H-Reap vlan mapping groups

Similar Messages

• H-REAP LWAPs losing VLAN mapping when fail to secondary WLC's

  Hello,
  I have three 5508 WLCs, running code 7.0.98.0 supporting 100+ LWAPs in H-REAP mode. The LWAPs are servicing 2-3 WLANs each. Some are using central authentication and local switching, some are configured for central authentication and central switching. When the LWAPs fail from one WLC to another WLC, the LWAP's lose all of their VLAN mappings and pick up the VLAN of the management interface on the new WLC.
  All WLANs are configured to use the management interface on the WLC and the VLAN mappings are configured per LWAP on the H-REAP properties  tab.  The WLAN ID numbers and all the WLAN settings are the same across all 3 WLC's. I have created AP groups on all 3 WLC's and the AP group config matches across the 3 WLCs.
  I can get the LWAPs to keep their VLAN mapping by creating an interface on the WLC with the VLAN ID of the locally switched/remote site VLAN and then setting the interface for the WLAN to the new interface. However, then the WLAN doesn't work, because the centrally located WLC doesn't have the remote site VLAN. It also seems to keep the VLAN mapping if I create the locally switched/remote site VLAN interface on the WLC , and point the WLAN to the management interface. This shouldn't be a necessary step though... In H-REAP with local switching, the LWAPs aren't using the interface on the WLC.
  I found a note in the 7.0 WLC config guide that explains why the VLANs are picking up the management interface VLAN, but that same note says the VLAN mappings can be changed per LWAP/WLAN!
  From config guide:
  For hybrid-REAP access points, the interface mapping at the controller for WLANs that is configured for H-REAP Local Switching is inherited at the access point as the default VLAN tagging. This mapping can be easily changed per SSID, per hybrid-REAP access point
  Anyone using H-REAP and been able to get the LWAPs to keep the VLAN mapping when failing from one WLC to another?
  Thanks!

  Shawn,
  I went back and reviewed everything and everything was duplicated , Except... WLAN_ID. The Wlan ID tags were different. I created a test and failled my two test AP's and they both came up on the backup controller with the proper vlan ID. now I know. When it was working for everyone else I was begining to wonder if I found a new bug or it was my config. This is one I wont forget ..
  Thank you

• Problem switching from AP-specific to Group-specific VLAN mapping

  Hello.
  Some days ago, I updated our 5508 WLC to software version 7.5.102.0.
  With that version, it should be possible to have a VLAN mapping specific for a Flexconnect group that is set within Flexconnect Group settings.
  I did that for all my Flexconnect groups and it works fine with new access point.
  For existing access point, which already have an AP-specific VLAN mapping, it is not possible to switch to Group-specific.
  When I mark the WLAN in Flexconnect setting of the AP and select "Remove AP specific", I get the error message "Request failed: Vlan is not enabled on this flexconnect".
  I wonder what the problem could be, because for newly installed access points, it works fine. Did I miss some settings?
  Regards,
  Sven Lindeke

  Thanks for the fast reply.
  Here are the screen shots:
  Settings "Flexconnect group"
  Settings "Access Point"
  Error message

• Flex Connect Groups - WLAN to VLAN mapping

  I have a question about configuring WLAN to VLAN mapping on FlexConnect Groups.
  Do the mappings that are configured in the FC Group get inherited by the APs when they are placed in the group?
  It seems like they do not.
  I am playing around in a lab with a virtual WLC running 7.5 and an old 1131 AP.
  If I configure the WLAN to VLAN mapping on the individual AP, it works as expected.
  If I configure the WLAN to VLAN mapping within the FC group and add the AP to the group, it does not.
  The AP does not inherit the settings from the Group.
  I am wondering how you would deploy a lot of APs without having to configure each AP individually.
  Thanks

  Yes, you are correct. It is not like normal AP groups where it will map WLAN to AP belong to that AP group.
  Anyway since you have to convert each AP manually to FlexConnect mode, you should do the WLAN mapping at that point as additional step.
  FlexConnect Group is mainly to give fast roaming feature for FC APs in brach deployment solution (typically not so many APs). Also keep in mind you can have maximum  25 APs in FlexConnect AP group for WiSM2 or 5508 & you can go upto 100 in 7500 WLC. (see table 7.3 in below link)
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1108090
  HTH
  Rasika
  **** Pls rate all useful responses *****

• Vlan mapping lost when fail to secondary WLC

  Hello
  I have two WLCs,The primary WLC mode 5508 ,running code is 7.4.100.60, The secondary WLC mode 4402,running code is 7.0.230.0.
  When ap working on 5508 wlc,it use flexconnect mode, when ap working on 4402, it will h-reap mode
  ap mode:1242、1142.
  question:
  When ap fail to secondary WLC(4402),some ap will lost their vlan mapping information.not all of ap.  during fail over, ap will doanloading firmware.
  is there any way to solve? thanks!

