Solved: Flex WLC client with same IP address

ANKUSH_SINGLA · ‎03-21-2025

Hi Team,

we have a setup for flex wlc with Guest WiFi services via C9800-CL Controller . we have meraki locally on each site which is acting as DHCP server.

Scenario - i have two sites using same DHCP scope , tomorrow there is possibility that clients from both sites takes same IP , will WLC allow to have two clients with same IP , as our ISE server Authenticate users with MAC address.

Rich R · ‎03-21-2025

Yes it will work but like @Mark Elsen said you must use recent code (it wasn't possible in older 9800 code) - see TAC recommended link below.

You must also configure "ip overlap" on the flex profile otherwise the WLC will report "IP theft" and exclude the clients. Your sites must also have unique site tags.
wireless profile flex <flex-profile-name>
ip overlap

See https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#FlexConnectsitetag

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

Mark Elsen · ‎03-21-2025

- I think in more recent versions , this is no longer a problem , but you should use 17.9.x or above (not older).
Also always validate the C9800-CL Controller's configuration with the CLI command :
show tech wireless and feed the output from that into Wireless Config Analyzer
Please note : do not use show tech-support for this procedure (use the full command as shown in green)
The use of this procedure should be considered mandatory!

P.s: I now moved this post to
https://community.cisco.com/t5/wireless/bd-p/discussions-wireless

M.

-- Let everything happen to you
   Beauty and terror
      Just keep going
     No feeling is final
Reiner Maria Rilke (1899)

Scott Fella · ‎03-21-2025

I will add my thoughts to this. I don't think this would be a good idea because it can cause more issue later on especially if your are routing that vlan. If you have local egress for guest in each site it might work, but then again, the single controller might be alerting on duplicate mac. The main issue is that the Meraki, I'm assuming your MX, does not know of the other MX handing out, so just make sure that is not routing internally. I don't see why you would not just use the same vlan id, but create a different dhcp scope. That would simplify everything and you would know what subnet belongs to what site, especially for troubleshooting.

-Scott
*** Please rate helpful posts ***

Rich R · ‎03-21-2025

Yes it will work but like @Mark Elsen said you must use recent code (it wasn't possible in older 9800 code) - see TAC recommended link below.

You must also configure "ip overlap" on the flex profile otherwise the WLC will report "IP theft" and exclude the clients. Your sites must also have unique site tags.
wireless profile flex <flex-profile-name>
ip overlap

See https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#FlexConnectsitetag

------------------------------
Please click Helpful if this post helped you and Accept as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390