Thank you Rasika, so there is no way to play with radius attributes to do this? So, where can I make a feature request for the next AireOS? ;) Have to think about it again to find another solution for this problem...

Regards,

Christian

Product Enhancement Request (PER) you can make via your Cisco AM.

Having said that, when I went through below presentation, I found you may be able to do that, Pls give it a try and see.

BRKEWN-2016 Branch Office Wireless LAN Design (2014 Melbourne)

Here is the specific slide talking about this. If you override to a vlan where it is not available in Branch side, but it is available in central site, it might  do central switching.(not too sure )

Test this & let us know if you found a way to get it working.

HTH

Rasika

**** Pls rate all useful responses ****

Interesting slide Rasika, but to me it looks like the actual situation, maybe I don't understand it correctly at the moment (it's late ;) ).

At the moment I already override to a vlan which doesn't exist at the branch site and with local switching for this ssid traffic is fowarded to the configured default vlan (as said on this slide at fourth position) like it should, with central switching traffic goes to the correct vlan at the central site - but then also the traffic I want to stay local goes back to the wlc.

If there was a radius attribute where you could say "central/local" for each auth-response this would be nice. But it would also work the other way, if you tell the ap or flexconnect group that the radius vlan-override should be interpreted as "vlan 100 = local switched to vlan 10, vlan 200 = central switched" this would also be enough to solve this problem.

I'll read the presentation you linked tomorrow, thank you so far!

Regards,

Christian

Hi Christian.

This is what 7.3 mobility design document tells about "FlexConnect VLAN Based Central Switching" which is listed in above slide.

"From release 7.3 onwards, traffic from FlexConnect APs can be switched centrally or locally depending on the presence of a VLAN on a FlexConnect AP.

In controller software release 7.2, AAA override of VLAN (Dynamic VLAN assignment) for locally-switched WLANs puts wireless clients on the VLAN provided by the AAA server. If the VLAN provided by the AAA server is not present at the AP, the client is put on a WLAN mapped VLAN on that AP and traffic switches locally on that VLAN. Further, prior to release 7.3, traffic for a particular WLAN from FlexConnect APs can be switched Centrally or Locally depending on the WLAN configuration."

FlexConnect VLAN Central Switching Summary

Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in connected mode are as follows:

•If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally and the client is assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.

•If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the FlexConnect AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be assigned a VLAN/Interface mapped to a WLAN on the WLC.

•If the VLAN is returned as one of the AAA attributes and that VLAN is present in the FlexConnect AP database, traffic will switch locally.

•If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic is switched locally.

Traffic flow on WLANs configured for Local Switching when FlexConnect APs are in standalone mode are as follows:

•If the VLAN returned by the AAA server is not present in the FlexConnect AP database, the client will be put on a default VLAN (that is, a WLAN mapped VLAN on a FlexConnect AP). When the AP connects back, this client is de-authenticated and will switch traffic centrally.

•If the VLAN returned by the AAA server is present in the FlexConnect AP database, the client is placed into a returned VLAN and traffic will switch locally.

•If the VLAN is not returned from the AAA server, the client is assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.

Enjoy your weekend & I am sure you will be able to get this working.

HTH

Rasika

*** Pls rate all useful responses ****

I think I got it now - maybe we could check the location where the request comes from at the radius server (we know the ap) and then respond with the local vlan 10 (which exists at the branch office, instead of responding with vlan 100 normally) for client a to get local switched and the standard vlan 200 for client b for central switching. I'll test my theory next week and tell you about the details.

Thank you and also have a nice weekend!

Christian

Hi Rasika,

I read the presentation and your quote of the mobility design document and checked some config options, I think it depends if the option "VLAN based local switching" is enabled or not at the WLAN-based FlexConnect settings.

The 7.6 config-guide says: Select or unselect the VLAN based Central Switching check box to enable or disable central switching on a locally switched WLAN based on AAA overridden VLAN.

I'll talk to the radius-guys and hopefully can do some tests this week.

Regards,

Christian

Good news - it works! :) (tested and verified with 7.6.110.0)

Remark: In our setup the radius server matches where the request comes from (ap name) and if it's an ap from the branch it sends another vlan-id for one group of clients than at the central office. If you use the same vlan-ids everywhere this is not necessary.

Now to the functional details:

You have to use a flexconnect group for you branch (didn't have one until now), put all your branch-aps into the branch group(s) and delete the ap-specific vlan-definitions (if you had one before) so that only the group-settings are active. Inside the flexconnect-group go to "ACL Mapping" and just enter the VLAN-IDs you want to switch locally at the branch (these VLANs have to exist and be on the trunk to the ap of course). Now go to the WLAN settings of your ssid, go to the "Advanced" tab and select "Allow AAA override" (of course, without this it makes no sense ;)), "FlexConnect Local Switching" and "Vlan based Central Switching".

How it works:

Client a connects to branch-ap, radius says "VLAN 10" and this vlan exists in the flexconnect-group acl-mappings. Now this clients gets local switched to vlan 10.

Client b connects to branch-ap, radius says "VLAN 200" and this vlan doesn't exist in the flexconnect-group acl-mappings. Now this client gets central switched to vlan 200 at the WLC. If you don't select "Vlan based Central Switching" in the WLAN-settings this client would also get local-switched to VLAN 10 because it's the only vlan (in my scenario) which exists and therefore the default-vlan for this ssid.

Hope this helps someone with similar requirements and thank you Rasika for your inputs to this discussion.

Regards,

Christian

Hi guys, thanks for this post, I am trying to replicate that to cisco 5500 latest version of 8.5 but the AP is ignoring the "Vlan based Central Switching" feature and switching the connection locally to the default VLAN presented on the AP 

Any idea?

Thanks,

Sam

If both Data and Remediation are locally switched ( both VLAN are presented on the AP) then all good also if both are centrally switched ( flexconnect local switching not active on the WLAN ) but when I try to do the remediation centrally (not presented on the AP) and Data locally (presented on the AP) then the AP is ignoring the VLAN tag coming from Cisco ISE for the remediation and put the client direct into Data VLAN locally . it behaves like before the "VLAN Based Central Switching" has been introduced!!!

I had veriosn 8.3 then upgraded to latest version 8.5 but still no joy :(

Hi Christian,

Thank you for the great explanation. Really useful. :-)

Applied in 8.1.111 and It's working perfectly.

Cheers,

Vasco

Hello,

Very nice feature

Thank you for the explanation

Regards

Romain L.

Hi Christian,

I have a similar setup as yours. Just curious, have you enabled "ISE NAC" on the SSID? because I cannot enable this feature If Vlan-Based-Central-Switching is enabled. Is this even necessary?

Thanks,

John