MDNS cannot be configured when FlexConnect Local Switching is enabled

Similar Messages

• Flexconnect Local Switching Hosts Do Not Receive IP Addresses

  Hello,
  My WLC software version is 7.4.110.0. I have a branch office in my lab. The AP in my branch is configured as flexconnect with native VLAN of 700. The SSID that I have in the branch office is configured to do local switching. The show wlan is added below.
  My tunneled SSID still working and I can still receive IP addresses from it. My issue is last week I have the Flexconnect working with no problem, then this morning I can connect to the SSID, but I'm not receiving IP addresses for my test wireless clients.
  Thanks
  [code]
  WLAN Identifier.................................. 2
  Profile Name..................................... ACS Guest
  Network Name (SSID).............................. RMTGuest
  Status........................................... Enabled
  MAC Filtering.................................... Disabled
  Broadcast SSID................................... Enabled
  AAA Policy Override.............................. Disabled
  Network Admission Control
    Client Profiling Status ....................... Disabled
     DHCP ......................................... Disabled
     HTTP ......................................... Disabled
    Radius-NAC State............................... Disabled
    SNMP-NAC State................................. Disabled
    Quarantine VLAN................................ 0
  Maximum number of Associated Clients............. 0
  Maximum number of Clients per AP Radio........... 200
  Number of Active Clients......................... 0
  Exclusionlist Timeout............................ 60 seconds
  Session Timeout.................................. 1800 seconds
  User Idle Timeout................................ 300 seconds
  --More-- or (q)uit
  User Idle Threshold.............................. 0 Bytes
  NAS-identifier................................... RK2WLC5508-01
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ management
  Multicast Interface.............................. Not Configured
  WLAN IPv4 ACL.................................... unconfigured
  WLAN IPv6 ACL.................................... unconfigured
  mDNS Status...................................... Disabled
  mDNS Profile Name................................ unconfigured
  DHCP Server...................................... 172.28.27.130
  DHCP Address Assignment Required................. Disabled
  Static IP client tunneling....................... Disabled
  PMIPv6 Mobility Type............................. none
  Quality of Service............................... Silver
  Per-SSID Rate Limits............................. Upstream          Downstream
  Average Data Rate................................   0                      0
  Average Realtime Data Rate.......................   0                      0
  Burst Data Rate..................................   0                      0
  Burst Realtime Data Rate.........................   0                      0
  Per-Client Rate Limits........................... Upstream          Downstream
  Average Data Rate................................   0                      0
  Average Realtime Data Rate.......................   0                      0
  --More-- or (q)uit
  Burst Data Rate..................................   0                      0
  Burst Realtime Data Rate.........................   0                      0
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  WMM UAPSD Compliant Client Support............... Disabled
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... All
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
     Authentication................................ Disabled
     Accounting.................................... Disabled
     Dynamic Interface............................. Disabled
     Dynamic Interface Priority.................... wlan
  Local EAP Authentication......................... Disabled
  --More-- or (q)uit
  Security
     802.11 Authentication:........................ Open System
     FT Support.................................... Disabled
     Static WEP Keys............................... Disabled
     802.1X........................................ Disabled
     Wi-Fi Protected Access (WPA/WPA2)............. Enabled
        WPA (SSN IE)............................... Disabled
        WPA2 (RSN IE).............................. Enabled
           TKIP Cipher............................. Disabled
           AES Cipher.............................. Enabled
                                                                 Auth Key Management
           802.1x.................................. Disabled
           PSK..................................... Enabled
           CCKM.................................... Disabled
           FT-1X(802.11r).......................... Disabled
           FT-PSK(802.11r)......................... Disabled
           PMF-1X(802.11w)......................... Disabled
           PMF-PSK(802.11w)........................ Disabled
        FT Reassociation Timeout................... 20
        FT Over-The-DS mode........................ Enabled
        GTK Randomization.......................... Disabled
        SKC Cache Support.......................... Disabled
  --More-- or (q)uit
        CCKM TSF Tolerance......................... 1000
     WAPI.......................................... Disabled
     Wi-Fi Direct policy configured................ Disabled
     EAP-Passthrough............................... Disabled
     CKIP ......................................... Disabled
     Web Based Authentication...................... Disabled
     Web-Passthrough............................... Disabled
     Conditional Web Redirect...................... Disabled
     Splash-Page Web Redirect...................... Disabled
     Auto Anchor................................... Disabled
     FlexConnect Local Switching................... Enabled
     flexconnect Central Dhcp Flag................. Disabled
     flexconnect nat-pat Flag...................... Disabled
     flexconnect Dns Override Flag................. Disabled
     FlexConnect Vlan based Central Switching ..... Disabled
     FlexConnect Local Authentication.............. Disabled
     FlexConnect Learn IP Address.................. Enabled
     Client MFP.................................... Optional
     PMF........................................... Disabled
     PMF Association Comeback Time................. 1
     PMF SA Query RetryTimeout..................... 200
     Tkip MIC Countermeasure Hold-down Timer....... 60
  AVC Visibilty.................................... Disabled
  --More-- or (q)uit
  AVC Profile Name................................. None
  Flow Monitor Name................................ None
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  SIP CAC Fail Send-486-Busy Policy................ Enabled
  SIP CAC Fail Send Dis-Association Policy......... Disabled
  KTS based CAC Policy............................. Disabled
  Assisted Roaming Prediction Optimization......... Disabled
  802.11k Neighbor List............................ Disabled
  802.11k Neighbor List Dual Band.................. Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled
  Multicast Buffer................................. Disabled
  Mobility Anchor List
  WLAN ID     IP Address            Status
  802.11u........................................ Disabled
  MSAP Services.................................. Disabled
  [/code]

