How to specify which interface is used for management or user service

Hi all;

When configuring interfaces and their roles in C9800, how can I force the WLC to not use SP for only OOB purpose and WMI for wireless user traffic servicing? In other words, how WLC forces to not use its SP for AAA negotiation with RADIUS server?

Thanks


marce1000
Hall of Fame

 - Such questions require  a 'valid WHY' = ?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Scott Fella
Hall of Fame

Just to add to what @marce1000 mentioned, it's important to review the intended use and capabilities of the Service Port. Understanding of Cisco's recommended implementation practices is essential to design and have a supportable network infrastructure. I know folks always ask "why", maybe because other vendors implement theirs in a different way, but again, you still need to follow what the vendor recommends. Can things change, sure... will it, who knows.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Useoftheserviceport

-Scott

Thanks for your reply;

Although the link you mentioned helped me understand the topic more, I found a better explanation, as follows:

The WMI is the mandatory Layer 3 interface (physical interface or an SVI) on the Catalyst 9800 (there is only one WMI on the controller). It is used for all communications between the controller and APs. Also, it is used for all CAPWAP or inter-controller mobility messaging and tunneling traffic. WMI is also the default interface for in-band management and connectivity to enterprise services, such as AAA, SYSLOG, SNMP, etc. You can use the WMI IP address to remotely connect to the device using SSH, Telnet, or access the controller’s GUI using HTTP or HTTPS.

Rich R
VIP

I'm still not clear exactly what you were trying to ask @rezaalikhani with multiple double negatives in your questions but the important point is that the SP is in a separate VRF and early versions of 9800 had very limited VRF support so initially it was really just SSH which could be supported on SP.  Since then successive versions have increased support for other features on SP in VRF - these are mentioned in the release notes for the relevant versions.  Note that telemetry features only work through WMI, not SP.

For example:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html#whats-new-17122

What's New in Cisco IOS XE Dublin 17.12.2

From this release, Layer 2 VRF is also supported with WGB, RADSEC, and TRUSTSEC capabilities. However, RLAN is not supported with VRF. For more information, see Remote LANs.

What's New in Cisco IOS XE Dublin 17.12.1

VRF Support

From this release, Virtual Routing and Forwarding (VRF) is supported.

For more information, see VRF Support.

"how WLC forces to not use its SP for AAA negotiation with RADIUS server?"
In your AAA configuration you can specify both source interface and VRF for the server.
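
An added example, not part of the posts above or of Cisco's documentation: a small audit that reads the `aaa group server radius` blocks from a saved running-config and reports which source interface and VRF each group pins. The sample config is constructed, and the group names, `Vlan100` as the WMI, and `GigabitEthernet0` in VRF `Mgmt-intf` as the SP are assumptions to adjust for your controller.

```python
import re

# Constructed sample config (not from the thread). Group, server, interface
# and VRF names are assumptions for illustration.
SAMPLE_CONFIG = """\
aaa group server radius RAD-WMI
 server name ISE-1
 ip radius source-interface Vlan100
!
aaa group server radius RAD-OOB
 server name ISE-1
 ip vrf forwarding Mgmt-intf
 ip radius source-interface GigabitEthernet0
!
aaa group server radius RAD-DEFAULT
 server name ISE-1
!
"""

GROUP_RE = re.compile(r"^aaa group server radius (\S+)\s*$")
SRC_RE = re.compile(r"^\s+ip radius source-interface (\S+)")
VRF_RE = re.compile(r"^\s+ip vrf forwarding (\S+)")

def radius_group_sources(config):
    """Return {group: {"source": interface or None, "vrf": vrf or None}}."""
    groups, current = {}, None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), {"source": None, "vrf": None})
        elif not line.startswith(" "):
            current = None  # any unindented line ends the group block
        elif current is not None:
            if (s := SRC_RE.match(line)):
                current["source"] = s.group(1)
            elif (v := VRF_RE.match(line)):
                current["vrf"] = v.group(1)
    return groups

def audit(config, sp_interface="GigabitEthernet0", sp_vrf="Mgmt-intf"):
    """Label each group 'service-port', 'explicit' or 'unpinned'."""
    verdicts = {}
    for name, g in radius_group_sources(config).items():
        if g["source"] == sp_interface or g["vrf"] == sp_vrf:
            verdicts[name] = "service-port"
        else:
            verdicts[name] = "explicit" if g["source"] else "unpinned"
    return verdicts
```

Groups reported as `unpinned` set no source interface of their own, so they are the ones to review when RADIUS traffic must be tied to the WMI.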
