VWLC and Flexconnect

Hi 
I am running into a really weird problem.
My vWLC has an AP associated to it in Flexconnect mode, and I can connect to the WLANs (SSIDs) successfully.
But if I switch between WLANs, e.g. test-ho and test-guest, I see that they time out in a way that I get the IP from the correct VLAN / subnet to which I have switched, yet it shows as identifying on the computer and I cannot even ping anywhere, or the gateway for that matter, and it stays like this forever.
If I just reset the WLANs from the vWLC, the workstation connects immediately, but if I switch again between WLANs it does the same thing again.
I am just unable to figure out what's causing this delay and behavior.
Any help will be really appreciated
Thanks in Advance.

Alright, I believe I have found the issue: it's basically my configuration making me all confused, my apologies.
Let me do a back trace of events!
I am setting up my vWLC, migrating from WLC 5508.
I needed to change the mode from local to Flexconnect to make the APs work on vWLC, as I read and was advised that only Flexconnect mode works on vWLC.
I have two WLANs, 'HO' and 'Guest'. 'HO' is AAA authenticated and 'Guest' is local webauth, with two different VLANs: 'HO' = 20 and 'Guest' = 30.
It seems I am following a bad guide to set up the AP in Flexconnect mode with my setup. Do you have any guide which I can refer to?

Similar Messages

  • VWLC and Apple TV

    Hello,
    I'm using a Cisco Virtual Wireless Controller in version 7.4.110.0 with 2602 access points in FlexConnect mode.
    I'm using only one WLAN with 802.1x authentication and dynamic VLAN assignation.
    I have 13 wired Apple TV (v3).  In controller configuration I enabled mDNS and AirTunes service.  In Controller\mDNS\Domain names, I can see all my 13 Apple TV.
    On wireless devices, the list of available Apple TV changes.  Sometimes I see 1 available Apple TV, sometimes I see 5...  At the same time, on two devices, the available Apple TV are not the same.
    Do you have any idea about which misconfiguration can create this confusion?
    Thanks!

    Yes, to work with vWLC you need to keep AP in FlexConnect mode.
    In FlexConnect, you can have central switching or local switching. If you are doing FlexConnect Central Switching (where all traffic tunnels back to your WLC) it should work. The only concern is that you are using vWLC.
    Here is what I have done with 5508 (with wired Apple TV) & local mode AP; that setup works fine:
    http://mrncciew.com/2013/03/27/configuring-mdns-on-wlc-7-4/
    If it is not working, confirm this with Cisco TAC (i.e. that mDNS works fine with vWLC in FlexConnect Central Switching mode).
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • MDNS and FlexConnect

    Hello,
    I know that it is not possible to enable mDNS snooping and FlexConnect local switching on a WLAN at the same time. Is there any way around this if you have FlexConnect APs and also want to have mDNS on your (non-FlexConnect) local APs? Do I have to create a separate WLAN just for my FlexConnect APs?
    Thanks!

    one mDNS profile per WLAN
    http://www.cisco.com/c/en/us/td/docs/wireless/technology/bonjour/7-5/Bonjour_Gateway_Phase-2_WLC_software_release_7-5.html
    Cheers

  • Same SSID both on Local and FlexConnect sites

    Hi guys,
    I need to deploy an identical SSID name and security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs.
    First question would be: if I enable FlexConnect Local Switching on an "in production" SSID used on Local-mode APs, would this generate any issues?
    Based on the answer received, what are your recommendations to accommodate this request: deploy an identical SSID name and security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs?

    When creating a WLAN with the same SSID, follow these guidelines and requirements:
    - You must create a unique profile name for each WLAN.
    - When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.
    WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. The available Layer 2 security policies are as follows:
    - None (open WLAN)
    - Static WEP or 802.1X
      Note: Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.
    - CKIP
    - WPA/WPA2
      Note: Although WPA and WPA2 cannot be used by multiple WLANs with the same SSID, you can configure two WLANs with the same SSID with WPA/TKIP with PSK and WPA (Wi-Fi Protected Access) /TKIP (Temporal Key Integrity Protocol) with 802.1X, respectively, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X, respectively.

  • Cisco vWLC and Central Web Authentication ISE Issue

    Hello!
    I have an issue with Wireless Central Web Authentication. Wired CWA is working fine.
    My APs are working in FlexConnect mode with local switching. When I connect to the WLAN with CWA, the web page with the guest portal is not opening, but I see that the redirect is working...
    When I try to ping ISE, I get a strange result:
    y@5733Z:~$ ping 10.10.2.47
    PING 10.10.2.47 (10.10.2.47) 56(84) bytes of data.
    64 bytes from 10.10.2.47: icmp_seq=5 ttl=63 time=1.45 ms
    64 bytes from 10.10.2.47: icmp_seq=8 ttl=63 time=2.22 ms
    64 bytes from 10.10.2.47: icmp_seq=10 ttl=63 time=1.43 ms
    ^C
    --- 10.10.2.47 ping statistics ---
    21 packets transmitted, 3 received, 85% packet loss, time 20106ms
    rtt min/avg/max/mdev = 1.430/1.703/2.223/0.367 ms
    When I change the security method on the WLAN to open or any other, ping to ISE works fine. Please help!

