We have a brand-new 9800 VM and are having trouble making sense of the interfaces.
We have an old physical 5508 and are migrating to the new VM based 9800.
All of our existing APs are on private IPs (192.168.x.x).
Because newer versions are using Smart Licenses more these days we've decided to make the "management" interface IP routable.
We do not want our APs to be routable so we are keeping them on the private IPs.
We have made the "management" interface on port 1 a routable IP in VLAN 123.
We have assigned the "service-port" a special IP that is not shared with anything.
We have created an additional virtual interface named "ap-mgmt" and put the IP in our existing AP private IP range, as well as assigned it VLAN 666. We have this interface set as the singular "Dynamic AP Management" interface.
We have created the "4095" VLAN in the VM and assigned it to the VM's NIC2 to be used as a trunk port, and assigned the VM NIC1 to an access vlan for the "service-port".
We have decoded the decimal address of the controller to hex and created an option 43 in the private DHCP scope and it's being received by the APs (you can see it pop up in the console of the AP as "Got WLC address 192.168.0.2 from DHCP.")
Everything works as it should, we can access the web interface from the public IP and APs work on the private IPs as they should, but only after the AP has been configured with a "Primary Controller" address in the APs profile.
The AP cannot seem to find the WLC on any network other than the "management" one.
If we put the AP in the same VLAN 123 as the "management" network it finds the WLC on the public IP and you can see it point it to the private DAM IP in a different VLAN. It works even without an option 43, and if we configure the private IP as the "Primary Controller" while there, we can move the AP to any network we want and it will work fine after that.
If we have the AP in the private IP VLAN it throws this error up in the WLC's log and never registers (despite seeing "Got WLC address 192.168.0.2 from DHCP." in the AP's console):
*dtlArpTask: Jan 21 14:31:17.364: %LOG-4-Q_IND: capwap_ac_sm.c:2075 Ignoring discovery request received on a wrong VLAN (666) on interface (1) from AP 68:7d:b4:66:66:66
*spamApTask2: Jan 21 14:31:17.363: %CAPWAP-4-DISC_INTF_ERR2: capwap_ac_sm.c:2075 Ignoring discovery request received on a wrong VLAN (666) on interface (1) from AP 68:7d:b4:66:66:66
So even though the private IP vlan works, and option 43 is correct, it looks like only the "management" interface will allow incoming discovery requests and respond.
So we tried swapping their IPs around, and it works fine, only that whatever IP you have on the "management" VLAN is the only one you can use to access the web interface, so licensing isn't going to work from the private IP.
It seems like an oversight that you can assign "Dynamic AP Management" to an interface but that interface still won't accept incoming discovery requests (even if pointed directly at it by option 43), and that you can create other interfaces but be unable to assign them for web access.
Am I missing something? We can make it work, but we have to bring all new APs up on public IPs in the management VLAN to register and configure them.
Is there a special setting that allows an interface to accept incoming discovery requests (other than setting "Dynamic AP Management" which doesn't seem to work)?
Is there a way to allow Web and SSH on another interface other than the only one that allows incoming discovery requests?
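Added example, not from the original post: a small Python helper that builds the Cisco-format DHCP option 43 value for one or more WLC addresses and decodes one back, so the hex placed in the private scope can be checked against what the AP reports in its console ("Got WLC address ... from DHCP"). It assumes the usual Cisco AP layout of sub-option type 0xf1, a length of 4 bytes per controller, then the IPv4 addresses as raw bytes; the function names are my own.

```python
"""Build and decode a Cisco-style DHCP option 43 value pointing APs at a WLC.

Hypothetical helper written for this thread; assumes the vendor-specific
sub-option layout: type 0xf1, length = 4 * number_of_controllers, IPv4 bytes.
"""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type carrying the WLC address list


def build_option43(controllers):
    """Return the option 43 value as a hex string for the given WLC IPv4 addresses."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    if not packed:
        raise ValueError("at least one controller address is required")
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    # TLV: one byte type, one byte length, then the concatenated IPv4 addresses
    return bytes([CISCO_WLC_SUBOPTION, len(packed)]).hex() + packed.hex()


def parse_option43(hex_value):
    """Decode an option 43 hex string back into a list of WLC addresses.

    Validates the TLV so a typo in the scope (wrong type byte, length not a
    multiple of 4, truncated address) is caught before the APs see it.
    """
    raw = bytes.fromhex(hex_value.replace(":", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option (expected type 0xf1)")
    length = raw[1]
    if length == 0 or length % 4 or len(raw) != 2 + length:
        raise ValueError("length field does not match an IPv4 address list")
    body = raw[2:]
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # The controller address from the thread, as a constructed sample input
    value = build_option43(["192.168.0.2"])
    print(value)                  # f104c0a80002
    print(parse_option43(value))  # ['192.168.0.2']
```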
"NOTE: There is only one Wireless Management Interface (WMI) on the controller."
"NOTE: You can use only one AP manager interface on Cisco Catalyst 9800 Wireless Controller called the WMI to terminate CAPWAP traffic."
And so if you want the WLC to be able to access the license server, the built-in interface will have to be on a public facing network. Because discovery will only work on that interface (regardless of which interface you deem the "AP management" one), all APs must be able to reach that public facing network IP in order to be added to the WLC. Once added, they can be managed by an additional virtual interface, but only after being added, despite putting a check in the AP management box.
Correct, and I have them, and if I put a public IP on the built-in management interface (for smart license server access reasons) and create a virtual interface with a private IP for AP management, and put a check in the AP management box (and make it a WMI) on that interface, it will work to point the APs to for management but won't work for discovery. If I swap them around, the private network will work for discovery, but now the public IP on the new virtual interface won't let me access the web interface or connect to the smart license server.
So in order to add new APs to the WLC I have to allow them access to the public facing IP. Simply put, you cannot add APs with any address other than that of the built-in management interface, despite being able to create additional virtual interfaces for AP management purposes.