AVC, Netflow and Flexconnect APs

Hi all,
I have a few questions, in case anybody has solved the same problem.
My situation: a few branches with Flexconnect APs (in every one of them). APs are set for some SSIDs as locally switched (to save WAN connectivity) and some are centrally switched. WLC code 7.4.
I was very much looking forward to implementing AVC. AVC works fine but only on centrally switched SSIDs - this is a big problem.
Is there any way to export traffic info for locally switched SSIDs?
I was wondering if a LAP can serve as a Netflow source (when I'm unable to see AVC data)?
Any ideas?
Thanks

Hi,
First: AVC will not work if you have it locally switched.
If you checked local switching under the SSID, then the AP will handle the traffic on its own, without sending the packets to the WLC, hence the WLC does not know what the users are using.
Second: http://mrncciew.com/2013/02/12/configuring-netflow-on-wlc-7-4/
Regards

Similar Messages

  • Same SSID both on Local and FlexConnect sites

    Hi guys,
    I need to deploy an identical SSID name and security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs.
    First question would be: if I enable FlexConnect Local Switching on an "in production" SSID used on Local-mode APs, would this generate any issues?
    Based on the answer received, what are your recommendations to accommodate this request: deploy an identical SSID name and security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs?

    When creating a WLAN with the same SSID, follow these guidelines and requirements:
    - You must create a unique profile name for each WLAN.
    - When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.
    WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. The available Layer 2 security policies are as follows:
    - None (open WLAN)
    - Static WEP or 802.1X
      Note: Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.
    - CKIP
    - WPA/WPA2
      Note: Although WPA and WPA2 cannot be used by multiple WLANs with the same SSID, you can configure two WLANs with the same SSID with WPA/TKIP with PSK and WPA (Wi-Fi Protected Access) /TKIP (Temporal Key Integrity Protocol) with 802.1X, respectively, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X, respectively.

  • "P2P Blocking" with different Flexconnect APs

    Hello,
    Does the "P2P Blocking" feature work for clients connected to different Flexconnect APs?
    In my case, apparently it doesn't work.
    We have 2 APs in Flexconnect Mode, an SSID with the "P2P Blocking" option set to drop and when we connect a client to one of the APs and another client to the other AP, these clients have visibility between them.
    Is that possible?
    Thank you.

    I think when this feature (P2P blocking) was added, there was no concept of interface groups, etc. to map multiple VLANs to the same SSID. When additional features were added, the original P2P blocking was not optimized to work in all these scenarios.
    This is one feature I do not trust well. I think it has drawbacks like what you found. I haven't tested it in detail, but have heard of lots of issues with this feature.
    Open a TAC & confirm with them what is the expected behaviour in your situation
    HTH
    Rasika

  • Local Policies and FlexConnect

    Hello,
    My customer has a traditional guest access design with foreign and anchor WLC without an ISE.
    It works fine.
    Now he plans to install a new WLC5508 for remote offices.
    All APs in these remote offices will be in FlexConnect mode connected to the central WLC, which is also a foreign WLC.
    The guest traffic is central switched and corporate SSIDs will be local switched.
    Now our problem is, is it possible to limit the guest bandwidth on each remote office with different values?
    Example:
    Office 1: Guest Bandwidth should be 1000k
    Office 2: Guest Bandwidth should be 2000k
    and so on....
    All APs in remote office 1 will be in FlexConnect Group 1 and the APs in remote office 2 in FlexConnect 2.
    Further I will create AP Groups for each remote office and add the belonging APs to this AP Group.
    Then I will create "local policies" and map the decided policy in AP group to the Guest SSID.
    So my question is; is this supported and does it work?
    I've read the config guide for 8.0 and didn't find anything about FlexConnect and local policies, I mean there are no Restrictions for Local Policy Classification
    Or is there another option available?
    thanks
    Martin

    Thanks for your help Scott. I'm not in full agreement with all you say, but you have helped me figure it out.
    You said the article was related only to 802.1x, but the article states that "802.1X is used in the example, but other mechanisms are equally applicable.".
    The article you linked regarding FlexConnect groups also states that central switching is only valid in "connected mode", i.e., when the WAN is up.
    However, I have found the following, which kind of explains the purpose of a central switched FlexConnect deployment
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml#central
    Thanks again.

