
Local breakout help

frederick.mercado
Spotlight

So maybe I am overthinking this, or perhaps it's not possible. I am trying to have clients maintain internal network connectivity by means of their VLAN and access the internet for any http/https traffic, similar to split tunneling or split traffic like we do with VPN. One would think I could connect an outside internet line to the WLC and perhaps configure an SVI and allow access from VLAN xxx out to the internet?

 

We have a network that is fairly simplistic. 

 

The wireless clients are on VLAN xxx. They get internal DHCP and authenticate to RADIUS. We are trying to create a local breakout to the internet for their internet traffic so it does not hit our MPLS line and use precious resource. I know the WLC has Layer capabilities, so I wonder if I can somehow set up a direct local breakout from this, or should I do inter-VLAN routing, or is there an easier path? The internet ISP can be routable if needed, but I have an internal IP from its own switch at: 10.x.x.x

Here is a simple diagram:

    Outside internet to connect to WLC (10.x.x.x)

           ^

Client> AP (flex) > WLC (Has SSID and VLAN SVI)/Switch > Core

29 Replies

Indeed, I attempted this by doing a route-map as well; it seemed the traffic was not fazed by this.

 

If I have a VLAN xxx (10.74.x.x) on the core with the mobile traffic, and I wanted it to reach the ISP or interface with 207.x.x.x (no switchport or L3 int) with a route map what would be a good example?

Arshad Safrulla
VIP Alumni


ip access-list extended Guest_ACL
permit ip 10.74.126.0 0.0.0.255 any
!
route-map Guest_PBR permit 10
match ip address Guest_ACL
set ip next-hop 207.91.252.28
!
interface vlan 126
ip policy route-map Guest_PBR
!

 

You need this in both switches. These switches must know how to reach 207.91.252.28 (the route must be present in both switches, otherwise traffic will still be routed over MPLS, as I assume there is a default route received over MPLS).

I have added this exact configuration.

 

Removed

207.91.252.28 is configured on GigabitEthernet1/0/44 (in your switch), so it will not work as this IP is defined as the next hop. You need to define the next hop (set ip next-hop 207.91.252.25).

Corrected on both. Still nothing past the local VLANs or subnets. Cannot ping .25/.28 from client. Still pings from CLI of cores to 8.8.8.8....

 

Clients getting DHCP from WLC but it seems the route is still not there? 

Oddly, a traceroute from the client shows it's hitting the VLAN; ip cef shows the clients attached. Then it goes out to the MPLS. I wonder if it has to do with the HSRP. So I took down the VLAN for standby and now I can ping out to .28/.25, but I cannot get to 8.8.8.8

ip cef status

Rich R
VIP

Use packet capture and packet tracing https://www.cisco.com/c/en/us/support/docs/content-networking/adaptive-session-redundancy-asr/117858-technote-asr-00.html to work out what's happening to your packets. 

I presume your DHCP is providing a default gateway which then sends the clients in the right direction to hit your PBR and NAT?

You haven't shown what your NAT config looks like?

For simplicity I placed DHCP on the WLC. I see clients obtaining IPs. I set the router to the Core IP for the VLAN and DNS to 8.8.8.8....

 

I was reading that since we do ip default-gateway it may not work well with ip routing. I did a show run all and it shows ip routing enabled.

 

ISP L3 port: 

interface GigabitEthernet1/0/44
description ISP
no switchport
ip arp inspection trust
ip address 207.91.252.28 255.255.255.248
ip nat outside

 

Mobile Client VLAN:

interface Vlan126
description MOBILE_SSID
ip address 10.74.126.252 255.255.255.0
ip helper-address 10.74.35.10
no ip proxy-arp
ip nat inside
standby version 2
standby 126 ip 10.74.126.250
standby 126 timers msec 250 msec 750
standby 126 preempt delay minimum 180
standby 126 authentication md5 key-string 7 143B2127
ip policy route-map Guest_PBR

 

ip default-gateway 10.74.0.251
no ip forward-protocol nd
ip forward-protocol udp 4011
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list Guest_ACL interface GigabitEthernet1/0/44 overload
ip route 0.0.0.0 0.0.0.0 10.74.0.251
ip ssh version 2
!
!
ip access-list extended Guest_ACL
10 permit ip 10.74.126.0 0.0.0.255 any

 

I removed ip default-gateway as a test and still no ping out to 8.8.8.8
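As an added example (not any poster's configuration), here is the same single-switch breakout written so that the split-tunnel goal from the original question is explicit: both the policy-routing ACL and the NAT ACL deny internal destinations first (the internal network is assumed here to be summarised by 10.0.0.0/8), so that traffic falls through to normal routing instead of being forced to the ISP, and the PBR next hop is the ISP gateway rather than the switch's own interface address. The HSRP pair from the thread is left out; addresses and names reuse the thread's values.

```cisco
! Added example, not any poster's config. Single switch, no HSRP.
! Assumption: 10.0.0.0/8 covers every internal subnet that VLAN 126
! clients must still reach over the core/MPLS.
!
! PBR ACL: a deny means "no match", so the packet is routed normally.
! Only traffic to non-internal destinations is forced to the ISP.
ip access-list extended Guest_PBR_ACL
 deny   ip 10.74.126.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.74.126.0 0.0.0.255 any
!
! NAT ACL: same split, so internal-bound traffic is never translated.
ip access-list extended Guest_NAT_ACL
 deny   ip 10.74.126.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 10.74.126.0 0.0.0.255 any
!
route-map Guest_PBR permit 10
 match ip address Guest_PBR_ACL
 ! Next hop is the ISP gateway on the /29, not this switch's own .28.
 set ip next-hop 207.91.252.25
!
interface GigabitEthernet1/0/44
 description ISP
 no switchport
 ip address 207.91.252.28 255.255.255.248
 ip nat outside
!
interface Vlan126
 description MOBILE_SSID
 ip address 10.74.126.252 255.255.255.0
 ip nat inside
 ip policy route-map Guest_PBR
!
ip nat inside source list Guest_NAT_ACL interface GigabitEthernet1/0/44 overload
!
! Verification (show commands, not configuration):
!  show route-map Guest_PBR       -> "Policy routing matches" should increment
!  show ip nat translations       -> outside global address 207.91.252.28
!  show ip route 207.91.252.25    -> directly connected via Gi1/0/44
```

If the policy-routing match counter stays at zero while clients send traffic, the ACL or the interface the policy is applied on is wrong; if it increments but NAT shows no translations, the problem is between the route-map and the ISP link.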

 

Rich R
VIP

At a glance that should work unless I've missed something. Any other ideas @Arshad Safrulla?

 

Regarding ip routing and ip default-gateway: If ip routing is enabled the ip default-gateway command is ignored.

Instead you need the equivalent ip route 0.0.0.0 0.0.0.0 10.74.0.251 which you already have.

But that shouldn't make any difference to these clients because you're policy routing them to the ISP interface which overrides the standard routing.

 

You need to debug this using packet captures, packet traces and maybe ACLs too to work out what has been missed or isn't working or maybe isn't supported.

 

Yeah, I figured the PBR should overrule this. It's basic... and makes no sense. I would think it's an ISP issue, but a laptop can get out fine.

 

I have another unused layer 3 switch with an empty config. I wonder if I can use this as an edge device just with IP routing and configure a VLAN for the ISP and route this to the core... any good ideas on a config for this?

 

Yes, if you can't get it working on the switch then it might be easier to do on a separate router between the ISP router and your switch.
