FlexConnect VLAN Mappings Inheritance

Hi guys,
I have 3 APs, which joined the vWLC some time ago (FlexConnect mode). I set up the VLAN Mappings, added them to an AP Group and all went well.
After some time I started to use FlexConnect Groups. I have created a group for these three and added each to the group.
Trouble is, even after adding each AP to the FlexConnect Group the VLAN Mappings Inheritance stays on AP-Specific instead of Group-Specific.
I tried the Remove AP Specific option, but I receive an error message I have attached.
Thanks in advance for any hint/tip.

Similar Messages

  • NCS Prime 1.4 does not display previous AP WLAN-VLAN mappings

    Hi,
    Just wondering if others have experienced this issue. I upgraded our Prime NCS from 1.3 to 1.4 last night. The upgrade appeared successful, but today when looking through the web interface for testing I noticed that the 'Access Point Details' page (Configure > Access Points > Access point details) no longer displays the FlexConnect VLAN mappings which previously were shown in 1.3.
    When clicking on the WLAN-VLAN Mappings tab nothing appears there too? I tried to apply the wireless configuration template again but received an error.
    Has anyone had this issue? On the WLC, these configurations are still intact with the correct vlan-mappings so it only appears to be NCS that is having the issues.
    Only thing I can see from the release notes regarding NCS 1.4 Flexconnect VLAN mappings is CSCug17718. But this caveat is under the resolved section.
    Cheers,
    Wil

    Cheers thanks for the reply.
    I figured out what the problem was. It appears that the Audit status has mismatches, but once another audit is done it appears to display the VLAN mappings at the access point detail page.
    Now... to figure out how to perfect bulk audits..
    Anyways thanks for your advice.

  • FlexConnect Vlan Mapping Report

    Hello,
    I am wondering if anyone has a solution to report on FlexConnect Vlan Mappings.
    The only way I know of is to look at each AP individually, which is very time consuming. We have trouble sometimes with the templates not applying properly, and sometimes after a power outage we have APs that lose their mappings. Because of this we need a way to report on this.
    I know you can do a:
    show ap config general AP_NAME on the controller, but there is no way to do this for all the AP's at once.
    Any ideas?
    Dan.

    Dan,
    I don't use PuTTY, but I use SecureCRT and have a large buffer in which I can cut and paste. I do have to log the output to a text file if I have a large number of access points. This I believe you can do with PuTTY. So as long as you have the CLI scripts for the show ap config general <ap name>, you should be good to go. Make sure you also issue the show paging disable prior to entering these commands. I use Excel to create my commands from the show ap summary.
    -Scott
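The workflow Scott describes (generate one `show ap config general` line per AP, log the session, then read the mappings out of the log), as an added example that is not part of the original posts. The sample log is constructed, its field labels and dotted layout are assumptions to adjust for your controller release, `config paging disable` is used as the paging command, and the function names are hypothetical.

```python
import re

# Constructed sample of a logged session. The field labels and dotted layout are
# assumptions; adjust the patterns to what your controller release prints.
SAMPLE_LOG = """\
(Cisco Controller) >show ap config general AP-BR1-01
Cisco AP Name.................................... AP-BR1-01
FlexConnect Vlan mode :.......................... Enabled
    Native ID :..................................... 10
    WLAN 1 :........................................ 20 (AP-Specific)
    WLAN 2 :........................................ 30 (Group-Specific)
(Cisco Controller) >show ap config general AP-BR1-02
Cisco AP Name.................................... AP-BR1-02
FlexConnect Vlan mode :.......................... Disabled
"""

AP_RE = re.compile(r"^Cisco AP Name\.+\s*(\S+)")
MODE_RE = re.compile(r"^\s*FlexConnect Vlan mode\s*:?\.+\s*(\S+)")
NATIVE_RE = re.compile(r"^\s*Native ID\s*:?\.+\s*(\d+)")
WLAN_RE = re.compile(r"^\s*WLAN\s+(\d+)\s*:?\.+\s*(\d+)(?:\s*\(([^)]+)\))?")


def build_commands(ap_names):
    """One show command per AP, preceded by the command that turns paging off."""
    cmds = ["config paging disable"]
    for name in ap_names:
        if not re.fullmatch(r"[\w.\-]+", name):  # never paste unexpected text into a CLI
            raise ValueError(f"unexpected AP name: {name!r}")
        cmds.append(f"show ap config general {name}")
    return cmds


def parse_log(text):
    """Return {ap: {"vlan_mode", "native", "wlans": {wlan_id: (vlan, inheritance)}}}."""
    aps, cur = {}, None
    for line in text.splitlines():
        if m := AP_RE.match(line):
            cur = aps.setdefault(m.group(1), {"vlan_mode": None, "native": None, "wlans": {}})
        elif cur is None:
            continue  # output before the first AP header
        elif m := MODE_RE.match(line):
            cur["vlan_mode"] = m.group(1)
        elif m := NATIVE_RE.match(line):
            cur["native"] = int(m.group(1))
        elif m := WLAN_RE.match(line):
            cur["wlans"][int(m.group(1))] = (int(m.group(2)), m.group(3))
    return aps


def find_drift(aps, expected):
    """Compare every AP against expected {wlan_id: vlan}; return (ap, finding) pairs."""
    findings = []
    for name, cfg in sorted(aps.items()):
        if cfg["vlan_mode"] != "Enabled":  # e.g. mappings lost after a power outage
            findings.append((name, f"VLAN mode is {cfg['vlan_mode']}"))
            continue
        for wlan, vlan in sorted(expected.items()):
            got = cfg["wlans"].get(wlan)
            if got is None:
                findings.append((name, f"WLAN {wlan} has no mapping"))
            elif got[0] != vlan:
                findings.append((name, f"WLAN {wlan} on VLAN {got[0]}, expected {vlan}"))
    return findings


if __name__ == "__main__":
    for ap, finding in find_drift(parse_log(SAMPLE_LOG), {1: 20, 2: 31}):
        print(ap, finding)
```
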

  • FlexConnect Vlan Mapping

    5508 WLC on 7.3. For locally switched WLANS, when configuring FlexConnect Vlan Mappings, concerning the native vlan, can this vlan also be used as a vlan mapping for an SSID or not?  This would mean that the mgmt IP of the AP's, and this particular SSID would be on the same network. 

    Yes... If your AP and users are going to be put in the data VLAN, you can just leave the port as an access port and you don't have to set up any native VLAN or VLAN mapping in the FlexConnect AP. If you decide you want to map users to the voice VLAN, then you need to trunk it.
    If you want to trunk it anyways, then you can map a WLAN to the data Vlan too.
    Sent from Cisco Technical Support iPhone App

  • HREAP APs lose local VLAN mappings

    Hello,
    We are using a 5508 controller (version 7.0.98.0) in a central location and 1242 access points in HREAP mode in remote locations. 
    I have noticed that, for no specific reason, HREAP APs sometimes lose their local VLAN mappings and revert to centrally switched interface VLAN tags?? Since central VLAN tags and local VLANs are not the same, local traffic can not be routed and clients lose connection.
    I have seen that a software bug has been reported CSCsw68997 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw68997) but it seems to have been fixed in software versions that don't exist for 5508 WLCs.
    Would you have any idea if there is a fix to this issue?
    Thanks for your help, much appreciated,
    Laure

    It is important to note that CSCsw68997 is an enhancement, not exactly a bug.
    The bottom line is that if HREAP APs move between controllers, and those controllers are not identical with WLAN Order (including the AP group WLAN order) then your mappings might change.
    Now if you want the code this enhancement is added to, I believe both of those are readily available from TAC. If you need Cisco.com versions of the code, then you'll need to wait a few more weeks....

  • ACL or VLAN Mappings

    Good afternoon,
    We have several VLANs and would like to restrict traffic on some of them.
    For one VLAN, let's say VLAN 140, we would like it to drop all packets except for traffic going to / from 172.30.0.49. Is this possible? If so how? Also, would users be able to obtain DHCP / DNS queries if this rule was in place?
    Just like to get an understanding on how this can be done on our core using either ACL or vlan mappings.
    Regards,
    Mark

    Yes, the main advantages are performance and usability.
    With ACLs each document can have different security settings.
    As for performance, if you enter a query like "what document can a user read?" it requires to check all ACLs (not sure if it is still true, but I think in earlier versions ACLs were implemented as comma-separated strings, so this query was quite costly). With accounts, or security groups, the logic is much closer to relational database, so even though the queries require few OUTER JOINs, in the end they are much faster.
    As for usability, imagine a scenario like "I want to replace a person X with a person Y" - with accounts you do it in one place, with ACLs I do not know (not sure if there is anything like "mass ACL update" available).
    Note that "a large number of WLS group" should be auto-generated, ideally, in cooperation with an IDM solution.
    In general, I'd recommend ACLs only for very specific situations - namely, if security settings change during an item's lifetime (in 10g, they were a part of a component called Collaboration Manager, and it meant that a user might be granted access to an item only for the sake of a workflow, which is something you cannot do with accounts/security groups - or to be precise, you cannot do it easily).
    I have also heard, with no further details, that recently ACLs were redesigned, so some statements above might become obsolete.

  • FlexConnect VLAN Central Switching and guest WEB Auth

    Hi,
    I have a scenario where all my APs are FlexConnect APs, that is because of WVoIP.
    In most locations I have a local internet connection for guests, and because of that the Guest SSID is locally switched.
    I have a few small locations that do not have a local subnet for guests and on those locations I would like to centrally switch the guest traffic.
    I was looking at FlexConnect VLAN Central Switching to solve my problem, but as far as I can see this only works with 802.1x SSID's and aaa override.
    Is there no way to do FlexConnect VLAN Central Switching on SSID's with WEB auth or PSK?
    Hope some one can answer me.
    Thanks
    Aksel

    So create a new WLAN, the WLAN profile will be different than the original guest WLAN and assign it a WLAN ID of 16 or higher. This new WLAN will have the same setting as the original guest SSID except that local switching is not enabled.
    You now need to create AP Groups so you can specify that sites with local guest VLANs will use the original SSID and the sites with no local guest VLAN will use the new SSID you created.
    Here is a doc regarding AP Groups
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
    Sent from Cisco Technical Support iPhone App

  • FlexConnect VLAN assignment changes by itself

    About a year ago I changed the VLAN assignment of a WLAN for LWAPs in a particular AP Group. The LWAPs in this group are in 5 different locations. All LWAPs are joined to the same controller. Occasionally I'll get a call saying this WLAN isn't working and when I investigate the issue, I notice that the VLAN assignment has changed. I change the VLAN assignment and the WLAN works again. This seems to happen about every 3 months or so. What's odd is that it doesn't happen to all of the LWAPs in the AP Group. It seems to only affect the LWAPs at one site or the other at a time. Any clues on what could be causing this behavior?
    1142LAPs
    software version 7.3.101.0
    5508WLC
    software version 7.3.101.0
    Cisco Prime Infrastructure
    software version 1.2 (1.2.0.103)

    We can create a command-line to set the WLAN to VLAN mapping and create. Or we can create a script that also uses CLI and simply paste the commands to all APs. We can check the AP connectivity statistics by looking at the monitor AP.
    For FlexConnect access points, the interface mapping at the controller for WLANs configured for FlexConnect local switching is inherited at the access point as the default VLAN tagging. This can be easily changed per SSID and per FlexConnect access point. Non-FlexConnect access points tunnel all traffic back to the controller, and VLAN tagging is dictated by each interface mapping of the WLAN.
    By default, a VLAN is not enabled on the FlexConnect access point. When FlexConnect is enabled, the access point inherits the VLAN ID associated to the WLAN. This configuration is saved in the access point and received after the successful join response.
    By default, the native VLAN is 1. One native VLAN must be configured per FlexConnect access point in a VLAN-enabled domain. Otherwise, the access point cannot send and receive packets to and from the controller. When the client is assigned a VLAN from the RADIUS server, that VLAN is associated to the locally switched WLAN.

  • FlexConnect VLAN mapping management

    How to manage a larger amount of FlexConnect APs? Especially VLAN mapping, which is saved separately in each AP. I would like to have a list of AP-WLAN-VLAN settings. Is there any CLI command (except show run-config) for it? And what about backup of this setting? How to restore it in case of an AP crash?
    Many thanks.

  • WLC 5508 Flexconnect dhcp request landing on wrong vlan/dhcp pool

    Hi,
    We've recently set up our 5508 to work with FlexConnect. The 5508s run on 8.0.100, they are set up redundant. On the remote site we've set up a local DHCP pool for the various WLANs/VLANs. The APs have registered with the WLC successfully.
    We then set up the FlexConnect groups, added the APs and configured 1 VLAN mapping to its corresponding WLAN ID. Also set up the WLAN, made it so it's using FlexConnect, bound it to the interface which will allow it to reach the local DHCP machine.
    Users can see the SSID, can log in using the password, but they are awarded an IP address from a different DHCP pool, meant for another VLAN than the binding in the FlexConnect group is indicating.
    When I check the local dhcp pool for bindings on the mac address of a machine I can see multiple bindings. At 1 point I had 3 bindings in different pools, 1 on the native vlan for the AP, 1 on the vlan it should have and 1 on another vlan which wasn't configured anywhere in the flexconnect setup.
    Does anybody have a clue how and why this is happening?

    Just to add to Salma... All your APs in FlexConnect are most likely connected to a trunk port. Make sure the native VLAN is defined and the VLANs are allowed on the trunk port. Then you need to verify that the AP's native VLAN and WLAN to VLAN mappings are correct. Seems like you might have some APs that are not defined properly and that's why users that connect to a WLAN are getting in the wrong subnet.
    Scott

  • Flexconnect static mapping of WLAN to VLAN

    5508 running 7.4
    I want to create a definition for a particular site that maps WLANs (SSIDs) to switched VLANs.   I know that I can go to Wireless => Select AP => VLAN mappings on an individual AP basis.  But is there a way to create a group that will do this?  I thought it could be done with flexconnect groups but I just could not find a way to make it happen there.  Then I ran across this Architecting Network for Branch Offices with Cisco Unified Wireless Cisco Live presentation:
    http://d2zmdbbm9feqrf.cloudfront.net/2013/usa/pdf/BRKEWN-2016.pdf
    And on page 28 it states:
    AP groups give the ability to statically map Wi-Fi service (WLAN) to VLAN based on physical location
    And it then goes on to give a Configuration/VLAN mapping example in which I fail to see where VLANs are mentioned at all.
    Is what I am trying to do possible?
    Thanks,
    -JEff

    Hi Scott, thanks for the reply
    I have a main campus with several different distribution blocks that each use unique VLAN IDs. And I have about a dozen remote sites that will all use common VLAN IDs. I am configuring a single SSID (WLAN 2) to be used across all of these locations. So at my main campus building "A" will have WLAN 2 mapped to VLAN 55 while building "B" will have WLAN 2 mapped to VLAN 65. At each of the remote sites WLAN 2 needs to be mapped to VLAN 15.
    So let's say I want to configure the main campus buildings A and B. I create a dynamic interface for VLAN 55 and name it something creative like vlan-55. Likewise for VLAN 65. Then I create an AP group named APG-55, add WLAN 2 to it and add all of my APs in that building. What I don't understand is where the dynamic interface comes into play. From your explanation it would seem that I need to associate the dynamic interface to an AP group somehow. What am I missing?
    Thanks!
    -Jeff

  • Requirement for Native VLAN on Flexconnect Access Point

    Hi All,
    Just looking at AP configuration using 5508 WLC.
    We have APs deployed at all branch sites connected over a corporate L3 WAN to a Data Centre which houses the WLC(s)
    When setting the AP for Flexconnect mode there is a requirement that one native VLAN must be configured for each FlexConnect AP. If the AP is attached to a L2 switch and I want to enable multiple VLAN Mappings then I would need to add these VLANs to the allowed VLAN list on a trunk link between the AP and the switch (802.1Q) on the branch site.
    Normally if I configured a trunk link I would never add the Native VLAN to the trunk and never use it for any traffic. In this case it would appear that I MUST use the native VLAN (which seems to go against my better judgement). So my question (after all this) is: Why must the AP use the Native VLAN?
    Thanks All.

    This has always been a standard practice for access points that have to connect to a trunk port. This goes back to the autonomous access points and also with FlexConnect and Mesh if you're setting up Ethernet bridging. Wired side is different from the wireless side as you have noticed.
    Please rate helpful post and Cisco Support Community will donate to Kiva
    Scotty

  • Flexconnect - local-switching - Interface Groups - multiple subnets/vlans

    So I'm trying to setup an "interface-group-like" configuration on some Flexconnect APs with local switching enabled in order to support multiple subnets/VLANs linked to a single SSID.
    Does anyone know if this is possible or have any suggestions?
    I've tried:
    AP Groups - One SSID which would require central switching for it to be of use (I think).
    AP Groups - Creating an additional SSID and then placing the APs in a group per site. This works but is going to be difficult to manage if I have 400+ sites running this sort of setup.
    For reference, my end goal is to have multiple (400+) branch sites with the same WLAN mapped to 3 or 4 different VLANs in order to split the subnets up into smaller chunks (/23s or /24s). These VLANs are all switched locally and are uniform in numbering across all the sites from a layer 2 perspective.
    Thanks,
    Ric

    Interface groups is not an available feature on FlexConnect. FlexConnect doesn't support layer 3 roaming if devices roam from one FlexConnect ap to another and the wlan to vlan mappings are different. This is a limitation to FlexConnect along with a few others listed in the FlexConnect deployment guide.
    -Scott

  • Flexconnect AP - dynamic VLAN and local/central switched via radius possible?

    Hello at all,
    is it possible to tell a flexconnect ap if the client at a single ssid should get local switched or central switched and if central switched, which vlan it should use?
    All I got so far was either central switched with dynamic vlan assignment or local switched with static vlan (because it falls back to the default static vlan configured at the ap if the radius assigned vlan doesn't exist), but I need a flexconnect ap that puts client a into the local switched vlan a and client b to the central switched vlan b, both in the same ssid. Is there a radius attribute to tell a flexconnect ap how to handle this while non flexconnect aps ignore it?
    To be more detailed:
    At the central location all APs are running in local-mode, radius assigns different vlans to the clients (different departments), let's say client a = vlan 100, client b = vlan 200 and this works fine. At the remote locations the APs are running in flexconnect-mode with default vlan 10 so that the authenticated clients can break out locally and use the local infrastructure for printing and file storage. At these locations radius also says client a = vlan 100, but client a should be forwarded to local vlan 10 (which already works because there is no vlan 100 configured at the ap so the default static configuration with vlan 10 is used), while client b should stay at vlan 200 and should be central switched to the controller because it isn't allowed to access the local infrastructure. How could this be done? Creating another ssid isn't a valid option.
    Thank you,
    Christian

    Hi Christian.
    This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.
    "From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.
    In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."
    FlexConnect VLAN Central Switching Summary
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
    • If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.
    Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:
    • If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
    • If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
    • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.
    Enjoy your weekend & I am sure you will be able to get this working.
    HTH
    Rasika
    *** Pls rate all useful responses ****
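The traffic-flow bullets quoted in the answer above, encoded as a decision function and checked against an intended segregation policy. This is an added example, not part of the original post or of any Cisco tooling; `Site`, `resolve` and `policy_gaps` are hypothetical names, and the scenario reuses the VLAN numbers from the question with a constructed WLC WLAN mapping.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Site:
    ap_vlans: frozenset   # VLANs present in the FlexConnect AP database
    wlc_vlans: frozenset  # VLANs/interfaces that exist on the WLC
    ap_wlan_vlan: int     # WLAN-mapped VLAN on the FlexConnect AP
    wlc_wlan_vlan: int    # VLAN/interface mapped to the WLAN on the WLC


def resolve(aaa_vlan: Optional[int], site: Site, connected: bool = True):
    """Return (switching, vlan) for a locally switched WLAN, per the quoted summary."""
    if aaa_vlan is None:                    # AAA returned no VLAN
        return ("local", site.ap_wlan_vlan)
    if aaa_vlan in site.ap_vlans:           # VLAN is in the AP database
        return ("local", aaa_vlan)
    if not connected:                       # standalone: default VLAN until the AP reconnects
        return ("local", site.ap_wlan_vlan)
    if aaa_vlan in site.wlc_vlans:          # connected, VLAN exists only on the WLC
        return ("central", aaa_vlan)
    return ("central", site.wlc_wlan_vlan)  # connected, VLAN unknown to AP and WLC


def policy_gaps(intent, site, connected=True):
    """intent: {client: (aaa_vlan, wanted_switching)} -> clients whose outcome differs."""
    gaps = []
    for client, (aaa_vlan, wanted) in sorted(intent.items()):
        got = resolve(aaa_vlan, site, connected)
        if got[0] != wanted:
            gaps.append((client, wanted, got))
    return gaps


# Constructed scenario: the remote AP only knows VLAN 10, the WLC has 100 and 200.
REMOTE = Site(frozenset({10}), frozenset({100, 200}), ap_wlan_vlan=10, wlc_wlan_vlan=100)
INTENT = {"client-a": (100, "local"), "client-b": (200, "central")}

if __name__ == "__main__":
    for mode in (True, False):
        label = "connected" if mode else "standalone"
        print(label, policy_gaps(INTENT, REMOTE, connected=mode))
```

In this constructed scenario the standalone case puts client-b on local VLAN 10 until the AP reconnects, which follows from the first standalone bullet and is worth checking against any policy that keeps such clients off the local infrastructure.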

  • AP-Specific WLAN-VLAN Mapping audit

    Is there anyway to audit the access points in FC mode to determine the WLAN-VLAN mapping and if it is AP or WLAN specific?
    or
    Is there a script that I can run to make the WLAN-VLAN mappings on all FC mode APs AP-Specific?

    Thanks for the fast reply.
    Here are the screen shots:
    Settings "Flexconnect group"
    Settings "Access Point"
    Error message
