9800-40 mobility to 9800-40 setup

Michael Voity
Level 5

Hello Community, 

I have read the article - 
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213913-building-mobility-tunnels-on-catalyst-98.html

I want to enable mobility between two of my controllers to get rid of errors when my users roam from one side of campus to the other. We are higher ed: Academic Admin controller vs. Residential controller.

I understand I need IPv4 multicast routing enabled on the router where the wireless management VLANs live.

My questions are: when I enable this, will it bounce APs and/or clients off the controller when it's enabled on both controllers as it forms the tunnel? Do I need PIM running on each of the wireless management VLANs?

Thank you in advance for any reply.

-Mike

9 Replies

balaji.bandi
Hall of Fame

> when I enable this, will it bounce APs and/or clients off the controller when it's enabled on both controllers as it forms the tunnel?

No, there is no effect on the APs or existing connections.

Just follow the guide; you do not need anything else. Make sure any firewall in the path has the required ports open.

If both are CAT 9800s, follow the guide below:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Wow, that was fast. Thank you.

Questions: once I build the tunnel from the first guide, 9800 <-> 9800, do I need to do the anchor and foreign policies on each controller in order for the mobility to work? What happens if I do not do the guide you posted?

The reason for wanting to do mobility is that I have clients that use a device in class that is on one controller and then go back to their residence that is on another controller. I am seeing users having issues with onboarding where they are getting IP theft errors and "DHCP NAK: Requested address not in the pool or in a different subnet or already in use by another client".

Thoughts?

Thanks in advance again.

-Mike

- In general, when trying to configure the controllers you can always check the intended configuration with the CLI command show tech wireless and feed the output into the Wireless Config Analyzer.
Using the Wireless Config Analyzer is a must do!

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Anchor-foreign is really only intended for guest-DMZ setups, if that's what you're intending.
If you're just wanting to support simple mobility then there is no need for an anchor-foreign setup.

Hard to comment on IP theft without more detail on topology and setup.
Presume you're aware that in early versions of 9800 software the developers mistakenly assumed that no two users could ever have the same IP, resulting in false "IP theft" errors and outages for users. They had to add the "IP overlap" feature from 17.3.3 to allow this; see:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-4/config-guide/b_wl_17_4_cg/m_vewlc_flex_connect.html#Cisco_Concept.dita_b7aa7e2e-9efb-4bcb-9d75-27eb91f6662f (Overlapping Client IP Address in Flex Deployment)
https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#FlexConnectsitetag
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr98802

More generally, make sure you've been through the Best Practice guide below and make sure your WLC code is up to date as per the TAC recommended link below.

Thank you all for your replies!

I was able to get the mobility tunnel set up and working.

This is the error I am seeing frequently:
CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON: Chassis 1 R0/0: wncd: Client MAC: 1edf.0d51.9145 with IP: 10.245.92.183 was added to exclusion list, legit Client MAC: 5a8e.740d.eb26, IP: 10.245.92.183, reason: IP address theft

I am also starting to see this message too:

%CLIENT_EXCLUSION_SERVER-5-ADD_TO_BLACKLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: 1acd.9197.2751 was added to exclusion list associated with AP Name:CCRH-W-136, BSSID:MAC: a03d.6f47.dbe0, reason:Excluded by Mobility Peer

My topology is simple: Academic Controller and Residential Controller. Both have the same SSIDs but different client VLANs based on geographic area.

Example: a student goes to class in the Library, connects to the SSID, and gets put in the "central student" client group on the Academic Admin Controller. They leave class to arrive at the residence hall, connect to the SSID and get put in the "wdw" client group of the ResHall Controller. It will be hit or miss whether the user gets the following errors on DNA Center or the controller: IP theft errors and "DHCP NAK: Requested address not in the pool or in a different subnet or already in use by another client".

Thank you in advance for any replies!

 

-Mike
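Before deciding between disabling IP theft detection and tuning the exclusion timeout, it helps to know how often each exclusion reason fires and which clients and addresses are involved. The following is an added example, not code from this thread or from Cisco: a small parser for the two 9800 exclusion-list syslog formats quoted above, run over a constructed sample that reuses the thread's own MACs, IPs and AP name plus one repeat and one unrelated line. The message layouts are assumed to be exactly as quoted; the `ExclusionEvent` class, `parse_log` and `summarize` are names chosen here.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample syslog excerpt (not a real capture). It repeats the two
# message formats quoted in the thread, adds one duplicate theft event and one
# unrelated line to show that non-exclusion messages are ignored.
SAMPLE_LOG = """\
CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON: Chassis 1 R0/0: wncd: Client MAC: 1edf.0d51.9145 with IP: 10.245.92.183 was added to exclusion list, legit Client MAC: 5a8e.740d.eb26, IP: 10.245.92.183, reason: IP address theft
%CLIENT_EXCLUSION_SERVER-5-ADD_TO_BLACKLIST_REASON_DYNAMIC: Chassis 1 R0/0: wncmgrd: Client MAC: 1acd.9197.2751 was added to exclusion list associated with AP Name:CCRH-W-136, BSSID:MAC: a03d.6f47.dbe0, reason:Excluded by Mobility Peer
%CLIENT_ORCH_LOG-5-ADD_TO_BLACKLIST_REASON: Chassis 1 R0/0: wncd: Client MAC: 1edf.0d51.9145 with IP: 10.245.92.183 was added to exclusion list, legit Client MAC: 5a8e.740d.eb26, IP: 10.245.92.183, reason: IP address theft
%SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

MAC = r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}"      # Cisco dotted MAC, e.g. 1edf.0d51.9145
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"

# wncd message: carries the offending MAC and the legitimate owner of the IP.
THEFT_RE = re.compile(
    rf"ADD_TO_BLACKLIST_REASON: .*?Client MAC: (?P<mac>{MAC}) with IP: (?P<ip>{IPV4}) "
    rf"was added to exclusion list, legit Client MAC: (?P<legit_mac>{MAC}), "
    rf"IP: (?P<legit_ip>{IPV4}), reason: (?P<reason>.+)$"
)
# wncmgrd message: carries the AP/BSSID the client was on when excluded.
PEER_RE = re.compile(
    rf"ADD_TO_BLACKLIST_REASON_DYNAMIC: .*?Client MAC: (?P<mac>{MAC}) was added to "
    rf"exclusion list associated with AP Name:(?P<ap>[^,]+), BSSID:MAC: (?P<bssid>{MAC}), "
    rf"reason:(?P<reason>.+)$"
)


@dataclass
class ExclusionEvent:
    mac: str
    reason: str
    ip: Optional[str] = None         # contested address (IP theft events only)
    legit_mac: Optional[str] = None  # MAC the controller believes owns the IP
    ap: Optional[str] = None         # AP name (mobility-peer events only)
    bssid: Optional[str] = None


def parse_line(line: str) -> Optional[ExclusionEvent]:
    """Return an ExclusionEvent for a 9800 exclusion-list syslog line, else None."""
    line = line.strip()
    m = THEFT_RE.search(line)
    if m:
        return ExclusionEvent(mac=m["mac"], reason=m["reason"].strip(),
                              ip=m["ip"], legit_mac=m["legit_mac"])
    m = PEER_RE.search(line)
    if m:
        return ExclusionEvent(mac=m["mac"], reason=m["reason"].strip(),
                              ap=m["ap"], bssid=m["bssid"])
    return None


def parse_log(text: str) -> list:
    """Parse every line of a syslog excerpt, dropping lines that are not exclusions."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize(events) -> dict:
    """Count exclusions per reason, flag repeat offenders and group MACs per contested IP."""
    by_reason = Counter(ev.reason for ev in events)
    per_mac = Counter(ev.mac for ev in events)
    claims = defaultdict(set)  # contested IP -> every MAC that claimed it
    for ev in events:
        if ev.ip and ev.legit_mac:
            claims[ev.ip].update({ev.mac, ev.legit_mac})
    return {
        "by_reason": dict(by_reason),
        "repeat_macs": sorted(mac for mac, n in per_mac.items() if n > 1),
        "ip_conflicts": {ip: sorted(macs) for ip, macs in claims.items()},
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feeding a day of controller syslog through `parse_log` and `summarize` gives the per-reason counts and the list of addresses that more than one MAC claimed, which is what a TAC case on false IP theft needs; a single IP repeatedly contested by the same two MACs points at the roaming scenario described above rather than at a real spoofing client.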

 

Do both SSIDs use the same IP pool? As you mentioned, they are different client groups?

What is your DHCP timeout?

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/ip-theft.html

BB

Thanks again for the response.

Not the same IP pool; client VLANs are based on geographic area, and each client group is a /20.

I cannot find the DHCP timeout in the config or CLI; looking at the best practice guide, it says it's a fixed value of 120.

I have a TAC case open about this, not going anywhere; they said initially that "IP theft on the WLC as it is a good feature to have on the 9800."

I am leaning towards disabling it, as the command "show wireless exclusionlist" is showing a lot of MACs and the countdown to release them.

Thanks again for the reply.

-Mike

I meant to say: what is your lease time on the DHCP server?

You can also try, under the policy profile:

exclusionlist timeout X

BB

Most subnets are at 28800 seconds.

Thanks again.
