AP-Specific WLAN-VLAN Mapping audit

Similar Messages

• AP Flex-connect VLAN mapping auditing

  I am trying to find a way to conduct auditing for VLAN mapping for AP in flex-connect mode.
  I have seen the mapping changed due to AP reboot or other reasons untill the user reporting connection issues. I have looked NCS, and have not found a reporting function for this. Anyone uses script to do so?

  I also have created WCS/NCS/PI templates to push the WLAN to vlan changes in the early morning just I'm case. When users start complaining, it's faster to just push out the commands to all than trying to find what AP lost its vlan setting.
  Sent from Cisco Technical Support iPhone App

• Problem switching from AP-specific to Group-specific VLAN mapping

  Hello.
  Some days ago, I updated our 5508 WLC to software version 7.5.102.0.
  With that version, it should be possible to have a VLAN mapping specific for a Flexconnect group that is set within Flexconnect Group settings.
  I did that for all my Flexconnect groups and it works fine with new access point.
  For existing access point, which already have an AP-specific VLAN mapping, it is not possible to switch to Group-specific.
  When I mark the WLAN in Flexconnect setting of the AP and select "Remove AP specific", I get the error message "Request failed: Vlan is not enabled on this flexconnect".
  I wonder what the problem could be, because for newly installed access points, it works fine. Did I miss some settings?
  Regards,
  Sven Lindeke

  Thanks for the fast reply.
  Here are the screen shots:
  Settings "Flexconnect group"
  Settings "Access Point"
  Error message

• Flex Connect Groups - WLAN to VLAN mapping

  I have a question about configuring WLAN to VLAN mapping on FlexConnect Groups.
  Do the mappings that are configured in the FC Group get inherited by the APs when they are placed in the group?
  It seems like they do not.
  I am playing around in a lab with a virtual WLC running 7.5 and an old 1131 AP.
  If I configure the WLAN to VLAN mapping on the individual AP, it works as expected.
  If I configure the WLAN to VLAN mapping within the FC group and add the AP to the group, it does not.
  The AP does not inherit the settings from the Group.
  I am wondering how you would deploy a lot of APs without having to configure each AP individually.
  Thanks

  Yes, you are correct. It is not like normal AP groups where it will map WLAN to AP belong to that AP group.
  Anyway since you have to convert each AP manually to FlexConnect mode, you should do the WLAN mapping at that point as additional step.
  FlexConnect Group is mainly to give fast roaming feature for FC APs in brach deployment solution (typically not so many APs). Also keep in mind you can have maximum  25 APs in FlexConnect AP group for WiSM2 or 5508 & you can go upto 100 in 7500 WLC. (see table 7.3 in below link)
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1108090
  HTH
  Rasika
  **** Pls rate all useful responses *****

• NCS Prime 1.4 does not display previous AP WLAN-VLAN mappings

  Hi,
  Just wondering if others have experienced this issue. I upgrade our Prime NCS from 1.3 to 1.4 last night. Upgrade appeared successful but today when looking through the web interface for testing I noticed that the  'Access Point Details' (Configure > Access Points > Access point details" no longer displays the flex connect vlan mappings which previously were shown in 1.3.
  When clicking on the WLAN-VLAN Mappings tab nothing appears there too? I tried to apply the wireless configuration template again but received an error.
  Has anyone had this issue? On the WLC, these configurations are still intact with the correct vlan-mappings so it only appears to be NCS that is having the issues.
  Only thing I can see from the release notes regarding NCS 1.4 Flexconnect VLAN mappings is CSCug17718. But this caveat is under the resolved section.
  Cheers,
  Wil

  Cheers thanks for the reply.
  I figured out what the problem was. Appears that Audit status has mismatches but once another audit is done it appears to display vlan mappings with at the access point detail page.
  Now... to figure out how to perfect bulk audits..
  Anyways thanks for your advice.

