If you ever wonder how to configure the “vlan select” or “interface group” feature in a Converged Access (3850/3650/5760) setup, here is how you do it. (I am using IOS-XE 3.6E for this post.) This feature is known as “Vlan Group” in IOS based controllers (in the GUI of these controllers you still see it as interface group for familiarity). Here is my topology for the post.

In my topology the 5760 is acting as MC & the 3850 stacks are acting as MA. In this post I have configured “vlan group” on the 3850-2 MA. Let’s say you have four different subnets to be assigned to a single WLAN.

Vlan 1360 - x.x.110.0/24
Vlan 1361 - x.x.16.0/23
Vlan 1362 - x.x.228.0/23
Vlan 1363 - x.x.241.0/24

This post assumes you are doing this on a Layer 2 Access topology (not Routed - L3 Access) where all your vlan SVIs are defined on your distribution layer. In my case all SVIs are defined on the DR01 switch. So on my 3850-2 there are only two SVIs, one for Switch Management (vlan 1600) & the other for Wireless Management (vlan 1610).

3850-2#sh ip int bri | ex un
Interface              IP-Address      OK? Method Status                Protocol
Vlan1600               x.160.x.22    YES NVRAM  up                    up      
Vlan1610               x.161.x.22    YES NVRAM  up                    up

Since you do not have L3 interfaces for the user vlans (1360-1363) on your 3850 switches, you have to enable DHCP snooping for vlans 1360-1363 in order for wireless clients to get an IP from a DHCP server. Refer to the Understanding DHCP Snooping post for more detail about this feature. You also have to trust your uplink ports towards your DHCP server (G1/0/48 in this example).

ip dhcp snooping
ip dhcp snooping vlan 1360-1363
no ip dhcp snooping information option
ip dhcp snooping wireless bootp-broadcast enable
int g1/0/48
 ip dhcp snooping trust

“Vlan Group” configuration is very straightforward in CLI (one CLI entry). In Converged Access, wireless users' CAPWAP traffic terminates at your access layer, so your access layer switch should have those user vlans defined like any other wired vlans. Unless you have Routed-Access, all your vlan SVIs are defined on the distribution switch where these access switches are connected.

Now we have to create a “Vlan Group” (let’s say STUDENT-INTGRP) & map vlans 1360-1363 to this group. Later on we will add this interface group to the WLAN.

3850-2(config)#vlan ?
  WORD           ISL VLAN IDs 1-4094
  access-map     Create vlan access-map or enter vlan access-map command mode
  configuration  vlan feature configuration mode
  dot1q          dot1q parameters
  filter         Apply a VLAN Map
  group          Create a vlan group
  internal       internal VLAN

3850-2(config)#vlan group ?
  WORD  Group name starts with alphabet

3850-2(config)#vlan group STUDENT-INTGRP ?
  vlan-list  List of vlans in this group

3850-2(config)#vlan group STUDENT-INTGRP vlan-list ?
  <1-4094>  VLAN id

3850-2(config)#vlan group STUDENT-INTGRP vlan-list 1360-1363

Now when you are defining “client vlan x” under the WLAN configuration, you can give the “Vlan Group” name instead of a single vlan ID. Here is a sample configuration of an 802.1X SSID where clients are mapped to the defined vlan group (refer to WLAN Config with 3850 for the full configuration including RADIUS). So when connecting to this SSID, users will get an IP from those 4 different subnets in vlans 1360-1363. Remember that you have to configure this under AP-Group -> WLAN if you are using any AP-Groups.

wlan DATA 22 DATA
 accounting-list TEST-RAD
 client vlan STUDENT-INTGRP
 ip dhcp required
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
 security dot1x authentication-list TEST-RAD
 service-policy input platinum-up
 service-policy output platinum
 wmm require
 no shutdown
ap group TEST-APG 
 wlan DATA
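
The dependency between the three pieces of configuration above (vlan group, DHCP snooping, WLAN) can be checked offline against a saved config. This is an added example, not part of the original post and not Cisco tooling; `audit`, `expand_vlans` and `SAMPLE_CONFIG` are names chosen here, and the config text is assumed to be in running-config form.

```python
import re

# Constructed sample: the configuration lines from this post, in running-config form.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1360-1363
ip dhcp snooping wireless bootp-broadcast enable
vlan group STUDENT-INTGRP vlan-list 1360-1363
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
wlan DATA 22 DATA
 client vlan STUDENT-INTGRP
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '1360-1362,1400' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    groups, snooped = {}, set()
    for m in re.finditer(r"^vlan group (\S+) vlan-list (\S+)", config, re.M):
        groups.setdefault(m.group(1), set()).update(expand_vlans(m.group(2)))
    for m in re.finditer(r"^ip dhcp snooping vlan (\S+)", config, re.M):
        snooped |= expand_vlans(m.group(1))
    if not re.search(r"^ip dhcp snooping\s*$", config, re.M):
        findings.append("DHCP snooping is not enabled globally")
    if not re.search(r"^ ip dhcp snooping trust\s*$", config, re.M):
        findings.append("no interface is trusted for DHCP snooping")
    # A WLAN section is the 'wlan' line plus the indented lines that follow it.
    for m in re.finditer(r"^wlan (\S+) .*\n((?: .*\n?)*)", config, re.M):
        cv = re.search(r"^ client vlan (\S+)", m.group(2), re.M)
        if not cv or cv.group(1).isdigit():
            continue  # no client vlan line, or a single numeric VLAN ID
        name = cv.group(1)  # assumption: a non-numeric value is a vlan group name
        if name not in groups:
            findings.append(f"wlan {m.group(1)}: vlan group {name} is not defined")
            continue
        missing = sorted(groups[name] - snooped)
        if missing:
            findings.append(f"wlan {m.group(1)}: VLANs {missing} lack DHCP snooping")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns an empty list; narrowing the snooping range or removing the trust line produces a finding that names the gap.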

You can use the “show ap groups” command to verify that the correct interface group/vlan group is mapped to your WLAN.

3850-2#show ap groups  
Site Name: TEST-APG
Site Description: 

WLAN ID   WLAN Name                        Interface
22        DATA                     STUDENT-INTGRP 

AP Name                         Ethernet MAC      Location
3702-1                           b838.617f.eb88 default locatio

Now you can test this by connecting multiple clients to see whether they are getting IPs from different subnets. You can use the “show wireless client summary” & “show wcdb database all” commands to verify that your clients connecting to WLAN ID 22 are getting IP addresses from different subnets across vlans 1360-1363.

3850-2#show wcdb database all | in 136
c8e0.ebdd.63bd   1362 x.x.229.18  0x00C6ED40000001C2 RUN      LOCAL   
c4d9.8767.90e9   1361 x.x.17.232  0x00C6ED40000001C2 RUN      LOCAL   
cc08.e0cf.499f   1362 x.x.229.14  0x00C6ED40000001C2 RUN      LOCAL   
74e2.f558.5a82   1360 x.x.156.63  0x00C6ED40000001C2 RUN      LOCAL 
78a3.e493.bc5f   1363 x.x.241.114 0x00C6ED40000001C2 RUN      LOCAL   
3850-2#show wireless client summary | in 5a82|63bd|499f|90e9|bcbf
74e2.f558.5a82 3702-1                           22   UP                 11n(2.4) 
c4d9.8767.90e9 3702-1                           22   UP                 11n(2.4) 
cc08.e0cf.499f 3702-1                           22   UP                 11n(2.4) 
c8e0.ebdd.63bd 3702-1                           22   AUTHENTICATING     11g  
78a3.e493.bc5f 3702-1                           22   UP                 11n(2.4)

If you want to do this via the GUI, you can do the same. Here are the steps to do this (I would not think anyone likes to define L2 switch configs via GUI 😯 but the option is there for anyone willing to go down that path as well). You have to go to the “Controller -> Configuration -> VLAN” section, add your required vlans to the switch & then group them.

Then you can go to the “Wireless -> WLAN -> Select Your WLAN -> General -> Interface/Interface Group” field to bind the vlan group to the WLAN.


IOS XE Release 3E – VLAN Configuration Guide
