Layer2 Local Switching and SpanningTree

Similar Messages

• Same wlan both locally switched and centrally switched

  Scenario:
  1 virtual wireless controller
  50 access points, some of them some local to the controller (same site), other on remote sites, all in flexconnect mode.
  Is there a way for a wlan to be locally switched for a group of ap's, essentialy those local to the controller, and centrally switched for other groups of ap's, in fact those placed on remote sites?
  I've tried configuring flexconnect groups, and ap groups, but no luck, I've found no way to override the globally configured flag "flexconnec local switching".
  I've also tried to create two identical wlans, one locally switched and the second globally switched, but the wlc refuses to activate the second one since it has the same ssid of the first one.
  Regards,
  Massimo. 

  Since you have vWLC all AP needs to be in FlexConnect mode (If you got a normal WLC you can keep HQ AP in local mode & Remote AP in Flex mode to achieve this)
  I think in your case you have to either choose "Central Switching" or "local switching" for your APs.
  Regards
  Rasika
  **** Pls rate all useful responses ****

• Flexconnect - Local Switching and DHCP Server Location

  Hello Friends, It is again a conceptual question.
  In Flex-connect Local Switching mode if the Client has to be get the IP address using DHCP, the DHCP server has to be local to the remote site and not centralized location. Though i know, Local switching means that the client traffic is bridged to the local network directly by the AP on the locally connected switch and does not pass through the controller, what does it mean to DHCP server location.
  For example, If I have 2 different WLANs (VLAN 2 and VLAN 3) configured Local Switching and its corresponding VLAN SVIs are configured in the Local L3 Switch and if the DHCP server is centrally located with the scopes for VLAN 2 and VLAN 3, will it have troubles?
  I see in my infrastructure we are working in that way [Local switching with centralized server]
  Thanks in advance
  SAIRAM

  It would be good to have DHCP server at local site.

• Local Switching, mDNS Snooping and Chromecast

  Hello everyone,
  we have a Cisco WiFi setup at our company constisting of one WLC (2504) and 5 access points, 4 of which are in the main office and one at a remote location (connected via an IPsec tunnel). The remote AP is configured to FlexConnect mode, and we have set up a staff WLAN using 802.1X auth and local switching. So far, everything works perfect.
  However, we now want to support Chromecast devices in our wireless network. I have setup a new WLAN with WPA2-PSK authentication for those devices, added the "Googlecast" entries to the mDNS profile and activated mDNS Snooping on this WLAN. This appears to be working as well, at least I can see the corresponding entries in the mDNS -> Domain Names tab (Chromecast switched from multicast/SSDP to mDNS recently).
  However, clients in the staff WLAN are not able to see the devices. My guess is that I would need to also activate mDNS snooping on the staff WLAN, but of course this is not possible because of local switching being enabled.
  I tried to create two different AP groups, one for the local APs and another for the remote one. Then I duplicated the staff WLAN, with the idea of deploying one copy on the local AP group with local switching disabled and mDNS snooping enabled and the other copy on the remote AP group, enabling local switching and disabling mDNS snooping. My idea was that this would allow the employees at the local office to use the Chromecast devices, but unfortunately it's not possible to configure two WLANs with the same SSID and L2 security, even if they're not on the same AP / AP group.
  Another solution would just be to create a separate WLAN for the remote AP, but that would require to push another profile and inevitably result in confused employees when they first visit the remote branch.
  Is there any way to make our Chromecasts work while still using the same WLAN for both locations? Any pointers are greatly appreciated.

  I'm not 100%sure about the details and why that works this way. But u can create two SSID as long as u use an ID higher than 16. So start at 17 and it works, maybe that has something to do with the default group they will not belong to..
  comming back to your 2504...I see no way to use an ID above 16 because that's the max it supports.
  So, please have a look at that Guide for Chromcast, as I run through i see that it hase maybe nothing to do with mDNS..
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html
  Br,
  Sebastian
  pls. rate if helpful

• Locally Switched / Centrally Switched on Flex Connect AP

  Hi All,
  Scenario (is this possible)
  I have HQ Site (Site A) -with the WLC
  I have a remote site (Site B) with one AP.
  Site A has Internet Breakout. Site B doesn't
  Is it possible with this one AP to have Multiple SSIDs, some of which are switched locally at the remote site and some which are switched centrally back at the HQ?
  E.G I want to have SSID for the data vlan at Site B. Any Laptop connecting to this is dropped onto the Data VLAN.
  I also want to have a GUEST SSID for Internet but have this traffic be tunneled back to HQ and use Internet Breakout there.
  Is this possible?
  Thanks

  On the advanced tab of the WLAN you can enable that SSID for FC Local Switching.  The AP then needs to be in Flexconnect mode.  You then go to the FC tab of the AP and define the local VLANs for the locally switched WLANs.  There will be 2 lists of SSIDs, locally switched and centrally switched.  Obviously you don't define VLANs for the centrally switched WLANs.
  Whatever you define on the AP will overwrite the interface on the WLC.
  AP Groups and FC Groups are not needed.

• Nexus M1 Series 32 port 10G Module Local Switching Support ?

