In this post, let’s look at basic FlexConnect configuration on the Cisco 9800. If you are familiar with the Cisco 9800 configuration model (Policy, Site & RF tags), you need a Flex Profile under the Site Tag for FlexConnect-specific configuration. Here is my basic test topology, where AP2 is deployed in FlexConnect mode and AP4 in local mode, with two WLANs (MRNX – Local Switch, QoS_PSK – Central Switch).

In 9800, Policy, Site & RF tags determine all the configuration the WLC pushes down to the AP. In a local mode deployment, all your WiFi traffic (Ctrl + Data) goes to the WLC via the CAPWAP tunnel. I have defined two policy profiles (MRNH-Central & MRNH-Flex) that map to VLAN 99 & VLAN 129 respectively. Please note VLAN 129 is only available on H-SW1 (remote site), not on the DC-SW.
For a FlexConnect deployment, you need to define a Flex Profile, which is where you typically configure all FlexConnect-related settings. In my example, I have simply configured the “MRNH-Flex” Flex Profile with native VLAN 130 (for AP management) and two other VLANs (129-DATA & 131-VOIP) for wireless users. Note that all these VLANs are only available on SW1 in the remote site. Here is the Flex Profile config in the GUI (Configurations > Tags & Profile > Flex).


If you would like to do it in the CLI, here are the equivalent commands (the SW1 VLAN numbers/names are used even though these VLANs are not available on the 9800 WLC).
wireless profile flex MRNH-Flex
 native-vlan-id 130
 vlan-name DATA
  vlan-id 129
 vlan-name VOIP
  vlan-id 131
!
C9800-1#sh vlan brief
VLAN Name                             Status
---- -------------------------------- -------
1    default                          active
97   WiFi_V97                         active
98   Rockstar_WiFi                    active
99   VL99                             active
100  MGMT                             active
SW1#sh vlan brief
VLAN Name                             Status
---- -------------------------------- ---------
1    default                          active
129  DATA                             active
130  MGMT                             active
131  VOIP                             active
You have to configure a Policy Profile and a WLAN Profile, which are mapped together in the “Policy Tag”. In my case, I have defined the “MRNH-Central” Policy Profile, where VLAN 99 is assigned. Note that by default, Central Switching, Central Auth & Central DHCP are all enabled on your policy profile. This VLAN is available on the 9800 and trunked to DC-SW, so clients on any WLAN that maps to the “MRNH-Central” policy get their IP from it. I have enabled DHCP & AAA-Override for this policy under the Advanced tab (not shown in the screenshot).

Here are equivalent CLI commands.
wireless profile policy MRNH-Central
 aaa-override
 ipv4 dhcp required
 vlan VL99
 no shutdown
I have configured the “MRNH-Flex” policy profile, which maps to VLAN 129 (a VLAN that is only available on the remote site switch, SW1). It is a good idea to use unique names, even though I have used the same name for the Policy Profile & Flex Profile. In that policy profile, “Central Switching” & “Central DHCP” are disabled, as I need the traffic to be locally switched when I assign that policy profile. Only “Central Authentication” is enabled.

Here are the CLI commands for configuring the “MRNH-Flex” policy profile.
wireless profile policy MRNH-Flex
 no central association
 no central dhcp
 no central switching
 ipv4 dhcp required
 ipv4 dhcp server 192.168.129.1
 vlan 129
 no shutdown
Now if you want all your traffic to be switched centrally (local mode deployment), you can define a “Policy Tag” that maps all your WLAN profiles to the “MRNH-Central” policy. In the GUI: Configurations > Tags & Profiles > Tags > Policy.

For a local mode deployment, you need a Site Tag that does not have any Flex Profile associated with it. By default, “Enable Local Site” is enabled when you configure a site tag, and in that state the Flex Profile config option is not shown.

Here are equivalent CLI commands.
wireless tag policy pt1-mrn-lab
 wlan MRNX policy MRNH-Central
 wlan PSK_Profile policy MRNH-Central
!
wireless tag site st1-mrn-au
 ap-profile apj1-au
If you want all your SSID traffic to be locally switched, you can use the previously defined “MRNH-Flex” Policy Profile when you configure the Policy Tag, as shown below. In the GUI: Configurations > Tags & Profiles > Tags > Policy.

Under the Site Tag configuration, you have to attach a Flex Profile in order for the AP to get the FlexConnect-specific configuration. Once you uncheck “Enable Local Site”, you will get the option to map a “Flex Profile” in the GUI.

Here are equivalent CLI commands
wireless tag policy pt2-mrn-flex
 wlan MRNX policy MRNH-Flex
 wlan PSK_Profile policy MRNH-Flex
!
wireless tag site st3-mrn-flex
 ap-profile apj1-au
 flex-profile MRNH-Flex
 no local-site
In a FlexConnect deployment, if you want one SSID to be centrally switched and the other locally switched, you can simply assign those two different policy profiles under the Policy Tag. In my case, the QoS_PSK SSID will be centrally switched, whereas the MRNX SSID will be locally switched. The Policy Tag (pt3-mrn-mixed) configuration should be as shown below.

Here is the switch port (SW1) where the remote site AP is connected. You have to configure it as a trunk port and allow all the VLANs you require for wireless.
SW1# interface GigabitEthernet1/0/10
 description C9130
 switchport trunk allowed vlan 129-131
 switchport trunk native vlan 130
 switchport mode trunk
 spanning-tree portfast edge
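An added example (not part of the original post): a small Python check that compares the Flex Profile and the locally switched policy profile against the SW1 trunk port. It flags a native VLAN mismatch, VLANs FlexConnect needs that the trunk does not allow, and VLANs the trunk allows that wireless never uses. The function names and the trimmed sample config are assumptions made for illustration.

```python
import re

# Sample input: this page's configuration, trimmed to the lines the check reads.
WLC_CONFIG = """\
wireless profile flex MRNH-Flex
 native-vlan-id 130
 vlan-name DATA
  vlan-id 129
 vlan-name VOIP
  vlan-id 131
wireless profile policy MRNH-Central
 vlan VL99
wireless profile policy MRNH-Flex
 no central switching
 vlan 129
"""
SWITCH_CONFIG = """\
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 129-131
 switchport trunk native vlan 130
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '129-131,140' into a set of ints."""
    ranges = (p.partition("-") for p in spec.split(","))
    return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}

def sections(config, header):
    """Yield (name, body) for each top-level block that starts with `header`."""
    for m in re.finditer(rf"^{header} (\S+)\n((?: .*\n)*)", config, re.M):
        yield m.group(1), m.group(2)

def audit(wlc, switch):
    """Return findings comparing the WLC FlexConnect VLANs with the AP trunk."""
    allowed = expand_vlans(re.search(r"trunk allowed vlan (\S+)", switch).group(1))
    trunk_native = int(re.search(r"trunk native vlan (\d+)", switch).group(1))
    findings, needed = [], {trunk_native}
    for name, body in sections(wlc, "wireless profile flex"):
        native = int(re.search(r"native-vlan-id (\d+)", body).group(1))
        if native != trunk_native:
            findings.append(f"flex {name}: native VLAN {native} != trunk native {trunk_native}")
        needed |= {int(v) for v in re.findall(r"vlan-id (\d+)", body)} | {native}
    for _, body in sections(wlc, "wireless profile policy"):
        if "no central switching" in body:  # locally switched: VLAN must exist at the AP
            needed |= {int(v) for v in re.findall(r"^ vlan (\d+)$", body, re.M)}
    findings += [f"VLAN {v} needed by FlexConnect but not allowed on trunk" for v in sorted(needed - allowed)]
    findings += [f"VLAN {v} allowed on trunk but unused by wireless" for v in sorted(allowed - needed)]
    return findings
```

With the configuration from this post, `audit(WLC_CONFIG, SWITCH_CONFIG)` returns an empty list; widening the trunk or changing its native VLAN produces one finding per discrepancy.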
I have already configured an RF_Tag (rft1-MRNL) that associates “MRNL-5GHz” & “MRNL-2.4GHz” RF Profiles as shown below.
ap dot11 5ghz rf-profile MRNL-5GHz
 channel chan-width 40
 rate RATE_12M disable
 rate RATE_18M disable
 rate RATE_24M mandatory
 rate RATE_6M disable
 rate RATE_9M disable
 tx-power max 17
 tx-power min 8
 no shutdown
!
ap dot11 24ghz rf-profile MRNL-2.4GHz
 rate RATE_11M disable
 rate RATE_12M mandatory
 rate RATE_1M disable
 rate RATE_24M mandatory
 rate RATE_2M disable
 rate RATE_5_5M disable
 rate RATE_6M disable
 rate RATE_9M disable
 tx-power max 11
 tx-power min 3
 no shutdown
!
wireless tag rf rft1-MRNL
 24ghz-rf-policy MRNL-2.4GHz
 5ghz-rf-policy MRNL-5GHz
 description "MRNL RF Tag"
Once you have all the tags, you can assign them to the AP (Configurations > Access Points > AP2-C9130 > ) in the GUI as shown below. Though static assignment does not scale well, it is convenient in lab environments.

Here are the CLI commands to achieve the same. Note that the AP Ethernet MAC address is used there. The “show ap tag summary” CLI command can be used to verify.
ap a4b2.3906.0d5c
 policy-tag pt3-mrn-mixed
 rf-tag rft1-MRNL
 site-tag st3-mrn-flex
!
C9800-1#show ap tag summary
Number of APs: 1
AP Name     AP Mac           Site Tag Name   Policy Tag Name   RF Tag Name   Misconfigured   Tag Source
-----------------------------------------------------------------------------------------------------------
AP2-C9130   a4b2.3906.0d5c   st3-mrn-flex    pt3-mrn-mixed     rft1-MRNL     No              Static
Once the above configuration is done, it is ready for testing clients on those two SSIDs. Here is the output when a client connects to the QoS_PSK SSID: traffic is centrally switched & the client gets its IP from VLAN 99.
C9800-1#sh wireless client summary
Number of Clients: 1
MAC Address      AP Name     Type   ID    State   Protocol   Method   Role
------------------------------------------------------------------------------------------------
e20f.e9f0.d008   AP2-C9130   WLAN   101   Run     11ax(5)    None     Local
C9800-1#sh wireless client mac-address e20f.e9f0.d008 detail | in Profile|SSID|AP|Client
Client MAC Address : e20f.e9f0.d008
Client MAC Type : Locally Administered Address
Client DUID: NA
Client IPv4 Address : 192.168.99.151
Client IPv6 Addresses : fe80::e00f:e9ff:fef0:d008
Client Username: N/A
AP MAC Address : 2c57.4153.9be0
AP Name: AP2-C9130
AP slot : 1
Client State : Associated
Policy Profile : MRNH-Central
Flex Profile : N/A
WLAN Profile Name: PSK_Profile
Wireless LAN Network Name (SSID): QoS_PSK
BSSID : 2c57.4153.9bee
Client IIF-ID : 0xa0000003
U-APSD Support : Disabled
Client Active State : Active
Client Join Time:
  Join Time Of Client : 01/14/2023 10:40:42 ADT
Client State Servers : None
Client ACLs : None
Client Entry Create Time : 53 seconds
EAP Type : Not Applicable
Client Capabilities
Client Statistics:
  Number of Bytes Received from Client : 8599
  Number of Bytes Sent to Client : 7108
  Number of Packets Received from Client : 58
  Number of Packets Sent to Client : 38
Here are the Local switch SSID client connection details. You can see the client got IP from VL129 which is only available in remote sites.
C9800-1#sh wireless client summary
Number of Clients: 2
MAC Address      AP Name     Type   ID    State   Protocol   Method   Role
---------------------------------------------------------------------------------------------
e20f.e9f0.d008   AP2-C9130   WLAN   101   Run     11ax(5)    None     Local
f8e4.e372.6cda   AP2-C9130   WLAN   21    Run     11ax(5)    Dot1x    Local
C9800-1#sh wireless client mac-address f8e4.e372.6cda detail | in Profile|SSID|AP|Client
Client MAC Address : f8e4.e372.6cda
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 192.168.129.102
Client Username : dmg
AP MAC Address : 2c57.4153.9be0
AP Name: AP2-C9130
AP slot : 1
Client State : Associated
Policy Profile : MRNH-Flex
Flex Profile : MRNH-Flex
WLAN Profile Name: MRNX
Wireless LAN Network Name (SSID): MRNX
BSSID : 2c57.4153.9bef
Client IIF-ID : 0xa0000004
U-APSD Support : Disabled
Client Active State : Active
Client Join Time:
  Join Time Of Client : 01/14/2023 10:45:58 ADT
Client State Servers : None
Client ACLs : None
Client Entry Create Time : 246 seconds
EAP Type : PEAP
Client Capabilities
Client Statistics:
  Number of Bytes Received from Client : 1600608
  Number of Bytes Sent to Client : 3491477
  Number of Packets Received from Client : 4010
  Number of Packets Sent to Client : 4641
Since locally switched traffic does not come to the WLC, you have to go to the AP for any data plane troubleshooting. From the AP CLI, you can issue commands to get the output you need. Below are a few CLI commands that may be useful.
AP2-C9130#show flexconnect
  calea       Calea Information
  cckm        CCKM Cache Entry Information
  client      Client Information
  dhcp        DHCP Information
  dot11r      802.11r Cache Entry Information
  ewc-ap      EWC AP Configuration
  mcast       Multicast Information
  oeap        Flexconnect OEAP Information
  pmk         OKC/PMK Cache Entry Information
  status      Standalone status
  url-acl     URL for DNS ACL
  vlan-acl    VLAN ACL mapping
  vlan-name   Vlan name ID mapping
  wlan        WLAN Configuration
AP2-C9130#show flexconnect wlan | in UP
Flexconnect WLANs:
Radio   Vap   SSID      State   Auth      Assoc   Switching
1       0     MRNX      UP      Central   Local   Local
1       1     QoS_PSK   UP      Central   Local   Central
AP2-C9130#sh flexconnect client
Flexconnect Clients:
mac                 radio   vap   aid   state   encr         aaa-vlan   aaa-acl   aaa-ipv6-acl   assoc   auth      switching   key-method   roam      key-progmed   handshake-sent   wgb   SGT
F8:E4:E3:72:6C:DA   1       0     1     FWD     AES_CCM128   none       none      none           Local   Central   Local       Other        regular   No            Yes              No    0
Hope this post gives you an idea of what needs to be configured to get basic FlexConnect working in a Cisco 9800 environment.