Our previous article introduced Cisco’s popular Wireless Controller (WLC) devices and examined their benefits to enterprise networks, different models offered and finally took a look at their friendly GUI interfaces. This article continues by explaining the purpose and functionality of each WLC interface (Management interface, Virtual interface, AP-Manager interface, Dynamic interfaces etc), WLC Port (Service port, Redundant port, Distribution ports etc), how WLCs connect to the network infrastructure, VLAN requirements and mapping to SSIDs.
Users can freely download Cisco's WLC product portfolio in our Cisco's Wireless Controller Datasheets download section. The datasheets contain all currently available WLC models, brief specification overview/comparison and much more.
WLC Interface Concepts – Understanding Ports and Logical Interfaces
Every WLC is fitted with a number of ports (physical interfaces) and logical interfaces, all critical for the device’s proper operation and integration with the network infrastructure. It is important that engineers working with WLCs, understand the purpose of each interface and how it should be used. This will help maximize the stability and scalability of any WLC deployment by correctly configuring all necessary interfaces and attached devices.
WLC Ports (Physical Interfaces)
We will now take a look at the different ports that can be found on WLCs and explain their purpose. Depending on the WLC model, some ports might or might not be present. The Console Port and Distribution System Ports are found on all WLCs.
Figure 1. Available Ports on a Cisco WLC 5500
This port is used for High-Availability (HA) deployment designs when there are two WLCs available. In this setup, both WLCs are physically connected with each other through the Redundant Port using an Ethernet cable. The redundancy port is used for configuration, operational data synchronization and role negotiation between the primary and secondary controllers.
The redundancy port checks for peer reachability by sending UDP keepalive messages every 100 milliseconds from the standby-hot WLC to the active WLC. Finally, the first two octets of the redundancy port’s IP address is always 169.254.xxx.xxx.
The service port is used for out-of-band management of the controller and system recovery and maintenance in the event of a network failure. It is important to note that the service port does not support VLAN trunking or VLAN tagging and is therefore required to connect to an access port on the switch.
It is also recommended not to connect the service port to the same VLAN as the wired clients network because by doing so, administrators will not be able to access the management interface (analysed later) of the controller.
SFP/Ethernet Distribution System Ports
The distribution system ports are the most important ports on the WLC as they connect the internal logical interfaces (analysed below) and wireless client traffic to the rest of our network. High-end WLCs as the WLC 5500 series above, have multiple SFP-based distribution system ports allowing engineers to connect the WLC with the network backbone using different configurations. The SFP Ports are able to accept fiber optic or Ethernet copper interfaces, with the use of the appropriate SFPs.
Figure 2. Picture of Fiber & Ethernet Copper SFPs
Lower-end WLCs such as the WLC2504 or the older WLC2100 series provide Ethernet interfaces only, because of the limited number of access points supported. For example, the WLC2504 provides up to 4 Gigabit Ethernet ports and can support up to 75 access points, while the WLC2125 provides up to 8 FastEthernet ports and supports up to 25 access points.
Figure 3. Pictures of WLC2504 & WLC2124
WLC Interfaces (logical Interfaces)
In this section, we will examine the logical interfaces that can be found on all WLCs. Understanding the functionality of each logical interface is crucial for the correct setup and deployment of any Cisco WLC-based wireless network.
The WLC’s logical interfaces are used to help manage the Wireless SSIDs broadcasted by the access points, manage the controller, access point and user data, plus more.
The diagram below provides and visual layout of the logical interfaces and how they connect to the physical ports of a WLC:
The above layout shows how each Wireless SSID (WLAN 1, WLAN 2 etc), maps to a Dynamic interface. In turn, each Dynamic interface maps to a specific VLAN. The number of WLANs & Dynamic interfaces depend on the WLC model. The bigger the WLC model, the more SSIDs (Wireless Networks)/Dynamic interfaces it supports.
All Dynamic interfaces and AP-Manager/Manager interfaces connect to the network infrastructure via the Distribution ports which depending on the WLC model are SFP or Ethernet (10/100 or Gigabit) interfaces.
Because all WLCs have multiple physical Distribution ports, it is possible to assign all Dynamic interfaces and AP-Manager/Manager interfaces to one physical Distribution port, as shown in the above diagram. In this case, the Distribution port is configured as an 802.1q Trunk port. Alternatively, Dynamic interfaces can also be assigned to separate physical Distribution ports, so that a specific WLAN/Dynamic interface can tunnel its traffic through a single Distribution port.
