Introduction
This document describes recommended IP addresses to use as a virtual interface on the WLC (Wireless LAN Controller).
Contributed by Rafael Enriquez Olguin and David McNeil, Cisco TAC Engineers.
Background Information
For years, many Cisco configuration example documents have used 1.1.1.1 as the virtual IP address for the WLC.
Addresses in the subnet 1.0.0.0/8 have been assigned to the public space. This causes redirect issues for Web Authentication WLANs.
IP Address 1.1.1.1
Address 1.1.1.1 is now a secure Domain Name System (DNS) server. Anyone who uses this IP address uses a public IP address exclusively assigned to a private entity.
Now, some browsers such as Chrome, Firefox and Microsoft have added address 1.1.1.1 to their HTTP Strict Transport Security (HSTS) preload list. This prevents devices that use these browsers for redirection from completing Web Authentication.
Recommendation
The virtual IP address for the WLC must be configured as a non-routable IP address. You must ensure it does not overlap with the network infrastructure. The address can be taken from the internally allocated networks defined in RFC 1918.
The available subnets are:
The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Alternatively, the address can be taken from the blocks defined in RFC 5737.
The available subnets are:
The blocks 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3) are provided for use in documentation.
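One way to check a proposed virtual interface address against the recommendation above. This is an added example, not Cisco tooling; the function name `check_virtual_ip` and the sample infrastructure subnets are assumptions made for illustration.

```python
import ipaddress

# Blocks the page recommends for the WLC virtual interface address.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC5737 = [ipaddress.ip_network(n)
           for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]


def check_virtual_ip(candidate, infrastructure_subnets):
    """Return (ok, reasons) for a proposed WLC virtual interface address.

    infrastructure_subnets is a list of CIDR strings already in use on the
    network (a hypothetical inventory supplied by the caller).
    """
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ipaddress.AddressValueError:
        return False, [f"{candidate!r} is not a valid IPv4 address"]

    reasons = []
    # Rule 1: the address must come from an RFC 1918 or RFC 5737 block.
    if not any(addr in net for net in RFC1918 + RFC5737):
        reasons.append("not in an RFC 1918 or RFC 5737 block")

    # Rule 2: the address must not fall inside any subnet already deployed.
    for cidr in infrastructure_subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net:
            reasons.append(f"overlaps infrastructure subnet {net}")

    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample inventory, not taken from any real network.
    infra = ["10.0.0.0/16", "192.168.10.0/24"]
    for ip in ("1.1.1.1", "192.0.2.1", "10.0.5.1", "10.1.1.1"):
        ok, why = check_virtual_ip(ip, infra)
        print(f"{ip:12} {'OK' if ok else 'REJECT'} {'; '.join(why)}")
```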