Trying to convert WLC and APs from FlexConnect mode to Local Mode

Spork Schivago · ‎01-31-2019

Hi! I have a Cisco C1111-8PW router, which has a built-in WLC and a built-in Wireless AP. Currently, they are configured for FlexConnect, but I am having some issues setting up some VLANs on the WLC and the APs and using the VLANs, so I figured it's time to try ditching the FlexConnect and using Local Mode. I cannot seem to get the built-in AP to switch modes though.

This is my current setup:

On the Router
-------------
!
interface GigabitEthernet0/0/1
 description Gigabit Ethernet WAN port
 mac-address <MAC ADDRESS SWITCHED FOR ONT>
 ip address <STATIC PUBLIC IP> 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip nbar protocol-discovery
 ip verify unicast source reachable-via rx allow-default
 ip access-group NO_OUTFACING_SERVICES in
 speed 1000
 no negotiation auto
 vlan-range dot1q 1 40
 !
end

!
interface Wlan-GigabitEthernet0/1/8
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,40
 switchport mode trunk
end

interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip access-group BLOCK_INTERVLAN_ROUTING in
 shutdown
!
interface Vlan10
 description VLAN interface (Layer 3) with 254 Usable Hosts (10.0.0.1 - 10.0.0.254), network address 10.0.0.0
 ip address 10.0.0.1 255.255.255.0
 ip broadcast-address 10.0.0.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan20
 description VLAN interface (Layer 3) with 254 Usable Hosts (10.0.20.1 - 10.0.20.254), network address 10.0.20.0
 ip address 10.0.20.1 255.255.255.0
 ip broadcast-address 10.0.20.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
interface Vlan40
 description Guest VLAN interface (Layer 3) with 254 Usable Hosts (10.0.40.1 - 10.0.40.254), network address 10.0.40.0
 ip address 10.0.40.1 255.255.255.0
 ip broadcast-address 10.0.40.255
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
!
ip access-list standard NAT_TRANSLATIONS
 permit 10.0.0.0 0.0.0.255
 permit 10.0.40.0 0.0.0.255
 permit 10.0.20.0 0.0.0.255
!
ip access-list extended BLOCK_INTERVLAN_ROUTING
 deny   ip 10.0.0.0 0.0.0.255 10.0.40.0 0.0.0.255
 deny   icmp 10.0.0.0 0.0.0.255 10.0.40.0 0.0.0.255
 permit ip any any
ip access-list extended NO_OUTFACING_SERVICES
 deny   tcp any any eq telnet
 deny   tcp any any eq 22
 deny   tcp any any eq www
 deny   tcp any any eq 443
 deny   tcp any any eq finger
 deny   tcp any any eq cmd
 permit ip any any

WLC CONFIG:
-----------
 Number of Interfaces.......................... 3

Interface Name                   Port Vlan Id  IP Address      Type    Ap Mgr Guest
-------------------------------- ---- -------- --------------- ------- ------ -----
management                       1    10       10.0.0.2        Static  Yes    No
virtual                          N/A  N/A      192.0.2.1       Static  No     No
vlan_employees                   1    20       10.0.20.2       Dynamic No     No

