New Member

Question about Vlan Pooling and Interface grouping.

I was reading this document about vlan pooling and interface group; http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml

However, if I'm already using a single SSID for multiple types of devices and assigning those devices to a particular interface dynamically by a radius server, can I throw an interface group in there instead?  I have some vlans that have 700+ devices in them and would love to split them up, but how do I do that with a radius server involved and using this method?

Thanks,

Raun

Hall of Fame Super Silver

Re: Question about Vlan Pooling and Interface grouping.

You can still use vlan pooling/interface groups with radius. Since your WLAN has AAA override and you are defining what vlan a user should be put on, those users will still be placed on the subnet you specify on the radius attribute.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: Question about Vlan Pooling and Interface grouping.

Scott,

I guess what I'm asking is if there is a way to assign the interface group via radius.  Say I have a single SSID with multiple device types connecting to it, thereby I group them via radius and my eap authentication.  However, forever a specific device I want to keep segregated and I have about 700 to 1000 of and to minimize the subnet size, could I assign a group interface to that device's group in radius?  To me, this would be the best of both worlds.

I'm assuming the answer is no considering I don't see an attribute for it, but curious of a work around.

Hall of Fame Super Silver

Re: Question about Vlan Pooling and Interface grouping.

No you can't. Radius attribute only specifies the vlan id not a wlc interface or interface group.

-Scott
New Member

Re: Question about Vlan Pooling and Interface grouping.

Scott, just to give you an update for your tool box.  My ACS 4.2.15 patch 8 version has interface name as an attribute so I was wondering if it would work.  I found this document: 

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml

which shows it to be a feature set of 7.2 to specify the interface group name in this attribute.  Partially tested this last night at the house and it did assign me to an interface specified in the group.  Unfortunately,  my other wireless device decided to be a pita so I could not test the round robin portion fully.  I'll work on that tomorrow.

Hall of Fame Super Silver

Re: Question about Vlan Pooling and Interface grouping.

If the attribute passes the Airespace attribute that might work. One way of seeing if the attribute is being passed is the radius pass logs. Now ACS 4.x doesn't have the best logging compared to ACS 5.x or ISE. In 7.2 the algorithm will keep the mac address on the same interface unless the interface is tagged as dirty.

-Scott
Hall of Fame Super Silver

Re: Question about Vlan Pooling and Interface grouping.

Here is a screen shot for ACS 5.3, I know the other Airespace attributes work, but have not yet tested the interface attribute.

-Scott
New Member

Re: Question about Vlan Pooling and Interface grouping.

An update on this.

Started testing with an interface group: ivpump that contained 3 vlans I had previously built with no clients on them.  I set their range in dhcp down to 2 ip's per vlan to test with.  In ACS, I added the group name of ivpump to the attribute:

[14179\005] Aire-Interface-Name  and proceeded to test with 3 laptops and an iPad.   The first two laptops, both HPs with Intel 6205 cards, connected without issue to this PEAP + MAC Filtering network without issue and received an IP address off of the 2nd interface in the group.  This meant that the DHCP pool was full for that group, which should allow the next client to receive an IP from a different vlan interface inside the group.  The next device that I tried to attach was a Toshiba Toughbook with an Intel 6205 card and though it authenticated, it would not get an IP address even if forced to release and renew (Windows 7); however, the iPad 2 device was able to connect and received an IP address from Interface 1 in the group right away without issue.  Will review debugs after lunch.
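
Whether the `[14179\005] Aire-Interface-Name` value actually reaches the controller, which an earlier reply suggests checking in the RADIUS pass logs, can also be confirmed by decoding the Access-Accept itself. The following Python code is an added example, not part of the original thread or any Cisco tool; the function names and the sample packet are assumptions made for illustration, and the sample's authenticator is zeroed rather than computed.

```python
import struct

AIRESPACE_VENDOR_ID = 14179   # vendor number from the post's "[14179\005]" label
AIRE_INTERFACE_NAME = 5       # vendor attribute number from the same label
VENDOR_SPECIFIC = 26          # RADIUS Vendor-Specific attribute type (RFC 2865)
ACCESS_ACCEPT = 2             # RADIUS packet code for Access-Accept

def build_vsa(vendor_id, vtype, value):  # one VSA holding one vendor sub-attribute
    sub = bytes([vtype, 2 + len(value)]) + value
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack("!I", vendor_id) + sub

def build_packet(code, ident, attrs):  # constructed test packet, zeroed authenticator
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def parse_attributes(packet):
    """Return [(type, value), ...]; raise ValueError on inconsistent lengths."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if length < 20 or length > len(packet):
        raise ValueError("header missing or length field does not match the data")
    attrs, pos = [], 20
    while pos < length:
        alen = packet[pos + 1] if pos + 2 <= length else 0  # 0 forces the error below
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length runs past the packet")
        attrs.append((packet[pos], packet[pos + 2:pos + alen]))
        pos += alen
    return attrs

def airespace_interface_name(packet):
    """Return the Aire-Interface-Name carried in an Access-Accept, else None."""
    attrs = parse_attributes(packet)
    if packet[0] != ACCESS_ACCEPT:
        return None
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != AIRESPACE_VENDOR_ID:
            continue
        sub = value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            if sub[0] == AIRE_INTERFACE_NAME:
                return sub[2:sub[1]].decode("ascii", "replace")
            sub = sub[sub[1]:]
    return None

# Constructed sample: "ivpump" is the interface group name used in the thread.
SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, 7, [
    bytes([25, 8]) + b"sample",  # Class attribute with a made-up value
    build_vsa(AIRESPACE_VENDOR_ID, AIRE_INTERFACE_NAME, b"ivpump")])
```

A `None` result for a client that should have been steered into the group means the accept carried no Airespace interface attribute, so the WLAN's default interface applies.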

New Member

Question about Vlan Pooling and Interface grouping.

Being this is my first experience with this feature, I didn't expect this, but after I came back from lunch I found the laptop device had received an IP from a different interface.  Throwing debug client and starting over, I saw where the device attempted to get an IP several times and it would not from the initial interface offering due to the scope being full (expected); however, the amount of time it took for the wlc to determine the interface was 'dirty' before pushing the client (Windows 7) to another interface took so long that initially the client went to a link local/self address '169.254.0.0/16' address.  Has anyone found a way as of yet to tweak this 'dirty time out' period?

Hall of Fame Super Silver

Re: Question about Vlan Pooling and Interface grouping.

I saw a post seeing if this dirty algorithm can be tweaked and the answer was no. You might want to talk to your local Cisco SE and maybe see if there will be an option later or not.

Thanks,

Scott Fella

-Scott
New Member

Re: Question about Vlan Pooling and Interface grouping.

By the way Scott, thanks for all your help.

Hall of Fame Super Silver

Re: Question about Vlan Pooling and Interface grouping.

No problem... Keep us posted if you find this feature to work well or not in your environment. That would be good info to know.

-Scott