Flex Connect Configuration on C9800

Hello.

We are planning to move from C8500 controllers to C9800. I want to configure FlexConnect Groups the same as the old ones. I want to ask how to configure Central Switching for the Policy Profiles for WLANs?

The old controller has the below configuration for the WLAN-VLAN association (where VLAN 666 is the native VLAN and VLANs 321, 322 and 323 steer traffic to the Central HO via MPLS):

[Attachment: FLEX1.png]

I have done the below configuration to C9800.

[Attachment: FLEX 2.png]

The configuration for the other WLANs is the same regarding Central Switching. Is this configuration right?

Thank you in advance

Grendizer
Cisco Employee

I can see that you have different WLANs with different VLAN numbers; the AP will drop those clients based on what you configured. The 9800 WLC has a different config from AireOS. How?

Say you need to support those WLANs with central switching for some sites, for example corp offices, and local switching for other remote sites or branches, and, to add more complexity, you need to support different VLANs per remote site (not a common scenario, but it's definitely supported). What you can do is:

Create two policy profiles per WLAN, one configured as local switching (with a named VLAN assigned; you will see why this is a good practice) and the second configured as central switching, and then tag APs based on the use case. For example:

AP1 to AP20 in remotesite1 will be in FlexConnect mode and have a policy tag mapping WLAN xyz to a policy profile that is configured as local switching, and a site tag with a flex profile; that flex profile has been configured with the native VLAN and all other data VLANs needed (VLAN name to VLAN ID per WLAN) if you have more than one WLAN for those sites.

AP1 to AP20 in Corp Office 1 will be in Local mode and have a policy tag mapping WLAN xyz (the same WLAN) to a different policy profile that is configured as central switching, and a site tag without a flex profile (Enable Local Site checked).

It's good practice to call those VLANs by name when configuring the policy profile; then, from the flex profile, you can assign the VLAN name to a different VLAN number. This way you can have one policy profile per WLAN for all remote sites, but each remote site has a different VLAN mapping based on the site requirements.

And obviously, if you go this route of naming the VLAN, then you need to configure it on the 9800 as a Layer 2 VLAN without an SVI, and without even allowing it on the trunk to the connected switch (9800 to switch).

Or you can go the very hard way by calling just the VLAN number from the policy profile (even if that VLAN ID is not configured on the 9800); then you don't have to configure the VLAN name to VLAN ID mapping in the flex profile, but in that case you will need two policy profiles per WLAN per site, assuming you need a different VLAN per site.

In short, best practices:

1-Always use a named VLAN when configuring the policy profiles (local or central switching); it is also required if you're using AAA VLAN override.

2-For remote sites, configure a fake or real VLAN number and name on the 9800, but don't configure it on the connected switch or on the WLC-to-switch trunk.

3-Use a custom Flex Profile and don't use the default flex profile.

Other Notes:

Note 1: If you need the "DHCP required" feature to be used with local switching and "local DHCP", then you need to:

1-Enable "IPv4 DHCP required" in the policy profile

2-Use any flex profile other than the default flex profile

3-Use 17.2.1 code or later; 17.3.2a is better.

Clients that have a static IP address will get stuck in (IPLEARN_PENDING) on the AP; you can check that with (sh flex client).

Note 2: The local auth internal server on the FlexConnect AP will work fine with PSK on Wave-2 and AX APs, but not on Wave-1 APs; other types of auth like PEAP and EAP-TLS will not work, BUT they will work with an external RADIUS server (the FlexConnect AP sending the auth to the RADIUS server).

Note 3: The attached config is correct. (Central Authentication) means that the client will always try to authenticate using the WLC, but this will also work with (Central Authentication) disabled in case you use PSK or Flex local auth with an external RADIUS server.

Note 4: If you need to support overlapping IPs on different FlexConnect sites, then you need to:

1) Run 17.3.2a for now, until 17.4.1 is available, and check (IP Overlap) in the flex profile.

2) Use a different site tag for each branch.

Because without it, the 9800 will detect two devices with the same IP address as IP theft.

Always, always, always use a different custom site tag for different sites, even without a FlexConnect deployment. Do NOT use the default-site-tag.

Hope that is helpful.
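As an added example that is not part of the reply or the poster's attached config, here is the two-policy-profile model described above as C9800 IOS-XE CLI. WLAN profile xyz and VLAN IDs 666, 321 and 322 come from the thread; the VLAN name HQ-DATA, the profile and tag names and the AP MACs are assumed placeholders.

```cisco
! Added example, not the poster's or reply's config: the two-policy-profile
! model from the reply, as C9800 IOS-XE CLI. Names (HQ-DATA, *-FLEX, *-SITE,
! *-POLICY, AP MACs) are assumed; WLAN xyz and VLANs 666/321/322 are from the thread.
! Layer 2 VLAN on the 9800 only: no SVI, and keep it OFF the WLC-to-switch trunk
vlan 321
 name HQ-DATA
! Policy profile 1: central switching, used by local-mode APs at corp offices
wireless profile policy xyz-CENTRAL
 central switching
 central dhcp
 vlan HQ-DATA
 no shutdown
! Policy profile 2: FlexConnect local switching; the VLAN is referenced by NAME
wireless profile policy xyz-LOCAL
 no central switching
 no central dhcp
 central authentication
 vlan HQ-DATA
 no shutdown
! One custom flex profile per branch maps the same name to that site's VLAN ID
wireless profile flex BRANCH1-FLEX
 native-vlan-id 666
 vlan-name HQ-DATA
  vlan-id 321
wireless profile flex BRANCH2-FLEX
 native-vlan-id 666
 vlan-name HQ-DATA
  vlan-id 322
! One site tag per site (never default-site-tag); flex sites clear local-site
wireless tag site BRANCH1-SITE
 flex-profile BRANCH1-FLEX
 no local-site
wireless tag site BRANCH2-SITE
 flex-profile BRANCH2-FLEX
 no local-site
wireless tag site CORP1-SITE
 local-site
! Policy tags bind the same WLAN to the right policy profile per use case
wireless tag policy BRANCH-POLICY
 wlan xyz policy xyz-LOCAL
wireless tag policy CORP1-POLICY
 wlan xyz policy xyz-CENTRAL
! Tag the APs (placeholder MACs)
ap 0000.0000.0001
 site-tag BRANCH1-SITE
 policy-tag BRANCH-POLICY
ap 0000.0000.0002
 site-tag CORP1-SITE
 policy-tag CORP1-POLICY
```

Both branches share the single xyz-LOCAL policy profile, and only the per-site flex profile decides which VLAN ID HQ-DATA becomes on the wire.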
