Re: WLC 9800 design with vlan issue

teddyhsu1011 · ‎06-28-2023

Hi

My company have new 9800-CL and C9115AXI wireless AP.

My toplogy is like that The WLC is Install on vmware vsphere 6.7 u3, the VM have 3 interfaces, Gi 1 is management port, using access mode to vlan 10, Gi 2 is service port, using trunk mode to vlan 11,70,90. Gi 3 is HA sync port ,using access mode to vlan 600.

The ESXi is using VDS to connect VM and outside switch , the uplink is lag and trunk port to phyical Cisco Switch.

The AP is register and connect WLC by using VLAN11, use same subnet /24.

I have 2 SSID, One is OA using 802.1x and flexconnect to access VLAN 90, other one is guest using Central Switching and web auth to access VLAN 70.

Now the OA SSID is working,but the guest SSID isn't.

I can not get dhcp ip and web portal by guest SSID.

I connect phyical cable to VLAN 70, I can get DHCP IP address by 3rd party DHCP server and get internet access.

How to trubleshooting the root cause?

Kasun Bandara · ‎06-28-2023

check DHCP settings in Guest SSID interface. point it to correct DHCP. is OA using DHCP?

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

ammahend · ‎06-28-2023

you can start with capture on 9800 to see dhcp packet exchange, will give you an idea whats failing, under policy profile central dhcp is checked for guest ?

-hope this helps-

marce1000 · ‎06-28-2023

- You can debug and analyze guest access with these tools : https://logadvisor.cisco.com/logadvisor/wireless/9800/9800CWA
Also have a checkup of the 9800-CL configuration with the CLI command show tech wireless ; feed the output into :
https://cway.cisco.com/wireless-config-analyzer/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

teddyhsu1011 · ‎06-29-2023

Hi all.

I do some test.

1. Capture packet from guest pc, The guest SSID is connected but it only show send 0.0.0.0 to 255.255.255.255 dhcp request, no any dhcp reponse.

2. I do capture packet from wlc only Gi2. The WLC have 2 SVI , VLAN 11 is 172.16.11.251 and VLAN 70 is 172.16.70.251. the result show that traffic is tagged by right vlan tag but only VLAN 11 SVI response, the VLAN 70 only get in-bound traffic, no respones.

Any advice?

BR

JPavonM · ‎06-29-2023

Check policies if Guest VLAN70 is behind a firewall.

Check whether VLAN70 SVI has a dhcp helper address configured on the switch/router side.

Check whether wireless profile policy for Guest is properly configured to that VLAN, and the Flex profile maps the correct vlan id.

You can paste the configuration from them here so we can help you.

teddyhsu1011 · ‎06-29-2023

Hi

the configuration section is like below

Interface and VLAN

vlan 11,70,92,101

interface GigabitEthernet1
 no switchport
 ip address 192.168.10.191 255.255.255.0
 negotiation auto
 no mop enabled
 no mop sysid
 service-policy output AutoQos-4.0-wlan-Port-Output-Policy
!
interface GigabitEthernet2
 switchport trunk allowed vlan 10,11,70
 switchport mode trunk
 negotiation auto
 no mop enabled
 no mop sysid
 service-policy output AutoQos-4.0-wlan-Port-Output-Policy
!
interface Vlan1
 no ip address
 no mop enabled
 no mop sysid
!
interface Vlan11
 ip address 172.16.11.191 255.255.255.0
 no mop enabled
 no mop sysid
!
interface Vlan70
 ip address 172.16.70.251 255.255.255.0
 no mop enabled
 no mop sysid
!

The flex profile

wireless profile flex Flex-Profile
 no arp-caching
 ip http client proxy 0.0.0.0 0
 native-vlan-id 11
 vlan-name VLAN0011
  vlan-id 11
 vlan-name VLAN0070
  vlan-id 70
 vlan-name VLAN0090
  vlan-id 90

The wireless tag and policy

parameter-map type webauth global
 type webauth
 virtual-ip ipv4 172.16.70.20
 trustpoint server.pfx
!
parameter-map type webauth guest-web
 type webauth
 max-http-conns 10
 cisco-logo-disable
!
!
wireless profile policy Guest-Policy
 aaa-override
 aaa-policy CWA-AAA-Policy
 autoqos mode guest
 no central dhcp
 description Guest-Policy
 no flex umbrella dhcp-dns-option
 flex vlan-central-switching
 ipv4 dhcp opt82
 ipv4 dhcp opt82 format ssid
 ipv4 dhcp server 172.16.70.1
 service-policy input AutoQos-4.0-wlan-GT-SSID-Input-Policy
 service-policy output AutoQos-4.0-wlan-GT-SSID-Output-Policy
 vlan VLAN0070
 no shutdown

wireless tag policy Tag-Lab
 wlan Lab policy Guest-Policy
 wlan Lab-WLAN policy WLAN
 wlan Lab-Employee policy WLAN
 
wlan Lab 4 Lab-guest
 radio policy dot11 24ghz
 radio policy dot11 5ghz
 no security ft adaptive
 security wpa psk set-key ascii xxx
 no security wpa akm dot1x
 security wpa akm psk
 security dot1x authentication-list default
 security web-auth parameter-map guest-web
 no shutdown

marce1000 · ‎06-29-2023

- Have a checkup of the 9800-CL configuration with the CLI command show tech wireless ; feed the output into :
https://cway.cisco.com/wireless-config-analyzer/

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

teddyhsu1011 · ‎06-29-2023

Hi

It show 3 errors ans 26 warnings. Does the SVI error cause the issue?

230059
mDNS: WLAN is using mDNS gateway functionality, but not corresponding SVI Interface detected. WLANs/Policies:
Action: Add: Define a Interface vlan (SVI) for all vlans where mDNS gateway functionality is required. This check may not apply on AAA override scenarios
250018
DHCP: Policy profile is using DHCP relay functionality, but not corresponding SVI Interface detected. Policies:
Action: Add: Define a Interface vlan (SVI) for all vlans where DHCP relay feature is set on the policy profile. This check may not apply on AAA override scenarios
10028
WCAE: Critical error while running checks against file, section Client Audit - Apple/RF profiles,Client Audit - Vocera/RF profiles
Action: A group of checks did not execute properly. If the file is believed to be correct, please contact wcae@cisco.com

marce1000 · ‎06-29-2023

- Not sure but normally at least all the errors from WirelessAnalyzer should be corrected ; the last one however seems an internal issue and can be ignored for the time being , (warnings should be reviewed and check potential impact on your issue)

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Rich R · ‎07-09-2023

Why have you defined vlan 70 in your flex profile when 70 is centrally switched?
You've configured "no central DHCP" but you want central DHCP and switching so need to change that to central DHCP.
Is the DHCP server on VLAN 70 - if so no DHCP relay required, if the server is not on VLAN 70 then you need to configure DHCP relay.
Are you using mdns gateway? If not then no SVI is necessary.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

teddyhsu1011 · ‎07-10-2023

Hi

My WLC and AP are working in flexconnect mode.

The SSID for OA is offloading to near edge switch with VLAN 90 for best afford. The SSID for guest is central switch to WLC, the clients should use WLC portal to login and central offloading from WLC to VLAN70 and rate-limit to 20Mbps per devices, working like local mode.

What setting should I changing in the guest policy?

BR

Rich R · ‎07-10-2023

Like I already said above - that means you need central DHCP!

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390