Solved: 9800WLC vlan based central switching issue

00uocpdgddPszkvs85d6 · ‎02-27-2024

We are facing an issue that vlan based central switching is not working on 9800 (Version: 17.9.3).

we have configured "flex vlan-central-switching" on the policy profile. Make sure the vlan ID is not in the flex profile vlan list. Radius has configured with the right vlan ID in the authorisation profile.

What we observed is WLC receives DHCP discovery from the client in capwap packets sent by flexconnect AP. However, WLC fails to pass on the DHCP discovery to upstream Layer 3 device for the centrally switched vlan, where ip helper address is configured. The client stays in IP Learn state.

{wncd_x_R0-0}{1}: [sisf-packet] [22116]: (info): RX: DHCPv4 from interface capwap_90000081 on vlan xxx Src MAC: xxxx.xxxx.xxxx Dst MAC: ffff.ffff.ffff src_ip: 0.0.0.0, dst_ip: 255.255.255.255, BOOTPREQUEST, SISF_DHCPDISCOVER, giaddr: 0.0.0.0, yiaddr: 0.0.0.0, CMAC: xxxx.xxxx.xxxx

In contrast, with centrally switching SSID configured with the same vlan. DHCP discovery packets are passed on by WLC to the upstream Layer 3 device on the right vlan and the subsequent DHCP offer, DHCP request and DHCP ACK flow as per normal and working fine.

So, the vlan configuration on WLC and upstream layer 3 device seems fine.

Could anyone shed any light on what could cause the WLC not passing on DHCP discovery packets; or point to us what we might have missed in terms of configuration required for vlan based central switching to work?

Thanks,

Skjoedt · ‎09-16-2025

Hello

I have now "completed" a Cisco TAC case on the issue and there is a "bug" on the issue, but unfortunately it is a "documentation bug", meaning that it is working as designed, this is the behavior in 9800.

Quote from the bug:
"Conditions: You need to have multiple conditions to hit this defect :
1 - Have one SSID linked to a policy profile with VLAN-based central switching enabled on a policy tag
2 - Add a second SSID to this policy tag, linked to a policy profile where a "central" VLAN is used (= a VLAN not present in the flex profile).

When this second SSID is added, the first SSID will not behave correctly and all clients will be locally switched, instead of being switched based on the VLAN.

Workaround:
- Remove the policy profile causing the issue from the policy tag (create a different policy tag , or
- Avoid using a central VLAN (= not defined on the flex profile) on the second policy profile."

View solution in original post

MyHomeNWLab · ‎09-17-2025

Thank you for the information!
I've found the relevant issue — it's CSCwm40007.

CSCwm40007: VLAN based central switching breaks when PP with central VLAN is pushed to policy tag
https://bst.cisco.com/bugsearch/bug/CSCwm40007

View solution in original post

Mark Elsen · ‎02-27-2024

>.... what we might have missed in terms of configuration required for vlan based central switching to work?
- Start with a checkup of the 9800 WLC configuration using the CLI command show tech wireless and feed that output into :
Wireless Config Analyzer

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

00uocpdgddPszkvs85d6 · ‎02-27-2024

Thanks for the reply!
Have checked config with the analyzer tool, and nothing stands out as configuration errors specially related to the SSID and policy profile and flex profile.

Thanks

Mark Elsen · ‎02-28-2024

- Note however that any errors red flagged by WirelessAnalyzer should be corrected first ; further fully debug the particular client(s) using : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
Client debugs (so called RadioActive Traces) ; can be high level analyzed with : Wireless Debug Analyzer

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Rich R · ‎02-28-2024

Why are you using "flex vlan-central-switching"? If you want the SSID centrally switched then why not make it centrally switched?

Have you checked the restrictions for use of the "VLAN-based Central Switching for FlexConnect" feature?
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-9/config-guide/b_wl_17_9_cg/m_vewlc_flex_connect.html#vlan-central-switching

Update to TAC recommended software version as per the link below to eliminate known, fixed bugs.

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

00uocpdgddPszkvs85d6 · ‎02-29-2024

the restrictions are checked and they are not applied to us.

BTW, we have used the exact same feature on Aire8540 and working fine.

Rich R · ‎03-01-2024

Never assume AireOS and IOS-XE will work the same way.
DHCP, in particular, is one of the features that has major changes. AireOS used DHCP proxy while IOS-XE uses standards based DHCP relay and follows the WLC routing table to DHCP server.

You did not answer my questions so I'll ask again:
Why are you using "flex vlan-central-switching"?
If you want the SSID centrally switched then why not make it centrally switched?

It's entirely possible that you've found a bug in that particular feature (which I've never heard of anyone using before - I had to read up what it does) which is why I asked the question about why you're using that feature. If you're making the config more complicated than it needs to be by using a feature you don't need then the answer may be to simplify the config and don't use that feature.

Also see:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwf13740
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwh43715

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Skjoedt · ‎06-27-2025

Did you find a fix for the issue?
- It seems that i am running into the same issue at a customer running ver. 17.15.3 because of the new CW9800M minimum software requirement.

My customer wants to flexconnect local switch EAP-TLS clients and Central switch PEAP clients to a guest VLAN.

Skjoedt · ‎09-16-2025

Hello

I have now "completed" a Cisco TAC case on the issue and there is a "bug" on the issue, but unfortunately it is a "documentation bug", meaning that it is working as designed, this is the behavior in 9800.

Quote from the bug:
"Conditions: You need to have multiple conditions to hit this defect :
1 - Have one SSID linked to a policy profile with VLAN-based central switching enabled on a policy tag
2 - Add a second SSID to this policy tag, linked to a policy profile where a "central" VLAN is used (= a VLAN not present in the flex profile).

When this second SSID is added, the first SSID will not behave correctly and all clients will be locally switched, instead of being switched based on the VLAN.

Workaround:
- Remove the policy profile causing the issue from the policy tag (create a different policy tag , or
- Avoid using a central VLAN (= not defined on the flex profile) on the second policy profile."

MyHomeNWLab · ‎09-17-2025

Thank you for the information!
I've found the relevant issue — it's CSCwm40007.

CSCwm40007: VLAN based central switching breaks when PP with central VLAN is pushed to policy tag
https://bst.cisco.com/bugsearch/bug/CSCwm40007