CCIE Wireless v3.1 Lab- FlexConnect AAA Overrides and VLAN Based Central Switching

  • Published 7 Jan 2019
  • This video is a part of Network Dojo's CCIE Wireless v3.1 Lab Video Series 1. The videos in this series are meant to teach about the technologies covered in the lab as a part of building a foundation for more advanced topics. This series will introduce technologies, explain how they work, show how to configure them, and show how to verify them.
    If you'd like to get more information about this video series, you can find out more at networkdojo.com/ccie-wireless....

COMMENTS • 9

  • @LoveSara1225 3 years ago

    I’d like to say it’s the best tutorial I’ve ever seen.

  • @MrEDGE1984 3 years ago

    Hey Jeff, this is a fan here. Just want to thank you for this video, you're one of the best teachers on UA-cam, probably the best one. Your presentation and focus on minor but important details are just worth praise, no one can make a complicated topic as simple as you can. Thanks again!

  • @chetaned1 1 year ago

    Hi Jeff,
    Thanks for this video. Awesome summary of this topic you covered 👌👌

  • @WiFiTube 4 years ago

    Hello Jeff, awesome summary of this topic!
    I was researching and testing it for the last few hours. At the beginning my tests failed, because I didn't define the VLAN on the AP. I only defined the VLAN template. Therefore the solution was to define the VLAN under "AAA VLAN-ACL mapping".
    Next time I will check your UA-cam channel before I waste time on Google or with user guides. ;-)
    Thanks and best regards

  • @mareksliwinski7910 3 years ago

    Hi Jeff,
    you are doing really amazing tutorials ;)
    I have one question regarding FlexConnect AAA Overrides and VLAN Based Central Switching: what will happen if ISE sends a VLAN name that exists in the FC VLAN Template as a mapping (let's say to 10) but this VLAN doesn't exist on the AP? Can we expect central switching to the VLAN assigned to the WLAN?
    Or maybe this name will be ignored and mapping to the default VLAN for the WLAN will happen, but locally switched?

    • @Networkdojo 3 years ago

      I haven't tried that particular scenario. It won't locally switch without the VLAN being defined outside of the template. So if I were to guess, it would centrally switch. Hopefully it would attempt to land on VLAN 10 on the WLC.

    • @mareksliwinski7910 3 years ago

      @Networkdojo thank you for the fast answer.
      I have checked such a scenario in my "lab" and it looks like the unknown name (it doesn't matter if it is mapped in the VLAN template or not) is treated as "no answer" from ISE -> the client is put into local switching, default VLAN for the particular WLAN.
      When ISE sends an unknown (from the AP's point of view) numeric value (1-4096) of VLAN, then everything works as you have shown in your video. If a VLAN name is sent, then it doesn't matter if that name is mapped in the VLAN template or not -> the client always ends up in the default VLAN for a particular WLAN, locally switched.
      Do you know maybe how it looks in the latest Cisco 9800 WLCs? Are you able to point me to any video/documentation where it is described?
      I'm looking for a fallback solution for unknown clients, which are able to authenticate but aren't correctly tagged.
      Have a great day/evening!
      /Marek

  • @prasadcg4930 2 years ago

    Hi Jeff, is it possible to create VLANs for each connection in an AAA device? Can there be 2 options? One: define a number of defined connections with username and password in a VLAN, and whoever connects using that VLAN will be invisible to others. The other option is to create VLANs on the fly. Are both possible on any AAA device?

    • @Networkdojo 2 years ago

      I'm not sure I 100% understand what you are asking. But here are some things I hope will give you answers.
      Each client on a WLAN can have a AAA override to any VLAN supported on the AP, which I believe is limited to a maximum of 16 VLANs. VLANs need to be pre-defined on the AP, which is usually done through the FlexConnect group.
      You can use peer-to-peer blocking to stop wireless-to-wireless communications. This will impact all clients on the same WLAN, same AP in a local switching setup. ACLs can be used to stop clients in the same subnet/VLAN from talking to each other across APs (either wireless or wired ACLs). You could also look into private VLANs if you want to control peer-to-peer communications at the wired level per VLAN.