topic Re: FlexConnect VLAN Based Central Switching - WLC 5500 in Wireless

FlexConnect VLAN Based Central Switching - WLC 5500

husam.hasan — Mon, 05 Jul 2021 16:26:47 GMT

Hey guys,

I got dot1x wireless deployment of Cisco WLC 5500 and ISE. Currently we have centrally switched WLAN with 2 VLANs Data and Remediation and all work fine. we need to make the Data VLAN local breakout while keeping the Remediation VLAN centrally switched.Based on the "FlexConnect VLAN Based Central Switching" that should work fine. But what happening is below

If both Data and Remediation are locally switched ( both VLAN are presented on the AP) then all good also if both are centrally switched ( flexconnect local switching not active on the WLAN ) but when I try to do the remediation centrally (VLAN not presented on the AP) and Data locally ( VLAN presented on the AP) then the AP is ignoring the VLAN tag coming from Cisco ISE for the remediation and put the client direct into Data ( default) VLAN locally . it behaves like before the "VLAN Based Central Switching" feature has been introduced!!!

I had version 8.3 then upgraded to latest version 8.5 but still no joy 😞

thought please!! is it a bug somewhere or am I missing something ?

Thanks,

Sam

Re: FlexConnect VLAN Based Central Switching - WLC 5500

Jurgens L — Wed, 14 Nov 2018 01:04:02 GMT

Just to clarify, are you trying to do this on the same SSID?

Re: FlexConnect VLAN Based Central Switching - WLC 5500

husam.hasan — Wed, 14 Nov 2018 01:11:50 GMT

Yes it is the same SSID and it got AAA override enable to get the VLAN name for ISE

Re: FlexConnect VLAN Based Central Switching - WLC 5500

husam.hasan — Wed, 14 Nov 2018 01:14:26 GMT

it is working fine if both VLANs (Data and Remediation) are centrally switched and if both are locally switched. but not when I try to use the "VLAN Based Central Switching" to switch the remediation centrally by not presenting this VLAN on the AP

Re: FlexConnect VLAN Based Central Switching - WLC 5500

Jurgens L — Wed, 14 Nov 2018 01:57:27 GMT

So that will happen and the reason for this is because your SSID can't do local switching and central switching at the same time.
You will have to look at getting an onboard SSID that is centrally switched and configure your end device to configure to another SSID that supports local switching.

Re: FlexConnect VLAN Based Central Switching - WLC 5500

Rasika Nayanajith — Wed, 14 Nov 2018 04:05:20 GMT

Here is the traffic flow when that feature enabled on FlexConnect local switching WLAN. In your scenario, I hope that remediation vlan is trunk to WLC (In that case, behavior should similar to step 1). As far as I understand, you see behavior described in step 2. Pls clarify if I understood it wrongly.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-5/Enterprise-Mobility-8-5-Design-Guide/Enterprise_Mobility_8-5_Deployment_Guide/ch7_HREA.html

Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:

If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.
If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.
If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.
If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.

Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:

If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.
If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.
If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.

HTH

Rasika

*** Pls rate all useful responses ***

Re: FlexConnect VLAN Based Central Switching - WLC 5500

husam.hasan — Fri, 16 Nov 2018 00:16:18 GMT

Hi Rasika,

It has to behave like described in step 1 as the VLAN is presented on the WLC but not on the AP and this feature is enabled. But what is happening that it is being switched locally using the default VLAN (data) presented on the AP. So it is something similar to step 2 but locally not Centrally so it behaves like the feature is not enabled.

To make sure that there is no issue with the VLAN/interface (Remediation) on the WLC, I have changed the WLAN to central switching then both VLANs ( Remediation and Data) work fine centrally.

Also to make sure that ISE is returning the VLAN attribute when it is local breakout (so it is not something like in step 4) I tried to make both VLANs local breakout (both presented on the AP and available locally in the remote site ) then both VLANs worked fine local breakout (as described in step 3 above)

But when the WLAN is local breakout and the Remediation VLAN is not presented on the AP, it is ignoring this feature and breakout locally to the default VLAN presented on the AP

thought!
Thanks,
Sam

Re: FlexConnect VLAN Based Central Switching - WLC 5500

husam.hasan — Thu, 22 Nov 2018 04:21:40 GMT

It has been solved by sending VLAN ID# from ISE not the VLAN-name despite the VLAN is defined in "FlexConnect VLAN Template" while it is fine to send the VLAN name for the VLAN's that are presented on the AP

Do not know what is the sense of this special case in FlexConnect VLAN Based Central Switching

Cheers,

Sam