Solved: Problem with 9800 WLC, native vlan and client vlan

DavidRoss · ‎10-18-2023

Hi i have this problem

I have to migrate all the access points to a management vlan, previously i had the access points that took ips from the same client ssid for clients (CLIENTS) that is the vlan1 (to be clear the ssid gave the same ips from the vlan 1/CLIENTS to aps and clients)

Now i put this kind of configuration on the switch interface connected to the access point:

description AP
switchport trunk native vlan 6
switchport trunk allowed vlan 1,6
switchport mode trunk

We have created a layer 3 vlan interface that gives the ips (relays to a dhcp server) for the vlan 6 to the APs, and it is good, but the problem is that clients connected to ssid CLIENTS that should receive ips from vlan 1 they take ips from vlan 6 (same vlan that is the management vlan for the aps)

Do you know how to solve tis problem?

Thank you!

Rich R · ‎10-18-2023

- Is the SSID central or locally switched?
To do what you want to (AP management on VLAN 6, clients on VLAN 1) your switch port config looks correct.
The fact that clients are landing in VLAN 6 means either your flexconnect profile is wrong or you're centrally switching them to the AP VLAN on the WLC...

Your flex profile should contain something like:
wireless profile flex clients
native-vlan-id 6
vlan-name CLIENTS
vlan-id 1

And then the site tag:
wireless tag site my-aps
ap-profile my-ap-profile
flex-profile clients
no local-site

And the WLAN:
no central association
no central authentication
no central dhcp
no central switching

And make sure you're using up to date code as per the TAC recommended link below (currently 17.9.4)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

marce1000 · ‎10-18-2023

- Are you using APs in Flexconnect mode ? Otherwise the APs don't need a trunk configuration on the connected ports and just access mode with the correct (capwap) vlan (?). As for client DHCP solutions , consider https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html#DHCPbridgingandDHCPrelay
being best practice(s)

You should probably abandon vlan1 too and use another vlan(/wlan) for the clients.

As for all configuration (attempts) on the 9800 platform validate any configuration with the CLI command show tech wireless
Feed the output into : Wireless Config Analyzer , consider this kind of mandatory and very useful as reported by other experiences from a customer (e.g.) : This is so good

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

DavidRoss · ‎10-18-2023

Thank you for the rply, Yes, we are using the ap in flexconnect mode (sorry, i didn't specify it previously). To abandon vlan 1 for me is a problem , do you think that that is the problem? Is there another solution for you?

marce1000 · ‎10-18-2023

>... receive ips from vlan 1 they take ips from vlan 6
(Ok = flexconnect) , (correcting reply because the earlier link was for aireos)
: Ref : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html
>....In FlexConnect APs with locally switched WLANs, the traffic is switched at the AP and the DHCP requests from the client goes into the wired network by the AP interface directly. The AP does not have any SVI in the client subnet, so it is not able to do DHCP proxy; and thus, the DHCP relay configuration (DHCP Server IP Address), in the Policy Profile > Advanced tab, has no meaning for locally switched WLANs. In these scenarios, the switchport needs to allow the client VLAN and then, if the DHCP server is in a different VLAN, configure the IP helper in the client SVI/default gateway so it knows where to send the DHCP request from the client.
Make sure the client finds the correct ('and only') DHCP server first

and also run the WirelessAnalyzer procedure as explained (when changing configurations on the 9800)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎10-18-2023

- Is the SSID central or locally switched?
To do what you want to (AP management on VLAN 6, clients on VLAN 1) your switch port config looks correct.
The fact that clients are landing in VLAN 6 means either your flexconnect profile is wrong or you're centrally switching them to the AP VLAN on the WLC...

Your flex profile should contain something like:
wireless profile flex clients
native-vlan-id 6
vlan-name CLIENTS
vlan-id 1

And then the site tag:
wireless tag site my-aps
ap-profile my-ap-profile
flex-profile clients
no local-site

And the WLAN:
no central association
no central authentication
no central dhcp
no central switching

And make sure you're using up to date code as per the TAC recommended link below (currently 17.9.4)

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390