01-31-2013 02:22 AM - edited 07-03-2021 11:27 PM
I need to configure a WLAN that would be associated with a specific VLAN, but need to have L2 only on the controller.
This means I need !no IP address! configured on the interface on the controller.
Here is an example:
config interface create test 71
config interface vlan test 71
config interface address dynamic-interface test 10.1.1.100 255.255.255.0 10.1.1.1
I can't create a corresponding WLAN without configuring an IP address on the interface through the above line. The controller does not allow me to do it.
Because of security I need no IP on the controller.
Does anyone know if this is possible?
Thank you.
Vlad
01-31-2013 07:28 AM
It is not possible... The WLC requires an IP address on all dynamic interfaces in order to communicate with that subnet. So even though you might have a layer 2 VLAN with no SVI, the WLC needs an address, along with any other devices on that layer 2 subnet, to communicate.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"
02-01-2013 04:00 AM
Thank you Scott,
What I realized later is that not only does the controller need an IP address on the interface, but a DHCP server (relay) also needs to be configured in case one needs to use DHCP within the WLAN.
So something like a pure L2 WLAN does not exist. I guess this is just a question of the controller OS. Does anyone know if there is a plan to have it implemented in a future version?
Vlad
02-01-2013 05:15 AM
No... The WLC bridges traffic, so having an IP address on an interface doesn't affect a pure layer 2 VLAN unless for some reason your devices don't need an IP address. The WLC can't route and only bridges traffic. If it's a security policy that you have, well, that makes it tough. I just had a customer call regarding the same thing and they were eventually fine with doing it since we can place ACLs on the WLC to block traffic to any internal network. Other than that, they too wanted that layer 2 functionality.
02-01-2013 05:59 AM
Thanks Scott, yes, we know we can apply an ACL and that there is no routing on the controller. I just needed to hear what you said.
02-01-2013 06:07 AM
Oh okay... One thing you might look at is the 3850 or the 5760, which are the new IOS WLCs. As far as I know, you have a management address, but it might work in your case. Not 100% sure since I'm still testing that out and learning it :)
Thanks,
Scott