Hello Arshad,

But will VLAN=1 configured in Policy Profile reflect always the right Native VLAN in the FLEX profile? As not always it is VLAN1 on site where the "flat" design is in place. There are locations where vlan is 1 but also other locations where it is 2 or 130 or 510 etc.

So If I keep Policy Profile with VLAN 1, and it is assigned to the AP which has flex profile with Native VLAN = 130, does it mean that clients connected to such WLAN will be really on native VLAN even though PolicyProfile has 1?

Obviously it would be best to have AP Management VLAN (no doubt and I would love to achieve that...) however it is not always an easy task to reconfigure hundreds of locations....

Thank you

Martin

So If I keep Policy Profile with VLAN 1, and it is assigned to the AP which has flex profile with Native VLAN = 130, does it mean that clients connected to such WLAN will be really on native VLAN even though PolicyProfile has 1?

Yes, last time I checked was on 16.12.4a. I can confirm it worked there. If you in any new version I would recommend you test it in a lab environment first.

Hi Arshadaf,

Nope this is not the case with release 17.3.x (17.3.3 to be precise). If you have Flex profile with defined Native VLAN 1 and then Policy Profile which says clients are in VLAN 100 (obviously AP mode = Flex mode and there are some centrally and also locally switched WLANs), then such clients are not able to connect to locally switched WLAN while switch port is configured as access port.

Issue is with actual traffic as clients won't get an IP address because AP assume clients are in VLAN 100 but port is access port in VLAN 1.

With AireOS you just simply disabled "VLAN Support" on the AP level and it worked even though you had WLAN configured for clients to be in VLAN 100.

It seems it not anymore available to have it "that" simple.

Hi Jesus,

Does VLAN Name must be the same on local site at switch AP is connected to? I suppose not.

Using Flex profiles with different WLAN-2-VLAN mapping means that each of such Flex profile you have to assign to an AP by Site Tag (which basically applies Flex). Then such site tags you should keep a tag per location to prevent unnecessary data being transferred between more sites and APs (hard rule which can be easily misused). Therefore ideally you need a site tag per location which might not be easily maintained if you have 1000+ locations.

However if you are utilizing TAG assignment with  Filters (based on regex) there is also a limitation of 1024 filters in total...Which might be tough if you have more locations to always assign right site tags containing correct Flex profile etc.

With disabled "VLAN Support" I saw it was fairly easy to e maintained.

I will try to look into your idea, but kind of tend to believe it might be again unnecessary complicated from global scale perspective.

But thanks for your idea how you have achieved that.

Just let me know if in your case usage of VLAN Name instead of VLAN ID has some relation to the real VLAN name onsite (location where AP is connected to).

Thanks a lot

Martin 

Hi @Martin Jelinek ,

Your guess is right, VLAN name under c9800 does not have to match VLAN name on the switch side, it's only a local way to reference that.

And again, your guess is right with regards of the multiple sites associated to different Site tags (which applies to Flex profiles). For this approach, and for small sites, I'm using Flex/Sites per Country or Region. For example, all small sites with less than 2 APs in a country are using the same Flex/Site config, hence I have between 5 to 50+ sites sharing the same one "FRANCE-CLIENT-FLEX" / "FRANCE-CLIENT-SITE", thus minimising the administative task as they all have the same topology (VLAN 100) for locally forwarded WLAN.

The side effect of this approach is that all APs under the same Site tag share their cached credentials, and they download the new firmware from one of them when using ap image pre-download feature. Nothing to worry about I hope.

HTH
-Jesus
*** Please rate helpful responses ***

Hi @JPavonM 

Thanks for further info. Looks you are lucky to have even all small sites the very same topology. In our case if might not always be ideal and even in the country more small locations might have different VLAN used in the flat design.

And in combination to automate or to make deployment as easy as possible with 9800 we are trying to utilize Filter TAG assgnment based on AP hostname regular expression. Which can be done very easily if proper naming standard is in place. But just the "stupid" limitation for max. number of filters be 1024 (because of priorities) which I do hope will be fixed of extended in future releases at least.

I will try to look into this as you suggest, just still hoped for VLAN Support be disabled option which seems is not in there...

Thank you!

@Martin Jelinek it has been a lot of work to standardise all the deployment with a common VLAN for small sites, and same VLANs for every service in bigger ones, but that work allowed us to unify not only wireless configurations but also other services such as security.

With regards of your small and plain sites, you can also use this approach to create just one Flex profile for all of them. The only thing you need to do is to use the same Native VLAN Id than the WLAN-2-VLAN Id. Remember that in this case the AP forward the traffic without any VLAN tag so you can configure the switchport of the AP in access mode to receive untagged packets in whatever VLAN, so allowing you to aggregate all those APs under the same Flex profile.

HTH
-Jesus
*** Please rate helpful responses ***

@JPavonM 

Thanks, I will try to look into this and do some testing as well.

Certainly it is a hint worth to give a try in our case if that can at least simplify something.

Thank you 

Martin

There is always a time when you have to assess how the network is designed and determine if things need to change.  It seems like you can start to standardize and simplify the environment, but it comes down to planning and execution.  I have worked on many migrations because of old designs that do not scale well.  All it takes is starting small and migrating one site at a time.  Eventually all the sites will get migrated and standardized and life will be easier.  Always look at what can be improved and figure out how to get there.

Agree Just for migration time is needed and since we are undergo the migration from WLC (AireOS 8.5) > Catalyst 9800 it's quite messy at the moment due to issues with VLANs and not an easy way to achieve the very same as with AireOS (simply to disable VLAN Support).

Therefore migration is ongoing and site standardization as well, just this one will take about a year to be finalized, while migration must be completed much sooner.

However that is true it must be done and will be...one day.

Thanks

I know… I’ve been in that position and you just focus on migrating wireless one site at a time which makes your configuration complex. Then it’s the migration after the fact when the subnets gets migrated and you now how to create a new configuration, but hopefully a simple config that you can migrate site aps to.