
9800 VLAN groups and static IP clients

prosa
Level 1

Hello,

I'm migrating from AireOS controllers to these new 9800. In order to decrease the number of SSIDs emitted by each AP we were using interface groups in AireOS and it was working as expected; depending on the IP of the client, its traffic was placed in the corresponding VLAN.

The problem now is that with VLAN groups, the client is assigned to a random VLAN of the group using a hash of its MAC address. As the client has static IP, if it is not assigned to the correct VLAN (corresponding to its IP configuration) it can't communicate.

Is there an equivalent feature in the 9800s where the client is assigned to the VLAN depending on its IP address?

BTW The SVIs are created for each vlan with the corresponding IPs so the controller should know each VLAN IP domain (like in AireOS).


Sandeep Choudhary
VIP Alumni

Hi Prosa,

I think, at the moment it's not supported by 9800 series.

Read the Restrictions for VLAN Groups:

  • The number of VLANs mapped to a VLAN group is not limited by Cisco IOS XE software release. However, if the number of VLANs in a VLAN group exceeds the recommended value of 32, the mobility functionality might not work as expected and in the VLAN group, L2 multicast breaks for some VLANs. Therefore, it is the responsibility of network administrators to configure feasible number of VLANs in a VLAN group.

    For the VLAN Groups feature to work as expected, the VLANs mapped in a group must be present in the controller. The static IP client behavior is not supported.

  • ARP Broadcast feature is not supported on VLAN groups.

Regards

Don't forget to rate helpful posts

Hi Sandeep,

Thank you for your answer.

I read that line also but didn't want to believe it meant what I understood. Now I see it is the case.

I will check with TAC and see if they plan to implement it in future versions.

Regards.

patoberli
VIP Alumni

As an alternative to this variant (although that might need a redesign of your authentication infrastructure), switch to WPA2-Enterprise and let the Radius send the client VLAN based on the client properties.

Hi, thank you for your answer.

Yes, we were thinking of going RADIUS-based also for industrial devices but step by step, not forced by the removal of this functionality.

The difficulty we face is that we have more than 300 sites, each one with its own VLAN distribution and with old devices connecting to the network. To add more, connectivity of these devices is critical and we cannot leave them disconnected because the RADIUS server is down or not reachable.

I'm in the process of opening a TAC and see which are our options.

Hi Prosa, 

How did you solve the problem? What was the recommendation by Cisco TAC?

We are facing the same challenge and don't want to re-address dozens of client devices. As mentioned in this thread, an alternative might be the use of RADIUS Server with AAA Override. 

||| Please rate helpful posts. Thanks! |||
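The RADIUS-based alternative raised in the replies needs, for every static-IP client, the VLAN whose subnet contains its address. The sketch below is an added example, not part of the thread or of any Cisco tooling: it derives that mapping for one site and pairs each client with the RFC 3580 tunnel attributes a RADIUS server returns for VLAN assignment. The subnets, MAC addresses, function names and the choice of the MAC as lookup key are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data for one site: VLAN ID -> SVI subnet (assumption).
SITE_VLANS = {
    10: ipaddress.ip_network("10.1.10.0/24"),
    20: ipaddress.ip_network("10.1.20.0/24"),
    30: ipaddress.ip_network("10.1.30.0/23"),
}
# Constructed inventory of static-IP clients: (MAC as recorded, static IP).
CLIENTS = [
    ("00:11:22:AA:BB:01", "10.1.10.15"),
    ("0011.22aa.bb02", "10.1.31.200"),
    ("00-11-22-aa-bb-03", "192.168.5.9"),  # matches no VLAN at this site
]

def normalize_mac(mac):
    """Return the MAC as 12 lowercase hex digits, whatever separator was used."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def vlan_for_ip(ip, vlans):
    """VLAN whose subnet contains ip (longest prefix wins), or None."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, vid) for vid, net in vlans.items() if addr in net]
    return max(matches)[1] if matches else None

def radius_vlan_attrs(vlan_id):
    """RFC 3580 tunnel attributes used for dynamic VLAN assignment."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}

def build_assignments(clients, vlans):
    """Split the inventory into per-MAC attributes and clients needing review."""
    assigned, unmatched = {}, []
    for mac, ip in clients:
        vid = vlan_for_ip(ip, vlans)
        if vid is None:
            unmatched.append((mac, ip))  # static IP outside every site subnet
        else:
            assigned[normalize_mac(mac)] = radius_vlan_attrs(vid)
    return assigned, unmatched

if __name__ == "__main__":
    assigned, unmatched = build_assignments(CLIENTS, SITE_VLANS)
    print(assigned)
    print("needs review:", unmatched)
```

Clients reported under "needs review" have a static address outside every subnet defined for the site and would lose connectivity whichever VLAN is returned.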