VLAN Setup on Catalyst APs with EWC and Vlans routed by switch

jeremy0463
Spotlight
I have a Catalyst 9200L and three Catalyst 9115 access points with EWC. I am trying to understand SSID to VLAN setup when the VLANs are routed on the switch and the port connected to the AP is a trunk port with the management VLAN as native.
 
I have used 2504 WLC and 1852 APs before with VLAN switching handled by the layer 3 switch (trunk port on the switch, management VLAN native, additional VLANs tagged >>> connected to a port on the 2504 with interfaces defined in each VLAN, and each WLAN set to that particular interface). That works great. As I understand it, the APs create a CAPWAP tunnel over the management VLAN (each AP is connected to an access port on that VLAN), then the VLANs from the switch are trunked to the WLC and the WLC handles the routing to the particular interface.
 
But EWC seems very different. Since there is no controller appliance on this network, and with essentially the same switch configuration (trunk port with routing handled on the layer 3 switch), what is the best way to route WLANs to VLANs? I have a test WLAN set up with policy and tag both configured and I have wireless access to the management VLAN. Policies only let me add one VLAN per AP.
 
Please help.
Accepted Solution

Rich R
VIP

I don't see anything obviously wrong but you do have a lot of different security features enabled on the AP switch ports so I would also try stripping those off to the bare minimum config (with portfast enabled) and then test again.  Then if it works you know one of those features is causing the issue and you can add them back one at a time to work out which it is.  Always best to start with the simplest config and then add features incrementally so you'll know when something causes a problem.  Check the logs for anything which might point you to a problem (logging buffered 200000 debug) for at least 200K log buffer.

You can also use packet capture on the switch port to monitor the traffic there.

marce1000
VIP

 

 - Note that EWC only supports FlexConnect local switching; meaning the VLANs are terminated on trunk-configured ports at the AP connection (port). For further (and/or ongoing) configuration checks (or attempts) on the EWC controller, use the CLI command show tech wireless and feed the output into:
   Wireless Config Analyzer

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

So some questions with flex connect…just trying to understand this conceptually. 
 
- Does the EWC itself handle VLAN routing between WLANs instead of it going back to the switch?
- Can the VLANs on the EWC match the VLANs on the switch or will that conflict?
- Will traffic between a WLAN FlexConnect VLAN and a wired VLAN on the 9200 essentially be on the same broadcast domain?
- Can the 9200 still handle the DHCP, ACLs, etc. instead of the AP?
- How does the traffic actually route from a wireless client on one VLAN back to the switch and then to a wireless client on another VLAN if the 9200 handles the routing? In other words, how does FlexConnect work differently than the 2504 or a 9800 WLC with standard trunk ports in terms of the traffic?
 
Sorry for all the questions, just trying to understand flex connect better. 

 

 - I would like you to review these documents (documentation):
   https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/Flex_7500_DG.html
   https://www.cisco.com/c/en/us/products/collateral/wireless/embedded-wireless-controller-catalyst-access-points/white-paper-c11-743398.html

 M.

OK, I reviewed those documents and I think I understand the concepts. I followed the configuration guide for the Catalyst access points. I have the flex profile created and assigned. All the VLANs that I need trunked to the switch are contained in the flex profile. Now my struggle point is assigning particular VLANs in the flex profile to particular WLANs. What am I missing? Here is the config:


Sat Dec 02 2023 18:51:17 GMT-0600 (Central Standard Time)
===================================================================================
#sh run
Building configuration...
Current configuration : 11120 bytes
!
! Last configuration change at 00:03:31 UTC Sun Nov 7 2021
!
version 16.12
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service call-home
no platform punt-keepalive disable-kernel-core
no platform punt-keepalive settings
platform console serial
!
hostname WLAN_Controller
!
boot-start-marker
boot-end-marker
!
!
enable secret 9 
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
!
aaa session-id common
no fips authorization-key
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
!
!
!
ip name-server 208.67.222.222 208.67.220.220
login on-success log
!
!
!
!
!
!
flow exporter default-flow-exporter
destination local wlc
!
!
flow monitor default-flow-monitor
exporter default-flow-exporter
record wireless avc basic
!
!
access-session mac-move deny
password encryption aes
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-3395605568
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3395605568
revocation-check none
rsakeypair TP-self-signed-3395605568
!
!
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
quit
crypto pki certificate chain TP-self-signed-3395605568
certificate self-signed 01
quit
!
service-template webauth-global-inactive
inactivity-timer 3600
service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
linksec policy must-secure
service-template DEFAULT_LINKSEC_POLICY_SHOULD_SECURE
linksec policy should-secure
service-template DEFAULT_CRITICAL_VOICE_TEMPLATE
voice vlan
service-template DEFAULT_CRITICAL_DATA_TEMPLATE
memory free low-watermark processor 33020
!
license udi pid C9800-AP sn 
device classifier
username ------ privilege 15 secret 9 
!
redundancy
mode sso
!
!
!
!
!
!
!
interface GigabitEthernet0
description Management Interface
mac-address 0000.5e00.0101
ip dhcp client client-id GigabitEthernet0
ip dhcp client broadcast-flag clear
ip address 192.168.10.30 255.255.255.0
no negotiation auto
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint CISCO_IDEVID_SUDI
ip http client source-interface GigabitEthernet0
ip forward-protocol nd
ip tftp blocksize 8192
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 250
ip dns server
!
!
!
!
!
!
control-plane
!
banner exec ^C
########################################################################################################
# #
# Welcome to the Cisco Catalyst 9800-AP Embedded Wireless Controller command line interface. #
# #
# Please see command reference guide for the complete list of supported commands for this release: #
# https://www.cisco.com/c/en/us/td/docs/wireless/embedded_wireless_controller_configuration_guide.html #
# #
########################################################################################################
^C
banner login ^CWireless LAN Controller^C
!
line con 0
exec-timeout 0 0
stopbits 1
line vty 0
length 0
transport input ssh
line vty 1 4
transport input ssh
line vty 5 15
transport input ssh
!
ntp server 0.ciscome.pool.ntp.org
ntp server 1.ciscome.pool.ntp.org
ntp server 2.ciscome.pool.ntp.org
!
!
!
!
!
wireless aaa policy default-aaa-policy
wireless cts-sxp profile default-sxp-profile
no wireless ipv6 ra wired
wireless management interface GigabitEthernet0
wireless profile airtime-fairness default-atf-policy 0
wireless profile flex default-flex-profile
description "default flex profile"
native-vlan-id 10
vlan-name Audio
vlan-id 100
vlan-name Users
vlan-id 40
vlan-name Video
vlan-id 80
vlan-name Voice
vlan-id 60
vlan-name Guests
vlan-id 50
vlan-name Security
vlan-id 70
wireless profile image-download default
description "default image download profile"
wireless profile mesh default-mesh-profile
description "default mesh profile"
wireless profile policy default-policy-profile
no central association
no central dhcp
no central switching
description "default policy profile"
http-tlv-caching
ipv4 flow monitor default-flow-monitor input
ipv4 flow monitor default-flow-monitor output
vlan 10
no shutdown
wireless tag site default-site-tag
description "default site tag"
no local-site
wireless tag policy default-policy-tag
description "default policy-tag"
wlan Cisco10 policy default-policy-profile
wireless tag rf default-rf-tag
description "default RF tag"
wireless fabric control-plane default-control-plane
wlan Cisco10 10 Cisco10
security wpa psk set-key ascii 8 QgIeHMYGJBIbJaUKDQ]\JShgTdeK_VAAB
no security wpa akm dot1x
security wpa akm psk
no shutdown
ap dot11 24ghz rf-profile Low_Client_Density_rf_24gh
coverage data rssi threshold -90
coverage level 2
coverage voice rssi threshold -90
description "pre configured Low Client Density rfprofile for 2.4gh radio"
high-density rx-sop threshold low
tx-power v1 threshold -65
no shutdown
ap dot11 24ghz rf-profile High_Client_Density_rf_24gh
description "pre configured High Client Density rfprofile for 2.4gh radio"
high-density rx-sop threshold medium
rate RATE_11M disable
rate RATE_12M mandatory
rate RATE_1M disable
rate RATE_2M disable
rate RATE_5_5M disable
rate RATE_6M disable
tx-power min 7
no shutdown
ap dot11 24ghz rf-profile Typical_Client_Density_rf_24gh
description "pre configured Typical Client Density rfprofile for 2.4gh radio"
rate RATE_11M disable
rate RATE_12M mandatory
rate RATE_1M disable
rate RATE_2M disable
rate RATE_5_5M disable
rate RATE_6M disable
no shutdown
ap dot11 5ghz rf-profile Low_Client_Density_rf_5gh
coverage data rssi threshold -90
coverage level 2
coverage voice rssi threshold -90
description "pre configured Low Client Density rfprofile for 5gh radio"
high-density rx-sop threshold low
tx-power v1 threshold -60
no shutdown
ap dot11 5ghz rf-profile High_Client_Density_rf_5gh
description "pre configured High Client Density rfprofile for 5gh radio"
high-density rx-sop threshold medium
rate RATE_6M disable
rate RATE_9M disable
tx-power min 7
tx-power v1 threshold -65
no shutdown
ap dot11 5ghz rf-profile Typical_Client_Density_rf_5gh
description "pre configured Typical Density rfprofile for 5gh radio"
no shutdown
ap country US
ap tag-source-priority 2 source filter
ap tag-source-priority 3 source ap
ap location name Default_Location
description Default_Location
ap profile default-ap-profile
description "default ap profile"
mgmtuser username ——- password 8 
end

 

Here is where you would map the WLAN to the VLAN in the GUI:

 

-Scott
*** Please rate helpful posts ***
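The screenshot of that GUI mapping did not survive, so below is an added Python check (written for this edit, not from the thread and not Cisco's Wireless Config Analyzer) that walks the same chain the GUI sets up, policy tag to policy profile to VLAN, over a constructed cut-down copy of the config posted above, and flags a WLAN that lands on the flex profile's native (management) VLAN. The corrected layout with a per-VLAN Users-policy profile is an assumption for illustration, not something the thread confirms.

```python
import re

# Constructed sample (a reduced version of the dump above, not the full config): WLAN Cisco10
# -> default-policy-profile -> vlan 10, and 10 is also the flex profile's native VLAN.
FLEX = """\
wireless profile flex default-flex-profile
native-vlan-id 10
vlan-name Users
vlan-id 40
"""
BEFORE = FLEX + """\
wireless profile policy default-policy-profile
vlan 10
wireless tag policy default-policy-tag
wlan Cisco10 policy default-policy-profile
wlan Cisco10 10 Cisco10
"""
# Assumed fix (profile name is hypothetical): one policy profile per client VLAN, and the
# policy tag pointing the WLAN at that profile instead of the default one.
AFTER = FLEX + """\
wireless profile policy Users-policy
vlan 40
wireless tag policy default-policy-tag
wlan Cisco10 policy Users-policy
wlan Cisco10 10 Cisco10
"""

def parse(config):
    # Collect flex profiles, policy profiles and policy tags; works on flattened dumps too.
    flex, policy, tags, block = {}, {}, {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"wireless profile (flex|policy) (\S+)$", line):
            block = (flex if m[1] == "flex" else policy).setdefault(m[2], {})
        elif m := re.match(r"wireless tag policy (\S+)$", line):
            block = tags.setdefault(m[1], {})
        elif (m := re.match(r"wlan (\S+) policy (\S+)$", line)) and block is not None:
            block[m[1]] = m[2]                  # WLAN -> policy profile, inside a policy tag
        elif re.match(r"(wireless |wlan |ap |!|end)", line) or block is None:
            block = None                        # some other top-level block: skip its lines
        elif m := re.match(r"(native-vlan-id|vlan-id|vlan) (\d+)$", line):
            block.setdefault(m[1], []).append(int(m[2]))   # numeric VLAN ids only
    return flex, policy, tags

def audit(config, flex_name="default-flex-profile"):
    # One finding per WLAN whose policy-tag chain lands clients somewhere unexpected.
    flex, policy, tags = parse(config)
    fp = flex.get(flex_name, {})
    native, allowed = fp.get("native-vlan-id", [None])[0], fp.get("vlan-id", [])
    findings = []
    for tag, wlans in tags.items():
        for wlan, pname in wlans.items():
            vlan = policy.get(pname, {}).get("vlan", [None])[0]
            if pname not in policy:
                findings.append(f"{tag}: {wlan} -> policy profile {pname} is not defined")
            elif vlan is not None and vlan == native:
                findings.append(f"{tag}: {wlan} -> {pname} lands on native/management VLAN {vlan}")
            elif vlan not in allowed:
                findings.append(f"{tag}: {wlan} -> {pname} uses VLAN {vlan}, absent from flex profile {flex_name}")
    return findings
```

Running audit(BEFORE) reports the Cisco10 WLAN landing on VLAN 10, which is the "wireless access to the management VLAN" symptom from the first post; audit(AFTER) returns an empty list.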

Ok Scott, so if I am understanding correctly, you create a wlan profile for each ssid, then a policy profile for each vlan, then a policy tag that maps each wlan profile to each of those policy profiles. I would not need a flex profile in that case then right?

 

 >... I would not need a flex profile in that case then right?
 - (Also) use the WirelessAnalyzer procedure as outlined in my first reply; it's easy and will keep you on track in order to finalize a correct configuration.

 M.




Ok marce1000, everything seems to be up and running and working. Still doing some testing. I am however getting one warning using the analyzer. 

10025
WCAE: Parsing: missing configuration file section(s), checks may not be executed properly:VLAN Config,Interface Config,RF Profile Conversion,Policy Profile
Action: One or more configuration sections were not found, this is indication of corrupted file, or very old software version. If the file is believed to be correct, please contact wcae@cisco.com, otherwise try to capture it again: https://developer.cisco.com/docs/wireless-troubleshooting-tools/#!how-to-colletct-sh-run-config
 

What does this mean?

 

 >...What does this mean?
 - Possibly a problem within WirelessAnalyzer; or a corrupted output from 'show tech wireless'; output not completely provided (e.g.)

 M.




OK I guess I can just ignore that error. I’m only experiencing one problem now. I currently only have two access points connected. Devices are having a hard time connecting or staying connected. Sometimes I get a connection failure. Sometimes connect with no ip. Sometimes I get dropped. When I looked at the EWC, some devices show connected to one access point, and some devices show connected to the other access point. If I disconnect the secondary access point, and leave the master running, it works flawlessly. Both access points are connected to trunk ports, configured the same. Any ideas?

 

 - Normally you should only have one active EWC controller on the network; in that case client behavior can further be observed according to https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/217738-monitor-catalyst-9800-kpis-key-performa.html#anc5 (e.g.)

   Persistent client problems can be analyzed with debugging: https://logadvisor.cisco.com/logadvisor/wireless/9800/9800ClientConnectivity
   RadioActive Traces (the obtained client debug(s)) can be analyzed with https://cway.cisco.com/tools/WirelessDebugAnalyzer/

 M.




OK, the issue with the clients is that they are failing to obtain an IP address. Again, it works sometimes and sometimes it doesn't. I'm getting the same problem whenever I use one access point only now. It seems like there's something going on with allowing the clients to communicate with DHCP. I did notice that the day zero configuration set up a default route on the EWC to point to the GbE interface with a 250 after it. Is it possible that that is going straight to VLAN 250 on my switch, which is the WAN access VLAN, and bypassing the DHCP server?

 

 - Best solution is to have the central DHCP server available on VLAN 250, either direct or through a DHCP relay configured on the VLAN 250 SVI; same for other WLAN/VLAN pairs (so DHCP is external w.r.t. EWC)

 M.




But why would it work sometimes and not others?


The current setup on the switch is: VLAN 250 has the edge router, and the switch has an access port to the edge router. The default route on the switch goes to the edge router. The switch has an SVI in the 250 VLAN. Three other VLANs are defined and have an SVI: VLAN 40 for users, VLAN 50 for guests and VLAN 10 for management. DHCP servers are set up on VLANs 10, 40, and 50. The lease time is seven days and there are 100 addresses available in each. The primary access point that is the master for the EWC is on a trunk port with a native VLAN of 10 and VLANs 40 and 50 tagged.

 

Something has to be missing on the wireless controller side of things, because wired clients connected to the same switch on access ports in each VLAN work fine and remain