  is the VLAN still mapped on the AP, and allowed across the trunk?
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• WebAuth on FlexConnect Local Switched SSID

  Hi All
  I'm working on getting internal WebAuth to work on a FlexConnect local switched SSID. From what I've been reading, it's possible but apparently not very straight forward. 
  FlexConnect AP - if the SSID isn't local switch, WebAuth of course works fine.
  Once I set it to local switching, WebAuth breaks. Any way around that in 7.6?
  Thanks

  Figured it out just now. When using the WLC as a DHCP server(this is just a lab), selecting the Central DHCP Processing for use when in Local Switching also selects a box for NAT-PAT. Unselecting the NAT-PAT box fixed the broken WebAuth. 
  Going to have to figure out what that does.

• Flexconnect - local-switching - Interface Groups - multiple subnets/vlans

  So I'm trying to setup an "interface-group-like" configuration on some Flexconnect APs with local switching enabled in order to support multiple subnets/VLANs linked to a single SSID.
  Does anyone know if this is possible or have any suggestions?
  I've tried:
  AP Groups - One SSID which would require central switching for it to be of use (I think).
  AP Groups - Creating an additional SSID and then placing the APs in a group per site. This works but is going to be difficult to manage if I have 400+ sites running this sort of setup.
  For reference, my end goal is to have multiple (400+) branch sites with the same WLAN mapped to 3 or 4 different VLANs in order to split the subnets up into smaller chunks (/23s or /24s). These VLANs are all switched locally and are uniform in numbering across all the sites from a layer 2 perspective.
  Thanks,
  Ric

  Interface groups is not an available feature on FlexConnect. FlexConnect doesn't support layer 3 roaming if devices roam from one FlexConnect ap to another and the wlan to vlan mappings are different. This is a limitation to FlexConnect along with a few others listed in the FlexConnect deployment guide.
  -Scott

