topic Re: Overlapping subnets in different wireless VLANs in Wireless

Overlapping subnets in different wireless VLANs (same SSID)

Alex Mac — Thu, 11 Nov 2021 21:28:55 GMT

Hi all,

It's the first time that I'm facing this challenge but I may run into a scenario where different dynamically assigned VLANs might host the same subnet, like 10.10.34.0/24. The VLANs are extended to different VRFs so there won't be any conflict in terms of routing.

As far as I know I always thought of wireless VLANs as simple L2 domains but I'm told that for mobility WLCs take into account L3 information and two VLANs managed by the same WLCs and with the same L3 IP addressing used within may run into problems. Like all he VLANs were flattened at WLC level and two client with the same IP address but in different VLANs could be seen as one by the WLC.

Does anyone have experience on this?

Thanks

Could anyone help in shedding some light on this please?

Alex

Re: Overlapping subnets in different wireless VLANs

Mark Elsen — Thu, 28 Oct 2021 09:25:34 GMT

- Note sure if this can work referencing : https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-vlan/68100-wlan-controllers-vlans.html

>...

Dynamic Interfaces on WLCs

>...

>... If the port is untagged, all dynamic interfaces must be on a different IP subnet from any other interface configured on the port.

Re: Overlapping subnets in different wireless VLANs

Arshad Safrulla — Thu, 28 Oct 2021 09:41:19 GMT

Hi Alex,

I assume that you are running 9800 platform and Flex AP's. If the same IP is seen twice by WLC it will report as IP Theft and client will excluded as per the configured timeout. Please refer to the below enhancement request.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr98802?rfs=iqvred

As you can find in the above link, this enhancement is added starting from 17.3.3 and higher. Make sure you have the correct IOS-XE code running in your WLC. Config guide as below

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-4/config-guide/b_wl_17_4_cg/m_vewlc_flex_connect.html#concept_hvw_sjw_clb

Re: Overlapping subnets in different wireless VLANs

Rich R — Tue, 02 Nov 2021 15:04:55 GMT

But that's only for flex local switching. I think it will still be a problem for anything centrally switched?

Re: Overlapping subnets in different wireless VLANs

Arshad Safrulla — Tue, 02 Nov 2021 21:30:29 GMT

I think the scenario which you are referring will be very low. I have very rarely come across networks where they use overlapping IP addresses even if it's in different VRF's. I think if AP's are in local mode we need to look at the design as a whole. Only solution I see is converting the AP's to Flex.

Re: Overlapping subnets in different wireless VLANs

Alex Mac — Wed, 03 Nov 2021 12:42:26 GMT

Not sure what you mean by "low". The impression I have is that when dealing with all the stuff to prevent intrusive action by unauthorized clients or duplicated address the controller flattens the VLANs but I don't know why. It would be that simple. Just imagine the same (DHCP snooping etc etc) in a switch, would you consider it normal? 🙂

Re: Overlapping subnets in different wireless VLANs

Arshad Safrulla — Thu, 04 Nov 2021 10:45:55 GMT

Hi Alex,

You can't even configure dynamic interfaces with overlapping IP subnets in AireOS (Dynamic interface is compulsory in AireOS world), but in 9800 platforms you really don't need L3 SVI's unless there is mdns gateway or dhcp relay. So technically you can get away wth configuring the L2 VLAN which offers same subnet under 2 SSID's in 9800. The real problem happens when there are 2 clients with the same IP address. WLC will mark the client to be excluded for IP Theft.

If AP's are in local mode there is a workaround (only in 9800 no L3 SVI's), but not recommended. You can divide the DHCP IP scopes

VLAN 10 - VRF DATA - 10.0.0.0/24 - SSID EMPLOYEE - DHCP SCOPE 10.0.0.1-10.0.0.128

VLAN 20 - VRF PERSONAL - 10.0.0.0/24 - SSID EMPLOYEE2 - DHCP SCOPE 10.0.0.129-10.0.0.254

By manipulating the DHCP scopes you are avoiding duplicate IP issue. But you have to compensate on the available IP addresses.

Re: Overlapping subnets in different wireless VLANs (same SSID)

Alex Mac — Thu, 11 Nov 2021 21:31:27 GMT

Hi Arshad,

unfortunately we are speaking of the same SSID and VLANs assigned dynamically by the RADIUS, that would be the scenario.

Alex

Re: Overlapping subnets in different wireless VLANs (same SSID)

Arshad Safrulla — Thu, 11 Nov 2021 22:07:00 GMT

Still the same theory applies, you cannot have 2 clients with same IP. You can try to manipulate your DHCP scope to stop assignment of same IP to 2 clients.