Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
812
Views
0
Helpful
4
Replies

Mobility express access

blazcc
Level 1
Level 1

‎08-09-2021 09:58 AM

Hi to all,

 

I have AP 1850 with Mobility express. There is 3 SSID's on that AP, one of them is for guest network. Everything works fine except one issue, I can access ME controller from guest network. I cannot access any other device in other vlans, except controller.

Config is like that

vlan 10 - LAN 10.10.10.0/25 - 2 SSID's

vlan 30 - Guest 172.30.0.0/28 - Guest SSID

Management of ME controller is 10.10.10.10 and device on Guest network get an IP 172.30.0.3 and that device can ping and access ME controller while I cannot ping any other device on network 10.10.10.0/25

What did I do wrong? Can I limit access to this ME for specific IP addresses on controller itself? Because I already limited intervlan connection on firewall, but somehow it's not working for ME, it works for whole network except ME.

Any help would be great

Labels:
0 Helpful
4 Replies 4

Arshad Safrulla
VIP Alumni
VIP Alumni

‎08-10-2021 01:37 PM

All ME AP's use Flex connect local switching. Unless the WLC access is allowed by the upstream firewall I don't see any reason why the ME controller should be accessible from your Guest subnet. I will be reviewing the firewall configuration to make sure that I didn't miss out on anything.

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful

blazcc
Level 1
Level 1
In response to Arshad Safrulla

‎08-10-2021 09:35 PM

Hi,

thank you for the advice. But it's one thing is very weird. On network 10.10.10.0 I have PC with remote desktop enabled. If I'm using guest wifi I cannot connect to that remote desktop, I can't ping that device and nothing else, and also few other device on the network. I was thinking there is maybe a problem with vlan tagging, because I use native vlan and tagged vlan for guest network. But I don't see an option to disable native vlan and just using vlan for network 172.30.0.1

Best regards

0 Helpful

blazcc
Level 1
Level 1
In response to Arshad Safrulla

‎08-19-2021 12:04 AM

Hi,

I found the issue, and it's a really weird thing. On last upgrade something went wrong and image is damaged a little. Everything seems to work ok. But first thing it's impossible to upload new image over http or over tftp can't do that at all. And second thing this vlan tagging, it's simply not working. Today I tired same settings and same guest network on diffrenet ME AP 1850 and it's working, I can only access guest network, but not my 10.x.x.x network. So my next question, do you maybe know how to erase image from AP, and upload new one over serial. Is that possible at all?

0 Helpful

Arshad Safrulla
VIP Alumni
VIP Alumni
In response to blazcc

‎08-19-2021 08:47 AM

Since you have an upstream firewall please make sure that TFTP ports are allowed there and also can you make sure the firewall on ur PC or tftp server is allowing tftp from ME mgmt IP, or you can disable the firewall temporarily if its allowed and safe. Please follow the below guide.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-2/b_Mobility_Express_Deployment_guide/b_Mobility_Express_Deployment_guide_chapter_01000.html

 

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card