  • Users are able /not able to join Flexconnect APs

    Hi Community,
    I have 2504 controllers(.6) at the central office and remote APs have joined the controllers. Flexconnect is up and working. The problem is I can see some users are able to connect to some Flexconnect APs but not to some other APs on the remote side.
    What is the reason for this type of behavior ?

    You don't happen to have a topology, do you? Are you saying you have 6 x 2504's? Why so many? Are the Flex APs doing local switching? Do you have VLANs identified on all the FLEX APs? Are the FLEX APs connected to a switch port that allows trunking if they are doing local switching? How are the clients authenticating, central or local AAA server?
    Really need a L2/L3 topology even pencil sketch to help answer this.
    ~ Please rate helpful post ~

  • How do I re-activate my AVC Security and SKYPE since they were disabled by downloading FIREFOX 4.0??? Can I return to an earlier version that I had previous to FIREFOX 4.0?

    Pls advise how I can return to a previous version of FIREFOX so that my AVC security and SKYPE sites can be re-activated. Tx.

    In some cases, the incompatibility is due to the new HTML5 parser in Firefox 4. You could disable that and test whether the bank site works again.
    (1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.
    (2) In the filter box, type or paste html5 and pause while the list is filtered.
    (3) Double-click html5.parser.enable to toggle it to false (it should turn bold).
    Then reload the bank page and see whether it works.
    And if you need it, here's the process to roll back:
    First, I recommend backing up your Firefox settings in case something goes wrong. See "Backing up your information" (https://support.mozilla.com/en-US/kb/Backing+up+your+information). (You can copy your entire Firefox profile folder somewhere outside of the Mozilla folder.)
    Next, download and save Firefox 3.6 to your desktop for future installation. http://www.mozilla.com/firefox/all-older
    Close Firefox 4.
    You could install Firefox 3.6 over it (many have reported success) or you could uninstall Firefox first. If you uninstall, do not remove your personal data and settings, just the program.
    Unless you have installed an incompatible add-on, Firefox 3.6 should pick up where you left off. If there are serious issues, please post back with details.
    Note: I haven't actually tried this myself!

  • iPad mini capacity almost full, but there is no reason for it, there is nothing stored on it and minimal apps!!! Help!

    I have a brand new iPad mini that says the capacity is full, but there are no pictures, video, messages, contacts on it and minimal apps (less than 1 gb). Can't find out how to fix it. Help!

    Settings > General > Usage, your storage will be detailed there.

  • Minimum connection speeds 5508 controller and 2602E APs

    We have an application that is sensitive to network speeds. Is there a way to guarantee a minimum wireless network speed such as 100 MBs utilizing a 5508 controller and 2602e APs?

    Not easy.   Wireless is a shared medium.  This means if one client talks, everyone else has to stop and wait for their turn.
    It's like doing video.  Video is time-sensitive.  If you put a single AP in a room (granted you've got full 1Gbps ethernet access all the way), and you get 25 people continuously streaming videos, then you'll see some impact.  Bring the number down to say, 8 to 10 and you'll see improvements.
    What kind of application are we talking about here?

  • MDNS and FlexConnect

    Hello,
    I know that it is not possible to enable mDNS snooping and FlexConnect local switching on a WLAN at the same time. Is there any way around this if you have FlexConnect APs and want to also have mDNS on your (non-FlexConnect) local APs?? Do I have to create a separate WLAN just for my FlexConnect APs??
    Thanks!

    one mDNS profile per WLAN
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/bonjour/7-5/Bonjour_Gateway_Phase-2_WLC_software_release_7-5.html
    Cheers

  • Windows Sensor and Location Platform, ThinkVantage GPS, and the APS accelerometer

    Has Lenovo considered linking ThinkVantage GPS and the APS accelerometer to the Windows sensor framework? If not, why not? If so, when might we look forward to being able to use them this way?

    hey belteshazzar,
    thank you for your suggestion, we will pass this onto our product engineers and see if it is a viable option or not.
    WW Social Media

  • Configuring NetFlow and Dynamic Vulnerability Scanning

    Hi All,
    Configuration of NetFlow and Vulnerability Scanning is done. Where and how do I check the NetFlow and Vulnerability Scanning?
    Thanks.

