Client's not getting IP 9120 EWC on 1 installation but do on the other
02-01-2024 12:56 AM
Hi All,
I'm searching for some clarification on an issue that seems to be fixed, but it's not clear why it's fixed.
The original problem was that my WiFi clients were not receiving an IP address and couldn't reach the DHCP server.
The network is built with a total of 24 APs, of which 2 are EWC and the rest are set up as CAPWAP. There are 5 SSIDs and the problem was across all SSIDs. The EWC APs were connected to a trunk port and the CAPWAP APs to an access port allowing the management VLAN 20 which we set up for the WiFi.
In the end it turned out that I had to add the different VLANs to the flex profile and make all the switchports a trunk to allow the VLANs for the different SSID's. The DHCP server runs on a 3rd party device.
What the really strange thing is and what I don't understand and the Cisco support engineer couldn't answer:
The config for this project was 99% copied from a different project that has been operational for some months already without issues. This is a network with approx. 70 APs and 3 EWCs. Only the EWCs are on trunk ports and the rest are access ports. The VLANs are not in the flex profile and ARP Proxy is enabled. The big difference is that the DHCP server for this network is running on the Cisco core (C9300L) switch.
The Cisco support engineer tried to explain to me why all the ports had to be trunk, but the connection was not great so I'm not sure that I understood correctly. He said: basically all APs act as a separate switching device. So I try to connect on an SSID for VLAN 50. The DHCP request gets tagged for VLAN 50 and tries to go to the DHCP server. The switchport discards the traffic because the port is configured as access VLAN 20. This sounds pretty logical. But what isn't logical for me is why this issue does not occur in the other installation. Clients are also connecting there on VLANs that are not configured on the port. I could understand (assumption) that the DHCP traffic is sent out through ARP proxy, for instance. But when a client has received its IP it's going to communicate on its own VLAN. Why is this traffic not being blocked by the port? Is all this traffic going to the EWC first to be tagged there and go to the rest of the network?
As said, I really don't have a clue why it works on the one project and not on the other, since the only difference is the DHCP server being Cisco or 3rd party.
Thanks for any assistance provided. I'm grateful if we can clarify this issue because we have more projects like this coming up and I want to be sure we don't face the same issues again.
Tim,
Labels: Embedded Wireless Controller
02-01-2024 01:18 AM - edited 02-01-2024 01:19 AM
To get a clear picture: are all access points configured in FlexConnect mode? If yes, then you need the switchport where the AP connects to be a trunk port on which you allow the VLANs from the Flex profile.
Understand FlexConnect on Catalyst 9800 Wireless Controller - Cisco
02-01-2024 01:38 AM
Hey,
The APs are in CAPWAP or EWC. See below a partial screenshot.
02-01-2024 01:47 AM
Each VLAN must have an interface in the SW you connect the EWC to. Did you config that?
MHM
02-01-2024 04:06 AM
Yes, like I said in the long story: the EWCs were connected to a trunk port but the CAPWAP APs to an access port.
02-01-2024 09:25 AM
It's simple really <smile> EWC on AP only supports Flexconnect Local Switching, not Central Switching. So if you're using anything other than the default/native/AP management VLAN (which you could do) then the APs must have direct connection to those VLANs on the AP trunk port because traffic will always be tagged and dropped onto the VLAN locally by the AP.
With a proper WLC you can do Central Switching where everything is tunnelled to the WLC over the CAPWAP tunnel and then switched on the WLC but that is not supported at all on EWC. In fact the EWC itself doesn't even support VLANs. The trunk port (with VLANs) on the EWC is only used by the AP part of the EWC. The IOS-XE controller part only uses the native VLAN on G0.
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
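To make Rich's point concrete, here is an added example switchport configuration for one CAPWAP AP doing FlexConnect local switching. It is not from any post in this thread: the interface name and AP description are assumed, VLAN 20 (AP management) and VLAN 50 (a client SSID) are the values Tim describes. The first block is the access-port setup that drops the VLAN 50 frames; the second is the trunk that lets them through.

```cisco
! Constructed example (not from the thread): switchport for a FlexConnect AP
! whose WLAN for VLAN 50 is locally switched. VLAN 20 = AP management VLAN.
!
! --- Before: access port on VLAN 20. The AP tags client frames with
!     VLAN 50; an access port only carries its one untagged VLAN, so the
!     tagged DHCP Discover is discarded and never reaches the DHCP server.
interface GigabitEthernet1/0/1
 description AP-01 (CAPWAP, FlexConnect local switching) - assumed name
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast

! --- After: trunk port. Native (untagged) VLAN 20 carries the AP's own
!     management and CAPWAP traffic; tagged VLAN 50 (and any other locally
!     switched SSID VLAN) is explicitly allowed so the AP can drop client
!     traffic onto it. Keep the allowed list limited to the VLANs the
!     flex profile actually maps, so the port does not carry more than it needs.
interface GigabitEthernet1/0/1
 description AP-01 (CAPWAP, FlexConnect local switching) - assumed name
 switchport mode trunk
 switchport trunk native vlan 20
 switchport trunk allowed vlan 20,50
 spanning-tree portfast trunk

! Checks after the change:
!   show interfaces GigabitEthernet1/0/1 switchport   -> Operational Mode: trunk, native VLAN 20
!   show interfaces GigabitEthernet1/0/1 trunk        -> 20,50 listed as allowed AND active
```

If VLAN 50 shows as allowed but not active in `show interfaces trunk`, the VLAN does not exist on that switch, which is the point MHM raises above: every locally switched VLAN has to be defined (and routed somewhere) on the wired side, or the trunk change alone will not help.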
02-01-2024 10:43 PM
Thanks Rich for your explanation.
I fully understand what you mean. However, can you think of a reason why it does work on another project with 2 EWCs and 70 normal APs?
All the ports of the normal APs are set up as access ports on VLAN 20 and only the EWC has the rest of the VLANs on the trunk. The APs host at least 5 different SSIDs in different VLANs.
That's the main part I don't understand. Why does the setup work on 2 projects already delivered and not on this new one we are working on, where the only difference that I can find is the DHCP running on the Cisco core vs. running on a 3rd party device?
02-02-2024 12:39 AM
It shouldn't work, so I don't know ...
I would have a closer look to see whether it is actually using all those VLANs or not.
Maybe it's all just running on VLAN 20?
Or maybe everyone using the other VLANs is connected to the EWC with trunk port?
