Locally switched dynamic VLANs on 9130 - 9800-CL 17.07.01

Hi folks,

 

I'm really puzzled.

I followed the many-times-cited guides shown below

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html

https://www3-realm.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/217043-configure-dynamic-vlan-assignment-with-c.pdf

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213921-flexconnect-configuration-with-central-a.pdf

but I cannot get wireless clients dynamically assigned to locally switched VLANs.

 

Debugs on the AP (debug flexconnect wlan-vlan, debug flexconnect event, debug flexconnect pmk) show, among many things, the following:

Jan 24 15:45:28 kernel: [*01/24/2022 15:45:28.6321] chatter: pmk_tracker :: PMKTracker: add pmk entry with life_time 1643040928, created_at 1643039128, group_name , vlanOverride 104, aclOverride , IPv6aclOverride , qosOverride 0, acct-session-id 00000000-00000000, auth_server_ip_addr , username
Jan 24 15:45:28 kernel: [*01/24/2022 15:45:28.6476] chatter: Client with mac B8:27:EB:35:BB:6A centrally switched

 

 

So the AP gets the right VLAN 104 set up for the client on the RADIUS (FreeRADIUS), the default VLAN configured on the policy is 103, but then the client is centrally switched, why??

 

Central switch is disabled

Central authentication is ENABLED

Central DHCP is disabled

Flex NAT/PAT is disabled

 

AAA override is ENABLED.

VLANs 103 and 104 are defined on the FlexProfile (vlan-name and vlan-id are the same, namely the strings "103" and "104")

 

AP#show flexconnect vlan-name
vlan-name vlan-id
      103     103
      104     104

The same VLANs are configured on the controller; I have even configured the SVI with an IP within the subnet handled by the external DHCP server.

 

QUESTIONS:

- do you know what I should see in the AP's debugs when the client is locally switched?

- how to configure local switch with central switch fallback beyond the 16 VLAN limit (*)

 

(*) still I don't understand this limit, maybe it comes from the old days where there was one VLAN per SSID and the SSIDs were limited to 16, hence there was no need for more than 16 VLANs, but now with dynamically assigned VLANs such an upper limit should be increased. Other vendors go up to 128, a much more reasonable capacity, IMO.

 

TIA,

 

Gio


Scott Fella
Hall of Fame

How I have tested this in the past, because you are using a vlan in both the local site and the remote site.  Create a new vlan if possible that is only on the remote site (local switching) and then test.  See if the client gets placed on the vlan or not.  

You can also look at the client detail on the 9800 and see what VLAN the client is placed on. That will confirm that the RADIUS sent the VLAN info, and as long as you have AAA override defined on the tag, that VLAN should show up in the client details. You should also see that DHCP is being offered from your DHCP server.

-Scott
*** Please rate helpful posts ***

I started that way at the beginning, meaning by defining in the avpair a VLAN that was not present on the controller.

Let me do it again just to be sure.

 

Gio

You should not see centrally switched if your FlexConnect configuration is correct. That means the ap is in FlexConnect mode and trunked and the ssid is configured properly and tagged. 
You are using FreeRADIUS, so not really sure how to troubleshoot that, but hopefully there is a log that shows it is sending the VLAN id.

-Scott
*** Please rate helpful posts ***

Scott Fella
Hall of Fame

Check your Policy Profile like in the screen shot.

-Scott
*** Please rate helpful posts ***

Hi Scott,

 

as I wrote indeed it is enabled.

 

Gio

 

 

Indeed my case was sort of different compared to the documents I read.
So far I have discovered that to have AAA override work the VLAN id that the controller receives from the RADIUS and that passes onto the AP must be present in the FlexConnect's VLAN list.

Other vendors don't force AP to know the VLANs passed by the RADIUS upfront. Is that normal?

TIA, Gio
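The two AP debug lines in the original post and the finding above (the RADIUS-supplied VLAN has to be present in the AP's FlexConnect VLAN list) can be checked mechanically. The script below is an added example, not Cisco tooling and not code from anyone in the thread: it parses `show flexconnect vlan-name` output and the `pmk_tracker` / "centrally switched" debug lines, and for every client the AP centrally switched it reports whether the override VLAN was even known to the AP. The sample input is constructed: the two lines from the post plus a hypothetical second client whose override VLAN (105) is not in the AP's list. The pairing rule (a PMKTracker entry is followed by the switching decision for the same client) is an assumption, not something the page states.

```python
import re

# Regexes for the three line types this check understands.
PMK_RE = re.compile(
    r"pmk_tracker :: PMKTracker: add pmk entry .*?vlanOverride (\d*)")
CENTRAL_RE = re.compile(
    r"Client with mac ([0-9A-Fa-f:]{17}) centrally switched")
VLAN_ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s*$")

# Constructed sample: the 'show flexconnect vlan-name' table from the post.
SAMPLE_VLAN_TABLE = """\
vlan-name vlan-id
      103     103
      104     104
"""

# Constructed sample: the two debug lines quoted in the post, followed by a
# hypothetical client whose override VLAN 105 is not defined on the AP.
SAMPLE_DEBUG = """\
Jan 24 15:45:28 kernel: [*01/24/2022 15:45:28.6321] chatter: pmk_tracker :: PMKTracker: add pmk entry with life_time 1643040928, created_at 1643039128, group_name , vlanOverride 104, aclOverride , IPv6aclOverride , qosOverride 0, acct-session-id 00000000-00000000, auth_server_ip_addr , username
Jan 24 15:45:28 kernel: [*01/24/2022 15:45:28.6476] chatter: Client with mac B8:27:EB:35:BB:6A centrally switched
Jan 24 15:47:02 kernel: [*01/24/2022 15:47:02.1001] chatter: pmk_tracker :: PMKTracker: add pmk entry with life_time 1643041022, created_at 1643039222, group_name , vlanOverride 105, aclOverride , IPv6aclOverride , qosOverride 0, acct-session-id 00000000-00000000, auth_server_ip_addr , username
Jan 24 15:47:02 kernel: [*01/24/2022 15:47:02.1120] chatter: Client with mac 00:11:22:33:44:55 centrally switched
"""


def parse_vlan_name_table(text):
    """Return {vlan_id: vlan_name} from 'show flexconnect vlan-name' output."""
    vlans = {}
    for line in text.splitlines():
        m = VLAN_ROW_RE.match(line)
        if m and m.group(1) != "vlan-name":  # header row never matches, guard anyway
            vlans[int(m.group(2))] = m.group(1)
    return vlans


def analyse_ap_debug(debug_text, ap_vlans):
    """Pair each PMKTracker vlanOverride with the next 'centrally switched'
    decision (assumption: the AP logs them in that order for one client) and
    explain why central switching was the likely outcome."""
    findings = []
    pending_override = None
    for line in debug_text.splitlines():
        m = PMK_RE.search(line)
        if m:
            # An empty vlanOverride means RADIUS sent no VLAN for this client.
            pending_override = int(m.group(1)) if m.group(1) else None
            continue
        m = CENTRAL_RE.search(line)
        if not m:
            continue
        mac = m.group(1).upper()
        on_ap = pending_override in ap_vlans
        if pending_override is None:
            reason = ("no vlanOverride in the PMK entry: RADIUS sent no VLAN "
                      "or AAA override is not applied")
        elif not on_ap:
            reason = (f"override VLAN {pending_override} is not in the AP's "
                      "FlexConnect VLAN list, so the AP cannot bridge it locally")
        else:
            reason = (f"override VLAN {pending_override} is defined on the AP; "
                      "check the policy profile (central switching / AAA override)")
        findings.append({"mac": mac, "vlan_override": pending_override,
                         "vlan_on_ap": on_ap, "reason": reason})
        pending_override = None
    return findings


if __name__ == "__main__":
    table = parse_vlan_name_table(SAMPLE_VLAN_TABLE)
    for f in analyse_ap_debug(SAMPLE_DEBUG, table):
        print(f"{f['mac']}: override={f['vlan_override']} "
              f"on_ap={f['vlan_on_ap']} -> {f['reason']}")
```

Run against real output by pasting the AP's `show flexconnect vlan-name` and the debug capture into the two sample strings; clients flagged `vlan_on_ap=False` need the VLAN added to the Flex profile, while those flagged `True` point back at the policy profile settings Scott asked about.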

Never compare other vendors, that will get you in trouble and you will be pulling out your hair. On Cisco wireless, yes you need to have the vlans defined on the AP so that it can bridge that traffic correctly. This is a standard configuration from the AireOS controllers 10+ years ago. 

-Scott
*** Please rate helpful posts ***

Thanks Scott for confirming that.
It's my first time with such a topic (btw I modified the subject of this thread) and I wanted to stick to IOS-XE docs.
As I'm in a pre-sales evaluation, I will now try to delegate even more tasks to the AP.

I guess this thread can be stopped here but I hope you can help me for the last question about the scenario where the AP authenticates clients directly to the RADIUS.

In such a case, can we have overlapping clients' IP addresses (say 192.168.43.68/26 and 192.168.43.68/23) on two different dynamic VLANs managed by one single AP? Such VLANs belong to two completely separate systems and they will never ever talk to one another.

In such a case, is there any restriction imposed by the controller? For instance to prevent IP theft or similar security features.

 

Thanks,

 

Gio