• Flexconnect - Local Switching and DHCP Server Location

  Hello Friends, It is again a conceptual question.
  In Flex-connect Local Switching mode if the Client has to be get the IP address using DHCP, the DHCP server has to be local to the remote site and not centralized location. Though i know, Local switching means that the client traffic is bridged to the local network directly by the AP on the locally connected switch and does not pass through the controller, what does it mean to DHCP server location.
  For example, If I have 2 different WLANs (VLAN 2 and VLAN 3) configured Local Switching and its corresponding VLAN SVIs are configured in the Local L3 Switch and if the DHCP server is centrally located with the scopes for VLAN 2 and VLAN 3, will it have troubles?
  I see in my infrastructure we are working in that way [Local switching with centralized server]
  Thanks in advance
  SAIRAM

  It would be good to have DHCP server at local site.

• Multicast and Flexconnect Local Switching

  Hi All,
  Hope you can help with this -
  I have the following:
  A 5508 in a remote datacentre and several sites with AP's running in flexconnect mode, connected to cisco switches.
  I have an ssid on which I want to run some push to talk "phones" which I believe use multicast.
  What do I need to do to enable multicast for this, I have read many documents but I'm a little confused !
  I need to enable multicast on the controller globally ?
  Enable igmp snooping ?
  Does multicast mode need to be multicast or unicast ?
  Do I need a multicast address in this case ?
  Do i need to configure the switches (2960) for any multicast configuration, there is none at present ?
  The phones that do PTT will only need to talk to other phones locally at each site, but each site will have some phones, does this make any difference to anything ?
  hope someone can help, thanks !

  The guidelines for Flexconnect and Multicast are as follows:
  1. Set the AP Multicate mode on the controller to Unicast (Multicast-Unicast Mode) : The wireless controller replicates the multicast packet and sends it to each Access Point in a Unicast CAPWAP Tunnel
  2. L3 routing isn't required on the wired network
  3. There will be high controller and wired network loading
  4. No multicast address is required in multicast-unicast mode
  5. No multicast configuration required on Layer 2 switches as CGMP is enabled  by default

• Flexconnect AP(Local Switching) Wireless clients are not able communicate eachother

  Hi,
    Scenario :  We are deployed the WLC in Corparate Office and Access Points are placed in Branch Office with FlexConnect Local Switching mode.
  In this case, I am not able to Ping the Wireless clients eachother . Peer to Peer Block Option also Disabled.
  Some time Wireless clients Ping eachother & some times not. Both Wireless clients  are associated with Same AP & Same WLAN SSID.
  Please help me urgent ..
  Devices :
  1)WLC 2500 series , Software 7.2
  2)Cisco 1400 series APs
  3)CISCO ACS server for AAA authentication
  Regards,
  Shanmugam Nachimuthu

  Hi Shanmugam,
  Please apply following steps to configure P2P setting for WLAN:
  Step 1 Choose WLANs to open the WLANs page.
  Step 2 Click the ID number of the WLAN for which you want to configure peer-to-peer blocking.
  Step 3 Choose the Advanced tab to open the WLANs > Edit (Advanced) page.
  Step 4 Choose one of the following options from the P2P Blocking drop-down list:
  • Disabled — Disables peer-to-peer blocking and bridges traffic locally within the controller whenever possible. This is the default value.
  NOTE: Traffic is never bridged across VLANs in the controller.
  • Drop—Causes the controller to discard the packets.
  • Forward - Upstream — causes the packets to be forwarded on the upstream VLAN. The device above the controller decides what action to take regarding the packets.
  NOTE: To enable peer-to-peer blocking on a WLAN configured for FlexConnect local switching, select Drop from the P2P Blocking drop-down list and select the FlexConnect Local Switching check box.
  Step 5 Click Apply to commit your changes.
  Step 6 Click Save Configuration to save your changes.
  Thanks,
  Prashant Gondaliya