    Central Web Auth (CWA) works differently on controllers/APs running in FlexConnect mode. Please check this guide and confirm that you have a similar setup.
    http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
    If so, please post screen shots with your configs (Redirect ACLs, policies in ISE and the WLC SSD settings). 
    Also, the version of code that you are running in ISE and your controller. 
    Thank you for rating helpful posts!

  • VWLC and Guest Wired

    Ciao,
    We are going to test the Guest capabilities of the vWLC (version 7.4.121.0) with no anchor.
    The WiFi Guest and authentication work well.
    The Wired Guest seems to have problems:
    - IP to client is assigned (ok)
    - then no packets seem to leave the vWLC (no DNS request exits the vWLC, for example), nor does the auth page come up
    For the last point, I was on the ASA and no packets arrive.
    On vWLC: ingress interface is the L2 VLAN, while the egress interface is the L3 VLAN (with ASA as gateway)
    Any suggestions?
    Cheers,
    L.

    Restrictions for Configuring Wired Guest Access
    Wired guest access interfaces must be tagged.
    Wired guest access ports must be in the same Layer 2 network as the foreign controller.
    Up to five wired guest access LANs can be configured on a controller. Also in a wired guest access LAN, multiple anchors are supported.
    Layer 3 web authentication and web passthrough are supported for wired guest access clients. Layer 2 security is not supported.
    Do not trunk a wired guest VLAN to multiple foreign controllers, as it might produce unpredictable results.

  • WLC 7.4 and Flexconnect AP support

    Hi all,
    Forgive me for not finding it on my own since I am sure it exists. Does anyone have a link to a support chart that shows where support for APs stops on WLC 7.4 code? Specifically, while running APs in Flexconnect mode? Thanks in advance

    Sure, it's always in the release notes.
    http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn74.html#wp1029587
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered

  • VWLC and dhcp problem

    Hi, I have some problems with DHCP. I have an 8.0.100.0 vWLC. My AP joined the controller. Clients connected, but cannot receive an IP address. I know that there are some methods to receive an address, with DHCP Proxy Mode and without, where you just need to configure ip helper-address on the VLAN interface. I tried both of them, but nothing helps.

    You are using the vWLC, which means that all your access points should be in "flex-connect" mode. My advice is to make your SSIDs "local switched" so that the client traffic gets bridged on the switchport (dot1Q trunk) directly. Then you need to configure the VLAN IDs on the access point or flex-connect group in the WLC. If you have all this configuration in place, you need to configure some DHCP relaying on your SVIs (VLAN interfaces) so that the client can actually get an IPv4 address. I recommend unchecking the option "DHCP required" on the SSID on the WLC.
    This should get your network running. If it still does not work, I would start troubleshooting on the WLC to see if the client is actually associated and authenticated (if you don't use any L3 security mechanism); if that is the case, you should see the client's MAC address on the switchport. If the client by then still does not receive an IPv4 address, you need to troubleshoot the DHCP / SVI configuration on the switch/router and maybe even on the DHCP server itself.

  • VWLC and Default terminal

    Hi All,
    Playing with the vWLC, does anyone know how to set the Default Terminal?
    I have this habit of switching screens when things reboot, and once the "press any key to make this the default terminal" option times out, I have to reboot the vWLC again.
    Wondering if anyone has fixed it, or knows where the default terminal is?
    Is it the Service Port? Or the Serial Port?
    Cheers
    Darren

    From vWLC Config Guide http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml
    Console port setup for (5.1ESXi example): http://www.cisco.com/en/US/products/ps12723/products_tech_note09186a0080bd2d04.shtml#port
    This will default your console to the specified telnet://: as described in the example.
    Also
    Note:
    Only one mode of console can be operational at any time, such as a VM console (by key-interrupt at startup) or serial console (physical/network). It is not possible to maintain both at the same time.
    Otherwise; if you don't catch the "press any key" screen, you're stuck without console access until you reboot and try again.

  • VWLC and Nexus-1000V

    Hi Experts!
    Has anybody tried to install vWLC on ESX with Nexus-1000V as the switch?
    All deployment guides are based on the standard VMware vSwitch and I cannot find any information about these questions:
    1. Is vWLC compatible with Nexus-1000V?
    2. What configuration should be done on Nexus-1000V for vWLC to work properly?

