Cisco Wireless LAN Controller Configuration Guide
OL-8335-02
Chapter 3 Configuring Ports and Interfaces
Overview of Ports and Interfaces
Note: If the service port is in use, the management interface must be on a different subnet from the service-port interface.
AP-Manager Interface
A controller has one or more AP-manager interfaces, which are used for all Layer 3 communications
between the controller and lightweight access points after the access points have joined the controller.
The AP-manager IP address is used as the tunnel source for LWAPP packets from the controller to the
access point and as the destination for LWAPP packets from the access point to the controller.
The static (or permanent) AP-manager interface must be assigned to distribution system port 1 and must
have a unique IP address. It cannot be mapped to a backup port. It is usually configured on the same
VLAN or IP subnet as the management interface, but this is not a requirement. The AP-manager
interface can communicate through any distribution system port as follows:
• Sends Layer 3 messages through the network to autodiscover and communicate with other controllers.
• Listens across the network for Layer 3 lightweight access point LWAPP polling messages to autodiscover, associate to, and communicate with as many lightweight access points as possible.
Note: Refer to the “Using Multiple AP-Manager Interfaces” section on page 3-31 for information on creating and using multiple AP-manager interfaces.
Note: When LAG is disabled, you must assign an AP-manager interface to each port on the controller.
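The placement rules above (service-port subnet separation, static AP-manager on distribution system port 1 with no backup port, unique AP-manager address, one AP-manager per port when LAG is disabled) can be checked against an interface inventory before a change is applied. The following is an added example, not part of the Cisco guide; the inventory layout, field names, and addresses are constructed assumptions and do not represent controller output.

```python
import ipaddress

# Constructed inventory for illustration; field names are assumptions,
# not output from the controller.
SAMPLE = {
    "lag_enabled": False,
    "ports": [1, 2],
    "interfaces": [
        {"name": "management", "kind": "management", "ip": "10.10.1.5/24",
         "port": 1, "backup_port": None},
        {"name": "service-port", "kind": "service", "ip": "10.10.1.200/24",
         "port": None, "backup_port": None},
        {"name": "ap-manager", "kind": "ap-manager", "static": True,
         "ip": "10.10.1.6/24", "port": 1, "backup_port": 2},
    ],
}

def audit(inv):
    """Return (rule, detail) findings for the constraints stated above."""
    findings = []
    ifs = inv["interfaces"]
    addr = lambda i: ipaddress.ip_interface(i["ip"])
    by_kind = lambda k: [i for i in ifs if i["kind"] == k]
    apms = by_kind("ap-manager")
    # Service port in use: management must sit on a different subnet.
    for svc in by_kind("service"):
        for mgmt in by_kind("management"):
            if addr(svc).network.overlaps(addr(mgmt).network):
                findings.append(("service-subnet", f"{svc['ip']} vs {mgmt['ip']}"))
    for apm in apms:
        # Static AP-manager: distribution system port 1, no backup port.
        if apm.get("static") and apm["port"] != 1:
            findings.append(("static-port", f"{apm['name']} on port {apm['port']}"))
        if apm.get("static") and apm["backup_port"] is not None:
            findings.append(("backup-port", f"{apm['name']} -> {apm['backup_port']}"))
        # The AP-manager IP address must be unique.
        if any(o is not apm and addr(o).ip == addr(apm).ip for o in ifs):
            findings.append(("duplicate-ip", apm["ip"]))
    # LAG disabled: every port needs its own AP-manager interface.
    if not inv["lag_enabled"]:
        covered = {a["port"] for a in apms}
        findings += [("no-ap-manager", f"port {p}")
                     for p in inv["ports"] if p not in covered]
    return findings

if __name__ == "__main__":
    for rule, detail in audit(SAMPLE):
        print(f"{rule}: {detail}")
```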
Virtual Interface
The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol
(DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination.
It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify
the source of certificates when Layer 3 web authorization is enabled.
Specifically, the virtual interface plays these three primary roles:
• Acts as the DHCP server placeholder for wireless clients that obtain their IP address from a DHCP server.
• Serves as the redirect address for the Web Authentication Login window.
  Note: See Chapter 5 for additional information on web authentication.
• Acts as part of the IPSec configuration when the controller is used to terminate IPSec tunnels between wireless clients and the controller.
The virtual interface IP address is used only in communications between the controller and wireless
clients. It never appears as the source or destination address of a packet that goes out a distribution
system port and onto the switched network. For the system to operate correctly, the virtual interface IP
address must be set (it cannot be 0.0.0.0), and no other device on the network can have the same address
as the virtual interface. Therefore, the virtual interface must be configured with an unassigned and