I am trying to set up an OEAP test environment in our DMZ and I am having some trouble. Because of the security requirements I can't manage the controller from the DMZ vlan. It is currently LAG enabled on two ports and connected to the DMZ switch via a trunk. My plan was to create an ap-manager interface and place it on the DMZ vlan and then place the management interface on a separate vlan that I can reach internally. However, this does not seem to be working. The only other post I have found on the subject seems to indicate that even if you create an ap-manager interface it still needs to be on the same vlan as the management interface. Is this true? At this point I have been seriously considering using the service port as the management interface and saving myself the trouble of figuring it out, but I would like to go with my original solution if possible. Any help you can provide would be appreciated.
OfficeExtend requires the ap manager to be the management interface due to how NAT is handled. In order for this to work you'll need to have the management interface be the interface that your OEAPs hit from the outside.
What's the issue with managing the WLC from the management network?
There is no issue managing the WLC from the management network. The problem is with managing it from the DMZ. If both the management interface and the ap manager interface have to be in the DMZ there is no way I can reach the management interface from the inside. It's not a configuration issue, it's a security policy issue. Our infosec group is very tight on what they will allow through our DMZ from the inside. For that matter, this particular DMZ is pretty heavily firewalled on the outside as well. It was a chore just to get them to allow UDP 5246 and 5247 through the firewall. I think I may be configuring the service port for management after all.
Well it isn't supported by any means but you might be able to use the CLI command to allow management via dynamic interfaces and use say for example port 8 on a dynamic interface that is inside your network then?
Seems odd they restrict from inside to DMZ.
They call this the "straddle", one leg inside the network and one leg outside in the DMZ.
But, as Blake pointed out NAT will be a problem with OE.
Oh, btw if you enable mangement via dynamic interface your security folks may have a stroke. But you could leg it in ..