10-26-2017 07:50 AM - edited 07-05-2021 07:46 AM
Hello all,
I've had a second deployment failure with Cisco AIR-AP-1832i WLC/APs running Mobility Express. The issue is that I can't seem to get off VLAN1, or I suppose it would be more accurate to say the native VLAN.
Scenario is that I have two WLANs as follows:
WLAN1: SSID: Corporate VLAN: 1
WLAN2: SSID: Corporate-Guest VLAN: 100
I can connect to either WLAN/SSID successfully with a client. But only the Corporate WLAN gets me to the proper DHCP server and gives me the ability to pass traffic successfully. Connecting to Guest fails to locate a DHCP server, so I get an APIPA address and nothing works. Configuring a static IP on the proper subnet does not allow traffic to pass.
In this deployment, I am using a Cisco Catalyst 2960 switch with the WLC/AP port being a trunk with dot1q. Here's the best part: I replaced a Cisco WAP321 (yeah, small business) AP with the same WLAN/VLAN/SSID configuration that was connected to the very same switch port. The WAP321 handled the two SSIDs and VLANs perfectly. No issues whatsoever connecting, getting IP addresses on either network or passing traffic. I made no changes to the switch configuration.
The previous failed deployment I had was a bit different in symptoms: The VLAN configuration was the same, a corporate network and guest network, corporate was on VLAN1 and Guest was VLAN 10. This time, I could connect to either SSID, but I would always get an IP address from the DHCP server on VLAN 1. It's like the VLAN 10 tag was completely ignored. I had a TAC case on that one that became a nightmare when Cisco could find nothing wrong with my configuration of the WLC/AP, switch, or ASA (DHCP server for VLAN 10). They could offer no explanation, even though I provided a pcap from the WLC's switchport (mirrored to my laptop running Wireshark) to TAC. I opted to RMA the 1832s in that case after TAC failed to resolve the situation. I haven't deployed the new APs (different vendor) yet.
Anyway, my question to anyone familiar with these 1832i series units is, what am I missing, or is there a known problem with these things? I don't have these issues with real Cisco WLCs (2504 for example) or even the small business line, although Cisco's new crop is terrible and I won't buy them.
By the way, these last 1832i's shipped with 8.4.100.
Thanks
10-26-2017 09:53 AM
Hi Jon,
Got these problems since version 8.2.
Everything that involves VLAN 1 without it being the management VLAN is a nightmare and won't work.
Tagging just doesn't work for VLAN 1 when it is not the native VLAN.
I quit using VLAN 1 as a VLAN for SSIDs.
Best Regards,
Rui
10-30-2017 11:50 PM
Hi Jon,
Could I get the SR number? I understand what you are reporting but let me check on what TAC advised and I will get back to you.
Regards,
Rajat
11-01-2017 01:06 PM
Hi Jon,
Since I do not have the SR number, I made some assumptions and tried it myself, and it seems to be working for me. Here is what I did.
Connected my 1832I running Mobility Express version 8.4.100.0 to a 2960-X switch. Below is my switch configuration:
interface GigabitEthernet0/1
switchport trunk allowed vlan 1,100
switchport mode trunk
Native VLAN is 1 as shown below
Port Mode Encapsulation Status Native vlan
Gi0/1 on 802.1q trunking 1
Gi0/24 on 802.1q trunking 1
My APs were in VLAN 1 because Management traffic on Mobility Express has to be untagged.
Created two WLANs
To verify that my Native VLAN and tagged WLAN were configured correctly, I executed the following CLI
(Cisco Controller) >show flexconnect group detail default-flexgroup
This is a snippet of the CLI. After executing the command just scroll down till you see the following configuration highlighted in RED.
--More-- or (q)uit
Group-Specific Vlan Config:
Vlan Mode.................... Enabled
Native Vlan.................. 1
Override AP Config........... Enabled
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID Vlan ID
-------- --------------------
3 100
Let us test. I connected my Mac to ‘Corporate’ WLAN and iPhone to ‘Corporate-Guest’. Below is the output which shows my two clients connected to the ME-WLC.
(Cisco Controller) >show client summary
Number of Clients................................ 2
GLAN/
MAC Address AP Name Slot Status WLAN Auth Protocol Port Wired Tunnel Role
----------------- ------------------------------ ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
70:70:0d:0b:f3:89 APDCCE.C12C.3A30 1 Associated 3 Yes 802.11ac(5 GHz) 1 No No Local
a4:5e:60:f0:7c:bd APDCCE.C12C.3A30 1 Associated 2 Yes 802.11ac(5 GHz) 1 No No Local
(Cisco Controller) >show client summary ip
Number of Clients................................ 2
MAC Address AP Name Status IP Address
----------------- ---------------- ------------- --------------------------------
70:70:0d:0b:f3:89 APDCCE.C12C.3A30 Associated 100.100.100.12
a4:5e:60:f0:7c:bd APDCCE.C12C.3A30 Associated 1.1.1.13
Now, how do I Tag a WLAN on the WebUI? When you are creating or editing a WLAN, click on the VLAN & Firewall tab and do the following-
Let me know if this helps.
Regards,
Rajat
11-02-2017 07:21 AM
Hi Rajat,
I didn't actually open a TAC case on this one, since I was coming off the other failed deployment a few days before with similar issues. My configuration is pretty much identical to what you have above. Let's face it, this is not a very complicated setup. Interestingly, I was able to get this working recently, and without any configuration changes. All I did was that I configured another port on the 2960 as a trunk with identical configuration as the former, same as yours. I connected the 1832i to the new port and waited for it to fully boot. Tried connecting a wireless client to both WLANs as before and ran into the same problem. I reconnected the WAP321 to the first switch port and tried connecting - it worked fine as before for both WLANs. Then I swapped the 1832i back over to the first port again, and found that I could suddenly connect to both WLANs properly. It has been running a couple days now without a hiccup.
I really wish I had done packet captures throughout all of this to get a sense of what was not working, but I figured it would be a waste of time since I was planning on doing another RMA for this unit as well. I am very much in the trenches with this stuff, and don't have a lot of time to spend trying to fix things that should just work in the first place. I also have a couple deployments using these APs that were very successful, so I know the product can work well and does have potential.
Perhaps I got a few APs from a bad batch, maybe it's an issue with 8.4.100, I will probably never know. The TAC engineer I had on the previous deployment issue was going to report the problem I had as a bug when she could find nothing wrong with the configuration of any of the devices or CLI output from the WLC/AP. She told me later that Cisco's "BU team does not support 8.4.100" so I guess that means they know that version to be flaky for this or other reasons. The proposed solution was to downgrade the WLC and AP software. But I had to cut my losses on time and opted for a more reliable product, at least out of the box. I have been using these 1832s as a relatively low cost solution to replace aging SOHO-style autonomous APs with customers who won't pay the price for a proper controller-based lightweight AP deployment. For now I'm rolling out Ubiquiti UniFi systems for this segment. They have their issues, but they do seem to work with less fuss out of the box.
But I'm a real fan of the 2504 and the 2700/2800 series APs for more serious implementations.
12-06-2017 11:17 PM
I'm having the same problem on an 1832 ... I need three SSIDs, each on a separate VLAN ... one should be on the default VLAN 1 (untagged), the other two on tagged VLANs. All the APs (the 1832 and two 1815) are on trunk/multi-vlan ports, running in mobility express mode, but no matter what I try, all SSIDs end up in the default vlan untagged ...
Do I need to switch to capwap mode in order to get this to work?
The 1832 is running 8.4.100.0 ...
12-08-2017 10:54 AM
Hi Garry,
You do not need to change the mode to CAPWAP. Can you please send the full output of the following from the controller CLI.
(Cisco Controller) >show flexconnect group detail default-flexgroup
12-08-2017 11:17 AM
Here's the output:
Number of AP's in Group: 3
AP Ethernet MAC Name Status Mode Type Conflict with PnP
-------------------- -------------------- --------------- -------------- ---------- ------------------
2c:31:24:c6:1d:20 AP2C31.24C6.1D20 Joined Flexconnect Manual No
40:01:7a:b1:9e:30 AP4001.7AB1.9E30 Joined Flexconnect Manual No
50:0f:80:6e:8e:78 AP500F.806E.8E78 Joined Flexconnect Manual No
Efficient AP Image Upgrade ..... Disabled
Master-AP-Mac Master-AP-Name Model Manual
Group Radius Servers Settings:
Type Server Address Port
------------- ---------------- -------
Primary Unconfigured Unconfigured
Secondary Unconfigured Unconfigured
Group Radius/Local Auth Parameters :
Radius Retransmit Count......................... 3 (default)
Active Radius Timeout........................... 5 (default)
--More-- or (q)uit
Group Radius AP Settings:
AP RADIUS server............ Disabled
EAP-FAST Auth............... Disabled
LEAP Auth................... Disabled
EAP-TLS Auth................ Disabled
EAP-TLS CERT Download....... Disabled
PEAP Auth................... Disabled
Server Key Auto Generated... No
Server Key.................. <hidden>
Authority ID................ 436973636f0000000000000000000000
Authority Info.............. Cisco A_ID
PAC Timeout................. 0
HTTP-Proxy Ip Address....... 0.0.0.0
HTTP-Proxy Port............. 0
Multicast on Overridden interface config: Disabled
DHCP Broadcast Overridden interface config: Disabled
Number of User's in Group: 0
Vlan :........................................... 50
Ingress ACL :................................... GAST
Egress ACL :.................................... GAST
FlexConnect Vlan-name to Id Template name: none
Flex-Group Wlan Avc Mappings
--More-- or (q)uit
WLAN ID Visibility Avc-profile
------- ---------- --------------------------------
1 disable XXXXXX
2 disable GAST
3 disable MOBIL
Group-Specific Vlan Config:
Vlan Mode.................... Enabled
Native Vlan.................. 1
Override AP Config........... Enabled
Group-Specific FlexConnect Wlan-Vlan Mapping:
WLAN ID Vlan ID
-------- --------------------
1 1
2 50
3 40
WLAN ID SSID Central-Dhcp Dns-Override Nat-Pat
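Rajat's and Garry's posts both rely on reading the "show flexconnect group detail default-flexgroup" output by eye to confirm the native VLAN and the WLAN-to-VLAN mapping, and then comparing that with what the switch trunk allows. The script below is an added example (not from Cisco or anyone in this thread) that does the same comparison automatically: it parses the "Group-Specific Vlan Config" and "Wlan-Vlan Mapping" sections, expands an IOS-style "switchport trunk allowed vlan" list, and flags any WLAN whose VLAN is missing from the trunk or which is mapped to the native VLAN (and therefore leaves the AP untagged, which is exactly the case Rui warns about). The sample output is constructed from the values in Garry's post; the trunk allowed list and switch native VLAN are assumptions you would replace with your own switch configuration.

```python
import re

# Constructed sample modelled on the "show flexconnect group detail" snippet
# quoted in this thread (native VLAN 1; WLAN 1 -> VLAN 1, 2 -> 50, 3 -> 40).
SAMPLE_OUTPUT = """\
Group-Specific Vlan Config:
 Vlan Mode.................... Enabled
 Native Vlan.................. 1
 Override AP Config........... Enabled
Group-Specific FlexConnect Wlan-Vlan Mapping:
 WLAN ID   Vlan ID
 --------  --------------------
 1         1
 2         50
 3         40
WLAN ID  SSID  Central-Dhcp  Dns-Override  Nat-Pat
"""

# Assumed switchport settings for the AP's trunk, i.e. what you would find under
# "switchport trunk allowed vlan ..." and "switchport trunk native vlan ...".
SWITCH_ALLOWED = "1,40,50"
SWITCH_NATIVE = 1


def parse_allowed_vlans(spec):
    """Expand an IOS-style VLAN list such as '1,40-42,50' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_flex_group(text):
    """Pull the native VLAN and the WLAN-to-VLAN mapping out of the CLI output."""
    native = None
    mapping = {}
    in_mapping = False
    for line in text.splitlines():
        m = re.match(r"\s*Native Vlan\.+\s*(\d+)", line)
        if m:
            native = int(m.group(1))
            continue
        if "Wlan-Vlan Mapping" in line:
            in_mapping = True
            continue
        if in_mapping:
            m = re.match(r"\s*(\d+)\s+(\d+)\s*$", line)
            if m:
                mapping[int(m.group(1))] = int(m.group(2))
            elif line.strip() and not re.match(r"\s*(WLAN ID|-+)", line):
                in_mapping = False  # any other text means we left the table
    return {"native_vlan": native, "wlan_vlan": mapping}


def check_mapping(cfg, allowed, switch_native):
    """Compare the controller's view with the switch trunk and return findings."""
    findings = []
    if cfg["native_vlan"] != switch_native:
        findings.append("native VLAN mismatch: controller %s vs switch %s"
                        % (cfg["native_vlan"], switch_native))
    for wlan, vlan in sorted(cfg["wlan_vlan"].items()):
        if vlan not in allowed:
            findings.append("WLAN %d: VLAN %d is not allowed on the trunk" % (wlan, vlan))
        if vlan == cfg["native_vlan"]:
            findings.append("WLAN %d: mapped to native VLAN %d, so its frames leave "
                            "the AP untagged" % (wlan, vlan))
    return findings


if __name__ == "__main__":
    cfg = parse_flex_group(SAMPLE_OUTPUT)
    print("native VLAN:", cfg["native_vlan"], "mapping:", cfg["wlan_vlan"])
    for f in check_mapping(cfg, parse_allowed_vlans(SWITCH_ALLOWED), SWITCH_NATIVE):
        print("-", f)
```

Paste the full CLI output into SAMPLE_OUTPUT (or read it from a file) and set the two switch values from the port's running config; an empty findings list means the controller mapping, the trunk allowed list and the native VLAN all agree, which is the state Rajat's working setup was in.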
12-12-2017 12:17 AM
I just did some more debugging ... it turns out the VLAN assignment as such work fine, but the controller seems to behave as if a DHCP helper were configured ... so instead of just ignoring anything and letting the DHCP requests be forwarded to the VLAN the SSID is part of, it gets the DHCP request and forwards it on the management/default VLAN ... the client gets its IP from there, and then goes on to search for the MAC address of the default gateway inside the other VLAN ...
I've tried enabling/disabling the local profiling, no success. Removed/added a local DHCP server, again, no success. Enabled/disabled the DHCP pool used inside an SSID, again, IP from the default vlan.
I'm pretty much out of ideas ...
12-12-2017 12:26 AM
Hi Garry,
I did try and was not able to repro. Let us get on a WebEx and have a look at your issue. Please email me @ rtayal@cisco.com and we can get started.
Regards,
Rajat
03-15-2018 02:39 PM
We started out with the exact same problem as the original post (all traffic sent out untagged, regardless of any VLAN settings on the WLANs).
After downgrading to firmware 8.2 on the advice of TAC, we then ended up in the same place as Garry - DHCP request was being forwarded out the native VLAN, then all subsequent traffic was sent out the correct VLAN.
You could connect to the desired VLAN, set your IP statically and everything would work - it was just the DHCP requests that were being sent to the wrong place.
We resolved by disabling DHCP Proxy on the controller (config dhcp proxy-mode disable) and then restarting all the APs.
Important to note that even if you disabled/enabled the WLAN, rebooted the controller etc. the settings wouldn't take effect until the AP that the client connected through was rebooted.
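The symptom described by Garry and confirmed here, DHCP going out on the native VLAN while the rest of the client's traffic goes out tagged, is easiest to prove from a capture on a mirror of the AP's switchport, which is what the original poster did with Wireshark. The script below is an added example (not from Cisco or any poster) that performs that check on raw Ethernet frames: it parses the optional 802.1Q header, IPv4 and UDP, keeps only DHCP/BOOTP frames, and reports every DHCP request that did not leave on the VLAN the client's WLAN is mapped to. The capture is constructed inline (the client MAC is the one from Rajat's "show client summary" output; everything else is made up), and the expected VLAN of 100 is an assumption; with a real capture you would feed in the frame bytes from a pcap reader instead.

```python
import struct

DHCP_PORTS = {67, 68}


def build_frame(vlan, src_port, dst_port, bootp_op):
    """Constructed test frame: Ethernet [+ 802.1Q] + IPv4 + UDP + minimal BOOTP."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("70700d0bf389")          # client MAC quoted in the thread
    # BOOTP header: op (1 = request, 2 = reply), htype, hlen, hops, then padding
    bootp = struct.pack("!BBBB", bootp_op, 1, 6, 0) + b"\x00" * 232
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp   # proto 17 = UDP, checksum 0
    if vlan is None:
        return dst + src + b"\x08\x00" + ip            # untagged (native VLAN)
    tci = struct.pack("!H", vlan & 0x0FFF)             # priority 0, VLAN id only
    return dst + src + b"\x81\x00" + tci + b"\x08\x00" + ip


def parse_dhcp_frame(frame):
    """Return (vlan_id or None, 'request'|'reply') for a DHCP frame, else None."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == 0x8100:                            # 802.1Q tag present
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != 0x0800:
        return None
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != 17:                           # not UDP
        return None
    udp = off + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if {sport, dport} != DHCP_PORTS:                   # client<->server only
        return None
    kind = {1: "request", 2: "reply"}.get(frame[udp + 8])
    return (vlan, kind) if kind else None


def audit_capture(frames, expected_vlan):
    """Count DHCP frames per (vlan, kind) and flag requests on the wrong VLAN."""
    seen = {}
    findings = []
    for i, frame in enumerate(frames):
        parsed = parse_dhcp_frame(frame)
        if parsed is None:
            continue
        vlan, kind = parsed
        seen[(vlan, kind)] = seen.get((vlan, kind), 0) + 1
        if kind == "request" and vlan != expected_vlan:
            findings.append("frame %d: DHCP request left on %s, expected VLAN %d"
                            % (i, "native/untagged" if vlan is None else "VLAN %d" % vlan,
                               expected_vlan))
    return seen, findings


# Constructed capture: frames 0-1 show the bug (DHCP untagged on the native VLAN),
# frames 2-3 show a healthy exchange on VLAN 100, frame 4 is non-DHCP noise.
CAPTURE = [
    build_frame(None, 68, 67, 1),
    build_frame(None, 67, 68, 2),
    build_frame(100, 68, 67, 1),
    build_frame(100, 67, 68, 2),
    build_frame(100, 5353, 53, 1),
]

if __name__ == "__main__":
    seen, findings = audit_capture(CAPTURE, expected_vlan=100)
    print("DHCP frames by (vlan, kind):", seen)
    for f in findings:
        print("-", f)
```

If the output lists requests on "native/untagged" while the client's WLAN is mapped to a tagged VLAN, you are looking at the proxy behaviour described in this thread, and the fix of disabling DHCP proxy and rebooting the AP is worth trying before anything else.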
11-12-2018 03:54 AM - edited 11-12-2018 03:57 AM
Hi, I'm having the same problem. I need 2 SSIDs (different VLANs) but can't configure it. Is there any document you can share with me? I need to solve the issue ASAP.
I have not received the Smartnets yet, so I can't open a TAC case.
I have 8 ME AP.
I need to deploy 1 Employee SSID and 1 Guest SSID. Both of them should be on different networks.
Can I get a document (successful deployment of this kind of scenario)? Thanks in advance.
Best regards
ARIQ
03-01-2019 03:04 PM
Pardon for resurrecting an old thread. But I had same issue and thanks for the pointer here... finally able to get it to work.
The key is to have all the vlan marked as "tagged".
3x AP1815w running ME v8.8.111.0.
One of the APs is the controller; the management IPs are in VLAN 1.
1x home ssid = vlan 1 [untagged on the switch side]
1x guest ssid = vlan 12 [tagged on the switch side]
I had to configure both SSIDs/VLANs as follows for it to work and get a proper IP from the DHCP server on the network.
For home SSID under VLAN and Firewall:
For guest under vlan and firewall:
Hopefully this helps out others having a similar issue.
01-22-2019 11:08 AM
I am struggling with the same thing. I have set up the management as VLAN 1 and have the DHCP server for the management VLAN handing out addresses that are within the main corporate scope. My main scope is 192.168.128.0 255.255.128.0; my normal DHCP server hands out 192.168.253.50 to 192.168.254.200 with some exclusions. The management hands out 192.168.240.20 to 240.30.
My gateway is 192.168.254.252.
That scope is marked as the management network.
I have created a 2nd DHCP scope for my guests that is 10.10.10.0 255.255.255.0; the range is 10.10.10.100 to 10.10.10.200 and the gateway is 10.10.10.200, which is the same as the DHCP server IP. The DHCP scope is tagged as VLAN 100.
If I connect the AP to my network, here is what I get -
If I sign into the management network I am able to get connected, but it is handing out my corporate IP, not the IP range set in the management scope.
If I sign into the other network I get the IP address that is correct for the SSID, but I cannot connect to the internet.
If I do not have the AP connected to my main network I get -
When signed into the mgmt SSID I get the DHCP address that is in scope, but of course I cannot reach the internet...
When I connect to the guest network I get the proper DHCP address range, but I still cannot connect to the internet since it is not connected.
I am using version 8.4.100.0
the units are brand new.
06-03-2019 11:19 AM - edited 06-03-2019 11:33 AM
Get with it Cisco. You obviously have a big problem with Mobility Express. I have another two deployments of these 1832i systems that are going wrong. Each has a different issue, but the latest one is the EXACT problem I mentioned as this thread's OP in 2017. Now running 8.5.131.0 - absolutely CANNOT get 2 SSIDs with 2 VLANs to work. With the WLC uplink switchport configured 1U, 222T and with one SSID set to VLAN 222 (Native VLAN 1) I get DHCP from VLAN 1 rather than VLAN 222.
As one poster mentioned, I tried the config dhcp proxy-mode thing, but that command was rejected by the WLC.
So I tried what another poster suggested - TAGGING both VLANs (VLAN 1 for the corp SSID and VLAN 222 for the Guest SSID) even though that makes absolutely no sense to me - how can that work if you leave the uplink switchport as 1U and 222T? Well, after rebooting the WLC/AP, I found that it didn't work. But then I found that the blasted thing set the native VLAN to 222 for both WLANs. I know I had them set to VLAN 1. So I changed them both back to VLAN 1 and rebooted again.
My Phone (my test client) actually connected to the Guest WLAN and got the right address via DHCP! (VLAN 222).
I then tried connecting to the corp SSID and no go. No IP via DHCP. A look back at the WLAN settings on the WLC showed that it changed the native VLAN back to 222 for both WLANs.
I can't see how this is still an issue. Cisco responding back with "unable to reproduce" is pretty useless. How many posters now have the SAME issue? Obviously not an isolated incident. I will say that I have been successful in deploying ME systems, and every time it works, I end up having the corporate WLAN untagged (native VLAN is 1) and the guest VLAN tagged with the proper VLAN ID and a native VLAN set to 1. My switch/trunk configuration is always the same, and I most often use either Cisco Catalyst or Cisco SMB switches like the SG200/300/250/350. Some work and some do not - with IDENTICAL configurations. I think the real problem is potentially the issue of this native VLAN that seems to bounce back and forth.
What is the native VLAN configuration even for (in the context of WLAN configuration)? Why would the native VLAN ever change between WLANs?