02-25-2015 08:18 AM - edited 07-05-2021 02:36 AM
Is it possible to do the following on a 5508 WLC?
I have a management and one other VLAN trunked to a switch, say 10 and 20
I have an interface configured on the controller as VLAN 10 with an IP address of 192.168.1.1/24
I have a management interface of 192.168.2.1/24 (vlan 20)
My admin users use 192.168.1.x for connecting to all other subnets and the firewall allows privileged access i.e. to servers etc
So I have a wired desktop using 192.168.1.200 and I try to connect to 192.168.2.1, I get a TCP reset
The issue is related to me using an IP address within the VLAN 10. If I remove this I can access the device
I do not want to use "manage the WLC from a wireless connection", as that might enable users from other SSIDs to connect
I am wondering if I can enable my wired admin users to connect to the management interface, even though they are coming in on the data interface?
02-26-2015 01:57 PM
To clarify, VLAN 10 (192.168.1.x) is your Dynamic Interface and VLAN 20 (192.168.2.x) is your Management Interface, correct?
So are you asking if someone on the Dynamic Interface can manage your WLC? Nope, I don't think so. If you are trying to give some users access but not all and don't want to just rely on the username/password, what about putting everything on the same VLAN, but give your Admins a subnet of 255.255.254.0 and your regular users a subnet of 255.255.255.0. This should allow the admins to see 192.168.2.x but not the regular users. I don't think you could do this with DHCP, but if you used static IP it should work.
thoughts?
02-27-2015 12:35 AM
I had reached the same conclusion about managing from the dynamic address. I think I need to use the service port in this instance.
My alternative was create two scopes, one for wireless and the other for desktops
192.168.1.x /25
192.168.128.x /25
The desktop group would not fall into the dynamic interface group and should work
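An added example (not from this thread or from Cisco) that models the behaviour the posts describe: a host whose source address falls inside a dynamic-interface subnet is refused management access unless management via wireless is enabled. It checks the original /24 setup and the proposed /25 split; the desktop range 192.168.1.128/25 is an assumed reading of "192.168.128.x /25".

```python
from ipaddress import ip_address, ip_network

# Constructed addressing taken from the thread (VLAN 20 is management, VLAN 10 dynamic).
MANAGEMENT_IF = ip_network("192.168.2.0/24")
ORIGINAL_DYNAMIC_IFS = [ip_network("192.168.1.0/24")]

# Proposed split from the third post: wireless keeps the low /25, desktops get the high /25.
SPLIT_DYNAMIC_IFS = [ip_network("192.168.1.0/25")]
DESKTOP_NETS = [ip_network("192.168.1.128/25")]  # assumption: "192.168.128.x /25" read as this


def mgmt_access_allowed(src, dynamic_ifs, mgmt_via_wireless=False):
    """Model of the observed WLC behaviour: management traffic whose source
    lies in any dynamic-interface subnet is reset unless 'Management via
    Wireless' is enabled. Returns True when the connection would be accepted."""
    src = ip_address(src)
    in_dynamic = any(src in net for net in dynamic_ifs)
    return mgmt_via_wireless or not in_dynamic


def check_plan(admin_nets, dynamic_ifs):
    """Return (admin_net, dynamic_net) pairs that overlap. Any admin range that
    overlaps a dynamic interface would be blocked from managing the WLC, so an
    empty list means the addressing plan avoids the problem in the thread."""
    return [(a, d) for a in admin_nets for d in dynamic_ifs if a.overlaps(d)]


if __name__ == "__main__":
    # The desktop at 192.168.1.200 in the original /24 layout gets refused.
    print("original /24, 192.168.1.200:",
          mgmt_access_allowed("192.168.1.200", ORIGINAL_DYNAMIC_IFS))
    # Same host once the dynamic interface is narrowed to /25 is accepted.
    print("split /25, 192.168.1.200:",
          mgmt_access_allowed("192.168.1.200", SPLIT_DYNAMIC_IFS))
    print("overlaps in split plan:", check_plan(DESKTOP_NETS, SPLIT_DYNAMIC_IFS))
```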
02-27-2015 05:14 AM
Yeah... If you don't want to enable management via wireless, then this prevents any incoming access from the management and any dynamic interfaces. Now if you use the service port to access the WLC and connect that to the network, you need to make sure that there is no connectivity between the management interface and the service port or else you will run into issues.
-Scott