10-03-2021 11:58 PM
Hi wireless professionals,
Quick question regarding SVIs (interface vlan <VLAN-ID>) on the Catalyst 9800 WLC (non-SDA).
So normally an SVI is not needed, unless DHCP relay or mDNS gateway functionality is required on the WLC.
If, for whatever reason, an SVI is created, I wonder how this SVI should be secured and how the platform actually works.
The WLC has "ip routing" enabled and has a static default route towards the gateway in the management VLAN. Local SVI interfaces are displayed as locally connected in the routing table. However, the SVI interfaces are not pingable from outside their own network. I wonder why; is there some kind of black magic involved?
I wonder whether there is some kind of best practice regarding SVIs in the wireless client VLANs, like infrastructure ACLs. Or are the interfaces "somehow" protected by default?
10-04-2021 07:36 AM
This is what TAC said:
"This is happening because the 9800 is based on the ASR architecture, and routers only apply ACLs attached to an SVI when a packet is routed between interfaces. Since the WLC is not doing any form of routing, those ACLs are transparent for WLAN traffic and have no effect. Hence,
• Use ACL under policy profile for client policy enforcement
• Use ACL under SVI if you want to limit MGMT traffic to the box.
I must admit that the documentation on that subject is very poor, and the existing doc lists features that are not applicable to the platform:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/ipv4-acls.html#concept_6CF08D950DFD417F89E13193DBD943C4
I have opened internal documentation bug - CSCvx94311 to track this issue and get documentation updated with relevant information."
That bug is hidden, so I'm not sure about its status, but it doesn't look like they've updated the docs yet, even on 17.6.1.
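To make the two placements TAC describes concrete, here is an added IOS-XE configuration example; it is not from the thread, from TAC, or from Cisco's documentation. The ACL names (CLIENT_ACL, MGMT_ACL), the policy profile name (CORP-POLICY), the VLAN IDs and the subnets (10.0.0.0/24 as the infrastructure/management network, 192.168.20.0/24 as the client VLAN) are all assumed values.

```ios
! Added example, not from the original thread. All names, VLAN IDs and
! subnets below are assumptions; adjust them to your deployment.

! 1. Client policy enforcement: the ACL goes under the wireless policy
!    profile, because that is where the WLC evaluates client traffic.
ip access-list extended CLIENT_ACL
 remark Keep wireless clients away from the infrastructure VLAN
 deny   ip any 10.0.0.0 0.0.0.255
 permit ip any any

wireless profile policy CORP-POLICY
 shutdown
 vlan 20
 ipv4 acl CLIENT_ACL
 no shutdown

! 2. Traffic to the box itself: the ACL goes on the SVI. Per the TAC
!    statement above it only sees packets the WLC terminates (ping, SSH,
!    DHCP relay, mDNS), not client traffic passing through the WLAN.
!    DHCP relay and mDNS gateway are the usual reasons the SVI exists,
!    so permit them explicitly before the final deny.
ip access-list extended MGMT_ACL
 remark DHCP relay: client DISCOVER/REQUEST arrives at the SVI as bootpc->bootps
 permit udp any eq bootpc any eq bootps
 remark mDNS gateway (assumed to be in use on this VLAN)
 permit udp any any eq 5353
 remark Only the management subnet may reach the SVI address
 permit ip 10.0.0.0 0.0.0.255 any
 deny   ip any any

interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group MGMT_ACL in

! Verification (read-only show commands):
!   show wireless profile policy detailed CORP-POLICY   -> lists the ipv4 acl
!   show ip interface Vlan20                             -> "Inbound access list is MGMT_ACL"
!   show ip access-lists                                 -> hit counters per ACE
```

Keep the two ACLs separate on purpose: CLIENT_ACL expresses what clients may reach and is enforced per policy profile, while MGMT_ACL is an infrastructure ACL for the SVI address and has no effect on client flows. Because the SVI ACL ends in an explicit deny, test DHCP and mDNS from a client in the lab after applying it, as the thread itself recommends, before rolling it out.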
10-04-2021 04:52 AM
I was having the same doubts and approached our local Cisco TCE. The response was very simple: "Do not consider your 9800 as a router".
Please update here if you find any information on this. Meanwhile, I will test this out in my lab and provide my input as well.
10-04-2021 06:33 AM - edited 10-04-2021 06:39 AM
There is NO security by default, you MUST secure it using ACLs.
If they are not pingable, then that is likely just because you don't have the right routing in place, or maybe you're trying to ping through the mgmt interface in a separate VRF, e.g. GigabitEthernet0, which is in the Mgmt-intf VRF by default.
The traffic follows the routing table.
Yes, you should not consider it a router, but it is built on IOS-XE and the base routing is the same as on any other device running IOS-XE.
PS: apply the ACL to the wireless profile policy (ipv4 acl), not the SVI interface.
10-04-2021 06:47 AM
Thanks for the response,
I'm thinking the same way ("it is built on IOS-XE and the base routing is the same as on any other device running IOS-XE").
However, my routing is correct. Of course it will be asymmetric, because the path towards the WLC leads to the WLC client SVI IPv4 address.
Once the traffic reaches the WLC, it follows the WLC default route (which typically points out the wireless management interface).
But one additional question:
"PS: apply the ACL to the wireless profile policy (ipv4 acl), not the SVI interface."
Question: Why?
10-04-2021 07:27 AM
We tried it on the SVI; it didn't work (I can't remember exactly what).
TAC confirmed that's by design: it must go on the wireless policy profile to work correctly, not the SVI.
That's one of the differences in the WLC.