If you ever wonder how to configure the “vlan select” or “interface group” feature in a Converged Access (3850/3650/5760) setup, here is how you do it (I am using IOS-XE 3.6E for this post). This feature is known as “Vlan Group” in IOS-based controllers (in the GUI of these controllers you still see it as interface group, for familiarity). Here is my topology for the post.
In my topology the 5760 is acting as MC and the 3850 stacks are acting as MA. In this post I have configured the “vlan group” on the 3850-2 MA. Let’s say you have four different subnets to be assigned to a single WLAN.
Vlan 1360 - x.x.110.0/24
Vlan 1361 - x.x.16.0/23
Vlan 1362 - x.x.228.0/23
Vlan 1363 - x.x.241.0/24
This post assumes you are doing this on a Layer 2 access topology (not routed/L3 access), where all your VLAN SVIs are defined on your distribution layer. In my case all SVIs are defined on the DR01 switch. So on my 3850-2 there are only two SVIs: one for switch management (vlan 1600) and the other for wireless management (vlan 1610).
3850-2#sh ip int bri | ex un
Interface    IP-Address    OK?  Method  Status  Protocol
Vlan1600     x.160.x.22    YES  NVRAM   up      up
Vlan1610     x.161.x.22    YES  NVRAM   up      up
Since you do not have L3 interfaces for the user vlans (1360-1363) on your 3850 switches, you have to enable DHCP snooping for vlans 1360-1363 in order for wireless clients to get an IP from a DHCP server. Refer to the Understanding DHCP Snooping post for more detail about this feature. You also have to trust your uplink ports towards your DHCP server (G1/0/48 in this example).
ip dhcp snooping
ip dhcp snooping vlan 1360-1363
no ip dhcp snooping information option
ip dhcp snooping wireless bootp-broadcast enable
!
int g1/0/48
 ip dhcp snooping trust
“Vlan Group” configuration is very straightforward in the CLI (one CLI entry). In Converged Access, wireless users' CAPWAP traffic terminates at your access layer, so your access layer switch should have those user vlans defined like any other wired vlans. Unless you have routed access, all your vlan SVIs are defined on the distribution switch where these access switches are connected.
Now we have to create a “Vlan Group” (let’s say STUDENT-INTGRP) and map vlans 1360-1363 onto this group. Later on we will add this interface group to the WLAN.
3850-2(config)#vlan ?
  WORD           ISL VLAN IDs 1-4094
  access-map     Create vlan access-map or enter vlan access-map command mode
  configuration  vlan feature configuration mode
  dot1q          dot1q parameters
  filter         Apply a VLAN Map
  group          Create a vlan group
  internal       internal VLAN

3850-2(config)#vlan group ?
  WORD  Group name starts with alphabet

3850-2(config)#vlan group STUDENT-INTGRP ?
  vlan-list  List of vlans in this group

3850-2(config)#vlan group STUDENT-INTGRP vlan-list ?
  <1-4094>  VLAN id

3850-2(config)#vlan group STUDENT-INTGRP vlan-list 1360-1363
Now when you are defining “client vlan x” under the WLAN configuration, you can give the “Vlan Group” name instead of a single vlan ID. Here is a sample configuration of an 802.1X SSID where clients are mapped to the defined vlan group (refer to WLAN Config with 3850 for the full configuration including RADIUS). When connecting to this SSID, users will get an IP from those 4 different subnets in vlans 1360-1363. Remember that you have to configure this under AP-Group -> WLAN if you are using any AP-Groups.
wlan DATA 22 DATA
 aaa-override
 accounting-list TEST-RAD
 band-select
 client vlan STUDENT-INTGRP
 ip dhcp required
 ip flow monitor wireless-avc-basic input
 ip flow monitor wireless-avc-basic output
 security dot1x authentication-list TEST-RAD
 service-policy input platinum-up
 service-policy output platinum
 wmm require
 no shutdown
!
ap group TEST-APG
 wlan DATA
  vlan STUDENT-INTGRP
You can use the “show ap groups” command to verify that the correct interface group/vlan group is mapped to your WLAN.
3850-2#show ap groups
Site Name: TEST-APG
Site Description:
WLAN ID    WLAN Name    Interface
-----------------------------------------------------
22         DATA         STUDENT-INTGRP

AP Name    Ethernet MAC      Location
-----------------------------------------------------------
3702-1     b838.617f.eb88    default locatio
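The dependency described above (every VLAN in the group a WLAN uses must also be in the DHCP snooping VLAN list, with a trusted uplink) can be checked offline against a saved configuration. This is an added example, not part of the original post; the names `audit`, `expand` and `SAMPLE_CONFIG` are hypothetical, and it assumes sub-mode lines are indented as in a running-config.

```python
import re

# Constructed sample: the post's configuration, but with VLAN 1363 missing from
# the snooping VLAN list. Sub-mode lines are indented as in a running-config.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 1360-1362
vlan group STUDENT-INTGRP vlan-list 1360-1363
interface GigabitEthernet1/0/48
 ip dhcp snooping trust
wlan DATA 22 DATA
 client vlan STUDENT-INTGRP
"""

def expand(vlan_list):  # '1360-1362,1400' -> {1360, 1361, 1362, 1400}
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config):
    """Return findings for WLAN client VLANs that DHCP snooping does not cover."""
    groups, wlans, snooped = {}, {}, set()
    enabled, trusted, wlan = False, False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            wlan = None  # unindented line: back at global configuration level
        enabled |= line == "ip dhcp snooping"
        trusted |= line == "ip dhcp snooping trust"
        if m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", line):
            snooped |= expand(m.group(1))
        elif m := re.fullmatch(r"vlan group (\S+) vlan-list (\S+)", line):
            groups.setdefault(m.group(1), set()).update(expand(m.group(2)))
        elif m := re.match(r"wlan (\S+) \d+", line):
            wlan = m.group(1)
        elif wlan and (m := re.fullmatch(r"client vlan (\S+)", line)):
            wlans[wlan] = m.group(1)
    findings = [] if enabled else ["DHCP snooping is not enabled globally"]
    if not trusted:
        findings.append("no interface is trusted for DHCP snooping")
    for name, target in wlans.items():
        vlans = groups.get(target) or ({int(target)} if target.isdigit() else set())
        if not vlans:
            findings.append(f"wlan {name}: vlan group {target} is not defined")
        for vlan in sorted(vlans - snooped):
            findings.append(f"wlan {name}: vlan {vlan} is not covered by DHCP snooping")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports VLAN 1363; with the snooping list widened to 1360-1363, as in the post, it returns an empty list.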
Now you can test this by connecting multiple clients to see whether they are getting IPs from different subnets. You can use the “show wireless client summary” and “show wcdb database all” commands to verify that clients connecting to WLAN ID 22 are getting IP addresses from different subnets across vlans 1360-1363.
3850-2#show wcdb database all | in 136
c8e0.ebdd.63bd  1362  x.x.229.18   0x00C6ED40000001C2  RUN  LOCAL
c4d9.8767.90e9  1361  x.x.17.232   0x00C6ED40000001C2  RUN  LOCAL
cc08.e0cf.499f  1362  x.x.229.14   0x00C6ED40000001C2  RUN  LOCAL
74e2.f558.5a82  1360  x.x.156.63   0x00C6ED40000001C2  RUN  LOCAL
78a3.e493.bc5f  1363  x.x.241.114  0x00C6ED40000001C2  RUN  LOCAL
!
3850-2#show wireless client summary | in 5a82|63bd|499f|90e9|bcbf
74e2.f558.5a82  3702-1  22  UP              11n(2.4)
c4d9.8767.90e9  3702-1  22  UP              11n(2.4)
cc08.e0cf.499f  3702-1  22  UP              11n(2.4)
c8e0.ebdd.63bd  3702-1  22  AUTHENTICATING  11g
78a3.e493.bc5f  3702-1  22  UP              11n(2.4)
If you want to do this via the GUI, you can do the same. Here are the steps (I would not think anyone likes to define L2 switch configs via the GUI, but the option is there for anyone willing to go down that path as well). You have to go to the “Controller -> Configuration -> VLAN” section, add your required vlans to the switch and then group them.
Then you can go to the “Wireless -> WLAN -> Select Your WLAN -> General -> Interface/Interface Group” field to bind the vlan group to the WLAN.
IOS XE Release 3E – VLAN Configuration Guide
