WLC 9800-L and AP9136I in different VLANs

m-talha-98
Level 1

Hello All,

We are in the process of migrating from old Cisco APs and WLCs to new WLCs (9800-L) and APs (9136I).

The DHCP server for all the VLANs, SSIDs, etc. is located in the core switch.

Now, the issue is that when the APs and WLCs are in the same subnet, the CAPWAP tunnel is successfully formed between the APs and WLCs. But when the APs and WLCs are in different VLANs, the CAPWAP tunnel is not formed.

- Connectivity is there between the VLANs.

- Option 43 is configured in the DHCP of the APs' VLAN.

- When the AP is booted, it keeps getting discard CAPWAP, IPv6 loop timeout, etc.

Would be great if anyone can point me in the right direction, thanks.


marce1000
VIP

- Can a booted AP on the remote VLAN ping the controller?

M.


-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

No, I was not able to ping the controller from the AP.

But I can ping the gateway of the WLC, which is in the core sw, and vice versa I can ping the AP from the core sw with the management VLAN interface of the WLC and the management VLAN interface of the AP itself. But I am unable to ping the AP from the WLC back to back.

 

> ...No, I was not able to ping the controller from the ap.

- That should work first; make sure no firewalls or ACLs are hampering this. Also, are you using IPv6?
  For flexibility you may test further with a laptop in the same VLAN as the 'remote AP', where you might have additional testing tools such as traceroute (e.g.).

 M.




There was an ACL in the test switch, thanks.

balaji.bandi
Hall of Fame

> But, when the AP's and WLC's are in different vlan the CAPWAP is not formed.

Can you provide more information: WLC to AP (what devices are in the path?)

Do you have any firewalls? Does the switch have any ACL?

Can you post the complete boot log from the AP when it is failing?

Does the AP get an IP address from DHCP?

Are you able to ping from the VLAN SVI to the WLC controller IP using that VLAN as source? (Same from the other side to the WLC?)

 

BB


Okay, so there are no firewalls in between.

The AP is directly connected to the test core sw, and the WLC is also connected directly to the test core sw (trunk mode).

Yes, there is an ACL, but it is not tagged with the physical interface.

The AP gets the IP from the DHCP successfully; the DHCP is in the test core sw, and again option 43 is configured with a hex value.

I am able to ping the WLC controller IP from all the VLAN SVIs on the core, but cannot ping from the AP itself to the WLC.

Vice versa, I can ping all the VLAN SVIs on the core from the WLC, but cannot ping the AP from the WLC.

Note: Once the AP is in the same VLAN as the WLC, the CAPWAP tunnel is successfully formed.

m-talha-98
Level 1

@balaji.bandi The ACL below is configured, and the IP of the AP VLAN is 10.1.166.0/24. This ACL is not tagged with the physical interface, which I believe means it won't have any effect.

 

! config acl apply GUEST_Internet-Access
! config acl create GUEST_Internet-Access
! config acl rule add GUEST_Internet-Access 1
! config acl rule action GUEST_Internet-Access 1 permit
! config acl rule destination address GUEST_Internet-Access 1 192.168.99.11 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 1 0 65535
! config acl rule destination port range GUEST_Internet-Access 1 0 65535
! config acl rule add GUEST_Internet-Access 2
! config acl rule action GUEST_Internet-Access 2 permit
! config acl rule destination address GUEST_Internet-Access 2 10.1.169.1 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 2 0 65535
! config acl rule destination port range GUEST_Internet-Access 2 0 65535
! config acl rule add GUEST_Internet-Access 3
! config acl rule action GUEST_Internet-Access 3 permit
! config acl rule destination address GUEST_Internet-Access 3 10.26.1.100 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 3 0 65535
! config acl rule destination port range GUEST_Internet-Access 3 0 65535
! config acl rule add GUEST_Internet-Access 4
! config acl rule action GUEST_Internet-Access 4 permit
! config acl rule destination address GUEST_Internet-Access 4 10.26.1.251 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 4 0 65535
! config acl rule destination port range GUEST_Internet-Access 4 0 65535
! config acl rule add GUEST_Internet-Access 5
! config acl rule action GUEST_Internet-Access 5 permit
! config acl rule direction GUEST_Internet-Access 5 in
! config acl rule destination address GUEST_Internet-Access 5 10.1.169.1 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 5 0 65535
! config acl rule destination port range GUEST_Internet-Access 5 0 65535
! config acl rule add GUEST_Internet-Access 6
! config acl rule action GUEST_Internet-Access 6 permit
! config acl rule destination address GUEST_Internet-Access 6 10.26.1.200 255.255.255.255
! config acl rule source port range GUEST_Internet-Access 6 0 65535
! config acl rule destination port range GUEST_Internet-Access 6 0 65535
! config acl rule add GUEST_Internet-Access 7
! config acl rule direction GUEST_Internet-Access 7 in
! config acl rule destination address GUEST_Internet-Access 7 192.168.0.0 255.255.0.0
! config acl rule source port range GUEST_Internet-Access 7 0 65535
! config acl rule destination port range GUEST_Internet-Access 7 0 65535
! config acl rule add GUEST_Internet-Access 8
! config acl rule direction GUEST_Internet-Access 8 in
! config acl rule destination address GUEST_Internet-Access 8 172.16.0.0 255.240.0.0
! config acl rule source port range GUEST_Internet-Access 8 0 65535
! config acl rule destination port range GUEST_Internet-Access 8 0 65535
! config acl rule add GUEST_Internet-Access 9
! config acl rule direction GUEST_Internet-Access 9 in
! config acl rule destination address GUEST_Internet-Access 9 10.0.0.0 255.0.0.0
! config acl rule source port range GUEST_Internet-Access 9 0 65535
! config acl rule destination port range GUEST_Internet-Access 9 0 65535
! config acl rule add GUEST_Internet-Access 10
! config acl rule action GUEST_Internet-Access 10 permit
! config acl rule source port range GUEST_Internet-Access 10 0 65535
! config acl rule destination port range GUEST_Internet-Access 10 0 65535
! config acl rule add GUEST_Internet-Access 65
! config acl rule source port range GUEST_Internet-Access 65 0 65535
! config acl rule destination port range GUEST_Internet-Access 65 0 65535
ip access-list extended GUEST_Internet-Access
1 permit ip any host 192.168.99.11
2 permit ip any host 10.1.169.1
3 permit ip any host 10.26.1.100
4 permit ip any host 10.26.1.251
5 permit ip any host 10.1.169.1
6 permit ip any host 10.26.1.200
7 deny ip any 192.168.0.0 0.0.255.255
8 deny ip any 172.16.0.0 0.15.255.255
9 deny ip any 10.0.0.0 0.255.255.255
10 permit ip any any
65 deny ip any any
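
Added example (not part of the original thread): a first-match evaluation of the IOS-XE ACL posted above, showing which entry traffic from the AP VLAN 10.1.166.0/24 would hit on its way to a controller elsewhere in 10.0.0.0/8 if this ACL were bound anywhere on the path. The AP and WLC host addresses are constructed placeholders; the thread gives neither, and it does not say which ACL turned out to be the blocker.

```python
import ipaddress

# IOS-XE form of the ACL, copied from the post above.
ACL_TEXT = """\
1 permit ip any host 192.168.99.11
2 permit ip any host 10.1.169.1
3 permit ip any host 10.26.1.100
4 permit ip any host 10.26.1.251
5 permit ip any host 10.1.169.1
6 permit ip any host 10.26.1.200
7 deny ip any 192.168.0.0 0.0.255.255
8 deny ip any 172.16.0.0 0.15.255.255
9 deny ip any 10.0.0.0 0.255.255.255
10 permit ip any any
65 deny ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):  # consume one address spec -> (base, wildcard)
    word = tokens.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(word), _ip(tokens.pop(0))

def parse_acl(text):
    rules = []
    for tokens in map(str.split, text.splitlines()):
        if len(tokens) >= 5 and tokens[1] in ("permit", "deny"):
            rest = tokens[3:]
            rules.append((int(tokens[0]), tokens[1], tokens[2],
                          _take_addr(rest), _take_addr(rest)))
    return sorted(rules)

def _hit(addr, spec):
    care = ~spec[1] & 0xFFFFFFFF   # wildcard bits set to 1 are "don't care"
    return (_ip(addr) & care) == (spec[0] & care)

def evaluate(rules, src, dst, proto="udp"):  # CAPWAP runs over UDP 5246/5247
    for seq, action, rule_proto, s, d in rules:   # first matching ACE wins
        if rule_proto in ("ip", proto) and _hit(src, s) and _hit(dst, d):
            return seq, action
    return None, "deny"                            # implicit deny

RULES = parse_acl(ACL_TEXT)
AP_IP = "10.1.166.20"   # constructed host inside the AP VLAN 10.1.166.0/24
WLC_IP = "10.1.160.5"   # placeholder: the WLC address is not given in the thread
```

`evaluate(RULES, AP_IP, WLC_IP)` lands on entry 9, so ICMP and CAPWAP alike are dropped before the `permit ip any any` at entry 10 is reached; only the six host addresses permitted in entries 1 to 6 are reachable inside the private ranges.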

Leo Laohoo
Hall of Fame

What firmware is the controller on? 

Console into the AP and boot the AP.  Post the entire bootup process of the AP.

David Ritter
Level 4

OK. So the core SW is not bridging the VLANs. That is a function of the core router.

My N9k-9324 is the core rtr linked to the c9k-9200 core sw, which links to 1) c9800-40 2) all other distro switches, which host all the APs.

 
