-config
clear lwapp private-config
then reload the AP with the command "reload".
After these commands the AP joined the WLC successfully.
-
Offloading DHCP from the WLC and putting it on Active Directory.
I need to use the offload feature to move DHCP off the WLC and put it on Active Directory. Does anyone have a walkthrough or a page for this? I know it's just a checkbox and a redirect to the new DHCP server, but where on earth is the configuration on the WLC?
Thank you!
-anne
You can go there.
Point to your existing AD-integrated DHCP server.
-
Base config for the 2nd and 3rd WLC?
I saw the discussion about configuring failover on the WLCs. I think I have a pretty good understanding of what is supposed to happen here. But what is not really clear is the base config on the 2nd and 3rd WLC. Do they need to be configured exactly like the first, with the exception of the unique fields such as host name, IP addresses, interfaces and such? Do people usually take the config of the first and do a "find and replace" to fix the config for subsequent controllers? I will add 2 more controllers in the near future and want to have a better understanding of the process before I have to implement it. Thank you!
You are right about the WLC config: unique IP/hostname info and everything else the same. There are usually not a lot of configuration changes to make on the additional WLCs; the few times I did it I either configured things manually or used WCS. Configure the additional WLCs to be part of the same mobility group and/or hardcode the primary, secondary & tertiary controllers on the APs for failover.
HTH
-
ERROR: cannot upload the WLC config.
Hello
I'm not able to save the configuration of the WLC controller to WCS. Please take a look and suggest if I'm doing something wrong here.
(WISN-slot1-2) > transfer upload mode tftp
(WISN-slot1-2) > transfer upload datatype config
(WISN-slot1-2) > transfer upload serverip 10.10.10.10
(WISN-slot1-2) > transfer upload path .
(WISN-slot1-2) > transfer upload filename WLCconfig
(WISN-slot1-2) > transfer upload start
Mode............................................. TFTP
TFTP Server IP................................... 10.10.10.10
TFTP Path........................................ /
TFTP Filename.................................... WLCconfig
Data Type........................................ Configuration file
Encryption....................................... Disabled
WARNING: Config File Encryption Disabled *.
Are you sure you want to start? (y/N) y
TFTP Config transfer starting.
Error preparing transfer!
NOTE: I use the WCS as the TFTP server and do not use any other TFTP server. Any help is appreciated.
Hi Neha,
You must restart the WLC controller. If the WLC is placed on the WiSM module, you must reload the WiSM module; after that you will be able to upload the config and upgrade the firmware of the controller.
This is happening because of some internal issue with the WiSM/WLC hardware. Do this and your problem will be solved.
Kind regards
Reem
-
Upgrade from the WLC-12 to the WLC-50
Does anyone know whether I would run into any issues during an upgrade from a Cisco WLC-12 wireless controller to a Cisco WLC-50 wireless controller? Can we expect problems if I simply copy the startup configuration of the WLC-12 to the WLC-50? All comments are appreciated.
Thank you
Travis
I don't think that is supported. It is best to configure the new WLC from scratch. You don't want to risk having a corrupt configuration file on the WLC. Configure the new one side by side so you can compare the configurations... it does not take long.
-
How to retrieve the RADIUS shared secret key on the WLC 5508
Hi all
The previous wireless admin left our company and did not let anyone else know the RADIUS shared secret key on the WLC 5508.
The WLC 5508 runs on the 7.0.98.0 code. I can access the WLC via CLI and GUI. I can also access the Win2003 RADIUS server, but the field only displays asterisks for me. I have listed a partial RADIUS config of the WLC below. How can I get the RADIUS shared secret key? Thanks in advance.
(Cisco Controller) > show radius summary
Vendor Id backward compatibility................. Disabled
Call Station Id.................................. lower case
Call Station Id Type............................. IP address
Aggressive failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback test:
Test Mode.................................... Off
Probe username............................... cisco-probe
Interval (in seconds)........................ 300
MAC delimiter for authentication messages........ hyphen
MAC delimiter for accounting messages............ hyphen
Authentication servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
--- ---- ---------------- ------ -------- ---- ------- ------------------------------------------------
1 NM 10.xx.18.48 1645 on 2 off off - no/unknown/group-0/0 None/None
Accounting servers
Idx Type Server Address Port State Tout RFC3576 IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
--- ---- ---------------- ------ -------- ---- ------- ------------------------------------------------
1 N 10.xx.18.48 1646 enabled 2 N/A disabled - no/unknown/group-0/0 None/None
Kind regards
Robert
You can retrieve the RADIUS shared secret key, like the other passwords stored on the WLC, by using the procedure at the following link:
NOTE: WPA keys are not available through these methods.
Basically, you can enable clear-text passwords on the WLC with 'config passwd-cleartext enable' and then issue a 'show run-config commands'; your RADIUS configuration command should now display the shared secret.
-Pat
-
Regarding the configuration file on the WLC
Hi all
I would like to replace an AIR-WLC4402-25-K9 with an AIR-WLC4402-50-K9 because of the AP count problem. The two controllers are running the same software version, 4.2.61.0. Just out of curiosity, can I just back up the old configuration and download it to the new controller? I guess it should work. Correct me if I'm wrong.
Any input will be appreciated.
Robert
Robert,
It should work, because the difference between them is at the ASIC level and not in the config. As long as you don't have both of them on the wire at the same time there should be no problem.
Alternatively, you can pull the show run-config from the WLC-25 and then paste it into the WLC-50 in config mode.
Cheers,
Steve--
If this helps you or answers your question, please mark it as 'answered' or rate it, so other users can easily find it.
-
MAC learning on the switch port to the WLC
Hello
I plugged the WLC into the main switch on Gig 5/5.
The MAC address table is as below.
core#sh mac-address-table
Unicast entries
vlan mac address type protocols port
4001 8843.e131.1983 dynamic ip GigabitEthernet5/5
4001 8843.e131.198b dynamic ip GigabitEthernet5/5
4001 c8bc.c80b.f5d7 dynamic ip,other GigabitEthernet5/5
4001 c8bc.c81c.3572 dynamic ip GigabitEthernet5/5
The selected one is the MAC of the WLC; what are these other MAC addresses being learned through Gig 5/5?
These aren't the virtual port or service port MACs of the WLC.
Hello
Here there are 2 Cisco devices... check whether any other interface such as the AP-manager or a dynamic interface has these MACs.
4001 8843.e131.1983 dynamic ip GigabitEthernet5/5
4001 8843.e131.198b dynamic ip GigabitEthernet5/5
The MAC here is the vendor's MAC and is not identified by an OUI lookup...
4001 c8bc.c80b.f5d7 dynamic ip,other GigabitEthernet5/5
4001 c8bc.c81c.3572 dynamic ip GigabitEthernet5/5
Just find out what these MACs are in your network...
Let me know if that answers your question and please do not forget to rate the useful posts!
Regards
Surendra
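The check suggested in this thread, written up as an added example (not the poster's output or any Cisco tool): parse `show mac-address-table` rows, collect what is learned behind one port, and group it by OUI so that the operator can see how many distinct vendors sit behind the WLC port and which OUIs are unexpected. The sample table is constructed from the four entries above; the function names are my own, and the OUI-to-vendor resolution is left to whatever OUI database the reader uses.

```python
"""Group MAC addresses learned on one switch port by OUI, from IOS-style
`show mac-address-table` text. Constructed sample input mirrors the thread."""
import re
from collections import defaultdict

# Constructed sample: the thread's four entries on VLAN 4001 / Gi5/5.
SAMPLE_TABLE = """\
Unicast Entries
 vlan   mac address     type        protocols               port
-------+---------------+--------+---------------------+-------------------------
 4001   8843.e131.1983   dynamic ip                    GigabitEthernet5/5
 4001   8843.e131.198b   dynamic ip                    GigabitEthernet5/5
 4001   c8bc.c80b.f5d7   dynamic ip,other              GigabitEthernet5/5
 4001   c8bc.c81c.3572   dynamic ip                    GigabitEthernet5/5
"""

# One table row: vlan, dotted-hex MAC, type, comma-separated protocols, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of dicts, one per learned entry; header/separator lines
    are skipped because they do not match the row pattern."""
    entries = []
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            vlan, mac, entry_type, protocols, port = match.groups()
            entries.append({
                "vlan": int(vlan),
                "mac": mac.lower(),
                "type": entry_type,
                "protocols": protocols.split(","),
                "port": port,
            })
    return entries


def oui(mac):
    """First three bytes of a dotted-hex MAC as six hex digits, e.g. '8843e1'."""
    return mac.replace(".", "")[:6].lower()


def macs_by_oui(entries, port):
    """Map OUI -> sorted MACs learned on `port`; several OUIs behind one port
    means more than one device (or vendor) is reachable through it."""
    groups = defaultdict(list)
    for entry in entries:
        if entry["port"] == port:
            groups[oui(entry["mac"])].append(entry["mac"])
    return {prefix: sorted(macs) for prefix, macs in groups.items()}


def unexpected_ouis(entries, port, known_ouis):
    """OUIs seen on `port` that are not in the operator's expected set
    (for example the OUI of the WLC's own interfaces)."""
    return sorted(set(macs_by_oui(entries, port)) - {o.lower() for o in known_ouis})


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_TABLE)
    for prefix, macs in macs_by_oui(table, "GigabitEthernet5/5").items():
        print(prefix, len(macs), macs)
```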