9 Replies Latest reply: Dec 12, 2017 12:26 AM by rtayal RSS

Multiple SSIDs and VLANs on 1832i with Mobility Express

ciscorbs4

Hello all,

 

I've had a second deployment failure with Cisco AIR-AP-1832i WLC/APs running Mobility Express. The issue is that I can't seem to get off VLAN1, or I suppose it would be more accurate to say the native VLAN.

 

Scenario is that I have two WLANs as follows:

 

WLAN1: SSID: Corporate     VLAN: 1

WLAN2: SSID: Corporate-Guest     VLAN: 100

 

I can connect to either WLAN/SSID successfully with a client. But only the Corporate WLAN gets me to the proper DHCP server and gives me the ability to pass traffic successfully. Connecting to Guest fails to locate a DHCP server, so I get an APIPA address and nothing works. Configuring a static IP on the proper subnet does not allow traffic to pass.

 

In this deployment, I am using a Cisco Catalyst 2960 switch with the WLC/AP port being a trunk with dot1q. Here's the best part: I replaced a Cisco WAP321 (yeah, small business) AP with the same WLAN/VLAN/SSID configuration that was connected to the very same switch port. The WAP321 handled the two SSIDs and VLANs perfectly. No issues whatsoever connecting, getting IP addresses on either network or passing traffic. I made no changes to the switch configuration.

 

The previous failed deployment I had was a bit different in symptoms: The VLAN configuration was the same, a corporate network and guest network, corporate was on VLAN1 and Guest was VLAN 10. This time, I could connect to either SSID, but I would always get an IP address from the DHCP server on VLAN 1. It's like the VLAN 10 tag was completely ignored. I had a TAC case on that one that became a nightmare when Cisco could find nothing wrong with my configuration of the WLC/AP, switch, or ASA (DHCP server for VLAN 10). They could offer no explanation, even though I provided a pcap from the WLC's switchport (mirrored to my laptop running Wireshark) to TAC. I opted to RMA the 1832s in that case after TAC failed to resolve the situation. I haven't deployed the new APs (different vendor) yet.

 

Anyway, my question to anyone familiar with these 1832i series units is, what am I missing, or is there a known problem with these things? I don't have these issues with real Cisco WLCs (2504 for example) or even the small business line, although Cisco's new crop is terrible and I won't buy them.

 

By the way, these last 1832i's shipped with 8.4.100.

 

Thanks

  • 1. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    ruimartins1000

    Hi Jon,

    Got these problems since version 8.2.

    Everything that evolves VLAN 1 without it being the Management VLAN is a nightmare and won't work.

    The Tagging just don't work for VLAN1 when not Native VLAN.

    I quited to use VLAN1 as a VLAN for SSIDs.

    Best Regards,

    Rui

  • 2. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    rtayal

    Hi Jon,

     

    Could I get the SR number? I understand what you are reporting but let me check on what TAC advised and I will get back to you.

     

    Regards,

    Rajat

  • 3. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    rtayal

    Hi Jon,

     

    Since I do not have the SR number, I made some assumption and tried it myself and it seems to be working for me. Here is what I did.

     

    Connected my 1832I running Mobility Express version 8.4.100.0 to a 2960-X switch. Below is my switch configuration:

    interface GigabitEthernet0/1

    switchport trunk allowed vlan 1,100

    switchport mode trunk

     

    Native VLAN is 1 as shown below

     

    Port        Mode             Encapsulation  Status Native vlan

    Gi0/1       on               802.1q         trunking      1

    Gi0/24      on               802.1q         trunking      1

     

    My APs were in VLAN 1 because Management traffic on Mobility Express has to be untagged.

     

    Created two WLANs

    1. ‘Corporate’ – This WLAN did not have any VLAN Tagging and therefore clients on this WLAN would be put on VLAN 1
    2. ‘Corporate-Guest’ – I enabled VLAN Tagging on this WLAN and tagged VLAN 100 to it. Later I will show you how to do that from WebUI as well. This would put Corporate-Guest clients in VLAN 100.

     

    To verify that my Native VLAN and tagged WLAN were configured correctly, I executed the following CLI

     

    (Cisco Controller) >show flexconnect group detail default-flexgroup

     

    This is a snippet of the CLI. After executing the command just scroll down till you see the following configuration highlighted in RED.

