I have two Cisco 1140 access points and two Cisco 1252AG access points. Can I use the Cisco AIR-CT2504 WLC to manage all of them? What versions of the LWAPP Cisco IOS are required? I tried looking for a compatibility matrix, but couldn't find one.
Cisco WLC – Supported Access Points and IOS Versions for AIR-CT2504
Tags: cisco, cisco-wireless, cisco-wlc
Related Solutions
It appears the answer is that it is unnecessary configuration. If DHCP snooping is not running on that VLAN, then this configuration has no effect.
I still couldn't find documentation that clearly states this, so I decided to test this myself.
Started off with DHCP snooping enabled for all VLANs and a rate limit of one (1) DHCP packet per second (assuming that the client will send the DISCOVER and REQUEST in one second if the DHCP server responds quickly enough):
```
router#show ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-4094
Insertion of option 82 is disabled
Interface                Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/8          no      1
router#show run int fa 0/8
Building configuration...
Current configuration : 230 bytes
!
interface FastEthernet0/8
switchport access vlan 841
switchport mode access
ip dhcp snooping limit rate 1
shutdown
end
```
Time for the control test, which should err-disable the port, which is exactly what occurs in about a second after the port transitions to up/up:
```
router#term mon
router#config t
Enter configuration commands, one per line. End with CNTL/Z.
router(config)#int fa 0/8
router(config-if)#no shut
router(config-if)#
Feb 13 22:57:04.589 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
Feb 13 22:57:07.701 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
Feb 13 22:57:08.553 CST: %PM-4-ERR_DISABLE: dhcp-rate-limit error detected on Fa0/8, putting Fa0/8 in err-disable state
Feb 13 22:57:08.561 CST: %DHCP_SNOOPING-4-DHCP_SNOOPING_RATE_LIMIT_EXCEEDED: The interface Fa0/8 is receiving more than the threshold set
Feb 13 22:57:10.561 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
router(config-if)#shut
```
Since the control worked as expected, I now remove VLAN 841 from the DHCP snooping configuration and enable the port again. One minute later, I shut the port (to show the timestamp):
```
router(config-if)#no ip dhcp snooping vlan 841
router(config)#do sh ip dhcp snoop
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-840,842-4094
Insertion of option 82 is disabled
Interface                Trusted Rate limit (pps)
------------------------ ------- ----------------
FastEthernet0/8          no      1
router(config)#int fa 0/8
router(config-if)#no shut
router(config-if)#
Feb 13 22:58:49.150 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to down
Feb 13 22:58:52.290 CST: %LINK-3-UPDOWN: Interface FastEthernet0/8, changed state to up
Feb 13 22:58:53.290 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to up
router(config-if)#shut
Feb 13 22:59:55.119 CST: %LINK-5-CHANGED: Interface FastEthernet0/8, changed state to administratively down
Feb 13 22:59:56.119 CST: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/8, changed state to down
```
Repeated multiple times with the same results using the following:
- Three different client devices
- 2950 running 12.1(22)EA14
- 3750 running 12.2(55)SE8
Would still love for someone to find documentation for this though.
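An added example, not part of the original post: a small Python audit that applies the behaviour observed in the test above, flagging ports where `ip dhcp snooping limit rate` is configured but the access VLAN is absent from the snooped VLAN list. The sample outputs are constructed, the function names are hypothetical, and only access ports are handled.

```python
import re

# Constructed samples modelled on the output in the post (not captured from a device).
SHOW_SNOOPING = """\
Switch DHCP snooping is enabled
DHCP snooping is configured on following VLANs:
1-840,842-4094
Insertion of option 82 is disabled
"""
RUNNING_CONFIG = """\
interface FastEthernet0/7
 switchport access vlan 10
 ip dhcp snooping limit rate 15
!
interface FastEthernet0/8
 switchport access vlan 841
 ip dhcp snooping limit rate 1
!
"""

def snooped_vlans(show_output):
    """Expand the VLAN list printed by 'show ip dhcp snooping' into a set of IDs."""
    lines = show_output.splitlines()
    vlans = set()
    if "DHCP snooping is enabled" not in show_output:
        return vlans  # globally disabled: nothing is snooped
    for i, line in enumerate(lines[:-1]):
        if "configured on following VLANs" in line:
            for part in lines[i + 1].strip().split(","):
                lo, _, hi = part.partition("-")
                if lo.isdigit():  # skips "none" or an empty list
                    vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def inert_rate_limits(running_config, vlans):
    """Return (interface, access VLAN, pps) where a rate limit sits on an unsnooped VLAN."""
    findings = []
    for block in re.split(r"^!\s*$", running_config, flags=re.M):
        name = re.search(r"^interface (\S+)", block, re.M)
        rate = re.search(r"^\s*ip dhcp snooping limit rate (\d+)", block, re.M)
        if not (name and rate):
            continue
        vlan = re.search(r"^\s*switchport access vlan (\d+)", block, re.M)
        access_vlan = int(vlan.group(1)) if vlan else 1  # IOS default access VLAN
        if access_vlan not in vlans:
            findings.append((name.group(1), access_vlan, int(rate.group(1))))
    return findings

print(inert_rate_limits(RUNNING_CONFIG, snooped_vlans(SHOW_SNOOPING)))
```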
Untagged (native) VLANs don't really offer you any benefit over tagged VLANs, and they present a certain level of security risk. There is no real reason to use untagged VLANs when tagged VLANs are available.
Some people prefer to use a network-wide VLAN for management, one for printers, etc. This scenario presents both security and operational risks. Cisco has been recommending one access switch per VLAN (an access switch can have multiple VLANs, but those VLANs don't extend to any other access switch), and, if you can, use layer-3 connections to the access switches instead of trunks.
There is a book published by Cisco Press, "LAN Switch Security: What Hackers Know About Your Switches" by Eric Vyncke and Christopher Paggen that explains a lot of these sorts of things.
Best Answer
According to the Cisco release notes for the Cisco 2504 Wireless LAN Controller, the last software releases that supported the Cisco 1140 Series AP and Cisco 1250 Series AP are 8.0.150.0 (31-Aug-2017) and 8.0.152.0 (21-Oct-2017).
From Cisco documentation:
You can still download the 8.0.150.0 and 8.0.152.0 software from Cisco software center.
Source: https://www.cisco.com/c/en/us/td/docs/wireless/controller/release/notes/crn80mr5.html#pgfId-1142589
Cisco 2500 Series Wireless LAN controller complete release notes: https://www.cisco.com/c/en/us/support/wireless/2500-series-wireless-controllers/products-release-notes-list.html