ACL or VLAN Mappings

Similar Messages

• NCS Prime 1.4 does not display previous AP WLAN-VLAN mappings

  Hi,
  Just wondering if others have experienced this issue. I upgrade our Prime NCS from 1.3 to 1.4 last night. Upgrade appeared successful but today when looking through the web interface for testing I noticed that the  'Access Point Details' (Configure > Access Points > Access point details" no longer displays the flex connect vlan mappings which previously were shown in 1.3.
  When clicking on the WLAN-VLAN Mappings tab nothing appears there too? I tried to apply the wireless configuration template again but received an error.
  Has anyone had this issue? On the WLC, these configurations are still intact with the correct vlan-mappings so it only appears to be NCS that is having the issues.
  Only thing I can see from the release notes regarding NCS 1.4 Flexconnect VLAN mappings is CSCug17718. But this caveat is under the resolved section.
  Cheers,
  Wil

  Cheers thanks for the reply.
  I figured out what the problem was. Appears that Audit status has mismatches but once another audit is done it appears to display vlan mappings with at the access point detail page.
  Now... to figure out how to perfect bulk audits..
  Anyways thanks for your advice.

• HREAP APs lose local VLAN mappings

  Hello,
  We are using a 5508 controller (version 7.0.98.0) in a central location and 1242 access points in HREAP mode in remote locations. 
  I have noticed that, for no specific reason, HREAP APs sometimes lose their local VLAN mappings and revert to centrally switched interface VLAN tags?? Since central VLAN tags and local VLANs are not the same, local traffic can not be routed and clients lose connection.
  I have seen that a software bug has been reported CSCsw68997 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw68997) but it seems to have been fixed in software version that don't exit for 5508 WLCs.
  Would you have any idea if there is a fix to this issue?
  Thanks for your help, much appreciated,
  Laure

  It is important to note that CSCsw68997 is an enhancement, not exactly a bug.
  The bottom line is that if HREAP APs move between controllers, and those controllers are not identical with WLAN Order (including the AP group WLAN order) then your mappings might change.
  Now if you want the code this enhancement is added to, I believe both of those are readily available from TAC. If you need Cisco.com versions of the code, then you'll need to wait a few more weeks....

• FlexConnect VLAN Mappings Inheritance

  Hi guys,
  I have 3 APs, which joined the vWLC some time ago (FlexConnect mode). I setup the VLAN Mappings, add them to an AP Group and all went well.
  After some time I started to use FlexConnect Groups. I have created a group for these three and add each to the group.
  Trouble is, even after adding each AP to the FlexConnect Group the VLAN Mappings Inheritance stays on AP-Specific instead of Group-Specific.
  I tried Remove AP Specific option, but I receive an error message I have attached.
  Thanks in advance for any hint/tip.

  Yes... If your ap and users are going to be put in the data Vlan, you can just leave the port to an access port and you don't have to setup any native val. Or Vlan mapping in the FlexConnect AP. If you decide you want to map users to the voice Vlan, then you need to trunk it.
  If you want to trunk it anyways, then you can map a WLAN to the data Vlan too.
  Sent from Cisco Technical Support iPhone App

• Cisco 3550 ACL on VLAN

  i hav got Cisco 3550-12T, in that i hav created VLAN 2,3,4 & 5. now my requirement is VLAN 2 can communicate all VLAN's, where VLAN 5 should only communicate VLAN 2 & vice versa & VLAN 3,4 should only communicate VLAN 2 & vice versa. how do i proceed, by default if i enable "ip routing" i can able to communicate, but i do i filter the packetz as i said above?

  Hi,
  You can do it using extended acl's fro denying traffic from Vlan 3,4 to vlan 5. This can also be done using Vlan MAPS. Please go through the link below:
  http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1082557
  regards,
  -amit singh

• Apply ACL on vlan

         Amended the post     
  Hello
  can someone guide how to  apply access-list to a vlan
  office_A connect to Office_B on different floors on vlan 10
  need to allow inbond and outbond traffic
  Config of Office_A and host
  VLAN
  int vlan 10
  ip address 192.168.177.254 255.255.255.252
  Allow the following host to communicate with host of Office_B
  host 192.168.110 port 443
  host 192.168.1.16
  network 192.168.25.0/24
  Network of Office_B
  allow following host to communicate with hos of Office_A
  192.168.100.10  port 443
  1192.168.100.17
  192.168.27.0/24
  plz guide with right inbond / outbond acl to apply on SVI
  thanks
  Vishal

  Just to be on the same side, you want hosts 192.168.1.10:443 & 192.168.1.16 to connect to 192.168.100.10:443 and hosts 192.168.100.10:443 & 192.168.100.17 to connect to 192.168.110:443?
  I'm asking because I got confused from your question. If you have a topology for your network, it would be of great asset.
  Best Regards,
  Islam M. Nadim

• ACL on Vlan interface

  I am trying to apply an acl on my vlan interfaces that would allow the vlan to initiate tcp traffic. When I apply it I am unable to surf the web from the vlan but I can tftp from the vlan .

