Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2380
Views
25
Helpful
5
Replies

9800 VLAN groups and static IP clients

prosa
Level 1
Level 1

‎09-17-2021 04:12 AM

Hello,

I'm migrating from AireOS controllers to these new 9800. In order to decrease the number of SSIDs emitted by each AP we were using interface groups in AireOS and it was working as expected; depending on the IP of the client, it's traffic was placed in the corresponding VLAN.

The problem now is that with VLAN groups, the client is assigned to a random VLAN of the group using a hash of it's MAC address. As the client has static IP, if it is not assigned to the correct vlan (corresponding to it's IP configuration) it can't communicate.

Is there an equivalent feature in the 9800s where the client is assigned to the vlan depending on it's IP address?

BTW The SVIs are created for each vlan with the corresponding IPs so the controller should know each VLAN IP domain (like in AireOS).

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Sandeep Choudhary
VIP Alumni
VIP Alumni

‎09-17-2021 10:19 PM

HI Prosa,

 

I think, at the moment its not supported by 9800 series.

 

Read the Restrictions for VLAN Groups

  • The number of VLANs mapped to a VLAN group is not limited by Cisco IOS XE software release. However, if the number of VLANs in a VLAN group exceeds the recommended value of 32, the mobility functionality might not work as expected and in the VLAN group, L2 multicast breaks for some VLANs. Therefore, it is the responsibility of network administrators to configure feasible number of VLANs in a VLAN group.

    For the VLAN Groups feature to work as expected, the VLANs mapped in a group must be present in the controller. The static IP client behavior is not supported.

  • ARP Broadcast feature is not supported on VLAN groups.

 

Regards

Dont forget to rate helpful posts

prosa
Level 1
Level 1
In response to Sandeep Choudhary

‎09-20-2021 08:58 AM

Hi Sandeep,

Thank you for your answer.

I read that line also but didn't want to believe it meant what I understood. Now I see it is the case.

I will check with TAC and see if they plan to implement it in future versions.

Regards.

0 Helpful

patoberli
VIP Alumni
VIP Alumni

‎09-20-2021 08:03 AM

As an alternative to this variant (although that might need a redesign of your authentication infrastructure), switch to WPA2-Enterprise and let the Radius send the client VLAN based on the client properties.

prosa
Level 1
Level 1
In response to patoberli

‎09-20-2021 08:33 AM - edited ‎09-20-2021 09:01 AM

Hi, thank you for your answer.

Yes, we were thinking into going RADIUS based also for industrial devices but step by step, not forced by the removal of this functionality.

The difficulty we face is that we have more than 300 sites, each one with its own vlan distribution and with old devices connecting to the network. To add more, connectivity of these devices is critical and we cannot let them disconnected because the RADIUS server is down or not reachable. 

I'm in the process of openning a TAC and see which are our options.

0 Helpful

Tony Rosolek
Level 1
Level 1
In response to prosa

‎01-04-2023 01:07 AM

Hi Prosa, 

how did you solve the problem? What was the recommendation by Cisco TAC?

We are facing the same challenge and don't want to re-address dozens of client devices. As mentioned in this thread, an alternative might be the use of RADIUS Server with AAA Override. 

||| Please rate helpful posts. Thanks! |||
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card