    After enabling network scanning, you can view individual scan reports from Device Management > Clean Access > Network Scanner > Reports. The report shown here is the full administrator report (Figure 13-13). The report shown to end users contains only the vulnerability results for the enabled plugins. (Users can access their version of the scan report by clicking the Scan Report link in their Logout page.)
    for more information follow up on this link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/418/cam/m_netsca.html#wp1050604

  • WLC 7.4 and Flexconnect AP support

    Hi all,
    Forgive me for not finding it on my own since I am sure it exists. Does anyone have a link to a support chart that shows where support for APs stops on WLC 7.4 code? Specifically, while running APs in Flexconnect mode? Thanks in advance

    Sure, it's always in the release notes.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html#wp1029587
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • Flexconnect APs stopped joining

    Hello Community,
    A customer of mine has a centralized 2504 WLC with 7.2 code running.  They have 1142N APs deployed locally as well as in remote sites (3) in FlexConnect mode.  For no apparent reason last Thursday all the remote APs disassociated with the controller and could not rejoin.  All the local APs remained up and unaffected.
    No changes to the WLAN, LAN, Firewall or MPLS WAN occurred to cause this.
    The customer opened a TAC case and their determination was that ports 5246-5247 were not getting thru.  When the customer engaged me this morning I had him run a packet capture on the Sonicwall firewall to prove out if the CAPWAP signals were leaving and returning across the WAN.  Sure enough we can see this bi-directional traffic (pic attached).  Also, I had the MPLS provider run a trace at the far end and they see the same traffic leave the remote site. 
    And then an odd thing happened; one of the APs at one of the remote sites all of a sudden Joined the controller.  So I tried rebooting the AP that is located in the same office, and it fails to Join.  When I look on the controller under AP Join statistics, the last activity shows the controller receiving a Discovery Request and response is sent, but no further Config Request and response or Join Request and response.
    Frankly a little stumped, we are re-engaging TAC, but thought that maybe someone in the community has run across this scenario before. 
    I also thought that it may be good to upgrade to 7.4, just on spec.
    As always any feedback, advice and comments are appreciated and welcome.
    Thanks.

    I just checked, and that world-mode command isn't even available on the radio interface, so it must only be available for Autonomous APs. I wondered if that was the case. I'd love to try the remote AP swap, but the closest remote site is about 2000km away. It may come to that. I'll see if they have a spare lying around we can try that with.
    When I look at the AP Join stats for a failed AP, there's a Discovery Request Received, and a Discovery Response sent, but nothing past that.
    When I do a #show ap join stats detailed the reason for failure shows as "Unavailable"
    I did confirm that all the working APs have a country code of CA, which makes sense if they just received that from the controller upon joining, so that may just be a rat-hole I'm chasing down.
    We do see that traffic leave and come back across the edge firewall, so it must be traversing, just not the full process.  If it was blocked it should be totally blocked, not mid-way thru?

  • Best way to configure a network comprising WLSE and many APs ?

    Hi the Cisco NetPro community,
    I would like to have a discussion with you on the best way to configure a network containing a WLSE and a large amount of Access Points.
    The network I want to configure comprises some subnetworks, each comprising about 10 access points (with some advanced settings for security). It might be quite a long and boring process to set the configuration for all those, so I am looking for the quickest and easiest solution to do so.
    First of all, the configuration of IP addresses has to be done on each Access Point after unpacking it. The configuration of my network comprises 1 WDS active AP, 1 WDS backup AP and the rest infrastructure APs, for each development site.
    I thought about several solutions :
    - 1st solution could be to apply a configuration file (i.e. load the config.txt file) to each AP manually, changing some values (IP, local radius...).
    But problem is that passwords can't be changed with text editor because of the passwords written in "hash".
    - 2nd solution could be to configure each AP (after IP is set) using its web interface.
    No more problem for hash written passwords, but this method is quite boring when surfing on menu pages of the AP web interface...
    - 3rd solution, which could appear as the best solution, is to create a template on the WLSE, and to apply it to all APs.
    No more boring connection to each AP, but the problems are: we need to create as many templates as APs (or change some parameters each time), and we still need to set parameters directly on the APs beforehand (SNMP, SSH, WDS configuration...), in order for the WLSE to manage the APs.
    So, what do you think could be the best solution in order to deploy such a network with many APs ?
    How is it possible to avoid (so far as we can) the configuration of APs one by one ?
    Thanks a lot in advance for your consideration and your ideas !
    Alexis.

