06-13-2019 05:25 AM - edited 07-05-2021 10:33 AM
I'm actually trying to set up a WLC 5520 Wireless Controller to manage my Aironet APs on two different (isolated) physical networks.
WLANs on network 1 are only linked to VLANs on network 1, and WLANs on network 2 are only linked to VLANs on network 2.
These networks can't be directly interconnected.
I have the management interface + a dynamic AP management interface on port 1 (network 1, VLAN 1), and a dynamic AP management interface on port 2 (network 2, VLAN 2).
The problem is that on network 2, APs can't communicate with the AP manager on network 1, and vice versa.
I understand that the discovery process requires access to the management interface, so I made a route for network 2 to access it.
I can't manage all my APs on a single interface or route traffic between the networks, for the evident network traffic issues you can see on the diagram.
So, I don't want APs to be load balanced between the two AP managers, but to choose manually (or automatically by IP) which AP goes on which AP manager.
Here is the diagram:
I hope someone can help me. Thank you for reading, have a nice day
I'm sorry, my English is a bit rusty. If you don't understand something, do not hesitate to ask me for details.
06-13-2019 07:33 AM
I don't think you need the route to the management interface.
The management interface is by default also enabled for AP management, but you use specific AP-manager interfaces.
If the specific AP-manager-enabled interface is reachable, this should do!
You can configure the controller discovery using DHCP or DNS:
DHCP: option 43, different for the two subnets.
DNS: use a different domain name for each VLAN and a different DNS record in each domain for
"CISCO-CAPWAP-CONTROLLER.local-domain" or "CISCO-LWAPP-CONTROLLER.local-domain".
But I guess you made a mistake in the use of the Ethernet ports.
By default they are meant to be used as LAG interfaces to the same network;
your setup suggests you need independent interfaces to two independent switches?
If this is a physical separation, then you have a challenge.
If this is separation by VLAN, then you can use LAG to connect to the same switch.
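The DHCP option 43 approach mentioned above, as an added example that is not part of the original thread or any Cisco tool: it encodes a list of controller addresses into Cisco's vendor sub-option 0xf1 (one length byte, then four raw bytes per IPv4 address), decodes a payload back so you can verify what a DHCP server actually hands out, and renders the ISC dhcpd stanza. The addresses are constructed.

```python
import ipaddress

# Cisco's vendor-specific sub-option inside DHCP option 43 that carries the
# WLC management addresses used for CAPWAP/LWAPP controller discovery.
CAPWAP_CONTROLLER_SUBOPTION = 0xF1


def build_option43(controllers):
    """Return the option 43 payload for the given controller IPv4s as a hex string.

    Layout: one byte sub-option type (0xf1), one byte length (4 * number of
    addresses), then each IPv4 address as four raw bytes.
    """
    packed = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    return bytes([CAPWAP_CONTROLLER_SUBOPTION, len(packed)]).hex() + packed.hex()


def parse_option43(hex_payload):
    """Decode an option 43 payload back into the list of controller addresses.

    Raises ValueError on a malformed payload (wrong sub-option, length byte
    that is not a multiple of 4, or truncated/extra bytes).
    """
    data = bytes.fromhex(hex_payload)
    if len(data) < 2 or data[0] != CAPWAP_CONTROLLER_SUBOPTION:
        raise ValueError("payload does not start with sub-option 0xf1")
    length = data[1]
    if length % 4 != 0 or len(data) != 2 + length:
        raise ValueError("length byte does not match an IPv4 address list")
    body = data[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def isc_dhcpd_stanza(controllers):
    """Render the payload in ISC dhcpd's colon-separated hex syntax."""
    raw = build_option43(controllers)
    pairs = ":".join(raw[i:i + 2] for i in range(0, len(raw), 2))
    return "option vendor-encapsulated-options " + pairs + ";"


if __name__ == "__main__":
    # Constructed addresses: each subnet gets its own option 43 value, so each
    # AP population is pointed at the controller address reachable from it.
    plan = {"network 1": ["192.0.2.10", "192.0.2.11"], "network 2": ["192.0.2.10"]}
    for subnet, ctrls in plan.items():
        payload = build_option43(ctrls)
        print(subnet, payload, parse_option43(payload), isc_dhcpd_stanza(ctrls), sep="\n  ")
```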
06-13-2019 07:57 AM - edited 06-13-2019 08:03 AM
First of all, thank you for your answer.
Yes, they are physically separated networks.
I already know how an AP discovers the controller. The discovery request must go to the management interface.
On my network 1 it's done by broadcast, on my network 2 via DHCP option 43 (already set; the AP gets the management interface address).
From network 2, I need a route to it, because it cannot contact it directly.
Once it has contacted the management interface, the AP gets the list of all dynamic AP managers, and then joins one it has automatically selected (considering its load).
Once my APs in network 2 have contacted the management interface and discovered the dynamic AP managers' list, I want them to associate with a dynamic AP manager of their own network, instead of randomly balancing the load between both ports (and so both physical networks).
"your setup suggests you need independent interfaces to two independent switches?" Yes
"If this is a physical separation, then you have a challenge" :'(
06-14-2019 12:25 AM
"If this is a physical separation, then you have a challenge"
-> Do not fear, there are possibilities. Look at the section in this document:
To connect the WLC to more than one switch, you must create an AP manager for each physical port and disable LAG. This provides redundancy and scalability. It is not supported to have a WLC with a port up, without a corresponding AP manager interface.
And read the section on prefer mode in this document:
If an AP, with a configured prefer-mode, tries to join the controller and fails, then it will fall back to choose AP-manager of the other transport and joins the same controller. When both transports fail, AP will move to next discovery response.
06-14-2019 12:59 AM
06-14-2019 05:15 AM - edited 06-14-2019 05:49 AM
"If an AP, with a configured prefer-mode, tries to join the controller and fails, then it will fall back to choose AP-manager of the other transport and joins the same controller. When both transports fail, AP will move to next discovery response."
So, I just tried to put my AP group (+ global mode) in IPv4 (also tried with IPv6) preferred mode.
Then, I re-enabled my AP manager interface in the other network, and rebooted an AP.
It still loops in the discovery phase, and keeps selecting the less loaded AP manager, not trying to join the other one.
I think the AP just tries to contact the same AP manager, first by the selected preferred mode (IPv4), then by the other if available.
06-14-2019 06:08 AM
Just to make sure: you rebooted the controller after disabling LAG?
"A controller that supports link aggregation (LAG) can go into a LAG-in-Transition (LAT) mode during transition between LAG to non-LAG mode or vice-versa. The transition is complete only when the controller is rebooted. "
06-17-2019 05:03 AM - edited 06-17-2019 06:23 AM
It has always been disabled, and I tried rebooting both controllers at least 2-3 times :)
What I need is to choose which AP goes on which AP manager.
I did a Wireshark capture to see the exchanges between the AP and the controller during the discovery/join phases.
In fact, the AP contacts the management interface and gets a list of all dynamic AP managers with their load (Discovery phase).
Then it chooses the less loaded one itself, and establishes a connection to it (Join phase).
If it fails (because an AP can't reach an AP manager that is not in its network), it goes back to discovery, gets the list, chooses the same bad less-loaded AP manager, can't reach it, loops to discovery, and so on....
I think I'm going to have to do some IP/packet spoofing to force it to join the AP manager I want.
Edit: I think what you don't get is that dynamic AP managers and the management interface are not the same thing. Even if the management interface can be a dynamic AP manager, it has its own role (Discovery = establish first contact between AP and controller, and distribute the list of AP managers).
"Before an access point joins a controller, it sends out a discovery request. From the discovery response that it receives, the access point can tell the number of AP-manager interfaces on the controller and the number of access points on each AP-manager interface. The access point generally joins the AP-manager with the least number of access points. In this way, the access point load is dynamically distributed across the multiple AP-manager interfaces." Source
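The discovery/join loop described in this post and in the quoted Cisco text, as an added model that is not part of the thread or of any Cisco software: the AP always takes the AP-manager with the fewest APs from the discovery response, and because a failed join only returns it to discovery, an AP that cannot reach that interface picks the same one every round. The manager names, networks and loads are constructed; `pick_in_own_network` models the behaviour the poster wants, not what the controller does.

```python
from dataclasses import dataclass


@dataclass
class ApManager:
    name: str       # AP-manager interface name on the WLC
    network: str    # which physical network the interface's port sits on
    ap_count: int   # load advertised in the discovery response


def pick_least_loaded(managers):
    """Selection rule from the quoted doc: join the AP-manager with the fewest APs."""
    return min(managers, key=lambda m: m.ap_count)


def pick_in_own_network(ap_network, managers):
    """What the poster wants: restrict the choice to reachable (same-network) managers."""
    reachable = [m for m in managers if m.network == ap_network]
    return pick_least_loaded(reachable) if reachable else None


def simulate_join(ap_network, managers, max_rounds=5):
    """Replay discovery/join rounds for an AP that can only reach its own network.

    Returns (outcome, attempts): outcome is 'joined' or 'loop', attempts lists
    the AP-manager chosen in each round.
    """
    attempts = []
    for _ in range(max_rounds):
        # The discovery response is identical every round, so the choice is too.
        choice = pick_least_loaded(managers)
        attempts.append(choice.name)
        if choice.network == ap_network:   # join only succeeds if reachable
            return "joined", attempts
        # Join fails: the AP goes back to discovery instead of trying the next manager.
    return "loop", attempts


if __name__ == "__main__":
    # Constructed: the lightly loaded manager lives on network 2.
    managers = [ApManager("ap-mgr-net1", "net1", 12), ApManager("ap-mgr-net2", "net2", 3)]
    print("AP on net1:", simulate_join("net1", managers))
    print("AP on net2:", simulate_join("net2", managers))
    print("desired for net1:", pick_in_own_network("net1", managers).name)
```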
06-17-2019 06:17 AM
Look at this note from version 7.4:
"AP-manager interfaces do not need to be on the same VLAN or IP subnet, and they may or may not be on the same VLAN or IP subnet as the management interface. However, we recommend that you configure all AP-manager interfaces on the same VLAN or IP subnet. "
I did not find this phrase in the 8.5 manual, but it may still be valid?
06-17-2019 06:35 AM - edited 06-18-2019 03:03 AM
No, the management and AP manager interfaces don't need to be on the same subnet, but they have to be reachable by the AP.
As the management interface only handles discovery requests, I made a route to it from the 2nd network.
But I can't route all the AP management traffic between both networks (to avoid network congestion), and APs can randomly take the AP manager of the other network.
Edit: As I said, network 1 and network 2 are physically isolated networks, so they can't be on the same VLAN or IP subnet.
Edit 2: At least, if the AP could try the next AP manager when the first fails, it would be great.
06-19-2019 12:50 AM
Cisco's advice to keep multiple AP-managers on the same subnet suggests that this is designed to be used within the SAME network.
From this you should conclude that the setup with two separated networks is not supported!
You can keep searching for possibilities, but you have little chance, and even if you succeed it will not be a supported configuration.
06-19-2019 04:19 AM