Same vlan for local breakout and capwapped ssid

Geert Reijnders
Level 1

Hi,

We have two kinds of SSID networks in our environment. One is tunneled to our Central WLC (Catalyst 9800-40) and the other uses local breakout. For the WLAN that is tunneled, we want to use the same VLAN as for the SSID that uses local breakout.

When I configure the VLAN for the tunneled SSID, the switches connected to the WLC see all the MAC addresses of the clients using local breakout.

I would think that the switches wouldn’t see these MAC addresses because they “don’t live” on the WLC. Is this expected behavior that I don’t understand, or am I encountering some kind of error?

The software version of the WLC is 17.12.2

10 Replies

@Geert Reijnders 

Local Breakout or FlexConnect will use the WLC for management, but the traffic stays in the local network, just like a wired client. That's why you should see the client MAC address on the switch.

For central switching, the client MAC address will not be on the switch but on the WLC and on the layer 3 device where the WLC interfaces terminate.

marce1000
Hall of Fame

- To me that looks normal; the question comes down to: why use such a design and not simply use another VLAN.
Also check if the 9800-40 agrees with this by validating the configuration using CLI show tech wireless (not show tech) and feed the output from that into Wireless Config Analyzer. If WirelessAnalyzer does not agree then you must change the design.

 M.

  



-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Rich R
VIP

It doesn't sound right to me (although I've never tried using the same vlan on both) but some questions...
Is the "local breakout" WLAN local switching, local authentication and local DHCP (i.e. central disabled for all)?

 

And how have you defined the VLAN for the flexconnect "local breakout" WLAN?
Have you simply entered the VLAN ID (VLAN number - this does not require VLAN definition in Flex Profile), or have you defined the VLAN name in the Flex Profile (the only place flex VLANs can be defined) and then used that name, or have you tried to use the VLAN name which you defined for the central VLAN (you should NOT do this)?
If using Flex Profile VLAN definition I would make sure to use a different name to the central VLAN to ensure that the controller doesn't confuse them but I've never tried that.

Geert Reijnders
Level 1

Thank you all for your answers. To provide a bit of context, here are the configuration parts:

wireless profile policy tunneled-vlan
wireless profile policy XXXX
description XXX-tunneled
dhcp-tlv-caching
http-tlv-caching
idle-timeout 1800
radius-profiling
session-timeout 0
vlan 320

!

wireless profile policy XXX_Flex_vl320
no central association
no central dhcp
no central switching
description "xxxx flexconnect vlan 320"
dhcp-tlv-caching
http-tlv-caching
radius-profiling
vlan 320

The only thing that catches my attention is that you have radius-profiling enabled on the local policy which might be what is unexpectedly pushing client details to the WLC especially since I don't think it is supported.
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215661-in-depth-look-into-client-profiling-on-9.html#toc-hId-392046632
Try disabling that to see whether it makes any difference?

Otherwise I'd say it's a bug :)
I'd say it's in the same category as when using local .1x auth on the AP - the WLC still tries to send accounting to radius even though it's the AP doing the auth and accounting.  And then the WLC reports millions of radius accounting failures/timeouts when it shouldn't even be sending the packets at all.  

Depending on how much time and patience you have then open a TAC case - get a bug raised and then they might fix it one day if it ever gets onto their list for fixing.  There are some bugs which they seem content to leave there forever no matter how easy they might be to fix.

Geert Reijnders
Level 1

Thanks, I removed this from the policy. However, the MAC addresses didn't disappear. Even when I delete the VLAN on our WLC, the MAC addresses stay in the MAC address table, even after clearing it.

 

WLC#sh vl id 320
VLAN id 320 not found in current VLAN database

 

WLC#sh mac add vlan 320
VLAN MAC Address Type AgeIdx InPkt Interface
-------------------------------------------------------------
320 aaaa.bbbb.cccc.ddd1 WlClient 0 85 WLCLIENT-IF-0x00a0006e6d
320 aaaa.bbbb.cccc.ddd2 WlClient 0 85 WLCLIENT-IF-0x00a0006070
320 aaaa.bbbb.cccc.ddd3 WlClient 0 85 WLCLIENT-IF-0x00a0006786
320 aaaa.bbbb.cccc.ddd4 WlClient 0 85 WLCLIENT-IF-0x00a0006dc3
320 aaaa.bbbb.cccc.ddd5 WlClient 0 85 WLCLIENT-IF-0x00a00070a4

 

Geert Reijnders
Level 1

I reported a bug at Cisco. I tested some more, and this is also the case for other VLANs. I hope they will fix this.

Geert Reijnders
Level 1

The response from Cisco is indeed that the MAC addresses for FlexConnect clients are stored in the MAC address table for management purposes.

For me this is not really a solution, because I don't want our MAC address tables to be filled with MAC addresses which don't belong there. But it is what it is.

It's a feature LOL got to love how they justify things that are clearly bugs!
