Thursday, September 22, 2016

Single SSID - Multi VLAN - FlexConnect

A configuration example that I feel is under-documented and not particularly clear is how to deploy a single SSID on a Cisco WLC with ISE authentication on multiple VLANs based on authorization profiles.

It is actually very simple.

1st:

Build out your ISE policies just as you would for Wired.1x or Wireless.1x, and make sure to add the VLAN assignment to the authorization result that you match.


2nd:

On your WLC, make sure that your SSID has the boxes for FlexConnect local switching and AAA override checked on the Advanced tab.

Make sure that your AP has VLAN support turned on and a local (native) VLAN configured.

3rd:

Create a FlexConnect group on your WLC from the Wireless tab and add your APs to that group.
From the AAA VLAN-ACL mapping tab, create all of the VLANs that users will be placed into by dynamic ISE assignments.


This will cause sub-interfaces to be auto-generated on all of your APs in that FlexConnect group.



Finally:

Test a user/device that ISE will assign to one of the VLANs and verify that it is authenticated and placed into the desired VLAN. If everything connects, you are good to go.



TIPS:

Make sure your VLANs are extended to the switch that the AP is connected to.
Make sure the WLC is running code level 7.4 or higher.
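
A pre-deployment consistency check for the steps and tips above, as an added example that is not from the original post: it confirms that every VLAN an ISE authorization result assigns is also mapped in the FlexConnect group and allowed on the AP's switch trunk, and that the WLC is at 7.4 or higher. The profile names, VLAN IDs, trunk line and version string are constructed sample values entered by hand, not pulled from ISE or the WLC.

```python
import re

def parse_allowed_vlans(trunk_line):
    """Expand 'switchport trunk allowed vlan 1,10-12' into a set of ints."""
    m = re.search(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)", trunk_line)
    if not m:
        return set()
    vlans = set()
    for part in m.group(1).split(","):
        if not part:
            continue  # tolerate a stray trailing comma
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def wlc_version_ok(version, minimum=(7, 4)):
    """True when the WLC release is at or above the 7.4 level from the tips."""
    return tuple(int(x) for x in version.split(".")[:2]) >= minimum

def check_deployment(ise_profiles, flex_group_vlans, trunk_line, wlc_version):
    """Return a list of problems; an empty list means the pieces line up."""
    problems = []
    trunk = parse_allowed_vlans(trunk_line)
    if not wlc_version_ok(wlc_version):
        problems.append(f"WLC version {wlc_version} is below 7.4")
    for profile, vlan in sorted(ise_profiles.items()):
        if vlan not in flex_group_vlans:
            problems.append(f"{profile}: VLAN {vlan} missing from FlexConnect group mapping")
        if vlan not in trunk:
            problems.append(f"{profile}: VLAN {vlan} not allowed on the AP switch trunk")
    return problems

# Constructed sample data (hypothetical profile names and VLAN IDs).
ISE_PROFILES = {"Employees": 10, "Contractors": 20, "IoT": 30}  # ISE authorization results
FLEX_GROUP_VLANS = {10, 20}                                     # AAA VLAN-ACL mapping tab
TRUNK_LINE = " switchport trunk allowed vlan 1,10-20"           # AP-facing switch port
WLC_VERSION = "8.0.140.0"

if __name__ == "__main__":
    for problem in check_deployment(ISE_PROFILES, FLEX_GROUP_VLANS, TRUNK_LINE, WLC_VERSION):
        print(problem)
```

With the sample data, the IoT profile is flagged twice: VLAN 30 is assigned by ISE but is neither mapped in the FlexConnect group nor carried on the trunk.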




Friday, July 22, 2016

Network Engineers need Linux

Although I am by no means an expert in Linux (yet), I have done the swap. I have dropped Windows for Mint 17.3 Linux. Since I work in the network consulting realm, it does make things (some things) a little simpler. I am a fan of Windows 10, but the good about Linux far outweighs the good about Windows.



Benefits:
  • Become more familiar with commands that are regularly used to install and troubleshoot Cisco and other vendor appliances
  • Terminal services are much more fluid and many variants are available
  • VIRL and GNS3, in my opinion, run much more efficiently on Linux.
  • Overall performance increase
  • Less bloat in my OS
  • The new Linux distros' GUIs are as good as, if not better than Windows
  • IT'S FREE!
Drawbacks:

  • Visio and a few other office-like products
  • I like Outlook much better than Thunderbird or Evolution

*** I still have Windows 10 installed on my hard drive for now if I need to use certain applications


More info on current Linux distributions: Click Here

More info on Mint: Click Here

Wednesday, July 6, 2016

Cisco VIRL Installation

So I finally had the chance to install Cisco VIRL.


Here are a few things that I learned:

  • Installation on bare metal is a pain
    • it is totally possible and is doable, but installing on a free ESXi host is much easier
    • interfaces get tricky unless your box matches the base config exactly
  • ESXi is your friend
    • if you have an old PowerEdge 710 server lying around you might as well run ESXi on it and load the pre-configured OVA
    • no messing with Linux interfaces in the server
    • just have to build the back end networking in ESXi
  • Don't use the minimum required RAM
    • purchased the 30 node license, but quickly ran out of 32GB (only ran 14 nodes)
    • maxed out the server at 128GB and I can max out my node limit
  • Cisco's community links don't work (as of 7/6/16)
    • all of the Google results redirect you to a parked domain
    • this makes troubleshooting and tips a pain if something gets screwed up
    • community forum exists, but it is hard to get to threads directly at the moment
  • YOU CAN EXPORT TO GNS3!
All in all I think it's great that you can run multiple types of devices (NXOS, IOS, IOSXE, switches). If you have someone paying for it I would get it, but GNS3 will still be my personal go-to software.

Here is a link to Cisco's documentation: Click Here
If you'd like some detailed info on doing a Bare Metal install (on a poweredge server): Click Here