HREAP APs lose local VLAN mappings

Hello,
We are using a 5508 controller (version 7.0.98.0) in a central location and 1242 access points in HREAP mode in remote locations.
I have noticed that, for no specific reason, HREAP APs sometimes lose their local VLAN mappings and revert to centrally switched interface VLAN tags?? Since central VLAN tags and local VLANs are not the same, local traffic cannot be routed and clients lose connection.
I have seen that a software bug has been reported, CSCsw68997 (http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw68997), but it seems to have been fixed in software versions that don't exist for 5508 WLCs.
Would you have any idea if there is a fix to this issue?
Thanks for your help, much appreciated,
Laure

It is important to note that CSCsw68997 is an enhancement, not exactly a bug.
The bottom line is that if HREAP APs move between controllers, and those controllers are not identical with WLAN Order (including the AP group WLAN order) then your mappings might change.
Now if you want the code this enhancement is added to, I believe both of those are readily available from TAC. If you need Cisco.com versions of the code, then you'll need to wait a few more weeks....
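The answer's point (every controller an HREAP AP can join must carry the same WLAN order, AP-group order included) can be checked before a failover. The script below is an added example, not Cisco's code or any tool from this thread; the two controller inventories and the AP mapping are constructed, and it assumes local VLAN mappings are keyed by WLAN ID.

```python
"""Pre-failover check for HREAP/FlexConnect APs: report WLAN-order
differences between two controllers (global list and AP-group list) and
show which local VLAN mappings would land on a different SSID.

Added example, not Cisco's code. Assumption: the AP's local VLAN mapping
is keyed by WLAN ID, so the SSID it applies to follows the order in which
each controller numbers its WLANs. Inventories below are constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed inventories: global WLAN list as (WLAN ID, SSID) and the
# WLAN order inside each AP group.
WLC_CENTRAL = {
    "name": "wlc-central",
    "wlans": [(1, "corp"), (2, "guest"), (3, "voice")],
    "ap_groups": {"branch-a": ["corp", "voice"]},
}
WLC_BACKUP = {
    "name": "wlc-backup",
    "wlans": [(1, "corp"), (2, "voice"), (3, "guest")],  # IDs 2 and 3 swapped
    "ap_groups": {"branch-a": ["voice", "corp"]},
}
# Constructed AP-specific mapping as pushed by wlc-central: WLAN ID -> local VLAN
# (corp -> VLAN 6, voice -> VLAN 10).
AP_MAPPING_BY_ID: Dict[int, int] = {1: 6, 3: 10}


def wlan_order_mismatches(a: dict, b: dict) -> List[str]:
    """Differences in global WLAN numbering and AP-group WLAN order."""
    problems: List[str] = []
    ids_a, ids_b = dict(a["wlans"]), dict(b["wlans"])
    for wlan_id in sorted(set(ids_a) | set(ids_b)):
        if ids_a.get(wlan_id) != ids_b.get(wlan_id):
            problems.append(f"WLAN ID {wlan_id}: {a['name']}={ids_a.get(wlan_id)} "
                            f"{b['name']}={ids_b.get(wlan_id)}")
    groups_a, groups_b = a["ap_groups"], b["ap_groups"]
    for group in sorted(set(groups_a) | set(groups_b)):
        if groups_a.get(group) != groups_b.get(group):
            problems.append(f"AP group {group}: {a['name']}={groups_a.get(group)} "
                            f"{b['name']}={groups_b.get(group)}")
    return problems


def resolve_mappings(wlc: dict, mapping_by_id: Dict[int, int]) -> Dict[str, int]:
    """SSID -> local VLAN as this controller would apply the ID-keyed mapping."""
    ssid_by_id = dict(wlc["wlans"])
    return {ssid_by_id[i]: v for i, v in mapping_by_id.items() if i in ssid_by_id}


def mapping_drift(src: dict, dst: dict,
                  mapping_by_id: Dict[int, int]) -> Dict[str, Tuple[Optional[int], Optional[int]]]:
    """SSIDs whose local VLAN changes when an AP moves from src to dst (None = unmapped)."""
    before, after = resolve_mappings(src, mapping_by_id), resolve_mappings(dst, mapping_by_id)
    return {s: (before.get(s), after.get(s))
            for s in set(before) | set(after) if before.get(s) != after.get(s)}


if __name__ == "__main__":
    for line in wlan_order_mismatches(WLC_CENTRAL, WLC_BACKUP):
        print("MISMATCH", line)
    for ssid, (old, new) in sorted(mapping_drift(WLC_CENTRAL, WLC_BACKUP, AP_MAPPING_BY_ID).items()):
        print(f"{ssid}: local VLAN {old} -> {new}")
```

With the constructed inventories, the voice SSID loses its VLAN 10 mapping on the backup controller and guest picks it up instead, which is the symptom the question describes.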

Similar Messages

  • HREAP vs AP local mode

    Hello,
    Could someone explain the advantages or differences in using HREAP (when the traffic is centrally switched), to just using the APs in local mode with a centralized WLC?
    Scenario- 1 HQ and several branch offices. All resources are at the HQ including DHCP and internet break-out.
    Thanks

    Well it depends if the LWAPP traffic takes up too much of your WAN bandwidth. If not, then run local.... I have clients that have gig connections to their branch offices that run every AP in local mode. I also have clients that run the branch office APs in H-REAP due to bandwidth constraints. Even though traffic will end up back in the central site doesn't mean you can't run the APs in H-REAP. The good thing with H-REAP is that if the WLC becomes unreachable for some reason, the APs will still be up and running. Encryption that can be run in local mode can still be run in H-REAP. The scenario that is in a lot of docs is that if your WAN goes down, users who need to authenticate back to a RADIUS server in the central site will fail.... that is because the WAN is down. Again, you can run locally first and see how that works.

  • FlexConnect VLAN Mappings Inheritance

    Hi guys,
    I have 3 APs, which joined the vWLC some time ago (FlexConnect mode). I setup the VLAN Mappings, add them to an AP Group and all went well.
    After some time I started to use FlexConnect Groups. I have created a group for these three and add each to the group.
    Trouble is, even after adding each AP to the FlexConnect Group the VLAN Mappings Inheritance stays on AP-Specific instead of Group-Specific.
    I tried Remove AP Specific option, but I receive an error message I have attached.
    Thanks in advance for any hint/tip.

    Yes... If your AP and users are going to be put in the data VLAN, you can just leave the port as an access port and you don't have to set up any native VLAN or VLAN mapping in the FlexConnect AP. If you decide you want to map users to the voice VLAN, then you need to trunk it.
    If you want to trunk it anyways, then you can map a WLAN to the data Vlan too.
    Sent from Cisco Technical Support iPhone App

  • ISE 1.1.1 (Fallback to local Vlan if radius server is found to be dead) not working

    We have configured the following commands on the switch to fall back to a local VLAN if both RADIUS servers (policy personas) are found dead. For test purposes we shut down both servers (policy personas) but the fallback didn't work. We have a 3750 switch running image 12.2(55)SE6 with the following configuration.
    We do not know whether we configured switch in proper way or do we need to modify it.
    aaa new-model
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa authorization auth-proxy default group radius
    aaa accounting update periodic 5
    aaa accounting auth-proxy default start-stop group radius
    aaa accounting dot1x default start-stop group radius
    aaa accounting system default start-stop group radius
    aaa server radius dynamic-author
    client 10.10.10.10 server-key 7 12345678 (Policy Persona 1)
    client 10.10.10.11 server-key 7 12345678 (Policy Persona 2)
    server-key 7 12345678
    ip device tracking
    epm logging
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 30 tries 3
    radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 1)
    radius-server host 10.10.10.11 auth-port 1812 acct-port 1813 key 7 12345678 (Policy Persona 2)
    radius-server vsa send accounting
    radius-server vsa send authentication
    Port Configuration
    interface GigabitEthernet0/1
    switchport access vlan 305
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 305
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order mab dot1x
    authentication priority dot1x mab
    authentication port-control auto
    authentication periodic
    authentication timer reauthenticate server
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    Please help....
    Thanks

    Tabish-
    The pre-auth ACL that you have on your port is used for what's called a "Low-Impact" mode type of setup. With Low-Impact mode you are allowing services defined in the pre-auth ACL until the user/device is authenticated. Once authenticated the pre-auth ACL gets replaced with the dACL/authorization policy that you have defined in the authorization profile. As a result, it is not possible to use a "fail-open" configuration with low-impact as there is nothing to replace that pre-auth ACL since your NAD device(s) are unavailable.
    If you want to use the "fail-open" features you will have to use the "High Security/Closed Mode." In that mode you cannot utilize the pre-auth ACL and essentially only EAPoL traffic is allowed on the port until authenticated.
    For more info you should reference the TrustSec design guide located at:
    http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html
    Thank you for rating!
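The low-impact versus closed-mode conflict described in this answer can be caught by linting the switch configuration before it is deployed. The script below is an added example, not Cisco's code; the sample config is constructed from the commands in the question (one port as posted, a second port in closed mode for comparison), and the `key 7` value is the placeholder from the post.

```python
"""Lint an IOS port configuration for the conflict described above: a
pre-auth ACL plus 'authentication open' (low-impact mode) combined with
'authentication event server dead action ... vlan', which the switch cannot
honour because nothing replaces the pre-auth ACL once RADIUS is dead.

Added example, not Cisco's code. The config below is constructed from the
commands in the post, with standard IOS indentation and a second port in
closed mode for comparison."""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
radius-server dead-criteria time 30 tries 3
radius-server host 10.10.10.10 auth-port 1812 acct-port 1813 key 7 12345678
!
interface GigabitEthernet0/1
 switchport access vlan 305
 switchport mode access
 ip access-group ACL-DEFAULT in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 305
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/2
 switchport access vlan 305
 switchport mode access
 authentication event server dead action reinitialize vlan 305
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented commands; global lines go under ''."""
    stanzas: Dict[str, List[str]] = {"": []}
    current = ""
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current:
            stanzas[current].append(raw.strip())
        elif raw.strip() == "!":
            current = ""          # stanza terminator
        elif raw.strip():
            stanzas[""].append(raw.strip())
    return stanzas


def lint_fail_open(config: str) -> Dict[str, List[str]]:
    """Findings keyed by interface (or 'global'); an empty dict means nothing flagged."""
    stanzas = parse_interfaces(config)
    findings: Dict[str, List[str]] = {}
    if not any(l.startswith("radius-server dead-criteria") for l in stanzas[""]):
        findings["global"] = ["no 'radius-server dead-criteria': server-dead events never fire"]
    for name, lines in stanzas.items():
        if not name:
            continue
        dead_vlan = any(re.match(r"authentication event server dead action \S+ vlan \d+", l)
                        for l in lines)
        pre_auth_acl = any(l.startswith("ip access-group ") and l.endswith(" in") for l in lines)
        low_impact = "authentication open" in lines
        if dead_vlan and (pre_auth_acl or low_impact):
            findings[name] = ["fail-open VLAN configured in low-impact mode (pre-auth ACL / "
                              "'authentication open'): nothing replaces the ACL; use closed mode"]
    return findings


if __name__ == "__main__":
    for target, issues in lint_fail_open(SAMPLE_CONFIG).items():
        print(target, "->", "; ".join(issues))
```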

  • NCS Prime 1.4 does not display previous AP WLAN-VLAN mappings

    Hi,
    Just wondering if others have experienced this issue. I upgraded our Prime NCS from 1.3 to 1.4 last night. The upgrade appeared successful but today when looking through the web interface for testing I noticed that the 'Access Point Details' page (Configure > Access Points > Access point details) no longer displays the FlexConnect VLAN mappings which previously were shown in 1.3.
    When clicking on the WLAN-VLAN Mappings tab nothing appears there either. I tried to apply the wireless configuration template again but received an error.
    Has anyone had this issue? On the WLC, these configurations are still intact with the correct vlan-mappings so it only appears to be NCS that is having the issues.
    Only thing I can see from the release notes regarding NCS 1.4 Flexconnect VLAN mappings is CSCug17718. But this caveat is under the resolved section.
    Cheers,
    Wil

    Cheers thanks for the reply.
    I figured out what the problem was. It appears that the Audit status has mismatches, but once another audit is done it displays the VLAN mappings at the access point detail page.
    Now... to figure out how to perfect bulk audits..
    Anyways thanks for your advice.

  • How many Meraki APs per subnet/vlan

    I am trying to cover a 90-story building.  Voice is not a requirement, but I would like to be able to seamlessly roam across the infrastructure.  How large can I build a flat network, and if I need to cross a threshold, what do I have to do to enable Layer 3 roaming?

    The only reason I can think of why that "soft limit" of 60 Cisco APs per VLAN exists is the default logging configuration of the APs. This is the broadcast address so every other AP receives all those messages also; once you configure a syslog destination that is no longer the case. I don't have much experience with Meraki, but I think that they don't work with an external syslog server at all.
    I hope that all the other devices are being segmented on a per floor basis? If not, please investigate if you can segment at least some floors together with their own set of "local" VLANs. You don't want network traffic being switched in "global" VLANs all throughout the building on a scale like that.

  • ACL or VLAN Mappings

    Good afternoon,
    We have several VLANs and would like to restrict traffic on some of them.
    For one VLAN, let's say VLAN 140, we would like it to drop all packets except for traffic going to / from 172.30.0.49. Is this possible? If so how? Also, would users be able to obtain DHCP / DNS queries if this rule was in place?
    Just like to get an understanding on how this can be done on our core using either ACL or vlan mappings.
    Regards,
    Mark

    Yes, the main advantages are performance and usability.
    With ACLs each document can have different security settings.
    As for performance, if you enter a query like "what document can a user read?" it requires checking all ACLs (not sure if it is still true, but I think in earlier versions ACLs were implemented as comma-separated strings, so this query was quite costly). With accounts, or security groups, the logic is much closer to a relational database, so even though the queries require a few OUTER JOINs, in the end they are much faster.
    As for usability, imagine a scenario like "I want to replace a person X with a person Y" - with accounts you do it in one place, with ACLs I do not know (not sure if there is anything like "mass ACL update" available).
    Note that "a large number of WLS groups" should be auto-generated, ideally, in cooperation with an IDM solution.
    In general, I'd recommend ACLs only for very specific situations - namely, if security settings change during an item's lifetime (in 10g, they were a part of a component called Collaboration Manager, and it meant that a user might be granted access to an item only for the sake of a workflow, which is something you cannot do with accounts/security groups - or to be precise, you cannot do it easily).
    I have also heard, with no further details, that recently ACLs were redesigned, so some statements above might become obsolete.

  • How to failover APs from local to remote controller (Local/Hreap mode) query

    Hi,
    I have a situation where my office has a local WLC and 15 3500 series APs connected to it on local mode.
    For redundancy we have a WLC in the Datacenter somewhere, accessible via MPLS cloud.
    I would like the APs to be in local mode when they are managed by the local WLC, but, when the local WLC fails... and the APs shift over to the remote WLC, their mode should change to Flex Connect... so that I can have local switching, also it helps as the users will get IP from the local addresses pool.
    Can this be achieved?
    I am running 7.2.110 code on the 5508s.

    Ah, I imagined.
    For the sake of argument - suppose there are users on the wireless net with DHCP MAC-bound IPs. Some of these users might have some special privileges via FWs and such. Now, if the local WLC fails and they start getting IPs from a remote controller's network (non-HREAP), this would be an issue.
    However, it can be easily solved if the APs are always in Flex mode. If they are attached to the local WLC - no problem. If they go and attach to the remote WLC - no problem!

  • HREAP and Remote Office VLAN

    We have a corporate office at which we have a 5508 WLC and 2 WiSMs (v7.0.116) and WCS (v7.0.172), and we are rolling out remote offices which will have 2 or 3 APs (1142N). I set up the first remote office with wireless using HREAP and it's working well. Configuring the WLAN for the remote office we select an interface we created with the VLAN at the remote office, and now that we are preparing for the next remote office, can I use the same VLAN for the second office? For example, we are using local switching for a WLAN using VLAN 6 and will need the same at the second remote office.
    Thanks for any help.
    Jeff

    If you are using FlexConnect, and are on 7.2 or better code on the WLC:
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1247954
    If you are not using FlexConnect, which you said you weren't, the traffic doesn't get locally switched. It is all handled at the WLC.
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • How to cleanly migrate APs from local mode to flex-connect?

    I am working with an existing network where all APs are remote from the WLC at the data center. All APs were configured to run in local mode. I am trying to reconfigure these APs to flex-connect mode and local switching.
    Configuring the APs themselves to flex-connect and reconfiguring the switch ports is not an issue.
    None of the WLANs are currently configured for flex-connect local switching.
    When I configure a WLAN to allow local switching several of the APs cease to service clients.
    I am not permitted to change/add a new WLAN so I have to do this in place. This has to be transparent to the users.
    Any thoughts would be appreciated.

    The AP has been changed to flex-connect mode from local and the native VLAN is set to 10. The switch port is trunked with the native VLAN set to 10. This works fine until I try to change the WLAN to allow local switching.
    This example is a small site and all data clients are assigned to VLAN10.

  • Remote APs with multiple vlan / dhcp

    On one of our 5508 controllers we have approx 40 APs, about 20 local and 20 FlexConnect. Until now we have only had one VLAN on the FlexConnect APs, but our local APs have several SSIDs connecting to different VLANs and are assigned different DHCP addresses correctly.
    We now have the need to have multiple SSIDs on some sites being assigned different IPs.
    I have created the interfaces, with the correct ip and dhcp server, linked with the correct AP group. The SSID is shown and can be connected, but the original ip is being assigned and not the new range.
    I have not yet created any security policies so the new range has full access to the entire network and the controller can ping the new remote vlans.
    If I hard connect to the switch on the new VLAN, I am assigned the correct new IP range, so this is working.
    I cannot see why devices connected to the new SSID are not being assigned the correct IP range.

    You need to review the FlexConnect configuration guide. You need to trunk the ap port if more than one vlan is required, you also need to enable FlexConnect local switching in the WLAN, you need to also define the WLAN to vlan mapping on each FlexConnect AP.
    It varies depending if you want to place traffic locally at the site or tunnel it back.
    https://supportforums.cisco.com/docs/DOC-24082
    Sent from Cisco Technical Support iPhone App

  • Adaptiva Software Distribution not working with Cisco APs in Local Mode

    A worldwide customer would like to use a new software distribution system called Adaptiva to replace SCCM within a Windows environment. As far as I understand, Adaptiva is designed to work like a snowball system. A single PC at a remote site can be "infected" with new software and will distribute the package to other PCs within the same IP subnet, saving WAN bandwidth.
    First tests are showing that it is working well with Cisco WLAN solution as long as we are using Flexconnect WLAN APs.
    Customer locations with Local WLAN AP design create problems for this new software distribution method.
    The WLAN-PCs can be reached from outside, but the establishment of the Client/Server-model between the WLAN Clients is not working. The Port used by this software for communication between clients in each WLAN subnet is UDP Port 34329.
    Our WLCs are running 7.4.130.0. The problem is appearing independently of AP Multicast settings or Broadcast Forwarding. Enabling Broadcast forwarding without a reboot did not improve the situation.
    Global Multicast Mode and IGMP Snooping are also of no influence.
    P2P Blocking Action is "Disabled" within the WLAN setup.
    Who has any idea what might cause this communication problem between WLAN clients in Local Mode of APs ?
    Thank You for answers
    Wini

    I can think of two solutions. You could 1: turn the "auto-lock" to never, so that your phone never sleeps. Or, you could 2: jailbreak your iPhone and install "insomnia". I wish we had the Cisco Mobile app. I usually use wifi/insomnia and turn data off at work since we have wireless pretty much everywhere...
    Sent from Cisco Technical Support iPad App

  • Using EEM to automatically put APs onto correct VLAN?

    Hi,
    I am stuck in the unfortunate situation of read-only access to my own network until I pass my CCNA.... however, in the interim I've been researching some topics.
    One of the things I came across was using EEM to fire off tclsh programs when events occur on a switch/router, or even using syslog filtering to fire off events based on certain patterns.
    It occurred to me that, using these methods, you could get devices to autoconfigure themselves. For instance, I have a WiSM on site (which yet again I have little control over ...) and although I have very little idea of how the WiSM actually works, fundamentally the problem is that when a new AP is plugged in, it needs to be placed into a certain VLAN and can then offer wireless access into the network.
    Of course, a Cisco WLAN AP is a CDP aware device and this got me thinking ... if you can either fire off an event using EEM on CDP adjacency changes, or alternatively enable 'debug cdp adjacency' and filter the syslog ... you could take the CDP device's name, capabilities (Trans-Bridge for an AP), and MAC address. Then the Tcl script could, after checking the name and MAC address against a list of known APs, automatically place the AP onto the appropriate vlan (a running-config change).
    Similarly, an event or syslog trap could return the port back to the access VLAN when the AP is disconnected.
    This would enable autoconfiguration of APs as and when they are plugged in.
    Before I reinvent the wheel, has anyone: a) tried this; b) succeeded?
    Thanks,
    M.

    Hmm, that looks very much like what I want.
    No doubt it is very expensive. And tclsh is free...
    Still, looks like my idea is workable - since I'm guessing that SmartPorts is using the same techniques ...
    So, has anyone ever done it for free without paying a lot for SmartPorts?

  • Multicast Mroute behavior for local VLAN multicast (with overlap)

    We have a multicast address that exists at various locations but we want to isolate them at each location to a single VLAN.  We run PIM Sparse with anycast RP throughout our Enterprise.  Our original thought was to just turn off PIM on the SVI/VLAN at a campus and isolate that multicast to the VLAN it is in.
    We are still learning the Multicast address via PIM from the other sites we have not turned PIM off yet (since it is an overlapping address).  The question came up that if you disable PIM for that VLAN/SVI would the multicast stay local if the default gateway for that VLAN still has a multicast route it learned via PIM from another site?  Or would that VLAN without PIM still use the mroute table to connect to the Multicast address?

    Paul
    Sorry, I didn't realise this was addressed to me.
    To be honest I have never used this command but reading up on it it would seem you certainly could block the flow of multicast packets between the interfaces for the group(s) you wanted to, so it would be a way of isolating traffic between VLANs.
    In terms of the RP announcement messages there is a keyword you can add to the command, "filter-autorp", which filters discovery and announcement messages as well. But I wouldn't like to say for sure exactly how it would or wouldn't work without testing, i.e. do you need to filter the RP announcements before they reach the SVI or would it work applied to the SVI.
    I could see a use for this if you had a number of SVIs that needed to route the multicast stream between themselves but not to other L3 subnets. But the topology would be a little difficult on a L3 switch, i.e. if half the SVIs need to route the multicast stream but the other half didn't, where do you apply the command? It would have to be on each SVI you didn't want to receive the stream.
    It would work better if, for example, you had a L3 switch connected to a router with L3 routed ports and all the SVIs should route the multicast stream but it should stay local to the L3 switch so it is blocked on the L3 uplink (and other potential streams from the router to the L3 switch blocked as well).
    Hope that made some sense. It's sometimes difficult to explain things without a diagram
    Jon

  • 51 APs on voice vlan with 110 802.11 Handsets and 300 VoIP handsets?

    There are 51 APs with 110 Symbol 802.11 VoIP handsets, along with 400+ Mitel VoIP handsets on one VLAN, using mask 255.255.240.0. Should I be asking if this is excessive multicast traffic?
    Anyone used IAPP with Aironet? Any drawbacks, feedback? Should the APs/802.11 VoIP phones be on their own VLAN rather than the voice VLAN?

    Jason,
    Let me answer your question with another question - RTP streams from your phones would be unicast, unless you were using applications like multicast paging or multicast MOH. Are there any of these applications present?
    For seamless roaming, you will want the APs to be located on the same VLAN and use the same SSIDs and addressing scheme across your wireless infrastructure. You could separate it from your voice VLAN for segmentation purposes, so long as DHCP services and QoS are present on your APs and distribution switches on the wireless VLAN.
    A quick estimation of the traffic involved is 7.04Mb/s if every phone was being used simultaneously with a G.711 codec. Bandwidth would generally not be an issue, but latency and jitter are your priorities. Depending on how your wireless network is laid out, you shouldn't have more than 8-12 phones associated to a single AP or jitter, latency and retransmissions will become an issue.
    Hope this helps.
    Pat
