12-28-2023 01:20 AM
Hey All,
We are running one cluster of 9800 that is located in the campus central DC location.
Then we have several distribution blocks that are termination points of L3 subnets.
Each site within the campus is connected to one of the distributions and then routed through the core switches/routers.
All SSIDs that we have are using FlexConnect local switching, and we are breaking out the user traffic into VLANs directly from the AP to the distribution network. We are using an AAA override SSID with ISE that sends out the VLAN name, and the user is then locally bridged to the correct VLAN.
For this purpose on AireOS we have been using FlexConnect VLAN templates where we defined the VLAN name to ID mappings.
The thing is that we have over 18 VLANs at the moment that need to be locally bridged. And this will possibly grow in the future, since each technology that is used around the site is segmented into its own L2 VLAN / L3 subnet.
Now we're trying to migrate to the 9800 WLC and I found out the hard way that there is no way to configure more than 16 VLANs in the FlexConnect profile VLAN mappings. After doing some more research I have found out that FlexConnect only supports 16 VLANs to be locally bridged.
This was possible to configure on AireOS, since there you'd have to create blank ACLs in the FlexConnect group for the AAA override VLANs, and there it never complained about it. But on the 9800 it just won't let you do it.
Is there any reason why there is this limitation? Is there any way to locally break out more VLANs from the FlexConnect AP?
I know the better solution would be to have a 9800 WLC in each distribution block and centrally switch, but that is not possible at the moment, because that would mean buying maybe 10+ WLCs, which is too expensive.
I was wondering why there is an enforced limit of 16 VLANs that we can locally break out of the AP using FlexConnect mode? And is there any way to work around it? Because it is almost 100% certain that new technologies will be deployed in the future that will require their own subnets/VLANs, and we will run into this limit also for other sites within the campus.
thx
12-28-2023 07:20 AM
Couldn't find this search result for later releases than 17.9.x, you may want to test with higher version(s).
M.
01-06-2024 03:26 AM
It's still there in later versions - just more difficult to find!
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m-sniffer-cg.html
FlexConnect mode can support only 16 VLANs per AP.
But I don't think it's essential to define every VLAN anyway - if you use the VLAN ID (number) instead of the name then it should work either way.
Can you split them up into different flex profiles? This is one of many things where the limits on the 9800 are significantly smaller than on AireOS. I suspect the devs were simply thinking there is no need for more VLANs than that when there should never be more SSIDs than that on the AP, not thinking of your use case.
01-09-2024 03:38 AM - edited 01-09-2024 03:39 AM
Hey Rich,
thanks for the answer:)
More flex profiles / site tags is not really an option, since all APs in this particular location need to be aware of 18+ VLANs because of the segmentation. So I can't split half of the APs to bridge, let's say, 10 VLANs and the rest the other 10 VLANs, since all of them are needed in this particular geographical location.
I was thinking about having ISE send out the VLAN number instead of the name. But I think it wouldn't be different, since the AP in FlexConnect mode only supports 16 VLANs, hence it won't be able to create more than 16 subinterfaces.
Let's say, for example, we're indeed sending the direct VLAN ID (number) from ISE rather than the name; how would the AP know about that particular VLAN if it isn't defined anywhere in the FlexConnect profile?
Will it be able to locally bridge and correctly tag the frame into the distribution network, even if the VLAN is not locally defined on the AP in the flex profile?
Maybe I should spin up an ISE in my lab and try this out.
01-09-2024 03:58 AM
Yes, I'd suggest testing it in the lab - I recently discovered we had one SSID working even though the VLAN hadn't been defined, so I suspect the AP is simply tagging the traffic for the client. That was with a static VLAN on the SSID profile, not dynamic from ISE, so it might not be the same, but I think it might work the same way anyway. (And we've never tried going over 16 VLANs <smile>)
01-22-2024 12:59 PM - edited 01-22-2024 12:59 PM
Hey Rich,
Just to follow back:
I was able to spin up an ISE in my lab and hook it up to an SSID on my virtual 9800 cluster.
So the result of the test for the FlexConnect SSID:
If there is a policy profile with a VLAN ID, and it is not defined in the FlexConnect profile, then it works fine like you mentioned. It is able to locally bridge the user connecting to that SSID to the correct VLAN, even when it is not defined in the FlexConnect profile VLAN mapping.
However, when trying it out with a policy profile that is using a "DUMMY/BLACKHOLE" VLAN for AAA override, and ISE sends out the VLAN ID based upon the authorization result with Access-Accept attributes (where XX is the VLAN number):
Tunnel-Private-Group-ID = XX:XX
Tunnel-Type = XX:13
Tunnel-Medium-Type = XX:6
Then it does not work and the user is placed on the "BLACKHOLE" VLAN.
This was tested on:
17.9.4a 9800 virtual WLC cluster
3.2.0.542 virtual ISE
Catalyst 9136i and 9164i APs
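As an added illustration of the two lab results above (not code from the thread or from Cisco), the following Python models how a FlexConnect AP ends up choosing a client's VLAN: it parses the three RADIUS Tunnel attributes from an Access-Accept (with or without the "tag:" prefix), enforces the 16-entry cap on the FlexConnect profile VLAN mapping quoted from the configuration guide, and resolves the client VLAN the way the poster observed. The function names, the constructed Access-Accept, and the decision order are assumptions of this example; in particular it assumes the failing AAA-override case is a VLAN that is absent from the FlexConnect mapping, which is the scenario the thread is about.

```python
"""Model of FlexConnect VLAN resolution under AAA override (added example).

The 16-entry limit is the one quoted from the 9800 configuration guide; the
rest of the behaviour is reconstructed from the lab results in the thread and
is an assumption, not Cisco's documented internal logic.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

MAX_FLEX_VLAN_MAPPINGS = 16   # per-AP FlexConnect limit quoted in the thread
TUNNEL_TYPE_VLAN = "13"       # RFC 2868: Tunnel-Type 13 = VLAN
TUNNEL_MEDIUM_802 = "6"       # RFC 2868: Tunnel-Medium-Type 6 = IEEE 802


def strip_tag(value: str) -> str:
    """RADIUS tunnel attributes may carry a 'tag:' prefix (e.g. '1:13').
    Return only the value part; an untagged value is returned unchanged."""
    _tag, sep, rest = value.partition(":")
    return rest if sep else value


def vlan_from_access_accept(attrs: Dict[str, str]) -> Optional[str]:
    """Return the VLAN (ID or name) an Access-Accept asks for, or None when
    the Tunnel attributes are missing or do not describe an 802 VLAN."""
    if strip_tag(attrs.get("Tunnel-Type", "")) != TUNNEL_TYPE_VLAN:
        return None
    if strip_tag(attrs.get("Tunnel-Medium-Type", "")) != TUNNEL_MEDIUM_802:
        return None
    group = strip_tag(attrs.get("Tunnel-Private-Group-ID", ""))
    return group or None


@dataclass
class FlexProfile:
    """VLAN name -> ID mapping of a FlexConnect profile, capped at 16 entries."""
    vlan_map: Dict[str, int] = field(default_factory=dict)

    def add_mapping(self, name: str, vlan_id: int) -> None:
        # Reject the 17th distinct mapping, mirroring what the 9800 GUI refuses.
        if name not in self.vlan_map and len(self.vlan_map) >= MAX_FLEX_VLAN_MAPPINGS:
            raise ValueError(
                f"FlexConnect profile already holds {MAX_FLEX_VLAN_MAPPINGS} VLAN mappings")
        self.vlan_map[name] = vlan_id

    def lookup(self, vlan: str) -> Optional[int]:
        """Accept either a VLAN name or a numeric VLAN ID (as a string)."""
        if vlan.isdigit():
            vid = int(vlan)
            return vid if vid in self.vlan_map.values() else None
        return self.vlan_map.get(vlan)


def resolve_client_vlan(policy_vlan: int, profile: FlexProfile,
                        aaa_override: bool, access_accept: Dict[str, str]) -> int:
    """Observed behaviour, modelled (assumption of this example):
    - no AAA override, or no usable VLAN in the Access-Accept: the policy
      profile VLAN is used even if it is absent from the FlexConnect mapping;
    - AAA override with a VLAN the profile knows: that VLAN is used;
    - AAA override with a VLAN the profile does not know: the client stays on
      the policy profile VLAN, i.e. the 'BLACKHOLE' VLAN in the poster's test."""
    if not aaa_override:
        return policy_vlan
    requested = vlan_from_access_accept(access_accept)
    if requested is None:
        return policy_vlan
    mapped = profile.lookup(requested)
    return mapped if mapped is not None else policy_vlan


if __name__ == "__main__":
    # Constructed sample: 16 mapped VLANs, a blackhole policy VLAN of 999.
    prof = FlexProfile()
    for i in range(MAX_FLEX_VLAN_MAPPINGS):
        prof.add_mapping(f"SEGMENT{i}", 100 + i)
    accept_known = {"Tunnel-Private-Group-ID": "1:105",
                    "Tunnel-Type": "1:13", "Tunnel-Medium-Type": "1:6"}
    accept_unknown = dict(accept_known, **{"Tunnel-Private-Group-ID": "1:500"})
    print("known VLAN  ->", resolve_client_vlan(999, prof, True, accept_known))
    print("unknown VLAN->", resolve_client_vlan(999, prof, True, accept_unknown))
```

Running it on the constructed profile shows the two outcomes from the test: an override to a VLAN that is in the mapping lands the client there, while an override to a VLAN the profile cannot hold (the 17th and beyond) leaves the client on the blackhole VLAN.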
01-22-2024 04:38 PM
Good to know - thanks for the feedback