Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1066
Views
30
Helpful
6
Replies

Issue with links between APs and VLANs

Go to solution
Soxi
Level 1
Level 1

‎02-24-2023 08:06 AM

Hello everyone,

 

I am currently trying to install the new Cisco APs the company got that are C9105AXI-E.

I have my APs in a native VLAN (we can say VLAN1).

The wireless clients will be going through a 802.1x authentication process which will determine where they will be placed, depending on the result of the auth phase.

The APs are communicating with a RADIUS server the instant a wireless client is attaching to it.

- If the client passes the authentication, the AP directs it to the VLAN2 (with DHCP set up inside).
- If the client isn't recognized by the RADIUS, then the AP directs the client inside the VLAN3, a VLAN for the guest devices (with DHCP also set up inside).

My issue is that when we try to join the SSIDs, we manage to be connected to it but we don't get any IP addresses.

Do you guys have any idea where the issue could come from ? I know I stayed quite vague about my infrastructure but I'm ready to provide information when needed so you can help me on that.

We think that we missed the parameter that is able to tell to the APs where are the VLANs 2 and 3 so they can redirect the clients in them, so they get their IP adresses by DHCP.

 

Thanks in advance for your help !

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rich R
VIP
VIP
In response to Soxi

‎02-27-2023 02:56 AM - edited ‎02-27-2023 03:34 AM

If the "little switch" is not configurable then it almost certainly is really a hub and doesn't support VLANs so that will be your problem.  You need the APs connected to a real VLAN supporting switch.  Chances are all your dot1q traffic is just getting dropped by the hub because it doesn't recognise the VLAN headers.

And EWC only supports flexconnect local switching so that's the only type of WLAN you'll be able to configure.
"no local-site", "no central association", "no central dhcp", "no central switching" under the wireless policy profile.

You do still need to define the VLANs in the flexconnect profile otherwise the AP doesn't "know" they exist.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

View solution in original post

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Soxi

‎02-27-2023 07:41 AM

Switches connected to other switches don't inherently get configurations from the upstream switch.  So in the future if you need to add another wlan or vlan, you must make sure the switches have that vlan and the trunk ports also have that vlan.  At least you got it working.

-Scott
*** Please rate helpful posts ***

View solution in original post

6 Replies 6

Go to solution
Scott Fella
Hall of Fame
Hall of Fame

‎02-24-2023 09:08 AM

Is your design local or flexconnect?  if using FlexConnect, make sure that you have the ap on a trunk port and that the vlan you are trying to assign to the device, is defined on the switches along the path.  You can validate this by connecting your laptop to the switch the ap is connected to and configure ex. vlan 2 and vlan 3 to see if your laptop gets a dhcp address.

If your ap's are in local mode, then the traffic is passed to the controller, so the controller needs to also be connected to a trunk port that allows the vlans you need.  You can use the laptop method on the swithc the controller is on to validate vlan 2 and vlan 3 are working from a wired side.  If it isn't, then you know the issue is with the spanning of the vlan or dhcp.

-Scott
*** Please rate helpful posts ***

Go to solution
Rich R
VIP
VIP

‎02-25-2023 08:07 AM

What model of WLC are you using?
What version of software is that running?
What radius server are you using?
As Scott said - how is the WLAN configured on AP - local mode (or flex with central switching) or flex local switching?  Which then leads to making sure the central or AP ports have the correct VLANs allowed and connected.  If you're using flex local the VLANs will need to be defined in your flexconnect profile.
Have you done a debug on a client to see exactly what is happening? And use https://cway.cisco.com/wireless-debug-analyzer/ to process the result of that.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Go to solution
Soxi
Level 1
Level 1

‎02-27-2023 12:22 AM - edited ‎02-27-2023 12:23 AM

Thanks a lot for your answer.

I am using an eWLC that is supported by one of my APs and another one in standby.
Regarding the software version, they are all in IOS XE 17.06.04 and I have access to a 9800 GUI by http (if I understood well).

To be really precise, at the moment I have my WLC and my APs plugged to a little switch and this switch is not configurable. It is connected to an RJ45 outlet (which is directly linked to a switch port) and this is the one we configured. I am not sure that all the ports of the little switch are inheriting of the "outlet port" configuration, but in the end, the APs are supposed to all be connected to "outlet ports" so all directly to the real, configurable 48 ports switch.

I am gonna ask for the radius server and tell you asap.

Regarding the type of my WLAN design, I am not sure exactly what the two differents modes consist of since I am a beginner in the Networks. Are you in a local design by default and switching to the flex design when making a flex profile ?

We tried the two configurations I believe since we thought the issue was that we couldn't specify the VLAN ID of the VLAN 2 and 3 to the APs so they wouldn't know where to redirect the clients.

And we didn't try a debug yet.

0 Helpful

Go to solution
Rich R
VIP
VIP
In response to Soxi

‎02-27-2023 02:56 AM - edited ‎02-27-2023 03:34 AM

If the "little switch" is not configurable then it almost certainly is really a hub and doesn't support VLANs so that will be your problem.  You need the APs connected to a real VLAN supporting switch.  Chances are all your dot1q traffic is just getting dropped by the hub because it doesn't recognise the VLAN headers.

And EWC only supports flexconnect local switching so that's the only type of WLAN you'll be able to configure.
"no local-site", "no central association", "no central dhcp", "no central switching" under the wireless policy profile.

You do still need to define the VLANs in the flexconnect profile otherwise the AP doesn't "know" they exist.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs

Go to solution
Soxi
Level 1
Level 1

‎02-27-2023 05:32 AM - edited ‎02-27-2023 05:33 AM

Yes this is exactly what I figured out after posting my second message.

" I am not sure that all the ports of the little switch are inheriting of the "outlet port" configuration, but in the end, the APs are supposed to all be connected to "outlet ports" so all directly to the real, configurable 48 ports switch."

Apparently, the "little switch" can be configurated (but I don't know how since there is no console port and so I don't know how you give him an IP address).

Anyway, I supposed if the configurated port was linked with the first port of the little switch, would it spread its configuration to all the other ports ?

I plugged the eWLC directly to the configurated port and it magically worked, I had now an ip@ and was connected to internet via the AP's SSID.

In the end, our configuration wasn't wrong.

I thought about it when reading your messages and I thank you sooo much for your help, it helps a lot.

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Soxi

‎02-27-2023 07:41 AM

Switches connected to other switches don't inherently get configurations from the upstream switch.  So in the future if you need to add another wlan or vlan, you must make sure the switches have that vlan and the trunk ports also have that vlan.  At least you got it working.

-Scott
*** Please rate helpful posts ***
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card