CCIE Wireless · CCIEW Lab · CCIEW Written

CCIEW – 2.3 – Configure and Troubleshoot Network Connectivity

N.B. All configurations are based off the lab build seen in the introduction post.

I’ve completely skipped 2.2 Plan network infrastructure capacity and gone this which should also be a quick unless I’m underestimating things.

2.3 Configure and troubleshoot network connectivity for:

  • 2.3.a WLAN clients
  • 2.3.b WLCs
  • 2.3.c Lightweight APs
  • 2.3.d Autonomous APs


This section was probably quite simple with the old CCIE Wireless and this is only complicated a little further by the converged architecture being added to the syllabus this time around. There are only a few major considerations for the wired side with most of those covered off in previous posts during configurations. I’ve probably paid woeful attention to this topic but feel much of this topic comes from the broader experience gained from the other sections.

WLAN Controllers

For Unified the WLCs are going to connect to the infrastructure using a Trunk port. This allows multiple SSIDs to be mapped to multiple VLANs and tagged accordingly. Configuring a trunk port should be fairly simple but they could chuck in a curve ball and make you setup an Etherchannel. Restricting access to particular VLANs is expected and part of the setup could see an unused VLAN setup for the native VLAN for security purposes. Tagging native VLAN traffic with an unused VLAN means all non-tagged traffic will immediately be black-holed and so only genuine traffic will traverse the port.

Example Config:

switchport trunk encapsulation dot1q
switchport mode trunk
switchport trunk allowed vlan 10,20-100,200,250
switchport trunk native vlan 999
no shut

Cisco may also ask you to setup out-of-band (OOB) management access via the WLCs Service Port. This is restricted to a single subnet/VLAN and thus will require an Access Port on the switch.

Converged WLCs are within the switch and so no interface configuration is required other than normal operations.

Access Points

Access Points require different ports depending on their mode.

  • Autonomous
    • Although you could use an Access Port it is expected that you will separate your management traffic out and so a Trunk link is required with a Native VLAN of the management VLAN
  • Lightweight
    • Local Mode – All traffic is tunnelled back to the WLC via CAPWAP so an Access Port is required for the single VLAN the tunnel will traverse.
    • FlexConnect Mode
      • Local Switching – Trunk link to allow local switch breakout
      • Central Switching – Either will work but an Access Port is recommended
  • Bridge Mode – Bridges require trunk to allow local breakout of traffic

Converged Wireless will see all APs connected directly to the switches with an Access Port only. The APs will not come up properly if the mode is Trunk.


Troubleshooting why clients can’t connect is definitely expected and not being able to obtain a DHCP lease is often a symptom.

Cisco recommends using DHCP Snooping on active wireless VLANs so that’s one check. Another is to ensure the helper-address is set on the SVI if the option is not being used on the WLC. The ip-helper takes a Layer 2 DHCP lease request broadcast and unicasts it to the specified layer 3 address which should be your DHCP server.

interface vlan 20
ip-helper address

For converged access an additional IOS-XE command may be required to facilitate the helper component – ip dhcp snooping wireless bootp-broadcast enable


Expected Questions

  1. For a WLC, configure an Etherchannel trunk using Cisco best practices that restricts access to VLANs 10,20 and 30 only. Do not allow traffic for the default native VLAN to traverse the port.
  2. Configure DHCP Helpers on the wired SVIs – I expect this will only occur for the converged access


Converged Wired and Wireless Best Practices





Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.