  I understand. Two controllers, two different code levels. 4400 is locked in at 7.0 code and you need 7.4 for the 2600 ap.
  In your orginal post you state when aps fail over from one controller to the other you lose vlans and aps code upgrade/down grade. This is not a support deisgn. You cant properly failover betwen different code versions.
  If you want them to stop failing over and clients dont roam from aps on controler to 1 to aps on controller 2, simple remove the controllers from the shared mobility group and put the controllers in their own group.
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
  ‎"I'm in a serious relationship with my Wi-Fi. You could say we have a connection."

• AP-Specific WLAN-VLAN Mapping audit

  Is there anyway to audit the access points in FC mode to determine the WLAN-VLAN mapping and if it is AP or WLAN specific?
  or
  Is there a script that I can run to make the WLAN-VLAN mappings on all FC mode APs AP-Specific?

  Thanks for the fast reply.
  Here are the screen shots:
  Settings "Flexconnect group"
  Settings "Access Point"
  Error message

• Lost VLAN Mapping on WLC 5508 (Flexconnect)

  Hi guys, I have a WLC 5508 and some AIR-LAP1131AG-T-K9 all in flexconnect configuration.
  The problem is that 1130 Access Points lost the VLAN Mapping configuration without reason, simple change the vlan mapping to 999 and I need to reconfigure that.
  I search in some documents on cisco.com but I can't find anything about this issue.
  Could you help me please?
  Thanks guys.

  Hi Scott
  Thanks for the answer.
  We have around 350 ap's, in 50 different locations (customers). The WLC is running AirOS 7.3.101.0.
  Every WLAN is configured to a dummy interface, with the vlanID 2222.
  This is the VlanID that the Wlan to vlan mapping got “lost” to.
  Unfortunately, I am not able to see the right join time, because the WLC’s was booted. (After the error occurred). Next time I see this, I will look at the join time.
  Every location (costumers) has two SSID (guest and employee). The employee network has two vlans (PC’s and BYOD). We are using NPS rules to select witch VLAN the device connectes to.
  So in the FlexConnet settings, we do a WLAN to vlan mapping:
  GUEST to vlanID
  PC’ to vlan ID 5
  And in the FlexConnect group we but in the vlan ID for BYOD.
  Do you now if the AP stores this to configurations different (flash or RAM)?

• H-REAP vlan template?

  Is there a way to set-up the locally switched H-REAP vlan(s) via WCS template?
  Thanks!

  Thanks for the screen shots.  I took off early Friday.
  My screen shots would look like your first one.  Unlike your second one, I never see anything in the Profiles box.
  Perhaps I'm shooting myself in the foot using the same SSID at the H-REAP sites as at the centrally switched sites.  The difference being the H-REAP WLANs are mapped to the management interface but with traffic dumped onto a locally routed/switched vlan.  Strange though, not one SSID shows up in the profiles box.
  I would expect to see multiples of the same SSID with differing locally switched vlan numbers corresponding to local vlans at the different H-REAP sites.

• ISE vlan mapping.

  have one query for ISE 1.2
  Is the following scenario is supported with ISE?
  Can we configure ISE VLAN mapping with SSID authentication web auth only.

  Limitations
  No support for  guest clients – posture for guest user is not supported.
  Hreap local switching is not supported -
  No support for wlans without 802.1x support
  Client will go through posture during slow roam – when client is associated used 802.1x (not wpa2 or cckm) then when client roams from one wlc to other – wlc will send new session ID hence client will again go through posture validation process.
  No support for guest tunneling mobility
  Mac auth bypass is not supported
  Vlan pooling is not supported.
  No support for WGB AP
  No support for AP group.
  Kindly find the link information regarding integration is mention.
  https://supportforums.cisco.com/docs/DOC-18121

• Value Mapping Group in PI 7.1

  Hi All,
  In PI 7.1 Integration Directory there is one section as "Value Mapping Group".I suppose that it is used if and only if value mapping is used.But I am not using any kind of value mapping so can I skip that section?
  Thanks in advance.

  Hi Abhishek,
  THanks for the reply.
  I have another query. it is as follows:
  Actually I am having the Process Order coming in the source with 5 to 6 relevant fields.Out of these Process Order fields Status is one of the fields.Based on the the StatuS field the BAPIs will be called at the receiver.So can I skip Integrated Configurations as I am imposing the condition on the data in the payload(Source Structure) as Integrated configuration will not be helpful in my scenerio.?
  Or shall I skip Sender Agreement ,Receiver Agreement?
  Thanks in advance.

• VLAN Map issue

  I have an issue with a VLAN map I am attempting to use to filter traffic. It is a flat Layer 2 LAN so all hosts are in VLAN 1. I have a number of test machines that I want to deny access to live database servers. To do this I tried the following:
  ip access-list extended testboxes
  permit ip host x.x.x.x host x.x.x.x
  vlan access-map denytest 10
  match ip address testboxes
  action drop
  vlan filter denytest vlan-list 1
  Once I apply the VLAN map I lose all connectivity to the switch. Is there something I am missing here?
  Thanks
  Ian

  Unlike regular IOS standard or extended ACLs that are configured on router interfaces only and are applied on routed packets only, VACLs apply to all packets and can be applied to any VLAN. If a VACL is configured for a certain traffic and that traffic does not match the VACL, the default action is deny. Additionally, VACLs have an implicit deny at the end of the map; a packet is denied if it does not match any ACL entry, and at least one ACL is configured for the packet type. Add an additional permit statement allowing telnet/ssh/or web traffic to the switch:
  permit tcp host X.X.X.X host X.X.X.X eq telnet
  Best Regards
  Francisco

• LDAP Authentication Failed :user is not a member in any of the mapped group

  Hi,
  I tried to set up the LDAP Authentication but I failed.
  LDAP Server Configuration Summary seems to be well filled.
  I managed to add a Mapped LDAP member Group: This group appears correctly in the Group list. 
  But itu2019s impossible to create a User. Although this user is a member of the mapped group (checked with LDAP Brower) , an error message is displayed when I tried to create it (There was an error while writing data back to the server: Creation of the user User cannot complete because the user is not a member in any of the mapped groups)
  LDAP Hosts: ldapserverip:389
  LDAP Server Type: Custom
  Base LDAP Distinguished Name: dc=vds,dc=enterprise
  LDAP Server Administration Distinguished Name: CN=myAdminUser,OU=System Accounts,OU=ZZ Group Global,ou=domain1,dc=vds,dc=enterprise
  LDAP Referral Distinguished Name:
  Maximum Referral Hops: 0
  SSL Type: Basic (no SSL)
  Single Sign On Type: None
  CMS Log :
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=vds, dc=enterprise, scope: 2, filter: (samaccountname=KR50162), attribute: dn objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 2453 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  trace message: GetParents from plugin for cn=huh\,chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise.
  trace message: LDAP: De-activating query cache
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: Updating the graph
  trace message: LDAP: Starting Graph Update...
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 89
  trace message: LdapQueryForEntries: incr. retries to 1
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (&(cn=gp-asia)(objectclass=group)(member=cn=huh
  , chen, ou=accounts, ou=users, ou=domain1, dc=vds, dc=enterprise)), attribute: objectclass
  trace message: LDAP: LdapQueryForEntries: QUERY base: , scope: 0, filter: (objectClass=*), attribute: supportedControl
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 0 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 1
  assert failure: (.\ldap_wrapper.cpp:3066). (pSetAttributes : no message).
  trace message: LDAP: No such attribute: supportedControl, assuming no ranging support.
  trace message: LDAP: LdapQueryForEntries: QUERY base: dc=enterprise, scope: 2, filter: (cn=gp-asia), attribute: member objectclass samaccountname cn
  trace message: LDAP: LdapQueryForEntries: QUERY result: 0 took 3109 ms
  trace message: LDAP: LdapQueryForEntries() QUERY number of entries returned: 0
  trace message: LDAP: query for DSE root returned 0
  trace message: Failed to commit user 'KR50162'. Reason: user is not a member in any of the mapped groups.
  trace message: [UID=0;USID=0;ID=79243] Update object in database failed
  trace message: Commit failed.+
  Can you please help?
  Joffrey

  Please do this after you verify all permission settings for all the groups the account is associated with. Also, make sure you check the NTFS folder permissions before doing this as well.
  Since the same result happens on multiple computers, it is not the profile.
  I am recommending you delete the AD account (or rename to backup the account).
  It will not effect the users Exchange account, but you will need to link it back to the new AD user account. 
  You can also delete her profile just to remove it, for the "just in case" scenario.
  Don't forget to mark the post that solved your issue as "Answered." By marking the Answer you are enabling users with similar issues to find what helped you. Lewis Renwick - IT Professional

• XI30 - Value Mapping Group ?