     

    --More-- or (q)uit

    Group-Specific Vlan Config:

    Vlan Mode.................... Enabled

    Native Vlan.................. 1

    Override AP Config........... Enabled

    Group-Specific FlexConnect Wlan-Vlan Mapping:

     

    WLAN ID     Vlan ID

    -------- --------------------

    3          100

     

    Let us test. I connected my MAC to ‘Corporate’ WLAN and iPhone to ‘Corporate-Guest’. Below is the output which shows my two clients connected to the ME-WLC.

     

     

    (Cisco Controller) >show client summary

     

    Number of Clients................................ 2

     

    GLAN/

    MAC Address       AP Name                        Slot Status        WLAN Auth Protocol         Port Wired Tunnel  Role

    ----------------- ------------------------------ ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------

    70:70:0d:0b:f3:89 APDCCE.C12C.3A30                1   Associated     3 Yes   802.11ac(5 GHz)  1 No    No      Local

    a4:5e:60:f0:7c:bd APDCCE.C12C.3A30                1   Associated     2 Yes   802.11ac(5 GHz)  1 No    No      Local

     

    (Cisco Controller) >show client summary ip

     

    Number of Clients................................ 2

     

    MAC Address       AP Name          Status        IP Address

    ----------------- ---------------- ------------- --------------------------------

    70:70:0d:0b:f3:89 APDCCE.C12C.3A30  Associated 100.100.100.12

    a4:5e:60:f0:7c:bd APDCCE.C12C.3A30  Associated 1.1.1.13

     

    Now, how do I Tag a WLAN on the WebUI? When you are creating or editing a WLAN, click on the VLAN & Firewall tab and do the following-

     

    1. Use VLAN Tagging = Yes
    2. Specify the Native VLAN ID. I configured this to 1.
    3. For VLAN ID, I configured 100 because this is my Corporate-Guest WLANtagged_wlan.jpg

     

    Let me know if this helps.

     

    Regards,

    Rajat

  • 4. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    ciscorbs4

    Hi Rajat,

     

    I didn't actually open a TAC case on this one, since I was coming off the other failed deployment a few days before with similar issues. My configuration is pretty much identical to what you have above. Let's face it, this is not a very complicated setup. Interestingly, I was able to get this working recently, and without any configuration changes. All I did was that I configured another port on the 2960 as a trunk with identical configuration as the former, same as yours. I connected the 1832i to the new port and waited for it to fully boot. Tried connecting a wireless client to both WLANs as before and ran into the same problem. I reconnected the WAP321 to the first switch port and tried connecting - it worked fine as before for both WLANs. Then I swapped the 1832i back over to the first port again, and found that I could suddenly connect to both WLANs properly. It has been running a couple days now without a hiccup.

     

    I really wish I had done packet captures throughout all of this to get a sense of what was not working, but I figured it would be a waste of time since I was planning on doing another RMA for this unit as well. I am very much in the trenches with this stuff, and don't have a lot of time to spend trying to fix things that should just work in the first place. I also have a couple deployments using these APs that were very successful, so I know the product can work well and does have potential.

     

    Perhaps I got a few APs from a bad batch, maybe it's an issue with 8.4.100, I will probably never know. The TAC engineer I had on the previous deployment issue was going to report the problem I had as a bug when she could find nothing wrong with the configuration of any of the devices or CLI output form the WLC/AP. She told me later that Cisco's "BU team does not support 8.4.100" so I guess that means they know that version to be flaky for this or other reasons. The proposed solution was to downgrade the WLC and AP software. But I had to cut my losses on time and opted for a more reliable product, at least out of the box. I have been using these 1832s as a relatively low cost solution to replace aging SOHO-style autonomous APs with customers who won't pay the price for a a proper controller-based lightweight AP deployment. For now I'm rolling out Ubiquity UniFi systems for this segment. They have their issues, but they do seem to work with less fuss out of the box.

     

    But I'm a real fan of the 2504 and the 2700/2800 series APs for more serious implementations.

  • 5. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    GarryGlendown

    I'm having the same problem on an 1832 ... I need three SSIDs, each on a separate VLAN ... one should be on the default VLAN 1 (untagged), the other two on tagged VLANs. All the APs (the 1832 and two 1815) are on trunk/multi-vlan ports, running in mobility express mode, but no matter what I try, all SSIDs end up in the default vlan untagged ...

