
9800 - WMI and APs in different VLAN, howto?

schulcz
Level 1

Hi Guys!

I'm more familiar with AireOS systems than Catalyst, I'm just learning about the Catalyst wireless solution.

I would like to set up an HA-SSO deployment with 2 physical 9800-40 WLCs and 500 access points. I have read through the guides and documents, and I understand the RP+RMI solution.
I have a couple of free IP addresses in the general network management IP network (let's say it's VLAN 100, Network-A), and I planned to use 4 IP addresses in total for the 2 WLCs from Network-A: 2 IP addresses for the WMIs and 2 IPs for the RMIs.

Configuration guide states that:
You can use only one AP manager interface on Cisco Catalyst 9800 Wireless Controller called the WMI to terminate CAPWAP traffic.

Best practices guide states that:
It is a best practice to place the Access Points in a different VLAN than the Wireless Management one, to avoid overloading the Wireless Management interface. If you need to do it (for staging or production) it is recommended to limit the number of APs to 100.

I would like to put the APs in a different VLAN and IP network (let's say it's VLAN 200, Network-B). I know it is not recommended, but at the beginning the WLCs will serve as the DHCP server for the APs, so I think I should create a VLAN 200 SVI as well.

How can I make sure that APs sitting on a separate network from the WMI will join the controllers successfully?

Thanks!

8 Replies

Arshad Safrulla
VIP Alumni

If you need to run a DHCP server then an SVI is mandatory. It is very simple: you can have the WMI in VLAN100 (Network A), then have VLAN 200 as a different subnet where all the AP management addresses are assigned. In the VLAN200 DHCP server you advertise DHCP option 43 pointing to the WMI IP. You can also use DNS for this.
https://mrncciew.com/2013/03/17/ap-registration/

Refer to the above link by Rasika for more info on the AP registration process.
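As an added example (not code from this thread, from Cisco, or from the linked article), the script below builds and checks the DHCP option 43 value that such a VLAN 200 pool would advertise. Cisco lightweight APs expect a vendor-specific sub-option of type 0xf1, a length byte equal to 4 times the number of controllers, and then each controller's WMI IPv4 address; `decode_option43` refuses values whose length byte does not match the address bytes, which is the usual hand-typing mistake. The function names and the pool rendering are the example's own, the 10.0.0.0/23 network for the AP pool is an assumption, and 172.20.0.23 is the WMI address quoted later in the thread.

```python
import ipaddress

# Sub-option type used by Cisco lightweight APs inside DHCP option 43 (vendor-specific).
# Layout: type 0xf1, length = 4 * number of controllers, then each controller IPv4 address.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Return the hex string for `option 43 hex ...` that advertises the given WMI IPs."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single length byte")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]).hex() + payload.hex()


def decode_option43(hexstr):
    """Parse an option 43 hex string (plain or IOS dotted form) back into controller IPs.

    Values whose TLV framing is inconsistent (wrong type, length byte not matching
    the address bytes, partial addresses) are rejected instead of silently misread.
    """
    raw = bytes.fromhex(hexstr.replace(".", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option (expected type 0xf1)")
    length, body = raw[1], raw[2:]
    if length != len(body) or length % 4 != 0:
        raise ValueError(f"length byte {length} does not match {len(body)} address bytes")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def render_dhcp_pool(name, network, default_router, controllers):
    """Render an IOS-XE style DHCP pool for the AP VLAN; all values are supplied by the caller."""
    net = ipaddress.IPv4Network(network)
    return [
        f"ip dhcp pool {name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {default_router}",
        f" option 43 hex {encode_option43(controllers)}",
    ]


if __name__ == "__main__":
    # Constructed: the thread's AP pool, assumed to be 10.0.0.0/23, pointing at WMI 172.20.0.23.
    print("\n".join(render_dhcp_pool("ap-mgmt-pool", "10.0.0.0/23", "10.0.0.1", ["172.20.0.23"])))
    # Round-trip the IOS dotted form of the same value.
    print(decode_option43("f104.ac14.0017"))
```

Listing both WMIs (primary and standby) in the sub-option lets an AP learn both controllers from one lease; the decoder is also handy for auditing an existing pool, since a value that decodes to the wrong network explains a "got WLC address from DHCP" line that never leads to a join.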

Thanks, it sounds simple, but something is not OK.

I configured VLAN 200 and the Network-B SVI (10.0.0.1) on the WLC and set up the DHCP server (pool: 10.0.0.10-10.0.1.250, default router: 10.0.0.1 and option 43 string). The test AP got an IP address (10.0.0.10) and the controller's WMI IP address (172.20.0.23), and tried to send a discovery request to 172.20.0.23, but doesn't get a response from the WLC. I see this in the AP console:

Got WLC address 172.20.0.23 from DHCP.

(172.20.0.23 is the Primary WLC's WMI IP address.)

Maybe something is missing?

 

wlc-1#sh ip int br
Interface              IP-Address      OK? Method Status                Protocol
Te0/0/0                unassigned      YES unset  up                    up
Te0/0/1                unassigned      YES unset  administratively down down
Te0/0/2                unassigned      YES unset  administratively down down
Te0/0/3                unassigned      YES unset  administratively down down
GigabitEthernet0       unassigned      YES NVRAM  administratively down down
Port-channel1          unassigned      YES unset  up                    up
Vlan100                172.20.0.23     YES unset  up                    up
Vlan200                10.0.0.1        YES manual up                    up
wlc-1#sh ip dhcp bind
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type       State      Interface
                Hardware address/
                User name
10.0.0.10     xxxx.xxxx.xxxx.xx       Aug 24 2022 07:18 PM    Automatic  Active     Vlan200
wlc-1#sh ip dhcp pool

Pool ap-mgmt-pool :
 Utilization mark (high/low)    : 100 / 0
 Subnet size (first/next)       : 0 / 0
 Total addresses                : 1022
 Leased addresses               : 1
 Excluded addresses             : 522
 Pending event                  : none
 1 subnet is currently in the pool :
 Current index        IP address range                    Leased/Excluded/Total
 10.0.0.10            10.0.0.10      - 10.0.1.250         1     / 522   / 1022
wlc-1#

 

Arshad Safrulla
VIP Alumni

Sorry, the 9800 internal DHCP server doesn't support option 43. So you may have to rely on some other way.

However, from your side please verify the below:

1. WMI interface defined correctly in the WLC.

2. IP routing. Default route added in the WLC.

3. WLC is synced to NTP.

4. Configure the WMI IP directly in the AP console and check. If the AP CLI reveals something useful, please share. Also you can do an RA trace from the WLC using the AP MAC.

5. For testing you can move the AP to the same VLAN as the WMI.

6. Even if it is 500 APs I expect them to register to the WLC. (I recently had 290 APs registered in staging with the APs and WMI in the same broadcast domain.)

The 9800 internal DHCP server supports option 43; I configured it on the CLI, it works, the AP got the WLC's IP address from the DHCP response.

1. I think the WMI interface is defined correctly:

 

wlc-1#show wireless interface sum

Wireless Interface Summary


Interface Name Interface Type VLAN ID IP Address     IP Netmask     NAT-IP Address   MAC Address
--------------------------------------------------------------------------------------------------
               Management     0       172.20.0.23    255.255.252.0                   0000.0000.0000

wlc-1#

 

2. Default route added on the WLC. But now I tried moving routing to the switch placed between the WLC and the test AP. Now that switch is the default gateway in Network-A and Network-B. Now the AP can ping the WLC's WMI IP address and the WLC can ping the AP's IP address with the WMI as source. So the communication seems OK.

3. It's a lab environment, I haven't got NTP yet, but show clock shows the correct time on the WLC.

4. Configured it, the AP tries to send more discovery requests, but still doesn't get any response from the WLC.

Now I tried making a DHCP server on Network-A and putting the test AP in Network-A; the AP tried to discover the WLC, but didn't get any answer.

[*03/24/2022 01:11:24.2490] AP IPv4 Address updated from 172.20.0.201 to 172.23.3.202
[*03/24/2022 01:11:30.7570]
[*03/24/2022 01:11:30.7570] CAPWAP State: Discovery
[*03/24/2022 01:11:30.7590] Discovery Request sent to 172.20.0.23, discovery type STATIC_CONFIG(1)
[*03/24/2022 01:11:30.7600] Discovery Request sent to 172.20.0.23, discovery type STATIC_CONFIG(1)
[*03/24/2022 01:11:30.7610] Discovery Request sent to 255.255.255.255, discovery type UNKNOWN(0)
[*03/24/2022 01:11:30.7610] Cleanning up DTLS connection.
[*03/24/2022 01:11:30.7780]
[*03/24/2022 01:11:30.7780] CAPWAP State: DTLS Teardown

APxxxx.xxxx.xxxx#ping 172.20.0.23
Sending 5, 100-byte ICMP Echos to 172.20.0.23, timeout is 2 seconds
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.843/0.885/0.946 ms
APxxxx.xxxx.xxxx#

 

schulcz
Level 1

I found the error.

The "wireless management interface Vlan 1" command was missing.

I am happy that this worked for you. But I am still wondering why you configured Vlan1 as the WMI.

"wireless management interface Vlan 1"

It has to be vlan100 as per our previous inputs. If you are using the native VLAN on the WLC-to-switch connecting ports, please remove it and amend the WMI interface in your configuration, as this is not recommended.

Typo, "wireless management interface vlan 100" is the correct command, which is what I used.
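As an added example (not code from this thread or from Cisco), the script below turns the root cause found above into a check that can be run over `show wireless interface summary` output before anyone starts chasing DHCP or routing: the summary quoted earlier in the thread shows a Management row with an empty interface name, VLAN ID 0 and a MAC of 0000.0000.0000, which is what the WMI looks like while the `wireless management interface vlan 100` command is missing. The first sample below is that output copied from the thread; the second, "bound" sample is constructed, with an assumed MAC, to show the healthy shape after the command is applied. Column slicing follows the header offsets, which is what keeps the empty first column from shifting the fields.

```python
# Constructed input 1: the summary quoted in this thread, where the WMI has no SVI behind it
# (empty interface name, VLAN 0, all-zero MAC).
UNBOUND_WMI_OUTPUT = """\
Wireless Interface Summary


Interface Name Interface Type VLAN ID IP Address     IP Netmask     NAT-IP Address   MAC Address
--------------------------------------------------------------------------------------------------
               Management     0       172.20.0.23    255.255.252.0                   0000.0000.0000
"""

# Constructed input 2: what the same WLC shows once `wireless management interface vlan 100`
# is present. The interface name follows the SVI; the MAC below is an assumed placeholder.
BOUND_WMI_OUTPUT = """\
Wireless Interface Summary


Interface Name Interface Type VLAN ID IP Address     IP Netmask     NAT-IP Address   MAC Address
--------------------------------------------------------------------------------------------------
Vlan100        Management     100     172.20.0.23    255.255.252.0                   00aa.bbcc.dd01
"""

COLUMNS = ["Interface Name", "Interface Type", "VLAN ID", "IP Address",
           "IP Netmask", "NAT-IP Address", "MAC Address"]


def parse_interface_summary(text):
    """Parse the fixed-width table into one dict per row, keyed by the header column names."""
    lines = text.splitlines()
    header_idx = next((i for i, l in enumerate(lines) if l.startswith("Interface Name")), None)
    if header_idx is None:
        raise ValueError("no 'Interface Name' header found in output")
    header = lines[header_idx]
    # Slice each data line at the offsets where the column titles start in the header,
    # so a blank leading column (no interface name) stays a blank field instead of shifting the rest.
    starts = [header.index(col) for col in COLUMNS]
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for line in lines[header_idx + 1:]:
        if not line.strip() or set(line.strip()) == {"-"}:
            continue  # skip blank lines and the dashed separator
        rows.append({col: line[a:b].strip() for col, (a, b) in zip(COLUMNS, bounds)})
    return rows


def check_wmi(text):
    """Return (ok, findings) for the Management (WMI) rows of a summary.

    A Management row with no interface name, VLAN ID 0 or an all-zero MAC means the WMI
    has an IP but is not bound to an SVI, so CAPWAP discovery requests reach the box
    and are never answered; that is the symptom the thread describes.
    """
    findings = []
    mgmt_rows = [r for r in parse_interface_summary(text) if r["Interface Type"] == "Management"]
    if not mgmt_rows:
        return False, ["no Management (WMI) entry present; configure 'wireless management interface vlan <id>'"]
    for row in mgmt_rows:
        problems = []
        if not row["Interface Name"]:
            problems.append("no interface name")
        if row["VLAN ID"] == "0":
            problems.append("VLAN ID 0")
        if row["MAC Address"] == "0000.0000.0000":
            problems.append("all-zero MAC")
        if not row["IP Address"] or row["IP Address"] == "unassigned":
            problems.append("no IP address")
        if problems:
            findings.append(
                f"WMI {row['IP Address'] or '(no IP)'} is not bound to an SVI ({', '.join(problems)}); "
                "check 'wireless management interface vlan <id>' and that the SVI exists and is up"
            )
    return not findings, findings


if __name__ == "__main__":
    for label, sample in (("unbound", UNBOUND_WMI_OUTPUT), ("bound", BOUND_WMI_OUTPUT)):
        ok, findings = check_wmi(sample)
        print(f"{label}: {'OK' if ok else 'PROBLEM'}")
        for f in findings:
            print("  -", f)
```

The check deliberately stops at the WMI binding: the thread shows that with this symptom the AP can ping the WMI address and still gets no discovery response, so reachability tests alone do not localise the fault, while the summary row does.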