  This is normal behavior. The first packet coming from the station on the VLAN would not be considered as established.
  On the other hand, the established keyword could be configured on an outbound ACL applied to the same VLAN. This would only allow TCP traffic initiated from the VLAN to reenter that same VLAN.
  Hope this helps,

• ACL on 4507R VLANs

  Hi All,
  I wanted to implement a Security ACL on VLAN for 4507R (IOS 12.24 EWA) i.e. I want to regulate the traffic to and from from the VLANs.
  However when I implemented the normal Extended ACL I was surprized to find that it was not acting as it should on a Routed Port or L-2 Port.
  However when cross checked in the config guide, I guess that its a VLAN MAP that needs to be used rather than a normal ACL to filter traffic to and fro on a VLAN in 4507R.
  Am I correct over here or am I missing something out there?
  Any help would be appreciable.
  Kind Regards,
  Wilson Samuel

  Hi Bosalaza,
  My query is:-
  1. Is VLAN Map the only answer to filter traffic in 4507s??
  2. Wont the traditional ACL implementation work in 4507s??
  Regards,
  Wilson SAmuel

• ACL's and VLan interfaces

  I am trying to understand the boundries of a Vlan on a given switch. When a packet that is passed from Vlan int 1 to Vlan int 2 on the same switch if Vlan 2 has an inbound ACL denying this packet would it get acted upon in this manner or does the ACL only get introduced if the packet enters a physical interface.

  A packet coming into a device from one interface and going out another interface does not pass two 'inbound' ACLs. It can pass two ACLs but one will be inbound and one will be outbound.
  The situation is no different when you are using logical interfaces like SVI (L3 VLAN interfaces). In your case if you have an ACL defined inbound on VLAN 1 in the distribution switch then the packets coming into VLAN1 will be subject to inspection against the rules of this ACL. However, if there is no outbound ACL for VLAN 2 then packets leaving the distribution switch and going out of VLAN 2 to switch 2 will not be subject to any ACLs.
  The concept of inbound and outbound is the same in case of both physical interfaces or logical interfaces.

• Flexconnect ACLs

  Hi,
  Has anyone gotten Flexconnect ACLs to work properly in 8.x? Here's my test setup:
  One 3700 AP, in flexconnect mode, Part of an AP group that is only broadcasting one test SSID.
  Primary goal of getting this flexconnect AP to drop users on different VLANs based on RADIUS parameters was successful (though I couldn't ever drop anyone on VLAN 1, no matter what the native vlan for the AP was).
  In order for the AP to know the VLANs I had to create a Flexconnect Group and create "AAA VLAN ACL MAPPING"s for all the VLANs I wanted the AP to know about. As mentioned, that part worked fine.
  Next I created a very simple Flexconnect ACL to block any traffic to 8.8.4.4. I applied it to one of the VLANs on the same tab (Wireless>FlexConnect Groups>ACL Mapping>AAA VLAN-ACL mapping). I tried all sorts of combinations of applying the ACL to ingress or egress, disassociating the client, moving client to a different vlan and back etc. I got it working once, on one of the VLANs, but couldn't repeat it. It might have been after removing the AP from the FlexConnect group and putting it back.
  The only result all this had is that I lost web access to the WLC suddenly. As far as I can tell, the WLC ended up rebooting itself and the HA unit took over. A bit scary.
  How are Flexconnect ACLs supposed to work, do they get applied the moment you apply them to the ingress /egress of the VLAN? Does the client have to disassociate and re-associate? Does something else have to happen to trigger the ACLs being applied? 
  From what I could tell in the Flexconnect ACL Debug, all the changes were being pushed to the AP as I made them. However, at one point when checking the VLAN Mappings on the AP, the vlans with ACLs in the Flexconnect group, showed no ACLs on the AP. Another time the VLANs that had the ACLs applied were no longer there at all.
  As I'm writing this, I noticed that I can now crash the WLC, just by clicking the VLAN mappings on that AP....  

