cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1051
Views
5
Helpful
9
Replies

Help to Cisco WLC 5508 Central Switch Setup

Rafael Rubik
Level 1
Level 1

Hello,

 

i´m trying to deploy a new setup on our wireless network to connect a remote site on our WLC 5508. Due to some rules, we need to setup flexconnect Central Switching, all traffic via Capwap. APs are cisco AIR-AP2802I-Z-K9

 

Central-sw.PNG

 

This is our network topology:
Topology.png

The environment configuration is as follows:

. we have an interface on the FTD firewall (IP 10.4.15.97, vlan 1524, netw 10.4.15.96 / 255.255.255.240 )

. the WLC interface on Nexus is set up like this:
  switchport trunk native vlan xx
  switchport trunk allowed vlan xx, 1524
  switchport mode trunk

. WLC dynamic interface with the following configuration:
vlan: 1524
IP: 10.4.15.98 (Firewall interface is .97)
Mask: 255.255.255.240
Gateway: 10.4.15.97 (Firewall interface ... is correct?)
DHCP: 10.4.8.40 (This is the WLC MNGMNT, I created a dhcp scope to this test. One question: is the Default Routers IP .97 = firewall ? or .98 = dynamic interface? )
 
WLC DHCP Scope:
dhcp.png
. I created a Wlan with the following configuration:
WPA2, PSK
Interface / Interface Group (G) is associated with dinamic interface
no qos
no Policy Mapping
Flexconnect: All disabled
Flex.PNG
 
. And the access point is configured like this:
  Ap mode: Flexconnect
TJ.png
Well, this is the situation:
. The access point is associated with WLC.
. Wlan is on air.
. clients are able to connect.
. clients get the correct IP by WLC internal DHCP.
. clients can ping other clients on this same WLAN.
. clients are able to ping the ip of the dynamic interface .98
. clients do not ping the firewall interface ip .97 and nothing behind
. Firewall rule is permit any any for testing
. clients don't browse anything
. The WLC pings the firewall interface .97
           (Cisco Controller)> ping 10.4.15.97
           Send count = 3, Receive count = 3 from 10.4.15.97

           (Cisco Controller)> ping 10.4.15.97 int_test
           Send count = 3, Receive count = 3 from 10.4.15.97
 
We believe it may be a WLC configuration or an ARP problem due to a bug. Anyone can help?
 
Tks
Rafael
 
9 Replies 9

patoberli
VIP Alumni
VIP Alumni
Test if you hit an MTU issue. You can test that with Ping from an attached client to a host on the other side. Use the "do not fragment" option with the ping and increase the size slowly.
If I understand correctly, your users can connect to the wireless, but they can't use any services. So the authentication is successful?
Do you have correctly configure the routing for both ways?

We don't believe in MTU issues, we can ping nexus normally. Yes, clients connect normally, authentication ok, but there is no connectivity to any service. Routing is ok.

Now, we changed the topology and removed the firewall. It worked ! There is some question of interoperability between FTD and WLC, some question of ARP, we don't know. Could be a bug.

But that's it. Without firewall = everything works.

Are you maybe doing a NAT on the firewall? Or not doing a NAT?

Does the FTD provide a packet tracer, like the ASA does?


NAT is not being performed on the firewall. The FTD has a packet tracer and show ARP requests for that network. We believe that the problem starts here, from the ARP response to WLC.

Can you attach in your datacenter a wired client to the Nexus into the same VLAN as the clients on Wi-Fi? 

Can you ping the Firewall interface?

Your firewall is running in routed mode and not transparent? 

 

WLC interface configuration looks ok. The gateway address must the be IP address of the router of that VLAN, I guess your FTD in your design. 

Hello,
we did these tests a few days ago. Wired laptop works fine on same vlan and ping firewall (FTD) interface (.97). Our FTD is running in routed mode.

Can you try the following, under Wireless - select the AP - Flexconnect, enable "Enable OfficeExtend AP" for a test?

I think there was a bug in specific WLC versions in regards to ARP, but I don't yet think you hit it. What version are you running on the WLC?

Hello,
version is 8.5.151.0. I haven't installed K9-8-5-160-0.aes yet.
Tested "OfficeExtend AP" .. no success.
A question: AP mode is "local" or "flexconnect" ?
tks

Because you already have a VPN working and you want the traffic exited centrally, you could do "local". Local mode does have various latency requirements though and will not work if they are exceeded (for example to much traffic on the VPN connection) and will break the wireless functionality. That's where Flexconnect comes into play.
Review Cisco Networking for a $25 gift card