Thread: 5508 - dhcp scope per wlan

#1 mikearama (Senior Member, Oshawa, Ontario; certifications: CCNP, CCSP, CISSP, MCSE)

    Just that... one ap-manager interface, with each AP broadcasting two SSIDs. One for our user base, the other for guests.

    I have assigned an SSID to each WLAN, and have opted to go with internal scopes on the controller. However, I cannot locate a way to assign a scope per WLAN... all documentation has the scope being applied to the interface.

    In this case, both WLANs/SSIDs share the same interface.

    This document says it's possible, but doesn't explain how:

    Cisco Wireless LAN Controller Configuration Guide, Release 6.0 - Chapter 6 - Configuring WLANs [Cisco 5500 Series Wireless Controllers] - Cisco Systems

    It says: You can configure DHCP on a per-interface or per-WLAN basis. The preferred method is to use the primary DHCP server address assigned to a particular interface.

    It then goes on to explain how to apply to the interface... nothing on the per-Wlan approach.

    Any thoughts appreciated.
    Mike
#2 SteveO86 (Senior Member, FL; certifications: CCNP, CCIP, CCDP, CCNP: Security/Data Center, CCNA Wireless, CWNA, WCNA)
    This might be helpful... Although it uses a different device for DHCP and not just the WLC itself. Maybe you can configure DHCP on the device connected to the WLC?

    Guest WLAN and Internal WLAN using WLCs Configuration Example - Cisco Systems

    Although you'll need a second dynamic interface on the WLC.

#3 Junior Member (joined Oct 2008)
    Go into the WLAN, under advanced settings you should have an option to override the global DHCP settings with your own scopes.
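    The CLI form of the GUI step described in #3, as an added example that is not part of the thread and not taken from Cisco's documentation: one dynamic interface (and VLAN) per SSID so guest and staff traffic stay on separate subnets, internal DHCP scopes on the controller, and the per-WLAN DHCP override pointing each WLAN at the controller's management address. WLAN IDs, interface names, VLAN IDs and addresses are constructed for illustration; command syntax is assumed for WLC release 6.x/7.x and should be checked with `config wlan ?` on the running release. Lines starting with `!` are annotations only; the WLC CLI does not accept them.

```text
! Dynamic interfaces: one per SSID, each on its own VLAN/subnet (constructed values).
config interface create staff 216
config interface address staff 10.22.216.2 255.255.255.0 10.22.216.1
config interface create guest 217
config interface address guest 10.22.217.2 255.255.255.0 10.22.217.1

! Internal DHCP scopes on the controller, one per subnet.
config dhcp create-scope staff-scope
config dhcp network staff-scope 10.22.216.0 255.255.255.0
config dhcp address-pool staff-scope 10.22.216.20 10.22.216.200
config dhcp default-router staff-scope 10.22.216.1
config dhcp enable staff-scope
config dhcp create-scope guest-scope
config dhcp network guest-scope 10.22.217.0 255.255.255.0
config dhcp address-pool guest-scope 10.22.217.20 10.22.217.200
config dhcp default-router guest-scope 10.22.217.1
config dhcp enable guest-scope

! Interface-level DHCP server (the method the configuration guide prefers).
! Internal scopes answer at the management address, here assumed to be 10.22.129.2.
config interface dhcp dynamic-interface staff primary 10.22.129.2
config interface dhcp dynamic-interface guest primary 10.22.129.2

! Per-WLAN override (Advanced tab in the GUI): map each WLAN to its interface and
! set the WLAN's own DHCP server. A WLAN must be disabled while it is edited.
config wlan disable 1
config wlan interface 1 staff
config wlan dhcp_server 1 10.22.129.2
config wlan enable 1
config wlan disable 2
config wlan interface 2 guest
config wlan dhcp_server 2 10.22.129.2
config wlan enable 2

! Verify: "show wlan 1" lists the DHCP server override and the interface,
! "show dhcp summary" lists the scopes and their state.
show wlan 1
show wlan 2
show dhcp summary
save config
```

    The override on the WLAN only changes where DHCP requests are relayed; the client's subnet still comes from the dynamic interface the WLAN is mapped to, so a WLAN that is mapped to the wrong interface will get addresses from the wrong scope no matter what the override says.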

#4 mikearama
    Awesome... I'm getting there.

    So, I created the dynamic interfaces for the two departments. I also created a 4-port LAG channel, and assigned all three interfaces (management, IT and PMO) to the channel.

    I can ping the Cat 6509 core's interfaces from the controller... 10.22.129.1 for ap-management, 216.1 for IT and 217.1 for PMO. (The controller has 129.2, 216.2 and 217.2 as its IP addresses.) Also, I created the scopes for these two departments on the core, and when I connect to their respective SSIDs, I get an IP in the correct scope.

    Here's where the joy ends, however. Once my laptop has acquired the correct IP config, I cannot do anything. I cannot ping the 216.1 or 217.1 gateway.

    It's as if my client, with its 216.21 (from IT scope) address, communicates with the AP, the traffic is encapsulated from the AP to the controller, the controller strips off the headers and sees the source as 10.22.216.21, but either isn't sending it out the correct IT interface... or it is, but the return traffic is looking for 10.22.216.21 directly and doesn't know to go to the controller (216.2) first.

    Any thoughts?

#5 SteveO86
    From the client with a DHCP address can you ping the IP Address on the controller?

    I've seen issues with client timeouts being configured too high, and when the client connects to a different subnet/SSID the traffic is not forwarded to the wired LAN; however, it communicates with the LWAP and the WLC. (It presents as a weird situation, since you can ping the WLC IP address but not the default gateway on the same subnet, which is on the wired LAN.)

    Maybe connect to the SSID again, and then clear the ARP tables and MAC address table on both the WLC and the neighboring switch.

    (Web Interface, Controller -> General -> ARP Timeout, might be worth a look at)
    Last edited by SteveO86; 02-25-2011 at 07:56 PM.
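    A checklist in CLI form for the symptom in #4 and #5 (client gets an address and can ping the controller, but nothing beyond it), added here as an example; it is not from the thread or from Cisco. The client MAC, interface name, VLAN and port-channel number are constructed; WLC syntax is assumed for release 6.x/7.x and the Catalyst lines are IOS. Lines starting with `!` are annotations, not commands the WLC accepts.

```text
! 1. Confirm the client is fully up and landed on the interface/VLAN you expect.
!    "Policy Manager State" should read RUN; "Interface" and "VLAN" should match the WLAN.
show client summary
show client detail 00:11:22:33:44:55

! 2. Check the controller's ARP timeout (default 300 seconds) and its ARP table.
show network summary
show arp switch
! Reset only if it was raised far above the default:
config network arptimeout 300

! 3. Clear stale entries, controller first, then the upstream switch,
!    and re-associate the client afterwards.
clear arp
! Catalyst (IOS):
! clear arp-cache
! clear mac address-table dynamic vlan 216
! show mac address-table vlan 216     (the client MAC should appear on the LAG port)

! 4. Confirm the dynamic interface's VLAN is actually carried on the LAG trunk.
!    If the VLAN is missing from the trunk, the client reaches the WLC but never the gateway.
show interface detailed staff
! Catalyst (IOS):
! show interfaces port-channel 1 trunk
! show etherchannel summary
```

    Step 1 separates an association or authentication problem from a forwarding one: a client stuck short of RUN explains the symptom by itself, and the rest of the checklist does not apply.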

#6 mikearama
    Exactly right... connectivity to the controller is good. I can see the client listed as associated and authenticated, and I can ping the interface. Just not anything past it.

    I do what you suggest and clean everything... do a reboot too.

#7 SteveO86
    I hate rebooting WLCs (unless you've got 2 of them).

    Let us know if it works for you.

#8 mikearama
    All good now.

    Odd... the AP is a fair distance away from me, and though I got a decent signal, my response times were between 2 and 4 thousand milliseconds. So I guess everything was timing out.

    I cleaned up some stuff, rebuilt the interface and wlans, rebooted... nothing helped. Then I added a second AP closer to my desk, and boom. She's all good now.

    In retrospect, I think I got it. Our security guy didn't want 802.11b enabled, so I killed all the slower data rates... everything below 9 is not available. I think that until I got an AP closer to me, that cost me.

    It's all good now, though.

#9 SteveO86
    I'm a little on the reasoning for your security wanting 802.11b turned off... It's just as vulnerable as the other standards. Or are they one of those old-fashioned security guys that also believe hiding the SSID is secure too?

    While I do believe in disabling un-needed services, just be aware of the effects it will have on your WLAN. With the lower data rates disabled you'll need to make sure your clients are registering a good enough signal to sustain the higher data rate. So you may need to more densely pack an area with APs for sufficient roaming.
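    The data-rate configuration mikearama describes in #8 (everything below 9 unavailable), written out as an added example that is not from the thread or from Cisco, together with the check SteveO86 is asking for in #9. As the thread notes, this is a cell-size and airtime decision rather than a security control: an 802.11b-only client supports just 1, 2, 5.5 and 11 Mbps, so with none of those enabled it cannot associate, while every other client must hold a signal good enough for the lowest mandatory rate. Syntax is assumed for WLC release 6.x/7.x; 2.4 GHz rates live under `config 802.11b` even though they include the OFDM (g) rates. Lines starting with `!` are annotations.

```text
! The 2.4 GHz network must be disabled while rates are changed.
config 802.11b disable network

! Disable everything below 9 Mbps: the three DSSS/CCK 802.11b rates and 6 Mbps OFDM.
config 802.11b rate disabled 1
config 802.11b rate disabled 2
config 802.11b rate disabled 5.5
config 802.11b rate disabled 6
! 11 Mbps is an 802.11b-only rate; leaving it disabled keeps b clients out entirely.
config 802.11b rate disabled 11

! Lowest mandatory rate sets the beacon/multicast rate and therefore the cell edge.
config 802.11b rate supported 9
config 802.11b rate mandatory 12
config 802.11b rate supported 18
config 802.11b rate mandatory 24
config 802.11b rate supported 36
config 802.11b rate supported 48
config 802.11b rate supported 54

config 802.11b enable network
save config

! Verify the rate set, then confirm clients hold a signal good enough for 12 Mbps:
! check RSSI/SNR for a client at the far edge of the cell.
show 802.11b
show client detail 00:11:22:33:44:55
```

    If edge clients show a poor SNR at the mandatory rate, the remedies are the ones #9 gives: add APs or lower the mandatory rate, not re-enable 802.11b for its own sake.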

#10 mikearama
    It isn't an issue with vulnerability... the opinion of our architect is to not allow 'b' users to connect, preventing the effects of having 'b' users mixed in with a/g/n. Regardless, you're right... it means you connect at better than 9MBps, or not at all. So in my testing, I either get three bars and a connection, or nothing.

    I am planning to roll out a few more APs than might be required, to totally radiate our campus.

    And the security guy IS of old-school thought... it took me a lot of talking and emails to get our SSIDs to stay broadcast.
