Solved: All RADIUS, web login and ssh traffic pass through service-port. Any ideas why.

PlamenDanov · ‎10-19-2011

Hi everybody,

i am expecting an issue with my WLC 5508 with IOS 7.0.116.0. The traffic related with controler managment ( GUI and telnet access and RADIUS) is passing trough service-port.

The managment inteface is connected to catalist 6513 with folowing configuration and the catalists intarface has this config:

interface GigabitEthernet10/4
description Cisco WiFi SFP port TRNUK
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 9,28,30,38,98
switchport mode trunk
no ip address
speed 1000
duplex full
spanning-tree portfast
end

the mangment VLAN is 98 and the managment interface is in it. The service port is in different VLAN in this case 199 with static IP. The both cables are connected to same Switch.

Any ideas why i can access this controler only via service port and all RADIUS and SNMP trafic pass trough it?

thanks

nikhilcherian · ‎10-20-2011

Gateway is not needed for ur service port

when you add a route to the network A you are saying to use the service port for reaching the network A

Here as you added your route

10.2.100.0 255.255.255.0 10.4.199.254

10.4.10.0 255.255.255.0 10.4.199.254

The controller will be using the service port for reaching the network 10.2.100.0 and 10.4.10.0. If your management interface gateway 10.4.98.254 can reach your RADIUS server 10.4.10.0, I would suggest you to delete existing routes

Thanks

Nikhil

View solution in original post

nikhilcherian · ‎10-19-2011

Can you give the following inputs

Show interface detailed management

show interface detailed service-port

show route summary

Thanks

NikhiL

PlamenDanov · ‎10-19-2011

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.10.19 16:50:24 =~=~=~=~=~=~=~=~=~=~=~=

(Cisco Controller) >show interface detailed management

Interface Name................................... management

MAC Address...................................... 88:43:e1:61:db:c0

IP Address....................................... 10.4.98.5

IP Netmask....................................... 255.255.255.0

IP Gateway....................................... 10.4.98.254

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

VLAN............................................. 98

Quarantine-vlan.................................. 0

Active Physical Port............................. 1

Primary Physical Port............................ 1

Backup Physical Port............................. Unconfigured

Primary DHCP Server.............................. 10.4.10.40

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. No

L2 Multicast..................................... Enabled

(Cisco Controller) >show interface detailed service-port

Interface Name................................... service-port

MAC Address...................................... 88:43:e1:61:db:c1

IP Address....................................... 10.4.199.5

IP Netmask....................................... 255.255.255.0

DHCP Option 82................................... Disabled

DHCP Protocol.................................... Disabled

AP Manager....................................... No

Guest Interface.................................. No

(Cisco Controller) >show route summary

Number of Routes................................. 2

Destination Network Netmask Gateway

------------------- ------------------- -------------------

10.2.100.0 255.255.255.0 10.4.199.254

10.4.10.0 255.255.255.0 10.4.199.254

(Cisco Controller) >

All routes are added after i discovered that SNMP trafic is routed trough sarvice-port which is without gateway and was necesary to have records in routing table

nikhilcherian · ‎10-19-2011

Are you trying to access the WLC from any of these network 10.2.100.0 or 10.4.10.0..What about the RADIUS, does this come in any of these network

Thanks

NikhiL

PlamenDanov · ‎10-19-2011

The RADIUS is in 10.4.10.0 network. i am trying to access it from any VLAN (I mean 10.4.98.5). All Vlans are routable.

nikhilcherian · ‎10-19-2011

You have added a route for 10.4.10.0 through 10.4.199.254, which means any traffic from 10.4.10.* network will be routed through your 10.4.199.5 interface. Your RADIUS server falls in the network, hence the packet will be trying with that interface

Thanks

NikhiL

PlamenDanov · ‎10-20-2011

I added this route because of default gateway mising for service port. With those routes the controller will back an answer for the request, if i am right. The problem comes without routs. Then comes back trough service port but without gateway they were drop. I am looking for option how to use only management port for RADIUS and managment traffic. Thanks Plamen

Posted from my mobile device.

nikhilcherian · ‎10-20-2011

Gateway is not needed for ur service port

when you add a route to the network A you are saying to use the service port for reaching the network A

Here as you added your route

10.2.100.0 255.255.255.0 10.4.199.254

10.4.10.0 255.255.255.0 10.4.199.254

The controller will be using the service port for reaching the network 10.2.100.0 and 10.4.10.0. If your management interface gateway 10.4.98.254 can reach your RADIUS server 10.4.10.0, I would suggest you to delete existing routes

Thanks

Nikhil

PlamenDanov · ‎10-26-2011

Hi,

You are right Nikhil. Thanks for your support. Actually after removing all static route the interested traffic getting pass trough the management interface. It is strange why those services are not accessible via management interface when when i am in service network but this question is not for this post.

Thanks again for your help!