Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
196
Views
4
Helpful
4
Replies

cisco catalyst 9800 SSID configuration with different subnets

Ahmed Gamal
Level 1
Level 1

‎05-17-2025 09:53 AM

We have two datacenters, each hosting multiple Cisco Catalyst 9800 Wireless LAN Controllers deployed in both SSO (Stateful Switchover) and N+1 redundancy modes. These datacenters are connected to multiple IDF locations using Layer 3 routing between all the location . Each IDF has its own set of Wi-Fi subnets for different user groups (such as corporate users, guests, etc.).

AhmedGamal_0-1747500766953.jpeg

Is there any way to use different subnets for each SSID in wireless controller , please check the demo diagram 

0 Helpful
4 Replies 4

Saikat Nandy
Cisco Employee
Cisco Employee

‎05-17-2025 10:17 AM

If I have understood your requirement in a correct way then you would like to use same SSID in 2 different locations, each having their own subnet. If this is true, then yes it is possible. I would say keep the APs in flex mode... create different policy profiles and flex profiles with required vlan and map appropriate policy tag and site tag to the respective APs.

Ahmed Gamal
Level 1
Level 1

‎05-17-2025 11:03 AM

for flex connect access points we can i know what about the local access points there's any way 

0 Helpful

Saikat Nandy
Cisco Employee
Cisco Employee
In response to Ahmed Gamal

‎05-17-2025 06:35 PM

well probably a pretty broad question to answer just by looking at this diagram.. but if I think logically it might work..fact is that when AP is in local mode, all the client traffic will land to your controller interface..so you need L2 VLANs for sure.. since this is not straightforward, you can create SVIs for different VLANs in the controller and add the IP helper addresses.. create different policy profiles and separate Policy TAGs for respective location APs..and I hope your underlying routing will take care of the rest. Test this with one SSID first..

Rich R
VIP
VIP

‎05-18-2025 06:19 AM

You've stated you want to do this with APs in Local Mode - the crucial point here is that means the WLANs are Centrally Switched on the WLC.

Your diagram shows Corporate using the same VLAN 10 with different subnets 10.10.10.0/24 and 10.20.10.0/24 which is not possible when Central Switching (unless you started doing something really stupid like secondary addressing but I would say do not even consider that).  It is possible to have the same SSID (WLAN) using 2 different subnets but they will need to be in different VLANs.  Your can re-use the same WLAN for both sites but attach different policy profiles - one using VLAN 10 and the other using new Corporate VLAN (eg 15) for the other Corporate subnet.  Same applies to the Guest WLAN/SSID.

Showing essential config only (rest removed for clarity).
vlan 10
 name corp_vl10
vlan 15
 name corp_vl15
vlan 20
 name guest_vl20
vlan 25
 name guest_vl25
!
wireless profile policy Corporate-vlan10
 vlan corp_vl10
wireless profile policy Corporate-vlan15
 vlan corp_vl15
wireless profile policy Guest-vlan20
 vlan guest_vl20
wireless profile policy Guest-vlan25
 vlan guest_vl25
!
wireless tag policy site1
 wlan Corporate policy Corporate-vlan10
 wlan Guest policy Guest-vlan20
wireless tag policy site2
 wlan Corporate policy Corporate-vlan15
 wlan Guest policy Guest-vlan25

Remember your WLC trunk port and corresponding switch port will need to allow all 4 of those VLANs and they'll obviously need to be defined on the switch too.  And of course the router/switch which provides the default gateway and DHCP relay for those VLANs will need to have them enabled too.

Not sure why @Saikat Nandy recommended using SVIs on the WLC!
WLC SVI is not recommended on 9800 (requires extra security config and routing controls) and is not best practice.  Refer to the Best Practices guide link below for the specific cases where SVI on WLC is actually needed.  It's recommended that in most cases your WLC VLANs should be layer 2 only and the layer 3 routing handled externally.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card