• Lost VLAN Mapping on WLC 5508 (Flexconnect)

  Hi guys, I have a WLC 5508 and some AIR-LAP1131AG-T-K9 all in flexconnect configuration.
  The problem is that 1130 Access Points lost the VLAN Mapping configuration without reason, simple change the vlan mapping to 999 and I need to reconfigure that.
  I search in some documents on cisco.com but I can't find anything about this issue.
  Could you help me please?
  Thanks guys.

  Hi Scott
  Thanks for the answer.
  We have around 350 ap's, in 50 different locations (customers). The WLC is running AirOS 7.3.101.0.
  Every WLAN is configured to a dummy interface, with the vlanID 2222.
  This is the VlanID that the Wlan to vlan mapping got “lost” to.
  Unfortunately, I am not able to see the right join time, because the WLC’s was booted. (After the error occurred). Next time I see this, I will look at the join time.
  Every location (costumers) has two SSID (guest and employee). The employee network has two vlans (PC’s and BYOD). We are using NPS rules to select witch VLAN the device connectes to.
  So in the FlexConnet settings, we do a WLAN to vlan mapping:
  GUEST to vlanID
  PC’ to vlan ID 5
  And in the FlexConnect group we but in the vlan ID for BYOD.
  Do you now if the AP stores this to configurations different (flash or RAM)?

• Guest Wlan - foreign maps

  Hi,
  I am testing guest wlan with foreign map feature.
  I am not able to assign the client an IP address from the subnet mapped under wlan > foreign map (WLC specific subnet)
  The debugs on the anchor show a DHCP relay been sent from the interface mapped on the wlan and not the interface mapped under the foreign map.
  I tried to map the wlan on anchor WLC to the management interface and have dhcp scopes locally on the WLC. Still same result, it is trying to obtain an IP address from the management subnet. This was based on the example in the link below
  http://wifinigel.blogspot.com/2011_08_01_archive.html
  I am using WLC version 7.0.116.0 on foreign wlc and verson 7.2.110.0 on the anchor.
  Any suggestions will be helpful.
  Thanks
  Vikram

  Rasikanayanajith,
  Thanks for the reply. I just got off the phone with Cisco TAC and it looks like I am hitting bug CSCuh69558. I provided the config and debugs to TAC.
  The bug has to do with having AAA Override configured on the WLAN Advanced tab and the RADIUS server not actually sending an interface attribute which is a common config in a BYOB WLAN controlled by ISE. The default interface configured on the WLAN is incorrectly used instead of the foreign map in this situation.
  TAC also recommended upgrading away from the current version for the same reason you gave. I will be upgrading soon.
  Thank you,
  Mark

• H-REAP LWAPs losing VLAN mapping when fail to secondary WLC's

  Hello,
  I have three 5508 WLCs, running code 7.0.98.0 supporting 100+ LWAPs in H-REAP mode. The LWAPs are servicing 2-3 WLANs each. Some are using central authentication and local switching, some are configured for central authentication and central switching. When the LWAPs fail from one WLC to another WLC, the LWAP's lose all of their VLAN mappings and pick up the VLAN of the management interface on the new WLC.
  All WLANs are configured to use the management interface on the WLC and the VLAN mappings are configured per LWAP on the H-REAP properties  tab.  The WLAN ID numbers and all the WLAN settings are the same across all 3 WLC's. I have created AP groups on all 3 WLC's and the AP group config matches across the 3 WLCs.
  I can get the LWAPs to keep their VLAN mapping by creating an interface on the WLC with the VLAN ID of the locally switched/remote site VLAN and then setting the interface for the WLAN to the new interface. However, then the WLAN doesn't work, because the centrally located WLC doesn't have the remote site VLAN. It also seems to keep the VLAN mapping if I create the locally switched/remote site VLAN interface on the WLC , and point the WLAN to the management interface. This shouldn't be a necessary step though... In H-REAP with local switching, the LWAPs aren't using the interface on the WLC.
  I found a note in the 7.0 WLC config guide that explains why the VLANs are picking up the management interface VLAN, but that same note says the VLAN mappings can be changed per LWAP/WLAN!
  From config guide:
  For hybrid-REAP access points, the interface mapping at the controller for WLANs that is configured for H-REAP Local Switching is inherited at the access point as the default VLAN tagging. This mapping can be easily changed per SSID, per hybrid-REAP access point
  Anyone using H-REAP and been able to get the LWAPs to keep the VLAN mapping when failing from one WLC to another?
  Thanks!

