Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
837
Views
10
Helpful
3
Replies

Catalyst 9800 How to block WLAN APs from joining temporarily

Gehrig_W
Beginner
Beginner

‎02-06-2023 06:14 AM

Hello Cisco WLAN experts,

we are running a mix of 9800-, 5520- and Wism2-WLCs.

I would like to upgrade the 5520-WLCs and would like to avoid APs joining the 9800-WLCs and Wism2-WLCs during boot time.

On Wism2-platform, I can achieve this by deactivating the Dynamic AP Management in the management interface during the upgrade of the 5520-WLCs.

Who knows a similar CLI-or Gui-command to achieve the same on 9800-80-platform ?

Thank You in advance

Best regards

Wini

 

 

 

Labels:
0 Helpful
3 Replies 3

balaji.bandi
VIP
VIP

‎02-06-2023 09:40 AM

You can use ACL ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Scott Fella
Hall of Fame
Hall of Fame

‎02-06-2023 09:54 AM

You need to really be careful.  You should never of placed the 9800 or make that accessible to your existing wireless network.  This is all about proper planning so you don't ever run into issues.  Like what @balaji.bandi mentioned, you can use acl's, or make sure that the ap's have the controller and controller ip's on the high availability, which you should have anyways so that you know and the ap's know which controller will host which access points.  
As far as allowing what aps on what controller, AireOS has ap authorization list and so does the 9800's.  You can review that guide and decide which best works for you.
Catalyst 9800 Wireless Controllers AP Authorization List - Cisco

-Scott
*** Please rate helpful posts ***

Gehrig_W
Beginner
Beginner

‎02-07-2023 11:43 PM - edited ‎02-07-2023 11:46 PM

Hello Scott,

thank You very much for this valuable informaton guide to create an ACL to block WLAN APs from joining.

I configured the following single Pseudo-MAC to block all other WLAN-APs from joining the 9800-80-WLC during SW-Upgrade of our 5520-WLCs:

# config t

# aaa new-model

# aaa authorization credential-download AP-auth local

# ap auth-list authorize-mac

# ap auth-list method-list AP-auth

# username 123456789abc mac description Test

 

I did a test with a 3800-AP with 3 WLC-entries. The primary was the 9800-WLC.

The shown ACL blocks the WLAN-AP from joining the primary successfully.

Interesting to see, the WLAN AP does not try to connect to the secondary nor the tertiary WLC.

It tries endlessly to connect to the 9800-WLC, which blocks it again and again.

Also the WLCs learned in the past, to which the AP is sending discovery requests, are

not used in the join-desicion eventhough all of them are sending Discovery response answers.

That's a little strange, but will fit for us during the SW-upgrade.

The already joined WLAN-APs on the 9800 are still connected and not influenced negatively by this WLAN-AP-block-ACL.

 

Our DNS is pointing to one of the 5520-WLCs.

Also the Cisco-CAPWAP-controller-DNS-entry is pointing to the same 5520-WLC.

 

Let'S hope everything goes fine during the SW-upgrade of the 5520-WLcs.

Kind regards

Wini

 

 

 

 

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents