AP Groups VLAN
I have a controller that has 4 SSID's (3 corporate and 1 guest ssid) configured with 10 AP's. I want only 1 of the AP's to advertise all 4. This is my conference room and we will only allow guest access in the conference room. The other AP's need to be only the 3 corp ssid's.
I configured AP Groups for this. I enabled the AP Group vlan function and set up 1 group that only had my corp ssids-interfaces and I set up 1 group that had the corp-ssids and the guest ssid. I applied the corp only to the corp only AP's and the corp+guest to the conference room AP and rebooted all of the AP's.
All the AP's still seem to offer the guest ssid and this does not seem to limit the advertised ssid's.
Am I missing something or is there another way to control the ssid's per AP?
Thanks for any advice.
No need to use AP groups. AP groups are for logical segmentation of the wired traffic. To learn more about ap group check out my video http://www.my80211.com/cisco-labs/2009/3/22/cisco-ap-group-nugget.html
What you are interested in is WLAN OVERRIDE. Dive into the controller and then AP level (the ap in question). Bottom of the screen you will see WLAN OVERRIDE. Click on the SSIDs you want to service from that AP.
Cheers...
If you found this post helpful please rate it
-
AP Groups VLAN showing all SSIDs - Need help.....
Hey everyone!
I am hoping I can find some help with configuring the AP Groups VLAN feature on a WiSM + WCS ver 4.2 environment. I enabled and setup AP Groups VLAN for a campus type network according to the guide here:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
The issue I am having is that even though I enabled and setup the AP Group VLAN as well as assigned the interface / network the AP to the group, all the SSIDs still broadcast on that AP where I only want one SSID to be present. I am testing this in a building that is an extension of another and only have 1 AP thus far so I know I am not picking up the SSIDs from other APs.
Anyone have any suggestions or can help? I would greatly appreciate it.....
Thank You!
Ed
Hi Ed,
The feature you are looking for is called WLAN Override in 4.x release versions
Enabling WLAN Override
By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN Override option to select which WLANs are transmitted and which ones are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted or you can use it to disable a specific WLAN in a certain area of the network.
From this doc;
http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40wlan.html#wp1114777
Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. In this page you can define various parameters specific to this WLAN including General Policies, RADIUS Servers, Security Policies, and 802.1x Parameters.
**Check Admin Status under General Policies to enable the WLAN. If you want the AP to broadcast the SSID in its beacon frames, check Broadcast SSID.
Note: You can configure up to sixteen WLANs on the controller. The Cisco WLAN Solution can control up to sixteen WLANs for Lightweight APs. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies. Lightweight APs broadcast all active Cisco WLAN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
From this good doc;
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c3
Hope this helps!
Rob -
AP Group VLAN "Feelgood" does not exists on controller.
Hi,
While applying templates from WCS, I am getting status report error message AP Group VLAN "Feelgood" does not exists on controller.
I have double checked the particular AP group WLAN is created & mapped to the correct interface in the controller. This is not first AP group created on the controller, other AP groups are working on the same controller.
Is there any Bug?
Thanks
Typically you still need to make sure that the country codes are indeed configured on the WLC. Things can change when you upgrade code as standards might have changed and regulations also. If your AP's are functional, then you should be okay and I wouldn't worry too much about it, but if after the upgrade, the WLC complains about country code stuff, then you just need to verify that the AP's country code is defined on the WLC. Many times the AP will not join and if it does join, the radios might be disabled or in a down status.
Sent from Cisco Technical Support iPad App -
AP-Group vlan in 4.2.207
Hello everyone,
I'm trying to assign a separate interface (VLAN) to the same SSID on different APs. For this I have defined a new dynamic interface with a new vlan, I also defined an additional AP group has the same default SSID but changing the interface that is assigned. I took an AP and I've assigned to that group, but when a client is associated on that AP, controller ignores the new interface and keeps it in the interface defined at SSID at default group.
Any suggestions?
Thanks in advance.
Thanks George for your answer.
Your tutorial is the solution but I had already found another guide very similar at cisco:
http://www.cisco.com/application/pdf/paws/71477/ap-group-vlans-wlc.pdf
Thank you.
Regards. -
Does anyone know how the internal DHCP server in these access points connects to virtual interfaces and bridges in the unit?
Is there some sort of default connection that connects the DHCP server to the native bridge group or VLAN?
In a test case, with an SSID in the native VLAN and bridge group, the 1702i serves an IP address to a wireless client no problem. But with a second SSID in a non native VLAN and bridge group, no IP gets served. My only guess is that since the bvi1 defaults to the native bridge group and VLAN, sub-interfaces also in this group are assumed to be in the same subnet as bvi1, or in this case:
interface bvi1
ip address 192.168.1.205 255.255.255.0
no ip route-cache
exit
It would be the ..1. subnet.
Since the dhcp pool is set as:
ip dhcp pool GeneralWiFi
network 192.168.1.0 255.255.255.0
lease 1
default-router 192.168.1.1
dns-server 8.8.8.8
exit
There may be an assumption that anything bvi1 can talk to is in the ..1. subnet, so the above pool gets activated on a request coming through bvi1.
Is the DHCP server just hanging out waiting for a request from an "area" that is assumed to be on the same subnet as the given pool?
Do I need to somehow show the device what subnet the 2nd SSID/ subinterfaces are in so the internal DHCP server can decide it needs to go to work, or is there some sort of bridging between the DHCP server and the interfaces that needs to be done? I am trying to use the same DHCP pool for the second subnet at this point, since I assume I will need another router to service an additional subnet and DHCP pool.
Keep in mind that DHCP is a broadcast packet to start. So the AP can only listen in the subnet that it has an IP address for.
Now, for any other subnet you can use the AP for DHCP but you have to have an IP helper address on your L3 pointing back to the AP.
That being said, I wouldn't use the DHCP server on the AP as it is limited. You'd be better off using a Microsoft server or some other device that is designed for DHCP.
HTH,
Steve -
VLAN assignment depending on AP for one SSID
Hi,
I read the AP Group VLANs with WLC configuration examples but did not find exactly what I look for. I'm on a WLC 5500.
I try to create AP groups which broadcast a set of SSID, but inside AP groups, depending on the AP on which the connection is made, i want to assign a specific VLAN for the clients.
If connection is made on SSID1 and AP1 -> one VLAN, for example VLAN_SSID1_AP1
same for SSID1 and AP2 -> another VLAN, for example VLAN_SSID1_AP2
I want to assign some VLANs to one of my networks to get local IPs depending on the AP.
The VLAN are all defined as dynamic interfaces, currently the SSID matches one VLAN, but i did not find how to do this assignment. I cannot define a VLAN for a network(SSID) and an AP.
Thanks for your ideas,
Christophe
You need to create two AP Groups. Both will have the SSID, but AP Group #1 will have SSID mapped to vlan 1 and AP Group #2 will have SSID mapped to vlan 2. Then you add the appropriate ap's to which group you want.
-
Infrastructure:
we have 3000 access point spread across 15 buildings,
we have 15 WiSMs (3no.s of 6509 controllers) catering those AP's from central locations,
we have 350 AP's in one building (3 floors) and in some 200 AP's(2 floors),
planning for ACS with EAP-FAST implementation.
Requirement:
I want to use /24 subnet for AP's as well as for WLAN Clients.
clients should have /24 subnet only
I know about the AP grouping concept and I read some document as well on the cisco site, but in those documents didn't help me much for AP Grouping VLAN and external DHCP configuration (Client)
Could anyone help me in configuring the AP grouping with external DHCP server for clients /24 subnet IP's.
Thanks for your reply,
My Switch working as L2 in buildings and L3 only in Datacenter location.
I am Planning to use 8 SSID's,
As a best practice from Cisco 100 AP's per subnet, I would like to go with AP grouping configuration, now I would like to know how to configure clients with /24 subnet, (external DHCP Server), if you have any sample configuration steps kindly share the same, or give me idea about how to configure /24 subnet for clients.
in the WiSM I am configuring AP grouping 90 access point to one group, 150 access point to one group, remaining in the other group.
Now since I have only 3 AP group and I want to configure /24 clients keeping max. 20 users per access point. how to configure the client IP address. -
Hello
When you create an Ap-Group you are defined that SSID is going to belong to the AP-Group. I don't understand because they in the AP spread all the SSID that they is definite in the Lan controller, I understand that only should publish the SSID that they are defined when you define the AP-Group.
Does any form exist of that the AP it only publish the SSID that they is definite in their AP-Group?
Hi Jose,
That is not the main purpose of AP group I believe and I believe what you see is expected.
The whole purpose of AP Group vlan is that same ssid can be mapped to multiple vlans and then mapped to different ap groups which is further mapped to APs and when you roam to different APs which are mapped to different AP groups depending upon which AP you are associated you will get assigned to that vlan as the SSID remain same but mapped to different vlans.
I believe what you should configure is WLAN Override feature where you can select which AP should advertise which WLANS and you can specify it per radio also.
Have a look at this link
http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40wlan.htm#wp1114777
HTH
Ankur
*Pls rate all helpful post -
Hi All
Cisco WiSM
LWAPP 1000 - 1200 Series APs
4 x wLANs (guest, data, voice, manufacturing)
I have a requirement to only allow one wLAN (voice) on a specific group of access points? is this possible? if so, how do you do it? I have created an AP Groups VLAN and only allowed the voice vlan. I then added the specific access points to this group. However, it seems that all four wLANs are still being serviced by these APs...? Any ideas?
Many thanks
Michael
Depending on the code version that you are running you will want to use AP Groups or WLAN Override. These two features were combined into one in the later versions. Since you mention using 1000 series AP's I'll assume you are running 4.2 or earlier. In this case you would use WLAN override. Go to Wireless - AP's - 802.11a (or b/g) and configure the radio interface for the AP. Under there you will see a dropdown to enable WLAN Override. After you enable it check the WLANs you want to be broadcast on that radio. Apply the changes and reboot the AP.
-
ISE policy, DACLs and VLAN changes together
So I have been having a hard time finding consistency in a policy that both changes the VLAN and applies a DACL. Originally, I found out that remarks were causing it to mess up. But I can't find any consistency. I can use the vanilla 'permit all' DACL in ISE, along with a VLAN change, and it just doesn't work. My AuthZ is very simple...If you are wired_MAB and your endpoint is in a particular group, then apply a policy that changes the VLAN and applies a DACL. This seems like it's at the root of what ISE is supposed to do, but it seems so buggy. Weird thing is, that if I do the VLAN change by itself, it works. But when I add the DACL neither work. Anyone have any ideas as to why this is?
So it worked this time. The machine has been sitting in sleep mode for a while now. This is so inconsistent. Could it have something to do with me using the same machine to test a few different policies? I'm just switching the machine's MAC between different groups in order to test different policies. That's really when it stops working.
- Do you have a pre-auth acl configured already on the port ? Yes, one that says permit any any
- Is the port running open mode ? Yes
- What does the "show auth sess int x/x" tell you once the ise has sent the authorization result to the switch ?
SJ5051IDF1#show authentication sess int g1/5 d
Interface: GigabitEthernet1/5
MAC Address: d4be.d905.3973
IPv6 Address: Unknown
IPv4 Address: 10.42.163.59
User-Name: D4-BE-D9-05-39-73
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0600210000007B24636E88
Acct Session ID: 0x00000086
Handle: 0x4A000055
Current Policy: POLICY_Gi1/5
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Security Policy: Should Secure
Security Status: Link Unsecure
Server Policies:
Vlan Group: Vlan: 1620
ACS ACL: xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
Method status list:
Method State
mab Authc Success
interface GigabitEthernet1/5
switchport access vlan 32
switchport mode access
switchport voice vlan 64
ip access-group ACL-ALLOW in
logging event link-status
authentication event fail action next-method
authentication event server dead action authorize vlan 2700
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication open
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
authentication violation restrict
mab
dot1x pae authenticator
dot1x timeout tx-period 10
service-policy input QoS-Input-Policy
service-policy output QoS-Host-Port-Output-Policy
end -
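The check asked for in the thread above ("what does show auth sess int x/x tell you") can be done mechanically. This is an added example, not part of the original post: `parse_session` and `check_authz` are hypothetical names, `SAMPLE` is the poster's output trimmed to the fields used, `BROKEN` is constructed, and treating the trailing 8 hex digits of the ACL name as a server-generated suffix is an assumption.

```python
import re

# Trimmed copy of the session detail quoted in the post.
SAMPLE = """\
Interface: GigabitEthernet1/5
MAC Address: d4be.d905.3973
Status: Authorized
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
Server Policies:
Vlan Group: Vlan: 1620
ACS ACL: xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
Method status list:
Method State
mab Authc Success
"""

# Constructed failure case: authorized, but nothing pushed by the server.
BROKEN = """\
Interface: GigabitEthernet1/5
Status: Authorized
Server Policies:
Method status list:
Method State
mab Authc Success
"""

SECTION = re.compile(r"^([A-Za-z ]+):\s*$")   # e.g. "Server Policies:"
# Assumption: downloaded ACL names look like xACSACLx-IP-<name>-<8 hex>.
DACL = re.compile(r"^xACSACLx-IP-(?P<name>.+)-(?P<stamp>[0-9a-f]{8})$")


def parse_session(text):
    """Split the output into top-level fields, named sections and methods."""
    out = {"fields": {}, "methods": {}}
    section = "fields"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:                                   # a header starts a new section
            section = m.group(1)
            out.setdefault(section, {})
            continue
        if section == "Method status list":     # "mab Authc Success" rows
            parts = line.split(None, 1)
            if len(parts) == 2 and parts != ["Method", "State"]:
                out["methods"][parts[0]] = parts[1]
            continue
        key, sep, value = line.partition(":")
        if sep:
            out[section][key.strip()] = value.strip()
    return out


def check_authz(session, want_vlan, want_dacl):
    """Return a list of findings; empty means VLAN and DACL were both applied."""
    findings = []
    if session["fields"].get("Status") != "Authorized":
        findings.append("session is not Authorized")
    server = session.get("Server Policies", {})
    vm = re.search(r"Vlan:\s*(\d+)", server.get("Vlan Group", ""))
    got_vlan = int(vm.group(1)) if vm else None
    if got_vlan != want_vlan:
        findings.append(f"VLAN from server is {got_vlan}, expected {want_vlan}")
    dm = DACL.match(server.get("ACS ACL", ""))
    got_dacl = dm.group("name") if dm else None
    if got_dacl != want_dacl:
        findings.append(f"DACL from server is {got_dacl}, expected {want_dacl}")
    return findings


if __name__ == "__main__":
    for label, text in (("SAMPLE", SAMPLE), ("BROKEN", BROKEN)):
        print(label, check_authz(parse_session(text), 1620, "BLDG-AUTOMATION-DACL"))
```

Running it against each capture taken while moving the test MAC between endpoint groups shows whether a given attempt lost the VLAN, the DACL, or both.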
Hi All,
I have read the examples on this forum of setting up vlans but must have missed something.
I'm trying to setup Bundle ether 1 to connect to a 3750x on vlan 220, bundle ether 2 will go to a customer (not active yet)
Both the asr and 3750 are reporting port channel active but i cannot ping end to end
here is my ASR current (non production) config
lacp system mac e4c7.2243.689c
rp mgmtethernet forwarding
interface Bundle-Ether1
description 2x10GbE Bundle to SecurITon Core
mac-address e4c7.2243.689c
interface Bundle-Ether1.220 l2transport
description -220-
encapsulation dot1q 220
rewrite ingress tag pop 1 symmetric
interface Bundle-Ether2
description 220
bundle minimum-active links 1
l2transport
interface TenGigE0/0/2/0
bundle id 1 mode active
interface TenGigE0/0/2/1
nv
edge
interface
transceiver permit pid all
interface TenGigE0/0/2/2
bundle id 2 mode active
interface TenGigE0/0/2/3
nv
edge
interface
interface TenGigE1/0/2/0
bundle id 1 mode active
interface TenGigE1/0/2/1
nv
edge
interface
transceiver permit pid all
interface TenGigE1/0/2/2
bundle id 2 mode active
interface TenGigE1/0/2/3
nv
edge
interface
interface BVI220
ipv4 address 172.17.220.2 255.255.255.0
l2vpn
bridge group VLANs
bridge-domain vlan220
interface Bundle-Ether2
interface Bundle-Ether1.220
routed interface BVI220
here is sh int br
Intf Intf LineP Encap MTU BW
Name State State Type (byte) (Kbps)
BV220 up up ARPA 1514 10000000
BE1 up up ARPA 1514 20000000
BE1.220 up up 802.1Q 1518 20000000
BE2 down down ARPA 1514 0
Nu0 up up Null 1500 0
Mg0/RSP0/CPU0/0 up up ARPA 1514 1000000
Mg0/RSP0/CPU0/1 up up ARPA 1514 1000000
Te0/0/2/0 up up ARPA 1514 10000000
Te0/0/2/1 up up ARPA 1514 10000000
Te0/0/2/2 down down ARPA 1514 10000000
Te0/0/2/3 up up ARPA 1514 10000000
Mg1/RSP0/CPU0/0 up up ARPA 1514 1000000
Mg1/RSP0/CPU0/1 up up ARPA 1514 1000000
Te1/0/2/0 up up ARPA 1514 10000000
Te1/0/2/1 up up ARPA 1514 10000000
Te1/0/2/2 down down ARPA 1514 10000000
Te1/0/2/3 up up ARPA 1514 10000000
here is the 3750 x config
vlan 220
name220
Interface vlan 220
description 220
ip address 172.17.220.10 255.255.255.0
interface TenGigabitEthernet1/1/2
description —ASR9001
switchport access vlan 220
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast trunk
spanning-tree bpdufilter enable
channel-protocol lacp
channel-group 12 mode active
interface TenGigabitEthernet2/1/2
description —ASR9001
switchport access vlan 220
switchport mode access
no cdp enable
no cdp tlv server-location
no cdp tlv app
spanning-tree portfast trunk
spanning-tree bpdufilter enable
channel-protocol lacp
channel-group 12 mode active
interface Port-channel12
description --ASR9001
switchport access vlan 220
switchport mode access
spanning-tree portfast trunk
spanning-tree bpdufilter enable
Thank you
-
I can to have two SSIDs for all branch of my country, but each ones in a differents subnets,for example:
Area 1
SSID 1 : guest -> 192.168.1.1
SSID 2 : office -> 192.168.2.1
Area 2
SSID 1 : guest -> 192.168.3.1
SSID 2 : office -> 192.168.4.1
I have configured AP-Group, and this works successfully but only with one SSID, I need two SSID, each one associated a multiples vlans, when the user are connect to SSID guest they receive the correct ip from the subnet corresponding,(Area1 ip address of host is 192.168.1.X and the Area 2 the user receives the address 192.168.3.X both using the same SSID "guest"), How I can reach this requirements using two SSID?. Using Ap-Group or there is other methods.
AP Group VLANs are used in a setup where a Universal WLAN (service set identifier [SSID]) is required but clients need to be differentiated (placed on different interfaces configured on the WLC) by virtue of physical LAPs they associate with. Refer URL
http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml#c2 -
AP group vs WLAN override interface priority
Hi,
SW version 4.2.207.0
Which interface(VLAN ID) of SSID has priority while AP is configured with WLAN override?
One configured in AP group or one configured in WLAN SSID.
Example:
LAP1 is in AP group with SSID1 to interface VLAN2 mapping
WLAN SSID1 has mapping to interface VLAN3
LAP1 has WLAN override enable for SSID1.
Clients connected to LAP1 will be in VLAN2 or VLAN3?
Thanks for clarifying.
Clients will be connecting to VLAN3. WLAN overrides what WLAN needs to be enabled/broadcasted on specific AP while AP group overrides WLAN to VLAN mappings.
http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1127323
Configuring WLAN Override
By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN override option to select which WLANs are transmitted and which are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted, or you can use it to disable a specific WLAN in a certain area of the network.
Configuring Access Point Groups
In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. Therefore, all users associated with that WLAN are on the same subnet or VLAN. However, you can override this default WLAN setting to distribute the load among several interfaces or to group users based on specific criteria such as individual departments (for example, marketing) by creating access point groups (formerly known as site-specific VLANs). Additionally, these access point groups can be configured in separate VLANs to simplify network administration
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
AP Group VLANs with Wireless LAN Controllers Configuration Example -
Copy AP Configuration Templates-WCS 7.0.172.0
I am wondering if anyone has seen a way to copy an AP configuration template. We have several distribution centers and the templates are essentially identical other than the Template name and the AP Group VLAN (different for each DC). We set up a new template for each new DC. Being able to copy a template, rename it and change the Group VLAN setting would save a lot of time.
I haven't been able to make it work like it was in prior versions. I have found you can initiate the session from monitor-->access points--->ap name and selecting the radio type. 802.11b/g/n, or 802.11a/n. The icon is under cleanair management operation.
-
How to have H-REAP broadcast only specific locally switched SSID's?
I'm new to this H-REAP configuration, but in the main office we have about 6 WLAN's. I have a remote office which I want to have 2 new WLAN's and have them switched locally. How can I only have the H-REAP AP's at this site only broadcast those 2 SSID's vs all 8? I haven't really read anything about using AP Group VLAN's with H-REAP or know if that's even possible, but is this a possibility and if not, what would you recommend?
Thanks for the help!
I may create another topic - but here it goes...
I've decided to try to use an existing WLAN in the H-REAP config...
-I've joined the AP to the remote controller, assigned it an IP, put it in H-REAP mode.
-I chose a WLAN, enabled local switching
-I went into the AP, configured the native VLAN, however, I CAN NOT change the vlan of the WLAN listed. It always goes back to default.
I verified the vlan exists on the switch, is routable, etc, the switch port is a member of that vlan, it is set as a trunk w/ 802.1q, etc.
Any ideas on what would cause this?
I am SOO close Thanks!