  Shawn,
  I went back and reviewed everything and everything was duplicated , Except... WLAN_ID. The Wlan ID tags were different. I created a test and failled my two test AP's and they both came up on the backup controller with the proper vlan ID. now I know. When it was working for everyone else I was begining to wonder if I found a new bug or it was my config. This is one I wont forget ..
  Thank you

• QinQ vs. Vlan mapping

  Hi guys, for me it is new, so i would like to ask that what is different between QinQ and vlan mapping. I hope all guy let could explain me. Thank

  To my knowledge vlan-mapping is another word for vlan translation, meaning you translate (modify) the vlan ID in the frame when entering / exiting a specific interface.
  QinQ is sometimes also called vlan stacking, meaning a frame is altered with a outer vlan tag (ID) and keeping the inner tag of the original frame. This technique is mostly used by service providers to designate a vlan ID per customer in a VPLS network.

• FlexConnect Vlan Mapping

  5508 WLC on 7.3. For locally switched WLANS, when configuring FlexConnect Vlan Mappings, concerning the native vlan, can this vlan also be used as a vlan mapping for an SSID or not?  This would mean that the mgmt IP of the AP's, and this particular SSID would be on the same network. 

  Yes... If your ap and users are going to be put in the data Vlan, you can just leave the port to an access port and you don't have to setup any native val. Or Vlan mapping in the FlexConnect AP. If you decide you want to map users to the voice Vlan, then you need to trunk it.
  If you want to trunk it anyways, then you can map a WLAN to the data Vlan too.
  Sent from Cisco Technical Support iPhone App

• FlexConnect VLAN mapping management

  How to manage larger amout of FlexConnect APs? Especialy VLAN mapping, which is saved separately in each AP. I would like to have a list of AP-WLAN-VLAN settings. Is there any CLI command (except show run-config) for it? And what about backup of this setting? How to restore it in case of an AP crash?
  Many thanks.

  Yes... If your ap and users are going to be put in the data Vlan, you can just leave the port to an access port and you don't have to setup any native val. Or Vlan mapping in the FlexConnect AP. If you decide you want to map users to the voice Vlan, then you need to trunk it.
  If you want to trunk it anyways, then you can map a WLAN to the data Vlan too.
  Sent from Cisco Technical Support iPhone App

• ISE vlan mapping.

  have one query for ISE 1.2
  Is the following scenario is supported with ISE?
  Can we configure ISE VLAN mapping with SSID authentication web auth only.

  Limitations
  No support for  guest clients – posture for guest user is not supported.
  Hreap local switching is not supported -
  No support for wlans without 802.1x support
  Client will go through posture during slow roam – when client is associated used 802.1x (not wpa2 or cckm) then when client roams from one wlc to other – wlc will send new session ID hence client will again go through posture validation process.
  No support for guest tunneling mobility
  Mac auth bypass is not supported
  Vlan pooling is not supported.
  No support for WGB AP
  No support for AP group.
  Kindly find the link information regarding integration is mention.
  https://supportforums.cisco.com/docs/DOC-18121

• Switchport vlan mapping

  Anyone use this "switchport vlan mapping" in the 3750 Metro?
  I can filter the vlans that I want from the q-in-q tunnel?

