Manage APs on two isolated networks - WLC 5520

Thibault87 (Level 1)

Hello all,

I'm currently trying to set up a WLC 5520 Wireless Controller to manage my Aironet APs on two different (isolated) physical networks.

WLANs on network 1 are only linked to VLANs on network 1, and WLANs on network 2 are only linked to VLANs on network 2.

These networks can't be directly interconnected.

I have the management interface + a dynamic AP management interface on port 1 (network 1, VLAN 1), and a dynamic AP management interface on port 2 (network 2, VLAN 2).

The problem is that on network 2, APs can't communicate with the AP manager on network 1, and vice versa.

I understand that the discovery process requires access to the Management interface, so I made a route for network 2 to access it.

I can't manage all my APs on a single interface or route traffic between networks, because of the obvious network traffic issues you can see in the diagram.

So, I don't want APs to be load balanced between the two AP Managers, but to choose manually (or automatically by IP) which AP goes on which AP Manager.

Here is the diagram:

[Image: Untitled Diagram (1) (4).jpg]

 

I hope someone can help me. Thank you for reading, have a nice day.

I'm sorry, my English is a bit rusty. If you don't understand something, do not hesitate to ask me for details.

11 Replies

pieterh (VIP)

I don't think you need the route to the management interface.

The management interface is by default also enabled for AP management, but you use specific AP-manager interfaces.

If the specific AP-manager-enabled interface is reachable, this should do!

You can configure the controller discovery using DHCP or DNS:

DHCP: option 43 to be different for the two subnets

DNS: use a different domain name for each VLAN and use a different DNS record in each domain for

"CISCO-CAPWAP-CONTROLLER.local-domain" or "CISCO-LWAPP-CONTROLLER.local-domain".

But I guess you made a mistake in the use of the Ethernet ports.

By default they are meant to be used as LAG interfaces to the same network;

your setup suggests you need independent interfaces to two independent switches?

If this is a physical separation, then you have a challenge;

if this is separation by VLAN, then you can use LAG to connect to the same switch.
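The per-subnet DHCP option 43 value mentioned above has a fixed layout for Cisco lightweight APs: sub-option 241 (0xf1), a length byte equal to 4 times the number of controllers, then the controller management IPv4 addresses. The encoder/decoder below is an added example, not code from this thread or from Cisco; the controller addresses in it are constructed sample values.

```python
"""Build and decode DHCP option 43 payloads for Cisco lightweight AP
controller discovery (sub-option 0xf1 = WLC management IP list)."""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # 241: list of controller management IPv4 addresses


def encode_option43(controllers):
    """Return the raw option 43 bytes for a list of WLC management IPs."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller IP is required")
    value = b"".join(a.packed for a in addrs)
    # length byte = 4 * number of controllers (each IPv4 address is 4 bytes)
    return bytes([CISCO_WLC_SUBOPTION, len(value)]) + value


def decode_option43(payload):
    """Parse a 0xf1 TLV back into controller IPs; reject malformed input
    (wrong sub-option, length byte not matching, length not a multiple of 4)."""
    if len(payload) < 2 or payload[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco sub-option 241 TLV")
    length, value = payload[1], payload[2:]
    if length == 0 or length != len(value) or length % 4 != 0:
        raise ValueError("length byte does not match payload")
    return [str(ipaddress.IPv4Address(value[i:i + 4]))
            for i in range(0, length, 4)]


def ios_option43_line(controllers):
    """Render the value as the IOS DHCP-pool statement 'option 43 hex ...'."""
    return "option 43 hex " + encode_option43(controllers).hex()


if __name__ == "__main__":
    # Constructed sample: one DHCP pool per isolated network, each pointing
    # its APs at a controller address that is reachable from that network.
    for net, ctrl in (("network 1", "192.0.2.10"), ("network 2", "198.51.100.10")):
        print(net, "->", ios_option43_line([ctrl]))
    print(decode_option43(encode_option43(["192.0.2.10", "192.0.2.11"])))
```

The decoder is the useful half when auditing an existing pool: paste the hex from `option 43 hex ...` into it and check that every address it lists is one an AP on that subnet can actually reach.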

 

Hello,

first of all, thank you for your answer.

Yes, they are physically separated networks.

I already know how the AP discovers the controller. Discovery requests must go to the Management Interface.

On my network 1 it's done by broadcast, on my network 2 via DHCP option 43 (already set; the AP gets the management interface address).

From network 2, I need a route to it, because it cannot contact it directly.

Once it has contacted the management interface, the AP gets the list of all Dynamic AP Managers and then joins the one it has automatically selected (considering its load).

Once my AP in network 2 has contacted the management interface and discovered the Dynamic AP Managers' list, I want it to associate with a Dynamic AP Manager of its own network, instead of randomly balancing the load between both ports (and so both physical networks).

 

"your setup suggest you need independent interfaces to two independent switches ?" Yes

"If this is a physical separation, then you have a challenge" :'(

"If this is a physical separation, then you have a challenge"

-> do not fear, there are possibilities; look at this section in this document:

"Non LAG topology

To connect the WLC to more than one switch, you must create an AP manager for each physical port and disable LAG. This provides redundancy and scalability. It is not supported to have a WLC with a port up, without a corresponding AP manager interface."

and read the section "prefer mode" in this document:

"If an AP, with an configured prefer-mode, tries to join the controller and fails, then it will fall back to choose AP-manager of the other transport and joins the same controller. When both transports fail, AP will move to next discovery response."

Thanks a lot, I'll try it.

"If an AP, with an configured prefer-mode, tries to join the controller and fails, then it will fall back to choose AP-manager of the other transport and joins the same controller. When both transports fail, AP will move to next discovery response."

So, I just tried to put my AP group (+ global mode) in IPv4 (also tried with IPv6) preferred mode.

[Image: groupe app.JPG]

Then I re-enabled my AP manager interface in the other network and rebooted an AP.

It still loops in the discovery phase and keeps selecting the less loaded AP manager, not trying to join the other one.

[Image: discovery no join.JPG]

I think the AP just tries to contact the same AP manager, first by the selected preferred mode (IPv4), then by the other if available.

 

Just to make sure: you rebooted the controller after disabling LAG?

"A controller that supports link aggregation (LAG) can go into a LAG-in-Transition (LAT) mode during transition between LAG to non-LAG mode or vice-versa. The transition is complete only when the controller is rebooted. "

It has always been disabled, and I tried to reboot both controllers at least 2-3 times :)

[Image: lag.JPG]

What I need is to choose which AP goes on which AP manager.

I made a Wireshark capture to see the exchanges between AP and controller during the discovery/join phases.

In fact, the AP contacts the Management interface and gets a list of all dynamic AP managers with their load (Discovery phase).

Then it chooses itself which one is the less loaded, and establishes a connection to it (Join phase).

If it fails (because an AP can't reach the AP manager that is not in its network), it goes back to discovery, gets the list, chooses the same bad less-loaded AP manager, can't reach it, loops back to discovery, and so on....

I think I'm going to have to do some IP/packet spoofing to force it to join the AP Manager I want.

Edit: I think what you don't get is that dynamic AP managers and the management interface are not the same thing. Even if the Management interface can be a dynamic AP manager, it has its own role (Discovery = establish first contact between AP and controller, and distribute the list of AP managers).

 

"Before an access point joins a controller, it sends out a discovery request. From the discovery response that it receives, the access point can tell the number of AP-manager interfaces on the controller and the number of access points on each AP-manager interface. The access point generally joins the AP-manager with the least number of access points. In this way, the access point load is dynamically distributed across the multiple AP-manager interfaces." (Source)

 

Look at this note from version 7.4:

"AP-manager interfaces do not need to be on the same VLAN or IP subnet, and they may or may not be on the same VLAN or IP subnet as the management interface. However, we recommend that you configure all AP-manager interfaces on the same VLAN or IP subnet."

I did not find this phrase in the 8.5 manual, but it may still be valid?

No, the Management and AP Manager interfaces don't need to be on the same subnet, but they have to be reachable by the AP.

As the management interface only handles discovery requests, I made a route to it from the 2nd network.

But I can't route all the AP management traffic between both networks (to avoid network congestion), and APs can randomly take the AP manager of the other network.

Edit: As I said, network 1 and network 2 are physically isolated networks, so they can't be on the same VLAN or IP subnet.

Edit 2: At least, if the AP could try the next AP Manager when the first fails, it would be great.

 

 

Cisco's advice to keep multiple AP-managers on the same subnet suggests that this is designed to be used within the SAME network.

From this you should conclude that the setup with two separated networks is not supported!

You can keep searching for possibilities, but you have little chance, and even if you succeed it will not be a supported configuration.

I think I am going to add a switch at the controller level. So I will be able to share the management VLANs between both networks, and isolate the client VLANs by limiting the allowed VLANs on each port. This is the only solution I see. I'm just waiting for the answer from Cisco Support.

Thank you for your time and have a great day.