  Hi,
  Inside XI, I need to create several conversions.
  I want to use a "Value Mapping" and not a "FixValue".
  I succeed with a simple test with a value mapping...
  But as I need to create about 30 value mappings, I need to know exactly what is a "value mapping group" in order to integrate it correctly?
  <u>Example of conversion table</u>: UnitMeasurement (like table T006B of R/3)
    <u>Source | Target</u>
     Unit1 |  U1
     Unit2 |  U2
     ...   |   ...
     Unitn |  Un
  Currently inside XI30, I have created this value mapping:
    Source Agency: BS_PC (Business System for PC)
    Source Scheme: UnitMeasurement
    Target Agency: BS_R3 (Business System for R/3)
    Target Scheme: UnitMeasurement
    <u>Source Value | Target value |  Group name</u>
     Unit1       | U1  |
     Unit2       | U2  |
     ...         | ... |
     Unitn       | Un  |
  Thanks.

  A Value Mapping Group helps you to keep values of different systems together and it is useful, when you want to maintain values for three or more business systems.
  Example: You have three business systems A B C and have different values for Company Code in each system
  A    B    C
  0001 T100 A-01
  0002 T200 A-02
  0003 T300 A-03
  Now you can maintain the values as pair of agencies:
  A    B    Group Name
  0001 T100 T100
  0002 T200 T200
  0003 T300 T300
  And you can maintain the values belonging to the same group:
  A 0001
  B T100
  C A-01
  You need not maintain values for groups, so leave it empty, when you have only two different columns of values.
  Regards
  Stefan

• VLAN Map

  Does anyone know if VLAN Maps are supported in CAT OS? I have found that they are supported in the 3550, 4500, and 6509 running IOS but would like to know ALL of the devices they are supported in.
  Thanks for the help,
  Brian

  I don't think vlan maps are availble on Catalyst OS Switches. On Catalyst IOS Switches, the vlan access-map global configuration command is used on the switch stack or on a standalone switch to create or modify a VLAN map entry for VLAN packet filtering. This entry changes the mode to the VLAN access-map configuration. The vlan filter interface configuration command is used to apply a VLAN map to one or more VLANs.
  on Catalyst OS Switches, the set vlan mapping command is used to map 802.1Q VLANs to ISL VLANs.

• HREAP VLAN Mapping

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;
  mso-fareast-language:EN-US;}
  Hi,
  I've searched around to see if someone else has experienced the same issue regarding HREAP AP's losing their VLAN mappings; however I could not find any related topics.
  Scenario
  I've got a 5508 WLC running ver 7.0 with local VLANs assigned as follow:
  VLAN 241 - Data Users
  VLAN 253 - Voice Users
  The HREAP AP's (Cisco 1242AG) running at the remote branches is mapped to the following:
  VLAN 2 - Data Users
  VLAN 253 - Voice
  The Problem...
  HREAP works perfect; users get the local DHCP addresses at the branch office and have no issues with connectivity. Once and a while some of the HREAP AP's will lose the VLAN mapping I've assigned to them. In this case I've mapped VLAN 2 to the SSID for the Data Users, I will get complaints that users can't connect to the network when I go check the HREAP AP's VLAN mapping it defaulted back to VLAN 241 (the same VLAN the local AP's at head office use for the same SSID). Of course with the Voice SSID I don't have this problem as it's using the same VLAN ID as head office.
  Once I've corrected the mapping everything works perfect.
  Why...
  I just want to know why this happens, I've rebooted the AP's to see if they retain the mappings and they did. I've seen in the HREAP design deployment that it is preferred to use the same VLAN ID's of the head office where the WLC is located as for the same to the branch offices where the HREAP AP's are located.
  I can see why as this will resolve my problem, however this network was designed without the knowledge of HREAP being deployed to the remote sites and I would like to minimize change from a LAN perspective.
  Will this be my only solution by standardizing the branch office VLAN ID's the same as the head office network or should I be able to use different VLAN ID's for the branch offices?
  Thanks for your time reading this and for your input. If you know any discussion regarding this, please add the url.
  Regards
  Jurgens

  Hi,
  I'm having the same problem. And I have two WLCs (WISM) with 7.0.220 version.
  I think because of this BUG: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw92394&from=summary
  Anyone knows how can I solve this problem?
  I Have 42 HREAP APs, and when I have some link problem on the remote Branch and the AP lose for a few seconds Connectivity to the 1º Controller its loses the VLAN Mappings (all turned to the Native VLAN).