Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
296
Views
0
Helpful
1
Replies

5508 controller Office extended setup

ShrikantGAIKWAD69594
Level 1
Level 1

‎11-27-2020 02:53 AM - edited ‎07-05-2021 12:50 PM

Hello Team,

we are doing office extended setup on cisco 5508 controller with 8.5.135 airos and 2702i access point

controller is behind firewall

our 5508 controller is not dedicated for the OEAP setup our controller working as gust anchor controller also it is in HA,

destination Nat is present on the firewall,

On firewall we have the port 5246 and 5247 open for real ip to join the controller,

currently NAT ip is not  configured in mgmt. interface of 5508 controller, option is grid out in mgmt. interface of 5508 controller as it is in HA 

 

Query

1. Is it mandatory to have the NAT on the 5508 management interface only ? or we can do NAT on other part of network(on firewall facing towards DMZ-internet).

Because we did the  destination NAT on the firewall side for the management ip of our controller

Request of the 2702i coming to the controller using real ip , discovery response also going from wlc to destination real ip, next exchange is lost somewhere

2. our wlc has 8.5.135 license we don't require special DTLS license as it already has DATA+Wplus in existing airos right?

3. if we configure the NAT directly on the MGMT interface we need to break HA, enable NAT, again build HA, and we have the guest mobility tunnel to private ip to all other sites , does it will be problem for this tunnels.

 

Many thanks

Shrikant

 

 

 

Labels:
0 Helpful
1 Reply 1

Scott Fella
Hall of Fame
Hall of Fame

‎11-27-2020 07:26 AM

Nat is only available on the management interface configuration. As long as there are no internal AP’s connected you do not have to issue this command.

config network ap-discovery nat-ip-only disable

As far as SSO, you are changing the management IP address to a public ip so that you need to consider. I would think you would need to break HA.
Why not break sso and use the other controller for OEAP. There is no real benefit for SSO for guest anchor.
-Scott
*** Please rate helpful posts ***
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card