    Do I need to switch to capwap mode in order to get this to work?

    The 1832 is running 8.4.100.0 ...

  • 6. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    rtayal

    Hi Garry,

     

    You do not need to change the mode to CAPWAP. Can you please send the full output of the following from the controller CLI.

     

    (Cisco Controller) >show flexconnect group detail default-flexgroup



  • 7. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    nethinksfulda

    Here's the output:

     

    Number of AP's in Group: 3

     

    AP Ethernet MAC        Name                   Status             Mode              Type      Conflict with PnP

    --------------------   --------------------  ---------------    --------------   ---------- ------------------

     

    2c:31:24:c6:1d:20    AP2C31.24C6.1D20         Joined             Flexconnect      Manual      No

    40:01:7a:b1:9e:30    AP4001.7AB1.9E30         Joined             Flexconnect      Manual      No

    50:0f:80:6e:8e:78    AP500F.806E.8E78         Joined             Flexconnect      Manual      No

     

    Efficient AP Image Upgrade ..... Disabled

     

    Master-AP-Mac     Master-AP-Name                    Model      Manual

     

    Group Radius Servers Settings:

    Type           Server Address    Port

    -------------  ----------------  -------

                                             Primary       Unconfigured      Unconfigured

                                                                                          Secondary     Unconfigured      Unconfigured

    Group Radius/Local Auth Parameters :

    Radius Retransmit Count......................... 3 (default)

    Active Radius Timeout........................... 5 (default)

     

    --More-- or (q)uit

     

    Group Radius AP Settings:

    AP RADIUS server............ Disabled

    EAP-FAST Auth............... Disabled

    LEAP Auth................... Disabled

    EAP-TLS Auth................ Disabled

    EAP-TLS CERT Download....... Disabled

    PEAP Auth................... Disabled

    Server Key Auto Generated... No

    Server Key..................     <hidden>

    Authority ID................ 436973636f0000000000000000000000

    Authority Info.............. Cisco A_ID

    PAC Timeout................. 0

    HTTP-Proxy Ip Address....... 0.0.0.0

    HTTP-Proxy Port............. 0

    Multicast on Overridden interface config: Disabled

    DHCP Broadcast Overridden interface config: Disabled

    Number of User's in Group: 0

    Vlan :........................................... 50

            Ingress ACL :................................... GAST

            Egress ACL :.................................... GAST

    FlexConnect Vlan-name to Id Template name: none

    Flex-Group Wlan Avc Mappings

     

    --More-- or (q)uit

     

    WLAN ID Visibility Avc-profile

    ------- ---------- --------------------------------

    1          disable    XXXXXX

    2          disable    GAST

    3          disable    MOBIL

    Group-Specific Vlan Config:

    Vlan Mode.................... Enabled

    Native Vlan.................. 1

    Override AP Config........... Enabled

    Group-Specific FlexConnect Wlan-Vlan Mapping:

     

    WLAN ID     Vlan ID

    --------   --------------------

    1          1

    2          50

    3          40

     

    WLAN ID   SSID                            Central-Dhcp  Dns-Override  Nat-Pat

  • 8. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    GarryGlendown

    I just did some more debugging ... it turns out the VLAN assignment as such work fine, but the controller seems to behave as if a DHCP helper were configured ... so instead of just ignoring anything and letting the DHCP requests be forwarded to the VLAN the SSID is part of, it gets the DHCP request and forwards it on the management/default VLAN ... the client gets its IP from there, and then goes on to search for the MAC address of the default gateway inside the other VLAN ...

     

    I've tried enabling/disabling the local profiling, no success. Removed/added a local DHCP server, again, no success. Enabled/disabled the DHCP pool used inside an SSID, again, IP from the default vlan.

     

    I'm pretty much out of ideas ...

  • 9. Re: Multiple SSIDs and VLANs on 1832i with Mobility Express
    rtayal

    Hi Garry,

     

    I did try and was not able to repro.  Let us get on a WebEx and have a look at your issue. Please email me @ rtayal@cisco.com and we can get started.


    Regards,

    Rajat