The dedicated Service-Port seen in the above diagram can be found only on the WLC 5500 series and 7500/8500 series which connects directly to the network.
Let’s take a closer look at each logical interface and explain its purpose:
The management interface is the default interface used to access and manage the WLC. The management interface is also used by the access points to communicate with the WLC. The management interface IP address is the only ping-able IP address and is used by administrators to manage the WLC.
Administrators can log into the WLC’s configuration GUI by entering the management interface IP address in a web browser and logging into the system.
A controller can have one of more AP-Manager interfaces which are used for all Layer 3 communications between the controller and lightweight access points after they have joined the controller. The AP-Manager IP address is used as the tunnel source for CAPWAP/LWAPP packets from the controller to the access points, and as the destination IP address for CAPWAP/ LWAPP packets from the access points to the controller.
While the configuration and usage of the AP-Manager interfaces is optional, models such as the WLC2504 and WLC5508, do not have a dedicated AP-Manager interface. For these models, under the Management interface settings, there is an option labeled Enable Dynamic AP Management, that allows the Management interface to work as an AP-Manager interface at the same time:
According to Cisco's documentation, each AP-Manager interface can handle up to 48 access points, however we belieive with the latest firmware updates that this limit has been increased to 75, because the smaller WLC model (2504) can now handle up to 75 access points with its dual-purpose management/AP-Manager interface. If more access points are installed, then multiple AP-Manager interfaces are required to be configured.
The virtual interface is used to manage and support wireless clients by providing DHCP relay functionality, guest web authentication, VPN termination and other services. The virtual interface plays the following two primary roles:
- Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
- Serves as the redirect address for the web authentication login page (if configured).
The virtual interface IP address is only used for communications between the controller and wireless clients. It never appears as the source or destination address of a packet that goes out through the distribution ports and on to the local network.
Finally, the IP address of the virtual interface must be unique on the network. For this reason, a common IP address used for the virtual interface is 188.8.131.52. All controllers within a mobility group must be configured with the same virtual interface IP address to ensure inter-controller roaming works correctly without connectivity loss.
The service-port interface is used for out-of-band management of the controller. If the management workstation is in a remote subnet, it may be necessary to add a IPv4 route on the controller in order to manage the controller from the remote workstation.
It is important to note that the service-port IP address must not reside on the same subnet as the Manager/AP-Manager interface.
Smaller WLC models such as the WLC2124, WLC2504 do not have a service-port interface.
The easiest way to explain dynamic interfaces is to think of them as VLAN interfaces for your wireless networks (SSIDs). One dynamic interface is created per wireless network/SSID. The wireless network or SSID is mapped to a dynamic interface, which is then mapped to a specific VLAN network.
As mentioned earlier, dynamic interfaces can be assigned to separate physical distribution ports, so that traffic from specific WLANs, pass to the wired network via specific distribution ports. In this scenario, each distribution port is a single access-link carrying one VLAN only.
Alternatively, all dynamic interfaces can be mapped to one distribution port, in which case will be a trunk port so that it can carry all WLANs/VLANs. This is a common setup method for smaller networks.
Finally, each dynamic interface must be on a different VLAN or IP subnet from all other interfaces.
Since the WLC2504 controller can handle up to 16 SSIDs, it can have a maximum of 16 dynamic interfaces, and support a maximum of 16 VLANs.
Distribution Port - Link Aggregation
All WLCs support the aggregation of multiple distribution ports into a single port using the 802.3ad port standard. This allows an administrator to create one large link between the WLC and the local switch.
For example, the WLC2504 provides 4 Gigabit Ethernet ports, allowing us to aggregate all 4 ports with the neighbour switch and create a 4 Gigabit Ethernet link with the wired network. EtherChannel will have to be configured on the local switch for the link aggregation to work.
WLCs do not support Link Aggregation Control Protocol (LACP) or Cisco’s proprietary Port Aggregation Protocol (PAgP), and therefore the switch must be set unconditionally to LAG. Only one LAG group is supported per controller.
This article introduced the Cisco Wireless LAN Controller interfaces. We covered the interfaces and ports found on WLCs, and analysed each interface's purpose, including Ethernet distribution ports, service port, redundancy port, interfaces such as the management interface, ap-manager interface, virtual interface and dynamic interfaces.