  Hi,
  Ive got d 32 port M1 series linecard asic architecture slide below.
  There seems to be a local fabric asic on this M1 series card. Anyone knows whether if this module supports local switching and what is the capacity of local switching ?
  We are all aware that this module sits 80G on the chassis fabric modules.
  Thanks.

  4:1 mux is downstream from replication ASIC which has total 10Gb toward each front panel port-group. So correct you can never put more than 10Gbit/s in/out combined across the ports in one port-group.
  As an example say ports 1,3,5,7 each receive 10Gbit/s unicast for ports 9,11,13,15 (1->9, 3->11, ..) The port-group only has 10Gbit/s upwards so incoming excess is dropped at mux and depending on packet ordering you'd get around 2.5Gbit/s out on each port 9,11,13,15.
  This is why the module has an 80Gb fabric connection, as there is only 80Gb from replication down to front-panel ports the fabric ASIC will never see more than 80Gbit/s so doesn't need any more channels.
  Cheers,
  /Phil

• HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesnt fallback to local switching.

  Hi All,
  I am currently using as 4402 with 6.0.196 image. The APs that i am using is the 1130.
  I have configure HREAP for Local switching, it works very well. I am even able to do 802.1x
  Authentication after registering with ACS. Currently I am usng only 1 SSID. That SSID is mapped
  to vlan 10 and my AP is on native Vlan 1.All the proper trunks and routing has been enabled.
  The issue i have is that when I am trying to create a central switched WLAN that fallbacks to local
  switching once the controller is down. The only diffrerence I made was to remove the "tick"/checkbox option
  for "local Switching" on the WLAN page.
  It is able to work if the controller is up, I am even able to get the IP network where the controller resides. However when
  i tested by disconnecting the controller, The client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
  and also WPA-PEAP-MSChapv2. Both fails miserably.
  Does this mean that I need to create 2 WLANs? One for Local Switching and the other for Central Switching on the HREAP mode
  APs.Cant i do it with just a single WLAN?
  Thank you.
  Warmest regards,
  Azzafir Ariff Patel.

  For h-reap, if your doing centrally switch due to using EAP for authentication and the ap looses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-psk local switching should work even if the ap looses connectivity to the WLC since the h-reap ap will do the authentication.  Here is a link you probobly already seen:
  http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

• IPhone calendar appointments set to local calendar, and need to switch to exchange calendar. Have to edit each appointment one at a time and change to exchange calendar. Is there any method to edit all appoints in my calendar at once?

  iPhone calendar appointments set to local calendar, and need
  to switch to exchange calendar. Have to edit each appointment one at a time and
  change to exchange calendar. Is there any method to edit all appoints in my
  calendar at once and change the calendar setting?

  Not sure this will work but if you go into the Keyboard preferences, then click the Keyboad Shortcuts tab, and then the '+', you can add your own shortcuts for any application.  I am not sure what happens if you try to override an existing shortcut since I haven't tried using this.
  Edit/Update:
  Probably against my better judgement I'll also throw this out there - there's an Unsanity haxie called Menumaster which might also allow you to do what you want.  Against my better judgement because personally I stay clear of haxies.  It's (all haxies) probably almost certain to break in Lion.  They always do with each major release.

• Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

  Hello Experts
  We have one WLC 5508 in Building1, few 2700 Series AP in Building1, and one 1252AG in Building2. The LAN subnet is same for both Buildings connected via a dark fiber.
  My requirement is to have Central Switching in Building1 since WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic, for both Buildings we already one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
  Questions:
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Thanks.

  Hi
  The LAN subnet is same for both Buildings connected via a dark fiber.
  If this is the case there is no need of FlexConnet, as you have enough bandwidth & same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.
  Anyway if you want to do this & here is the answer for your specific queries.
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  You can have both local switching & central switching available for a given SSID. Only FlexConnect mode AP will do Local switching & all Local mode AP will do central switching, though both using the same SSID.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  No, if it is central switching SSID, when WLC is not available client won't able to join this SSID. It is not fall back to Local switching.
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  This is applicable only to FlexConnect mode APs & it always do local switching if that configured. If WLC is not reachable AP will go on "standalone mode" & still do local switching.
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Yes, when this option configured & WLC is not reachable (but RADIUS is reachable) then AP will act as Authenticator & pass radius messages to Auth Server directly.
  This is a very good Ciscolive presentation you should see as it describe lots of these features & which WLC codes they introduced.
  BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
  HTH
  Rasika
  **** Pls rate all useful responses ****

• FlexConnect local/central switched and Access-Accept Packets

  For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
  •  Full network access, local switched.
  •  Limited network access, central switched:
  ◦       To isolate traffic from the branch’s LAN.
  ◦       To force traffic through a firewall at the central site.
  ▪       To ease access rules management.
  ◦       Internet access only by default.
  ▪       Internet access is located at the central site.
  ▪       We expect to manage some exceptions to the rule.
  We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
  However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
  Authentication Attributes Honored in Access-Accept Packets (Airespace)
  VAP ID
  This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
  Source:
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
  We then made an assumption that the following was possible:
  •  Create a second SSID
  ◦       Broadcast not enabled
  ◦       Central Switched
  •  Users would authenticate using the first SSID
  •  In it’s access-accept packet, the RADIUS server would return an
  Airespace-WLAN-Id attribute with the value of the second SSID.
  •      The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
  So far, our tests showed no results.
  •  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
  •  If not, what would you recommend?
  For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
  Thank you very much,

