topic Re: FlexConnect + Local Switching = No Network Access in Wireless

FlexConnect + Local Switching = No Network Access

JamieThompson9945 — Mon, 05 Jul 2021 17:28:20 GMT

Hi, I'm working with cisco wireless for the first time.

Im trying to setup some access points with multiple SSIDs/Vlans and to have the access points work even if the VWLC goes down (its on the same network as the APs) . I have a VWLC setup on a hyperV host with 3 networks on 3 different vlans.

I have confirmed that the VWLC subinterface ip's can be pinged from each network so I don't think its an issue with the vwlc the network adapter for it is in trunk mode and I made it using the powershell script on the cisco website.

The host is connected to a 2901 with an EHWIC-D-8ESG-P which is also where the APs are connected.

On the EHWIC-D-8ESG-P I have the following configured. the following for all 8 ports

interface GigabitEthernet0/1/0
switchport trunk native vlan 10
switchport trunk allowed vlan 1,2,10-12,1002-1005
switchport mode trunk
no ip address

On the VWLC I have for the access points

AP Mode FlexConnect

In the FlexConnect tab for the APs I have

VLAN Support checked and when I go into VLAN Mappings I can see my SSIDs which I have specified local mode assigned to their vlans

WLAN Id VLAN ID

Guest WiFi 12

On the interfaces I have setup

Interface Name VLAN IP Address

management 10 10.0.0.11

clientnet 11 10.0.1.11

dmznet 12 10.0.2.11

However when I connect any wifi client to the ssid I do not get an IP address from the DHCP server on this vlan.

I have not configured DHCP relay as there is a DHCP server on each vlan

The APs themselves get the following config

interface GigabitEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 5
 bridge-group 5 spanning-disabled
 no bridge-group 5 source-learning
!
interface GigabitEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 6
 bridge-group 6 spanning-disabled
 no bridge-group 6 source-learning
!

Am I doing something wrong ?

Re: FlexConnect + Local Switching = No Network Access

Mikey Boy — Tue, 28 May 2019 09:39:54 GMT

Hi, on the SSID which you have set to flexconnect local switching you will have assigned an interface. If you go to the interfaces tab, under DHCP proxy mode what is that set to? I would set it to disable for my flexconnect SSIDs as normal practice.

If this is a live enviroment and that interface is used on any local mode SSID's you will need to be careful not to prevent other users being affected.

Regards

Re: FlexConnect + Local Switching = No Network Access

JamieThompson9945 — Tue, 28 May 2019 09:49:06 GMT

Yes everything under the DHCP section is disabled for the interface the wlans are on.

Primary DHCP Server empty

Secondary DHCP Server empty

DHCP Proxy Mode unticked

Enable DHCP Option 82 unticked

Enable DHCP Option 6 OpenDNS unticked

So the local dhcp server on each vlan should be used, Yet whenever I connect a device to the ssid it gets stuck on APIPA.

I have a hyperv vm for testing that im assigning to the various vlans by changing the vlan tag and this gets the right IP address every time. But not anything going through the access points

Re: FlexConnect + Local Switching = No Network Access

Sathiyanarayanan Ravindran — Tue, 28 May 2019 15:15:59 GMT

For an example if your AP VLAN is 10 , Domain WiFi is 12 and Guest VLAN is 13. Your AP switch port configuration should be as below.

Switch port mode trunk

Switch port trunk native VLAN 10

Switch port trunk allowed VLAN 10,12-13

Re: FlexConnect + Local Switching = No Network Access

Mikey Boy — Tue, 28 May 2019 15:51:20 GMT

It sounds like you have everything configured. Is there any DHCP snooping config present on the switching?

Quick solution to see what is happening, span the switchport with an AP on it during a client association. You should see DHCP traffic outside of the CAPWAP tunnel. This will verify instantly whether or not the DHCP traffic is happening locally on the switchport.