  "switchport vlan mapping" is more of a feature which helps you overcome translation needs which may arise because of some specific adhoc needs.
  IF your design is right in place you may never need to use it.
  Now to answer your question about translation, yes its possible on 3750.
  This feature on 3750, uses three categories for transaltion
  a) single tagged traffic to be translated to a Metro Tag.
  b) Double Tagged combination to be transalted only the Metro Tag.
  (For Eg: CUVLAN-10 & Outer Vlan 100 <--> Translated to CUVLAN10 and Outer Vlan 200)
  c) Double Tagged combination to be translated both tags.
  (For Eg: CUVLAN-10 & Outer Vlan 100 <--> Translated to CUVLAN20 and Outer Vlan 200)
  THe conversion is almost like NAT, where the original values are used to switch traffic only on the local switch and the new converted values are used beyond the 3750 in your Metro.
  Now here is the link to configure the same.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750m/12225seg/3750mcr/cli3.htm#wp1926065
  HTH-Cheers,
  Swaroop

• CDP nei results and Flex Connect AP vlan mapping behavior

  Hi all,
      We're running controller code 7.4.100.108 and PRIME version 1.3.
      Occassionally, usually as the result of some networking event that causes flex connect AP's to lose connectivity to their controller, the flex connect AP's lose their vlan mapping configuration when they reconnect to their home controller.
      We "think" we have noticed that the cdp nei results are different for AP's that have proper vlan mappings from those that have lost their mappings.  For example, in the below example, only AP's 8213 and 8219 have lost their vlan mapping configs (all the AP's below are flex connect):
  8107   Gig 1/0/45        177           R T      AIR-LAP11 Gig 0
  8106   Gig 1/0/44        163           R T      AIR-LAP11 Gig 0
  8216   Gig 1/0/47        136           R T      AIR-LAP11 Gig 0
  8213   Gig 1/0/48        135           R T      AIR-LAP11 Gig 0.2
  8219   Gig 1/0/46        159           R T      AIR-LAP11 Gig 0.2
  8109   Gig 2/0/48        153           R T      AIR-LAP11 Gig 0
  ...and when the vlan mapping is fixed:
  8107   Gig 1/0/45        177           R T      AIR-LAP11 Gig 0
  8106   Gig 1/0/44        163           R T      AIR-LAP11 Gig 0
  8216   Gig 1/0/47        149           R T      AIR-LAP11 Gig 0
  8213   Gig 1/0/48        149           R T      AIR-LAP11 Gig 0
  8219   Gig 1/0/46        152           R T      AIR-LAP11 Gig 0
  8109   Gig 2/0/48        153           R T      AIR-LAP11 Gig 0
       I've done some reading to try to understand the details of the "Port ID" field of cdp neighbor with AP's but haven't found my answer.  I want to know what the significance of the difference between "Gig 0" and "Gig 0.2" is.
       I'm going to lab up an AP and see if I can replicate the behavior and confirm that it is related to the vlan mapping, but haven't gotten to it yet.   If anyone can point me to the nuts/bolts behind that sublte change in "Port ID" it'll help.
       By the way, I'm interested in this problem so that I can quickly identify which of my hundreds of flex connect AP's have lost their vlan mappings after a network disruptive event.  I can't find an interesting report in PRIME that will let me see it quickly.  So if a scriptable cdp nei command could identify the problem as well, that would be interesting.
       Thanks in advance for the help.

  I also have created WCS/NCS/PI templates to push the WLAN to vlan changes in the early morning just I'm case. When users start complaining, it's faster to just push out the commands to all than trying to find what AP lost its vlan setting.
  Sent from Cisco Technical Support iPhone App

• VLAN Map issue

  I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
  ip access-list extended testboxes
  permit ip host x.x.x.x host x.x.x.x
  vlan access-map denytest 10
  match ip address testboxes
  action drop
  vlan filter denytest vlan-list 1
  Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
  Thanks
  Ian

  Unlike regular IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for a certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet/ssh/or web traffic to the switch:
  permit tcp host X.X.X.X host X.X.X.X eq telnet
  Best Regards
  Francisco