VLAN Groups

Information About VLAN Groups

Whenever a client connects to a wireless network (WLAN), the client is placed in a VLAN that is associated with the policy profile mapped to the WLAN. In a large venue, such as an auditorium, a stadium, or a conference room where there are numerous wireless clients, having only a single WLAN to accommodate many clients might be a challenge.

The VLAN group feature uses a single policy profile that can support multiple VLANs. The clients can get assigned to one of the configured VLANs. This feature maps a policy profile to a single VLAN or multiple VLANs using the VLAN groups. When a wireless client associates to the WLAN, the VLAN is derived by an algorithm based on the MAC address of the wireless client. A VLAN is assigned to the client and the client gets the IP address from the assigned VLAN.

The system marks VLAN as Dirty for 30 minutes when the clients are unable to receive IP addresses using DHCP. The system might not clear the Dirty flag from the VLAN even after 30 minutes for a VLAN group. After 30 minutes, when the VLAN is marked non-dirty, new clients in the IP Learn state can get assigned with IP addresses from the VLAN if free IPs are available in the pool and DHCP scope is defined correctly. This is the expected behavior because the timestamp of each interface has to be checked to see if it is greater than 30 minutes, due to which there is a lag of 5 minutes for the global timer to expire.


Note


The Controller marks the VLAN interface as Dirty when three or more clients fail to receive IP addresses through DHCP. The VLAN interface is deemed Dirty using the Non-Aggressive method, which involves counting one failure per association per client that surpasses the predefined IP_LEARN_TIMEOUT duration of 120 seconds. If a client sends a new association request before the IP_LEARN_TIMEOUT elapses, it will not be considered a failed client.

In Non-Aggressive method, each client gets a unique hash value derived from its MAC address. This approach ensures that clients belonging to the same vendor, which may differ only by a few bits, do not mistakenly trigger the Dirty marking of a VLAN.


Prerequisites for VLAN Groups

  • A VLAN should be present in the device for it to be added to the VLAN group.

Restrictions for VLAN Groups

  • If the number of VLANs in a VLAN group exceeds 32, the mobility functionality might not work as expected and Layer 2 multicast might break for some VLANs. Therefore, it is the responsibility of network administrators to configure a feasible number of VLANs in a VLAN group.

    For the VLAN Groups feature to work as expected, the VLANs mapped in a group must be present in the controller. The static IP client behavior is not supported.

  • The VLAN Groups feature works for access points in local mode.

  • The VLAN Groups feature works only in central switching mode and it cannot be used in FlexConnect local switching mode.

  • ARP Broadcast feature is not supported on VLAN groups.

  • VLAN group Multicast with VLAN group is only supported in local mode AP. Multicast VLAN is required when VLAN group is configured and uses multicast traffic.

  • While you configure VLAN groups with multiple VLANs and each VLAN is used by a different subnet, clients having static IP addresses might be assigned to a wrong VLAN if SVIs are not present on the controller. Hence, for every VLAN that belongs to the VLAN group, ensure that you configure an SVI interface with a valid IP address.

Creating a VLAN Group (GUI)

Procedure


Step 1

Choose Configuration > Layer2 > VLAN

Step 2

On the VLAN > VLAN page, click Add.

Step 3

Enter the VLAN ID in the VLAN ID field.

The valid range is between 2 and 4094.

Step 4

Enter the VLAN name in the Name field.

Configure the other parameters if required.

Step 5

Click Update & Apply to Device.


Creating a VLAN Group (CLI)

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

vlan group WORD vlan-list vlan-ID

Example:

Device(config)#vlan group vlangrp1 vlan-list 91-95

Creates a VLAN group with the given group name (vlangrp1) and adds all the VLANs listed in the command. The VLAN list ranges from 1 to 4096 and the maximum number of VLANs supported in a group is 64.

Step 3

end

Example:

Device(config)#end

Exits the global configuration mode and returns to privileged EXEC mode. Alternatively, press CTRL-Z to exit the global configuration mode.

Adding a VLAN Group to Policy Profile (GUI)

Policy profile broadly consists of network and switching policies. Policy profile is a reusable entity across tags. Anything that is a policy for the client that is applied on the AP or controller is moved to the policy profile. For example, VLAN, ACL, QOS, Session timeout, Idle timeout, AVC profile, Bonjour profile, Local profiling, Device classification, BSSID QoS, etc. However, all wireless related security attributes and features on the WLAN are grouped under the WLAN profile.

Procedure


Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

On thePolicy Profile page, click on a policy profile name.

Step 3

Click Access Policies tab.

Step 4

Under VLAN section, use the VLAN/VLAN Group drop-down list to select a VLAN or VLAN Group.

Step 5

Click Update & Apply to Device.


Adding a VLAN Group to a Policy Profile

Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile policy wlan-policy-profile-name

Example:

Device(config)# wireless profile policy my-wlan-policy

Configures the WLAN policy profile.

Step 3

vlan vlan-group1

Example:

Device(config-wireless-policy)# vlan myvlan-group

Maps the VLAN group to the WLAN by entering the group name.

Step 4

end

Example:

Device(config-wlan)# end

Exits global configuration mode and returns to privileged EXEC mode.

Viewing the VLANs in a VLAN Group

Command Description
show vlan group Displays the list of VLAN groups with name and the VLANs that are configured.
show vlan group group-name group_name Displays the specified VLAN group details.
show wireless client mac-address client-mac-addr detail

Displays the VLAN group assigned to the client.

show wireless vlan details

Displays VLAN details.