FlexConnect WLAN users not receiving IP Addresses

MikeyP
Level 1

I'm currently working in an enterprise network with approximately 100 sites and 4500 APs, a mix of 1142, 2600, 2700 and 3700.  I have an N+1 HA pair of 8510 WLCs running version 8.0.121.0; my WLC is acting as an adjunctor, so there is a DHCP server located elsewhere in my network.  I also have a test environment, but I'll explain that below.

What I'm attempting to do is take one of my existing WLANs and turn it into a FlexConnect WLAN; however, I'm having issues with clients receiving IP addresses from the DHCP server after I enable all the necessary FlexConnect settings.  Now, I did notice that some users were still on the network and the controller could run a link test after making a change; however, I was unable to receive an IP address on my device when trying to connect to the desired SSID.  This issue occurs when I have FlexConnect Local Switching, FlexConnect Local Auth and Learn Client IP Address all enabled.

My production network is built in this format

WLC <> Core <> WAN <> L3 Switch <> L2 Switch <> AP

<------------------------CAPWAP----------------------------------->

Now, to my understanding, traffic is encapsulated in a CAPWAP tunnel from AP to WLC and vice versa, without any devices in between being able to see any traffic. So regardless of FlexConnect being enabled, shouldn't the traffic still flow within the CAPWAP tunnel until told otherwise, when the VLAN for the specific SSID is changed on the AP?  Or is the CAPWAP tunnel supposed to be broken to the AP afterwards?

Now, to explain why I asked that question just above, in my test environment, which is set up as

WLC<>2960X(DHCP)<>AP

<---------CAPWAP---------->

When I enable FlexConnect in this environment without providing the VLAN (which I had as 11 for the WLAN), I was unable to receive DHCP; when I did set the VLAN on the switch facing the AP with 11 on the trunk, I was able to see my wireless device sending its MAC addr from the AP; and finally, when I removed FlexConnect, I could see my MAC addr coming from the WLC.  Is this supposed to be normal?  Is the tunnel supposed to be broken from the moment you enable FlexConnect for a specific WLAN?  Or should it still be encapsulated in the CAPWAP tunnel until you modify the inheritance on the AP?

Any help would be appreciated, and if there is something I didn't clarify well enough just let me know and I'll try to elaborate on it in a better way.  I also have some logs that I took from a debug in the test environment while playing with some of the settings.  What I did below was leave VLAN 11 off of the trunk and change the VLAN to 329 on the controller for the AP-specific FlexConnect setting, and it worked.  I also went back and added VLAN 11 to the trunk later on, and that worked natively with the WLAN inheritance, but broke when the VLAN was missing from the trunk.

***BEFORE ADDING VLAN 11 TO TRUNK***

*DHCP Socket Task: Feb 07 12:45:17.805: e8:50:8b:51:2f:25 DHCP dropping packet
*apfReceiveTask: Feb 07 12:56:20.288: e8:50:8b:51:2f:25 apfHreapClientCreate (apf_80211.c:13584) Changing state for mobile e8:50:8b:51:2f:25 on AP d0:c7:89:0f:db:f0 from Associated to Associated

*apfReceiveTask: Feb 07 12:56:20.288: e8:50:8b:51:2f:25 192.0.0.4 RUN (20) Change state to RUN (20) last state RUN (20)

*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 override for default ap group, marking intgrp NULL
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Re-applying interface policy for client

*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2399)
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2420)
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Setting the NAS Id to WLAN specific Id 'TEST_WLC'
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Applying site-specific Local Bridging override for station e8:50:8b:51:2f:25 - vapId 4, site 'FlexConnectTest', interface 'wifi'
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Applying Local Bridging Interface Policy for station e8:50:8b:51:2f:25 - vlan 11, interface id 12, interface 'wifi'
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 override from ap group, removing intf group from mscb
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Applying site-specific override for station e8:50:8b:51:2f:25 - vapId 4, site 'FlexConnectTest', interface 'wifi'
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 11

*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Re-applying interface policy for client

*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2399)
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2420)
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Stopping deletion of Mobile Station: (callerId: 83)
*apfReceiveTask: Feb 07 12:56:52.550: e8:50:8b:51:2f:25 apfHreapClientCreate (apf_80211.c:13584) Changing state for mobile e8:50:8b:51:2f:25 on AP d0:c7:89:0f:db:f0 from Associated to Associated

*apfReceiveTask: Feb 07 12:56:52.550: e8:50:8b:51:2f:25 192.0.0.4 RUN (20) Change state to RUN (20) last state RUN (20)

*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 override for default ap group, marking intgrp NULL
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0

*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Re-applying interface policy for client

*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2399)
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2420)
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Setting the NAS Id to WLAN specific Id 'TEST_WLC'
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Applying site-specific Local Bridging override for station e8:50:8b:51:2f:25 - vapId 4, site 'FlexConnectTest', interface 'wifi'
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Applying Local Bridging Interface Policy for station e8:50:8b:51:2f:25 - vlan 11, interface id 12, interface 'wifi'
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 override from ap group, removing intf group from mscb
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Applying site-specific override for station e8:50:8b:51:2f:25 - vapId 4, site 'FlexConnectTest', interface 'wifi'
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 11

*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 Re-applying interface policy for client

*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2399)
*apfReceiveTask: Feb 07 12:56:52.551: e8:50:8b:51:2f:25 0.0.0.0 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2420)

-------------------------------------------------

***AFTER CHANGING FLEXCONNECT VLAN TO 329***

*DHCP Socket Task: Feb 07 13:02:00.909: e8:50:8b:51:2f:25 DHCP received op BOOTREPLY (2) (len 308,vlan 10, port 13, encap 0xec03)
*DHCP Socket Task: Feb 07 13:02:00.909: e8:50:8b:51:2f:25 DHCP setting server from OFFER (server 10.80.0.1, yiaddr 10.80.0.3)
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 DHCP received op BOOTREPLY (2) (len 308,vlan 10, port 13, encap 0xec03)
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 DHCP setting server from ACK (mscb=0x454206f0 ip=0xa500003)(server 10.80.0.1, yiaddr 10.80.0.3)
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 apfMsRunStateDec
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 192.0.0.4 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)

*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 apfMsRunStateInc
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 10.80.0.3 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)

*DHCP Socket Task: Feb 07 13:02:00.915: e8:50:8b:51:2f:25 Assigning Address 10.80.0.3 to mobile
*DHCP Socket Task: Feb 07 13:02:00.915: e8:50:8b:51:2f:25 DHCP success event for client. Clearing dhcp failure count for interface wifi.

---------------------------------------------------
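The two debug captures above are easier to compare when reduced to a per-client summary: how many DHCP packets the WLC dropped, which VLAN the local-bridging policy mapped the client to, whether an OFFER/ACK was seen and which address was finally assigned. The following Python helper is an added example written for this thread, not code from the original post or from Cisco. It parses the `*<task>: <timestamp>: <client mac> <message>` line layout visible in the debug output; the regexes, the `ClientSummary` field names and the verdict wording are my own assumptions, and the sample lines are trimmed excerpts of the logs posted above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Layout of each "debug client" line in the thread:
#   *<task>: <Mon DD HH:MM:SS.mmm>: <client mac> <message>
# The group names below are my own (hypothetical), not WLC terminology.
LINE_RE = re.compile(
    r"^\*(?P<task>[^:]+): (?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
STATE_RE = re.compile(r"Change state to (\w+) \(\d+\) last state (\w+) \(\d+\)")
FLEX_VLAN_RE = re.compile(r"Local Bridging Interface Policy for station \S+ - vlan (\d+)")
DHCP_SRV_RE = re.compile(
    r"DHCP setting server from (OFFER|ACK) \(.*?server ([\d.]+), yiaddr ([\d.]+)\)"
)
ASSIGN_RE = re.compile(r"Assigning Address ([\d.]+) to mobile")


@dataclass
class ClientSummary:
    mac: str
    dropped: int = 0                      # "DHCP dropping packet" lines
    flex_vlan: Optional[int] = None       # VLAN the local-bridging policy mapped the client to
    offers: List[Tuple[str, str]] = field(default_factory=list)  # (server, yiaddr)
    acks: List[Tuple[str, str]] = field(default_factory=list)
    assigned_ip: Optional[str] = None
    transitions: List[Tuple[str, str, str]] = field(default_factory=list)  # (ts, from, to)


def summarize(lines) -> Dict[str, ClientSummary]:
    """Fold WLC debug lines into one summary per client MAC."""
    clients: Dict[str, ClientSummary] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines, separators, headings
        c = clients.setdefault(m["mac"], ClientSummary(m["mac"]))
        msg = m["msg"]
        if "DHCP dropping packet" in msg:
            c.dropped += 1
        elif (s := STATE_RE.search(msg)) is not None:
            new, old = s.group(1), s.group(2)
            if new != old:  # RUN -> RUN re-applies are noise
                c.transitions.append((m["ts"], old, new))
        elif (v := FLEX_VLAN_RE.search(msg)) is not None:
            c.flex_vlan = int(v.group(1))
        elif (d := DHCP_SRV_RE.search(msg)) is not None:
            target = c.offers if d.group(1) == "OFFER" else c.acks
            target.append((d.group(2), d.group(3)))
        elif (a := ASSIGN_RE.search(msg)) is not None:
            c.assigned_ip = a.group(1)
    return clients


def verdict(c: ClientSummary) -> str:
    """One-line triage result for a client."""
    if c.assigned_ip:
        server = c.acks[-1][0] if c.acks else "unknown server"
        return f"DHCP success: {c.mac} assigned {c.assigned_ip} by {server}"
    hint = ""
    if c.flex_vlan is not None and not c.offers:
        hint = (f"; client is locally bridged to VLAN {c.flex_vlan} and no OFFER was seen, "
                f"so verify VLAN {c.flex_vlan} is allowed on the trunk towards the AP")
    return (f"DHCP failure: {c.mac} {c.dropped} dropped, "
            f"{len(c.offers)} OFFER(s), {len(c.acks)} ACK(s){hint}")


# Trimmed excerpts of the debug output posted in the thread.
BEFORE_VLAN_ON_TRUNK = """
*DHCP Socket Task: Feb 07 12:45:17.805: e8:50:8b:51:2f:25 DHCP dropping packet
*apfReceiveTask: Feb 07 12:56:20.288: e8:50:8b:51:2f:25 192.0.0.4 RUN (20) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Feb 07 12:56:20.289: e8:50:8b:51:2f:25 Applying Local Bridging Interface Policy for station e8:50:8b:51:2f:25 - vlan 11, interface id 12, interface 'wifi'
""".strip().splitlines()

AFTER_VLAN_329 = """
*DHCP Socket Task: Feb 07 13:02:00.909: e8:50:8b:51:2f:25 DHCP setting server from OFFER (server 10.80.0.1, yiaddr 10.80.0.3)
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 DHCP setting server from ACK (mscb=0x454206f0 ip=0xa500003)(server 10.80.0.1, yiaddr 10.80.0.3)
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 192.0.0.4 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
*DHCP Socket Task: Feb 07 13:02:00.914: e8:50:8b:51:2f:25 10.80.0.3 DHCP_REQD (7) Change state to RUN (20) last state DHCP_REQD (7)
*DHCP Socket Task: Feb 07 13:02:00.915: e8:50:8b:51:2f:25 Assigning Address 10.80.0.3 to mobile
""".strip().splitlines()

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_VLAN_ON_TRUNK), ("after", AFTER_VLAN_329)):
        for c in summarize(sample).values():
            print(label, "->", verdict(c))
```

Run against a full `debug client <mac>` capture, the "before" case reduces to one dropped DHCP packet and a local-bridging mapping to VLAN 11 with no OFFER, while the "after" case shows the RUN -> DHCP_REQD -> RUN transition and the assignment of 10.80.0.3; the summary keeps only the lines that decide the outcome and discards the repeated policy re-application noise.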

3 Replies

Prateek Saxena
Cisco Employee

There are 2 types of plane in CAPWAP: the data plane and the control plane. Assuming that you are using Layer 2 authentication (like PSK or dot1x) and you have local switching enabled in the SSID, after the authentication is complete the AP will locally switch all the client traffic, including DHCP packets, meaning that the DHCP request will come directly from the AP to the switch. So the port should be a trunk and that VLAN allowed on the interface for it to take an IP address from the pool.

When you have local switching disabled, all the client data will be sent to the controller, and the controller will forward it to the DHCP server that is set on the interface. In that case it doesn't matter if the AP switchport is trunk or access; it only needs reachability to the controller so that it can form the CAPWAP tunnel.
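The precondition in this reply (AP port is a trunk, and the locally switched VLAN is allowed on it) is easy to verify mechanically before touching the WLAN. The Python below is an added example for this thread, not code from the reply or from Cisco: it parses one IOS `interface` stanza, applies the `switchport trunk allowed vlan` semantics (`add`, `remove`, `except`, `none`, `all`, and a plain list replacing the default of all VLANs) and reports whether a given FlexConnect VLAN can leave the AP. The interface configuration used as input is constructed for the example; the function names are mine.

```python
from typing import Optional, Set, Tuple

ALL_VLANS: Set[int] = set(range(1, 4095))


def parse_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '1,10-12,329' into a set of VLAN ids."""
    spec = spec.strip()
    if spec == "none":
        return set()
    if spec == "all":
        return set(ALL_VLANS)
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def trunk_state(interface_config: str) -> Tuple[Optional[str], Set[int], int]:
    """Return (switchport mode, allowed VLAN set, native VLAN) for one interface stanza.

    IOS defaults: no explicit mode, all VLANs allowed on a trunk, native VLAN 1.
    Later 'allowed vlan' lines modify or replace the running set, as in the CLI.
    """
    mode: Optional[str] = None
    allowed: Set[int] = set(ALL_VLANS)
    native = 1
    prefix = "switchport trunk allowed vlan "
    for line in interface_config.splitlines():
        line = line.strip()
        if line.startswith("switchport mode "):
            mode = line.split()[2]
        elif line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])
        elif line.startswith(prefix):
            rest = line[len(prefix):].strip()
            verb, _, arg = rest.partition(" ")
            if verb == "add":
                allowed |= parse_vlan_list(arg)
            elif verb == "remove":
                allowed -= parse_vlan_list(arg)
            elif verb == "except":
                allowed = set(ALL_VLANS) - parse_vlan_list(arg)
            elif verb in ("none", "all"):
                allowed = parse_vlan_list(verb)
            else:                       # plain list replaces the current set
                allowed = parse_vlan_list(rest)
    return mode, allowed, native


def check_flex_vlan(interface_config: str, flex_vlan: int) -> str:
    """Can a locally switched WLAN mapped to flex_vlan get off the AP port?"""
    mode, allowed, native = trunk_state(interface_config)
    if mode != "trunk":
        shown = mode or "unset"
        return f"FAIL: AP port mode is '{shown}', not trunk; VLAN {flex_vlan} cannot be carried"
    if flex_vlan not in allowed:
        return f"FAIL: VLAN {flex_vlan} is not in the allowed list on the AP trunk"
    if flex_vlan == native:
        return f"OK (VLAN {flex_vlan} is also the native VLAN on this trunk)"
    return "OK"


# Constructed sample: the trunk carries 1, 10 and 329 but not the WLAN's VLAN 11,
# which mirrors the "before" and "after" situations described in the thread.
AP_PORT_MISSING_VLAN_11 = """
interface GigabitEthernet1/0/24
 description AP uplink (constructed example)
 switchport trunk native vlan 10
 switchport trunk allowed vlan 1,10,329
 switchport mode trunk
"""

ACCESS_PORT = """
interface GigabitEthernet1/0/25
 switchport access vlan 10
 switchport mode access
"""

if __name__ == "__main__":
    print("VLAN 11 :", check_flex_vlan(AP_PORT_MISSING_VLAN_11, 11))
    print("VLAN 329:", check_flex_vlan(AP_PORT_MISSING_VLAN_11, 329))
    print("access  :", check_flex_vlan(ACCESS_PORT, 11))
```

Feeding the stanza from `show running-config interface <AP port>` to `check_flex_vlan` with the VLAN from the WLAN's FlexConnect mapping gives the same answer the debug session above arrived at by trial: VLAN 11 fails until it is added to the trunk, VLAN 329 passes, and an access port fails regardless of the VLAN.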

So I managed to get it up and running; it took me a while, but I had to tweak a few settings.  Thanks for the help, it also gave me some clarity on something I was overlooking.

DHCP Addr. Assignment required

FlexConnect Local Switching - Enabled

Local Auth - Disabled

Learn Client IP - Enabled

Central Switching - Disabled

Central DHCP - Enabled

DNS - Disabled

NAT-PAT - Disabled (This setting was stopping me from modifying the VLANs)

Also, to my understanding and partially related: would mDNS be disabled globally on this WLAN, as it's not compatible with FlexConnect, or would that only occur at sites where I have FlexConnect VLANs modified?

If you have local switching enabled, you won't be able to enable mDNS snooping; it will prompt you with an error, as it is not supported.

You can enable multicast though, from the command:

config flexconnect group <group_name> multicast overridden-interface <enable/disable>