  After two failovers that seemed to be triggered by me making changes in the Flexconnect Group config, one controller hung up completely (no response anywhere including console). I had to power cycle it.
  After that, the flexconnect ACLs seemed to work just as expected. Changes in the ACLs would immediately reflect on the client connected to the AP without having to re-associate the client (something that definitely wasn't working before).

• WLC 5508 Flexconnect dhcp request landing on wrong vlan/dhcp pool

  Hi,
  We've recently setup our 5508 to work with Flexconnect. The 5508's run on 8.0.100, they are setup redundant. On the remote site we've setup a local dhcp pool for the various WLAN's/VLAN's. The AP's have registered with the WLC succesfully.
  We then setup the flexconnect groups, added the ap's and configured 1 vlan mapping to it's corresponding wlan id. Alsio setup the wlan, made it so it's using flexconnect, bound it to the interface which will allow it to reach the local dhcp machine.
  User can see the SSID, can login using the password, but they are awarded an ip addres from a different dhcp pool, meant for antoher vlan than the bonding in the flexconnect group is indicating.
  When I check the local dhcp pool for bindings on the mac address of a machine I can see multiple bindings. At 1 point I had 3 bindings in different pools, 1 on the native vlan for the AP, 1 on the vlan it should have and 1 on another vlan which wasn't configured anywhere in the flexconnect setup.
  Does anybody have a clue how and why this is happening?

  Just to add to Salma... All your AP's in FlexConnect are most likely connected to a trunk port. Make sure the native Vlan is defined and the vlan's are allowed on the trunk port. Then you need to verify that the AP's native Vlan and WLAN to Vlan mappings are correct. Seems like you might have some AP's that are not defined properly and that's why users that connect to a WLAN is getting in the wrong subnet. 
  Scott

• 802.1x Dynamic VLans

  I'm trying to figure out a way to get to 802.1x and Dynamic Vlans.
  I have all types of devices, some login into windows AD some don't.
  Is this possilbe?
  port is setup to use 802.1x. Radius server first checks against AD, then checks for MAC address, if no conditions are met ports is set to a catch all type VLAN and starts forwarding.
  Something like:
  1. A Domain user/PC connects, user login to AD and assigned to a user VLan.
  2. A printer is connected and assigned to a printer VLan.
  3. A guest connects and is assigned to a guest VLan.
  I like to not have to put MAC addresses in for PCs that are members of the the windows domain.

  Hi
  Please find the answers inline:
  1. A Domain user/PC connects, user login to AD and assigned to a user VLan.
  This is possible by using RADIUS extended attributes, to assign VLAN dynamically.. for this to work ,you need to define the radius server host & key on the switch/NAD. then enable dot1x on the switchport, to force authentication through RADIUS.. you can have a NAC client to key-in your AD username/password..  You would need to configure your RADIUS server to send vendor-specific attributes:
  –[64] Tunnel-Type = VLAN
  –[65] Tunnel-Medium-Type = 802
  –[81] Tunnel-Private-Group-ID = VLAN name or VLAN ID
  refer to CCO for more info on how the ACS server is configured for sending this info... apart from this on the switch configure "radius-server host x.x.x.x auth-port 1612 key *****" and the appropriate aaa commands to force dot1x to refer to RADIUS "aaa authentication dot1x default radius"
  2. A printer is connected and assigned to a printer VLan.
  For printers, or any non-dot1x compliant device, its general to use MAC authentication Bypass feature.. by doing this we can make sure the ports connecting to printers use the default "Switchport access vlan " configuration on these ports.. with MAB, we add the MAC address of the printer on the ACS server (with pw as mac-address) and make sure the printer is authenticated via the switch.. if you dont want to use MAC address for bypassing dot1x, you can probably disable dot1x on such ports.. similar methodology can be adopted for Servers, which wouldnt need dot1x.. since there are few printers & servers on networks, you can disable dot1x on these ports...
  3. A guest connects and is assigned to a guest VLan.
  This is achieved by using the guest-vlan feature.. guests who dont have dot1x client, will be put on a seperate isolated VLAN called guest vlan.. you can create a vlan say vlan  99 on the switch for guests, and on the switchport configure "dot1x guest-vlan 99" .. this would make sure the guests  are seperated and isolated.. make sure you have vlan ACLs on VLAN 99 to restrict traffic for guest users only to internet, or place them behind DMZ of firewalls... you also have "authentication failure" VLAN which you can enable for production users when they fail authentication...
  Refer to this Guide.. it has all information about 802.1x on switches...
  http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_50_se/configuration/guide/sw8021x.html#wp1270660
  Hope this helps.. all the best..
  Raj

