CR-2026-03-10: C9130AX Access Point Deployment
1. Change Summary
| Field | Value |
|---|---|
| Change ID | CR-2026-03-10-001 |
| Requestor | evanusmodestus |
| Date | 2026-03-10 |
| Priority | Medium |
| Type | Configuration Change |
| Systems | bind-01, bind-02, ISE, 3560-cx.inside.domusdigitalis.dev, WLC HA cluster |
1.1. Business Justification
The replacement Cisco C9130AX access point must discover the WLC HA cluster before it can join the wireless infrastructure. Cisco APs expect the controller addresses in DHCP Option 43 (vendor-specific information), but the VyOS DHCP server on the DATA VLAN only exposes Ubiquiti vendor options natively, so Option 43 cannot be served to the AP.
Solution: DNS-based CAPWAP discovery. When Option 43 is absent, Cisco APs resolve CISCO-CAPWAP-CONTROLLER.<domain>, where <domain> is the domain name supplied in the DHCP lease (Option 15), using the DNS servers supplied in the same lease (Option 6).
The existing AP4800 (to be decommissioned) has a static WLC configuration from the prior deployment and so never depended on discovery.
1.2. Technical Background
Cisco AP WLC discovery methods (in order):
1. DHCP Option 43 (vendor-specific TLV) - not available on this VyOS DHCP server
2. DHCP Option 138 (CAPWAP AC address, RFC 5417) - ignored here: the AP requested Option 43, not 138 (see the implementation log)
3. DNS-based discovery - CISCO-CAPWAP-CONTROLLER.<domain> A records ✓ (requires the DHCP lease to carry the domain name and DNS server)
4. Broadcast discovery - local subnet only, so it cannot reach a WLC in the MGMT network from VLAN 10
5. Static configuration - manual per-AP entry, not scalable
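Option 43 could not be served by this VyOS build, but the encoding is worth recording for any DHCP server that accepts a raw vendor-encapsulated option (ISC dhcpd's `option vendor-encapsulated-options`, for example). Cisco lightweight APs expect a single TLV inside Option 43: type 0xF1 (241), a length byte equal to 4 times the number of controllers, then each controller's IPv4 address as four bytes. The functions below are an added example, not part of this CR or of any Cisco or VyOS tooling; the controller addresses used are the WLC HA pair from section 3, and the colon-separated output form is the dhcpd syntax.

```bash
#!/usr/bin/env bash
# Added example: encode/decode the Cisco CAPWAP Option 43 TLV (type 0xF1).
# Not from the CR; addresses are the WLC HA cluster members from section 3.
set -euo pipefail

# Encode controller IPv4 addresses as the Option 43 payload, bare hex.
cisco_option43_encode() {
  local hex="" n=0 ip a b c d o
  for ip in "$@"; do
    IFS=. read -r a b c d <<<"$ip"
    for o in "$a" "$b" "$c" "$d"; do
      case $o in ''|*[!0-9]*) echo "bad address: $ip" >&2; return 1;; esac
      [ "$o" -le 255 ] || { echo "bad address: $ip" >&2; return 1; }
    done
    # 10# forces decimal so an octet like 010 is not read as octal by printf
    hex+=$(printf '%02x%02x%02x%02x' "$((10#$a))" "$((10#$b))" "$((10#$c))" "$((10#$d))")
    n=$((n + 1))
  done
  # length is one byte, so at most 63 controllers (63 * 4 = 252)
  [ "$n" -ge 1 ] && [ "$n" -le 63 ] || { echo "need 1..63 controllers" >&2; return 1; }
  printf 'f1%02x%s\n' "$((4 * n))" "$hex"
}

# Colon-separated form used in ISC dhcpd:
#   option vendor-encapsulated-options f1:08:0a:32:01:28:0a:32:01:29;
to_colon_hex() { echo "$1" | sed 's/../&:/g; s/:$//'; }

# Decode a payload (bare or colon-separated hex); prints one controller per line.
# Rejects a wrong type, a length that is not a multiple of 4, or a truncated TLV.
cisco_option43_decode() {
  local hex=${1//:/} len i
  case $hex in *[!0-9a-fA-F]*|'') echo "not hex" >&2; return 1;; esac
  [ ${#hex} -ge 4 ] || { echo "truncated TLV" >&2; return 1; }
  [ "${hex:0:2}" = f1 ] || [ "${hex:0:2}" = F1 ] \
    || { echo "type ${hex:0:2} is not 0xF1" >&2; return 1; }
  len=$((16#${hex:2:2}))
  if [ $((len % 4)) -ne 0 ] || [ ${#hex} -ne $((4 + 2 * len)) ]; then
    echo "length byte $len does not match payload" >&2; return 1
  fi
  for ((i = 4; i < ${#hex}; i += 8)); do
    echo "$((16#${hex:i:2})).$((16#${hex:i+2:2})).$((16#${hex:i+4:2})).$((16#${hex:i+6:2}))"
  done
}

# Example: cisco_option43_encode 10.50.1.40 10.50.1.41  ->  f1080a3201280a320129
```

The decoder is the useful half in practice: paste the hex a DHCP server is actually sending into it and check that both WLC HA members come back, which is faster than reading the AP's console during discovery.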
2. Current State
| Component | Configuration | Notes |
|---|---|---|
| VyOS DHCP (DATA VLAN) | No Option 138 | APs cannot discover WLC |
| New AP (C9130AX) | MAC: 8C:88:81:2A:00:00 | Replacement hardware |
| New AP Port | Te1/0/8 on 3560-cx.inside.domusdigitalis.dev | 10G uplink |
| New AP IP | 10.50.10.111 (DHCP) | VLAN 10 |
| ISE Endpoint | | Static assignment |
| Old AP (AP4800) | MAC: | Port Gi1/0/3 |
3. Target State
| Component | Configuration | Notes |
|---|---|---|
| BIND DNS (bind-01) | | 10.50.1.40, 10.50.1.41 |
| BIND DNS (bind-02) | Zone transfer from bind-01 | Auto-replicates via AXFR |
| New AP (C9130AX) | Joined to WLC HA cluster | Name: C9130AX-01 |
| Old AP (AP4800) | Decommissioned | Endpoint removed from ISE |
4. Implementation
4.1. Phase 1: BIND DNS Configuration (bind-01)
Reference: BIND Operations Quick Reference
4.1.1. Backup Zone File
```bash
TIMESTAMP=$(date +%Y%m%d%H%M)
sudo cp /var/named/inside.domusdigitalis.dev.zone /var/named/inside.domusdigitalis.dev.zone.bak.${TIMESTAMP}
ls -la /var/named/inside.domusdigitalis.dev.zone.bak.${TIMESTAMP}
```
4.1.2. Capture Current Serial
```bash
# The serial is the third field of the +short SOA answer (mname rname serial ...)
CURRENT_SERIAL=$(dig @10.50.1.90 inside.domusdigitalis.dev SOA +short | awk '{print $3}')
NEW_SERIAL=$((CURRENT_SERIAL + 1))
echo "Current: $CURRENT_SERIAL → New: $NEW_SERIAL"
```
4.1.3. Add CAPWAP Controller Records
```bash
# Add one A record per WLC HA cluster member. Appending places the records under
# the zone origin; confirm no later $ORIGIN directive in the file changes it.
echo "CISCO-CAPWAP-CONTROLLER IN A 10.50.1.40" | sudo tee -a /var/named/inside.domusdigitalis.dev.zone
echo "CISCO-CAPWAP-CONTROLLER IN A 10.50.1.41" | sudo tee -a /var/named/inside.domusdigitalis.dev.zone
```
4.1.4. Increment Serial
```bash
sudo vim {bind-forward-zone}
# Set the SOA serial to $NEW_SERIAL from step 4.1.2 (YYYYMMDDNN format; the +1
# stays within the same day's NN counter)
```
Then validate and reload the zone (named-checkzone and rndc reload, as in section 6.2) so that bind-01 serves the new serial and sends NOTIFY to bind-02; a record appended to the file is not served until the reload.
4.2. Phase 2: Verify AXFR to bind-02
```bash
# Check that the secondary already serves the new records
dig CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev @10.50.1.91
```
bind-02 only carries the new records once its SOA serial matches the new serial on bind-01. If not replicated, force transfer:
```bash
ssh bind-02 "sudo rndc retransfer {domain}"
```
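The Phase 1 steps and the Phase 2 check can be scripted so that the backup, the record append, the serial bump and the zone validation happen together and a stale serial cannot be applied by mistake. The script below is an added example, not the CR's own tooling and not part of the BIND Operations Quick Reference: it assumes the zone file path from step 4.1.1, calls `named-checkzone` and `rndc` only when they are present on the host, and the `--apply` mode and the `WLC_IPS` variable are this example's own conventions. Its serial logic generalises the CR's `+1`: it continues today's NN counter, restarts at 01 when the date part of the existing serial is older than today, and never goes backwards.

```bash
#!/usr/bin/env bash
# Added example: atomic CAPWAP record deployment for a BIND primary.
# Not the CR's own tooling; paths and hosts follow section 4.1 of the CR.
set -euo pipefail

ZONE_NAME="${ZONE_NAME:-inside.domusdigitalis.dev}"
ZONE_FILE="${ZONE_FILE:-/var/named/${ZONE_NAME}.zone}"
WLC_IPS="${WLC_IPS:-10.50.1.40 10.50.1.41}"   # WLC HA cluster members (assumed env var)

# Print the SOA serial from a zone file; handles the multi-line "( ... )" form.
zone_serial() {
  awk '
    { sub(/;.*/, "") }                                  # drop comments
    !insoa && /[ \t]SOA[ \t]/ { insoa = 1; sub(/.*[ \t]SOA[ \t]+/, "") }
    insoa {
      gsub(/[()]/, " ")                                 # mname rname serial ...
      for (i = 1; i <= NF; i++) { tok[++n] = $i; if (n == 3) { print tok[3]; exit } }
    }' "$1"
}

# Next YYYYMMDDNN serial: continue today's counter, or start today at 01.
# If the zone is already "ahead" of the clock, just add one (never go backwards).
next_serial() {
  local cur=$1 today=$2
  if [ "$cur" -ge "${today}00" ]; then echo $((cur + 1)); else echo "${today}01"; fi
}

# Replace the first whole-token occurrence of the old serial, keeping the file layout.
set_zone_serial() {
  awk -v old="$2" -v new="$3" '
    !done && match($0, "(^|[^0-9])" old "([^0-9]|$)") {
      m = substr($0, RSTART, RLENGTH); sub(old, new, m)
      $0 = substr($0, 1, RSTART - 1) m substr($0, RSTART + RLENGTH); done = 1
    }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append "<owner> IN A <ip>" unless an identical record already exists (idempotent).
ensure_a_record() {
  local file=$1 owner=$2 ip=$3 ip_re
  ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
  grep -Eq "^${owner}[[:space:]]+(IN[[:space:]]+)?A[[:space:]]+${ip_re}[[:space:]]*$" "$file" \
    || printf '%s\tIN\tA\t%s\n' "$owner" "$ip" >> "$file"
}

# Back up (named by the serial it holds), add records, bump serial, validate.
# Prints the new serial; restores the backup and fails if named-checkzone rejects it.
deploy_capwap_records() {
  local file=$1 today=$2; shift 2
  local old new ip
  old=$(zone_serial "$file")
  new=$(next_serial "$old" "$today")
  cp -p "$file" "$file.bak.$old"
  for ip in "$@"; do ensure_a_record "$file" CISCO-CAPWAP-CONTROLLER "$ip"; done
  set_zone_serial "$file" "$old" "$new"
  if command -v named-checkzone >/dev/null 2>&1 \
     && ! named-checkzone -q "$ZONE_NAME" "$file"; then
    cp -p "$file.bak.$old" "$file"
    echo "zone failed validation; restored serial $old" >&2
    return 1
  fi
  echo "$new"
}

# --apply: run on bind-01 as root, then reload so NOTIFY reaches bind-02.
if [ "${1:-}" = "--apply" ]; then
  # shellcheck disable=SC2086
  serial=$(deploy_capwap_records "$ZONE_FILE" "$(date +%Y%m%d)" $WLC_IPS)
  rndc reload "$ZONE_NAME"
  echo "bind-01 now at serial $serial; bind-02 must report the same SOA serial"
fi
```

Running it twice is safe: the second run adds no duplicate records and still bumps the serial, which is what you want if a NOTIFY was lost and bind-02 needs a fresh reason to transfer.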
4.3. Phase 3: ISE Endpoint Configuration
Completed prior to this change request.
```bash
# Endpoint already exists from the failed MAB attempt; move it into the AP group
netapi ise update-endpoint-group 8C:88:81:2A:00:00 "Trusted_Access_Points"
```
4.4. Phase 4: Trigger AP DHCP Renewal
```bash
# Bounce the AP's uplink so it renews its lease and restarts controller
# discovery with the new DNS records in place
netapi ios run "conf t" "interface te1/0/8" "shut" "no shut" "end"
```
4.5. Phase 5: Validate AP Join
```bash
# Check WLC for the join attempt (and the failure phase if it did not join)
netapi wlc run "show wireless stats ap join summary"
# Verify AP registered
netapi wlc run "show ap summary"
```
4.6. Phase 6: Configure New AP
```bash
# Rename AP on WLC (replace <auto-name> with the discovered name)
netapi wlc run "ap name <auto-name> name C9130AX-01"
# Assign the site, policy and RF tags (defaults used here)
netapi wlc run "ap name C9130AX-01 site-tag default-site-tag"
netapi wlc run "ap name C9130AX-01 policy-tag default-policy-tag"
netapi wlc run "ap name C9130AX-01 rf-tag default-rf-tag"
```
5. Validation Checklist
| Test | Command | Expected Result |
|---|---|---|
| BIND DNS (bind-01) | | A records: 10.50.1.40, 10.50.1.41 |
| BIND DNS (bind-02) | | A records: 10.50.1.40, 10.50.1.41 |
| AP DNS resolution | From AP console: | Resolves CAPWAP controller |
| New AP DHCP lease | | 8C:88:81:2A:00:00 VLAN 10 |
| New AP WLC join | | C9130AX-01 Registered |
| New AP ISE auth | | MAC in active sessions |
| Old AP removed | | AP4800 not listed |
| Client connectivity | Associate to Domus-Secure | Internet access |
6. Rollback Plan
6.1. If new AP fails to join
```bash
# Verify DNS resolution from a workstation
dig CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev @10.50.1.90
# Check reachability from the WLC to the AP
netapi wlc run "ping 10.50.10.111"
# Check firewall rules MGMT↔DATA (CAPWAP is UDP 5246 control and 5247 data, AP to WLC)
ssh vyos-01 "show firewall ipv4 name DATA_MGMT rule 45"
```
6.2. Full DNS rollback (bind-01)
```bash
# Restore from the backup taken in 4.1.1
TIMESTAMP=<backup_timestamp>
sudo cp /var/named/inside.domusdigitalis.dev.zone.bak.${TIMESTAMP} /var/named/inside.domusdigitalis.dev.zone
# Validate and reload
sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone
sudo rndc reload inside.domusdigitalis.dev
# Verify records removed
dig CISCO-CAPWAP-CONTROLLER.inside.domusdigitalis.dev @10.50.1.90
# Expected: NXDOMAIN
```
The restored file carries the pre-change serial, which is lower than the serial bind-02 already holds, so bind-02 will not pull the rollback on its own: either raise the serial above the current one before the reload, or force the transfer on bind-02 with rndc retransfer as in 4.2, then repeat the dig against 10.50.1.91.
7. Risk Assessment
| Risk | Likelihood | Impact | Mitigation |
|---|---|---|---|
| New AP fails to join | Low | Medium | Rollback to old AP |
| DNS change breaks other services | Very Low | Low | New record only, no modifications |
| AXFR fails to bind-02 | Low | Low | Manual retransfer command |
| WLC rejects AP (version mismatch) | Low | Medium | Pre-check compatibility |
| Firewall blocks CAPWAP | Medium | High | Verify rules before decommission |
8. Approvals
| Role | Name | Date | Signature |
|---|---|---|---|
| Requestor | evanusmodestus | 2026-03-10 | |
| Change Manager | | | |
| Technical Reviewer | | | |
9. Implementation Log
| Time | Action | Result |
|---|---|---|
| 2026-03-10 13:30 | Initial attempt: VyOS Option 138 | Failed - AP requests Option 43, not 138 |
| 2026-03-10 14:00 | Investigated VyOS vendor-option | Only Ubiquiti supported, no Cisco |
| 2026-03-10 14:15 | BIND DNS: Added CISCO-CAPWAP-CONTROLLER records | Serial 2026031005 → 2026031006 |
| 2026-03-10 14:16 | Zone reload + AXFR verification | Both bind-01 and bind-02 resolving |
| 2026-03-10 14:17 | AP discovery | JOINED - ap8c88-812a-0000 at 10.50.10.111 |

WLC output captured after the join and rename:
```text
9800-WLC-01#show wireless stats ap join summary
Number of APs: 2

Base MAC        Ethernet MAC    AP Name      IP Address     Status
a0a4.7f20.dd00  8c88.812a.0000  C9130AX-01   10.50.10.111   Joined
```
Radio summary, slot 1:
```text
AP Name      Slot  Admin State  Oper State  Width  Txpwr         Channel
AP4800       1     Enabled      Up          40     *1/7 (20dBm)  (100,104)*
C9130AX-01   1     Enabled      Up          40     *1/8 (22dBm)  (116,120)*
```
Radio summary, slot 2:
```text
AP Name      Slot  Admin State  Oper State  Width  Txpwr         Channel
C9130AX-01   2     Enabled      Up          160    *1/8 (20dBm)  (21,17,25,29,1,5,9,13)*
```
Client summary:
```text
MAC Address     AP Name      Type  ID  State  Protocol   Method
14f6.d87b.3180  C9130AX-01   WLAN  4   Run    11ax(5)    Dot1x
80a9.9734.a120  C9130AX-01   WLAN  5   Run    11ax(5)    MAB
bcd0.740c.057e  C9130AX-01   WLAN  5   Run    11ax(2.4)  MAB
```
Result: All 3 clients connected to C9130AX-01 using WiFi 6 (11ax). AP4800 has 0 clients.
10. Post-Implementation Review
- New AP joined WLC
- New AP serving clients
- RSSI/SNR acceptable
- Old AP physically removed
- AP renamed to C9130AX-01
- Documentation updated
- BIND zone backup confirmed