EWC VLAN and DHCP

aPauld · ‎10-11-2022

Hello! I hope someone can assist this newbie. We have small test Wifi setup using new 9115’s with 3 Vlans. Vlan6, Vlan2 and vlan250.
A 9115AP is placed in vlan6 and is the active controller (EWC). A 9115 is in Vlan2, (capwap mode).
No AP’s in Vlan250.
Vlans are managed by central switch (CAT 3750) which is also acting as DHCP server.
The switch is configured as follows, with respect to DHCP and Vlans configs.
.............
Ip routing
ip dhcp pool office
network 10.3.6.0 255.255.254.0 <<<<AP EWC in vlan6
domain-name xxx
default-router 10.3.6.1
dns-server 10.3.6.97
option 43 hex f1080a030604
ip dhcp pool engineering
network 10.3.2.0 255.255.254.0 <<<<Second AP CAPWAP in vlan2
domain-name xxx
default-router 10.3.2.1
dns-server 10.3.6.97
option 43 hex f1080a030604
ip dhcp pool TempEmployees
network 172.16.56.0 255.255.255.0 <<<<<<< No AP’s in Vlan
default-router 172.16.56.1
domain-name xxx.local
dns-server 8.8.8.8
…....
interface GigabitEthernet1/0/5
description "Wifi6"
switchport trunk native vlan 6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,6,250
switchport mode trunk
……
interface Vlan2
ip address 10.3.2.1 255.255.254.0
…….
interface Vlan6
ip address 10.3.6.1 255.255.254.0
……
interface Vlan250
ip address 172.16.56.2 255.255.255.0
………….
Each AP can obtain an IP address from DHCP with respect to its Vlan.
Two WLAN’s and respective policies have been created. Policy Profiles below. No security applied for testing purposes.
Wireless profile policy TEMPEMP
no central association
no central dhcp
no central switching
vlan 250
no shutdown
wireless profile policy StaffPolicy
no central association
no central dhcp
no central switching
vlan 6
no shutdown

wireless profile policy default-policy-profile
Flex-policy Native vlan is Vlan6.

WLAN 1, “Staff”, allows wireless clients to obtain an IP address from DHCP with respect to the AP’s vlan subnet. That is, clients connect to AP in Vlan6, clients receive an IP address from that vlan6 subnet. Likewise, for clients connecting to an AP in vlan2, receive an IP address from vlan2 subnet.
WLAN 2, “TEMPEMP”, and its respective policy is to receive an IP address from Vlan250 but fails.

According to basic set up documentation this should function.

I have tried enforcing DHCP required and adding the DHCP server address in the TEMEMP policy but to no avail. I ran a trace through the debug analyzer and observed the following:

Entering IP learn state
Not performing DHCP profiling as it is not enabled
Sending DHCP Discover to: 255.255.255.255 on vlan 250 through gateway 0.0.0.0

Wireshark shows Discover packets being generated by AP and wireless client but no offers from DHCP.
Any ideas on what most likely simple configuration I may be missing?

Arshad Safrulla · ‎10-13-2022

It is recommended that all the CAPWAP AP's registering to an EWC belongs to same broadcast domain. (VLAN) So I would start by fixing this problem first, I will bring all the APs to the same VLAN as EWC WMI interface in your case VLAN6. Do not allow clients to connect to this VLAN as this is the best practice.

Then I understand your issue is that clients are not getting IP addresses from VLAN250. You default flex profile must look like below;

wireless profile flex default
native-vlan-id 149
vlan-name TEMPEMP
vlan-id 250
vlan-name Staff
vlan-id 2

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

aPauld · ‎10-31-2022

Thank you for the help!

Based on your input I made significant changes to the Wifi setup. I ended up creating a vlan only for the AP's. By placing all AP's on a single dedicated vlan, I had to reconfigure all of the switches in the network. Our core switch, 3750 acts as the DHCP server as well as the router for intervlan switching. All of the satellite switches are connected to the 3750 by fiber and configured to a specific vlan for the department. Those connections were created using access mode and not trunk mode. By creating a new vlan for the AP's I have been reconfiguring all the switches to connect to the core switch in trunk mode to allow for multiple vlan access, thus allowing us to assign a vlan to the appropriate physical interface.

Since these changes, and ensuring flex profile properly set, I have been successful in getting all of the AP's to properly assign the vlan based on the clients WLAN of choice (as assigned in policy/wlan profiles in EWC)..all except for one AP. Out of the three satellite switches connected to the core switch two are Dell 6224 switches. No issues with the Dells and AP operation. The third switch is a Cisco 2960. The AP assigned to the vlan in this switch communicates properly to the EWC and is on the same vlan as the other AP's, but I cannot get DHCP to assign an IP to clients no matter the WLAN chosen. I can get an IP assigned to the client if I create a Policy to connect to the same vlan the AP's are on. Can you point me in the direction I need to look at solving this issue? Relevant config are below for the 3750 and 2960. Thank you!

