
mode Flexconnect

Jozef Staruch
Level 1

Hi All,

I have a WLC and an AP in FlexConnect mode with the following VLAN mappings:

flexconnect.png

At the layer 3 switch I have two VLANs:

Vlan427 (used for wireless scanners)
Vlan499 (native VLAN)

At the layer 2 switch which is connected to the L3 switch, the port where the AP is connected has the following config:

interface GigabitEthernet2/0/46

description **** FMO WLAN ****

switchport trunk native vlan 499

switchport trunk allowed vlan 427,499

I am wondering if the VLAN mappings config is correct and if there should not be VLAN 427, which is used for scanners... The main problem is that the scanners connect but do not get an IP address.

Thank you for your help

13 Replies

Where is the DHCP pool defined for VLAN 427? Does the AP get an IP from VLAN 499? When you are mapping VLANs, you need to specify VLAN 499 as the native VLAN.

Also, you need to map VLAN 427 for WLAN 12 (scannernet) here. Provide the following output to see what's missing:

"show wlan 12" & "show interface detail "

HTH

Rasika

Hi Rasika,

Here are the commands. I am a little bit confused... For DHCP we use an external DHCP server (QIP). Each VLAN has a defined scope from which AP clients should get an IP address.

(Cisco Controller) >show wlan 12

WLAN Identifier.................................. 12

Profile Name..................................... Scannernet-Valora

Network Name (SSID).............................. scannernet

Status........................................... Enabled

MAC Filtering.................................... Disabled

Broadcast SSID................................... Enabled

AAA Policy Override.............................. Disabled

Network Admission Control

  Client Profiling Status ....................... Disabled

  Radius-NAC State............................... Disabled

  SNMP-NAC State................................. Disabled

  Quarantine VLAN................................ 0

Maximum number of Associated Clients............. 0

Maximum number of Clients per AP Radio........... 200

Number of Active Clients......................... 2

Exclusionlist.................................... Disabled

Session Timeout.................................. 1800 seconds

CHD per WLAN..................................... Enabled

Webauth DHCP exclusion........................... Disabled

Interface........................................ management

--More-- or (q)uit

Multicast Interface.............................. Not Configured

WLAN IPv4 ACL.................................... unconfigured

WLAN IPv6 ACL.................................... unconfigured

DHCP Server...................................... Default

DHCP Address Assignment Required................. Disabled

Static IP client tunneling....................... Disabled

Quality of Service............................... Silver

Scan Defer Priority.............................. 4,5,6

Scan Defer Time.................................. 100 milliseconds

WMM.............................................. Allowed

WMM UAPSD Compliant Client Support............... Disabled

Media Stream Multicast-direct.................... Disabled

CCX - AironetIe Support.......................... Disabled

CCX - Gratuitous ProbeResponse (GPR)............. Disabled

CCX - Diagnostics Channel Capability............. Disabled

Dot11-Phone Mode (7920).......................... Disabled

Wired Protocol................................... None

Passive Client Feature........................... Disabled

Peer-to-Peer Blocking Action..................... Disabled

Radio Policy..................................... All

DTIM period for 802.11a radio.................... 1

DTIM period for 802.11b radio.................... 1

Radius Servers

--More-- or (q)uit

   Authentication................................ Disabled

   Accounting.................................... Disabled

   Dynamic Interface............................. Disabled

Local EAP Authentication......................... Disabled

Security

   802.11 Authentication:........................ Open System

   FT Support.................................... Disabled

   Static WEP Keys............................... Disabled

   802.1X........................................ Disabled

   Wi-Fi Protected Access (WPA/WPA2)............. Enabled

      WPA (SSN IE)............................... Enabled

         TKIP Cipher............................. Enabled

         AES Cipher.............................. Disabled

      WPA2 (RSN IE).............................. Enabled

         TKIP Cipher............................. Enabled

         AES Cipher.............................. Disabled

      Auth Key Management

         802.1x.................................. Disabled

         PSK..................................... Enabled

         CCKM.................................... Disabled

         FT-1X(802.11r).......................... Disabled

         FT-PSK(802.11r)......................... Disabled

--More-- or (q)uit

      FT Reassociation Timeout................... 20

      FT Over-The-DS mode........................ Disabled

      GTK Randomization.......................... Disabled

      SKC Cache Support.......................... Disabled

      CCKM TSF Tolerance......................... 1000

   Wi-Fi Direct policy configured................ Disabled

   EAP-Passthrough............................... Disabled

   CKIP ......................................... Disabled

   Web Based Authentication...................... Disabled

   Web-Passthrough............................... Disabled

   Conditional Web Redirect...................... Disabled

   Splash-Page Web Redirect...................... Disabled

   Auto Anchor................................... Disabled

   FlexConnect Local Switching................... Enabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

   Client MFP.................................... Optional

   Tkip MIC Countermeasure Hold-down Timer....... 60

Call Snooping.................................... Disabled

Roamed Call Re-Anchor Policy..................... Disabled

SIP CAC Fail Send-486-Busy Policy................ Enabled

SIP CAC Fail Send Dis-Association Policy......... Disabled

KTS based CAC Policy............................. Disabled

--More-- or (q)uit

Band Select...................................... Disabled

Load Balancing................................... Disabled

Multicast Buffer................................. Disabled

Mobility Anchor List

WLAN ID     IP Address            Status

-------     ---------------       ------

802.11u........................................ Disabled

  Access Network type............................ Not configured

  Network Authentication type.................... Not configured

  Internet service............................... Disabled

  HESSID......................................... 00:00:00:00:00:00

Hotspot 2.0.................................... Disabled

  WAN Metrics configuration

    Link status.................................. 0

    Link symmetry................................ 0

    Downlink speed............................... 0

    Uplink speed................................. 0

Mobility Services Advertisement Protocol....... Disabled

--More-- or (q)uit

(Cisco Controller) >?

debug          Manages system debug options.

help           Help

linktest       Perform a link test to a specified MAC address.

logout         Exit this session. Any unsaved changes are lost.

show           Display switch options and settings.

(Cisco Controller) >show interface detailed management

Interface Name................................... management

MAC Address...................................... cc:ef:48:0c:f1:ef

IP Address....................................... 10.32.13.8

IP Netmask....................................... 255.255.255.240

IP Gateway....................................... 10.32.13.1

External NAT IP State............................ Disabled

External NAT IP Address.......................... 0.0.0.0

VLAN............................................. 413      

Quarantine-vlan.................................. 0

Active Physical Port............................. LAG (13)

Primary Physical Port............................ LAG (13)

Backup Physical Port............................. Unconfigured

Primary DHCP Server.............................. 10.51.7.253

Secondary DHCP Server............................ Unconfigured

DHCP Option 82................................... Disabled

ACL.............................................. Unconfigured

AP Manager....................................... Yes

Guest Interface.................................. No

L2 Multicast..................................... Disabled

.

(Cisco Controller) >show wlan summary

Number of WLANs.................................. 4

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name     

-------  -------------------------------------  --------  --------------------

10       Corporate-Valora-Muttenz / valora      Enabled   dummy-if           

11       Guest-Valora-Muttenz / valora-guest    Enabled   dummy-if           

12       Scannernet-Valora / scannernet         Enabled   management         

42       SiteSurvey / valora-survey             Disabled  dummy-if           

(Cisco Controller) >

Hi Jozef,

Thanks for the output, it helps to understand your config. As per the "show wlan 12" output, you have correctly configured local switching. So you can ignore my previous comment about WLAN 12 needing to be mapped to VLAN 427 (that is only relevant to central switching; if this is the confusion, you can ignore my previous comment on this point).

   FlexConnect Local Switching................... Enabled

   FlexConnect Local Authentication.............. Disabled

   FlexConnect Learn IP Address.................. Enabled

Now I suspect the VLAN mapping is not accurate, and that may be the reason why you are not getting an IP for these devices in local switching mode. Can you do a "show ap config general " to confirm this?

Here is an example of similar output from one of my FlexConnect APs (in 7.5 code, so you may see something a little different in yours). I would expect your output to be similar, indicating VLAN 499 as native and 427 for WLAN 12 (in my case VLAN 20 is native and 130 is for WLAN 5).

(WLC) >show ap config general OE-AP005-RASIKA

Cisco AP Identifier.............................. 148

Cisco AP Name.................................... OE-AP005-RASIKA

Country code..................................... AU  - Australia

Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-NZ

AP Country code.................................. AU  - Australia

AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N

Switch Port Number .............................. 13

MAC Address...................................... 00:26:0b:63:ca:f4

IP Address Configuration......................... Static IP assigned

IP Address....................................... 192.168.20.201

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 192.168.20.254

Domain...........................................

Primary Cisco Switch Name........................ WLC

Primary Cisco Switch IP Address.................. x.x.x.35

.

.

Administrative State ............................ ADMIN_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... FlexConnect

Public Safety ................................... Disabled

AP SubMode ...................................... Not Configured

Remote AP Debug ................................. Disabled

Logging trap severity level ..................... errors

Logging syslog facility ......................... local7

S/W  Version .................................... 7.5.102.0

.

.

AP Model......................................... AIR-LAP1131AG-N-K9 

AP Image......................................... C1130-K9W8-M

IOS Version...................................... 12.4(25e)JAN1$

Reset Button..................................... Enabled

AP Serial Number................................. FCW1349V0GP

AP Certificate Type.............................. Manufacture Installed

FlexConnect Vlan mode :.......................... Enabled

        Native ID :..................................... 20

        WLAN 5 :........................................ 130 (AP-Specific)

HTH

Rasika

Hi Rasika,

Thank you for helping. I added the command you requested. According to the output, the mapping is not good.

What do you think?

(Cisco Controller) >show ap config genera                                                                   vluluksap0001

Cisco AP Identifier.............................. 426

Cisco AP Name.................................... vluluksap0001

Country code..................................... CH  - Switzerland

Regulatory Domain allowed by Country............. 802.11bg:-E     802.11a:-E

AP Country code.................................. CH  - Switzerland

AP Regulatory Domain............................. 802.11bg:-E    802.11a:-E

Switch Port Number .............................. 13

MAC Address...................................... 10:f3:11:9c:ef:8b

IP Address Configuration......................... DHCP

IP Address....................................... 10.88.99.24

IP NetMask....................................... 255.255.255.0

Gateway IP Addr.................................. 10.88.99.1

NAT External IP Address.......................... None

CAPWAP Path MTU.................................. 1485

Telnet State..................................... Disabled

Ssh State........................................ Disabled

Cisco AP Location................................ Kopfstation Luxemburg

Cisco AP Group Name.............................. KS-LUX-ALL

Primary Cisco Switch Name........................ ch-val-mut-wc0001

Primary Cisco Switch IP Address.................. 10.32.13.8

Secondary Cisco Switch Name...................... ch-val-mut-wc0000

--More-- or (q)uit

Secondary Cisco Switch IP Address................ 10.32.12.8

Tertiary Cisco Switch Name.......................

Tertiary Cisco Switch IP Address................. Not Configured

Administrative State ............................ ADMIN_ENABLED

Operation State ................................. REGISTERED

Mirroring Mode .................................. Disabled

AP Mode ......................................... FlexConnect

Public Safety ................................... Disabled

AP SubMode ...................................... Not Configured

Remote AP Debug ................................. Disabled

Logging trap severity level ..................... informational

Logging syslog facility ......................... kern

S/W  Version .................................... 7.2.110.0

Boot  Version ................................... 12.4.25.1

Mini IOS Version ................................ 0.0.0.0

Stats Reporting Period .......................... 180

LED State........................................ Enabled

PoE Pre-Standard Switch.......................... Disabled

PoE Power Injector MAC Addr...................... Disabled

Power Type/Mode.................................. Power injector / Normal mode

Number Of Slots.................................. 2

AP Model......................................... AIR-CAP2602I-E-K9  

AP Image......................................... C2600-K9W8-M

--More-- or (q)uit

IOS Version...................................... 12.4(25e)JA1$

Reset Button..................................... Enabled

AP Serial Number................................. FGL1710S91S

AP Certificate Type.............................. Manufacture Installed

FlexConnect Vlan mode :.......................... Enabled

    Native ID :..................................... 1

    WLAN 12 :....................................... 400

FlexConnect VLAN ACL Mappings

Vlan :........................................... 400

    Ingress ACL :................................... None

    Egress ACL :.................................... None

FlexConnect Group................................ Not a member of any group

Group VLAN ACL Mappings

FlexConnect Backup Auth Radius Servers :

Static Primary Radius Server.................... Disabled

Static Secondary Radius Server.................. Disabled

Group Primary Radius Server..................... Disabled

Group Secondary Radius Server................... Disabled

AP User Mode..................................... AUTOMATIC

AP User Name..................................... Not Configured

AP Dot1x User Mode............................... Not Configured

AP Dot1x User Name............................... Not Configured

--More-- or (q)uit

Cisco AP system logging host..................... 255.255.255.255

AP Up Time....................................... 53 days, 08 h 03 m 30 s

AP LWAPP Up Time................................. 4 days, 02 h 38 m 55 s

Join Date and Time............................... Fri Sep 13 07:19:09 2013

Join Taken Time.................................. 0 days, 00 h 00 m 11 s

Ethernet Port Duplex............................. Auto

Ethernet Port Speed.............................. Auto

AP Link Latency.................................. Disabled

Rogue Detection.................................. Enabled

AP TCP MSS Adjust................................ Disabled

Venue Name....................................... Not configured

Venue Group...................................... Unspecified

Venue Type....................................... Unspecified

Language Code.................................... Not configured

Hi Jozef,

As you figured out, the VLAN mapping is not correct. You can fix this via either the GUI or the CLI. Here are the CLI commands to run on the WLC to enable VLAN mapping for the given AP:

config ap disable vluluksap0001

config ap flexconnect vlan enable vluluksap0001

config ap flexconnect vlan native 499 vluluksap0001

config ap flexconnect vlan wlan 12 427 vluluksap0001

config ap enable vluluksap0001

As long as the vlan427 interface is configured with the correct helper address pointing to your DHCP server, your scanner devices should get an IP.

Refer to this config guide for the GUI steps (it includes the CLI as well):

http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1225251

Hope this will work for you. If not, let us know.

Please rate the response if it is useful to you

Regards

Rasika

Hi Rasika,

It makes sense, thank you... Just one more question: I have another location with a similar setup which is working. The VLAN for scanners is OK, but I do not understand how the native VLAN can work in this case.

DHCP server  ---- >router-- > switch -- AP

AP settings:

FlexConnect Vlan mode :.......................... Enabled

        Native ID :..................................... 1

        WLAN 12 :....................................... 400

FlexConnect VLAN ACL Mappings

Vlan :........................................... 400

Switch port where AP is connected:

interface FastEthernet0/46

description **** FMO TEST-AP ****

switchport trunk native vlan 444

switchport trunk allowed vlan 400,444

switchport mode trunk

switchport nonegotiate

switch: ch-vla-ksmutt-as-01#show interfaces trunk

Port        Mode             Encapsulation  Status        Native vlan

Fa0/46      on               802.1q         trunking      444

Router:

Vlan400                    10.54.38.2      YES manual up                    up 

Vlan444                    10.54.39.2      YES manual up                    up

How is it possible that I do not see any errors even though the FlexConnect Native VLAN ID in the AP config is 1?

Thanks for the explanation

In this case, what is the IP obtained by the AP ("show cdp nei detail fa0/46" should tell you)? In this case you have mapped VLAN 400 to WLAN 12. Does the client get an IP from VLAN 400?

In the first scenario you want the client to get an IP from VLAN 427, and the VLAN mapping is not reflecting that. It was mapped to VLAN 400.

Is this clear?

Rasika

Hi Rasika,

It is clear about VLAN 427, and this needs to be mapped to WLAN 12... This should be fixed.

If I do "show cdp nei detail" I see that the AP has an IP address from native VLAN 499.

The only thing which is now confusing me is that the AP has Native VLAN ID 1 but the switch has native VLAN 499 and the AP gets an IP address from VLAN 499... Does the native VLAN setting on the AP do something?

In this situation, can you ping the AP from your network? Theoretically this will result in the switch sending VLAN 499 traffic untagged (i.e. traffic going to the AP), and the AP will send the return traffic tagged (since the native VLAN is 1, VLAN 499 traffic should be tagged).

"show derived-config" on your AP console should give you the configuration pushed by the WLC. You can find out the differences it makes that way as well. On my AP I would see something like this (20 native VLAN, 130 tagged VLAN):

interface FastEthernet0.1

encapsulation dot1Q 20 native

bridge-group 1

!

interface FastEthernet0.2

encapsulation dot1Q 130

bridge-group 2

If you do a Wireshark capture of the switch port the AP is connected to (using a PC with an 802.1q-capable NIC/OS), you can see exactly what's happening.

Please rate the response if it is useful

HTH

Rasika
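The two mismatches discussed in this thread (the WLAN-to-VLAN mapping pointing at a VLAN the trunk does not carry, and the AP's FlexConnect native VLAN differing from the switch port's native VLAN) can be checked mechanically. The following is an added example, not code from any poster or from Cisco; the function names are hypothetical, and the sample inputs are the `show ap config general` and switch port lines quoted in the posts above.

```python
import re

def parse_ap_flex(text):
    """Native VLAN and WLAN->VLAN map from 'show ap config general' output."""
    native, wlan_vlans = None, {}
    for line in text.splitlines():
        m = re.match(r"\s*Native ID\s*:\.+\s*(\d+)", line)
        if m:
            native = int(m.group(1))
            continue
        m = re.match(r"\s*WLAN\s+(\d+)\s*:\.+\s*(\d+)", line)
        if m:
            wlan_vlans[int(m.group(1))] = int(m.group(2))
    return native, wlan_vlans

def parse_trunk(text):
    """Native VLAN and allowed-VLAN set from an IOS trunk port config."""
    native, allowed = 1, None  # IOS defaults: native 1, all VLANs allowed
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
            continue
        m = re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", line)
        if m:
            ids = set()
            for part in m.group(2).split(","):
                lo, _, hi = part.partition("-")  # "400-410" style ranges
                ids.update(range(int(lo), int(hi or lo) + 1))
            if not m.group(1):
                allowed = ids
            elif allowed is not None:
                allowed |= ids
    return native, allowed

def check(ap_text, port_text):
    """Return a list of findings; an empty list means AP and port agree."""
    ap_native, wlan_vlans = parse_ap_flex(ap_text)
    sw_native, allowed = parse_trunk(port_text)
    findings = []
    if ap_native != sw_native:
        findings.append(f"native VLAN mismatch: AP {ap_native}, switch {sw_native}")
    for wlan, vlan in sorted(wlan_vlans.items()):
        if allowed is not None and vlan not in allowed:
            findings.append(f"WLAN {wlan} -> VLAN {vlan} not allowed on trunk")
    return findings

# Sample inputs taken from the outputs quoted in this thread.
AP_AS_POSTED = """FlexConnect Vlan mode :.......................... Enabled
    Native ID :..................................... 1
    WLAN 12 :....................................... 400
"""
PORT_SITE1 = """interface GigabitEthernet2/0/46
 switchport trunk native vlan 499
 switchport trunk allowed vlan 427,499
"""
PORT_SITE2 = """interface FastEthernet0/46
 switchport trunk native vlan 444
 switchport trunk allowed vlan 400,444
 switchport mode trunk
"""
# AP output as it would look after the suggested 'config ap flexconnect vlan'
# commands (constructed for this example).
AP_FIXED = AP_AS_POSTED.replace("... 1\n", "... 499\n").replace(" 400", " 427")

if __name__ == "__main__":
    for name, ap, port in [("site 1", AP_AS_POSTED, PORT_SITE1),
                           ("site 2", AP_AS_POSTED, PORT_SITE2),
                           ("site 1 fixed", AP_FIXED, PORT_SITE1)]:
        print(name, check(ap, port) or "consistent")
```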

mhooper82
Level 1

What is the switch port configuration? Bear in mind that when you're using the AP as FlexConnect, the port needs to be configured as a trunk port; after that the WLC will see the available VLANs.


Connect a client with a static IP in VLAN 427, and see if that can pass traffic.

blenka
Level 3

To enable the FlexConnect configuration, kindly see page 435.

http://www.cisco.com/en/US/docs/wireless/controller/7.5/config_guide/b_cg75.pdf

abwahid
Level 4

Hi,

Please check the FlexConnect configuration at the link below:

http://www.cisco.com/c/en/us/td/docs/wireless/ncs/1-1/configuration/guide/NCS11cg/hreap.html