WLC BOOTUP MSG:
---------------
[*01/31/2019 12:22:26.6799] ethernet_port wired0, ip 10.0.20.3, netmask 255.255.255.0, gw 10.0.20.1, mtu 1500, bcast 10.0.20.255, dns1 1.0.0.1, is_static true, vid 0, static_ip_failover false, dhcp_vlan_failover false
[*01/31/2019 12:22:26.6899]
[*01/31/2019 12:22:26.6899] Configured VLAN Tag 20, failover_enabled 0
<CUT>
[*01/31/2019 12:22:29.5099] Failed to load flex AP config from file. Default config will be used.
[*01/31/2019 12:22:29.5599] Socket Valid Element wcp/wcp_db Handler set_vlan_name_map Data  Length 10
[*01/31/2019 12:22:30.7799] ethernet_port wired0, ip 10.0.20.56, netmask 255.255.255.0, gw 10.0.20.1, mtu 1500, bcast 10.0.20.255, dns1 1.1.1.1, dns2 1.0.0.1, vid 20, static_ip_failover true, dhcp_vlan_failover false
[*01/31/2019 12:22:39.6099] DOT11_CFG[0] Radio Mode is changed from FlexConnect to FlexConnect
[*01/31/2019 12:22:39.6199] DOT11_CFG[1] Radio Mode is changed from FlexConnect to FlexConnect
[*01/31/2019 12:22:39.7199] AP IPv4 Address updated from 0.0.0.0 to 10.0.20.3
[*01/31/2019 12:22:39.7299] send CAPWAP ctrl msg to the socket: Socket operation on non-socket
[*01/31/2019 12:22:39.7299] send_msg_to_capwap_sm: Capwap SM restart message send failed for message: 9
[*01/31/2019 12:22:44.9899] AP IPv4 Address updated from 10.0.20.3 to 10.0.20.56
[*01/31/2019 12:22:44.9999] send CAPWAP ctrl msg to the socket: Socket operation on non-socket
[*01/31/2019 12:22:44.9999] send_msg_to_capwap_sm: Capwap SM restart message send failed for message: 9
[*01/31/2019 12:25:36.9999] chatter: tohost_virtual :: ToHost: device 'virtual' went down
[*01/31/2019 12:25:37.0399] chatter: tohost_vlan0 :: ToHost: device 'vlan0' went down
[*01/31/2019 12:25:37.0999] chatter: tohost_vlan1 :: ToHost: device 'vlan1' went down
<CUT>
Starting the Switchdriver...

Originally, I wanted it so the corporation stuff was on the 10.0.0.0 / 24 network, the guests were on a different network, like 10.0.40.0 / 24. I couldn't get that working right though, so I tried putting the WLC on the 10.0.0.0 / 24 network, I was going to have the APs on the 10.0.20.0 / 24 network, and then a WLAN called MyBusiness Guest on 10.0.40.0 / 24 network.

To try and put the AP in Local mode, I typed this:

(WLC0) >show ap join stats summary all

Number of APs.............................................. 1

Base Mac             AP EthernetMac       AP Name                 IP Address         Status
00:bf:77:e0:00:c0    00:a3:8e:95:ac:30    WAP0                    10.0.20.56         Joined

(WLC0) >config macfilter add 00:a3:8e:95:ac:30 0 vlan_employees "Built-in WAP" 10.0.20.3
(WLC0)> config ap mode local submode none WAP0

I restarted, but as you can see from the WLC0's bootup messages that are displayed on the screen, the AP is still in the FlexConnect mode. Any ideas what I'm doing wrong in my attempt to stop using FlexConnect and switching everything over to Local mode? Any does anyone see anything wrong with the VLANs or know why from the WLC, I cannot reach the router or other various VLANs? I assigned the vlan_employees interface to the WLAN ID 1 (currently, the only wireless SSID). Thanks!

Flavio Miranda · ‎01-31-2019

Hi

Did you change the SSID from flexconnect to Local mode? WLAN, SSID> Advanced Tab> FlexConnect > Uncheck Fleconnect Local switching.

Try to add device config as txt file.

-If I helped you somehow, please, rate it as useful.-

Spork Schivago · ‎01-31-2019

@Flavio Miranda,

Thank you for the reply. Currently, because I cannot access any GUIs at all, I must do everything from the console ports. I did not do anything with the SSIDs, I didn't realize I had to. From your example, I have now issues the following command from the WLC's console session:

config wlan disable 1
config wlan flexconnect local-switching 1 disable
config wlan enable 1

Where currently, the only SSID, is the 1st one there.

