AP Groups VLAN

I have a controller that has 4 SSIDs (3 corporate and 1 guest SSID) configured with 10 APs. I want only 1 of the APs to advertise all 4. This is my conference room and we will only allow guest access in the conference room. The other APs need to be only the 3 corp SSIDs.
I configured AP Groups for this. I enabled the AP Group vlan function and set up 1 group that only had my corp ssids-interfaces and I set up 1 group that had the corp-ssids and the guest ssid. I applied the corp only to the corp only AP's and the corp+guest to the conference room AP and rebooted all of the AP's.
All the AP's still seem to offer the guest ssid and this does not seem to limit the advertised ssid's.
Am I missing something or is there another way to control the ssid's per AP?
Thanks for any advice.

No need to use AP groups. AP groups are for logical segmentation of the wired traffic. To learn more about ap group check out my video http://www.my80211.com/cisco-labs/2009/3/22/cisco-ap-group-nugget.html
What you are interested in is WLAN OVERRIDE. Dive into the controller and then AP level (the AP in question). At the bottom of the screen you will see WLAN OVERRIDE. Click on the SSIDs you want to service from that AP.
Cheers...
If you found this post helpful please rate it

Similar Messages

  • AP Groups VLAN showing all SSIDs - Need help.....

    Hey everyone!
    I am hoping I can find some help with configuring the AP Groups VLAN feature on a WiSM + WCS ver 4.2 environment. I enabled and set up AP Groups VLAN for a campus type network according to the guide here:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
    The issue I am having is that even though I enabled and setup the AP Group VLAN as well as assigned the interface / network the AP to the group, all the SSIDs still broadcast on that AP where I only want one SSID to be present. I am testing this in a building that is an extension of another and only have 1 AP thus far so I know I am not picking up the SSIDs from other APs. 
    Anyone have any suggestions or can help? I would greatly appreciate it.....
    Thank You!
    Ed

    Hi Ed,
    The feature you are looking for is called WLAN Override in 4.x release versions
    Enabling WLAN Override
    By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN Override option to select which WLANs are transmitted and which ones are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted or you can use it to disable a specific WLAN in a certain area of the network.
    From this doc;
    http://www.cisco.com/en/US/docs/wireless/controller/4.0/configuration/guide/c40wlan.html#wp1114777
    Once you create a new WLAN, the WLAN > Edit page for the new WLAN appears. In this page you can define various parameters specific to this WLAN including General Policies, RADIUS Servers, Security Policies, and 802.1x Parameters.
    **Check Admin Status under General Policies to enable the WLAN. If you want the AP to broadcast the SSID in its beacon frames, check Broadcast SSID.
    Note: You can configure up to sixteen WLANs on the controller. The Cisco WLAN Solution can control up to sixteen WLANs for Lightweight APs. Each WLAN has a separate WLAN ID (1 through 16), a separate WLAN SSID (WLAN name), and can be assigned unique security policies. Lightweight APs broadcast all active Cisco WLAN Solution WLAN SSIDs and enforce the policies that you define for each WLAN.
    From this good doc;
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a0080665d18.shtml#c3
    Hope this helps!
    Rob

  • AP Group VLAN "Feelgood" does not exists on controller.

    Hi,
    While applying templates from WCS, I am getting the status report error message AP Group VLAN "Feelgood" does not exists on controller.
    I have double checked that the particular AP group WLAN is created and mapped to the correct interface in the controller. This is not the first AP group created on the controller; other AP groups are working on the same controller.
    Is there any Bug?
    Thanks

    Typically you still need to make sure that the country codes are indeed configured on the WLC. Things can change when you upgrade code, as standards might have changed and regulations also. If your APs are functional, then you should be okay and I wouldn't worry too much about it, but if after the upgrade the WLC complains about country code stuff, then you just need to verify that the AP's country code is defined on the WLC. Many times the AP will not join, and if it does join, the radios might be disabled or in a down status.

  • AP-Group vlan in 4.2.207

    Hello everyone,
    I'm trying to assign a separate interface (VLAN) to the same SSID on different APs. For this I have defined a new dynamic interface with a new VLAN. I also defined an additional AP group that has the same default SSID but with a different interface assigned. I took an AP and assigned it to that group, but when a client associates on that AP, the controller ignores the new interface and keeps it on the interface defined for the SSID in the default group.
    Any suggestions?
    Thanks in advance.

    Thanks George for your answer.
    Your tutorial is the solution but I had already found another guide very similar at cisco:
    http://www.cisco.com/application/pdf/paws/71477/ap-group-vlans-wlc.pdf
    Thank you.
    Regards.

  • Cisco 1702i WAP: how to get an interface in a non-native bridge group/ VLAN to be recognized by the internal DHCP server

    Does anyone know how the internal DHCP server in these access points connects to virtual interfaces and bridges in the unit?
    Is there some sort of default connection that connects the DHCP server to the native bridge group or VLAN?
    In a test case, with an SSID in the native VLAN and bridge group, the 1702i serves an IP address to a wireless client no problem. But with a second SSID in a non native VLAN and bridge group, no IP gets served. My only guess is that since the bvi1 defaults to the native bridge group and VLAN, sub-interfaces also in this group are assumed to be in the same subnet as bvi1, or in this case:
    interface bvi1
      ip address 192.168.1.205 255.255.255.0
      no ip route-cache
      exit
    It would be the ..1. subnet.
    Since the dhcp pool is set as:
    ip dhcp pool GeneralWiFi
      network 192.168.1.0 255.255.255.0
      lease 1
      default-router 192.168.1.1
      dns-server 8.8.8.8
      exit
    There may be an assumption that anything bvi1 can talk to is in the ..1. subnet, so the above pool gets activated on a request coming through bvi1.
    Is the DHCP server just hanging out waiting for a request from an "area" that is assumed to be on the same subnet as the given pool?
    Do I need to somehow show the device what subnet the 2nd SSID/ subinterfaces are in so the internal DHCP server can decide it needs to go to work, or is there some sort of bridging between the DHCP server and the interfaces that needs to be done? I am trying to use the same DHCP pool for the second subnet at this point, since I assume I will need another router to service an additional subnet and DHCP pool.

    Keep in mind that DHCP is a broadcast packet to start. So the AP can only listen in the subnet that it has an IP address for.
    Now, for any other subnet you can use the AP for DHCP but you have to have an IP helper address on your L3 pointing back to the AP.
    That being said, I wouldn't use the DHCP server on the AP as it is limited. You'd be better off using a Microsoft server or some other device that is designed for DHCP.
    HTH,
    Steve

  • VLAN assignment depending on AP for one SSID

    Hi,
    I read the AP Group VLANs with WLC configuration examples but did not find exactly what I look for. I'm on a WLC 5500.
    I try to create AP groups which broadcast a set of SSIDs, but inside AP groups, depending on the AP on which the connection is made, I want to assign a specific VLAN for the clients.
    If connection is made on SSID1 and AP1 -> one VLAN, for example VLAN_SSID1_AP1
    same for SSID1 and AP2 -> another VLAN, for example VLAN_SSID1_AP2
    I want to assign some VLANs to one of my networks to get local IPs depending on the AP.
    The VLANs are all defined as dynamic interfaces. Currently the SSID matches one VLAN, but I did not find how to do this assignment. I cannot define a VLAN for a network (SSID) and an AP.
    Thanks for your ideas,
    Christophe

    You need to create two AP Groups.  Both will have the SSID, but AP Group #1 will have SSID mapped to vlan 1 and AP Group #2 will have SSID mapped to vlan 2.  Then you add the appropriate ap's to which group you want.

  • AP Grouping configuration

    Infrastructure:
    we have 3000 access point spread across 15 buildings,
    we have 15 WiSMs (3no.s of 6509 controllers) catering those AP's from central locations,
    we have 350 AP's in one building (3 floors) and in some 200 AP's(2 floors),
    planning for ACS with EAP-FAST implementation.
    Requirement:
    I want to use /24 subnet for AP's as well as for WLAN Clients.
    clients should have /24 subnet only
    I know about the AP grouping concept and I read some documents as well on the Cisco site, but those documents didn't help me much with AP Grouping VLAN and external DHCP configuration (client).
    Could anyone help me in configuring the AP grouping with external DHCP server for clients /24 subnet IP's.

    Thanks for your reply,
    My Switch working as L2 in buildings and L3 only in Datacenter location.
    I am Planning to use 8 SSID's,
    As a best practice from Cisco 100 AP's per subnet, I would like to go with AP grouping configuration, now I would like to know how to configure clients with /24 subnet, (external DHCP Server), if you have any sample configuration steps kindly share the same, or give me idea about how to configure /24 subnet for clients.
    in the WiSM I am configuring AP grouping 90 access point to one group, 150 access point to one group, remaining in the other group.
    Now since I have only 3 AP group and I want to configure /24 clients keeping max. 20 users per access point. how to configure the client IP address.

  • AP Groups SSID's

    Hello
    When you create an AP group, you define which SSIDs belong to the AP group. I don't understand why the APs broadcast all the SSIDs that are defined on the LAN controller; I understood that they should only publish the SSIDs that are defined in the AP group.
    Is there any way to make the AP publish only the SSIDs that are defined in its AP group?

    Hi Jose,
    That is not the main purpose of AP groups, I believe, and I believe what you see is expected.
    The whole purpose of AP Group VLAN is that the same SSID can be mapped to multiple VLANs and then mapped to different AP groups, which are further mapped to APs. When you roam to different APs which are mapped to different AP groups, depending upon which AP you are associated with, you will get assigned to that VLAN, as the SSID remains the same but is mapped to different VLANs.
    I believe what you should configure is WLAN Override feature where you can select which AP should advertise which WLANS and you can specify it per radio also.
    Have a look at this link
    http://www.cisco.com/univercd/cc/td/doc/product/wireless/control/c44/ccfig40/c40wlan.htm#wp1114777
    HTH
    Ankur
    *Pls rate all helpful posts

  • AP Groups

    Hi All
    Cisco WiSM
    LWAPP 1000 - 1200 Series APs
    4 x wLANs (guest, data, voice, manufacturing)
    I have a requirement to only allow one WLAN (voice) on a specific group of access points. Is this possible? If so, how do you do it? I have created an AP Groups VLAN and only allowed the voice VLAN. I then added the specific access points to this group. However, it seems that all four WLANs are still being serviced by these APs...? Any ideas?
    Many thanks
    Michael

    Depending on the code version that you are running you will want to use AP Groups or WLAN Override.  These two features were combined into one in the later versions.  Since you mention using 1000 series AP's I'll assume you are running 4.2 or earlier.  In this case you would use WLAN override.  Go to Wireless - AP's - 802.11a (or b/g) and configure the radio interface for the AP.  Under there you will see a dropdown to enable WLAN Override.  After you enable it check the WLANs you want to be broadcast on that radio.  Apply the changes and reboot the AP.

  • ISE policy, DACLs and VLAN changes together

    So I have been having a hard time finding consistency in a policy that both changes the VLAN and applies a DACL. Originally, I found out that remarks were causing it to mess up. But I can't find any consistency. I can use the vanilla 'permit all' DACL in ISE, along with a VLAN change, and it just doesn't work. My AuthZ is very simple... If you are wired_MAB and your endpoint is in a particular group, then apply a policy that changes the VLAN and applies a DACL. This seems like it's at the root of what ISE is supposed to do, but it seems so buggy. Weird thing is that if I do the VLAN change by itself, it works. But when I add the DACL, neither works. Anyone have any ideas as to why this is?

    So it worked this time. The machine has been sitting in sleep mode for a while now. This is so inconsistent. Could it have something to do with me using the same machine to test a few different policies? I'm just switching the machine's MAC between different groups in order to test different policies. That's really when it stops working.
    - Do you have a pre-auth acl configured already on the port ? Yes, one that says permit any any
    - Is the port running open mode ? Yes
    - What does the "show auth sess int x/x" tell you once the ise has sent the authorization result to the switch ?
    SJ5051IDF1#show authentication sess int g1/5 d
                Interface:  GigabitEthernet1/5
              MAC Address:  d4be.d905.3973
             IPv6 Address:  Unknown
             IPv4 Address:  10.42.163.59
                User-Name:  D4-BE-D9-05-39-73
                   Status:  Authorized
                   Domain:  DATA
           Oper host mode:  multi-auth
         Oper control dir:  both
          Session timeout:  N/A
        Common Session ID:  0A0600210000007B24636E88
          Acct Session ID:  0x00000086
                   Handle:  0x4A000055
           Current Policy:  POLICY_Gi1/5
    Local Policies:
    Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
          Security Policy:  Should Secure
          Security Status:  Link Unsecure
    Server Policies:
               Vlan Group:  Vlan: 1620
                  ACS ACL:  xACSACLx-IP-BLDG-AUTOMATION-DACL-52fa7487
    Method status list:
           Method           State
           mab              Authc Success
    interface GigabitEthernet1/5
    switchport access vlan 32
    switchport mode access
    switchport voice vlan 64
    ip access-group ACL-ALLOW in
    logging event link-status
    authentication event fail action next-method
    authentication event server dead action authorize vlan 2700
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    service-policy input QoS-Input-Policy
    service-policy output QoS-Host-Port-Output-Policy
    end
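
An added example (not part of the original posts): a small Python check over `show authentication sessions ... detail` output like that quoted above, confirming that both the server-assigned VLAN and the downloadable ACL landed on the session. The sample text, expected values and function names are constructed for illustration; the `xACSACLx-IP-<name>-<version>` naming is assumed from the ACL name visible in the quoted output.

```python
import re

# Constructed sample in the layout of the switch output quoted above.
SAMPLE_BOTH = """\
            Interface:  GigabitEthernet1/5
          MAC Address:  0000.5e00.5301
         IPv4 Address:  192.0.2.59
               Status:  Authorized
               Domain:  DATA
Local Policies:
Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
Server Policies:
           Vlan Group:  Vlan: 1620
              ACS ACL:  xACSACLx-IP-EXAMPLE-DACL-00000000
Method status list:
       Method           State
       mab              Authc Success
"""
# Same session with the downloadable ACL line missing (VLAN applied alone).
SAMPLE_VLAN_ONLY = "\n".join(
    l for l in SAMPLE_BOTH.splitlines() if "ACS ACL" not in l)

FIELD = re.compile(r"^(.+?):\s{2,}(.*)$")  # "Key:  value", two or more spaces


def parse_session(text):
    """Split the output into top-level fields, named sections and methods."""
    session = {"fields": {}, "sections": {}, "methods": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # section header such as "Server Policies:"
            section = line[:-1]
            session["sections"].setdefault(section, {})
            continue
        m = FIELD.match(line)
        if m:
            target = session["sections"][section] if section else session["fields"]
            target[m.group(1).strip()] = m.group(2).strip()
        elif section == "Method status list":
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] != "Method":  # skip column header
                session["methods"][parts[0]] = parts[1].strip()
    return session


def check_authz(text, expect_vlan, expect_dacl):
    """Return a list of findings; empty means VLAN and dACL were both applied."""
    s = parse_session(text)
    server = s["sections"].get("Server Policies", {})
    findings = []
    if s["fields"].get("Status") != "Authorized":
        findings.append("session is not Authorized")
    if not any(state == "Authc Success" for state in s["methods"].values()):
        findings.append("no authentication method succeeded")
    vlan = re.search(r"Vlan:\s*(\d+)", server.get("Vlan Group", ""))
    if vlan is None or int(vlan.group(1)) != expect_vlan:
        findings.append(f"VLAN {expect_vlan} not applied")
    if not server.get("ACS ACL", "").startswith(f"xACSACLx-IP-{expect_dacl}-"):
        findings.append(f"dACL {expect_dacl} not applied")
    return findings


if __name__ == "__main__":
    for name, sample in (("both", SAMPLE_BOTH), ("vlan only", SAMPLE_VLAN_ONLY)):
        print(name, check_authz(sample, 1620, "EXAMPLE-DACL") or "ok")
```

Running this against each test endpoint after moving its MAC between groups gives a repeatable record of which authorization results actually reached the port.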

  • Help with VLANs on ASR9001

    Hi All,
    I have read the examples on this forum of setting up VLANs but must have missed something.
    I'm trying to set up Bundle-Ether 1 to connect to a 3750X on VLAN 220; Bundle-Ether 2 will go to a customer (not active yet).
    Both the ASR and 3750 are reporting the port channel active but I cannot ping end to end.
    Here is my ASR current (non-production) config
    lacp system mac e4c7.2243.689c
    rp mgmtethernet forwarding
    interface Bundle-Ether1
    description 2x10GbE Bundle to SecurITon Core
    mac-address e4c7.2243.689c
    interface Bundle-Ether1.220 l2transport
    description -220-
    encapsulation dot1q 220
    rewrite ingress tag pop 1 symmetric
    interface Bundle-Ether2
    description 220
    bundle minimum-active links 1
    l2transport
    interface TenGigE0/0/2/0
    bundle id 1 mode active
    interface TenGigE0/0/2/1
    nv
      edge
       interface
    transceiver permit pid all
    interface TenGigE0/0/2/2
    bundle id 2 mode active
    interface TenGigE0/0/2/3
    nv
      edge
       interface
    interface TenGigE1/0/2/0
    bundle id 1 mode active
    interface TenGigE1/0/2/1
    nv
      edge
       interface
    transceiver permit pid all
    interface TenGigE1/0/2/2
    bundle id 2 mode active
    interface TenGigE1/0/2/3
    nv
      edge
       interface
    interface BVI220
    ipv4 address 172.17.220.2 255.255.255.0
    l2vpn
    bridge group VLANs
      bridge-domain vlan220
       interface Bundle-Ether2
       interface Bundle-Ether1.220
       routed interface BVI220
    here is sh int br
                   Intf       Intf        LineP              Encap  MTU        BW
                   Name       State       State               Type (byte)    (Kbps)
                  BV220          up          up               ARPA  1514   10000000
                    BE1          up          up               ARPA  1514   20000000
                BE1.220          up          up             802.1Q  1518   20000000
                    BE2        down        down               ARPA  1514          0
                    Nu0          up          up               Null  1500          0
        Mg0/RSP0/CPU0/0          up          up               ARPA  1514    1000000
        Mg0/RSP0/CPU0/1          up          up               ARPA  1514    1000000
              Te0/0/2/0          up          up               ARPA  1514   10000000
              Te0/0/2/1          up          up               ARPA  1514   10000000
              Te0/0/2/2        down        down               ARPA  1514   10000000
              Te0/0/2/3          up          up               ARPA  1514   10000000
        Mg1/RSP0/CPU0/0          up          up               ARPA  1514    1000000
        Mg1/RSP0/CPU0/1          up          up               ARPA  1514    1000000
              Te1/0/2/0          up          up               ARPA  1514   10000000
              Te1/0/2/1          up          up               ARPA  1514   10000000
              Te1/0/2/2        down        down               ARPA  1514   10000000
              Te1/0/2/3          up          up               ARPA  1514   10000000
    here is the 3750 x config
    vlan 220
    name220
    Interface vlan 220
    description 220
    ip address 172.17.220.10 255.255.255.0
    interface TenGigabitEthernet1/1/2
    description —ASR9001
    switchport access vlan 220
    switchport mode access
    no cdp enable
    no cdp tlv server-location
    no cdp tlv app
    spanning-tree portfast trunk
    spanning-tree bpdufilter enable
    channel-protocol lacp
    channel-group 12 mode active
    interface TenGigabitEthernet2/1/2
    description —ASR9001
    switchport access vlan 220
    switchport mode access
    no cdp enable
    no cdp tlv server-location
    no cdp tlv app
    spanning-tree portfast trunk
    spanning-tree bpdufilter enable
    channel-protocol lacp
    channel-group 12 mode active
    interface Port-channel12
    description --ASR9001
    switchport access vlan 220
    switchport mode access
    spanning-tree portfast trunk
    spanning-tree bpdufilter enable

    Thank you

  • SSID and Vlans

    I want to have two SSIDs for all branches in my country, but each one in a different subnet, for example:
    Area 1
    SSID 1 : guest -> 192.168.1.1
    SSID 2 : office -> 192.168.2.1
    Area 2
    SSID 1 : guest -> 192.168.3.1
    SSID 2 : office -> 192.168.4.1
    I have configured an AP group, and this works successfully but only with one SSID. I need two SSIDs, each one associated with multiple VLANs, so that when users connect to SSID guest they receive the correct IP from the corresponding subnet (in Area 1 the host IP address is 192.168.1.X and in Area 2 the user receives the address 192.168.3.X, both using the same SSID "guest"). How can I meet these requirements using two SSIDs? Using AP groups, or are there other methods?

    AP Group VLANs are used in a setup where a Universal WLAN (service set identifier [SSID]) is required but clients need to be differentiated (placed on different interfaces configured on the WLC) by virtue of physical LAPs they associate with. Refer URL
    http://cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml#c2

  • AP group vs WLAN override interface priority

    Hi,
    SW version 4.2.207.0
    Which interface(VLAN ID) of SSID has priority while AP is configured with WLAN override?
    One configured in AP group or one configured in WLAN SSID.
    Example:
    LAP1 is in AP group with SSID1 to interface VLAN2 mapping
    WLAN SSID1 has mapping to interface VLAN3
    LAP1 has WLAN override enable for SSID1.
    Clients connected to LAP1 will be in VLAN2 or VLAN3?
    Thanks for clarifying.

    clients will be connecting to VLAN3. WLAN overrides what WLAN needs to be enabled/broadcasted on specific AP while AP group overrides WLAN to VLAN mappings.
    http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/c42wlan.html#wp1127323
    Configuring WLAN Override
    By default, access points transmit all defined WLANs on the controller. However, you can use the WLAN override option to select which WLANs are transmitted and which are not on a per access point basis. For example, you can use WLAN override to control where in the network the guest WLAN is transmitted, or you can use it to disable a specific WLAN in a certain area of the network.
    Configuring Access Point Groups
    In a typical deployment, all users on a WLAN are mapped to a single interface on the controller. Therefore, all users associated with that WLAN are on the same subnet or VLAN. However, you can override this default WLAN setting to distribute the load among several interfaces or to group users based on specific criteria such as individual departments (for example, marketing) by creating access point groups (formerly known as site-specific VLANs). Additionally, these access point groups can be configured in separate VLANs to simplify network administration
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
    AP Group VLANs with Wireless LAN Controllers Configuration Example

  • Copy AP Configuration Templates-WCS 7.0.172.0

    I am wondering if anyone has seen a way to copy an AP configuration template. We have several distribution centers and the templates are essentially identical other than the Template name and the AP Group VLAN (different for each DC). We set up a new template for each new DC. Being able to copy a template, rename it and change the Group VLAN setting would save a lot of time.

    I haven't been able to make it work like it was in prior versions.  I have found you can initiate the session from monitor-->access points--->ap name and selecting the radio type.  802.11b/g/n, or 802.11a/n.  The icon is under cleanair management operation.

  • How to have H-REAP broadcast only specific locally switched SSID's?

    I'm new to this H-REAP configuration, but in the main office we have about 6 WLANs. I have a remote office which I want to have 2 new WLANs and have them switched locally. How can I have the H-REAP APs at this site only broadcast those 2 SSIDs vs all 8? I haven't really read anything about using AP Group VLANs with H-REAP or know if that's even possible, but is this a possibility and if not, what would you recommend?
    Thanks for the help!

    I may create another topic - but here it goes...
    I've decided to try to use an existing WLAN in the H-REAP config...
    -I've joined the AP to the remote controller, assigned it an IP, put it in H-REAP mode.
    -I chose a WLAN, enabled local switching
    -I went into the AP, configured the native VLAN, however, I CAN NOT change the vlan of the WLAN listed.  It always goes back to default.
    I verified the vlan exists on the switch, is routable, etc, the switch port is a member of that vlan, it is set as a trunk w/ 802.1q, etc.
    Any ideas on what would cause this?
    I am SOO close   Thanks!
