Cisco 2000 Series Wireless LAN Controller Information Guide

00:0b:85:68:ab:01. Why?
A. You can receive this error message if the LWAPP tunnel between the AP and the WLC
traverses a network path with an MTU under 1500 bytes. This causes the fragmentation of the
LWAPP packets. This is a known bug in the controller. Refer to Cisco bug ID CSCsd39911
(registered customers only).
The solution is to upgrade the controller firmware to 4.0(155).
Q. I am trying to establish guest tunneling between my internal controller
and the virtual anchor controller on the De−Militarized Zone (DMZ).
However, when a user attempts to associate with a guest SSID, the user
is unable to receive the IP address from the DMZ, as expected.
Therefore, the user traffic is not tunneled to the controller on the DMZ.
The output of the debug mobile handoff command displays a message
similar to this:
    Security Policy Mismatch for WLAN <Wlan ID>.
    Anchor Export Request from Switch IP: <controller Ip address> Ignored
What is the problem?
A. Guest tunneling provides additional security for guest−user access to the corporate
wireless network. This helps to ensure that guest users are unable to access the corporate
network without first passing through the corporate firewall. When a user associates with a
WLAN that is designated as the guest WLAN, the user traffic is tunneled to the WLAN
controller that is located on the DMZ outside of the corporate firewall.
In this scenario, there can be several reasons for guest tunneling not to function as
expected. As the debug command output implies, the problem might be a mismatch in any of
the security policies configured for that particular WLAN on the internal controller versus the
DMZ controller. Check whether the security policies, as well as other settings such as the
session timeout, match on both controllers.
Another common reason for this issue is the DMZ controller not being anchored to itself for
that particular WLAN. For guest tunneling to work properly, and for the DMZ controller to
administer the IP address of a user that belongs to a guest WLAN, it is essential that proper
anchoring is configured for that particular WLAN.
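The two checks described in this answer (matching security policies and session timeout on both controllers, and the DMZ controller anchoring the WLAN to itself) can be expressed as a small comparison routine. The following is an added example, not Cisco's code or controller output; the dictionary key names and the sample configurations are constructed for illustration and do not correspond to any controller CLI or API.

```python
"""Compare the guest-WLAN settings of an internal (foreign) controller with the
DMZ anchor controller and report the mismatches that cause the anchor export
request to be ignored.  Added example; field names are assumptions."""

# Settings that must agree on both controllers for guest tunneling to work.
# The page names the security policies and the session timeout; the exact key
# names used here are constructed.
CHECKED_KEYS = ("layer2_security", "layer3_security", "session_timeout")


def find_policy_mismatches(wlan_id, internal, anchor):
    """Return a list of human-readable problems for one WLAN; empty means OK."""
    problems = []
    for key in CHECKED_KEYS:
        if internal.get(key) != anchor.get(key):
            problems.append(
                f"WLAN {wlan_id}: {key} differs "
                f"(internal={internal.get(key)!r}, DMZ={anchor.get(key)!r})"
            )
    # The DMZ controller must list itself as the mobility anchor for the WLAN,
    # otherwise it does not administer addresses for tunneled guest clients.
    anchor_ip = anchor.get("management_ip")
    if anchor_ip not in anchor.get("mobility_anchors", ()):
        problems.append(
            f"WLAN {wlan_id}: DMZ controller {anchor_ip} is not anchored to itself"
        )
    # The internal controller must point at the DMZ controller as its anchor.
    if anchor_ip not in internal.get("mobility_anchors", ()):
        problems.append(
            f"WLAN {wlan_id}: internal controller does not anchor the WLAN to {anchor_ip}"
        )
    return problems


# Constructed sample configurations (not taken from a real controller).
INTERNAL_WLAN = {
    "management_ip": "10.0.0.1",
    "layer2_security": "WPA2",
    "layer3_security": "web-auth",
    "session_timeout": 1800,
    "mobility_anchors": ["192.0.2.10"],
}
DMZ_WLAN = {
    "management_ip": "192.0.2.10",
    "layer2_security": "WPA2",
    "layer3_security": "none",
    "session_timeout": 3600,
    "mobility_anchors": [],
}

if __name__ == "__main__":
    for line in find_policy_mismatches(5, INTERNAL_WLAN, DMZ_WLAN):
        print(line)
```

Run against the constructed sample, the routine reports the Layer 3 security mismatch, the session timeout mismatch, and the missing self-anchor on the DMZ controller, which are exactly the three conditions the answer says to verify.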
Q. I see a lot of "CPU Receive Multicast Queue is full on Controller"
messages on the 2006 Wireless LAN Controller (WLC), but
not on the 4400 WLCs. Why? I have disabled multicast on the
controllers. What is the difference in the Multicast Queue Limit between
the 2006 and 4400 WLC platforms?
A. Because multicast is disabled on the controllers, the messages that cause this alarm might
be Address Resolution Protocol (ARP) messages. There is no difference in queue depth (512
packets) between the 2000 WLCs and the 4400 WLCs. The difference is that the 4400 NPU
filters ARP packets whereas everything is done in software on the 2006. This explains why
the 2006 WLC sees the messages but not the 4400 WLC. A 44xx WLC processes multicast
packets via hardware (through CPU). A 2000 WLC processes multicast packets via software.
CPU processing is more efficient than software. Therefore, the 4400's queue is cleared faster,
whereas the 2006 WLC struggles a bit when it sees a lot of these messages.