Virtual Interface (WLC)

sniff
Level 1
Level 1

Hello,

Is there any background information about the virtual interface and its IP address?

[Config Guide]

..... 

A virtual interface must be configured with an unassigned and unused gateway IP address. (no question !!)

A virtual interface IP address is not pingable and should not exist in any routing table in your network. (Why? The controller has this IP address and no other system does, so what is the problem?)

Regards

Sven

Accepted Solution

It says it will not appear as the source or destination address of a packet that goes out a distribution system port (in other words, packets that go to the wired network). Still, this can be used within the controller and in the encapsulated CAPWAP tunnel for client traffic in certain scenarios (in mobility management).

If your wired network knows about this virtual IP (i.e. it is a routable IP), then it will be problematic to do this segregation. On top of that, how can you configure the same IP address to be available in multiple places of your network and do routing for that?

HTH

Rasika

21 Replies

Because the virtual IP address has to be the same on all your controllers, if you configure it as a routable IP the routing table will get confused (as the same IP is coming from multiple places in your network).

Nowadays we normally configure 192.0.2.1 as the virtual IP (in the old days it was 1.1.1.1).

HTH

Rasika

**** Please rate all useful responses ***

Hello Rasika,

I thought the virtual IP is used internally or for wireless clients only?

Do any IP packets go out from the controller to the LAN?

What about L2 networks and more than 1 controller?

Sven

Yes, you are correct, the virtual IP address is used for communication between wireless clients and the controller itself. Assume you configure it as a routable IP; then the WLC will forward that traffic to the network and cannot do its intended function.

Also, if you have more than one controller and you need to have mobility between them, then you need to configure the same virtual IP address on all of those controllers.

Here are some useful points about this interface from the config guide.

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1194487

* The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled.

Specifically, the virtual interface plays these two primary roles:

1. Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.

2. Serves as the redirect address for the web authentication login page.

* The virtual interface IP address is used only in communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network. For the system to operate correctly, the virtual interface IP address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address as the virtual interface. Therefore, the virtual interface must be configured with an unassigned and unused gateway IP address. The virtual interface IP address is not pingable and should not exist in any routing table in your network. In addition, the virtual interface cannot be mapped to a backup port.

* All controllers within a mobility group must be configured with the same virtual interface IP address. Otherwise, inter-controller roaming may appear to work, but the handoff does not complete, and the client loses connectivity for a period of time.

HTH

Rasika

**** Please rate all useful responses  ****

"It never appears as the source or destination address of a packet that goes out a distribution system port and onto the switched network."

That's the reason why I ask.

If it is never used, where is the problem with any routing tables?


Thanks for your support

Sven

No prob... Thanks for rating the responses...

Rasika

I want to buy a public SSL certificate for the guest registration page of our wireless controller. Currently the controller uses its virtual IP address (1.1.1.1) for the guest page; this is Passthrough authentication. I want to change this IP address to your suggested 192.0.....

The question is: can we use the IP address of the virtual interface for CSR generation, or must we use DNS for this?

IP of controller 1.1.1.1 = CN for CSR?

The controller is on version 8.0.152 of IOS.

Thank you.


The CN needs to be a FQDN that you would have a record in DNS to match that of the VIP. The DNS being used for guest needs to have that record or else you will get a cert error.
-Scott
*** Please rate helpful posts ***

So we need a record in DNS for the VIP address on the controller, right?

The record will look like this :

X.domain.X > to address 1.1.1.1

I plan to change the VIP from 1.1.1.1 to a non-routable one: 192.0.2.1.

That will work as long as you can add the DNS entry to the DNS servers the guests will be assigned. I have tied the DNS CN to a public address, which is easier if you don't manage your own external DNS servers.

-Scott
*** Please rate helpful posts ***

Yes, unfortunately we have access to the DNS server for guests (this DNS server is our router, and the guest interface is pointed directly to the DMZ on this router).

OK, finally we must have:

DNS record like this  WLC.domain.com pointed to 1.1.1.1 or 192.0.2.1 and internal guest page will look like this after redirect:

WLC.domain.com/screens/base/login_preview.html

After our guest is redirected to this page they will click on accept button and will get internet access.

For the CSR we need:

a DNS record for the virtual IP on the controller, WLC.domain.com, pointed to 1.1.1.1 or 192.0.2.1,

and that is actually our FQDN, right?

The CN that you specify in the cert (CSR) needs to be resolved to the WLC VIP address.
-Scott
*** Please rate helpful posts ***

Thank you Scott !
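The rules quoted from the config guide above (virtual IP set, identical across the mobility group, absent from any routing table) and Scott's point that the cert CN must be an FQDN the guest DNS resolves to the VIP can be checked before deploying. The script below is an added example written for this thread, not Cisco's code; the controller names, prefixes, DNS records and cert names are constructed sample data.

```python
import ipaddress

# Constructed sample input (assumed for this example, not taken from the thread):
# two controllers in one mobility group, the wired routing table's prefixes,
# the guest DNS zone, and the names carried by the web-auth certificate.
CONTROLLERS = {"wlc-1": "192.0.2.1", "wlc-2": "192.0.2.1"}
ROUTED_PREFIXES = ["0.0.0.0/0", "10.0.0.0/8", "172.16.0.0/12"]
GUEST_DNS = {"wlc.example.com": "192.0.2.1"}
CERT_NAMES = ["wlc.example.com"]   # CN plus any SubjectAltName entries
WEBAUTH_FQDN = "wlc.example.com"   # name the web-auth login page redirects to


def check_virtual_interface(controllers, routed_prefixes, guest_dns, cert_names, fqdn):
    """Return a list of findings; an empty list means the setup follows the guide."""
    findings = []
    vips = {name: ipaddress.ip_address(ip) for name, ip in controllers.items()}

    # Rule: all controllers in a mobility group must share the same virtual IP.
    if len(set(vips.values())) != 1:
        findings.append(f"controllers disagree on the virtual IP: {controllers}")

    for name, vip in vips.items():
        # Rule: the virtual IP must be set (it cannot be 0.0.0.0).
        if vip == ipaddress.ip_address("0.0.0.0"):
            findings.append(f"{name}: virtual IP is 0.0.0.0")
        # Rule: the virtual IP should not exist in any routing table. A default
        # route (prefix length 0) matches everything, so only specific prefixes count.
        for prefix in routed_prefixes:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen > 0 and vip in net:
                findings.append(f"{name}: virtual IP {vip} lies inside routed prefix {prefix}")

    # Rule: the cert CN is an FQDN that the guest DNS resolves to the virtual IP.
    resolved = guest_dns.get(fqdn)
    if resolved is None:
        findings.append(f"guest DNS has no record for {fqdn}")
    elif ipaddress.ip_address(resolved) not in vips.values():
        findings.append(f"{fqdn} resolves to {resolved}, not to the virtual IP")
    if fqdn not in cert_names:
        findings.append(f"cert lacks {fqdn} as CN or SAN; guests will get a cert error")
    return findings


if __name__ == "__main__":
    result = check_virtual_interface(CONTROLLERS, ROUTED_PREFIXES, GUEST_DNS,
                                     CERT_NAMES, WEBAUTH_FQDN)
    for line in result or ["OK: virtual interface and web-auth cert setup are consistent"]:
        print(line)
```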
