3457 Views, 5 Helpful, 34 Replies

VLAN Setup on Catalyst APs with EWC and VLANs routed by switch

jeremy0463
Spotlight
I have a Catalyst 9200L and three Catalyst 9115 access points with EWC. I am trying to understand SSID-to-VLAN setup when the VLANs are routed on the switch and the port connected to the AP is a trunk port with the management port as native.

I have used a 2504 WLC and 1852 APs before with VLAN switching handled by the layer 3 switch (trunk port on the switch, management VLAN native, additional VLANs tagged >>> connected to a port on the 2504 with interfaces defined in each VLAN, and each WLAN set to that particular interface). That works great. As I understand it, the APs create a CAPWAP tunnel over the management VLAN (each AP is connected to an access port on that VLAN), then the VLANs from the switch are trunked to the WLC and the WLC handles the routing to the particular interface.

But EWC seems very different. Since there is no controller appliance on this network, and with essentially the same switch configuration (trunk port with routing handled on the layer 3 switch), what is the best way to route WLANs to VLANs? I have a test WLAN set up with policy and tag both configured, and I have wireless access to the management VLAN. Policies only let me add one VLAN per AP.

Please help.
34 Replies

Rich R
VIP

I don't see anything obviously wrong but you do have a lot of different security features enabled on the AP switch ports so I would also try stripping those off to the bare minimum config (with portfast enabled) and then test again.  Then if it works you know one of those features is causing the issue and you can add them back one at a time to work out which it is.  Always best to start with the simplest config and then add features incrementally so you'll know when something causes a problem.  Check the logs for anything which might point you to a problem (logging buffered 200000 debug) for at least 200K log buffer.

You can also use packet capture on the switch port to monitor the traffic there.

Ok Rich, here is the new switch config. Same result.

 

Sat Dec 09 2023 08:20:58 GMT-0600 (Central Standard Time)
===================================================================================
#show config
Using 31436 out of 2097152 bytes
!
! Last configuration change at 19:34:13 CST Thu Dec 7 2023 by admin
! NVRAM config last updated at 19:34:13 CST Thu Dec 7 2023 by admin
!
version 17.6
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service call-home
platform punt-keepalive disable-kernel-core
!
hostname Network_Switch
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 9 $9$hBfaO/8DO5aOoE$GTsKjeos6up8oA1JnAonzisN8IT6taLpxX6Q1ZCufNg
!
!
!
!
no aaa new-model
clock timezone CST -6 0
switch 1 provision c9200l-48p-4g
!
!
!
!
vtp mode transparent
!
!
!
!
!
ip routing
!
!
!
!
!
ip name-server 8.8.8.8 1.1.1.1
no ip domain lookup
ip dhcp excluded-address 192.168.10.0 192.168.10.30
ip dhcp excluded-address 192.168.10.50 192.168.10.255
ip dhcp excluded-address 192.168.40.0 192.168.41.0
ip dhcp excluded-address 192.168.41.251 192.168.41.255
ip dhcp excluded-address 192.168.50.0 192.168.50.99
ip dhcp excluded-address 192.168.50.200 192.168.50.255
!
ip dhcp pool Users
 network 192.168.40.0 255.255.254.0
 default-router 192.168.40.1
 dns-server 8.8.8.8 1.1.1.1
 lease 7
!
ip dhcp pool WirelessAPS
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.20
 dns-server 8.8.8.8 1.1.1.1
 lease infinite
!
ip dhcp pool Guests
 network 192.168.50.0 255.255.255.0
 default-router 192.168.50.1
 dns-server 8.8.8.8 1.1.1.1
 lease infinite
!
!
!
ip arp inspection validate src-mac dst-mac ip
no ip igmp snooping vlan 40
login on-success log
ipv6 nd raguard policy HOST_POLICY
!
udld enable
!
!
!
crypto pki trustpoint SLA-TrustPoint
 enrollment pkcs12
 revocation-check crl
!
crypto pki trustpoint TP-self-signed-3080461521
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3080461521
 revocation-check none
 rsakeypair TP-self-signed-3080461521
!
!
crypto pki certificate chain SLA-TrustPoint
 certificate ca 01 nvram:CiscoLicensi#1CA.cer
crypto pki certificate chain TP-self-signed-3080461521
 certificate self-signed 01 nvram:IOS-Self-Sig#2.cer
!
crypto pki certificate pool
 cabundle nvram:ios_core.p7b
!
!
port-channel load-balance src-dst-ip
license boot level network-advantage addon dna-advantage
!
!
diagnostic bootup level minimal
!
spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 40,50,60 priority 4096
spanning-tree vlan 250 priority 20480
memory free low-watermark processor 10633
!
errdisable recovery cause udld
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause pagp-flap
errdisable recovery cause dtp-flap
errdisable recovery cause link-flap
errdisable recovery cause sfp-config-mismatch
errdisable recovery cause gbic-invalid
errdisable recovery cause l2ptguard
errdisable recovery cause psecure-violation
errdisable recovery cause port-mode-failure
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause pppoe-ia-rate-limit
errdisable recovery cause mac-limit
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause arp-inspection
errdisable recovery cause loopback
errdisable recovery cause psp
errdisable recovery cause mrp-miscabling
errdisable recovery cause loopdetect
username admin privilege 15 secret 9 $9$3VII1lIE2lAG4.$MpTLOpIV2qPl6WwrPoQlKbAoNV/ZH98kazTFmBxx.vQ
!
redundancy
 mode sso
!
!
transceiver type all
 monitoring
!
vlan 8
 name Native
!
vlan 9
 name Blackhole
!
vlan 10
 name Managment
!
vlan 40
 name Users
!
vlan 50
 name Guests
!
vlan 60
 name Voice
!
vlan 70
 name Security
!
vlan 80
 name Video
!
vlan 100
 name Audio
!
vlan 250
 name WAN
!
!
class-map match-any system-cpp-police-ewlc-control
  description EWLC Control
class-map match-any MULTIMEDIA-STREAMING-QUEUE
 match dscp af31
 match dscp af32
 match dscp af33
class-map match-any system-cpp-police-topology-control
  description Topology control
class-map match-any system-cpp-police-sw-forward
  description Sw forwarding, L2 LVX data packets, LOGGING, Transit Traffic
class-map match-any CONTROL-MGMT-QUEUE
 match dscp cs7
 match dscp cs6
 match dscp cs3
 match dscp cs2
class-map match-any TRANSACTIONAL-DATA-QUEUE
 match dscp af21
 match dscp af22
 match dscp af23
class-map match-any system-cpp-default
  description EWLC data, Inter FED Traffic
class-map match-any VIDEO-PRIORITY-QUEUE
 match dscp cs5
 match dscp cs4
class-map match-any system-cpp-police-sys-data
  description Openflow, Exception, EGR Exception, NFL Sampled Data, RPF Failed
class-map match-any system-cpp-police-punt-webauth
  description Punt Webauth
class-map match-any BULK-SCAVENGER-DATA-QUEUE
 match dscp af11
 match dscp af12
 match dscp af13
 match dscp cs1
class-map match-any system-cpp-police-l2lvx-control
  description L2 LVX control packets
class-map match-any system-cpp-police-forus
  description Forus Address resolution and Forus traffic
class-map match-any system-cpp-police-multicast-end-station
  description MCAST END STATION
class-map match-any system-cpp-police-high-rate-app
  description High Rate Applications
class-map match-any system-cpp-police-multicast
  description MCAST Data
class-map match-any system-cpp-police-l2-control
  description L2 control
class-map match-any system-cpp-police-dot1x-auth
  description DOT1X Auth
class-map match-any system-cpp-police-data
  description ICMP redirect, ICMP_GEN and BROADCAST
class-map match-any MULTIMEDIA-CONFERENCING-QUEUE
 match dscp af41
 match dscp af42
 match dscp af43
class-map match-any system-cpp-police-stackwise-virt-control
  description Stackwise Virtual OOB
class-map match-any non-client-nrt-class
class-map match-any system-cpp-police-routing-control
  description Routing control and Low Latency
class-map match-any system-cpp-police-protocol-snooping
  description Protocol snooping
class-map match-any system-cpp-police-dhcp-snooping
  description DHCP snooping
class-map match-any PRIORITY-QUEUE
 match dscp ef
class-map match-any system-cpp-police-ios-routing
  description L2 control, Topology control, Routing control, Low Latency
class-map match-any system-cpp-police-system-critical
  description System Critical and Gold Pkt
class-map match-any system-cpp-police-ios-feature
  description ICMPGEN,BROADCAST,ICMP,L2LVXCntrl,ProtoSnoop,PuntWebauth,MCASTData,Transit,DOT1XAuth,Swfwd,LOGGING,L2LVXData,ForusTraffic,ForusARP,McastEndStn,Openflow,Exception,EGRExcption,NflSampled,RpfFailed
!
policy-map 2P6Q3T
 class PRIORITY-QUEUE
  priority level 1
  police rate percent 10
 class VIDEO-PRIORITY-QUEUE
  priority level 2
  police rate percent 20
 class CONTROL-MGMT-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
 class MULTIMEDIA-CONFERENCING-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
  queue-limit dscp af43 percent 80
  queue-limit dscp af42 percent 90
  queue-limit dscp af41 percent 100
 class MULTIMEDIA-STREAMING-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
  queue-limit dscp af33 percent 80
  queue-limit dscp af32 percent 90
  queue-limit dscp af31 percent 100
 class TRANSACTIONAL-DATA-QUEUE
  bandwidth remaining percent 10
  queue-buffers ratio 10
  queue-limit dscp af23 percent 80
  queue-limit dscp af22 percent 90
  queue-limit dscp af21 percent 100
 class BULK-SCAVENGER-DATA-QUEUE
  bandwidth remaining percent 5
  queue-buffers ratio 10
  queue-limit dscp values  cs1 af13 percent 80
  queue-limit dscp values  af12 percent 90
  queue-limit dscp values  af11 percent 100
 class class-default
  bandwidth remaining percent 25
  queue-buffers ratio 25
policy-map system-cpp-policy
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 192.168.10.20 255.255.255.0
!
interface GigabitEthernet1/0/1
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/2
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/3
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/4
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/5
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/6
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/7
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/8
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/9
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/10
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/11
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/12
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/13
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/14
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/15
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/16
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/17
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/18
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/19
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/20
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/21
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/22
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/23
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/24
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/25
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/26
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/27
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/28
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/29
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/30
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/31
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/32
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/33
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/34
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/35
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/36
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/37
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/38
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/39
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/40
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/41
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/42
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/43
 description Laundry Room Wireless Access Point
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,40,50,60,70,80,100
 switchport mode trunk
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast disable
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/44
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/45
 description Hallway Wireless Access Point
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,40,50,60,70,80,100
 switchport mode trunk
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast disable
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/46
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/47
 description Management Interface
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/48
 switchport access vlan 40
 switchport mode access
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/1/1
 description Link to Edge Router
 switchport access vlan 250
 switchport trunk native vlan 8
 switchport mode access
 ip arp inspection trust
 logging event trunk-status
 load-interval 30
 spanning-tree portfast disable
 ip dhcp snooping trust
!
interface GigabitEthernet1/1/2
 switchport trunk allowed vlan 40,60
 switchport mode trunk
 ip arp inspection trust
 logging event trunk-status
 load-interval 30
 ip dhcp snooping trust
!
interface GigabitEthernet1/1/3
 switchport trunk allowed vlan 40,60
 switchport mode trunk
 ip arp inspection trust
 logging event trunk-status
 load-interval 30
 ip dhcp snooping trust
!
interface GigabitEthernet1/1/4
 switchport trunk allowed vlan 40,60
 switchport mode trunk
 ip arp inspection trust
 logging event trunk-status
 load-interval 30
 ip dhcp snooping trust
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan8
 description Native
 ip address 192.168.8.1 255.255.255.0
!
interface Vlan9
 description Blackhole
 ip address 192.168.9.1 255.255.255.0
!
interface Vlan10
 description Management
 ip address 192.168.10.20 255.255.255.0
!
interface Vlan40
 description Users
 ip address 192.168.40.1 255.255.254.0
!
interface Vlan50
 description Guests
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
 description Voice
 ip address 192.168.60.1 255.255.255.0
!
interface Vlan70
 description Security
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
 description Video
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan100
 description Audio
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan250
 description WAN
 ip address 192.168.250.1 255.255.255.0
!
router ospf 1
!
ip default-gateway 192.168.250.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.250.10
ip ssh time-out 60
ip ssh version 2
ip scp server enable
!
!
!
!
!
!
!
control-plane
 service-policy input system-cpp-policy
!
banner login ^CNetwork Switch^C
!
line con 0
 exec-timeout 0 0
 stopbits 1
line aux 0
line vty 0 4
 login local
 length 0
 transport input telnet
 transport output telnet
line vty 5 15
 login local
 length 0
 transport input telnet
 transport output telnet
!
call-home
 ! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
 ! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
 contact-email-addr sch-smart-licensing@cisco.com
 profile "CiscoTAC-1"
  active
  destination transport-method http
!
!
!
!
!
!
end

 

Packet capture is mostly foreign territory for me. I have wireshark but I don’t really know how to use it effectively.

jeremy0463
Spotlight

Port security! It was the dumb port security! Cisco day0 config applied all of that stuff automatically. Once I deleted all the port security (which I learned how to do on the CLI now) and left portfast, trunk and VLAN config only, it worked like a champ! I don't even know which one of these to mark as the solution, so I will mark the port security one so someone reads all the way to the bottom. Thank you both so much!
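Rich R's advice above (strip the per-port features on the AP ports back to the bare trunk config) and the port-security cause confirmed here can be turned into a repeatable check against the running config. The Python audit below is an added example written for this thread, not Cisco tooling and not code from either participant: it parses an IOS-style running config, picks out the trunk ports whose description contains "Access Point" (an assumed naming convention taken from the config pasted above), and reports any port-security, IP source guard, DHCP snooping or DAI rate limit, or RA guard still attached, portfast left disabled, and any SSID VLAN missing from the trunk's allowed list. The embedded excerpt is constructed from the stanzas above, and the default SSID VLANs 40 and 50 (Users, Guests) are an assumption.

```python
"""Audit an IOS-style running config for AP-facing trunk ports that still carry
per-port security features. Added example for this thread, not Cisco tooling."""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Per-port features Rich R suggested stripping from the AP ports; port-security is
# the one jeremy0463 confirmed as the cause, the others are reported as well.
SUSPECT_FEATURES = (
    "switchport port-security",
    "ip verify source",
    "ip dhcp snooping limit rate",
    "ip arp inspection limit rate",
    "ipv6 nd raguard attach-policy",
)

# Constructed excerpt mirroring the stanzas pasted in the thread: one AP trunk port
# carrying the day-0 port hardening and one ordinary access port (must be skipped).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/43
 description Laundry Room Wireless Access Point
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,40,50,60,70,80,100
 switchport mode trunk
 switchport port-security maximum 11
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security
 ip arp inspection limit rate 100
 ipv6 nd raguard attach-policy HOST_POLICY
 spanning-tree portfast disable
 ip verify source
 ip dhcp snooping limit rate 100
!
interface GigabitEthernet1/0/44
 switchport access vlan 40
 switchport mode access
 switchport port-security
!
"""

# The same AP port after the fix jeremy0463 described: trunk, VLANs and portfast only.
FIXED_CONFIG = """\
interface GigabitEthernet1/0/43
 description Laundry Room Wireless Access Point
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,40,50,60,70,80,100
 switchport mode trunk
 spanning-tree portfast trunk
!
"""

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """{interface: [sub-commands]} from 'interface X' up to the next '!' (indentation ignored)."""
    stanzas: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None
            continue
        m = re.fullmatch(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas

def expand_vlan_list(spec: str) -> Set[int]:
    """'10,40-42,100' -> {10, 40, 41, 42, 100}."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def is_ap_trunk(sub: List[str]) -> bool:
    """AP-facing port as labelled in this thread: trunk mode plus a description
    containing 'Access Point' (assumption: that naming convention is followed)."""
    labelled = any(s.startswith("description ") and "access point" in s.lower() for s in sub)
    return "switchport mode trunk" in sub and labelled

def audit(config: str, ssid_vlans: Iterable[int] = (40, 50)) -> List[Tuple[str, str]]:
    """(interface, issue) pairs for AP trunks: leftover feature, portfast off, SSID VLAN not allowed."""
    findings: List[Tuple[str, str]] = []
    for name, sub in parse_interfaces(config).items():
        if not is_ap_trunk(sub):
            continue
        for cmd in sub:
            if any(cmd.startswith(f) for f in SUSPECT_FEATURES):
                findings.append((name, f"remove '{cmd}' from AP-facing trunk"))
            m = re.fullmatch(r"switchport trunk allowed vlan (\S+)", cmd)
            if m:
                for vlan in sorted(set(ssid_vlans) - expand_vlan_list(m.group(1))):
                    findings.append((name, f"SSID VLAN {vlan} not allowed on trunk"))
        if "spanning-tree portfast disable" in sub:
            findings.append((name, "portfast disabled; use 'spanning-tree portfast trunk'"))
    return findings
```

Run `audit()` over the output of `show running-config` saved to a file; on the sample it reports ten findings on Gi1/0/43 and nothing on the fixed stanza.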

Glad you solved it.
Golden rule: Always best to start with the simplest config and then add features incrementally so you'll know when something causes a problem.
