topic Re: WISM Design Issue. in Wireless

WISM Design Issue.

p.danielsen — Sat, 03 Jul 2021 20:18:14 GMT

Hi,

I'm trying to design our Wireless LAN network, and something is bugging me,

I want to separate the APs, from our network, by placing them in a separate VRF, this should not be a problem, the thing that bugs me, is when I looked into Cisco documentation, they describes that the APs needs to see both the AP management interface and the Management interface on the WISM module, any one know if this is true !!

If I understand the communication, APs only talks to the AP management interface on the WISM, and the management server only needs to talk to the management interface on the WISM module, Right/Wrong ??

Quick overview of the setup.

AP <-Vlan 10(VRF B)-> AP Management (WISM) Management <-Vlan20 (VRFA) -> Management server

So there is no connection between the management server and the APs

Hope anyone, can guide me in the right direction ..

Regards

Peter.

(will rate all answers)

Re: WISM Design Issue.

Stephen Rodriguez — Tue, 28 Nov 2006 20:30:07 GMT

Peter,

The AP's need to initially see the Management interface, since this is the only interface that responds to ARP, and is pingable. Per the documentation the AP-Manger and Management interfaces should be on the same subnet/vlan.

Re: WISM Design Issue.

p.danielsen — Wed, 29 Nov 2006 17:41:41 GMT

Stephan,

Not the answer I wanted, but nice to know,

So another question, If I want to put a firewall between the WISM module / APs and the management server, do you know of a document that describes, the firewall rules to use ?? ..

Best Regards

Peter,

Re: WISM Design Issue.

Frederick Reimer — Wed, 29 Nov 2006 18:11:32 GMT

I don't know of a Cisco document, but the only thing you should need is SNMP, TFTP, syslog. The WCS, if that's what you are referring to as the management server, uses SNMP to push profiles or make other changes to the WLCs. You should setup SNMPv3 and get rid of the default public/private communities. TFTP is used for image file transfer, and backing up the configurations. syslog can be used in addition to the SNMP-traps that the WCS automatically configures the WLCs to send.

Re: WISM Design Issue.

khagen — Fri, 01 Dec 2006 16:39:07 GMT

Ive just gotten through installing a large # of WiSM's and I can say without a doubt the Cisco Documentation is lacking. In one spot the docs say the AP-Manager and Management interface of the WiSM should be on the same VLAN. In another section it describes putting them on separate VLANs for security purposes. Whats more, they give no examples or requirements of how to do anything but putting both interfaces on the same VLAN.

Basically, what Ive found is:

1) AP-Manager and Management interfaces can be on separate VLANs, the key here is what you put as the native VLAN for the port-channels. If you make the native vlan the same vlan as the management interface, then you must configure it as un-tagged. If you want to vlan tag them, then ensure that the native vlan is something not used in the WiSM.

My personal preference is to have them on

separate VLANs for security purposes.

2) The initial boot of the APs has them talking to the Management Interface. Im still fuzzy if they move to the AP-Manager interface after registering (Ill get a sniffer in there sooner or later to find out).

3) As to firewalling, items you want to make sure are open.

a) To Management Interface

- HTTPS

- SNMP

- SSH

- LWAPP Protocol

- ICMP (maybe upto you)

b) From Management Interface

- SNMP traps

- Syslog

- TFTP

- RADIUS

c) To AP-Management Interface

- LWAPP Protocol

Parts that Im unsure on are the protocol

used to communicate between WiSMs or with

other controllers.

Hope this helps.

Karl

Re: WISM Design Issue.

sandjose — Sat, 02 Dec 2006 12:43:29 GMT

Karl ,

The AP manager and the management can be on different vlans , but from the AP both the management and the ap-manager should be reachable . The AP intiall tries to contacts the management interface in the lwapp discovery request and the discovery response from the mgmt intf carries the AP-manager int address.Now the AP sends the join req to the ap-manager intf.

Regarding the ports that are used for LWAPP protocol

12223,12222,12224,16666 UDP ports

Re: WISM Design Issue.

MARK HEUZENROEDER — Thu, 07 Dec 2006 06:11:53 GMT

I gleened the following from Ethereal between WiSM & 1131AG,

This LWAPP traffic goes between Management Interface and AP,

- Discovery_REQUEST

- Discovery_REPLY

- PRIMARY_DISCOVERY_REQ

- PRIMARY_DISCOVERY_RES

This LWAPP traffic goes between AP-Manager Interface and AP,

- JOIN_REQUEST

- CONFIGURE_REQUEST

- CONFIGURE_RESPONSE

- various other CONFIGURE packets

- ECHO_REQUEST

- ECHO_RESPONSE

- STATISTICS_INFO

- STATISTICS_INFO_RES

I agree cisco doco. is a mad man's breakfast in this area.

I havn't seen any LWAPP doco. which is both coherent and technically detailed enough to be useful.

Dear Cisco - how hard would it be to add the above to your doco, and, heaven forbid, maybe even some Ethereal snippets!!!

Regards, MH