
Same SSID both on Local and FlexConnect sites

Florin Barhala
Level 6

Hi guys,

I need to deploy identical SSID name and Security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs.

First question would be: if I enable FlexConnect Local Switching on an "in production" SSID used on Local-mode APs would this generate any issues?

 

Based on the answer received, what are your recommendations to accommodate this request: deploy identical SSID name and Security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs.

Accepted Solutions

jordanburnett
Level 4

First question would be: if I enable FlexConnect Local Switching on an "in production" SSID used on Local-mode APs would this generate any issues?

No. It may make the SSID unavailable for a few seconds but will not cause any issues. 

Based on the answer received, what are your recommendations to accommodate this request: deploy identical SSID name and Security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs.

The only thing you should have to do is enable Flexconnect local switching on the WLAN and enable the Flexconnect APs for local switching as well. There is no need for a second WLAN. 

Enabling local switching on a WLAN does not affect APs that are in local mode--it only allows the SSID to be locally switched by the APs that are configured for it. 

You will need to go to either the flexconnect group or the AP itself and enable VLAN support. This allows the AP to perform VLAN tagging on its local interface so that the traffic can be switched locally (i.e. not tunneled back to the controller as in local mode). 

13 Replies

sreejith_r
Level 1

If you change any settings on the SSID there will be a disconnection on the SSID for 5 seconds.

There are no issues with using the same SSID name and authentication settings for both AP modes.

 

 

Unfortunately, it turned out things run differently: two SSIDs with the same name, same Security methods, but DIFFERENT wlan profile won't work. When creating the 2nd SSID I receive the error of having "two SSIDs with same Wlan_name and same Security methods".

Any thoughts?

When creating a WLAN with the same SSID, follow these guidelines and requirements:

You must create a unique profile name for each WLAN.

When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.

WLANs with the same SSID must have unique Layer 2 security policies so that clients can make a WLAN selection based on information advertised in beacon and probe responses. The available Layer 2 security policies are as follows:

None (open WLAN)

Static WEP or 802.1X
Note: Because static WEP and 802.1X are both advertised by the same bit in beacon and probe responses, they cannot be differentiated by clients. Therefore, they cannot both be used by multiple WLANs with the same SSID.

CKIP

WPA/WPA2
Note: Although WPA and WPA2 cannot be used by multiple WLANs with the same SSID, you can configure two WLANs with the same SSID with WPA/TKIP with PSK and WPA (Wi-Fi Protected Access) /TKIP (Temporal Key Integrity Protocol) with 802.1X, respectively, or with WPA/TKIP with 802.1X or WPA/AES with 802.1X, respectively.
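
The same-SSID guidelines quoted above, expressed as a check over a list of WLAN definitions. This is an added example, not part of the original post or of Cisco's documentation; the record fields and sample WLANs are constructed, and treating cipher plus key management as the attributes that separate two WPA/WPA2 WLANs is an interpretation of the quoted note.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample data; field names are hypothetical, not a WLC export format.
SAMPLE_WLANS = [
    {"profile": "corp-local", "ssid": "CORP", "l2": "wpa2", "cipher": "aes", "akm": "802.1x"},
    {"profile": "corp-flex", "ssid": "CORP", "l2": "wpa2", "cipher": "aes", "akm": "802.1x"},
    {"profile": "lab-psk", "ssid": "LAB", "l2": "wpa", "cipher": "tkip", "akm": "psk"},
    {"profile": "lab-dot1x", "ssid": "LAB", "l2": "wpa", "cipher": "tkip", "akm": "802.1x"},
    {"profile": "legacy-wep", "ssid": "OLD", "l2": "static-wep"},
    {"profile": "legacy-dot1x", "ssid": "OLD", "l2": "802.1x"},
]

def l2_signature(wlan):
    """Reduce a WLAN to what a client can distinguish in beacons and probe responses."""
    sec = wlan["l2"]
    if sec == "none":
        return ("open",)
    if sec in ("static-wep", "802.1x"):
        # Both are advertised by the same bit, so they collapse into one class.
        return ("privacy-bit",)
    if sec == "ckip":
        return ("ckip",)
    if sec in ("wpa", "wpa2"):
        # Assumption: WPA vs WPA2 alone does not separate two WLANs;
        # a different cipher or key management (PSK vs 802.1X) does.
        return ("wpa", wlan["cipher"], wlan["akm"])
    raise ValueError(f"unknown Layer 2 policy: {sec!r}")

def check_wlans(wlans):
    """Return findings for duplicate profile names and same-SSID Layer 2 clashes."""
    findings = []
    by_profile, by_ssid = defaultdict(list), defaultdict(list)
    for w in wlans:
        by_profile[w["profile"]].append(w)
        by_ssid[w["ssid"]].append(w)
    for profile, group in by_profile.items():
        if len(group) > 1:
            findings.append(("duplicate-profile", profile))
    for ssid, group in by_ssid.items():
        for a, b in combinations(group, 2):
            if l2_signature(a) == l2_signature(b):
                findings.append(("same-ssid-same-l2", ssid, a["profile"], b["profile"]))
    return findings

if __name__ == "__main__":
    for finding in check_wlans(SAMPLE_WLANS):
        print(finding)
```

The CORP pair is the situation described earlier in the thread: a second WLAN with the same SSID and the same 802.1X-based security is flagged, while the LAB pair passes because PSK and 802.1X key management differ.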

Hi mate,

Thanks for the input, still I need to deploy identical SSID name and Security mechanism (802.1x with PEAP) on both Local-mode and FlexConnect APs. This comes as a natural request: there is one WLC that controls both local and remote APs and we need a global SSID on all locations.

Is there any way I can achieve this?

Hi, sorry for hijacking this thread but if I understand you correctly... can I achieve the following?

Same SSID used at HQ & all branch sites

APs at HQ are in local mode

APs on branches are in FlexConnect mode

SSID is configured to allow Flex Connect Local Switching

Layer 2 auth on SSID is WPA2-AES with EAP-TLS.

Can I do the above?

thanks

Mario

If you are using PSK it might work; if you switch to 802.1x auth it cannot be achieved.

Hi there,

Is it possible to briefly explain how I would achieve same SSID name and auth settings for both AP modes?

Could I create a new WLAN with the same SSID and authentication settings but then just enable FlexConnect local switching?

That way I should be able to apply authZ policies in ISE based on the WLAN ID, no?

Any help is appreciated.

Mario

gdamron
Level 1

I was able to make this work in a lab environment. I used the same WLAN for local and FlexConnect.

 

- In the WLAN I checked "FlexConnect Local Switching"

- I used two different AP Groups under the WLAN tab for local and flex. I'm not sure this is need...

- I changed the AP Mode of the APs that I want to be FlexConnect and left the others on local.

- Then added the Flex APs to a FlexConnect Group and did the WLAN VLAN mapping there.

 

The local and Flex APs are working as they should and they are using the proper auth. 

I hope to roll this out on our current network, does anyone see a problem with this?

Did this end up working? I need to set up this identical situation.  Thanks

This would work just fine.  By enabling Flexconnect Local Switching on the WLAN you're not saying everything on the WLAN is in Flexconnect mode.  You're just saying that APs in Flexconnect mode will treat this as a locally switched WLAN instead of passing the traffic back over the tunnel to the controller.

My big obstacle is/was DHCP for each site. I think I have overcome it, although I have not had a chance to move an AP to a remote site to test. Between your design and this doc, I'm hoping it's solved.

https://supportforums.cisco.com/document/98646/wireless-lan-flexconnect-configuration-example

Thanks

Easiest option for DHCP is probably going to be to just have an IP helper address on the VLANs that the APs are using in FlexConnect mode.  They'll get IP addresses appropriate to their site then.
