ISR 1111 Mobility Express vlan tagging with multiple SSID

srauen · ‎07-21-2021

I had an issue with configuring my router with built-in mobility express AP. Here was my specific situation:

C1111-4PWB

Cisco IOS XE Software, Version 16.09.05
Cisco IOS Software [Fuji], ISR Software (ARMV8EB_LINUX_IOSD-UNIVERSALK9_IAS-M), Version 16.9.5, RELEASE SOFTWARE (fc1)

Mobility Express Controller version 8.8.111.0

I did the basic configuration on the router - IP addresses, Vlan SVI's (1 Data, 2 Wireless Data, 3 Wireless Guest), DHCP scopes. From a wired perspective, all was well. I could configure any of the switchports for a specific vlan, and I would receive an address via DHCP correctly and I was able to ping any interface on the router. To me, this meant that I had the basics correct. I configured all switchports, as well as Wlan-GigabitEthernet0/1/4, to be a trunk with native vlan 1. Great start.

Now I moved on to configure the mobility express controller. I tried both methods - CLI and using the AirProvision SSID (with resetting to factory defaults in between) but both times I ended up in the same situation. I would configure my SSID's, set the vlan number as appropriate for the ssid, PSK, etc. When I went to connect to those SSID's, I would always end up getting a dhcp IP address from vlan 1, even though both SSID's were set for a non-vlan 1. I tried all sorts of things - DHCP on the mobility express controller, combinations of native/tagged vlan settings on the wlan profile, but nothing proved to correct the issue. At the best, I would end up in a situation were one of the WLANs would get me the correct ip/vlan via DHCP, but the other WLAN would always send me to vlan 1.

In another forum, I saw someone suggest checking that FlexConnect was enabled via cli, and to check for a specific spot in the command:

(Cisco Controller) >show ap summary

--------------- ------- --------------
*AP687D.xxxx.xxxx 2 ISR-AP1100AC-B xxxxxxxx default location US 192.168.200.102 1 [0 ,0 ,0 ]

(Cisco Controller) >show ap config general AP687D.xxxx.xxxx

---- output omitted ----

FlexConnect Vlan mode :.......................... Enabled
Native ID :..................................... 3

WLAN 1 :........................................ 3 (Wlan-Specific)
WLAN 2 :........................................ 2 (Group-Specific)

That alone didn't answer my issue as FlexConnect was in fact enabled, but it did get me wondering... What's the deal with Native ID? Coincidentally, the WLAN that matched the native ID was also the WLAN that would send me to vlan 1 even though it was not configured to do so.

I then did the following:

I deleted WLAN with the ID of 1 (the first wlan you created)

I configured a new dummy vlan, admin disabled, bogus password, and set it for native vlan 5, enabled tagging for vlan 5. saved. Vlan 5 for me is a bogus vlan that doesn't actually exist.

I re-configured the WLAN that I had deleted, and how it had an WLAN ID other than 1. (both of my non-dummy WLANs had native vlan defined and tagging enabled for that vlan)

I created an AP group, added all 3 WLANs and my AP, saved/applied config.

Back on the controller CLI, I ran that command again and looked for the specific part of the output:

FlexConnect Vlan mode :.......................... Enabled
Native ID :..................................... 5

WLAN 2 :........................................ 2 (Group-Specific)
WLAN 3 :........................................ 3 (Group-Specific)

The Native ID did not match/overlap either of my active WLANs. I tested it out and surprise! Everything worked as expected. I got the correct vlan/ip/dhcp from the router as I was supposed to.

Not sure if what I did was the correct way to make this work. Perhaps I was doing something wrong in the first place which caused me to have issues from the beginning. If anyone else is experiencing the same problem, I hope this helps.