WLC-4402 Multiple ap-manager interface config

BeomYong Park
Level 1

Hi all.

I have a network that is separated into two.

One of them is an internal network, and the other is an external network.

Please see the attached picture.

My WLC interface config is

management : 10.86.38.19 / VID 1 / Port1

ap-manager : 10.86.38.20 / VID 1 / Port1

ap-manager2 : 192.168.100.40 / untagged / Port2

The APs are set using the "lwapp ap ip address" command.

The internal network's APs join very well, but the external APs are not joining.

WLC's debug message

*spamReceiveTask: Nov 29 06:10:55.082: 58:8d:09:b1:db:30 Discovery Request received on non management interface '2' in L3 LWAPP mode, management interface is '1', dropping the packet
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 CAPWAP Control Msg Received from 192.168.100.41:25043
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 packet received of length 116 from 192.168.100.41:25043
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Msg Type = 1 Capwap state = 0
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 msgEleLength = 1 msgEleType = 20
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Total msgEleLen = 87
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 msgEleLength = 40 msgEleType = 39
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Total msgEleLen = 43
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 msgEleLength = 1 msgEleType = 41
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Total msgEleLen = 38
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 msgEleLength = 1 msgEleType = 44
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Total msgEleLen = 33
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 msgEleLength = 10 msgEleType = 37
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Vendor specific payload from AP  58:8D:09:B1:DB:30 validated
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Total msgEleLen = 19
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 msgEleLength = 15 msgEleType = 37
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Vendor specific payload from AP  58:8D:09:B1:DB:30 validated
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Total msgEleLen = 0
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Discovery Request received on non management interface '2', management interface is '1', dropping the packet from 192:168:100:41:25043
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 WTP already released
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Discovery Request received on non management interface '2' in L3 LWAPP mode, management interface is '1', dropping the packet
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Discovery Request received on non management interface '2' in L3 LWAPP mode, management interface is '1', dropping the packet


How can I join the external network's APs to the WLC-4402 port2 ap-manager2 interface?
Is there another way?

Thanks,

Park.

WLC_D.JPG

Accepted Solutions

Nicolas Darchis
Cisco Employee

Hi Park,

Let me explain to you how the join process works and you will understand immediately:

1) AP sends a discovery request to the management interface of the WLC (whether it learned it through option 43, DNS, or statically configured on the AP, this is always true)

2) The management interface replies and gives the ap manager interface that is the least loaded with APs.

3) AP sends a join request to the ap manager.

This raises 2 problems:

1) Your external APs can't access the management interface (it's on the internal subnet)

2) One time out of 2, an external AP would be given the ap manager that is on the internal network. The WLC can't figure out which ap manager the AP can reach and which one it cannot.

So your design is invalid.

Nicolas

===

Don't forget to rate answers that you find useful
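
The dropped discovery requests in the question's debug output are the visible symptom of step 1 above. As an added example (not part of the original thread and not Cisco tooling), this Python sketch summarises which APs had discovery requests dropped and on which interface; the function name, the sample text and the second AP in it are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the debug output quoted in the question;
# the second AP (00:11:22:33:44:55, 10.86.38.50) is invented for contrast.
SAMPLE = """\
*spamReceiveTask: Nov 29 06:10:55.082: 58:8d:09:b1:db:30 Discovery Request received on non management interface '2' in L3 LWAPP mode, management interface is '1', dropping the packet
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 CAPWAP Control Msg Received from 192.168.100.41:25043
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 Discovery Request received on non management interface '2', management interface is '1', dropping the packet from 192:168:100:41:25043
*spamReceiveTask: Nov 29 06:11:23.080: 58:8d:09:b1:db:30 WTP already released
*spamReceiveTask: Nov 29 06:11:24.101: 00:11:22:33:44:55 CAPWAP Control Msg Received from 10.86.38.50:31007
"""

LINE = re.compile(
    r"^\*?\s*spamReceiveTask: (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
DROP = re.compile(
    r"Discovery Request received on non management interface '(?P<rx>\d+)'"
    r".*management interface is '(?P<mgmt>\d+)', dropping the packet")
SRC = re.compile(r"Msg Received from (?P<ip>\d+(?:\.\d+){3}):\d+")

def dropped_discoveries(text):
    """Return {ap_mac: summary} for APs whose discovery requests were dropped."""
    seen_src = defaultdict(set)   # every source IP seen per AP MAC
    drops = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue              # a stray '*' or an unrelated line
        mac, msg = m["mac"].lower(), m["msg"]
        if (s := SRC.search(msg)):
            seen_src[mac].add(s["ip"])
        if (d := DROP.search(msg)):
            e = drops.setdefault(mac, {"count": 0, "rx_if": set(), "mgmt_if": set(),
                                       "first": m["ts"], "last": m["ts"]})
            e["count"] += 1
            e["rx_if"].add(d["rx"])       # interface the request arrived on
            e["mgmt_if"].add(d["mgmt"])   # interface the WLC expected it on
            e["last"] = m["ts"]
    for mac, e in drops.items():
        e["src_ips"] = seen_src[mac]
    return drops

if __name__ == "__main__":
    for mac, e in dropped_discoveries(SAMPLE).items():
        print(f"{mac}: {e['count']} discovery drops on interface {sorted(e['rx_if'])} "
              f"(management is {sorted(e['mgmt_if'])}), source {sorted(e['src_ips'])}")
```

An AP that shows up here with a receive interface different from the management interface is sending its discovery to an address the WLC will not answer on, which matches the first problem listed in the answer.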

Thanks Nicolas.

What is the optimum design under these conditions?

Please see the picture. Is the design right?

The wireless users are separated by SSID.

Would there be security issues?

Guest users must use a separate DHCP server. And it only exists inside the Guest VLAN.

Can internal users and guest users be clearly separated this way?

Thanks,

Park.

The last diagram looks better. The part that most people confuse is the following:

- The AP IP address doesn't matter. It can be in an internal network and that won't give any internal network access to the clients.

So best is to have all your APs in the internal network, and they service SSIDs that are in various VLANs.

They can even service one corporate SSID with internal network access (with WPA security) and another SSID giving only external network access. All traffic is totally separated.

So no security concern in this at all.

Nicolas

===

Don't forget to rate answers that you find useful