• Local Switching, mDNS Snooping and Chromecast

  Hello everyone,
  we have a Cisco WiFi setup at our company constisting of one WLC (2504) and 5 access points, 4 of which are in the main office and one at a remote location (connected via an IPsec tunnel). The remote AP is configured to FlexConnect mode, and we have set up a staff WLAN using 802.1X auth and local switching. So far, everything works perfect.
  However, we now want to support Chromecast devices in our wireless network. I have setup a new WLAN with WPA2-PSK authentication for those devices, added the "Googlecast" entries to the mDNS profile and activated mDNS Snooping on this WLAN. This appears to be working as well, at least I can see the corresponding entries in the mDNS -> Domain Names tab (Chromecast switched from multicast/SSDP to mDNS recently).
  However, clients in the staff WLAN are not able to see the devices. My guess is that I would need to also activate mDNS snooping on the staff WLAN, but of course this is not possible because of local switching being enabled.
  I tried to create two different AP groups, one for the local APs and another for the remote one. Then I duplicated the staff WLAN, with the idea of deploying one copy on the local AP group with local switching disabled and mDNS snooping enabled and the other copy on the remote AP group, enabling local switching and disabling mDNS snooping. My idea was that this would allow the employees at the local office to use the Chromecast devices, but unfortunately it's not possible to configure two WLANs with the same SSID and L2 security, even if they're not on the same AP / AP group.
  Another solution would just be to create a separate WLAN for the remote AP, but that would require to push another profile and inevitably result in confused employees when they first visit the remote branch.
  Is there any way to make our Chromecasts work while still using the same WLAN for both locations? Any pointers are greatly appreciated.

  I'm not 100%sure about the details and why that works this way. But u can create two SSID as long as u use an ID higher than 16. So start at 17 and it works, maybe that has something to do with the default group they will not belong to..
  comming back to your 2504...I see no way to use an ID above 16 because that's the max it supports.
  So, please have a look at that Guide for Chromcast, as I run through i see that it hase maybe nothing to do with mDNS..
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-6/chromecastDG76/ChromecastDG76.html
  Br,
  Sebastian
  pls. rate if helpful

• HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesnt fallback to local switching.

  Hi All,
  I am currently using as 4402 with 6.0.196 image. The APs that i am using is the 1130.
  I have configure HREAP for Local switching, it works very well. I am even able to do 802.1x
  Authentication after registering with ACS. Currently I am usng only 1 SSID. That SSID is mapped
  to vlan 10 and my AP is on native Vlan 1.All the proper trunks and routing has been enabled.
  The issue i have is that when I am trying to create a central switched WLAN that fallbacks to local
  switching once the controller is down. The only diffrerence I made was to remove the "tick"/checkbox option
  for "local Switching" on the WLAN page.
  It is able to work if the controller is up, I am even able to get the IP network where the controller resides. However when
  i tested by disconnecting the controller, The client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
  and also WPA-PEAP-MSChapv2. Both fails miserably.
  Does this mean that I need to create 2 WLANs? One for Local Switching and the other for Central Switching on the HREAP mode
  APs.Cant i do it with just a single WLAN?
  Thank you.
  Warmest regards,
  Azzafir Ariff Patel.

  For h-reap, if your doing centrally switch due to using EAP for authentication and the ap looses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-psk local switching should work even if the ap looses connectivity to the WLC since the h-reap ap will do the authentication.  Here is a link you probobly already seen:
  http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

• HREAP - Local switching

  Hi All,
  I have a working WLC with several HREAP AP's all Woking as they should, my question is what happens to dhcp requests when an AP is configured for HREAP local switching with no VLan support enabled ( connected to an access port not a trunk)? The local VLan has a dhcp helper address configured for an external DHCP server When a wireless client connects does all the traffic get dropped directly onto the local VLAN (in my case VLAN 10) or does any traffic transverse through the controller? I ask this because on the advanced setting page of the WLAN I have ticked DHCP REQ, how does the controller determine if the wireless client has a valid IP if the DHCP request is being supplied by the local VLAN.
  I was under the impression that the control and data planes are separated?
  Thanks in advance for any replies.
  Sent from Cisco Technical Support iPhone App