Re: FlexConnect + Local Switching = No Network Access

JamieThompson9945 — Tue, 28 May 2019 21:15:08 GMT

Because its a ehwic ive had to add the following default vlans

interface GigabitEthernet0/1/x
switchport trunk native vlan 10
switchport trunk allowed vlan 1,2,10-12,1002-1005
switchport mode trunk
no ip address

This should work correct ?

Because I can ping the VWLC interface ips from the respective network think the wlc is working fine.

Here is the network config on the AP.

bridge irb
!
!
!
interface Dot11Radio0
 antenna gain 0
 rxsop-threshold 85
 stbc
 ampdu transmit priority 1
 ampdu transmit priority 2
 ampdu transmit priority 3
 mbssid
 speed  basic-1.0 basic-2.0 basic-5.5 basic-11.0 basic-6.0 basic-9.0 basic-12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15. m16. m17. m18. m19. m20. m21. m22. m23.
 power client local
 packet retries 64 drop-packet
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 6
 bridge-group 6 subscriber-loop-control
 bridge-group 6 spanning-disabled
 bridge-group 6 block-unknown-source
 no bridge-group 6 source-learning
 no bridge-group 6 unicast-flooding
!
interface Dot11Radio0.3
 encapsulation dot1Q 3
 no cdp enable
 bridge-group 5
 bridge-group 5 subscriber-loop-control
 bridge-group 5 spanning-disabled
 bridge-group 5 block-unknown-source
 no bridge-group 5 source-learning
 no bridge-group 5 unicast-flooding
!
interface Dot11Radio0.18
 encapsulation dot1Q 18
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio0.19
 encapsulation dot1Q 19
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no cdp enable
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 spanning-disabled
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
!
!
interface Dot11Radio1
 antenna gain 0
 peakdetect
 rxsop-threshold 80
 stbc
 ampdu transmit priority 1
 ampdu transmit priority 2
 ampdu transmit priority 3
 mbssid
 power client local
 packet retries 64 drop-packet
 station-role root
 no cdp enable
!
interface Dot11Radio1.2
 encapsulation dot1Q 2
 no cdp enable
 bridge-group 6
 bridge-group 6 subscriber-loop-control
 bridge-group 6 spanning-disabled
 bridge-group 6 block-unknown-source
 no bridge-group 6 source-learning
 no bridge-group 6 unicast-flooding
!
interface Dot11Radio1.18
 encapsulation dot1Q 18
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio1.19
 encapsulation dot1Q 19
 no cdp enable
 bridge-group 3
 bridge-group 3 subscriber-loop-control
 bridge-group 3 spanning-disabled
 bridge-group 3 block-unknown-source
 no bridge-group 3 source-learning
 no bridge-group 3 unicast-flooding
!
interface Dot11Radio1.20
 encapsulation dot1Q 20
 no cdp enable
 bridge-group 4
 bridge-group 4 subscriber-loop-control
 bridge-group 4 spanning-disabled
 bridge-group 4 block-unknown-source
 no bridge-group 4 source-learning
 no bridge-group 4 unicast-flooding
!
interface GigabitEthernet0
 no ip route-cache
 duplex auto
 speed auto
!
interface GigabitEthernet0.10
 encapsulation dot1Q 10 native
 no ip route-cache
 bridge-group 1
 bridge-group 1 spanning-disabled
 no bridge-group 1 source-learning
!
interface GigabitEthernet0.11
 encapsulation dot1Q 11
 no ip route-cache
 bridge-group 5
 bridge-group 5 spanning-disabled
 no bridge-group 5 source-learning
!
interface GigabitEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 6
 bridge-group 6 spanning-disabled
 no bridge-group 6 source-learning
!
interface BVI1
 mac-address 
 ip address dhcp client-id BVI1
 no ip route-cache
 ipv6 address dhcp
 ipv6 address autoconfig
 ipv6 enable
!
interface BVI2
 mac-address 
 no ip address
!
interface BVI3
 mac-address 
 no ip address
!
interface BVI4
 mac-address 
 no ip address
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 route ip
bridge 3 route ip
bridge 4 route ip