
Remote Site Architecture

Patrick McHenry
Level 3

Hi,

I was wondering if someone could take a look at the diagram I attached. I'm thinking I could reduce the hops the wireless traffic would take if I was able to use both Controller interfaces and have them go to different switches. So, traffic coming from the wireless client to the Main Campus would use one interface and traffic coming from the Main Campus and back to the Client would use the other interface. I'm thinking that a Controller is really a switch, so it should work, correct?

Thanks, Pat.

10 Replies

Nicolas Darchis
Cisco Employee

WLC is not like a switch but this should be working.


You need to configure the ap-manager and management interface to be on the port leading to poe switch.

The client dynamic interfaces will be assigned to the port leading to router+wan.

WLC will only be manageable from one side though (the side where the APs are). This is why it's not like a switch (especially for wired traffic).

This can be worked around by enabling management through dynamic interfaces.

Thanks, Nicholas!!!

When you said "Client interface", I'm assuming that you mean the interface for the WLAN? The way this site is set up, the WLAN is on the Management interface. There is no interface for the WLAN. So, I'm assuming that your suggestion wouldn't work unless I, like you said, assign the Management interface and AP Manager interface to the port connecting to the PoE switch, create a WLAN interface, configure it to use the port that goes to the WAN, and assign the WLAN to that interface on the WLAN Configuration page?

For management purposes, I could just create another dynamic interface and assign it to the same port as the WAN?

Also, at the moment, the Management interface and the AP Management interface are untagged and the whole site is using the default VLAN one. Should the newly created WLAN interface for the clients be untagged as well?

Thanks for your help.

Pat.

Yes, client interface = dynamic interface on WLC used in the WLAN.

Creating several management interfaces is not possible.

The AP joining process is the following:

- AP sends discovery request to management interface of WLC

- Management int of WLC replies with the IP of an ap-manager interface

- AP sends join request to ap-manager interface.

What does it have to do? Well, in your setup, if you place the management interface on the port towards the WAN router, the APs will not be able to access it. As I said, the WLC is not a switch.

So for your APs to join you need management and ap-manager on the port towards APs. The client interfaces can be on another port.

So you cannot config your WLAN to use the management int either, because of the above.

Thanks for the response.

I understand that I have to assign the AP Manager and the Management interfaces to the port connecting to the PoE switch. And the WLAN interface to the port that goes to the WAN.

What I don't understand is your suggestion in your first response:


"WLC will only be manageable from one side though (the side where the APs are). This is why it's not like a switch (especially for wired traffic).

This can be worked around by enabling management through dynamic interfaces."

How do I create the work-around for managing the device from the Main site? Create another dynamic interface and point that interface to the port that goes to the WAN?

If not that, could I configure an address on the service port and cable it to the switch that goes to the WAN?

Thanks, Pat.

Only the management IP address can be used for HTTP management, telnet/ssh, etc.

So the management IP, in this scenario, would only be accessible from the PoE switch side (since the WLC is not switching traffic).

Since the scenario would require you to create a new subnet/interface on WLC assigned to the port connected to WAN router, you will maybe want (or not! It depends on where you want to manage the WLC from) to use that interface/IP to manage the WLC. This requires enabling the option on WLC to allow management through dynamic interfaces.

Thanks Nicholas,

You said "Since the scenario would require you to create a new subnet/interface on WLC assigned to the port connected to WAN router"

I'm assuming it doesn't have to be another subnet, right?

Also, where can I find the enable option to manage the device from a dynamic interface?

Also, do I have to disable LAG on the Controller since I won't be etherchanneling?

Thank you, Pat.

Using the same subnet on 2 different interfaces on 2 different ports is not going to work. It's not a routing nor switching device. You need to define a subnet for clients that will be assigned to port towards WAN.

Yes, you have to disable LAG.

config network mgmt-via-dynamic-interface enable

But I was going to make the AP Manager ip, the Management ip and the client SSID interface and the new dynamic interface for logging in to the device all on the same subnet but, assign the SSID interface and the "logging in" interface to the other port. Are you saying that this is impossible?

Are you saying that if I want the second port to go to another switch, interfaces associated with it have to be on a different subnet?

Also, what about my other idea of configuring the Service port with an address within the wired subnet and connecting it to the switch connected to the router?

Thanks, Pat.

Nicholas,

There is obviously a piece I am missing here. Is there a document you can point me to that might guide me to understand how a controller forwards traffic?

Although I believe you are correct, I am not completely understanding your logic.

Thanks, Pat.

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch2_Arch.html

and

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html

The information is spread out.

The key point is that a WLC is not forwarding traffic between its ports. That's why the main way to deploy is LAG, although connecting to different switches is possible and supported.

WLC receives wireless traffic from APs (on ap-manager interface) and forwards it to the network on the client dynamic interface.

It won't route traffic coming from wired that is not destined to a wireless client. So if your management traffic comes on the wrong port, it's not gonna go through.
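
The constraints given across the replies above (management and ap-manager on the AP-facing port, no subnet spanning two ports, LAG disabled, management from the other port only via a dynamic interface) can be checked against a planned layout before touching the controller. This is an added example, not part of the original thread and not Cisco code; the `Iface` and `check_plan` names, the port numbers and the addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from itertools import combinations


@dataclass(frozen=True)
class Iface:
    name: str
    kind: str   # "management", "ap-manager" or "dynamic"
    addr: str   # address/prefix
    port: int   # physical WLC port the interface is assigned to


def check_plan(ifaces, ap_port, admin_port, lag_enabled, mgmt_via_dynamic):
    """Return the problems found in a plan; an empty list means none."""
    problems = []
    if lag_enabled and len({i.port for i in ifaces}) > 1:
        problems.append("LAG must be disabled when interfaces use different ports")
    # APs send discovery to management and join on ap-manager: both face the APs.
    for i in ifaces:
        if i.kind in ("management", "ap-manager") and i.port != ap_port:
            problems.append(f"{i.name} must be on AP-facing port {ap_port}")
    # The WLC does not forward between its ports, so a subnet cannot span two.
    for a, b in combinations(ifaces, 2):
        if a.port != b.port and ip_interface(a.addr).network.overlaps(
                ip_interface(b.addr).network):
            problems.append(f"{a.name} and {b.name} share a subnet across ports")
    # Admin traffic is only accepted on a port that has a manageable interface.
    if not any(i.port == admin_port and (i.kind == "management" or
               (i.kind == "dynamic" and mgmt_via_dynamic)) for i in ifaces):
        problems.append(f"no management access via port {admin_port}")
    return problems


# Constructed sample plans: port 1 faces the PoE switch, port 2 the WAN router.
SAME_SUBNET = [Iface("management", "management", "192.0.2.10/24", 1),
               Iface("ap-manager", "ap-manager", "192.0.2.11/24", 1),
               Iface("clients", "dynamic", "192.0.2.12/24", 2)]
SPLIT_SUBNET = SAME_SUBNET[:2] + [Iface("clients", "dynamic", "198.51.100.2/24", 2)]

if __name__ == "__main__":
    for plan, lag, dyn in ((SAME_SUBNET, True, False), (SPLIT_SUBNET, False, True)):
        print(check_plan(plan, ap_port=1, admin_port=2,
                         lag_enabled=lag, mgmt_via_dynamic=dyn) or "plan is consistent")
```
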