After executing those commands though, I still see the AP is not joined to the controller, I still can only ping 10.0.0.2 (the management interface), I still cannot ping the vlan_employees interface (10.0.20.2), I cannot ping VLAN10 (10.0.0.1) or VLAN20 (10.0.20.1). I can ping the address the built-in AP is assigned though (currently through DHCP, it's ignoring my static IP address, 10.0.20.58).

I am going about it the right way, trying to tell the WLC what APs are allowed to join? Using the config macaddress command? I am not certain which of the two MAC addresses for the WAP I am supposed to use either, whether I'm supposed to use the Base MAC or the AP EthernetMac (that's what they're called when I do the show ap join stats summary all).

I do not know what you mean by try using a txt file for the device config.

Thanks for helping.

Flavio Miranda · ‎02-01-2019

I think I may misunderstood your problem.

I though the AP was joined and you were facing problem with the client on the SSID. Then, I though your AP was in flexconnect but your SSID not.

But, if you AP does not yet joined the WLC then forget it completely.

It seems to me that the AP is not able to reach the WLC and you may have network config problem.

What I said about the txt file is for you to attach the switch config file in a txt file to make it easier to read. This is also true for the wlc.

Keep in mind that the WLC and switch needs to be as trunk mode in order to carrier more that one vlan.

You need also create subinterfaces on the WLC and interface-vlans on your layer 3 switch with ip-helper address pointing to the DHCP server.

Most of it I'm guessing as I don't know your environment.

You may provide a draw to make it easier.

-If I helped you somehow, please, rate it as useful.-

Spork Schivago · ‎02-04-2019

Thank you!

I also believe it's a configuration issue. I am uploading a hand-drawn picture of my network topology. The WLC and first AP are built into the router. I have not figured out how to disable FlexConnect on the WLC, nor have I figured out how to configure the interface as a trunk line on the WLC.

In the Network Topology picture, I did not draw the Wireless APs. There are four total. One is built into the Router (along with the WLC), and the other three I have connected to the router instead of the switch because the router supports PoE and my switch does not.

I have tried putting the management interface on the WLC and the wireless APs on one VLAN but the SSIDs on another VLAN, so users connecting to either SSIDs wouldn't have access to any of the management hardware (WLCs, Routers, Wireless APs, etc), but I could not get that working, then I tried putting the WLC, APs, and the employee SSID all on the same VLAN, with the SSID for Guests on another VLAN, but I could not get that working at all either.

Depending on the configuration, I can get the built-in AP to show Join. I currently want FlexConnect disabled, just to try and make it a little easier getting everything working, but I am not against keeping FlexConnect enabled, I just thought it would be easier right now with it disabled. Eventually, we will be expanding (if everything goes right) and we will have a need for FlexConnect when that time comes.

Thanks for the help!!!!

Flavio Miranda · ‎02-04-2019

Take a look on this doc:

https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/70530-nm-wlc-config-guide.html

The router model is different but you may benefit from the concept. Honestly, dont have experient with WLC and ISR

but I´d say you need some interface between WLC and router in order to work.

Something like:

c2811#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
c2811(config)#
c2811(config)#interface wlan-controller 1/0
c2811(config-if)#ip address 192.168.99.254 255.255.255.0
c2811(config-if)#no shut
c2811(config-if)#end
c2811#

Considering in your scenario the interface would be :

interface Wlan-GigabitEthernet0/1/8
switchport trunk native vlan 999
switchport trunk allowed vlan 10,20,40
switchport mode trunk
!

Then you can try to put the APs on the vlan 999 in the router.

-If I helped you somehow, please, rate it as useful.-

Haydn Andrews · ‎02-04-2019

Have you configured the controller part first?

service-module wlan-controller 1/0 session

Before you can get the APs to register you need to configure that part?

You will then need sub interfaces created for the WLANs on the controller on the router

The AP router port config can either be a connected to a switch or straight to an AP.

You will need a DHCP scope for the APs with option 43 pointing to the WLC IP that you configured.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***