Re: Flex Profile Maximal

hs08 · ‎06-02-2026

Hello,

My AP running using flex connect with WLC9800 and i will build dynamic vlan for this SSID. The vlan will be based on the department and i have more than 40 depts. The issue is when i create flex profile then i add vlan mapping then i got 'The maximum number of interfaces 16 have been added to the flex-profile.

How i can add more than 16?

Mark Elsen · ‎06-02-2026

_ @hs08 Why do you need to map more than 16 VLANs under Flex profile if there are only 16 possible SSIDs per AP? This is not only Cisco feature but most of the vendors.

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

hs08 · ‎06-02-2026

hi @Mark Elsen

I'm not going to create 16 SSID but only one SSID with dynamic vlan and the vlan belong to our department where i have more than 40 departements.

Mark Elsen · ‎06-02-2026

- @hs08 Ref : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html
>..... Note: A maximum of 16 locally switched VLANs can be mapped to a Flex profile.

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Rich R · ‎06-03-2026

16 VLANs is a hard limit - there is nothing you can do to increase that @hs08

However - you do not need to map VLANs in the flex profile unless you want to refer to them by name.

If you simply reference the VLANs by VLAN ID (number) then they will simply work - at least that is the case for static SSID configuration - I have not tested with dynamic VLAN assignment. Suggest you test it to confirm.

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

aleabrahao · ‎06-03-2026

@Rich R , things work a little differently on the C9800. Even if you dynamically assign the VLAN when working with FlexConnect, you need to have the VLAN mapped in the Flex Profile.

@Mark Elsen , it's not about the number of WLANs, but rather the number of VLANs he wants to apply dynamically to a specific user depending on the department.

@hs08 , the only thing I can think of is creating a Flex Profile for each department, but I think that will be a problem because you would have to create a specific Site Tag for each department as well, so I think it's impractical.

Are these departments physically in the same place? Because if they are in different locations, you can standardize the VLAN.

For example, the HR Department is at site A and the Finance Department at site B, so you could use the same VLAN Tag (10 for example) with a different subnet.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Rich R · ‎06-03-2026

@aleabrahao you say "things work a little differently on the C9800. Even if you dynamically assign the VLAN when working with FlexConnect, you need to have the VLAN mapped in the Flex Profile."

We've had the discussion about the need to map VLANs in flex profile before and the answer (in general) is that it categorically is not necessary (at least for statically assigned VLANs). But I have never tested it with dynamic VLAN assignment so that might be an exception to the rule.

Are you saying that you have personally tested it and that dynamic VLAN assignment definitely does not work if the VLAN is not defined in the flex profile?

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

aleabrahao · ‎06-03-2026

@Rich R I not only tested it personally, but I also have it applied to my environment, so I can say this with confidence. If you read the documentation on how to configure dynamic VLANs with Flexconnect, you'll see that there's a step where you map the VLAN to the Flex Profile.

This statement is true for AirOS controllers, but unfortunately, on the 9800 series, the controllers work differently.

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Rich R · ‎06-03-2026

Hmmm you didn't actually answer my question @aleabrahao - I understand that you have tested and use the positive use case (mapping configured) but have you tested the negative use case (without mapping configured). The fact that there is a step in the documentation does not make it necessary - the same applies to static - the documentation shows that step but it is not necessary (unless you need to use names). So again my question - very specifically: did you test without the flex profile mapping? And what was the outcome of that test?
Of course if you are using names instead of IDs then it will obviously be necessary so I guess the added question is whether that test used names or VLAN IDs?

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

aleabrahao · ‎06-03-2026

Yes, my friend, I tested it in both scenarios.

When you don't have the VLAN mapped, it's not that the VLAN isn't applied; the VLAN is applied correctly if you look at the user information. The issue is that without mapping it in Flex Profile, the AP doesn't understand this, and the IP assigned to the client is the default one configured for the SSID, not the one from the dynamically assigned VLAN.

I don't know if I was clear enough, but I tested it in both scenarios. 😉

I am not a Cisco employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.

Rich R · ‎06-03-2026

Ack 👍😁

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390