Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
657
Views
0
Helpful
5
Replies

Cisco vWLC Web-Access from different VLAN

florian.hanig1
Level 1
Level 1

‎02-04-2021 11:40 PM - edited ‎07-05-2021 01:11 PM

Hi Guys,

 

i recently setup a vWLC.

 

The Mgmt Interface with Access to Web-Gui and CLI is VLAN 99 (Net 10.0.99.0/24, Gateway 10.0.99.1)

I have another VLAN 10 (Net 10.0.10.0/24, Gateway 10.0.10.1).

 

So i just configured my Firewall to permit Data from VLAN 10 to 99.

For other Devices like Switches, which are in MGMT Vlan, it work.

 

But I cant access to vWLC Web-Gui or CLI, if I'm in VLAN 10.

I think its a routing issue on vWLC Side...

 

The vWLC has 2 Interfaces an one interface is the vlan 10 interface.

If I remove vlan 10 interface from vWLC, the acesss works from VLAN10 to 99.

 

So what can I do to do this ?

Labels:
0 Helpful
5 Replies 5

Ric Beeching
Level 7
Level 7

‎02-05-2021 12:13 AM

Hi Florian,

 

You may be experiencing routing asymmetry as your client will go from VLAN 10 -> VLAN 99 -> WLC but when the WLC sees the source IP of VLAN 10, it will get confused as it has an interface in that subnet and try to go WLC -> VLAN10

 

On the vWLC, issue the command config network mgmt-via-dynamic-interface enable then access the GUI via its VLAN 10 interface.

 

Cheers,

Ric

-----------------------------
Please rate helpful / correct posts
0 Helpful

florian.hanig1
Level 1
Level 1
In response to Ric Beeching

‎02-05-2021 02:35 AM

Yes, that works...

 

But i want to enable the WLC mgmt only for special clients in vlan 10...

 

0 Helpful

Ric Beeching
Level 7
Level 7
In response to florian.hanig1

‎02-05-2021 03:52 AM

Then the 'easiest' way would be to reserve the IP of those clients and create a CPU ACL on the WLC to allow only those clients access to the interface.

 

Warning though, CPU ACLs can be a bit of a headache and you may end up locking yourself out of the WLC if doing remote work.

 

Personally I would try and resolve this by re-jigging your VLAN/Subnet setup.

 

Cheers

Ric

-----------------------------
Please rate helpful / correct posts
0 Helpful

Scott Fella
Hall of Fame
Hall of Fame
In response to Ric Beeching

‎02-05-2021 08:32 AM

I agree with Ric... be very careful when you are messing around with the CPU acl.  This can be done, but your better off testing in a lab environment where you can just reload the controller if you get locked out. 

-Scott
*** Please rate helpful posts ***
0 Helpful

florian.hanig1
Level 1
Level 1
In response to Scott Fella

‎02-05-2021 11:00 AM

Can anyone please share the commands to permit only Net 10.0.99.0/24 and a Single IP: 10.0.9.5 to the Web-Gui.. ?

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card