01-10-2022 07:55 AM
I'm just learning the new Cisco EWC lingo on a Cisco 9120AX. Got over the initial shock of Policies and Tags and think I have a good handle on it. But my situation now is that my WLAN configured for vlan 1 will not drop the client on vlan 1, but drops it on the native vlan.
Here is my scenario:
1. Cisco switch port configured for my Cisco 9120AX ap;
interface GigabitEthernet1/0/12
description Link to EWC AP
switchport trunk native vlan 52
switchport mode trunk
end
2. Cisco 9120AX ap and EWC get an IP from the DHCP server on vlan 52
3. Cisco switch is passing vlan 52 (Corporate), vlan 5 (Guest), and vlan 1 (default)
4. A firewall is acting as Gateway and DHCP server for all three vlans
5. Connecting a workstation to a different switch port configured as an access port with any of the vlans will provide me with a correct IP address on the respective vlans
6. Cisco EWC configured with three WLANs (Corporate, Guest, and Machine)
7. Cisco EWC configured with three Policy Profiles using the following vlan under Access Policies (Corporate-Vlan52, Guest-Vlan5, and Machine-Vlan1)
8. Cisco EWC using default-policy-tag with the following WLAN-POLICY Maps:
Guest - Guest vlan5
Machine - Machine vlan1
Corporate - Corporate vlan52
9. Cisco EWC using default-flex-profile with Native VLAN ID set to 52
AP, EWC, and Corporate WLAN users all get proper IP address on Vlan 52, 10.161.52.x
Guest WLAN users all get proper address on vlan 5, 192.168.5.x
Problem is that Machine users get an IP on vlan 52, 10.161.52.x - NOT vlan 1, 192.168.1.x
My wireless debug shows the following:
I'm confused and frustrated! Any help would be appreciated.
01-10-2022 03:35 PM
Try creating a VLAN Group Called anything but VLAN1, but assigning VLAN1 to that group. Assign that VLAN Group to the policy profile
01-10-2022 08:31 AM
- You can have the attached debug file processed by https://cway.cisco.com/wireless-debug-analyzer/ where it seems that the client is effectively assigned to vlan 1 (see output in Appendix). You may repeat this process for future debugging outputs after configuration changes in order to check if intended behavior can be achieved or not. Furthermore, on the EWC (CLI) use show tech wireless and have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , look for errors and advisories and correct accordingly
Appendix
Time | Task | Translated
2022/01/06 18:11:05.705 | client-orch-sm | Client made a new Association to an AP/BSSID: BSSID 1cd1.e062.878f, old BSSID 0000.0000.0000, WLAN Corp SSID, Slot 1 AP 1cd1.e062.8780, AP1CD1.E039.D0C8 |
2022/01/06 18:11:05.706 | dot11 | Association success for client, assigned AID is: 2 |
2022/01/06 18:11:05.724 | client-keymgmt | Negotiated the following encryption mechanism: AKM:PSK Cipher:CCMP WPA2 |
2022/01/06 18:11:05.724 | client-auth | Client successfully completed Pre-shared Key authentication. Assigned VLAN: 1 |
2022/01/06 18:11:05.724 | client-orch-sm | Policy profile is configured for local switching |
2022/01/06 18:11:05.724 | client-orch-state | Starting Mobility Anchor discovery for client |
2022/01/06 18:11:05.726 | client-orch-state | Entering IP learn state |
2022/01/06 18:11:06.035 | client-iplearn | Client got IP: 10.161.52.71, discovered through: DHCP |
2022/01/06 18:11:06.036 | client-orch-state | Client reached RUN state, connection completed. |
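The analyzer output above shows the two facts that matter here side by side: the controller says "Assigned VLAN: 1", but the address it then learns (10.161.52.71) belongs to the vlan 52 subnet. The following script, added here as an illustration and not part of the thread or any Cisco tool, automates that comparison: it parses translated debug lines like the ones in the appendix, maps the learned IP back to a VLAN using the subnets the original post lists (10.161.52.0/24 for vlan 52, 192.168.5.0/24 for vlan 5, 192.168.1.0/24 for vlan 1; the /24 prefix length is an assumption), and reports whether the client really landed where the policy profile said it would. The sample debug text is constructed from the appendix lines.

```python
import ipaddress
import re

# Constructed sample: the translated debug lines from the thread's appendix,
# trimmed to the entries this check needs.
SAMPLE_DEBUG = """\
2022/01/06 18:11:05.705 | client-orch-sm | Client made a new Association to an AP/BSSID: BSSID 1cd1.e062.878f, old BSSID 0000.0000.0000, WLAN Corp SSID, Slot 1 AP 1cd1.e062.8780, AP1CD1.E039.D0C8 |
2022/01/06 18:11:05.724 | client-auth | Client successfully completed Pre-shared Key authentication. Assigned VLAN: 1 |
2022/01/06 18:11:05.724 | client-orch-sm | Policy profile is configured for local switching |
2022/01/06 18:11:06.035 | client-iplearn | Client got IP: 10.161.52.71, discovered through: DHCP |
2022/01/06 18:11:06.036 | client-orch-state | Client reached RUN state, connection completed. |
"""

# VLAN-to-subnet map taken from the subnets named in the original post.
# The /24 prefix length is an assumption; adjust to the real addressing plan.
VLAN_SUBNETS = {
    52: ipaddress.ip_network("10.161.52.0/24"),  # Corporate / wireless management
    5: ipaddress.ip_network("192.168.5.0/24"),   # Guest
    1: ipaddress.ip_network("192.168.1.0/24"),   # default / Machine
}

ASSIGNED_RE = re.compile(r"Assigned VLAN:\s*(\d+)")
GOT_IP_RE = re.compile(r"Client got IP:\s*([0-9.]+)")


def parse_debug(text):
    """Pull the assigned VLAN and learned client IP out of translated debug lines.

    Returns (assigned_vlan, client_ip); either is None if the line is absent.
    The last occurrence wins, matching a client that re-associates within one capture.
    """
    assigned = None
    client_ip = None
    for line in text.splitlines():
        m = ASSIGNED_RE.search(line)
        if m:
            assigned = int(m.group(1))
        m = GOT_IP_RE.search(line)
        if m:
            client_ip = ipaddress.ip_address(m.group(1))
    return assigned, client_ip


def vlan_for_ip(ip, subnets=VLAN_SUBNETS):
    """Return the VLAN whose subnet contains ip, or None if no subnet matches."""
    for vlan, net in subnets.items():
        if ip in net:
            return vlan
    return None


def check_vlan_placement(text, subnets=VLAN_SUBNETS):
    """Compare the VLAN the controller claims with the VLAN the learned IP belongs to."""
    assigned, ip = parse_debug(text)
    if assigned is None or ip is None:
        return {"status": "incomplete", "assigned": assigned, "ip": ip, "actual": None}
    actual = vlan_for_ip(ip, subnets)
    if actual is None:
        status = "unknown-subnet"   # IP is not in any VLAN we know about
    elif actual == assigned:
        status = "ok"               # client landed on the VLAN the policy profile named
    else:
        status = "mismatch"         # assigned one VLAN, got DHCP from another
    return {"status": status, "assigned": assigned, "ip": str(ip), "actual": actual}


if __name__ == "__main__":
    result = check_vlan_placement(SAMPLE_DEBUG)
    print(f"{result['status']}: assigned vlan {result['assigned']}, "
          f"IP {result['ip']} belongs to vlan {result['actual']}")
```

Running it on the appendix text reports a mismatch (assigned 1, IP in vlan 52), which is exactly the symptom in the original post; after a configuration change, re-run it on a fresh debug capture and expect "ok" before declaring the fix done.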
01-10-2022 09:51 AM
Thanks for the reply marce1000, this is why I'm confused... it says the client was assigned to vlan1, but it's getting an IP from the native vlan52. Am I missing something on the EWC whereby I have to 'tag' vlan1?
01-10-2022 09:57 AM
Hi,
First of all, usage of VLAN1 for clients is not recommended by Cisco. If possible, try to move away from VLAN1 and use another VLAN.
Then Cisco 9800 behavior dictates that if you configure VLAN id 1 under the policy profile VLAN/VLAN Group then the client will be assigned to Wireless Management VLAN (which in your case is VLAN52), so to overcome this you can specify the VLAN name as default under the policy profile >> VLAN/VLAN Group.
01-10-2022 10:48 AM
Thanks for the reply Arshadsaf.
I agree that we shouldn't be using vlan1 for clients, but we are trying to avoid making significant changes to their existing environment.
Remember that I'm using a Cisco 9120AX EWC and not a Cisco 9800 WLC (that's coming next), so when I change the VLAN/VLAN Group to 'default' as you suggest, I lose the SSID all together. I can restore the SSID when I add a VLAN #.
Recap:
- with VLAN/VLAN Group = 1, client is put onto wireless management vlan (in my case vlan52)
- with VLAN/VLAN Group = default, SSID is no longer broadcasted
- with VLAN/VLAN Group = any other vlan #, client is put onto respective vlan
This doesn't make sense, since I can make it work with Meraki, where I tag vlan1 traffic, and other vendors - just an observation.
01-10-2022 05:16 PM
Thanks Hayden, I was just about to try something like that when I saw your reply.
I was frustrated because I created a VLAN under the default-flex-profile named VLAN001 and assigned it vlan1, then modified the policy profile using VLAN001 - no change, still got an IP in vlan52.
I then thought of Arshadsaf's comment above telling me to use 'default', so I created a VLAN under default-flex-profile named 'default' and assigned it vlan1 (this is what I didn't understand that I had to do), modified the policy to use 'default' and voila - I got an IP in vlan1.
By the way, I tried creating a flex-profile vlan named VLAN1, VLAN001, VLAN001, and VLAN0001 using vlan1 and it always failed. I guess I could always use 'default' for vlan1 or I could just name it the same as the SSID for simplicity (like you said, something other than VLAN1) so that I can use vlan1. Is this documented anywhere on Cisco's site?
Thanks for your help!!!
01-11-2022 07:01 AM
For flex local switching you can just specify the vlan number (1) without having to use names/groups.
This is not well documented but one of my previous replies on another post has a link to the only bit of doc where it explains this.
You just type the vlan number in the vlan field.
01-11-2022 07:13 AM
Thanks rrudling, but I tried that - just using vlan numbers. In my example it worked for vlan 5 and 52, but not for 1. It only worked if I used a named vlan, and one that did not use the number 1 at the end of it.
01-11-2022 07:40 AM - edited 01-11-2022 11:03 AM
Works fine for me on 17.7.1 (and since 17.3.2 at least) as per attached screenshot.
01-11-2022 09:48 AM
Hi again rrudling, the image you shared is showing the WLAN ID number, not the Vlan id. The VLANs are assigned under the Policy Profile (see attached images). I figured out if you want to use names, you must update or create a Flex profile. Hence I created 'default' and 'Machine' to use vlan1. Both work when applied to the Machine Policy Profile. I cannot use the number 1 or VLAN1.
01-11-2022 11:01 AM
Sorry you're quite right - mine works only because 1 is the native vlan!
Latest IOS actually provides a detailed warning in the info text.
01-11-2022 11:09 AM
I guess I'm not using the latest IOS! Thanks for the follow-up.