    Hi Dave,
    You can access the URL below for Nexus 1000V 4.0(4)SV1(3b) docs:
    http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_0_4_s_v_1_3_b/roadmap/guide/n1000v_roadmap.html
    And
    Nexus5000
    http://www.cisco.com/en/US/products/ps9670/tsd_products_support_series_home.html
    BR,
    John Meng

  • AVC, Netflow and Flexconnect APs

    Hi all,
    I have a few questions, in case anybody has been solving the same problem.
    My situation: a few branches with Flexconnect APs (in each of them). APs are set for some SSIDs as locally switched (to save WAN connectivity) and some are centrally switched. WLC code 7.4.
    I was very much looking forward to implementing AVC. AVC works fine but only on centrally switched SSIDs - this is a big problem.
    Is there any way to export traffic info for a locally switched SSID?
    I was wondering if a LAP can serve as a Netflow source (when I'm unable to see AVC data)?
    Any ideas?
    Thanks

    Hi,
    First: AVC will not work if you have local switching.
    If you checked local switching under the SSID, then the AP will handle the traffic on its own, without sending the packets to the WLC, hence the WLC does not know what the users are using.
    Second: http://mrncciew.com/2013/02/12/configuring-netflow-on-wlc-7-4/
    Regards

  • Mesh and Flexconnect with WLC5508

    Hi Community.
    A customer has bad coverage in a corner of his branch office. He would like to add a mesh AP (MAP) near that corner.
    I already checked the documentation about Mesh but I'm not sure if Flexconnect and Mesh work together. This MAP is in a branch office and the WLC is in the headquarters, therefore he would like to use Flexconnect together with Mesh.
    Best regards Patrick

    Okay, and if the AP is set up as a RAP, then other wireless clients can't connect to that AP anymore?
    I have to do Ethernet Bridging and give the Bridge Group a name, right? Set that on the MAP and the RAP.
    I have to set the port on the switch where the RAP is connected to a trunk port, so all 3 WLANs (VLANs) can reach the switch over wireless.
    But how do I forward these 3 WLANs (VLANs) from the MAP to the RAP and finally to the switch?

  • Port-security MAC address restrictions and flexconnect

    Hi - has anyone else seen this issue?
    We use port-security on Flexconnect ports, limiting the maximum MAC addresses to 100. The ports are configured so that the native VLAN is the AP management VLAN and we tag the wireless client VLAN.
    Recently we had an issue where we were seeing MAC address restriction violations on the ports connected to APs. Although we could not see the violations happen in real time, they were in the switch logs. In Cisco Prime we checked the client counts on the APs and they were less than 10 at the time the error occurred.
    We then increased the max MAC addresses to 200 and still saw the same issue. Removing port-security seemed to fix the problem.
    This was the model and version of the switches.
    WS-C2960X-24PS-L   15.0(2)EX4            C2960X-UNIVERSALK9-M
    Has anyone else had this? 
    Any help much appreciated.

  • Multicast and Flexconnect Local Switching

    Hi All,
    Hope you can help with this -
    I have the following:
    A 5508 in a remote datacentre and several sites with APs running in Flexconnect mode, connected to Cisco switches.
    I have an SSID on which I want to run some push-to-talk "phones" which I believe use multicast.
    What do I need to do to enable multicast for this? I have read many documents but I'm a little confused!
    Do I need to enable multicast on the controller globally?
    Enable IGMP snooping?
    Does multicast mode need to be multicast or unicast?
    Do I need a multicast address in this case?
    Do I need to configure the switches (2960) for any multicast configuration? There is none at present.
    The phones that do PTT will only need to talk to other phones locally at each site, but each site will have some phones. Does this make any difference to anything?
    Hope someone can help, thanks!

    The guidelines for Flexconnect and Multicast are as follows:
    1. Set the AP Multicast mode on the controller to Unicast (Multicast-Unicast Mode): the wireless controller replicates the multicast packet and sends it to each access point in a unicast CAPWAP tunnel
    2. L3 routing isn't required on the wired network
    3. There will be high controller and wired network loading
    4. No multicast address is required in multicast-unicast mode
    5. No multicast configuration is required on Layer 2 switches as CGMP is enabled by default

  • Local Policies and FlexConnect

    Hello,
    My customer has a traditional guest access design with foreign and anchor WLC without an ISE.
    It works fine.
    Now he plans to install a new WLC5508 for remote offices.
    All APs in these remote offices will be in FlexConnect mode, connected to the central WLC, which is also a foreign WLC.
    The guest traffic is centrally switched and corporate SSIDs will be locally switched.
    Now our problem is: is it possible to limit the guest bandwidth in each remote office with different values?
    Example:
    Office 1: Guest Bandwidth should be 1000k
    Office 2: Guest Bandwidth should be 2000k
    and so on....
    All APs in remote office 1 will be in FlexConnect Group 1 and the APs in remote office 2 in FlexConnect 2.
    Further I will create AP Groups for each remote office and add the belonging APs to this AP Group.
    Then I will create "local policies" and map the decided policy in AP group to the Guest SSID.
    So my question is; is this supported and does it work?
    I've read the config guide for 8.0 and didn't find anything about FlexConnect and local policies, I mean there are no Restrictions for Local Policy Classification
    Or is there another option available?
    thanks
    Martin

    Thanks for your help Scott. I'm not in full agreement with all you say, but you have helped me figure it out.
    You said the article was related only to 802.1x, but the article states that "802.1X is used in the example, but other mechanisms are equally applicable.".
    The article you linked regarding FlexConnect groups also states that central switching is only valid in "connected mode", i.e., when the WAN is up.
    However, I have found the following, which kind of explains the purpose of a central switched FlexConnect deployment
    http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml#central
    Thanks again.
