Re: C9800 Mac Adress Conflict with WlClient

florian.hanig1 · ‎10-20-2021

Hello,

I've a new installed C9800 Wifi Controller

GigabitEthernet1 is for Management and configured:

interface GigabitEthernet1
 no switchport
 ip address 10.2.99.250 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid

Gigabit Ethernet2 ist the Trunk with SVI's...

interface GigabitEthernet2
 switchport trunk native vlan 1
 switchport trunk allowed vlan 30,90
 switchport mode trunk
 negotiation auto
 no mop enabled
 no mop sysid

And here are the SVI's:

interface Vlan30
 description "multimedia"
 ip address 10.2.30.250 255.255.255.0
 no mop enabled
 no mop sysid

interface Vlan90
 description data
 ip address 10.2.9.250 255.255.255.0
 no mop enabled
 no mop sysid

VLAN 30 + VLAN 90 are deployed via Flexconnect Local Switching in 2 seperate SSID's...

As long as the interface "GigabitEthernet2" is switched on, there are some failures in the Log:

%IOSXE-4-PLATFORM: Chassis 1 R0/0: cpp_cp: QFP:0.0 Thread:001 TS:000000006xxxxxxxxxxxxxxx %SWPORT-4-MAC_CONFLICT: Dynamic mac 001E.xxxx.xxxx from GigabitEthernet2 conflict with SVI, please check the network topology and make sure there is no loop.

The mac-adresses, they conflict are mac-adresses from some wifi Clients in VLAN 30 and 90...

How to do this configuration ?

I need the SVI for MDNS Gateway on the C9800 Controller...

marce1000 · ‎10-20-2021

- FYI : https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt96686

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

florian.hanig1 · ‎10-21-2021

I've already seen this bug...

But I have only one Wifi Controller in my Network... !?

And I'm on sw release 17.3.3.

On BST 17.3.3 is a fixed release for this bug..

marce1000 · ‎10-21-2021

- Usually means that fragments of this bug are still applicable and or have not been completely resolved for your current wireless environment and or controller software version.

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

florian.hanig1 · ‎10-21-2021

I can not imagine this...

So my version is the suggested version and my deployment is not a special deployment... ?!

Arshad Safrulla · ‎10-21-2021

Can you remove the Native VLAN command under the physical interface and try?

Also I assume you are using a 9800-CL considering the port numbers in the logs shared, I recommend that you match the below in the port group config

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

florian.hanig1 · ‎10-22-2021

I can later try to remove the native vlan in the inferface, but I think that's not the solution.

If i shut down GigabitEthernet1 and only GigabitEthernet2 is up, the mac address conflict message doesn't go away...

Settings in VMWARE are exactly what you posted in Screenshot...

Arshad Safrulla · ‎10-22-2021

Best practices guide explicitly states that no native VLAN.

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#:~:text=Wireless%20management%20interface%20VLAN%20tag

Also you must not mix Layer 3 ports and Layer 2 ports in the WLC, it is not designed to work like a router even though it is running similar code to a router. My recommendations are as below

1. Remove interface IP from Gig1 and configure it as a trunk

2. Assign the gig1 IP range to to VLAN1 and allow only vlan 1 in the trunk port connecting to gig1.

2. Remove native VLAN

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Rich R · ‎10-22-2021

"VLAN 30 + VLAN 90 are deployed via Flexconnect Local Switching in 2 seperate SSID's..."

So they should NOT be configured at all on the WLC!

You simply enter the VLAN number instead of an interface name in the "VLAN/VLAN Group" field of the Wireless Policy Profile.

On CLI:

wireless profile policy <POLICYNAME>

...

vlan XXX

...

This is documented at: https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html

"Step 2. Go to the Access Policies tab and type the VLAN (You do not see it in the dropdown list because this VLAN does not exists on the 9800 WLC)."

but it's really not made clear in the main configuration guide unfortunately.

If you want to use SVIs on the WLC then that is central switching not local switching.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

florian.hanig1 · ‎10-22-2021

Okay I understand.

But then it's not possible to use MDNS Gateway, right ?

With Flexconnect Local Switching the only option is MDNS Bridging ?

Because MDNS Gateway need's the local SVI's... !?

Arshad Safrulla · ‎10-22-2021

As @Rich R highlighted you don't need SVI's in WLC for Flexconnect VLANs. What you are referring is valid only for Local mode AP's or Flex central switching.

In your case mdns gateway will be the L3 interface for that particular vlan (could be your core switch, firewall or router)

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

Scott Fella · ‎10-22-2021

Take a look at the guide for mDNS for FlexConnect on the 9800

Cisco mDNS Technical Guide for Cisco Catalyst 9800 Series Wireless Controllers

Once you figure that piece out, then you need to review what the others have mentioned and figure out how you will design your network. Seems like you might not understand how FlexConnect is used on the 9800's. Just try to understand the basics then assess what you have to change to get clients authenticated to the correct vlan and also mDNS working as expected.

-Scott
*** Please rate helpful posts ***

m.yildiz · ‎11-24-2021

Hi,

did you resolve the issue?

i have the same issue.

Gruss

Alex Pfeil · ‎02-21-2022

I shutdown VLAN 1 with similar configuration and I have not logged the issue since. I was not sure if that would be a solution. I will monitor it for the rest of the day and see.