
Cisco AP2802 with Mobility Express has no internet on native VLAN

JonathanIliev
Level 1

I've recently migrated to Mobility Express and I've had some issues with the VLANs. In a nutshell, I have a pfSense router that has a couple of VLANs for different services. The two main ones are VLAN 10 for private devices and management and VLAN 20 for guest devices. The pfSense box is connected to an HP 1810 managed switch. The Ethernet port that is connected to the pfSense box is tagged on all VLANs. Until now I've used a Cisco CAP3502I with an autonomous image, and the config was the following: the port connected to the AP was untagged on VLAN 10 and tagged on all other VLANs. In the AP settings, VLAN 10 was set up as the native VLAN and I had multiple SSIDs linked to the different VLANs. And this still works.

But now I've done the same thing with Mobility Express, and clients connected to the SSID on VLAN 20 work without any problems. But clients connected to the SSID on VLAN 10 do get an IP address (I can see the DHCP lease in pfSense), but they all say connected without internet, and the only thing they can access is the Mobility Express management page. I've checked the pfSense firewall logs and I can't see anything that could be blocking this traffic. I've tried playing with the settings but no luck. Some screenshots of the config are attached.

vlan20.png

vlan10.png

I've tried switching Use VLAN tagging, but the only thing that changes is that whenever I turn off Use VLAN tagging, the Native VLAN jumps back to 1. In both cases the clients do get an IP address from VLAN 10, but they can't access anything else but the controller itself.

Any help will be greatly appreciated as I'm new to Mobility Express.

Accepted Solutions

@JonathanIliev 

I believe the problem arises from the fact that an autonomous AP does not have the same concept of management as newer solutions like Mobility Express and Embedded EWC.

For an AP in autonomous mode, the only requirement is that one VLAN on the interface is configured as native for DHCP.

But it has changed on those newer solutions, and now the native VLAN is for AP management only, and that's why you can get to the AP portal but not to the internet. Basically you are accessing the management interface.

I believe you need to consider using a third VLAN in this case.

 

Cisco Mobility Express Configuration and User Guide, Cisco Wireless Release 8.3 - Getting Started [Cisco Mobility Express for Aironet Access Points] - Cisco

 

Configuring the Switch Port

Connect the access points to the switch and power them up. Ensure the following while configuring the switch port:

  • All access points, including the primary AP, in a Mobility Express network should be in the same L2 broadcast domain. Management traffic must not be tagged.

  • The switch port to which the primary AP is connected can be a trunk port or an access port and must be configured to trunk Native VLAN for management traffic. Data traffic must be trunked with appropriate VLANs for local switching as well.

    The following is a sample switch port configuration.
    Interface GigabitEthernet1/0/37
    description » Connected to Master AP « 
    switchport trunk native vlan 122 
    switchport trunk allowed vlan 10,20,122
    switchport mode trunk

@Flavio Miranda thank you a lot for the suggestion. I'll try this and I'll keep you updated on the progress.

How do you do routing here? Do you have an L3SW or a router?

MHM

@MHM Cisco World It's a router. A mini PC running pfSense CE.

Does this router have an interface in the VLAN 10 and VLAN 20 subnets?

Is this router NATing these subnets to a public IP?

It is not an issue of Wi-Fi; it is an issue of reachability.

MHM

JonathanIliev
Level 1

Both VLAN 10 and VLAN 20 are properly configured on the router side. Both VLANs have clients connected over Ethernet and have no problems connecting to the internet and other locally hosted services. I went with @Flavio Miranda's solution and created a separate management VLAN and I made it the Native VLAN in ME and that solved the problem. Once again I want to thank everyone for the help.
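
The layout rule from the accepted answer, written as a check (an added example, not part of the thread or of Cisco's documentation): it parses an IOS-style trunk stanza and flags any WLAN mapped to the native VLAN, which the answer describes as management-only. The function names, SSID names and the `BEFORE` stanza are constructed for illustration; `AFTER` is the sample from the Cisco guide quoted above.

```python
import re

def parse_trunk(config):
    """Pull the native and allowed VLANs out of an IOS-style trunk stanza."""
    native, allowed = 1, set()  # IOS default: native VLAN 1; empty set = no allowed list
    for raw in config.splitlines():
        line = raw.strip().lower()
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line)
        if m:
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")
                allowed.update(range(int(lo), int(hi or lo) + 1))
    return {"native": native, "allowed": allowed}

def check_wlans(trunk, wlans):
    """Return findings for WLAN-to-VLAN mappings that conflict with the trunk."""
    findings = []
    for ssid, vlan in sorted(wlans.items()):
        if vlan == trunk["native"]:
            # Per the accepted answer: the native VLAN carries AP management only.
            findings.append(f"{ssid}: VLAN {vlan} is the native (management) VLAN")
        elif trunk["allowed"] and vlan not in trunk["allowed"]:
            findings.append(f"{ssid}: VLAN {vlan} is not allowed on the trunk")
    return findings

# Constructed IOS-style rendering of the poster's original layout (native = VLAN 10).
BEFORE = """
interface GigabitEthernet1/0/37
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20
 switchport mode trunk
"""
# Sample from the Cisco guide quoted in the accepted answer (native = VLAN 122).
AFTER = """
interface GigabitEthernet1/0/37
 switchport trunk native vlan 122
 switchport trunk allowed vlan 10,20,122
 switchport mode trunk
"""
WLANS = {"Private": 10, "Guest": 20}  # constructed SSID names for the two WLANs

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, check_wlans(parse_trunk(cfg), WLANS) or "ok")
```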
