Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
1
Replies

Wireless Clients Get DHCP from WLC but Cannot Reach Internet – Routing

phuocntlk135
Level 1
Level 1

‎05-14-2025 09:00 PM

  

Hi Community,

I’m working on a deployment where the WLC (Wireless LAN Controller) is configured to provide internal DHCP for wireless clients connecting to specific SSIDs. The clients are successfully associating with the SSID and receiving IP addresses from the WLC’s DHCP scope.

The network topology includes a Layer 3 switch that handles inter-VLAN routing and connects to a firewall for internet access.

Note: I use WLC 9800-Cl deploy on VMware Workstation. Use my own laptop ro run WLC

🧩 Current Behavior:

  • Wired (LAN) Clients:

    • Can reach the internet when assigned static IPs.

    • DHCP is not working for LAN clients (no IP assigned).

  • Wireless Clients (connected to WLC SSID):

    • Successfully associate with the SSID.

    • Receive IP addresses from WLC’s internal DHCP server.

    • Cannot reach the internet.

Setup Overview:

  • WLC is connected to the Layer 3 switch (trunk or access port).

  • WLC is configured with internal DHCP scopes for wireless VLANs.

  • Layer 3 switch has SVI interfaces for all VLANs (including VLAN for wireless clients).

  • Default route on Layer 3 switch points to the firewall.

  • Firewall provides NAT and internet access.

2426.png

Questions:

  1. Why are wireless clients able to get DHCP addresses but cannot access the internet?

  2. Do I need to add any static routes or special configuration on the WLC or Layer 3 switch to ensure return traffic from wireless clients gets routed correctly?

  3. Should the VLAN SVI used by wireless clients (e.g., VLAN 20 or VLAN 30) be created on the WLC, the L3 switch, or both?

  4. If wireless traffic is locally switched, is the WLC expected to route traffic to the next hop (L3 switch or firewall), or is bridging enough?

  5. Could missing trunk configuration or native VLAN mismatches between WLC and switch cause this issue?

 

Labels:
0 Helpful
1 Reply 1

Rich R
VIP
VIP

‎05-18-2025 02:29 PM

  1. Why are wireless clients able to get DHCP addresses but cannot access the internet?We can't tell you why your network design doesn't work - you'll need to troubleshoot systematically and methodically.

  2. Do I need to add any static routes or special configuration on the WLC or Layer 3 switch to ensure return traffic from wireless clients gets routed correctly?
    You probably do but same answer as 1.

  3. Should the VLAN SVI used by wireless clients (e.g., VLAN 20 or VLAN 30) be created on the WLC, the L3 switch, or both?
    Only on L3 switch.  Best Practice (see link below) is that SVI should NOT be configured on WLC except where required for specific features.

  4. If wireless traffic is locally switched, is the WLC expected to route traffic to the next hop (L3 switch or firewall), or is bridging enough?
    You need to understand the Cisco terminology.  If the AP is in Local Mode then the client traffic is Centrally Switched by the WLC (tunnelled from AP to WLC over CAPWAP). Without SVI on WLC (Best Practice) it is pure layer 2 (bridged) - the layer 3 functions are provided by switch/router/firewall.  If the AP is in Flexconnect Mode then the client traffic can be Locally Switched by the AP, which means the AP drops the traffic into a specified VLAN directly on the AP trunk port. (Flex AP can also support Centrally Switched WLANs).  Locally switched traffic is not tunnelled back to the WLC at all.  This is pure layer 2 - the AP simply bridges the traffic to the VLAN on the switch.

  5. Could missing trunk configuration or native VLAN mismatches between WLC and switch cause this issue?
    Of course it could - that's absolute basics which you must get right!

Note that 9800-CL on VMware Workstation is not supported.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/release-notes/rn-17-12-9800.html#Cisco_Concept.dita_c9f5f62c-3813-4ab2-9365-71d583c3a462
It is possible to make it work but requires some tweaks - you'll have to search for the details.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card