CR-2026-03-10: C9130AX WiFi 6 Access Point Deployment

Change Summary

Change ID

CR-2026-03-10-001

Date

2026-03-10

Priority

Medium

Type

Configuration Change

Systems

bind-01, bind-02, ISE, C3560-CX, WLC HA cluster

Status

Completed

Problem Statement

Replacement Cisco C9130AX access point required WLC discovery to join the wireless infrastructure. Standard approach (DHCP Option 43) was unavailable.

Challenge: VyOS (our DHCP server) only supports Ubiquiti vendor options natively - no Cisco Option 43 support.

Technical Background

Cisco AP WLC discovery methods (in priority order):

Method Description Available?

DHCP Option 43

Vendor-specific TLV with WLC IPs

Not supported by VyOS

DHCP Option 138

CAPWAP standard

AP requests Option 43, not 138

DNS-based discovery

CISCO-CAPWAP-CONTROLLER.<domain> A records

Used this

Broadcast discovery

Local subnet only

Not viable (WLCs on different VLAN)

Static configuration

Manual per-AP

Not scalable

Solution

Add DNS A records for CISCO-CAPWAP-CONTROLLER pointing to both WLCs in the HA cluster.

Phase 1: BIND DNS Configuration

1.1 Backup Zone File
TIMESTAMP=$(date +%Y%m%d%H%M)
sudo cp /var/named/inside.domusdigitalis.dev.zone \
        /var/named/inside.domusdigitalis.dev.zone.bak.${TIMESTAMP}
1.2 Add CAPWAP Controller Records
# Add A records for WLC HA cluster
echo "CISCO-CAPWAP-CONTROLLER    IN    A    10.50.1.40" | sudo tee -a /var/named/inside.domusdigitalis.dev.zone
echo "CISCO-CAPWAP-CONTROLLER    IN    A    10.50.1.41" | sudo tee -a /var/named/inside.domusdigitalis.dev.zone
1.3 Increment Serial and Reload
# Increment serial (YYYYMMDDNN format)
sudo vim /var/named/inside.domusdigitalis.dev.zone

# Validate zone
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone

# Reload
sudo rndc reload inside.domusdigitalis.dev
1.4 Verify Resolution
dig CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev @10.50.1.90

Expected:

;; ANSWER SECTION:
CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev. 3600 IN A 10.50.1.40
CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev. 3600 IN A 10.50.1.41

Phase 2: Verify AXFR Replication

# Check zone transfer to bind-02
dig CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev @10.50.1.91

If not replicated, force transfer:

ssh bind-02 "sudo rndc retransfer inside.domusdigitalis.dev"

Phase 3: Trigger AP Discovery

# Bounce switch port to trigger DHCP renewal
netapi ios run "conf t" "interface te1/0/8" "shut" "no shut" "end"

Phase 4: Verify AP Join

# Check WLC for join attempt
netapi wlc run "show wireless stats ap join summary"

# Verify AP registered
netapi wlc run "show ap summary"

Implementation Log

Time Action Result

2026-03-10 13:30

Initial attempt: VyOS Option 138

Failed - AP requests Option 43, not 138

2026-03-10 14:00

Investigated VyOS vendor-option

Only Ubiquiti supported, no Cisco

2026-03-10 14:15

BIND DNS: Added CISCO-CAPWAP-CONTROLLER records

Serial 2026031005 → 2026031006

2026-03-10 14:16

Zone reload + AXFR verification

Both bind-01 and bind-02 resolving

2026-03-10 14:17

AP discovery

JOINED - C9130AX-01 at 10.50.10.111

Verification Output

WLC Confirmation
9800-WLC-01#show wireless stats ap join summary
Number of APs: 2
Base MAC        Ethernet MAC    AP Name         IP Address      Status
a0a4.7f20.dd00  8c88.812a.0000  C9130AX-01      10.50.10.111    Joined
Client Distribution - All clients migrated to WiFi 6
MAC Address     AP Name       Type   State  Protocol    Method
14f6.d87b.3180  C9130AX-01    WLAN 4 Run    11ax(5)     Dot1x
80a9.9734.a120  C9130AX-01    WLAN 5 Run    11ax(5)     MAB
bcd0.740c.057e  C9130AX-01    WLAN 5 Run    11ax(2.4)   MAB

CLI Mastery Patterns

BIND Zone Management

# Capture current serial with dig + awk
CURRENT_SERIAL=$(dig @10.50.1.90 inside.domusdigitalis.dev SOA +short | awk '{print $3}')
NEW_SERIAL=$((CURRENT_SERIAL + 1))
echo "Current: $CURRENT_SERIAL → New: $NEW_SERIAL"

# Validate zone before reload (always!)
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone

# Force zone transfer to secondary
sudo rndc retransfer inside.domusdigitalis.dev

CAPWAP Troubleshooting

# Test DNS resolution from workstation
dig CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev +short

# Verify both WLCs returned (HA)
dig CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev +short | wc -l
# Expected: 2

# Check CAPWAP UDP ports (5246, 5247)
ss -unap | grep -E '524[67]'

AP Status Commands

# Show all APs with their status
netapi wlc run "show ap summary"

# Show detailed join statistics
netapi wlc run "show wireless stats ap join summary"

# Show radio status (channels, power)
netapi wlc run "show ap dot11 5ghz summary"
netapi wlc run "show ap dot11 6ghz summary"

# Show clients per AP
netapi wlc run "show wireless client summary"

Key Lessons

Lesson Detail

Vendor limitations matter

VyOS doesn’t support Cisco DHCP Option 43. DNS discovery is the workaround.

DNS HA verification

Always verify AXFR replication to secondary DNS before relying on records.

Serial increment is critical

Zone changes without serial increment = no replication.

WiFi 6 (802.11ax) benefits

C9130AX supports 5GHz + 6GHz. All clients migrated automatically.

Related Documentation