FROM 3750 SWITCH

ip dhcp pool Planning Office
network 10.3.2.0 255.255.254.0
domain-name xxx.local
default-router 10.3.2.1
dns-server 10.3.6.97 10.3.6.98 10.3.6.99
option 43 hex f108.0a03.0804

ip dhcp pool AP VLAN
network 10.3.8.0 255.255.254.0
domain-name xxx.local
default-router 10.3.8.1
dns-server 10.3.6.97 10.3.6.98 10.3.6.99
option 43 hex f108.0a03.0804
...................
interface GigabitEthernet1/0/3
description Engineering Office <---------------9115AXI AP. No Issues operates as desired.
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport trunk allowed vlan 2,5,6,8,10,250
switchport mode trunk
.......................
interface GigabitEthernet1/0/17
description Front Office Training Area <---------------9115AXI AP. No Issues operates as desired.
switchport trunk encapsulation dot1q
switchport trunk native vlan 8
switchport trunk allowed vlan 2,5,6,8,10,250
switchport mode trunk
spanning-tree portfast
......................
interface GigabitEthernet1/1/1
description To 2960S Switch Planning Office <------------Fiber trunk to Cisco 2960. Trunk operating normally.
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 2,5,6,8,10,250
switchport mode trunk
spanning-tree portfast
......................................................
!
interface Vlan1
no ip address
!
interface Vlan2
ip address 10.3.2.1 255.255.254.0
....................................................
interface Vlan8
ip address 10.3.8.1 255.255.254.0

FROM 2960 SWITCH<--- NOTE: All Physical interfaces except Gi1/0/51 assigned on this switch is in access mode assigned vlan 2, no issues with clients (PC's, Printers, etc.), obtaining IP from dhcp.

.......................

interface GigabitEthernet1/0/7
description Planning Office AP <---------------9115AXI AP. Fails to provide IP to Client for any vlan. Will assign IP if Policy allows for native vlan.
switchport trunk native vlan 8
switchport trunk allowed vlan 2,5,6,8,10,250
switchport mode trunk
..................................................
interface GigabitEthernet1/0/51
description To 3750 Core Switch <------------Fiber trunk to Cisco 3750. Trunk operating normally.
switchport trunk allowed vlan 2,5,6,8,10,250
switchport mode trunk
spanning-tree portfast

interface Vlan1
no ip address
!
interface Vlan2
ip address 10.3.2.5 255.255.254.0 <-------For Switch management
!
interface Vlan5
no ip address
!
interface Vlan6
no ip address
!
interface Vlan8
no ip address
!
interface Vlan10
no ip address
!
interface Vlan250
no ip address
......................
ip default-gateway 10.3.2.1

................................

Arshad Safrulla · ‎10-31-2022

Hi,

I would start by removing "spanning-tree portfast" from all the trunk ports connecting between switches. Also I would remove any interface VLANs created in 2960 switches.

!
interface Vlan1

shutdown

!
no interface Vlan5
no interface Vlan6
no interface Vlan8
no interface Vlan10
no interface Vlan250
!

I would also make sure that no dhcp/arp inspection enabled in 2960 switches. Check whether there is any output for "sh run | i snoop". If there is prepend no to disable them. If you want more info read the dhcp/arp snooping configuration guide.

If you really want fast convergence for AP connecting trunk ports then I would add "spanning-tree portfast trunk"

___________________________________________
TAC recommended codes for AireOS WLC's
Best Practices for AireOS WLC's
TAC recommended codes for 9800 WLC's
Best Practices for 9800 WLC's
Cisco Wireless compatibility matrix
___________________________________________
Arshad Safrulla

aPauld · ‎10-31-2022

Hi,

Thank you for the quick reply! I did make the recommended changes by removing spanning-tree portfast from the trunks and removing the vlan interfaces. Confirmed DHCP/ARP inspections are not enabled and added spanning-tree portfast trunk to the interface the AP is on. (On the 2960) Still not getting IP from DHCP. I did run a PCAP on the 3750 trunk interface Gi1/1/1 to ensure that discover packets were making it across the trunk from the 2960 generated by the wifi client. However no offer packets were sent in return. I confirmed the DHCP server is not receiving the packets as Debug IP DHCP does not show any inbound request from the AP/client. I can only guess that the packet are being dropped by DHCP as it is malformed or not trusted? I do not have any snooping or trusted ports enabled on any switch. Any ideas? Thanks!

Rich R · ‎01-28-2023

Did you solve this @aPauld ?

So you were seeing the discover packets arrive on the 3750 (via trunk to 2960)?
But 3750 DHCP is ignoring the DHCP?

Unlikely that they're malformed but you'd see that in the pcap anyway.
You need to work out why they're getting dropped by the 3750 - options somewhat limited.
Look at IP and UDP drop reasons in "show ip traffic" and whether "sh ip dhcp server statistics" shows anything useful.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390