05-02-2024 05:37 AM
Hello All,
We are in the process of migrating from old Cisco APs and WLCs to new 9800-L WLCs and 9136I APs.
The DHCP server for all the VLANs, SSIDs etc. is located in the core switch.
Now, the issue is that when the APs and WLCs are in the same subnet, the CAPWAP tunnel is successfully formed between the APs and WLCs. But when the APs and WLCs are in different VLANs, the CAPWAP tunnel is not formed.
- There is connectivity between the VLANs.
- Option 43 is configured in the DHCP scope of the APs' VLAN.
- When the AP boots, it keeps getting "discard CAPWAP", "IPv6 loop timeout" etc.
It would be great if anyone could point me in the right direction, thanks.
05-02-2024 07:15 AM
>...No, I was not able to ping the controller from the AP.
- That should work first; make sure no firewalls or ACLs are hampering this. Also, are you using IPv6?
For flexibility you may test further with a laptop in the same VLAN as the 'remote AP', where you might have additional testing tools such as traceroute (e.g.).
M.
05-02-2024 05:55 AM
No, I was not able to ping the controller from the AP.
But I can ping the gateway of the WLC, which is in the core switch, and vice versa: I can ping the AP from the core switch using the management VLAN interface of the WLC and the management VLAN interface of the AP itself. But I am unable to ping the AP from the WLC back to back.
05-03-2024 01:13 AM
There was an ACL in the test switch, thanks.
05-02-2024 06:10 AM
But, when the AP's and WLC's are in different vlan the CAPWAP is not formed.
Can you provide more information: WLC to AP (what devices are in the path?)
Do you have any firewalls? Does the switch have any ACL?
Can you post the complete boot log from the AP when it is failing?
Does the AP get an IP address from DHCP?
Are you able to ping from the VLAN SVI to the WLC controller IP using that VLAN as the source? (Same from the other side to the WLC?)
05-02-2024 06:39 AM
Okay, so there are no firewalls in between.
The AP is directly connected to the test core switch, and the WLC is also connected directly to the test core switch (trunk mode).
Yes, there is an ACL, but it is not tagged to the physical interface.
The AP gets its IP from DHCP successfully; the DHCP server is in the test core switch and, again, option 43 is configured with a hex value.
I am able to ping the WLC controller IP from all the VLAN SVIs on the core, but cannot ping from the AP itself to the WLC.
Vice versa, I can ping all the VLAN SVIs on the core from the WLC, but cannot ping the AP from the WLC.
Note: once the AP is in the same VLAN as the WLC, the CAPWAP tunnel is successfully formed.
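The posts above say option 43 is configured "with a hex value" but never show how that value is built, and a wrong length byte or a mistyped address in it is a common reason an AP discovers nothing across VLANs. The following is an added example, not code from the thread: it encodes and decodes the Cisco AP vendor-specific sub-option (type 0xF1, one length byte, then 4 bytes per controller) and prints the matching IOS/IOS-XE DHCP pool line. The controller address 10.1.169.1 is an assumption used only for illustration; the thread never states the WLC's address.

```python
import ipaddress

# DHCP option 43 for Cisco lightweight APs carries a vendor-specific
# sub-option: type 0xF1 (241), a length byte equal to 4 * number of
# controllers, then each controller's IPv4 address in network byte order.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Return the raw option 43 bytes listing the given WLC IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    payload = b"".join(a.packed for a in addrs)
    if len(payload) > 255:
        raise ValueError("sub-option length must fit in one byte")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def decode_option43(data):
    """Walk the TLV list in option 43 and return the controller addresses.

    Sub-options the AP does not use are skipped, but a truncated TLV or a
    controller list whose length is not a multiple of 4 is rejected, since
    that is exactly the kind of hex typo that makes an AP fail discovery.
    """
    controllers = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated sub-option header")
        subopt, length = data[i], data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated sub-option body")
        if subopt == CISCO_WLC_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("controller list length is not a multiple of 4")
            for j in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(body[j:j + 4])))
        i += 2 + length
    return controllers


def option43_is_valid(data):
    """True if the option parses and names at least one controller."""
    try:
        return len(decode_option43(data)) > 0
    except ValueError:
        return False


def ios_dhcp_pool_option43(controllers):
    """The 'option 43 hex ...' line for an IOS/IOS-XE DHCP pool (dotted hex groups)."""
    h = encode_option43(controllers).hex()
    return "option 43 hex " + ".".join(h[i:i + 4] for i in range(0, len(h), 4))


if __name__ == "__main__":
    # Assumed controller address, used here only for illustration.
    print(ios_dhcp_pool_option43(["10.1.169.1"]))          # option 43 hex f104.0a01.a901
    print(decode_option43(bytes.fromhex("f1040a01a901")))   # ['10.1.169.1']
```

To check a scope that is already deployed, take the hex string from the pool's `option 43 hex` line, strip the dots, and run it through `decode_option43`; if the result is not exactly the controller management addresses the APs should join, the AP will be ignoring the option, and the same check catches a length byte that no longer matches after a controller was added or removed.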
05-02-2024 06:40 AM
@balaji.bandi The below ACL is configured, and the AP VLAN is 10.1.166.0/24. This ACL is not tagged to the physical interface, which I believe means it won't have any effect.
! config acl apply GUEST_Internet-Access
! config acl create GUEST_Internet-Access
! config acl rule add GUEST_Internet-Access 1
! config acl rule action GUEST_Internet-Access 1 permit
! config acl rule destination address GUEST_Internet-Access 1 192.168.99.11 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 1 0 65535
! config acl rule destination port range GUEST_Internet-Access 1 0 65535
! config acl rule add GUEST_Internet-Access 2
! config acl rule action GUEST_Internet-Access 2 permit
! config acl rule destination address GUEST_Internet-Access 2 10.1.169.1 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 2 0 65535
! config acl rule destination port range GUEST_Internet-Access 2 0 65535
! config acl rule add GUEST_Internet-Access 3
! config acl rule action GUEST_Internet-Access 3 permit
! config acl rule destination address GUEST_Internet-Access 3 10.26.1.100 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 3 0 65535
! config acl rule destination port range GUEST_Internet-Access 3 0 65535
! config acl rule add GUEST_Internet-Access 4
! config acl rule action GUEST_Internet-Access 4 permit
! config acl rule destination address GUEST_Internet-Access 4 10.26.1.251 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 4 0 65535
! config acl rule destination port range GUEST_Internet-Access 4 0 65535
! config acl rule add GUEST_Internet-Access 5
! config acl rule action GUEST_Internet-Access 5 permit
! config acl rule direction GUEST_Internet-Access 5 in
! config acl rule destination address GUEST_Internet-Access 5 10.1.169.1 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 5 0 65535
! config acl rule destination port range GUEST_Internet-Access 5 0 65535
! config acl rule add GUEST_Internet-Access 6
! config acl rule action GUEST_Internet-Access 6 permit
! config acl rule destination address GUEST_Internet-Access 6 10.26.1.200 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 6 0 65535
! config acl rule destination port range GUEST_Internet-Access 6 0 65535
! config acl rule add GUEST_Internet-Access 7
! config acl rule direction GUEST_Internet-Access 7 in
! config acl rule destination address GUEST_Internet-Access 7 192.168.0.0 255.255.0.0
! config acl rule source port range GUEST_Internet-Access 7 0 65535
! config acl rule destination port range GUEST_Internet-Access 7 0 65535
! config acl rule add GUEST_Internet-Access 8
! config acl rule direction GUEST_Internet-Access 8 in
! config acl rule destination address GUEST_Internet-Access 8 172.16.0.0 255.240.0.0
! config acl rule source port range GUEST_Internet-Access 8 0 65535
! config acl rule destination port range GUEST_Internet-Access 8 0 65535
! config acl rule add GUEST_Internet-Access 9
! config acl rule direction GUEST_Internet-Access 9 in
! config acl rule destination address GUEST_Internet-Access 9 10.0.0.0 255.0.0.0
! config acl rule source port range GUEST_Internet-Access 9 0 65535
! config acl rule destination port range GUEST_Internet-Access 9 0 65535
! config acl rule add GUEST_Internet-Access 10
! config acl rule action GUEST_Internet-Access 10 permit
! config acl rule source port range GUEST_Internet-Access 10 0 65535
! config acl rule destination port range GUEST_Internet-Access 10 0 65535
! config acl rule add GUEST_Internet-Access 65
! config acl rule source port range GUEST_Internet-Access 65 0 65535
! config acl rule destination port range GUEST_Internet-Access 65 0 65535
ip access-list extended GUEST_Internet-Access
1 permit ip any host 192.168.99.11
2 permit ip any host 10.1.169.1
3 permit ip any host 10.26.1.100
4 permit ip any host 10.26.1.251
5 permit ip any host 10.1.169.1
6 permit ip any host 10.26.1.200
7 deny ip any 192.168.0.0 0.0.255.255
8 deny ip any 172.16.0.0 0.15.255.255
9 deny ip any 10.0.0.0 0.255.255.255
10 permit ip any any
65 deny ip any any
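Whether the ACL above blocks CAPWAP depends only on which entry an AP-to-WLC packet matches first, and that is easy to lose track of when the permit list is a handful of hosts followed by a deny of all of 10.0.0.0/8. As an added example, not code from the thread, the following Python parses the IOS extended ACL as posted and evaluates it for a source and destination with first-match semantics and the implicit deny at the end. The AP address 10.1.166.10 (from the 10.1.166.0/24 AP VLAN) and the two candidate WLC addresses 10.1.169.1 and 10.1.170.5 are assumptions for illustration; the thread never gives the controller's IP.

```python
import ipaddress

# The extended ACL posted in the thread, in IOS/IOS-XE syntax.
GUEST_ACL = """\
ip access-list extended GUEST_Internet-Access
 1 permit ip any host 192.168.99.11
 2 permit ip any host 10.1.169.1
 3 permit ip any host 10.26.1.100
 4 permit ip any host 10.26.1.251
 5 permit ip any host 10.1.169.1
 6 permit ip any host 10.26.1.200
 7 deny ip any 192.168.0.0 0.0.255.255
 8 deny ip any 172.16.0.0 0.15.255.255
 9 deny ip any 10.0.0.0 0.255.255.255
 10 permit ip any any
 65 deny ip any any
"""


def _parse_match(parts, i):
    """Parse one address spec ('any', 'host A', or 'A WILDCARD') at parts[i].

    Returns ((network, wildcard) as ints, index of the next token).
    """
    if parts[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if parts[i] == "host":
        return (int(ipaddress.IPv4Address(parts[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(parts[i]))
    wildcard = int(ipaddress.IPv4Address(parts[i + 1]))
    return (net, wildcard), i + 2


def parse_extended_acl(text):
    """Return (name, [(seq, action, src_match, dst_match), ...]) for 'ip' ACEs."""
    name, aces = None, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[:3] == ["ip", "access-list", "extended"]:
            name = parts[3]
            continue
        seq, action, proto = int(parts[0]), parts[1], parts[2]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        src, i = _parse_match(parts, 3)
        dst, _ = _parse_match(parts, i)
        aces.append((seq, action, src, dst))
    return name, aces


def _matches(addr, match):
    # IOS wildcard semantics: bits set in the wildcard are "don't care".
    net, wildcard = match
    return (int(ipaddress.IPv4Address(addr)) | wildcard) == (net | wildcard)


def evaluate(aces, src, dst):
    """First-match evaluation; returns (action, seq). seq None = implicit deny."""
    for seq, action, s, d in aces:
        if _matches(src, s) and _matches(dst, d):
            return action, seq
    return "deny", None


if __name__ == "__main__":
    _, aces = parse_extended_acl(GUEST_ACL)
    # Assumed addresses for illustration: an AP in the 10.1.166.0/24 AP VLAN
    # and two candidate WLC management addresses. CAPWAP is UDP 5246/5247,
    # but these ACEs match on 'ip', so the ports do not change the result.
    ap = "10.1.166.10"
    for wlc in ("10.1.169.1", "10.1.170.5"):
        print(ap, "->", wlc, evaluate(aces, ap, wlc))   # ('permit', 2) then ('deny', 9)
```

The point the evaluator makes is that an AP reaching a controller at 10.1.169.1 is permitted by entry 2, while a controller anywhere else in 10.0.0.0/8 is caught by entry 9 before the `permit ip any any`, so the same ACL would silently break CAPWAP for a WLC on a different 10.x subnet if it were applied inbound on the AP VLAN SVI. Which interfaces an ACL is actually bound to is shown by `show ip interface <interface>` ("Inbound access list is ..."), which is the quicker way to confirm the "not tagged to the physical interface" claim than reading the running config.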
05-02-2024 04:04 PM
What firmware is the controller on?
Console into the AP and boot it. Post the entire boot-up process of the AP.
05-03-2024 10:47 AM
OK, so the core SW is not bridging the VLANs. That is a function of the core router.
My N9K-9324 is the core router linked to the C9K-9200 core switch, which links to 1) the C9800-40 and 2) all other distribution switches, which host all the APs.