• HREAP VLAN Mapping

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;
  mso-fareast-language:EN-US;}
  Hi,
  I've searched around to see if someone else has experienced the same issue regarding HREAP AP's losing their VLAN mappings; however I could not find any related topics.
  Scenario
  I've got a 5508 WLC running ver 7.0 with local VLANs assigned as follow:
  VLAN 241 - Data Users
  VLAN 253 - Voice Users
  The HREAP AP's (Cisco 1242AG) running at the remote branches is mapped to the following:
  VLAN 2 - Data Users
  VLAN 253 - Voice
  The Problem...
  HREAP works perfect; users get the local DHCP addresses at the branch office and have no issues with connectivity. Once and a while some of the HREAP AP's will lose the VLAN mapping I've assigned to them. In this case I've mapped VLAN 2 to the SSID for the Data Users, I will get complaints that users can't connect to the network when I go check the HREAP AP's VLAN mapping it defaulted back to VLAN 241 (the same VLAN the local AP's at head office use for the same SSID). Of course with the Voice SSID I don't have this problem as it's using the same VLAN ID as head office.
  Once I've corrected the mapping everything works perfect.
  Why...
  I just want to know why this happens, I've rebooted the AP's to see if they retain the mappings and they did. I've seen in the HREAP design deployment that it is preferred to use the same VLAN ID's of the head office where the WLC is located as for the same to the branch offices where the HREAP AP's are located.
  I can see why as this will resolve my problem, however this network was designed without the knowledge of HREAP being deployed to the remote sites and I would like to minimize change from a LAN perspective.
  Will this be my only solution by standardizing the branch office VLAN ID's the same as the head office network or should I be able to use different VLAN ID's for the branch offices?
  Thanks for your time reading this and for your input. If you know any discussion regarding this, please add the url.
  Regards
  Jurgens

  Hi,
  I'm having the same problem. And I have two WLCs (WISM) with 7.0.220 version.
  I think because of this BUG: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw92394&from=summary
  Anyone knows how can I solve this problem?
  I Have 42 HREAP APs, and when I have some link problem on the remote Branch and the AP lose for a few seconds Connectivity to the 1º Controller its loses the VLAN Mappings (all turned to the Native VLAN).

• AP-Specific WLAN-VLAN Mapping audit

  Is there anyway to audit the access points in FC mode to determine the WLAN-VLAN mapping and if it is AP or WLAN specific?
  or
  Is there a script that I can run to make the WLAN-VLAN mappings on all FC mode APs AP-Specific?

  Thanks for the fast reply.
  Here are the screen shots:
  Settings "Flexconnect group"
  Settings "Access Point"
  Error message

• Flexconnect static mapping of WLAN to VLAN

  5508 running 7.4
  I want to create a definition for a particular site that maps WLANs (SSIDs) to switched VLANs.   I know that I can go to Wireless => Select AP => VLAN mappings on an individual AP basis.  But is there a way to create a group that will do this?  I thought it could be done with flexconnect groups but I just could not find a way to make it happen there.  Then I ran across this Architecting Network for Branch Offices with Cisco Unified Wireless Cisco Live presentation:
  http://d2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKEWN-2016.pdf
  And on page 28 it states:
  AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location
  And it then goes on to give a Configuration/VLAN mapping example in which I fail to see where VLANs are mentioned at all.
  Is what I am trying to do possible?
  Thanks,
  -JEff

  Hi Scott, thanks for the reply
  I have a main campus with several different distribution blocks that each use unique VLAN IDs.  And I have about a dozen remote sites that will all use common VLAN IDs.  I am configuring a single SSID (WLAN 2) to be used across all of these locations.  So at my main campus building "A" will have WLAN 2 mapped to VLAN 55 while building "B" will have WLAN 2 mapped to VLAN 65.  At each of the remote sites WLAN 2 needs to be maped to VLAN 15.
  So let's say I want to configure the main campus buildings A and B.  I create a dynamic interface for vlan 55 and name it something creative like vlan-55, Likewise for vlan 65.  Then I create an AP group named APG-55, add WLAN 2 to it and add all of my APs in that buliding.  What I don't understand is where the dynamic interface comes into play.  From your explanation it would seem that I need to assoiciate the dynamic interface to an AP group somehow.  What am I missing?
  Thanks!
  -Jeff