cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
571
Views
0
Helpful
1
Replies

Flexconnect ISSUE WLC3540 exit to internet

lorenzo.fatati1
Level 1
Level 1

Hi all,

I'm implementing flexconnect for a customer and I would kindly need your support, as we have a problem with internet reachability from clients. I'd like to point out that this is not a branch office but it's their only office, so from the beginning it's not a best practice to implement flexconnect, in fact at first we opted to configure the AP in local mode (the standard one) and everything work

The architecture currently consists of 2 distribution cores (9500) that are directly connected to perimeter switch which in turn is connected the Huawei cpe (of service provider) . The only routing is a default route versus CPE.

WLC 3540 (in SSO mode) are connected to 2 access switches because the customer is not yet in possession of the transceivers to connect them to the CORE (even this thing is not a best practice).

Today doing some tests and enabling the flexconnect as Cisco guide and with Central DHCP (so we don't have to create the pools on the access switches), we had problems with the traffic to the internet; first of all the ip is released correctly but, from a traceroute we saw that the packets get stuck to the CORE, which it didn't do in the local mode (in fact before it was released correctly on the internet). As for the internal traffic, even between different vlan, the flexconnect works correctly not passing through the WLC.

is it possible that the NAT-PAT option of the DHCP central does a weird NAT and my client presents itself with another ip that is then blocked by the perimeter switch with an ACL? (customer doesn't have any Firewall yet). I don't have privilige to access in this switch because is managed by service provider.

The Flexconnect configuration is done as standard: I configured the port of the switch where the ap is connected with the native management vlan and the other vlan in allowed; I did the vlan mapping on the ap and enabled the flexconnect local switching under the WLAN.

Someone has some suggestions.

Thanks to everyone for the support

1 Reply 1

Scott Fella
Hall of Fame
Hall of Fame
I don’t understand why you have SSO with FlexConnect with one building, what is the use case for this design?
Anyways, there is a difference when FlexConnect is enabled as you can have centrally switched or locally switched. Then it also depends on how your FlexConnect groups are defined. Once you understand your current design, look at how the traffic egress out so you know where the issue might be. If local connectivity if fine, then I don’t see any issue with the wireless. If the issue is with internet, then look at your NAT and make sure that is not an issue.
-Scott
*** Please rate helpful posts ***
Review Cisco Networking for a $25 gift card