Confused: Central Switching/Local Switching

Was wondering if someone could explain local/central switching a little further, when it comes to HREAP/FlexConnect modes for CAPWAP APs.
So in our environment, we're running 7.5.102.0 code on all of our WLCs.  We have a central WLC in two of our regions (US and Europe).  Each region provides internet services for the remote sites connected to it.  So a site in Chicago comes back to our central office over an MPLS for their internet services; just as a site in Italy comes back to our central office in the UK for their internet service over MPLS.  These remote sites have APs that are in FlexConnect mode back to the central WLCs.
My question: I understand that an AP in central switching mode tunnels the traffic back to the central controller, whereas local switching does not.  However, what does that mean?  If the WAN link goes down, how does local switching help?  The internet is still down, since that's how the internet is advertised back from the central location.  Does that just mean that local servers can be accessed, over wireless, since we are in local switching mode?  Same question for authentication: our AD servers are located at the central sites, with no AD servers at the remote sites.  In local authentication mode, how would an AP register a user if the MPLS link is down?  Does it download some sort of cached directory for authentication?
Thanks for your help!

Yes, in local switching mode, wireless client traffic is locally switched at the branch (you have to define their SVIs on the branch switch) and they can access any branch resources while the WAN link is down. If internet service is provided by your central office, then they won't get internet services while your WAN link is down.
If you configured local authentication, yes, the WLC will pass credentials (if the WLC has user credentials like WPA2-PSK or WEP) to the AP, where it can use them for local authentication. If you are using dot1x with RADIUS & AD, then you should have redundancy of these services in order for the branch APs to use them in a situation where the controller is unavailable.
The following design guide should help you understand this:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1103070
Here are some of my notes related to the different modes of operation of H-REAP/FlexConnect, which should help you as well:
http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
HTH
Rasika
**** Pls rate all useful responses ****
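To make the connected-versus-standalone behaviour described in the answer above concrete, here is an added example (my own code, not Cisco's and not from the original post) that models what a new client on a FlexConnect AP can do for each WLAN it advertises, given whether the WAN is up, how the WLAN is switched, and how it authenticates. The `Wlan`/`Branch` classes, the `radius_at_branch` field and the sample SSIDs are this example's own assumptions; the rules encoded are the ones stated in the thread: centrally switched traffic needs the CAPWAP tunnel, locally switched traffic stays on the branch VLAN, PSK can be completed by the AP on its own, 802.1X needs a reachable RADIUS server, and internet that is only advertised from the central site needs the WAN however the WLAN is switched.

```python
"""Modelled outcomes for FlexConnect WLANs in connected vs. standalone mode.

Added example for this thread (not Cisco code, not the page's own). Names of
classes and fields are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Wlan:
    ssid: str
    local_switching: bool           # "FlexConnect Local Switching" ticked on the WLAN
    auth: str                       # "psk" (WPA2-PSK) or "dot1x" (802.1X via RADIUS)
    radius_at_branch: bool = False  # assumption: a RADIUS/AD server reachable inside the branch


@dataclass(frozen=True)
class Branch:
    wan_up: bool                    # MPLS link from the branch to the central WLC site
    internet_via_central: bool      # internet is only reachable through the central site


def evaluate(wlan: Wlan, branch: Branch) -> Dict[str, bool]:
    """Outcome for a new client joining `wlan` on a Flex AP at `branch`."""
    connected = branch.wan_up       # AP is in connected mode, otherwise standalone
    # Data path: central switching tunnels every client frame to the WLC, so it
    # is gone without the WAN; local switching bridges onto the branch VLAN.
    data_path_ok = connected or wlan.local_switching
    # Authentication: the PSK is pushed to the Flex AP and works standalone;
    # 802.1X needs a RADIUS server the AP can still reach.
    if wlan.auth == "psk":
        auth_ok = True
    elif wlan.auth == "dot1x":
        auth_ok = connected or wlan.radius_at_branch
    else:
        raise ValueError(f"unknown auth type {wlan.auth!r}")
    can_join = data_path_ok and auth_ok
    return {
        "new_client_can_join": can_join,
        # Branch servers sit on the branch LAN: reachable whenever the client
        # has a data path (locally switched, or tunnelled and routed back).
        "branch_lan": can_join,
        # Internet advertised only from the central site still needs the WAN.
        "internet": can_join and (connected or not branch.internet_via_central),
        # Already-associated users stay associated when the WLC is lost, but
        # their frames only flow if a data path remains.
        "existing_client_traffic": data_path_ok,
    }


def report(wlans: List[Wlan], branch: Branch) -> Dict[str, Dict[str, bool]]:
    """Evaluate every WLAN one Flex AP advertises (they may mix switching modes)."""
    return {w.ssid: evaluate(w, branch) for w in wlans}


# Constructed WLAN set for a branch like the one in the question: AD/RADIUS
# only at the central site, internet only via the central site.
WLANS = [
    Wlan("data", local_switching=True, auth="psk"),
    Wlan("staff", local_switching=True, auth="dot1x"),
    Wlan("guest", local_switching=False, auth="psk"),
]

if __name__ == "__main__":
    for wan_up in (True, False):
        branch = Branch(wan_up=wan_up, internet_via_central=True)
        print(f"WAN {'up' if wan_up else 'down'}:")
        for ssid, outcome in report(WLANS, branch).items():
            print(f"  {ssid:6s} {outcome}")
```

Running it shows the point of the original question: with the WAN down, only the locally switched PSK WLAN still admits new clients, and even those clients reach branch servers but not the internet; the locally switched 802.1X WLAN fails for new clients unless a RADIUS server exists inside the branch.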

Similar Messages

  • Central Authentication / Local Switching for Mesh?

    Hi all,
    I'm afraid I know the answer but maybe I'm just missing something. Anyway, here's the situation: I have a multi-site installation with a centralized WLC (currently 2504). Each wireless VLAN at each site uses the same ID but has a local network (e.g. site 2 is 192.168.2.0/24, site 3 is 192.168.3.0/24 but both are VLAN 100).
    When I configure APs for H-REAP/FlexConnect, there's no problem. Users are authenticated via a centralized RADIUS server (Cisco SecureACS 5.x) and I have local switching enabled so clients pick up an address from a localized DHCP server (ASA firewall in most cases).
    However, the impetus for installing the WLC requires a mesh network, consisting of 2 RAPs and 2 MAPs. My catch 22 is now this: if a RAP is in FlexConnect mode, the MAP won't associate, but if the RAP is in RAP mode, the MAP associates, but clients don't appear to get IP addresses (on an iPhone for example, the wheel just keeps spinning until it gives up).
    It's my understanding that since the APs are no longer in FlexConnect mode, all the wireless traffic is now being tunneled back through the centralized WLC which associates the VLANs with networks that don't exist on site.
    Is my understanding correct? If so, is there any way I can go about achieving what I want to do, which is get the FlexConnect effect but still have Mesh capabilities? Right now it seems the obvious (albeit very expensive) answer is to decentralize the WLC and have HA WLC configured on a per site basis.
    Any input/advice greatly appreciated. Thank you.

    I second your thought about mesh and as for what to do - I don't think you can do anything. Perhaps a cheap way to solve this problem can be installing a local 2504 at sites that require mesh links. This will allow you to terminate all VLAN/SSID mappings locally. Sorry :-(

  • High CAPWAP traffic when locally switched

    Hello all,
    We're seeing an ongoing issue where several APs across multiple sites log the error, "%CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)", then disassociate from the controller, and reassociate almost immediately.  The issue is the users get disassociated from the AP and call the helpdesk.
    A countermeasure at one site was to add the CAPWAP traffic (udp ports 5246 & 5247) to the controller in our QOS Platinum policy (setting the DSCP bit to 'ef'), but that doesn't seem to help.
    We're using Flexconnect with central authentication, local switching.
    A couple of questions:
    1) The Platinum queue on the QOS is showing over 500 kbps when the only thing put in that queue is the CAPWAP traffic - there aren't any phones.  Why so much bandwidth for authentication and control traffic?
    2) What is happening with the APs that they can't talk to the controller that causes the issue in the first place?  Bandwidth doesn't seem to be an issue.
    Below are some config and outputs:
    AP-1242#show capwap reap status
    AP Mode:         REAP, Connected
    Radar detected on:
    AP-1242#show capwap reap association
    REAP Data Switching: Local
    2960#show int fa0/22
      Hardware is Fast Ethernet
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      Last input 00:00:22, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 23000 bits/sec, 13 packets/sec
      5 minute output rate 208000 bits/sec, 48 packets/sec
         37478173 packets input, 13839718021 bytes, 0 no buffer
         Received 2818773 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 502342 multicast, 0 pause input
         0 input packets with dribble condition detected
         118634332 packets output, 36491262361 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    2811#show policy-map interface multilink 1
    Service-policy output: MPLS-QOS
        queue stats for all priority classes:
           queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 300637/46124112
        Class-map: PLATINUM (match-any)
          300637 packets, 46124112 bytes
          30 second offered rate 28000 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            300637 packets, 46124112 bytes
            30 second rate 28000 bps
          Priority: 18% (552 kbps), burst bytes 13800, b/w exceed drops: -16
    Any help is appreciated.

    Hi Jeff,
    I think you are hitting a bug (CSCse92856) specific to the 1242 AP. The solution given is "Enable Proxy ARP on the default-gateway device of your AP". You can try that & see.
    Even I cannot view the details of this bug due to insufficient access permissions. Therefore I do not know more details about this bug fix, which software versions are affected, etc. Better you contact Cisco TAC & get more information.
    I found this information here:
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml
    One other reason that H-REAP APs do not join WLCs is if the Proxy ARP is disabled on the gateway for the H-REAP APs. From the AP console, this message is logged:
    *Jul 29 14:04:10.897: LWAPP_CLIENT_ERROR_DEBUG: 
    Retransmission count for packet exceeded more than max(CHANGE_STATE_EVENT , 1)
    This can be caused by Cisco bug ID CSCse92856. This problem applies only to AP1130 and AP1240. This problem does not apply to AP1000s, AP1100, or AP1200.
    This problem occurs when these conditions are met:
    HREAP mode is used in the WLAN. Local mode is not affected by this issue. Native VLAN mapping is required.
    The APs have to be on a different IP subnet than the AP Manager of the WLCs.
    Proxy ARP is disabled on the default gateway for the AP.
    The H-REAP AP gets the default gateway from a DHCP server.
    In order to resolve this issue, enable Proxy ARP on the default gateway router of the AP.
    HTH
    Rasika
    **** Pls rate all useful responses ****
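The post above describes the operational symptom a network or SOC team actually has to chase: APs logging the CAPWAP retransmission error, dropping off the controller and rejoining, with users calling the helpdesk. As an added example (my own code, not Cisco's and not part of the thread), here is a small detector that parses AP syslog for that exact `%CAPWAP-3-ERRORLOG` message, counts occurrences per AP in a sliding window, and flags APs that are flapping repeatedly, which is the list you would take to TAC or check against the Proxy ARP fix above. The sample log lines, hostnames, timestamps and the second `%LINEPROTO-5-UPDOWN` filler line are constructed; only the error text itself is taken from the thread.

```python
"""Flag FlexConnect/H-REAP APs that repeatedly lose their CAPWAP control channel.

Added example for this thread (not Cisco code). Hostnames, times and the
non-CAPWAP filler line are constructed; the %CAPWAP-3-ERRORLOG text is the one
quoted in the post.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample syslog (not from the thread).
SAMPLE_LOG = """\
Mar 10 09:12:01 ap-site1-01 %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)
Mar 10 09:12:04 ap-site1-01 %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
Mar 10 09:25:40 ap-site1-01 %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)
Mar 10 09:41:17 ap-site1-01 %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)
Mar 10 10:02:55 ap-site2-07 %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)
Mar 10 13:30:00 ap-site3-02 %CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CHANGE_STATE_EVENT , 1)
"""

# Matches "<Mon dd HH:MM:SS> <host> %CAPWAP-3-ERRORLOG: Retransmission count for
# packet exceeded max(<PACKET_TYPE>, <n>)"; tolerates the stray "." or space
# that appears before the comma in the two variants quoted on the page.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded "
    r"max\((?P<pkt>[A-Z_]+)[ .]*, *(?P<max>\d+)\)"
)

Event = Tuple[datetime, str, str, int]   # (timestamp, ap hostname, packet type, max retries)


def parse_events(text: str, year: int = 2014) -> List[Event]:
    """Extract CAPWAP retransmission errors; syslog lacks a year, so one is supplied."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # some other message; ignore
        stamp = " ".join(m["ts"].split())              # collapse "Mar  3" padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["pkt"], int(m["max"])))
    return events


def flapping_aps(events: List[Event], window: timedelta = timedelta(hours=1),
                 threshold: int = 3) -> Dict[str, int]:
    """Return {host: peak error count inside any `window`} for hosts at or above
    `threshold`. A burst means the AP keeps timing out its control channel and
    rejoining, which is exactly the disassociate/reassociate cycle users notice."""
    by_host: Dict[str, List[datetime]] = defaultdict(list)
    for ts, host, _pkt, _max in events:
        by_host[host].append(ts)
    flagged: Dict[str, int] = {}
    for host, times in by_host.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):                  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def errors_by_packet_type(events: List[Event]) -> Dict[str, int]:
    """Which CAPWAP message is timing out; useful when comparing against a known bug."""
    return dict(Counter(pkt for _ts, _host, pkt, _max in events))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("flapping APs:", flapping_aps(evs))
    print("by packet type:", errors_by_packet_type(evs))
```

On the constructed sample, `ap-site1-01` is flagged (three errors inside an hour) while the single events from the other two APs are not; feeding real AP syslog through the same functions gives the per-AP list to correlate with WAN utilisation, the switch interface counters, or the Proxy ARP setting on the AP's gateway.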

  • Same wlan both locally switched and centrally switched

    Scenario:
    1 virtual wireless controller
    50 access points, some of them local to the controller (same site), others on remote sites, all in flexconnect mode.
    Is there a way for a wlan to be locally switched for a group of APs, essentially those local to the controller, and centrally switched for other groups of APs, in fact those placed on remote sites?
    I've tried configuring flexconnect groups, and ap groups, but no luck, I've found no way to override the globally configured flag "FlexConnect local switching".
    I've also tried to create two identical wlans, one locally switched and the second globally switched, but the wlc refuses to activate the second one since it has the same SSID as the first one.
    Regards,
    Massimo. 

    Since you have a vWLC, all APs need to be in FlexConnect mode (if you had a normal WLC you could keep HQ APs in local mode & remote APs in Flex mode to achieve this).
    I think in your case you have to either choose "Central Switching" or "local switching" for your APs.
    Regards
    Rasika
    **** Pls rate all useful responses ****

  • Centrally Switched and Flex Local Switched WLAN - same SSID

    Hi All
    I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
    We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
    My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
    *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
    My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
    If someone can verify the above I'd be very grateful.
    Many thanks in advance
    Mark

    Hi Mark
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    When you configure an SSID for local switching, it is only applicable if the AP is in FlexConnect mode. So as long as your HQ APs are in Local mode, all those users' traffic will be centrally switched for the given SSID. At the branch, those APs are in Flex mode, so they will be locally switched.
    Pls do not forget to rate our responses if that is useful to you
    HTH
    Rasika

  • Locally Switched / Centrally Switched on Flex Connect AP

    Hi All,
    Scenario (is this possible?)
    I have an HQ site (Site A) with the WLC.
    I have a remote site (Site B) with one AP.
    Site A has Internet Breakout. Site B doesn't.
    Is it possible with this one AP to have Multiple SSIDs, some of which are switched locally at the remote site and some which are switched centrally back at the HQ?
    E.g. I want to have an SSID for the data vlan at Site B. Any laptop connecting to this is dropped onto the Data VLAN.
    I also want to have a GUEST SSID for Internet but have this traffic be tunneled back to HQ and use Internet Breakout there.
    Is this possible?
    Thanks

    On the advanced tab of the WLAN you can enable that SSID for FC Local Switching.  The AP then needs to be in Flexconnect mode.  You then go to the FC tab of the AP and define the local VLANs for the locally switched WLANs.  There will be 2 lists of SSIDs, locally switched and centrally switched.  Obviously you don't define VLANs for the centrally switched WLANs.
    Whatever you define on the AP will overwrite the interface on the WLC.
    AP Groups and FC Groups are not needed.

  • Centralized Auth. / Local Switching - Common SSID

    Hi All,
    I'm looking at a design where I would have a few remote sites and a centralized WLC.  My requirement would be to have a common SSID advertised across the remote sites and have that SSID locally switch, so as to not tunnel all the traffic across the WAN back to the central site.
    I know the feature I'm looking for is H-REAP with Centralized Authentication and Local switching...but I'm unsure of the second part...which is to have a common SSID across the remote sites.  How do I accomplish the second part?  I heard mention of using AP Groups in another post.  Just looking for more direction.

    You're all correct except on the last part.
    What you want to do is configure your SSID in advanced options to enable HREAP Local switching.
    Then you move only the APs at the remote sites to HREAP mode, one by one.
    From there, all the APs you configured as HREAP will be locally switching traffic and the APs in local mode will still forward traffic through the controller.
    I hope this clarifies ?
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesn't fall back to local switching.

    Hi All,
    I am currently using a 4402 with the 6.0.196 image. The APs that I am using are the 1130.
    I have configured HREAP for local switching, and it works very well. I am even able to do 802.1x authentication after registering with ACS. Currently I am using only 1 SSID. That SSID is mapped to VLAN 10 and my AP is on native VLAN 1. All the proper trunks and routing have been enabled.
    The issue I have is that I am trying to create a centrally switched WLAN that falls back to local switching once the controller is down. The only difference I made was to remove the "tick"/checkbox option for "Local Switching" on the WLAN page.
    It is able to work if the controller is up; I am even able to get the IP network where the controller resides. However, when I tested by disconnecting the controller, the client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK and also WPA-PEAP-MSChapv2. Both fail miserably.
    Does this mean that I need to create 2 WLANs? One for local switching and the other for central switching on the HREAP mode APs. Can't I do it with just a single WLAN?
    Thank you.
    Warmest regards,
    Azzafir Ariff Patel.

    For h-reap, if you're doing central switching due to using EAP for authentication and the AP loses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-PSK local switching should work even if the AP loses connectivity to the WLC since the h-reap AP will do the authentication.  Here is a link you have probably already seen:
    http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

  • Flex connect with a per user ACL with APs locally switched

    Hi all,
    Does flex connect allow a per user ACL to be downloaded to the session with local switching and central authentication? We are using ISE for the central policy engine and have set up dACL for wired but am about to embark on WLAN. The controller is a 5508 and the APs are 3700s.
    Second question: if the flex connect APs don't do any form of per user ACL, the other option is to have the units in regular mode where they are both centrally switched and centrally authenticated, which I understand to support a per user ACL. Our WAN links are between 10mbps - 30mbps and the most latency would be around 40ms. Will this cause issues at all with that size of WAN links and latency?
    Thanks
    Sent from Cisco Technical Support iPad App

    Well you are running v7.6, so FlexConnect per user radius ACLs are supported per this doc since v7.5.
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
    As far as WAN latency, 200ms is good, but it depends on your WAN utilization now and how many APs you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth or else you will need to QoS the capwap traffic to ensure the APs don't bounce from connected to standalone.
    Sent from Cisco Technical Support iPhone App

  • WebAuth on FlexConnect Local Switched SSID

    Hi All
    I'm working on getting internal WebAuth to work on a FlexConnect local switched SSID. From what I've been reading, it's possible but apparently not very straight forward. 
    FlexConnect AP - if the SSID isn't local switch, WebAuth of course works fine.
    Once I set it to local switching, WebAuth breaks. Any way around that in 7.6?
    Thanks

    Figured it out just now. When using the WLC as a DHCP server (this is just a lab), selecting the Central DHCP Processing for use when in Local Switching also selects a box for NAT-PAT. Unselecting the NAT-PAT box fixed the broken WebAuth.
    Going to have to figure out what that does.

  • ISE works with Local-switch Mode

    Hi guys,
    My AP is configured to work in Flexconnect mode with my WLC, which means that my wireless data will be switched locally without going through my WLC. Is that ok for my ISE to control my wireless access?
    Regards,

    Yes; FlexConnect supports central authentication with both locally and centrally switched traffic models.
    Lots of info about FlexConnect here;
    http://www.cisco.com/en/US/docs/wireless/controller/7.4/configuration/guides/flexconnect/config_flexconnect_chapter_01.html

  • Local Switching on o-LAP when working on Bridge root mode

    Dears,
    Need your support in this solution please,
    I have 2 LWAPs, one working as bridge root and the second working as bridge mesh. I want to create two SSIDs, one of them working local and the second working centralized. What is the configuration for that? Or clarify if this solution is supported or not.
    Also I need to let the O-LAP do local switching in bridge root mode.
    Awaiting your feedback urgently ASAP.
    Thanks

    Stephen Rodriguez wrote: If you are going to share the WLAN (which is pretty standard), then you need to select the interface that you want the clients passing traffic to.
    You mean the interface that the local clients will be passing traffic to, right?

  • Help needed to configure H-REAP with local switching

    Hi All,
    We are using the following devices for campus Wi-Fi.
    1. WLC - 4402
    2. AP (1131ag, 1042n) which support H-REAP.
    I want to configure HREAP central auth and local switching. I have changed the AP from local to HREAP; after that I go to the HREAP tab, where the native VLAN is 1 by default (I have changed native VLAN 1 to 51) and VLAN support is enabled. Then I click on VLAN mapping, and my WLAN (guestwlan) is there with VLAN ID 24.
    I have assigned static IP to AP (192.168.51.40/24 gw 192.168.51.254).
    DHCP is running on controller.
    switch port configure is below:
    interface FastEthernet0/18
    description WiFi access point
    switchport trunk native vlan 51
    switchport mode trunk
    no ip address
    end
    Issue: authentication is done through RADIUS (Cisco ACS 4.2) but the client is not getting an IP address from DHCP.
    Please help.
    Thanks in Adv.
    Thanks,
    AS

    Hi AS,
    Do not use the DHCP on the WLC.
    Use a DHCP server on the neighbor switch if possible for the native VLAN.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Local Switching, mDNS Snooping and Chromecast

    Hello everyone,
    we have a Cisco WiFi setup at our company consisting of one WLC (2504) and 5 access points, 4 of which are in the main office and one at a remote location (connected via an IPsec tunnel). The remote AP is configured in FlexConnect mode, and we have set up a staff WLAN using 802.1X auth and local switching. So far, everything works perfectly.
    However, we now want to support Chromecast devices in our wireless network. I have set up a new WLAN with WPA2-PSK authentication for those devices, added the "Googlecast" entries to the mDNS profile and activated mDNS Snooping on this WLAN. This appears to be working as well, at least I can see the corresponding entries in the mDNS -> Domain Names tab (Chromecast switched from multicast/SSDP to mDNS recently).
    However, clients in the staff WLAN are not able to see the devices. My guess is that I would need to also activate mDNS snooping on the staff WLAN, but of course this is not possible because of local switching being enabled.
    I tried to create two different AP groups, one for the local APs and another for the remote one. Then I duplicated the staff WLAN, with the idea of deploying one copy on the local AP group with local switching disabled and mDNS snooping enabled and the other copy on the remote AP group, enabling local switching and disabling mDNS snooping. My idea was that this would allow the employees at the local office to use the Chromecast devices, but unfortunately it's not possible to configure two WLANs with the same SSID and L2 security, even if they're not on the same AP / AP group.
    Another solution would just be to create a separate WLAN for the remote AP, but that would require pushing another profile and inevitably result in confused employees when they first visit the remote branch.
    Is there any way to make our Chromecasts work while still using the same WLAN for both locations? Any pointers are greatly appreciated.

    I'm not 100% sure about the details and why that works this way. But you can create two SSIDs as long as you use an ID higher than 16. So start at 17 and it works, maybe that has something to do with the default group they will not belong to..
    Coming back to your 2504... I see no way to use an ID above 16 because that's the max it supports.
    So, please have a look at that Guide for Chromecast, as I run through it I see that it has maybe nothing to do with mDNS..
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html
    Br,
    Sebastian
    pls. rate if helpful

  • Flexconnect - local-switching - Interface Groups - multiple subnets/vlans

    So I'm trying to set up an "interface-group-like" configuration on some Flexconnect APs with local switching enabled in order to support multiple subnets/VLANs linked to a single SSID.
    Does anyone know if this is possible or have any suggestions?
    I've tried:
    AP Groups - One SSID which would require central switching for it to be of use (I think).
    AP Groups - Creating an additional SSID and then placing the APs in a group per site. This works but is going to be difficult to manage if I have 400+ sites running this sort of setup.
    For reference, my end goal is to have multiple (400+) branch sites with the same WLAN mapped to 3 or 4 different VLANs in order to split the subnets up into smaller chunks (/23s or /24s). These VLANs are all switched locally and are uniform in numbering across all the sites from a layer 2 perspective.
    Thanks,
    Ric

    Interface groups are not an available feature on FlexConnect. FlexConnect doesn't support layer 3 roaming if devices roam from one FlexConnect AP to another and the WLAN to VLAN mappings are different. This is a limitation of FlexConnect along with a few others listed in the FlexConnect deployment guide.
    -Scott