  You are correct, it gets dumpped on your vlan 10. As for your very specific question, thats a great question and I dont know that I have the anwser. Perhaps someone else like Steve, Leo or Scott can reply if they tested it.
  Im going to take a stab in the dark and say perhaps the ap makes sure it sees a dhcp req packet come in before it allows the client to get into the run state.
  OR, its doesnt work.
  OR, if that check box is marked, perhaps the ap relays some type of response back to the WCL ...
  "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

• Same wlan both locally switched and centrally switched

  Scenario:
  1 virtual wireless controller
  50 access points, some of them some local to the controller (same site), other on remote sites, all in flexconnect mode.
  Is there a way for a wlan to be locally switched for a group of ap's, essentialy those local to the controller, and centrally switched for other groups of ap's, in fact those placed on remote sites?
  I've tried configuring flexconnect groups, and ap groups, but no luck, I've found no way to override the globally configured flag "flexconnec local switching".
  I've also tried to create two identical wlans, one locally switched and the second globally switched, but the wlc refuses to activate the second one since it has the same ssid of the first one.
  Regards,
  Massimo. 

  Since you have vWLC all AP needs to be in FlexConnect mode (If you got a normal WLC you can keep HQ AP in local mode & Remote AP in Flex mode to achieve this)
  I think in your case you have to either choose "Central Switching" or "local switching" for your APs.
  Regards
  Rasika
  **** Pls rate all useful responses ****

• FlexConnect Central Switching for GuestWLAN

  Hi All,
  I plan on setting up a new WLAN network.
  5 office locations, a single WLC in the primary DC at the moment. Each 5 office location is routed over a L3 link
  If I have a guest WLAN (vlan 30) that it available at each site and want to centrally switch it, do I set the WLC DHCP server on the WLC 'vlan30 interface' to that of the 'management' interface if I have the DHCP setup locally on the WLC? I assume because this guest network is centrally switched, the actual assigned IP of the guest network does not matter if it not in the same supernet of the remote site?
  For regular business WLANs (data/voice) that are set for local switching, is there any DHCP settings that need to be setup on the WLC, or does the client automatically get a IP based on the local subnet (using the ip-helper on that L3 interface?) assuming the AP is setup as trunk at the remote (with native vlan set as management vlan).

  do I set the WLC DHCP server on the WLC 'vlan30 interface' to that of the 'management' interface if I have the DHCP setup locally on the WLC?
  Yes, if you use WLC as your  DHCP server for guest users, you have to use WLC management IP as DHCP server address on vlan 30 (assuming it is for guest)
  For regular business WLANs (data/voice) that are set for local switching, is there any DHCP settings that need to be setup on the WLC, or does the client automatically get a IP based on the local subnet (using the ip-helper on that L3 interface?) assuming the AP is setup as trunk at the remote (with native vlan set as management vlan).
  As long as you do FlexConnect local switching with required vlan mapping in each WLAN, you do not required DHCP server setting on WLC interface where that WLAN assign to. All traffic locally switched & use helper address configured under SVI of that locally switched vlan.
  Refer this configuration guide for more details
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010001000.html
  HTH
  Rasika
  **** Pls rate all useful responses ****

• Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

  Hello Experts
  We have one WLC 5508 in Building1, few 2700 Series AP in Building1, and one 1252AG in Building2. The LAN subnet is same for both Buildings connected via a dark fiber.
  My requirement is to have Central Switching in Building1 since WLC is located locally, and Local Switching in Building2 to avoid inter-building traffic, for both Buildings we already one VLAN/IP Subnet. (Both Buildings access resources from a central Datacenter which hosts all the servers.)
  Questions:
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Thanks.

