topic Re: Catalyst 9800 How to block WLAN APs from joining temporarily in Wireless

Catalyst 9800 How to block WLAN APs from joining temporarily

Gehrig_W — Mon, 06 Feb 2023 14:14:18 GMT

Hello Cisco WLAN experts,

we are running a mix of 9800-, 5520- and Wism2-WLCs.

I would like to upgrade the 5520-WLCs and would like to avoid APs joining the 9800-WLCs and Wism2-WLCs during boot time.

On Wism2-platform, I can achieve this by deactivating the Dynamic AP Management in the management interface during the upgrade of the 5520-WLCs.

Who knows a similar CLI-or Gui-command to achieve the same on 9800-80-platform ?

Thank You in advance

Best regards

Wini

Re: Catalyst 9800 How to block WLAN APs from joining temporarily

balaji.bandi — Mon, 06 Feb 2023 17:40:17 GMT

You can use ACL ?

Re: Catalyst 9800 How to block WLAN APs from joining temporarily

Scott Fella — Mon, 06 Feb 2023 17:54:25 GMT

You need to really be careful. You should never of placed the 9800 or make that accessible to your existing wireless network. This is all about proper planning so you don't ever run into issues. Like what @balaji.bandi mentioned, you can use acl's, or make sure that the ap's have the controller and controller ip's on the high availability, which you should have anyways so that you know and the ap's know which controller will host which access points.
As far as allowing what aps on what controller, AireOS has ap authorization list and so does the 9800's. You can review that guide and decide which best works for you.
Catalyst 9800 Wireless Controllers AP Authorization List - Cisco

Re: Catalyst 9800 How to block WLAN APs from joining temporarily

Gehrig_W — Wed, 08 Feb 2023 07:46:40 GMT

Hello Scott,

thank You very much for this valuable informaton guide to create an ACL to block WLAN APs from joining.

I configured the following single Pseudo-MAC to block all other WLAN-APs from joining the 9800-80-WLC during SW-Upgrade of our 5520-WLCs:

# config t

# aaa new-model

# aaa authorization credential-download AP-auth local

# ap auth-list authorize-mac

# ap auth-list method-list AP-auth

# username 123456789abc mac description Test

I did a test with a 3800-AP with 3 WLC-entries. The primary was the 9800-WLC.

The shown ACL blocks the WLAN-AP from joining the primary successfully.

Interesting to see, the WLAN AP does not try to connect to the secondary nor the tertiary WLC.

It tries endlessly to connect to the 9800-WLC, which blocks it again and again.

Also the WLCs learned in the past, to which the AP is sending discovery requests, are

not used in the join-desicion eventhough all of them are sending Discovery response answers.

That's a little strange, but will fit for us during the SW-upgrade.

The already joined WLAN-APs on the 9800 are still connected and not influenced negatively by this WLAN-AP-block-ACL.

Our DNS is pointing to one of the 5520-WLCs.

Also the Cisco-CAPWAP-controller-DNS-entry is pointing to the same 5520-WLC.

Let'S hope everything goes fine during the SW-upgrade of the 5520-WLcs.

Kind regards

Wini