    Well for one of my clients that had over 60 sites, we actually created a couple of templates. We created a basic template and a template for each site. You can have the ap's obtain the configuration from the WLSE, but you need to configure a DHCP option. My client did mac address reservations, but of course you need the mac address first. I guess you can also let the ap get an address and change it later. They tried doing different things, first let the ap obtain a default config and then pushing out the configuration for that site.
    As for the hash, you can set the password in ascii... when you do a show run, then of course it will be hash'd.
    http://www.cisco.com/en/US/docs/wireless/wlse/2.12/user/guide/deploywz.html#wp1936755

  • Updated WLCs show weird log messages and most APs do not associate

    Hi, I recently updated my 4402 WLC to the latest Software Version (7.0.98.0).
    This first seemed to have worked fine. WLCs rebooted fine, then APs rebooted and upgraded their software images.
    All fine, as it seemed.
    Then I went on to also upgrade to the latest Emergency Image Version (5.2.157.0).
    After rebooting the WLCs most APs won't associate again.
    Logs from the WLCs show a lot of messages like:
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:38 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:38 wlc-1 WLC-1:
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:38 wlc-1 WLC-1: *mmListen: Oct 07 22:11:38.857: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:38 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:38 wlc-1 WLC-1:
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:39 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:39 wlc-1 WLC-1:
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:39 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:39 wlc-1 WLC-1:
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:40 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:40 wlc-1 WLC-1:
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:40 wlc-1 WLC-1: *mmListen: Oct 07 22:11:40.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:40 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:40 wlc-1 WLC-1:
    Oct  7 20:11:40 wlc-1 WLC-1: *osapiReaper: Oct 07 22:11:40.905: %OSAPI-6-FILE_DOES_NOT_EXIST: osapi_file.c:348 File : /proc/755/stat does not exist.(errno 2)
    Oct  7 20:11:40 wlc-1 WLC-1: -Traceback:  105eaae4 105f4d44 105f7848 105fa648 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:40 wlc-1 WLC-1:
    Oct  7 20:11:43 wlc-1 WLC-1: *mmMobility: Oct 07 22:11:43.210: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:43 wlc-1 WLC-1: -Traceback:  105fbe18 102d8be0 102bc81c 102d5d20 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:43 wlc-1 WLC-1:
    Oct  7 20:11:43 wlc-1 WLC-1: *mmListen: Oct 07 22:11:43.210: %MM-3-INVALID_PKT_RECVD: mm_listen.c:6691 Received an invalid packet from 192.168.128.18. Source member:0.0.0.0. source member unknown.
    Oct  7 20:11:43 wlc-1 WLC-1: *mmListen: Oct 07 22:11:43.211: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:43 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:43 wlc-1 WLC-1:
    Oct  7 20:11:50 wlc-1 WLC-1: *osapiReaper: Oct 07 22:11:50.913: %OSAPI-6-FILE_DOES_NOT_EXIST: osapi_file.c:348 File : /proc/755/stat does not exist.(errno 2)
    Oct  7 20:11:50 wlc-1 WLC-1: -Traceback:  105eaae4 105f4d44 105f7848 105fa648 105f3ab0 10c0d250 111cd0cc
    When looking back a bit in the logs it looks like this started after upgrading the Software version. But after this first reload the APs came back and worked. Now they don't.
    The case seems to be the same with both my WLCs.
    What could have gone wrong?
    Please advise.

    Not sure which messages are concerning you the most...
    Regarding the message:
    Oct  7 20:11:39 wlc-1 WLC-1: *mmListen: Oct 07 22:11:39.749: %OSAPI-5-OSAPI_INVALID_TIMER: timerlib.c:542 Failed to retrive timer.
    Oct  7 20:11:39 wlc-1 WLC-1: -Traceback:  105fbe18 102cb318 105f3ab0 10c0d250 111cd0cc
    Oct  7 20:11:39 wlc-1 WLC-1:
    There is already a bug for it: CSCth64522
    And for:
    Oct  7 20:11:50 wlc-1 WLC-1: *osapiReaper: Oct 07 22:11:50.913: %OSAPI-6-FILE_DOES_NOT_EXIST: osapi_file.c:348 File : /proc/755/stat does not exist.(errno 2)
    Oct  7 20:11:50 wlc-1 WLC-1: -Traceback:  105eaae4 105f4d44 105f7848 105fa648 105f3ab0 10c0d250 111cd0cc
    Looks like it's matching CSCtf39550
    Both bug fixes should be included in the next 7.0 release and should not impact the WLC behavior.
    Hope this helps...
