Default-gateways for dynamic interfaces on 2504 controller

Sandeep Verma
Level 1

Hi,

I am setting up a wifi FlexConnect solution and am a bit confused regarding what should be the default gateway for the dynamic interfaces which will be created.

Will it be the same as the one for the management interface, or will it be the one for the clients?

controller ip  172.16.1.100/24

default-gateway  172.16.1.254

vlan 10

dynamic interface 192.168.1.10/24

default-gateway    ?????

vif for this vlan on switch 192.168.1.254

default-gateway for clients  192.168.1.254

Kindly suggest.

Thanks

7 Accepted Solutions

Hi Sandeep,

As per my experience,

You can not ping the dynamic interface of WLC from Switch.

Management interface is the only consistently pingable interface.

Hope it helps.

Regards

Don't forget to rate helpful posts

Yes, in FlexConnect local switching mode you do not require a dynamic interface on your WLC (as client traffic will never hit there).

As long as you configure the branch L3 switch with the required SVI & your FlexConnect AP with the correct vlan mapping, that's it.

When creating a WLAN, since it requires an interface to map to, you can either create a dummy dynamic interface (which is not routable in your network) or simply assign the management interface.

NB: If you have a mix of Local mode & FlexConnect mode APs on this controller using the same WLAN, then you need to have a dynamic interface for the local mode AP users to get an IP from. In this scenario, FlexConnect APs still go for the branch vlan mapping rather than using the WLC dynamic interface (because of FlexConnect local switching).

HTH

Rasika

**** Pls rate all useful responses ****


Hi Sandeep,

Here is some work I did when I studied for my CCIEW lab exam. It is based on ACS 5.2 & should not have much difference to 5.4 & may be helpful to get you started.

http://mrncciew.com/2013/03/03/peap-eap-fast-with-acs-5-2/

Then try to absorb the things provided by George's link as it has a great resource pool.

HTH

Rasika

**** Pls rate all useful responses ****

Yes, if you haven't installed certs on ACS, you have to do that first.

Here is all you need for this (explained well by Jerome in his YouTube videos). Go through these many times until you understand & get it done (that's what I did when I learned those).

http://wirelessccie.blogspot.com.au/2009/10/eap-tls-and-peap-configurations.html

HTH

Rasika

**** Pls rate all useful responses ****

Hi Sandeep,

No, you do not need to install certificates on the WLC & LWAPs.

If you are doing PEAP, certs need to be installed on ACS (Authentication Server).

If you are doing EAP-TLS then you need to install certs on the client as well (Supplicant).

In certain cases, if you use the WLC as authentication server (eg local EAP-TLS on WLC), then you need to install a cert on the WLC as it acts as Authentication Server.

So if you have installed certs on ACS correctly, that should be enough. Make sure on the client side you choose PEAP & use correct credentials. You can go to "Monitoring & Reports > Launch Monitoring & Report Viewer > Catalog > AAA Protocol" on ACS & get the exact reason for the client authentication failure.

HTH

Rasika

**** Pls rate all useful responses ****


You don't have a radius server?

Thanks,

Scott

*****Help out other by using the rating system and marking answered questions as "Answered"*****

-Scott
*** Please rate helpful posts ***


Client gets authenticated now but on ACS logs the protocol is PEAP and not EAP-TLS.

For EAP-TLS, you have to install certificates on the client PC & use EAP-TLS as the EAP method when connecting to wireless. On ACS you need to configure a policy/rule for when to use EAP-TLS.

If you are using the WLC as Auth Server, then it is required to install a cert on the WLC. The post below explains the EAP cert installation process on the WLC.

http://mrncciew.com/2013/04/22/configuring-eap-tls-on-wlc/

HTH

Rasika

**** Pls rate all useful responses ****

35 Replies

The dynamic interface gateway should be 192.168.1.254 as per your configuration (which is the SVI of the local switch).

If you create another dynamic interface (like 192.168.20.10) then the gateway for that should be 192.168.20.254 (if that is the SVI on your switch).

The gateway should always be an IP in the same subnet.

HTH

Rasika

**** Pls rate all useful responses ****

Thanks for the reply.

Also I am not able to ping the IP address of the dynamic interface on the controller with the switch VIF as source.

What would be the issue, and will it impact services?

And if yes, how to resolve it?

Are you trunking VLAN 10? The WLC needs to be connected to a trunk port with the VLANs that are defined on the WLC.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
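The two rules stated above (Rasika: the gateway must live in the dynamic interface's own subnet; Scott: every VLAN used by a WLC interface must be carried on the trunk) are easy to get wrong by copying the management gateway into a new dynamic interface, which is exactly what the original question was about. The following is an added example, not code from this thread or from Cisco: a small offline audit written in Python's standard library that models the WLC interfaces and the upstream trunk port and reports violations of both rules plus overlapping subnets. The addresses are the thread's own; the VLAN 20 interface, the trunk port name and its allowed-VLAN list are constructed to show a failure.

```python
"""Offline sanity checks for WLC dynamic interfaces against the upstream trunk.

Added example (not Cisco code). Models only the fields the thread discusses:
interface address/prefix, gateway, 802.1Q tag, and the switch trunk's VLANs.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface
from itertools import combinations


@dataclass
class WlcInterface:
    name: str
    vlan: int        # 802.1Q tag on the WLC port; 0 means untagged (native VLAN)
    address: str     # "ip/prefixlen" as configured on the WLC
    gateway: str


@dataclass
class TrunkPort:
    name: str
    native_vlan: int
    allowed_vlans: set = field(default_factory=set)


def check_gateway(intf):
    """Rule 1: the gateway must be a different host inside the interface's own subnet."""
    iface = ip_interface(intf.address)
    gw = ip_address(intf.gateway)
    if gw not in iface.network:
        return [f"{intf.name}: gateway {gw} is not in subnet {iface.network}"]
    if gw == iface.ip:
        return [f"{intf.name}: gateway equals the interface address"]
    return []


def check_trunk(intfs, trunk):
    """Rule 2: every tagged VLAN used by a WLC interface must be allowed on the trunk.
    An untagged (vlan 0) interface rides the trunk's native VLAN and is not checked."""
    problems = []
    for intf in intfs:
        if intf.vlan and intf.vlan not in trunk.allowed_vlans:
            problems.append(f"{intf.name}: VLAN {intf.vlan} is not allowed on {trunk.name}")
    return problems


def check_subnets(intfs):
    """Two WLC interfaces must not share or overlap a subnet."""
    problems = []
    for a, b in combinations(intfs, 2):
        if ip_interface(a.address).network.overlaps(ip_interface(b.address).network):
            problems.append(f"{a.name} and {b.name}: overlapping subnets")
    return problems


def audit(intfs, trunk):
    """Run all checks and return the list of problems (empty means clean)."""
    problems = []
    for intf in intfs:
        problems += check_gateway(intf)
    problems += check_trunk(intfs, trunk)
    problems += check_subnets(intfs)
    return problems


# Constructed sample: the thread's addresses plus one deliberate mistake
# (the management gateway copied into a new dynamic interface, and its VLAN
# never added to the trunk's allowed list).
MANAGEMENT = WlcInterface("management", 0, "172.16.1.100/24", "172.16.1.254")
VLAN10 = WlcInterface("vlan10", 10, "192.168.1.10/24", "192.168.1.254")
VLAN20_BAD = WlcInterface("vlan20", 20, "192.168.20.10/24", "172.16.1.254")
TRUNK = TrunkPort("GigabitEthernet1/0/1", native_vlan=1, allowed_vlans={1, 10})

if __name__ == "__main__":
    for problem in audit([MANAGEMENT, VLAN10, VLAN20_BAD], TRUNK):
        print(problem)
```

Running it prints two findings for `vlan20` (gateway outside 192.168.20.0/24, and VLAN 20 missing from the trunk) and nothing for the management and VLAN 10 interfaces, which match the configuration Rasika recommended.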

Hi Sandeep,

Can you post the below output from your SW & WLC?

WLC

show interface detailed management

show interface detailed <- where 192.168.1.10 is configured

SW

show run int Gx/x <- Gx/x is where the WLC is connected

HTH

Rasika

**** Pls rate all useful responses ****

Hi Sandeep,

As per my experience,

You can not ping the dynamic interface of WLC from Switch.

Management interface is the only consistently pingable interface.

Hope it helps.

Regards

Don't forget to rate helpful posts

Hi Sandeep Choudhary,

That is not correct, you should be able to ping the dynamic interface of your controller from the switch.

Rasika

Hi Rasika,

Thanks for correcting me.

But even though I tried many times, still I did not find any reason why I am not able to ping; maybe my firewall blocked ICMP for this vlan...?

Regards

Yes, if you are not able to ping, something is blocking that ICMP.

Try it in your study lab (if available) as this is a very basic troubleshooting tip for your CCIEW.

HTH

Rasika

Thanks.. I usually do my practice in my company test lab and I don't have rights to touch the firewall.

So I must ask my security colleagues about this.

I will remember this

Regards

Thanks guys.

I am configuring the LWAP in FlexConnect mode.

The switchport (connected to the WLC) is configured as Trunk.

Just pondering how a ping to the dynamic interface should work.

Looks like a VPLS concept.

Also please go through the image to understand my scenario a bit better.

[attached image: Untitled.png]

Did you configure FlexConnect Local switching or Central switching? If it is local switching, then your SVI needs to be defined on your branch L3 switch (if it is central switching then you can define it at your HQ).

If it is FlexConnect, did you configure the correct vlan mapping? This configuration guide should help you if you are running WLC 7.4.x code:

http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/consolidated/b_cg74_CONSOLIDATED_chapter_010001101.html

If you provide the output requested we can help you better.

HTH

Rasika

**** Pls rate all useful responses ****

Thanks Rasika,

I have enabled FlexConnect in local switching mode and the VLAN mappings are also correct; I have cross-checked many times.

The SVI is also configured on the branch L3 switch.

APs are registered and working fine, it's just that the dynamic interfaces are not pinging.

I can't log in to the controller at this moment so the output cannot be published; however, the switchport config is surely:

switchport trunk encapsulation dot1q

switchport mode trunk

switchport nonegotiate

If it is FlexConnect local switching, can you ping the branch L3 switch SVI from a client who gets an IP on this WLAN? In this scenario all user traffic terminates at the branch switch & no data traffic comes to the WLC at all.

So the WLC dynamic interface is not relevant (actually you cannot have a WLC dynamic interface on the same subnet as the branch L3 switch SVI, as those two are connected over the WAN). You can map the WLAN to any dummy interface or the management interface on the WLC.

HTH

Rasika

**** Pls rate all useful responses ****

This looks quite clear.

Yes, the clients are able to ping the SVI but not the dynamic interface.

So you mean to say it's not mandatory to create the dynamic interface on the WLC when the AP is in FlexConnect mode, or is it that dynamic interfaces are not required at all and the WLANs can be mapped to the management interface?