  Hi
  The LAN subnet is same for both Buildings connected via a dark fiber.
  If this is the case there is no need of FlexConnet, as you have enough bandwidth & same L2 extended in those two buildings. Typically FlexConnect is for branch deployment where WAN link bandwidth is a concern.
  Anyway if you want to do this & here is the answer for your specific queries.
  1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
  You can have both local switching & central switching available for a given SSID. Only FlexConnect mode AP will do Local switching & all Local mode AP will do central switching, though both using the same SSID.
  2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
  No, if it is central switching SSID, when WLC is not available client won't able to join this SSID. It is not fall back to Local switching.
  3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
  This is applicable only to FlexConnect mode APs & it always do local switching if that configured. If WLC is not reachable AP will go on "standalone mode" & still do local switching.
  4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
  Yes, when this option configured & WLC is not reachable (but RADIUS is reachable) then AP will act as Authenticator & pass radius messages to Auth Server directly.
  This is a very good Ciscolive presentation you should see as it describe lots of these features & which WLC codes they introduced.
  BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
  HTH
  Rasika
  **** Pls rate all useful responses ****

• FlexConnect local/central switched and Access-Accept Packets

  For our branch offices’s wireless access, we would like to use FlexConnect with one SSID and two distinct user profiles:
  •  Full network access, local switched.
  •  Limited network access, central switched:
  ◦       To isolate traffic from the branch’s LAN.
  ◦       To force traffic through a firewall at the central site.
  ▪       To ease access rules management.
  ◦       Internet access only by default.
  ▪       Internet access is located at the central site.
  ▪       We expect to manage some exceptions to the rule.
  We know that it’s not possible to switch from local to central switched using the same SSID with FlexConnect and AAA Override.
  However, we found an interesting bit in the documentation pages regarding RADIUS attributes:
  Authentication Attributes Honored in Access-Accept Packets (Airespace)
  VAP ID
  This attribute indicates the WLAN ID of the WLAN to which the client should belong. When the WLAN-ID attribute is present in the RADIUS Access Accept, the system applies the WLAN-ID (SSID) to the client station after it authenticates. [...]
  Source:
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-6/configuration/guide/b_cg76/b_cg76_chapter_0101000.html#reference_327F94A40AAE46E48153B265E521DDCF
  We then made an assumption that the following was possible:
  •  Create a second SSID
  ◦       Broadcast not enabled
  ◦       Central Switched
  •  Users would authenticate using the first SSID
  •  In it’s access-accept packet, the RADIUS server would return an
  Airespace-WLAN-Id attribute with the value of the second SSID.
  •      The WLC would then assign the second SSID to the users so they’re central switched and forwarded through the firewall at the main site.
  So far, our tests showed no results.
  •  Is that solution achievable at all? It seemed so from the documentation, but we haven’t found any documented evidence that someone actually tried it.
  •  If not, what would you recommend?
  For RADIUS, we are using Microsoft 2012r2 NPS servers. Everything’s been working fine with them so far. We can do AAA vlan override for our main site and with FlexConnect also, without any problems. What’s not working is the local/central switched scenario we’re trying to pull off. The RADIUS server sends the Airespace-WLAN-Id attribute from what I see with Wireshark, but the WLC does not seem to react to it like I thought it would. I couldn’t find a debug command that would tell me what the WLC does with the attributes from the access-accept packet. Maybe the behaviour I’m experiencing is to be expected, that’s what I would like to know.
  Thank you very much,

  Your WLAN is defined with as centrally switched or locally switched, AAA override will not chage that value.  AAA attributes can change a users vlan, acl and QoS.  The other attributes are intended to use for rules... example:
  Is the user part of this AD group and is this user on WLAN ID=1.
  You will not be able to go from centrally switched to locally swithed and vice versa.  I don't know how you would be able to achieve what your trying to acomplish with one SSID to be honest.

