WLC 2504 - Can't access CLI or GUI from a different subnet

G3000LEE · ‎03-23-2022

Hi All,

I have read a few posts with the same issue, but none really had a solution.
I can only access WLC when connected to the same VLAN (103)

This is in a test environment and I didn't have this issue on the 2100, vWLC and other WLCs. I have noticed there isn't a Route option to configure the WLC to reach other subnets like on other models. I was thinking this is a routing issue where the WLC doesn't know a route back.

I would like to access the WLC from the LAB LAN MGMT subnet. Basically, I want the 172.16.100/24 subnet to access/manage the WLC via GUI/CLI

WLC mgmt IP = 172.16.103.100 (VLAN 103)
WLC Gateway/3850 switch = 172.16.103.253
LAN MGMT = 172.16.100.0/24

(Cisco Controller) >show interface summary
Number of Interfaces.......................... 3
Interface Name Port Vlan Id IP Address Type Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management 1 103 172.16.103.100 Static Yes No
virtual N/A N/A 192.1.2.3 Static No No
vlan104 1 104 172.16.104.100 Dynamic No No

APPLIED THE BELOW:
(Cisco Controller) >config network mgmt-via-dynamic-interface enable
(Cisco Controller) >config network mgmt-via-wireless enable
(Cisco Controller) save>config
Are you sure you want to save? (y/n) y

THE CORE SWITCH CAN PING WLC:
LAB-CORE#ping 172.16.103.100 source vlan 100
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
LAB-CORE#ping 172.16.104.100 source vlan 100
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

LAPTOP ON LAN MGMT SUBNET CAN NOT PING WLC:
MacBook-Pro ~ % ifconfig | grep 172.16.
inet 172.16.100.163 netmask 0xffffff00 broadcast 172.16.100.255

MacBook-Pro ~ % ping 172.16.103.100
PING 172.16.103.100 (172.16.103.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

MacBook-Pro ~ % ping 172.16.104.100
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

TRACEROUTE FAILS FROM CORE SWITCH:
LAB-CORE#traceroute 172.16.103.100
1 * * *
2 * * *

leemac18@LeeMac18s-MacBook-Pro ~ % ifconfig | grep 172.16.
inet 172.16.100.163 netmask 0xffffff00 broadcast 172.16.100.255
leemac18@LeeMac18s-MacBook-Pro ~ %
leemac18@LeeMac18s-MacBook-Pro ~ % ping 172.16.103.100
PING 172.16.103.100 (172.16.103.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
^C
--- 172.16.103.100 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
leemac18@LeeMac18s-MacBook-Pro ~ % ping 172.16.104.100
PING 172.16.104.100 (172.16.104.100): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2

I CAN PING THE GATEWAY OF THE WLC AND THE LAN MGMT FORM MACBOOK

MacBook-Pro ~ % ping 172.16.103.253
64 bytes from 172.16.103.253: icmp_seq=0 ttl=255 time=2.520 ms
64 bytes from 172.16.103.253: icmp_seq=1 ttl=255 time=2.730 ms

MacBook-Pro ~ % ping 172.16.100.253
64 bytes from 172.16.100.253: icmp_seq=0 ttl=255 time=2.925 ms
64 bytes from 172.16.100.253: icmp_seq=1 ttl=255 time=3.072 ms

balaji.bandi · ‎03-23-2022

what is the gateway for MACbook - 172.16.100.163?

can you able to ping gateway before you ping to WLC ?

traceroute 172.16.103.100 (help you where it dropping)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

G3000LEE · ‎03-24-2022

I CAN PING THE GATEWAY OF THE WLC AND THE LAN MGMT FORM MACBOOK

MacBook-Pro ~ % ping 172.16.103.253
64 bytes from 172.16.103.253: icmp_seq=0 ttl=255 time=2.520 ms
64 bytes from 172.16.103.253: icmp_seq=1 ttl=255 time=2.730 ms

MacBook-Pro ~ % ping 172.16.100.253
64 bytes from 172.16.100.253: icmp_seq=0 ttl=255 time=2.925 ms
64 bytes from 172.16.100.253: icmp_seq=1 ttl=255 time=3.072 ms

balaji.bandi · ‎03-24-2022

But you are not able to ping controller ? please confirm from Controller are you able to ping gateway ?

TRACEROUTE FAILS FROM CORE SWITCH:
LAB-CORE#traceroute 172.16.103.100
1 * * *
2 * * *

is the controller connected to this switch ?

from this switch can you check arp table ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ammahend · ‎03-23-2022

your WLC IP is 172.16.103.100 and gateway is 172.166.103.253, fix the typo(extra 6), change the gateway to 172.16.103.253 first and try.

-hope this helps-

balaji.bandi · ‎03-23-2022

WLC Gateway/3850 switch = 172.166.103.253

@ammahend good spot

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

G3000LEE · ‎03-24-2022

This was a typo only in the post, not in config.

It's not like I displayed an output from the switch which displayed this information

G3000LEE · ‎03-24-2022

It was a typo when writing this post not what I was typing in the command.

As you can see it wasn't like it was an output from the command line. But thanks for pointing it out

G3000LEE · ‎03-24-2022

This was a typo only in the post only NOT in configuration.

Arshad Safrulla · ‎03-24-2022

Do you have any CPU ACL enabled in WLC? How is the switchport connecting to WLC is configured?

Since u are tagging management VLAN from the WLC itself you don't need any native vlan to be configured from switch side.

Can you access the WLC when connected to the same VLAN (VLAN103)

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

G3000LEE · ‎03-24-2022

Hi,

Maybe you missed what I typed in my post...

As I've have stated,.... I can only access WLC when connected to the same VLAN (103).

No native VLANs are configured. this is a very basic setup.

The WLC is connected to the Lab Core swicth.

LAB-CORE#show run int gi1/0/37

interface GigabitEthernet1/0/37

switchport access vlan 103

switchport mode trunk

The WLC can ping it's gateway also the LAN mgmt gateway.

spanning-tree portfast

Arshad Safrulla · ‎03-24-2022

Change the switchport config as below

!

interface GigabitEthernet1/0/37

no switchport access vlan 103

switchport mode trunk

switchport trunk allowed vlan 103-104

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

G3000LEE · ‎03-24-2022

I already removed the switchort access command even though I 100% know this isn't the issue.

When a port is configured as an access port and you change it to a trunk, the switchport access is disabled but the command isn't removed.

This is a trunk port or I would lose connectivity to the WLC.

There is no need to configure switchport trunk allowed vlan 103-104. We all know that all VLANs are permitted when no VLANS are specified.

No ACL have been configured anywere.

But thanks

balaji.bandi · ‎03-24-2022

But you are not able to ping controller ? please confirm from Controller are you able to ping gateway ?

TRACEROUTE FAILS FROM CORE SWITCH:
LAB-CORE#traceroute 172.16.103.100
1 * * *
2 * * *

is the controller connected to this switch ?

from this switch can you check arp table ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

G3000LEE · ‎03-24-2022

Hi, I already replied to another helper that the WLC can ping its gateway and the Lan mgmt gateway

The controller is connected to the lab core switch.