01-22-2014 11:13 PM - edited 07-05-2021 12:01 AM
Hi,
I am setting up a WiFi FlexConnect solution and am a bit confused regarding what the default gateway should be for the dynamic interfaces which will be created.
Will it be the same as the one for the management interface, or will it be the one for the clients?
controller ip 172.16.1.100/24
default-gateway 172.16.1.254
vlan 10
dynamic interface 192.168.1.10/24
default-gateway ?????
vif for this vlan on switch 192.168.1.254
default-gateway for clients 192.168.1.254
Kindly suggest.
Thanks
01-23-2014 12:09 AM
Hi Sandeep,
As per my experience,
You cannot ping the dynamic interface of the WLC from the switch.
The management interface is the only consistently pingable interface.
Hope it helps.
Regards
Don't forget to rate helpful posts
01-23-2014 02:24 AM
Yes, in FlexConnect local switching mode you do not require a dynamic interface on your WLC (as traffic will never hit there).
As long as you configure the branch L3 switch with the required SVI and your FlexConnect AP with the correct VLAN mapping, that's it.
When creating a WLAN, since it requires an interface to map to, you can either create a dummy dynamic interface (which is not routable in your network) or simply assign the management interface.
NB: If you have a mix of local mode and FlexConnect mode APs on this controller using the same WLAN, then you need to have a dynamic interface for the local mode AP users to get an IP from. In this scenario, the FlexConnect AP still goes for the branch VLAN mapping rather than using the WLC dynamic interface (because of FlexConnect local switching).
HTH
Rasika
**** Pls rate all useful responses ****
01-23-2014 03:13 PM
Hi Sandeep,
Here is some work I did when I studied for my CCIEW lab exam. It is based on ACS 5.2 and should not have much difference to 5.4, and it may be helpful to get you started.
http://mrncciew.com/2013/03/03/peap-eap-fast-with-acs-5-2/
Then try to absorb the things provided in George's link, as it has a great resource pool.
HTH
Rasika
**** Pls rate all useful responses ****
02-25-2014 01:11 AM
Yes, if you haven't installed certs on ACS, you have to do that first.
Here is all you need for this (explained well by Jerome in his YouTube videos). Go through these many times until you understand and get it done (that's what I did when I learned those).
http://wirelessccie.blogspot.com.au/2009/10/eap-tls-and-peap-configurations.html
HTH
Rasika
**** Pls rate all useful responses ****
02-25-2014 01:46 AM
Hi Sandeep,
No, you do not need to install certificates on the WLC and LWAPs.
If you are doing PEAP, certs need to be installed on ACS (Authentication Server).
If you are doing EAP-TLS, then you need to install certs on the client as well (Supplicant).
In certain cases, if you use the WLC as the authentication server (e.g. local EAP-TLS on the WLC), then you need to install a cert on the WLC as it acts as the Authentication Server.
So if you have installed certs on ACS correctly, that should be enough. Make sure on the client side you choose PEAP and use the correct credentials. You can go to "Monitoring & Reports > Launch Monitoring & Report Viewer > Catalog > AAA Protocol" in ACS and get the exact reason for the client authentication failure.
HTH
Rasika
**** Pls rate all useful responses ****
02-25-2014 06:16 AM
You don't have a radius server?
Thanks,
Scott
*****Help out others by using the rating system and marking answered questions as "Answered"*****
02-26-2014 10:15 AM
The client gets authenticated now, but in the ACS logs the protocol is PEAP and not EAP-TLS.
For EAP-TLS, you have to install certificates on the client PC and use EAP-TLS as the EAP method when connecting to wireless. On ACS you need to configure a policy/rule for when to use EAP-TLS.
If you are using the WLC as the Auth Server, then it is required to install a cert on the WLC. The post below explains the EAP cert installation process on the WLC.
http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/
HTH
Rasika
**** Pls rate all useful responses ****
01-22-2014 11:34 PM
The dynamic interface gateway should be 192.168.1.254 as per your configuration (which is the SVI of the local switch).
If you create another dynamic interface (like 192.168.20.10), then the gateway for that should be 192.168.20.254 (if that is the SVI on your switch).
The gateway should always be an IP in the same subnet.
HTH
Rasika
**** Pls rate all useful responses ****
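As an added illustration of the same-subnet rule in the reply above (example code, not from the thread or from Cisco), the following audit walks a constructed WLC interface table built from the addresses quoted in the question and flags any interface whose gateway is not a usable host address inside its own subnet. The table, the function names and the deliberately wrong "vlan30" row are my own assumptions.

```python
# Added example: verify that each WLC interface's default gateway lies in
# that interface's own subnet, the rule given for dynamic interfaces.
import ipaddress

# Constructed sample table: (interface name, VLAN, address/prefix, gateway).
# The first three rows mirror the thread; the last row copies the management
# gateway onto a dynamic interface, the option the original poster asked about.
INTERFACES = [
    ("management", 0,  "172.16.1.100/24",  "172.16.1.254"),
    ("vlan10",     10, "192.168.1.10/24",  "192.168.1.254"),
    ("vlan20",     20, "192.168.20.10/24", "192.168.20.254"),
    ("vlan30",     30, "192.168.30.10/24", "172.16.1.254"),
]


def check_gateway(address: str, gateway: str) -> str:
    """Return 'ok', or a short reason why this gateway cannot serve this interface."""
    iface = ipaddress.ip_interface(address)
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        return f"gateway {gw} is outside {iface.network}"
    if gw == iface.ip:
        return "gateway equals the interface address"
    if gw in (iface.network.network_address, iface.network.broadcast_address):
        return "gateway is the network or broadcast address"
    return "ok"


def audit(interfaces=INTERFACES) -> dict:
    """Map each interface name to its check result."""
    return {name: check_gateway(addr, gw) for name, _vlan, addr, gw in interfaces}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name:12s} {result}")
```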
01-22-2014 11:50 PM
Thanks for the reply.
Also, I am not able to ping the IP address of the dynamic interface on the controller with the switch VIF as the source.
What would be the issue, and will it impact services?
And if yes, how do I resolve it?
01-23-2014 12:08 AM
Are you trunking VLAN 10? The WLC needs to be connected to a trunk port with the VLANs that are defined on the WLC.
Sent from Cisco Technical Support iPhone App
01-23-2014 12:08 AM
Hi Sandeep,
Can you post the below output from your SW & WLC?
WLC
show interface detailed management
show interface detailed
SW
show run int Gx/x <- Gx/x is where the WLC is connected
HTH
Rasika
**** Pls rate all useful responses ****
01-23-2014 12:13 AM
Hi Sandeep Choudhary,
That is not correct; you should be able to ping the dynamic interface of your controller from the switch.
Rasika
01-23-2014 12:15 AM
Hi Rasika,
Thanks for correcting me.
But even though I tried many times, I still did not find any reason why I am not able to ping; maybe my firewall blocked ICMP for this VLAN...?
Regards
01-23-2014 12:17 AM
Yes, if you are not able to ping, something is blocking that ICMP.
Try it in your study lab (if available), as this is a very basic troubleshooting tip for your CCIEW.
HTH
Rasika
01-23-2014 12:19 AM
Thanks. I usually do my practice in my company's test lab and I don't have rights to touch the firewall.
So I must ask my security colleagues about this.
I will remember this.
Regards
01-23-2014 01:37 AM
Thanks guys.
I am configuring the LWAP in FlexConnect mode.
The switchport (connected to the WLC) is configured as a trunk.
Just pondering how a ping to the dynamic interface should work.
Looks like a VPLS concept.
Also, please go through the image to understand my scenario a bit better.
01-23-2014 01:55 AM
Did you configure FlexConnect local switching or central switching? If it is local switching, then your SVI is to be defined on your branch L3 switch (if it is central switching, then you can define it at your HQ).
If it is FlexConnect, did you configure the correct VLAN mapping? This configuration guide should help you if you are running WLC 7.4.x code.
If you provide the output requested, we can help you better.
HTH
Rasika
**** Pls rate all useful responses ****
01-23-2014 02:05 AM
Thanks Rasika,
I have enabled FlexConnect in local switching mode and the VLAN mappings are also correct; I have cross-checked many times.
The SVI is also configured on the branch L3 switch.
The APs are registered and working fine; it's just that the dynamic interfaces are not pinging.
I can't log in to the controller at this moment, so the output cannot be published; however, the switchport config is surely
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
01-23-2014 02:12 AM
If it is FlexConnect local switching, can you ping the branch L3 switch SVI from a client who gets an IP on this WLAN? In this scenario all user traffic terminates at the branch switch and no data traffic comes to the WLC at all.
So the WLC dynamic interface is not relevant (actually you cannot have the WLC dynamic interface on the same subnet as the branch L3 switch SVI, as those two are connected over the WAN). You can put it on any dummy interface or the management interface on the WLC.
HTH
Rasika
**** Pls rate all useful responses ****
01-23-2014 02:22 AM
This looks quite clear.
Yes, the clients are able to ping the SVI but not the dynamic interface.
So you mean to say it's not mandatory to create the dynamic interface on the WLC when the AP is in FlexConnect mode, or is it that dynamic interfaces are not required at all and the WLANs can be mapped to the management interface?