• High CAPWAP traffic when locally switched

  Hello all,
  We're seeing an ongoing issue where several APs accross multiple sites log the error, "%CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)", then disassociates from the controller, and reassociates almost immediately.  The issue is the users get disassociated from the AP and call the helpdesk.
  A counter measure at one site was to add the CAPWAP traffic (udp ports 5246 & 5247)  to the controller in our QOS Platinum policy (setting the DSCP bit to 'ef'), but that doesn't seem to help.
  We're using Flexconnect with central authentication, local switching.
  A couple of questions:
  1) The Platinum queue on the QOS is showing over 500 kbps when the only thing put in that queue is the CAPWAP traffic - there aren't any phones.  Why so much bandwidth for authentication and control traffic?
  2) What is happening with the APs that they can't talk to the controller that causes the issue in the first place?  Bandwidth doesn't seem to be an issue.
  Below are some config and outputs:
  AP-1242#show capwap reap status
  AP Mode:         REAP, Connected
  Radar detected on:
  AP-1242#show capwap reap association
  REAP Data Switching: Local
  2960#show int fa0/22
    Hardware is Fast Ethernet
    Full-duplex, 100Mb/s, media type is 10/100BaseTX
    Last input 00:00:22, output 00:00:00, output hang never
    Last clearing of "show interface" counters never
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
    Queueing strategy: fifo
    Output queue: 0/40 (size/max)
    5 minute input rate 23000 bits/sec, 13 packets/sec
    5 minute output rate 208000 bits/sec, 48 packets/sec
       37478173 packets input, 13839718021 bytes, 0 no buffer
       Received 2818773 broadcasts (0 multicasts)
       0 runts, 0 giants, 0 throttles
       0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
       0 watchdog, 502342 multicast, 0 pause input
       0 input packets with dribble condition detected
       118634332 packets output, 36491262361 bytes, 0 underruns
       0 output errors, 0 collisions, 1 interface resets
       0 babbles, 0 late collision, 0 deferred
       0 lost carrier, 0 no carrier, 0 PAUSE output
       0 output buffer failures, 0 output buffers swapped out
  2811#show policy-map interface multilink 1
  Service-policy output: MPLS-QOS
      queue stats for all priority classes:
         queue limit 64 packets
        (queue depth/total drops/no-buffer drops) 0/0/0
        (pkts output/bytes output) 300637/46124112
      Class-map: PLATINUM (match-any)
        300637 packets, 46124112 bytes
        30 second offered rate 28000 bps, drop rate 0 bps
        Match: ip dscp ef (46)
          300637 packets, 46124112 bytes
          30 second rate 28000 bps
        Priority: 18% (552 kbps), burst bytes 13800, b/w exceed drops: -16
  Any help is appreciated.

  Hi Jeff,
  I think you are hitting a bug (CSCse92856) specific to 1242 AP. Solution given is "Enable Proxy ARP on the default-gateway device of your AP". You can try that & see.
  Even I cannot view detail of this bug as of insufficient access permission.Therefore I do not know more details about this bug fix & which software version affected,etc. Better you contact Cisco TAC & get more information.
  I found this infomration here
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml
  One other reason that H-REAP APs do not join WLCs is if the Proxy ARP is disabled on the gateway for the H-REAP APs. From the AP console, this message is logged:
  *Jul 29 14:04:10.897: LWAPP_CLIENT_ERROR_DEBUG: 
  Retransmission count for packet exceeded more than max(CHANGE_STATE_EVENT , 1)
  This can be caused by Cisco bug ID CSCse92856. This problem applies only to AP1130 and AP1240. This problem does not apply to AP1000s, AP1100, or AP1200.
  This problem occurs when these conditions are met:
  HREAP mode is used in the WLAN. Local mode is not affected by this issue. Native VLAN mapping is required.
  The APs have to be on a different IP subnet than the AP Manager of the WLCs.
  Proxy ARP is disabled on the default gateway for the AP.
  The H-REAP AP gets the default gateway from a DHCP server.
  In order to resolve this issue, enable Proxy ARP on the default gateway router of the AP
  HTH
  Rasika
  *** Pls rate all useful responses ****