Wireless FlexConnect Group

Hi folks,
Due to a Wi-Fi 802.1X implementation, our customer decided to implement CCKM for fast roaming of Cisco 7925 Wi-Fi phones.
At the same time, the customer has a headquarters and about 300 remote sites, all of which implement FlexConnect technology with local switching.
For every site he has a 5508 WLC with ver 7.4, and a 5508 in headquarters as well, acting as a backup WLC for remote sites.
Using FlexConnect and CCKM for remote sites requires FlexConnect Grouping.
From the Release Notes
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#wp1241304
I've noted there are some limits for this configuration that I'd like to have confirmed:
1) 25 APs per FlexConnect group -> true for 5508 WLC?
2) 100 FC Groups for 5508 -> is this still true in ver 7.4 or higher?
Third question:
I'd like to implement PMK/OKC instead of CCKM. How can I do it? I'm missing the configuration in the GUI menus.
Last question: How can I resolve the FlexConnect Group limit in my headquarters, due to the fact that I have more than 100 groups to create? Is it really necessary to add a new 5508? No other way?
Thanks a lot

Hi
Typically FlexConnect design is for a branch wireless where you DO NOT have a local WLC to terminate CAPWAP.
If you have a WLC at branch & still you deploy FlexConnect at that branch then it is a waste of WLC resource.
Here is my feedback for your points
1) Allowing WAN QoS for voice/data Wi-Fi clients. Local switching allows voice packets to follow the same routing and QoS as a wired IP phone. Analogous reason for PC data traffic. And it is more useful when in backup/centralized auth mode. Encapsulating all traffic in the CAPWAP tunnel doesn't allow us to implement QoS.
I understand wireless QoS is tricky to implement & you will never get the same policy for wired/wireless (that's where Unified Access or Converged Access design comes into play; by the way, I am not telling you that you have to go for CA). You need to assess the pros & cons of going for a FlexConnect design & I am not sure QoS by itself justifies going for it.
2) Now 5508s are present at 80 sites, but that could grow. All remaining sites are managed by old 2106 WLCs. For this purpose, in the next plan maybe we'll decide on a centralized WLC. No plan at this moment.
My view is
All sites where you have a WLC - deploy local mode APs with the branch WLC as primary & the HQ WLC as backup.
All sites where you do not have a WLC - deploy FlexConnect local switching mode with central auth, using the HQ WLC.
3) so, what's the limit for FC Group in 5508 WLC?
100 (refer the given Ciscolive presentation)
4) OKC allows PKI AP cache as well as CCKM. But OKC provides fast roaming between different FlexConnect Groups while CCKM does not. For sites with more than 30 APs it should be very useful, especially considering 7925 phones.
When it comes to fast roaming, CCKM is the best if it is CCX clients, otherwise 802.11r, which is an IEEE standard & supported by multivendor clients. OKC is a way vendors implemented fast roaming prior to 802.11r being ratified. So you should not look at OKC over 802.11r or CCKM (if it is for Cisco clients).
I think since you are locked down to this FlexConnect design, you try to overcome the limitations of that design, rather than looking at a high level to see whether "FlexConnect is the best way to go or not". In my view, if it is fast roaming, 802.11r is the way forward (CCKM is a must if you are 100% Cisco clients).
Refer this Ciscolive material for FlexConnect design
BRKEWN-2016 Architecting Network for Branch with Cisco Unified Wireless
Do not forget to rate our responses if that is useful.
HTH
Rasika

Similar Messages

  • List accesspoints flexconnect groups from a WLC

    Hi!
    Is it possible, for all access points that are configured as lightweight from a WLC, to LIST all access points that are not assigned to a FlexConnect group? I would actually love to know if it's possible both from the GUI (Prime / WLC) and the CLI.
    I've tried to figure this one out myself, however I'm stuck. It's not hard to set up groups etc., it's just listing the APs that aren't assigned to a FlexConnect group that I find troublesome.
    Anyone? :)

    Configuring FlexConnect Groups (GUI)
    Step 1 Choose Wireless > FlexConnect Groups to open the FlexConnect Groups page.
    Figure 15-6 FlexConnect Groups Page
    This page lists any FlexConnect groups that have already been created.
    Note If you want to delete an existing group, hover your cursor over the blue drop-down arrow for that group and choose Remove.
    http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#wp1226724

  • Roaming between Flexconnect groups for scaling

    I have a customer that needs flexconnect at each of his 10 locations to access local servers and printers. The customer has a pair of 5508 WLCs running 7.6.130.0.
    While the customer currently has 25 and under AP count per site, they are considering an expansion to 50 - 60 per site.
    We are considering the mobility agent on 3650/3850/4500 switches, but the multi-hop restriction will drive the cost too high.
    What is the downside for defining multiple flexconnect groups per site?
    The customer is also considering Unified Communications. For example, would the voice RTP stream on a wireless IP phone roaming between APs on different flexconnect groups appear to be seamless?

    If you plan on utilizing any real-time applications such as voice, you would not want these devices to be roaming between FlexConnect Groups.  There will be a full re-authentication of the client; with the exception of OKC capable machines, which "may" roam more cleanly.  This means some standard data clients may perform a fast roam, or at least not notice much of a hiccup even with a full re-auth. 
    In either scenario, you would want to make sure this is NOT a L3 mobility roam (ie. FlexConnect WLAN/VLAN mapping to different networks).  This will cause major problems for all your clients as they will most likely end up talking on the new VLAN with their old IP address.
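    Mobility / Roaming Scenarios

    | WLAN Configuration                    | Local Switching: CCKM | Local Switching: PMK (OKC) | Local Switching: Others | Central Switching: CCKM | Central Switching: PMK (OKC) | Central Switching: Others |
    |---------------------------------------|-----------------------|----------------------------|-------------------------|-------------------------|------------------------------|---------------------------|
    | Mobility Between Same Flex Group      | Fast Roam(1)          | Fast Roam(1)               | Full Auth(1)            | Fast Roam               | Fast Roam                    | Full Auth                 |
    | Mobility Between Different Flex Group | Full Auth(1)          | Fast Roam(1)               | Full Auth(1)            | Full Auth               | Fast Roam                    | Full Auth                 |
    | Inter Controller Mobility             | N/A                   | N/A                        | N/A                     | Full Auth               | Fast Roam                    | Full Auth                 |

    (1) Provided WLAN is mapped to the same VLAN (same subnet).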

  • What is the advantages of using Flexconnect groups

    What are the advantages of using FlexConnect groups in WLC?
    Reg,
    Ezra.

    Pls refer this document for more detail about these features
    http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html#wp1091114
    FlexConnect is one mode an AP can operate in, typically deployed in a branch setup where you do not have a controller at the branch site. Those APs can register to a controller at your HQ or main site. So traffic will terminate at your branch switch instead of being tunneled back to the HQ WLC.
    If you want roaming within your branch FlexConnect APs, then you have to put those APs into a FlexConnect Group. Only then is key information shared among those APs to facilitate fast roaming.
    Pls do not forget to rate our responses if you find them useful.
    HTH
    Rasika

  • ISE AuthZ policy based on FlexConnect Group

    Hi all,
    I understand that it is possible to have the WLC send different NAS-ID attributes to the Cisco ISE so that I can create specific AuthZ policies based on that NAS-ID attribute.
    The only thing is that I cannot see anywhere in the FlexConnect AP Group config that allows me to choose the format for the RADIUS request. I can only see it when adding a RADIUS server in Global Configuration.
    So how can I define the attribute that is sent to the ISE?
    Thanks
    Mario

    I don't remember there being a NAS-ID attribute for FlexConnect groups. There is one for AP Group and WLAN.

  • Flexconnect - Number of AP pr. Flexconnect Group ?

    Hi All
    I was searching for this question.
    How many APs can you put into a single Flexconnect Group ?
    I know that this varies by platform and software release, but I cannot find the numbers anywhere.
    In the release notes it is only mentioned that the number of groups has increased (7.2).
    In the configuration guide (7.2), it only says how many APs you can join to a group on the 7500, not any of the other platforms.
    Is there a "FlexConnect Feature Matrix" like page where this information is available ?

    From the 8.0 Configuration guide :
    The number of FlexConnect groups and access point support depends on the platform that you are using. You can configure the following:
    Up to 100 FlexConnect groups and 25 access points per group for a Cisco 5500 Series Controller.
    Up to 1000 FlexConnect groups and 50 access points per group for a Cisco Flex 7500 Series Controller in the 7.2 release.
    Up to 2000 FlexConnect groups and 100 access points per group for Cisco Flex 7500 and Cisco 8500 Series Controllers in the 7.3 release.
    Up to 20 FlexConnect groups and up to 25 access points per group for the remaining platforms
    No mention of WiSM2 or 2504 (but I guess that those numbers are the same as 5508 since they share software).
    The vWLCs numbers are : Supports up to 200 Cisco FlexConnect groups and 100 access points in each FlexConnect group. <- Taken from the vWLC datasheet.

  • FlexConnect Groups

    I have several 2602 APs that I want to operate in FlexConnect mode. The WLC is at a central HQ and the APs are remote. There are central RADIUS servers at the HQ for the WLANs. At the remote location, there is a local RADIUS server we want to use as the primary RADIUS server for these APs. This RADIUS server has been added to the WLC. I have set up a FlexConnect Group, designated the primary and secondary servers, and then added the APs to the group. It does not look like RADIUS requests are being sent to the local controller.
    For this to work, do we have to check the box under the wlan for FlexConnect Local Auth?  Currently, we only have FlexConnect local switching selected.

    Sorry I have not got back on this.
    Can someone please confirm if intermittent high latency from the central location where the WLC is located to the remote site where the FlexConnect APs are located could cause intermittent issues with client connectivity? I am noticing that at some of our remote sites that are on a 3MB MPLS network, some clients have issues where they cannot access the network. From the WLC, it appears that the client is authenticated and associated, but they are not getting an IP address. I have a debug client from when this was happening. I have attached it below. Thank you for all of the great input and feedback.
    I did notice that while I was troubleshooting, this location was experiencing higher latency than normal, around 300 to 500ms.
    *apfMsConnTask_5: Apr 15 15:21:19.561: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 Association received from mobile on AP 08:cc:68:0a:55:c0
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 Global 200 Clients are allowed to AP radio
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 Max Client Trap Threshold: 0 cur: 5
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 177
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 Re-applying interface policy for client
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 172.29.72.15 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1851)
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 172.29.72.15 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
    *apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 In processSsidIE:3937 setting Central switched to FALSE
    *apfMsConnTask_3: Apr 15 15:21:26.094: 24:77:03:16:ce:48 Applying site-specific Local Bridging override for station 24:77:03:16:ce:48 - vapId 1, site 'WPA-LEAP-Remote-1', interface 'remote_wpa_1'
    *apfMsConnTask_3: Apr 15 15:21:26.094: 24:77:03:16:ce:48 Applying Local Bridging Interface Policy for station 24:77:03:16:ce:48 - vlan 177, interface id 17, interface 'remote_wpa_1'
    *apfMsConnTask_3: Apr 15 15:21:26.094: 24:77:03:16:ce:48 Applying site-specific override for station 24:77:03:16:ce:48 - vapId 1, site 'WPA-LEAP-Remote-1', interface 'remote_wpa_1'
    *apfMsConnTask_3: Apr 15 15:21:26.094: 24:77:03:16:ce:48 Applying Interface policy on Mobile, role Local. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 180
    *apfMsConnTask_3: Apr 15 15:21:26.094: 24:77:03:16:ce:48 Re-applying interface policy for client
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 172.29.72.15 RUN (20) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1851)
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 172.29.72.15 RUN (20) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2018)
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 processSsidIE statusCode is 0 and status is 0
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 processSsidIE ssid_done_flag is 0 finish_flag is 0
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 STA - rates (8): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 suppRates statusCode is 0 and gotSuppRatesElement is 1
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 extSuppRates statusCode is 0 and gotExtSuppRatesElement is 1
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 Processing RSN IE type 48, length 22 for mobile 24:77:03:16:ce:48
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 Received RSN IE with 0 PMKIDs from mobile 24:77:03:16:ce:48
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 Found an cache entry for BSSID 70:10:5c:e6:4a:10 in PMKID cache at index 0 of station 24:77:03:16:ce:48
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 Removing BSSID 70:10:5c:e6:4a:10 from PMKID cache of station 24:77:03:16:ce:48
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 Resetting MSCB PMK Cache Entry 0 for station 24:77:03:16:ce:48
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 Setting active key cache index 0 ---> 8
    *apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 unsetting PmkIdValidatedByAp
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 pemApfDeleteMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 172.29.72.15 RUN (20) Deleted mobile LWAPP rule on AP [70:10:5c:e6:4a:10]
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 Updated location for station old AP 70:10:5c:e6:4a:10-0, new AP 08:cc:68:0a:55:c0-0
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 apfMsRunStateDec
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 apfMs1xStateDec
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 172.29.72.15 RUN (20) Change state to START (0) last state RUN (20)
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 pemApfAddMobileStation2: APF_MS_PEM_WAIT_L2_AUTH_COMPLETE = 0.
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 172.29.72.15 START (0) Initializing policy
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 172.29.72.15 START (0) Change state to AUTHCHECK (2) last state START (0)
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 172.29.72.15 AUTHCHECK (2) Change state to 8021X_REQD (3) last state AUTHCHECK (2)
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 172.29.72.15 8021X_REQD (3) DHCP required on AP 08:cc:68:0a:55:c0 vapId 1 apVapId 1for this client
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 172.29.72.15 8021X_REQD (3) Plumbed mobile LWAPP rule on AP 08:cc:68:0a:55:c0 vapId 1 apVapId 1 flex-acl-name:
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 apfPemAddUser2 (apf_policy.c:273) Changing state for mobile 24:77:03:16:ce:48 on AP 08:cc:68:0a:55:c0 from Associated to Associated
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 Stopping deletion of Mobile Station: (callerId: 48)
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 Func: apfPemAddUser2, Ms Timeout = 0, Session Timeout = 0
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 Sending Assoc Response to station on BSSID 08:cc:68:0a:55:c0 (status 0) ApVapId 1 Slot 0
    *apfMsConnTask_3: Apr 15 15:21:26.096: 24:77:03:16:ce:48 apfProcessAssocReq (apf_80211.c:6719) Changing state for mobile 24:77:03:16:ce:48 on AP 08:cc:68:0a:55:c0 from Associated to Associated
    *apfMsConnTask_3: Apr 15 15:21:26.145: 24:77:03:16:ce:48 Updating AID for REAP AP Client 08:cc:68:0a:55:c0 - AID ===> 3
    *dot1xMsgTask: Apr 15 15:21:26.146: 24:77:03:16:ce:48 Disable re-auth, use PMK lifetime.
    *dot1xMsgTask: Apr 15 15:21:26.146: 24:77:03:16:ce:48 dot1x - moving mobile 24:77:03:16:ce:48 into Connecting state
    *dot1xMsgTask: Apr 15 15:21:26.146: 24:77:03:16:ce:48 Sending EAP-Request/Identity to mobile 24:77:03:16:ce:48 (EAP Id 1)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.260: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.260: 24:77:03:16:ce:48 Received Identity Response (count=1) from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.260: 24:77:03:16:ce:48 EAP State update from Connecting to Authenticating for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.260: 24:77:03:16:ce:48 dot1x - moving mobile 24:77:03:16:ce:48 into Authenticating state
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.260: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.265: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.265: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=2) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.265: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 2)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.404: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.404: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 2, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.404: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.405: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.405: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=3) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.405: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 3)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.464: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.464: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 3, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.464: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.465: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.465: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=4) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.465: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 4)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.532: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.532: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 4, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.532: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.533: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.533: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=5) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.533: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 5)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.590: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.590: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 5, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.590: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.591: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.592: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=6) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.592: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 6)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.687: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.687: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 6, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.687: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.689: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.689: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=7) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.689: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 7)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.737: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.737: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 7, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.737: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.738: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.738: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=8) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.739: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 8)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.802: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.802: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 8, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.802: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.813: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.813: 24:77:03:16:ce:48 Entering Backend Auth Req state (id=9) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.813: 24:77:03:16:ce:48 Sending EAP Request from AAA to mobile 24:77:03:16:ce:48 (EAP Id 9)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.876: 24:77:03:16:ce:48 Received EAPOL EAPPKT from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.876: 24:77:03:16:ce:48 Received EAP Response from mobile 24:77:03:16:ce:48 (EAP Id 9, EAP Type 13)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.876: 24:77:03:16:ce:48 Entering Backend Auth Response state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.877: 24:77:03:16:ce:48 Processing Access-Accept for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.877: 24:77:03:16:ce:48 Resetting web IPv4 acl from 255 to 255
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.877: 24:77:03:16:ce:48 Resetting web IPv4 Flex acl from 65535 to 65535
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.877: 24:77:03:16:ce:48 Setting re-auth timeout to 1800 seconds, got from WLAN config.
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.877: 24:77:03:16:ce:48 Station 24:77:03:16:ce:48 setting dot1x reauth timeout = 1800
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.877: 24:77:03:16:ce:48 Creating a PKC PMKID Cache entry for station 24:77:03:16:ce:48 (RSN 2)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Resetting MSCB PMK Cache Entry 0 for station 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Setting active key cache index 8 ---> 8
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Setting active key cache index 8 ---> 0
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Adding BSSID 08:cc:68:0a:55:c0 to PMKID cache at index 0 for station 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: New PMKID: (16)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: [0000] 00 b9 ff 20 8f eb 43 b2 6f 20 50 a1 29 99 85 a3
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Disabling re-auth since PMK lifetime can take care of same.
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 unsetting PmkIdValidatedByAp
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 PMK sent to mobility group
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Sending EAP-Success to mobile 24:77:03:16:ce:48 (EAP Id 9)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Found an cache entry for BSSID 08:cc:68:0a:55:c0 in PMKID cache at index 0 of station 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Found an cache entry for BSSID 08:cc:68:0a:55:c0 in PMKID cache at index 0 of station 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: Including PMKID in M1 (16)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: [0000] 00 b9 ff 20 8f eb 43 b2 6f 20 50 a1 29 99 85 a3
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Starting key exchange to mobile 24:77:03:16:ce:48, data packets will be dropped
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Sending EAPOL-Key Message to mobile 24:77:03:16:ce:48
    state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.878: 24:77:03:16:ce:48 Entering Backend Auth Success state (id=9) for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.879: 24:77:03:16:ce:48 Received Auth Success while in Authenticating state for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.879: 24:77:03:16:ce:48 dot1x - moving mobile 24:77:03:16:ce:48 into Authenticated state
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.937: 24:77:03:16:ce:48 Received EAPOL-Key from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.937: 24:77:03:16:ce:48 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.937: 24:77:03:16:ce:48 Received EAPOL-key in PTK_START state (message 2) from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.937: 24:77:03:16:ce:48 PMK: Sending cache add
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.937: 24:77:03:16:ce:48 Stopping retransmission timer for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.937: 24:77:03:16:ce:48 Sending EAPOL-Key Message to mobile 24:77:03:16:ce:48
    state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 Received EAPOL-Key from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 Ignoring invalid EAPOL version (1) in EAPOL-key message from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 Stopping retransmission timer for mobile 24:77:03:16:ce:48
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 apfMs1xStateInc
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 172.29.72.15 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state 8021X_REQD (3)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 172.29.72.15 L2AUTHCOMPLETE (4) DHCP required on AP 08:cc:68:0a:55:c0 vapId 1 apVapId 1for this client
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 Not Using WMM Compliance code qosCap 00
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 172.29.72.15 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:cc:68:0a:55:c0 vapId 1 apVapId 1 flex-acl-name:
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 apfMsRunStateInc
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 172.29.72.15 L2AUTHCOMPLETE (4) Change state to RUN (20) last state L2AUTHCOMPLETE (4)
    *Dot1x_NW_MsgTask_0: Apr 15 15:21:26.989: 24:77:03:16:ce:48 172.29.72.15 RUN (20) Reached PLUMBFASTPATH: from line 5982
    *apfMsConnTask_1: Apr 15 15:21:30.000: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_7: Apr 15 15:22:28.508: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_0: Apr 15 15:22:52.690: Association request from the P2P Client Process P2P Ie and Upadte CB
    *apfMsConnTask_5: Apr 15 15:23:00.276: Association request from the P2P Client Process P2P Ie and Upadte CB
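
Added example (not part of the original post and not Cisco tooling): a small Python parser for `debug client` output in the format shown above. It reports, per association, whether the client went through a full 802.1X exchange or reused a cached key, and how long it took to reach RUN. The function names, the second sample log and the rule "RUN without a RADIUS Access-Accept means cached key" are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample 1: eight lines abridged from the debug output in the post above.
FULL_AUTH_LOG = """\
*apfMsConnTask_3: Apr 15 15:21:26.093: 24:77:03:16:ce:48 Association received from mobile on AP 08:cc:68:0a:55:c0
*apfMsConnTask_3: Apr 15 15:21:26.095: 24:77:03:16:ce:48 Received RSN IE with 0 PMKIDs from mobile 24:77:03:16:ce:48
*dot1xMsgTask: Apr 15 15:21:26.146: 24:77:03:16:ce:48 Sending EAP-Request/Identity to mobile 24:77:03:16:ce:48 (EAP Id 1)
*Dot1x_NW_MsgTask_0: Apr 15 15:21:26.265: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
*Dot1x_NW_MsgTask_0: Apr 15 15:21:26.405: 24:77:03:16:ce:48 Processing Access-Challenge for mobile 24:77:03:16:ce:48
*Dot1x_NW_MsgTask_0: Apr 15 15:21:26.877: 24:77:03:16:ce:48 Processing Access-Accept for mobile 24:77:03:16:ce:48
*Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 24:77:03:16:ce:48
*Dot1x_NW_MsgTask_0: Apr 15 15:21:26.987: 24:77:03:16:ce:48 172.29.72.15 L2AUTHCOMPLETE (4) Change state to RUN (20) last state L2AUTHCOMPLETE (4)
"""

# Constructed sample 2: hypothetical lines in the same format (made-up MAC and
# documentation IP) for a roam where the client offers a cached PMKID.
CACHED_KEY_LOG = """\
*apfMsConnTask_3: Apr 15 15:30:00.100: aa:bb:cc:00:00:01 Association received from mobile on AP 08:cc:68:0a:55:c0
*apfMsConnTask_3: Apr 15 15:30:00.101: aa:bb:cc:00:00:01 Received RSN IE with 1 PMKIDs from mobile aa:bb:cc:00:00:01
*Dot1x_NW_MsgTask_0: Apr 15 15:30:00.140: aa:bb:cc:00:00:01 Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile aa:bb:cc:00:00:01
*Dot1x_NW_MsgTask_0: Apr 15 15:30:00.141: aa:bb:cc:00:00:01 192.0.2.10 L2AUTHCOMPLETE (4) Change state to RUN (20) last state L2AUTHCOMPLETE (4)
"""

# "*task: Mon DD HH:MM:SS.mmm: <client MAC> <message>"
LINE = re.compile(
    r"^\*[^:]+: (?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d+): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$", re.I)
PMKIDS = re.compile(r"Received RSN IE with (\d+) PMKIDs")


def _ts(text):
    # The WLC timestamp carries no year; a fixed placeholder year keeps strptime exact.
    return datetime.strptime("2000 " + text, "%Y %b %d %H:%M:%S.%f")


def _close(a):
    """Turn the raw counters of one association attempt into a summary dict."""
    if a["run"] is None:
        kind = "incomplete"          # never reached RUN in the captured log
    elif a["access_accept"]:
        kind = "full_802.1x"         # RADIUS round trips happened on this roam
    else:
        kind = "cached_key"          # assumption: RUN without Access-Accept
    ms = None
    if a["run"] is not None:
        ms = (a["run"] - a["start"]) // timedelta(milliseconds=1)
    return {"mac": a["mac"], "ap": a["ap"], "kind": kind,
            "pmkids_offered": a["pmkids"],
            "access_challenges": a["challenges"], "ms_to_run": ms}


def summarize_roams(log_text):
    """Return one summary per 'Association received' event, in completion order."""
    open_attempts, done = {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                 # continuation lines and lines without a MAC
        mac, msg, when = m["mac"].lower(), m["msg"], _ts(m["ts"])
        if "Association received from mobile" in msg:
            if mac in open_attempts:  # previous attempt never reached RUN
                done.append(_close(open_attempts.pop(mac)))
            open_attempts[mac] = {"mac": mac, "ap": msg.rsplit(" ", 1)[-1],
                                  "start": when, "run": None, "pmkids": None,
                                  "challenges": 0, "access_accept": False}
            continue
        a = open_attempts.get(mac)
        if a is None:
            continue
        offered = PMKIDS.search(msg)
        if offered:
            a["pmkids"] = int(offered.group(1))
        elif "Processing Access-Challenge" in msg:
            a["challenges"] += 1
        elif "Processing Access-Accept" in msg:
            a["access_accept"] = True
        elif "Change state to RUN (20)" in msg:
            a["run"] = when
            done.append(_close(open_attempts.pop(mac)))
    done.extend(_close(a) for a in open_attempts.values())
    return done


if __name__ == "__main__":
    for roam in summarize_roams(FULL_AUTH_LOG + CACHED_KEY_LOG):
        print(roam)
```

Run against a full capture, the time to RUN for each `full_802.1x` entry shows how much of a roam is spent on RADIUS round trips over the WAN.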

  • Clients can't connect to AP in flexconnect group

    We are converting a large number of APs from autonomous to lightweight and will be using FlexConnect groups on a 7510. The FlexConnect groups also have FlexConnect ACLs which we are using for redirecting NAC & posture traffic. We have tried pre-staging the AP MACs into the FlexConnect groups using the command "config flexconnect group_name ap add ap_mac". We then convert the AP to unified mode and it joins the WLC. That all appears to work fine. We see the AP on the WLC and in the FlexConnect group. It says Joined in the FlexConnect group.
    The issue we have is that clients cannot connect.  The client status will say 'POSTURE_REQD'.   The only solution we found was to remove the AP from the flexconnect group and then re-add it back.  After that, it works fine.  Anyone have any suggestions or insight?

  • Flexconnect Group Name - SNMP OID/MIB

    Hi,
    Does anyone happen to know if an SNMP MIB/OID exists for the Flexconnect configuration on a WLC?  Specifically I'm looking to return the name of the Flexconnect Group that a particular AP is a member of.  I've accomplished this for the AP group, but I can't find a way to return the Flexconnect Group name.
    Appreciate any pointers,
    Thanks
    Peter Moorey.

    Hi,
    Thank you for taking the time to reply.  I found that OID during my research, for some reason it's 'Not Accessible' according to the Cisco documentation.  I don't know why that is the case, but when I issue an SNMP walk it doesn't work, backing up the statement Cisco published online.
    http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.517.1.3.1.1.1#oidContent 
    Pete.

  • Wireless Mobility Groups - Concerns...

    Hi,
    I recently set up two wireless controllers (2000 series) with a total of 7 access points. The first controller was already running with a total of 5 APs. I fired up the second controller, got everything configured and added one access point to it. Everything was running fine yesterday; I had a few clients on the new controller and the rest on the old one. When I got in this morning and checked out the new controller, I saw that all of the access points had moved over to the new controller, and by extension all of the clients. The old controller now has nothing on it as far as APs or clients. Is this supposed to happen? I didn't know mobility groups shifted over APs as well. My only concern is that I have one more AP to set up, which will make seven, and the 2000 only supports 6 APs. When I fire it up, will one of the APs move back to its original controller? Any input is appreciated. Thank you.

    Hi Tate,
    Have a look at this info which may help;
    AP Fail-over Between Different Mobility Groups
    From this good Troubleshooting doc;
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a00806c9e51.shtml#APfail
    Hope this helps!
    Rob

  • Mobility Wireless Domain GROUP

    Hi Everybody,
    I need some of your comments and explanation regarding the configuration of a Mobility Group on the Wireless Unified Architecture.
    I have two WLCs, both running version 7.0.116.0. I want to deploy unified wireless on the 2 sites, and the sites are on different networks separated by a router.
    I want to know if I can set up a Mobility Domain Group to have a common wireless environment where my clients can have different DHCP IPs, but the same SSID on both sites, and permit roaming?
    Below is a poor design of what I expected, just to give you a quick idea.
    Thank you in advance

    Hey,
    Q: I want to know if I can set up a Mobility Domain Group to have a common wireless environment where my clients can have different DHCP IPs, but the same SSID on both sites, and permit roaming?
    A: Indeed you can.
    You can add each controller to the controller mobility group; for the different IPs, the two controllers will do Layer 3 roaming.
    In this case you have WLC1 -> AP1 -> VLAN1   <--> Client
    This client is connected to the SSID and has a VLAN1 IP address.
    Now this client has moved to AP2 -> WLC2 -> VLAN 2 (same SSID).
    WLC1 will become the anchor and WLC2 will become the foreign. The client entry will remain active in both controllers, and the client IP will be from VLAN1.
    This means that the traffic will be sent between the two controllers inside the EoIP mobility tunnel and the client has smooth roaming.
    Cheers,
    Nour

  • Cisco Wireless Discussion Group

    Dear all,
    I would like to invite you into the professional LinkedIn group, where you can find professionals to discuss on real life operations. Wireless systems in real world, tips, knowledge, discussions, news and work opportunities also.
    The group is available on address http://www.linkedin.com/groups/Cisco-Wireless-101641?trk=myg_ugrp_ovr.
    The group is OPEN, but still controlled - your request for joining is waiting for approval. Approval period is up to 24 hours (normally faster).
    Let's meet there!
    Best regards, Kamil Brzak - Cisco Wireless Group owner

    Yes, it is compatible. Make sure AP came with lightweight image & your 2504 is having software code anything above 7.4.100.0
    http://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html
    If this AP is WLC managed, you do not require to do any config on AP, all config doing via WLC.
    Have you configured your 2504 properly ? If so you simply want to put your AP on same vlan as 2504 management vlan, then AP will find WLC via L3 broadcast & it will register to WLC. 
    Here is the 2504 Deployment guide that should help you
    http://www.cisco.com/c/en/us/support/docs/wireless/2500-series-wireless-controllers/113034-2500-deploy-guide-00.html
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Flexconnect ACLs

    Hi,
    Has anyone gotten Flexconnect ACLs to work properly in 8.x? Here's my test setup:
    One 3700 AP, in flexconnect mode, Part of an AP group that is only broadcasting one test SSID.
    Primary goal of getting this flexconnect AP to drop users on different VLANs based on RADIUS parameters was successful (though I couldn't ever drop anyone on VLAN 1, no matter what the native vlan for the AP was).
    In order for the AP to know the VLANs I had to create a Flexconnect Group and create "AAA VLAN ACL MAPPING"s for all the VLANs I wanted the AP to know about. As mentioned, that part worked fine.
    Next I created a very simple Flexconnect ACL to block any traffic to 8.8.4.4. I applied it to one of the VLANs on the same tab (Wireless>FlexConnect Groups>ACL Mapping>AAA VLAN-ACL mapping). I tried all sorts of combinations of applying the ACL to ingress or egress, disassociating the client, moving client to a different vlan and back etc. I got it working once, on one of the VLANs, but couldn't repeat it. It might have been after removing the AP from the FlexConnect group and putting it back.
    The only result all this had is that I lost web access to the WLC suddenly. As far as I can tell, the WLC ended up rebooting itself and the HA unit took over. A bit scary.
    How are Flexconnect ACLs supposed to work, do they get applied the moment you apply them to the ingress /egress of the VLAN? Does the client have to disassociate and re-associate? Does something else have to happen to trigger the ACLs being applied? 
    From what I could tell in the Flexconnect ACL Debug, all the changes were being pushed to the AP as I made them. However, at one point when checking the VLAN Mappings on the AP, the vlans with ACLs in the Flexconnect group, showed no ACLs on the AP. Another time the VLANs that had the ACLs applied were no longer there at all.
    As I'm writing this, I noticed that I can now crash the WLC, just by clicking the VLAN mappings on that AP....  

    After two failovers that seemed to be triggered by me making changes in the Flexconnect Group config, one controller hung up completely (no response anywhere including console). I had to power cycle it.
    After that, the flexconnect ACLs seemed to work just as expected. Changes in the ACLs would immediately reflect on the client connected to the AP without having to re-associate the client (something that definitely wasn't working before).

  • EAP-FAST - WLC 7.4 Roaming between different FlexConnect (FC) Group

    Dear all,
    WLC 7.4 Release Notes states that with both Local/Central Switching:
    - Mobility in the same Flex Group with CCKM is Fast Roaming if WLAN is mapped to same VLAN
    - Mobility between different Flex Groups with CCKM causes a Full Auth
    Using CCKM with EAP-FAST during a call with Cisco IP Phone 7921G and 7925G, we notice a gap when roaming from an AP belonging to FC Group A to an AP belonging to FC Group B... so the only solution to do Fast Roaming is to use PMK (OKC), since CCKM will do a complete authentication each time moving from FC Group.
    Where do we enable OKC for a specific WLAN? In the FlexConnect Group Menu?
    Thanks a lot for sharing answer and suggestion
    BR
    O.G.

    Hello Scott,
    thanks for the explanation...
    So if in 7.4.121 OKC is enabled by default, I don't understand why I'm having a full authentication when roaming from an AP of FC Group A to an AP of FC Group B instead of Fast Roaming... and this is happening in all FC Groups configured (6x).
    Should I disable CCKM flag in the WLAN definition?!?!
    FC Groups and Mobility
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc13
    O.G
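
The OKC mechanism asked about in this thread, as an added example (not code from the posters or from Cisco): the client derives a PMKID for the new AP from its existing PMK, and roaming is fast only if the infrastructure behind that AP holds the same PMK. Treating each FlexConnect group as its own key cache is a modelling assumption for illustration, and all MAC addresses and the PMK are constructed values.

```python
import hashlib
import hmac

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def pmkid(pmk: bytes, bssid: str, client: str) -> bytes:
    """IEEE 802.11i: PMKID = first 128 bits of HMAC-SHA1(PMK, "PMK Name" || AA || SPA)."""
    data = b"PMK Name" + mac_bytes(bssid) + mac_bytes(client)
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]

class GroupKeyCache:
    """Hypothetical model: one PMK cache shared by the APs of a single group."""

    def __init__(self, bssids):
        self.bssids = set(bssids)
        self.pmk_by_client = {}

    def full_auth(self, client: str, pmk: bytes) -> None:
        # After a complete 802.1X/EAP exchange the PMK is cached for the group.
        self.pmk_by_client[client] = pmk

    def reassociate(self, bssid: str, client: str, offered: bytes) -> str:
        pmk = self.pmk_by_client.get(client)
        if bssid not in self.bssids or pmk is None:
            return "full-auth"  # no cached key for this client behind this AP
        expected = pmkid(pmk, bssid, client)
        return "fast" if hmac.compare_digest(expected, offered) else "full-auth"

def demo():
    # Constructed sample values (not from the thread).
    client = "02:00:00:00:00:99"
    ap_a1, ap_a2, ap_b1 = "02:00:00:00:0a:01", "02:00:00:00:0a:02", "02:00:00:00:0b:01"
    pmk = bytes(range(32))  # stands in for the 256-bit PMK produced by EAP
    group_a, group_b = GroupKeyCache([ap_a1, ap_a2]), GroupKeyCache([ap_b1])
    group_a.full_auth(client, pmk)
    return {
        "same group": group_a.reassociate(ap_a2, client, pmkid(pmk, ap_a2, client)),
        "stale PMKID": group_a.reassociate(ap_a2, client, pmkid(pmk, ap_a1, client)),
        "other group": group_b.reassociate(ap_b1, client, pmkid(pmk, ap_b1, client)),
    }

if __name__ == "__main__":
    for roam, result in demo().items():
        print(f"{roam}: {result}")
```

The "stale PMKID" case shows that the PMKID is bound to the target BSSID, so a value computed for the previous AP does not validate on the next one.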

  • FlexConnect & Interface Groups

    I have a WLC 5508 running 7.4.121.0 where several sites have APs in FlexConnect mode.
    For those sites I also have interface groups (this is just an example; I have more than one group)
    Site 1 - Group 1 - vlan 110 (faculty) and vlan 112 (students)
    Site 2 - Group 2 - vlan 210 (faculty) and vlan 212 (students)
    Under WLAN -> Advanced -> AP Groups
    I select Site 1 Group Name and add a new WLAN SSID to Interface/Interface Group mapping.
    When I go to Wireless and select a FlexConnect AP from Site 1 and then go to the FlexConnect Tab -> VLAN Mappings, the VLAN ID is wrong (neither 110 nor 112). I can of course manually change it to 110, but then any clients on vlan 112 on that SSID can't connect to the network.
    Is there a way to specify a VLAN ID when using an Interface group and FlexConnect?

    Have you configured local switching, and do you use AAA override to assign the VLAN for faculty and students? Otherwise, can you give some more information about the configuration?
    With local switching and VLAN AAA override you need to create sub-interfaces on the APs. You can do this in the FlexConnect group (one per site). Then go to VLAN-ACL mapping and add the VLANs you need on this site.
