Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
445
Views
0
Helpful
3
Replies

Can a single WLC (5508) serve two physically separated networks?

magesalexander
Level 1
Level 1

‎05-30-2024 12:28 PM - edited ‎05-31-2024 09:33 AM

I have a main LAN (192.168.0.0/), and I'm creating an isolated subnet (10.10.0.0/) that directly connects to the internet gateway (firewall). Routing between the two is handled by the firewall, and security is the sole, uncompromising priority. This is my hail mary before begrudgingly purchasing another WLC. Topology looks like this:

routes that I don't actually know, but flat network overall <----------------------------------------> WLC 192.168.1.1
|
Firewall <---> internet
|
|vlan 10 access port (vlan 11 stays local to 10.10.0.0/)

L2 core switch <--- fiber trunk vlan 10,11 native 999 ---> L2 access switch (AP connects here)<=====> WLC 10.10.1.3 
|
DHCP server

I was hoping to add two interfaces to the WLC and plug them directly into the isolated network. The ap-manager enabled interface would plug into a vlan 11 access port, and the WLAN interface into a vlan 10 access port--both marked untagged on the WLC. The switchport the AP connects to would be a trunk allowing both. I was thinking this would permit WLC management traffic to and from the AP, but not to the other devices on the subnet, which overwhelmingly connect to vlan 10 access ports.

The APs on the main LAN were basically plug-n-play once the WLC was configured, which is evidently the whole point of the management interface (can't believe I thought that was complicated), but as far as I can tell, excluding the management interface, on a given subnet, you can have an ap-manager OR wlan interface, but not both. An interface cannot be both an ap-manager and wlan interface, and ap-managers are required on all ports if enabled on any port besides the default management interface.

The problem is clear, and while I can carefully route from the AP to the management interface on the main LAN, I'd rather not, and even then, it seems from other threads that I can't "pick" what AP is assigned to what ap-manager. I've tried putting both interfaces on one port and trunking, but it complains about an IP conflict; correct me if I'm wrong, but I think both need ip addresses, so the subnet conflict is unavoidable. I'm able to make two interfaces in the new subnet, but not one of each. Unfortunately, it seems contact with the management interface in the main LAN is unavoidable without another WLC.

Is there something I'm missing, or is this just not possible? The interface limitations seems arbitrary, but I have zero idea how the thing works. I'm willing to compromise (and carefully route to the WLC in the main LAN), but I'm an intern, so time is limited and complexity inevitably detracts from security.

Thanks

0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎05-30-2024 11:02 PM

May be me that was not clear - why you like to connect to WLC ? is this subnet both looking to accommodate on Wireless clients with different SSID or single SSID ?

you should avoided using WLC (because its meant to service only for Wireless related) - not to complicate.

Rather test diagram if would nice if you can produce graphic diagram how they are connected, there may be better way to achieve what you looking to do, instead of using WLC.

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

magesalexander
Level 1
Level 1
In response to balaji.bandi

‎05-31-2024 06:54 AM

I'm using Aironet 2802 access points, and I'm only familiar with configuring them via a WLC. The new subnet will have one SSID and only two APs, but this number will increase substantially over time. Is there a relatively simple autonomous mode that could provide single-ssid connectivity for multiple APs without a WLC (seamless handoff is a requirement for our warehouse environment)? In addition, I'd like to make it somewhat simple for new access points to be added when I'm gone, and the WLC makes it trivial.

It seems the "correct" solution is to buy a WLC for the new network, but I wanted to make sure that I was correct in my understanding before doing so (that I can't have both a wlan and ap-manager on two separate networks), and I'm absolutely open to other ideas--I thought the WLC was the only way.

Thanks for your help!!!

0 Helpful

Rich R
VIP
VIP
In response to magesalexander

‎08-04-2024 03:50 PM - edited ‎08-04-2024 03:51 PM

Just picking up on this thread now so it might be too late for you by now @magesalexander 

You definitely do not need another WLC just to support an extra subnet.

- The AP management interface (vlan) is purely for the CAPWAP tunnels between the APs and the WLC.
- The client VLAN interfaces for centrally switched WLANs (also called dynamic interface) must be configured on the WLC.
- These can all be on the same trunked port. Read this as a starting point: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/initial_setup.html

Fig 2 here summarises it: https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/ports_and_interfaces.html#WLANs

In fact you might not even need to bring the VLAN back to the WLC at all - you can use Flexconnect mode and configure the WLAN for local switching then break it out directly onto the VLAN on the AP switch port.  This requires the AP switch port to have trunking enabled but the management vlan must always be the native (untagged) vlan on the switch port.

To configure a different set of SSIDs on some APs create AP groups then place the APs into the required AP group and they get the SSIDs configured for that group.  The WLAN IDs must be >16.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/config-guide/b_cg85/configuring_ap_groups.html

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card