Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3086
Views
5
Helpful
7
Replies

FlexConnect VLAN Based Central Switching - WLC 5500

Go to solution
husam.hasan
Level 1
Level 1

‎11-13-2018 01:59 PM - edited ‎07-05-2021 09:26 AM

Hey guys,

 

I got dot1x wireless deployment of  Cisco WLC 5500 and ISE. Currently we have centrally switched WLAN with 2 VLANs Data and Remediation and all work fine. we need to make the Data VLAN local breakout while keeping the Remediation VLAN centrally switched.Based on the "FlexConnect VLAN Based Central Switching" that should work fine. But what happening is below

 

If  both Data and Remediation are locally switched ( both VLAN are presented on the AP) then all good also if both are centrally switched ( flexconnect local switching not active on the WLAN )  but when I try to do the remediation centrally (VLAN not presented on the AP) and Data locally ( VLAN presented on the AP) then the AP is ignoring the VLAN tag coming from Cisco ISE for the remediation and put the client direct into Data ( default) VLAN locally . it behaves like before the "VLAN Based Central Switching" feature has been introduced!!!

 

I had version 8.3 then upgraded to latest version 8.5 but still no joy

 

thought please!! is it a bug somewhere or am I missing something ?

 

Thanks,

Sam

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
husam.hasan
Level 1
Level 1
In response to husam.hasan

‎11-21-2018 08:21 PM

It has been solved by sending VLAN ID# from ISE not the VLAN-name despite the VLAN is defined in "FlexConnect VLAN Template"  while it is fine to send the VLAN name for the VLAN's that are presented on the AP

 

Do not know what is the sense of this special case in  FlexConnect VLAN Based Central Switching

 

Cheers,

Sam

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jurgens L
Level 3
Level 3

‎11-13-2018 05:04 PM

Just to clarify, are you trying to do this on the same SSID?
0 Helpful

Go to solution
husam.hasan
Level 1
Level 1
In response to Jurgens L

‎11-13-2018 05:11 PM

Yes it is the same SSID and it got AAA override enable to get the VLAN name for ISE
0 Helpful

Go to solution
husam.hasan
Level 1
Level 1
In response to husam.hasan

‎11-13-2018 05:14 PM

it is working fine if both VLANs (Data and Remediation) are centrally switched and if both are locally switched. but not when I try to use the "VLAN Based Central Switching" to switch the remediation centrally by not presenting this VLAN on the AP
0 Helpful

Go to solution
Jurgens L
Level 3
Level 3
In response to husam.hasan

‎11-13-2018 05:57 PM

So that will happen and the reason for this is because your SSID can't do local switching and central switching at the same time.
You will have to look at getting an onboard SSID that is centrally switched and configure your end device to configure to another SSID that supports local switching.
0 Helpful

Go to solution
Rasika Nayanajith
VIP
VIP
In response to husam.hasan

‎11-13-2018 08:04 PM - edited ‎11-13-2018 08:05 PM

Here is the traffic flow when that feature enabled on FlexConnect local switching WLAN. In your scenario, I hope that remediation vlan is trunk to WLC (In that case, behavior should similar to step 1). As far as I understand, you see behavior described in step 2. Pls clarify if I understood it wrongly.

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/ch7_HREA.html

 

Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:

  • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
  • If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
  • If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
  • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.

Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:

  • If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
  • If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
  • If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.

HTH

Rasika

*** Pls rate all useful responses ***

Go to solution
husam.hasan
Level 1
Level 1
In response to Rasika Nayanajith

‎11-15-2018 04:02 PM - edited ‎11-15-2018 04:16 PM

Hi Rasika,

It has to behave like described in step 1 as the VLAN is presented on the WLC but not on the AP and this feature is enabled. But what is happening that it is being switched locally using the default VLAN (data) presented on the AP.  So it is something similar to step 2 but locally not Centrally so it behaves like the feature is not enabled. 

 

To make sure that there is no issue with the VLAN/interface (Remediation) on the WLC, I have changed the WLAN to central switching then both VLANs ( Remediation and Data) work fine centrally.

 

Also to make sure that ISE is returning the VLAN attribute when it is local breakout (so it is not something like in step 4) I tried to make both VLANs local breakout (both presented on the AP and available locally in the remote site ) then both VLANs worked fine local breakout (as described in step 3 above)

 

But when the WLAN is local breakout and the Remediation VLAN is not presented on the AP, it is ignoring this feature and breakout locally to the default VLAN presented on the AP

 

thought!
Thanks,
Sam

0 Helpful

Go to solution
husam.hasan
Level 1
Level 1
In response to husam.hasan

‎11-21-2018 08:21 PM

It has been solved by sending VLAN ID# from ISE not the VLAN-name despite the VLAN is defined in "FlexConnect VLAN Template"  while it is fine to send the VLAN name for the VLAN's that are presented on the AP

 

Do not know what is the sense of this special case in  FlexConnect VLAN Based Central Switching

 

Cheers,

Sam

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card