
In this post, let’s look at basic FlexConnect configurations on the Cisco 9800. If you are familiar with the Cisco 9800 configuration model (Policy, Site & RF tags), you know that FlexConnect-specific configuration lives in a Flex Profile attached to a Site Tag. Here is my basic test topology, where AP2 is deployed in FlexConnect mode and AP4 in local mode, with two WLANs (MRNX for local switching, QoS-PSK for central switching).

On the 9800, the Policy, Site & RF tags determine every configuration the WLC pushes down to an AP. In a local mode deployment, all WiFi traffic (control + data) goes to the WLC via the CAPWAP tunnel. I have defined two policy profiles (MRNH-Central & MRNH-Flex) that map to VLAN 99 & VLAN 129 respectively. Please note VLAN 129 is only available on H-SW1 (remote site), not on the DC-SW.

For a FlexConnect deployment, you need to define a Flex Profile, which is typically where you configure all FlexConnect-related settings. In my example, I have simply configured the “MRNH-Flex” Flex Profile with native VLAN 130 (for AP management) and two other VLANs (129-DATA & 131-VOIP) for wireless users. Note that all these VLANs are only available on SW1 in the remote site. Here is the Flex Profile config in the GUI (Configurations > Tags & Profile > Flex).

If you prefer to do it in the CLI, here are the equivalent commands (SW1's VLAN numbers/names are used even though these VLANs do not exist on the 9800 WLC):

wireless profile flex MRNH-Flex
 native-vlan-id 130
 vlan-name DATA
  vlan-id 129
 vlan-name VOIP
  vlan-id 131
!
C9800-1#sh vlan brief

VLAN Name                             Status 
---- -------------------------------- -------
1    default                          active 
97   WiFi_V97                         active 
98   Rockstar_WiFi                    active 
99   VL99                             active 
100  MGMT                             active 

SW1#sh vlan brief 

VLAN Name                             Status    
---- -------------------------------- --------- 
1    default                          active    
129  DATA                             active    
130  MGMT                             active    
131  VOIP                             active    

You have to configure a Policy Profile and a WLAN Profile that map to the “Policy Tag”. In my case, I have defined the “MRNH-Central” Policy Profile, where VLAN 99 is assigned. Note that by default Central Switching, Central Auth & Central DHCP are all enabled on a policy profile. VLAN 99 is available on the 9800 and trunked to the DC-SW, so clients get an IP on it for any WLAN that maps to the “MRNH-Central” Policy. I have enabled DHCP & AAA-Override for this policy under the Advanced tab (not shown in the screenshot).

Here are equivalent CLI commands.

wireless profile policy MRNH-Central
 aaa-override
 ipv4 dhcp required
 vlan VL99
 no shutdown

I have configured the “MRNH-Flex” policy profile (it is a good idea to use a unique name, even though I have used the same name for the Policy Profile & Flex Profile) that maps to VLAN 129 (a VLAN only available on the remote site switch, SW1). In that policy profile “Central Switching” & “Central DHCP” have been disabled, as I need the traffic to be locally switched when I assign this policy profile. Only “Central Authentication” remains enabled.

Here are the CLI commands for configuring the MRNH-Flex Policy Profile:

wireless profile policy MRNH-Flex
 no central association
 no central dhcp
 no central switching
 ipv4 dhcp required
 ipv4 dhcp server 192.168.129.1
 vlan 129
 no shutdown

Now, if you want all your traffic to be switched centrally (local mode deployment), you can define a “Policy Tag” that maps all your WLAN profiles to the “MRNH-Central” policy. In the GUI: Configurations > Tags & Profiles > Tags > Policy.

For a local mode deployment, you need a Site Tag that has no Flex Profile associated with it. By default “Enable Local Site” is checked when configuring a site tag, and while it is checked the Flex Profile option is not shown.

Here are equivalent CLI commands.

wireless tag policy pt1-mrn-lab
 wlan MRNX policy MRNH-Central
 wlan PSK_Profile policy MRNH-Central
!
wireless tag site st1-mrn-au
 ap-profile apj1-au

If you want all your SSID traffic to be locally switched, use the previously defined “MRNH-Flex” Policy Profile when you configure the Policy Tag, as shown below. GUI: Configurations > Tags & Profiles > Tags > Policy.

Under the Site Tag configuration, you have to attach a Flex Profile for the AP to receive that FlexConnect-specific configuration. Once you uncheck “Enable Local Site”, the option to map a “Flex Profile” appears in the GUI.

Here are the equivalent CLI commands:

wireless tag policy pt2-mrn-flex
 wlan MRNX policy MRNH-Flex
 wlan PSK_Profile policy MRNH-Flex
!
wireless tag site st3-mrn-flex
 ap-profile apj1-au
 flex-profile MRNH-Flex
 no local-site

In a FlexConnect deployment, if you want one SSID centrally switched and the other locally switched, simply assign those two different policy profiles under the Policy Tag. In my case, the QoS_PSK SSID is centrally switched, whereas the MRNX SSID is locally switched. The Policy Tag (pt3-mrn-mixed) configuration should be as shown below.
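To make the tag model concrete, here is a small resolver, added as an example and not part of the original post, that takes the policy profiles, flex profile, policy tags and site tags transcribed from the CLI above, plus the two "sh vlan brief" tables, and works out for a given (policy tag, site tag) pair how each WLAN is switched and whether its VLAN actually exists where the traffic lands. The pt3-mrn-mixed mapping is taken from the description in the text (MRNX local, PSK_Profile central); the consistency rules it applies are the ones stated in this post, namely that local switching needs a Flex Profile on the site tag and that the VLAN must exist on the WLC for central switching or on SW1 (and be mapped in the Flex Profile) for local switching.

```python
"""Resolve what a Cisco 9800 tag combination pushes to an AP, per WLAN.

Added example, not from the original post. The profiles, tags and VLAN
tables below are transcribed from the post's CLI output; the consistency
rules are the ones the post states: a locally switched policy profile needs
a Flex Profile on the site tag, and the VLAN must exist on the device that
switches the traffic (the WLC for central, the remote switch for local).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PolicyProfile:
    vlan: str                        # VLAN id or VLAN name, as typed in the profile
    central_switching: bool = True   # False == "no central switching"


@dataclass(frozen=True)
class SiteTag:
    flex_profile: Optional[str] = None   # None means "local-site" (local mode AP)


POLICY_PROFILES = {
    "MRNH-Central": PolicyProfile(vlan="VL99"),
    "MRNH-Flex": PolicyProfile(vlan="129", central_switching=False),
}
FLEX_PROFILES = {"MRNH-Flex": {"native": "130", "vlans": {"DATA": "129", "VOIP": "131"}}}
POLICY_TAGS = {
    "pt1-mrn-lab": {"MRNX": "MRNH-Central", "PSK_Profile": "MRNH-Central"},
    "pt2-mrn-flex": {"MRNX": "MRNH-Flex", "PSK_Profile": "MRNH-Flex"},
    # mixed tag as the post describes it: MRNX local, QoS_PSK (PSK_Profile) central
    "pt3-mrn-mixed": {"MRNX": "MRNH-Flex", "PSK_Profile": "MRNH-Central"},
}
SITE_TAGS = {"st1-mrn-au": SiteTag(), "st3-mrn-flex": SiteTag(flex_profile="MRNH-Flex")}
# VLAN name -> id per device, from the two "sh vlan brief" outputs in the post
VLAN_DB = {
    "C9800-1": {"default": "1", "WiFi_V97": "97", "Rockstar_WiFi": "98", "VL99": "99", "MGMT": "100"},
    "SW1": {"default": "1", "DATA": "129", "MGMT": "130", "VOIP": "131"},
}


def vlan_id(ref, device):
    """Map a VLAN reference (numeric id or name) to a VLAN id on the device, or None if absent."""
    table = VLAN_DB[device]
    if ref.isdigit():
        return ref if ref in table.values() else None
    return table.get(ref)


def resolve(policy_tag, site_tag):
    """Return {wlan: {policy, switching, vlan, problems}} for an AP carrying these two tags."""
    site = SITE_TAGS[site_tag]
    result = {}
    for wlan, pp_name in POLICY_TAGS[policy_tag].items():
        pp = POLICY_PROFILES[pp_name]
        problems = []
        if pp.central_switching:
            mode, device = "central", "C9800-1"   # traffic rides CAPWAP to the WLC
            vid = vlan_id(pp.vlan, device)
            if vid is None:
                problems.append(f"VLAN {pp.vlan} not present on {device}")
        else:
            mode, device = "local", "SW1"         # traffic is dropped on the AP's switch port
            if site.flex_profile is None:
                vid = None
                problems.append(f"site tag {site_tag} has no flex profile (local-site), "
                                f"so {pp_name} cannot be locally switched")
            else:
                vid = vlan_id(pp.vlan, device)
                mapped = FLEX_PROFILES[site.flex_profile]["vlans"].values()
                if vid is None:
                    problems.append(f"VLAN {pp.vlan} not present on {device}")
                elif vid not in mapped:
                    problems.append(f"VLAN {vid} not mapped in flex profile {site.flex_profile}")
        result[wlan] = {"policy": pp_name, "switching": mode, "vlan": vid, "problems": problems}
    return result


if __name__ == "__main__":
    pairs = (("pt1-mrn-lab", "st1-mrn-au"), ("pt3-mrn-mixed", "st3-mrn-flex"), ("pt2-mrn-flex", "st1-mrn-au"))
    for pt, st in pairs:
        print(pt, "+", st)
        for wlan, info in resolve(pt, st).items():
            print(f"  {wlan:12} {info['switching']:8} vlan={info['vlan']} {info['problems'] or 'OK'}")
```

Running it shows the three combinations from this post: pt1-mrn-lab with st1-mrn-au resolves both WLANs to central switching on VLAN 99, pt3-mrn-mixed with st3-mrn-flex puts MRNX on VLAN 129 locally and PSK_Profile on VLAN 99 centrally, and the third pair (a local-switching policy tag on a local-site site tag) is reported as a problem, which is the mismatch to look for whenever a client lands in the wrong VLAN.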

Here is the switch port (SW1) where the remote site AP is connected. You have to configure it as a trunk port and allow all the VLANs you require for wireless.

SW1#
interface GigabitEthernet1/0/10
 description C9130
 switchport trunk allowed vlan 129-131
 switchport trunk native vlan 130
 switchport mode trunk
 spanning-tree portfast edge

I have already configured an RF Tag (rft1-MRNL) that associates the “MRNL-5GHz” & “MRNL-2.4GHz” RF Profiles, as shown below.

ap dot11 5ghz rf-profile MRNL-5GHz
 channel chan-width 40
 rate RATE_12M disable
 rate RATE_18M disable
 rate RATE_24M mandatory
 rate RATE_6M disable
 rate RATE_9M disable
 tx-power max 17
 tx-power min 8
 no shutdown
!
ap dot11 24ghz rf-profile MRNL-2.4GHz
 rate RATE_11M disable
 rate RATE_12M mandatory
 rate RATE_1M disable
 rate RATE_24M mandatory
 rate RATE_2M disable
 rate RATE_5_5M disable
 rate RATE_6M disable
 rate RATE_9M disable
 tx-power max 11
 tx-power min 3
 no shutdown
!
wireless tag rf rft1-MRNL
 24ghz-rf-policy MRNL-2.4GHz
 5ghz-rf-policy MRNL-5GHz
 description "MRNL RF Tag"

Once you have all the tags, you can assign them to the AP (Configurations > Access Points > AP2-C9130) in the GUI as shown below. Though static assignment does not scale well, it is convenient in lab environments.

Here are the CLI commands to achieve the same. Note that the AP Ethernet MAC address is used there. The “show ap tag summary” CLI can be used to verify.

ap a4b2.3906.0d5c
 policy-tag pt3-mrn-mixed
 rf-tag rft1-MRNL
 site-tag st3-mrn-flex
!

C9800-1#show ap tag summary 
Number of APs: 1

AP Name         AP Mac      Site Tag Name      Policy Tag Name      RF Tag Name     Misconfigured    Tag Source    
-----------------------------------------------------------------------------------------------------------
AP2-C9130     a4b2.3906.0d5c   st3-mrn-flex     pt3-mrn-mixed        rft1-MRNL           No        Static        

Once you have done the above configuration, you are ready to test clients on those two SSIDs. Here the client connects to the QoS_PSK SSID; traffic is centrally switched and the client gets an IP from VLAN 99.

C9800-1#sh wireless client summary 
Number of Clients: 1

MAC Address    AP Name                Type ID   State             Protocol Method     Role
------------------------------------------------------------------------------------------------
e20f.e9f0.d008 AP2-C9130              WLAN 101  Run               11ax(5)  None       Local      


C9800-1#sh wireless client mac-address e20f.e9f0.d008 detail | in Profile|SSID|AP|Client
Client MAC Address : e20f.e9f0.d008
Client MAC Type : Locally Administered Address
Client DUID: NA
Client IPv4 Address : 192.168.99.151
Client IPv6 Addresses : fe80::e00f:e9ff:fef0:d008
Client Username: N/A
AP MAC Address : 2c57.4153.9be0
AP Name: AP2-C9130
AP slot : 1
Client State : Associated
Policy Profile : MRNH-Central
Flex Profile : N/A
WLAN Profile Name: PSK_Profile
Wireless LAN Network Name (SSID): QoS_PSK
BSSID : 2c57.4153.9bee
Client IIF-ID : 0xa0000003
U-APSD Support : Disabled
Client Active State : Active
Client Join Time:
  Join Time Of Client : 01/14/2023 10:40:42 ADT
Client State Servers : None
Client ACLs : None
Client Entry Create Time : 53 seconds 
EAP Type : Not Applicable
Client Capabilities
Client Statistics:
  Number of Bytes Received from Client : 8599
  Number of Bytes Sent to Client : 7108
  Number of Packets Received from Client : 58
  Number of Packets Sent to Client : 38

Here are the locally switched SSID client connection details. You can see the client got an IP from VLAN 129, which is only available at the remote site.

C9800-1#sh wireless client summary 
Number of Clients: 2

MAC Address    AP Name            Type ID   State             Protocol Method     Role
---------------------------------------------------------------------------------------------
e20f.e9f0.d008 AP2-C9130          WLAN 101  Run               11ax(5)  None       Local             
f8e4.e372.6cda AP2-C9130          WLAN 21   Run               11ax(5)  Dot1x      Local 


C9800-1#sh wireless client mac-address f8e4.e372.6cda detail | in Profile|SSID|AP|Client       
Client MAC Address : f8e4.e372.6cda
Client MAC Type : Universally Administered Address
Client DUID: NA
Client IPv4 Address : 192.168.129.102
Client Username : dmg
AP MAC Address : 2c57.4153.9be0
AP Name: AP2-C9130
AP slot : 1
Client State : Associated
Policy Profile : MRNH-Flex
Flex Profile : MRNH-Flex
WLAN Profile Name: MRNX
Wireless LAN Network Name (SSID): MRNX
BSSID : 2c57.4153.9bef
Client IIF-ID : 0xa0000004
U-APSD Support : Disabled
Client Active State : Active
Client Join Time:
  Join Time Of Client : 01/14/2023 10:45:58 ADT
Client State Servers : None
Client ACLs : None
Client Entry Create Time : 246 seconds 
EAP Type : PEAP
Client Capabilities
Client Statistics:
  Number of Bytes Received from Client : 1600608
  Number of Bytes Sent to Client : 3491477
  Number of Packets Received from Client : 4010
  Number of Packets Sent to Client : 4641
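The two show outputs above are the evidence that the design works; checking them by eye does not scale past a lab. The script below, added as an example and not part of the original post, parses selected lines from the "show ap tag summary" and "show wireless client ... detail" outputs shown above and audits them against the intended design: every AP must carry the expected site/policy/RF tags and not be flagged Misconfigured, a client on a locally switched policy profile must show a Flex Profile (and a centrally switched one must not), and the client's IP must fall in the subnet expected for that profile. The subnets per policy profile (192.168.99.0/24 for VLAN 99, 192.168.129.0/24 for VLAN 129) are an assumption consistent with the addresses in the outputs, not something the post configures.

```python
"""Check 9800 show output against the intended tag and switching design.

Added example, not from the original post. Sample outputs are selected
lines from the post's show commands; EXPECTED_SUBNET is an assumption.
"""
import ipaddress
import re

AP_TAG_SUMMARY = """\
Number of APs: 1

AP Name         AP Mac      Site Tag Name      Policy Tag Name      RF Tag Name     Misconfigured    Tag Source
-----------------------------------------------------------------------------------------------------------
AP2-C9130     a4b2.3906.0d5c   st3-mrn-flex     pt3-mrn-mixed        rft1-MRNL           No        Static
"""
CLIENT_CENTRAL = """\
Client MAC Address : e20f.e9f0.d008
Client IPv4 Address : 192.168.99.151
AP Name: AP2-C9130
Policy Profile : MRNH-Central
Flex Profile : N/A
Wireless LAN Network Name (SSID): QoS_PSK
"""
CLIENT_LOCAL = """\
Client MAC Address : f8e4.e372.6cda
Client IPv4 Address : 192.168.129.102
AP Name: AP2-C9130
Policy Profile : MRNH-Flex
Flex Profile : MRNH-Flex
Wireless LAN Network Name (SSID): MRNX
"""

# Intended design, transcribed from the post's CLI (AP Ethernet MAC -> tags).
INTENDED_AP_TAGS = {
    "a4b2.3906.0d5c": {"site": "st3-mrn-flex", "policy": "pt3-mrn-mixed", "rf": "rft1-MRNL"},
}
# Assumption: each policy profile's VLAN maps to this client subnet.
EXPECTED_SUBNET = {
    "MRNH-Central": ipaddress.ip_network("192.168.99.0/24"),
    "MRNH-Flex": ipaddress.ip_network("192.168.129.0/24"),
}
LOCALLY_SWITCHED = {"MRNH-Flex"}  # policy profiles configured with "no central switching"

AP_TAG_COLUMNS = ("name", "mac", "site", "policy", "rf", "misconfigured", "source")
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")
KV_RE = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")


def parse_ap_tag_summary(text):
    """Return one dict per AP row; the count line, header and dashes are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == len(AP_TAG_COLUMNS) and MAC_RE.fullmatch(fields[1]):
            rows.append(dict(zip(AP_TAG_COLUMNS, fields)))
    return rows


def parse_client_detail(text):
    """Turn the 'Key : Value' lines of the client detail output into a dict."""
    detail = {}
    for line in text.splitlines():
        m = KV_RE.match(line)
        if m:
            detail[m.group(1)] = m.group(2)
    return detail


def audit_ap_tags(rows, intended=INTENDED_AP_TAGS):
    """Flag APs the WLC marks Misconfigured or whose tags differ from the intended set."""
    findings = []
    for r in rows:
        if r["misconfigured"] != "No":
            findings.append(f"{r['name']}: WLC reports Misconfigured={r['misconfigured']}")
        want = intended.get(r["mac"])
        if want is None:
            findings.append(f"{r['name']}: {r['mac']} has no intended tag assignment")
            continue
        for key in ("site", "policy", "rf"):
            if r[key] != want[key]:
                findings.append(f"{r['name']}: {key} tag {r[key]} != intended {want[key]}")
    return findings


def audit_client(detail):
    """Check Flex Profile presence and client IP against the policy profile's switching mode."""
    findings = []
    policy = detail.get("Policy Profile", "")
    flex = detail.get("Flex Profile", "N/A")
    local = policy in LOCALLY_SWITCHED
    if local and flex == "N/A":
        findings.append(f"{policy}: locally switched client shows no Flex Profile")
    if not local and flex != "N/A":
        findings.append(f"{policy}: centrally switched client shows Flex Profile {flex}")
    net = EXPECTED_SUBNET.get(policy)
    ip = ipaddress.ip_address(detail["Client IPv4 Address"])
    if net is None:
        findings.append(f"{policy}: no expected subnet defined")
    elif ip not in net:
        findings.append(f"{policy}: client IP {ip} is outside {net}")
    return findings


if __name__ == "__main__":
    print("AP tags:", audit_ap_tags(parse_ap_tag_summary(AP_TAG_SUMMARY)) or "OK")
    for sample in (CLIENT_CENTRAL, CLIENT_LOCAL):
        d = parse_client_detail(sample)
        print(d["Wireless LAN Network Name (SSID)"], audit_client(d) or "OK")
```

Both clients from this post pass; a client that shows "Policy Profile : MRNH-Flex" but an address in 192.168.99.0/24, or a "Misconfigured" of Yes in the AP tag summary, is what the audit reports, which is the first thing to check when locally switched traffic is unexpectedly reaching the WLC or the wrong VLAN.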

Since locally switched traffic does not reach the WLC, you have to go to the AP for any data plane troubleshooting. From the AP CLI, you can issue commands to get the output you need. Below are a few commands that may be useful.

AP2-C9130#show flexconnect 
  calea      Calea Information
  cckm       CCKM Cache Entry Information
  client     Client Information
  dhcp       DHCP Information
  dot11r     802.11r Cache Entry Information
  ewc-ap     EWC AP Configuration
  mcast      Multicast Information
  oeap       Flexconnect OEAP Information
  pmk        OKC/PMK Cache Entry Information
  status     Standalone status
  url-acl    URL for DNS ACL
  vlan-acl   VLAN ACL mapping
  vlan-name  Vlan name ID mapping
  wlan       WLAN Configuration


AP2-C9130#show flexconnect wlan | in UP
Flexconnect WLANs:
Radio Vap    SSID State    Auth Assoc Switching     
    1   0    MRNX    UP Central Local     Local
    1   1 QoS_PSK    UP Central Local   Central

AP2-C9130#sh flexconnect client    
Flexconnect Clients:

              mac radio vap aid state       encr aaa-vlan aaa-acl aaa-ipv6-acl assoc    auth switching key-method    roam key-progmed handshake-sent wgb SGT
F8:E4:E3:72:6C:DA     1   0   1   FWD AES_CCM128     none    none         none Local Central     Local      Other regular          No            Yes  No   0

Hope this post gives you an idea of what needs to be configured to get a basic FlexConnect setup working in a Cisco 9800 environment.

References
1. Understand FlexConnect on Cisco 9800
2. BRKEWN-2016 Branch Office Wireless LAN Design - 2019 CLUS
3. Cisco 9800 FlexConnect – Video (Rowell Dionecio)