  Your WLAN is defined with as centrally switched or locally switched, AAA override will not chage that value.  AAA attributes can change a users vlan, acl and QoS.  The other attributes are intended to use for rules... example:
  Is the user part of this AD group and is this user on WLAN ID=1.
  You will not be able to go from centrally switched to locally swithed and vice versa.  I don't know how you would be able to achieve what your trying to acomplish with one SSID to be honest.

• IOS XR Layer 2 internetworking and layer 2 local switching

  I have 12410 with iox 3.6.1 and sip 501 with spa-5GE I want to configure layer 2 vpns for internetworking and layer 2 local switching. I search in the command reference and I didnt find the connect command nor internetwork ip under the PW class. can any one tell me how to configure it

  Hi,
  Here is an example for local switching:
  RP/0/1/CPU0:router(config-if)#l2vpn
  RP/0/1/CPU0:router(config-l2vpn)#xconnect group local
  RP/0/1/CPU0:router(config-l2vpn-xc)#p2p ac1
  RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#interface gi0/3/0/0
  RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#interface gi0/3/0/1
  RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#commit
  RP/0/1/CPU0:router(config-l2vpn-xc-p2p)#end
  Any-2-Any connection type required 3.8
  HTH
  Laurent.

• Centrally Switched and Flex Local Switched WLAN - same SSID

  Hi All
  I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
  We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
  My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
  My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
  Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
  *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
  My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
  If someone can verify the above I'd be very grateful.
  Many thanks in advance
  Mark

  Hi Mark
  My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
  When you configure an SSID for local switching, it is only applicable if AP in Flexconnnect mode. So as long as your HQ APs are in Local mode then all those users traffic will be central switch for the given SSID. At branch those AP are in Flex mode, they will locally switched.
  Pls do not forget to rate our responses if that is useful to you
  HTH
  Rasika

• Could I configure local switching between sub-interface and global interface on ASR9k?

  Could I configure local switching between sub-interface and global interface on ASR9k?

  For 2 interfaces it is probably best to use an xconnect. It is faster and saves system resources (eg mac learning doesnt apply to xconnect).
  Config example:
  l2vpn
   xconnect group link
    p2p link
     interface Bundle-Ether100.4321
     interface Bundle-Ether500.4321
  EFP config:
  interface Bundle-Ether100.4321 l2transport
   encapsulation dot1q 4000
   rewrite ingress tag pop 1 symmetric
  interface Bundle-Ether500.4321 l2transport
   encapsulation dot1q 2000
   rewrite ingress tag pop 1 symmetric
  This example shows that you can link 2 EFP's with different vlan's together if you'd pop the tags.
  If the EFP's are of the same vlan, then popping the tag can be done but not a must. In general it is recommended to always pop vlan tags so there is a standard EFP design, but not for any technical reasons.
  When you use a bridge domain and using a BVI, you MUST pop the tags as the BVI has no notion of a vlan tag and wants to see "plain ethernet".
  regards
  xander

• TACACS login 1st attend fail and prompt for local switch password

  Hi,
  The switch will prompt us the local switch password after we key in wrong username and password when prompt by the switch. We are wondering is this behave correct or normal?
  This is because any hacker can just try on first the login which is prompt by TACACS then they can try hacking to the switch using the switch local password.
  This there any work around that each attend is prompts for TACACS login? Only when TACACS server is down will be prompt by the switch local login?

  Hi Farrukh,
  Here is the tacacs-server setting:
  tacacs-server host 10.130.209.23
  tacacs-server host 10.130.209.24
  tacacs-server directed-request
  tacacs-server key xxx
  Result is the same even I have remove those two commands.
  I ahve attached the debug result obtain from the switch without those two commands.
  And below is the scenario on the login when the debug is turn on:
  Username: ivan
  Password:
  Password:
  % Authentication failed
  User Access Verification
  Username: TanCH
  Password:
  Password:
  % Authentication failed
  User Access Verification
  Username: siah
  Password:
  Password:
  % Authentication failed
  =---------------------------------------------------------------=
  All Access to this system will be LOGGED.
  All UNAUTHORISED access is PROHIBITED and will be dealt with seriously.
  =---------------------------------------------------------------=
  User Access Verification
  Username: ivancheng
  Password:
  SWB1111>exit

• HREAP, Local Switched WLAN and DHCP Address required

  Hi All,
  if i have configure an HREAP AP with a local switched Wlan with "dhcp ADDRESS REQIRED", from my understanding a client will be provided with an ip address from the hreap local infrastructure. How will the controler ensure that no static ip client is able to access the network?
  Any Help Welcome.
  Regards, Michael

  I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimumally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safe guards" someone putting a static address on their box ...
  http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html