Introduction
This document describes how to configure a Remote Local Area Network (RLAN) on a Catalyst 9124 AP using a Catalyst 9800 WLC.
Prerequisites
Requirements
Cisco recommends that you have knowledge of these topics:
- 9800 WLC
- Command-line Interface (CLI) access to the wireless controllers and Access Points.
Components Used
The information in this document is based on these software and hardware versions:
- Catalyst 9800-L WLC version 17.09.05
- C9124 Series AP
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Background
A Remote LAN (RLAN) is used for authenticating wired clients using the controller. Once the wired client successfully joins the controller, the LAN ports switch the traffic between central or local switching modes. The traffic from the wired clients is treated as wireless client traffic. The RLAN in Access Point (AP) sends the authentication request to authenticate the wired client. The authentication of the wired clients in RLAN is similar to the central authenticated wireless client.
For more detailed information about RLAN, please visit the Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide.
RLAN is supported in APs that have more than one Ethernet port and AP model 9124 contains 2 Ethernet ports named GigabitEthernet0 and LAN1, labeled as 2 and 3 respectively in the picture:
9124 Ethernet ports
For complete hardware details, please read the Cisco Catalyst 9124AX Series Outdoor Access Point Hardware Installation Guide.
Configure
This document assumes that the AP is already joined to the WLC.
If you need guidance on joining AP 9124 to WLC, please read this guide: Configure Mesh on Catalyst 9800 Wireless LAN Controllers.
The AP supports RLAN in both Local Mode and Flex Mode. If you need RLAN traffic to be locally switched, the AP mode must be Flex, and you must configure the RLAN Profile accordingly.
Note: If you set AP as Flex+Bridge mode, the AP logs a message like: "RLAN_CFG: enable_LAN_port Cannot enable LAN[0]: ClickPort 66: Feature not supported on Mesh".
Network Diagram
Topology
Configurations
AAA Configuration
1. In this document, the security method for the RLAN is MAC filtering, therefore you need to configure AAA in advance. You can have the MAC addresses in a remote AAA server or locally on the WLC.
Here the local WLC database is used. Add the MAC address of the client that is expected to connect to the RLAN to the Device Authentication list, without any delimiters:
Device Management Local DB
2. Configure the Authorization method to use the local database. Here named RLAN_macF:
AAA Authorization Method
RLAN Configuration
1. In order to create the RLAN Profile, navigate to Configuration > Wireless > Remote LAN and enter a Profile Name and RLAN ID for the RLAN Profile, as shown in this image.
RLAN Profile General
2. Navigate to Security. In this example, the security method used is MAC Filtering. Go to Layer 2, leave 802.1x set to Disabled and select the Authorization method for MAC Filtering, as shown in this image.
RLAN Security
3. Create the RLAN Policy. Navigate to Configuration > Wireless > Remote LAN and on the Remote LAN page, click RLAN Policy tab, as shown in this image.
RLAN Policy
In this setup, all traffic is Centrally Switched at the WLC.
4. Navigate to Access Policies and configure the VLAN and Host Mode and apply the settings.
RLAN Policy Access Policies
5. Create a Policy Tag and map the RLAN Profile to the RLAN Policy. Navigate to Configuration > Tags & Profiles > Tags.
Policy Tag
6. Apply the Policy Tag to the AP and enable the LAN port. Navigate to Configuration > Wireless > Access Points and click on the AP.
Policy Tag on AP configuration
Apply the setting and the AP re-joins the WLC. Click on the AP, then select Interfaces and enable the LAN port in the LAN Port Settings.
AP LAN1 port settings
Apply the settings and verify the status. Make sure the RLAN shows Green.
FlexConnect Local Switching RLAN
If you need RLAN traffic to be locally switched, the AP mode must be Flex, and you must configure the RLAN Profile accordingly.
Note: If you set AP as Flex+Bridge mode, the AP logs a message like: "RLAN_CFG: enable_LAN_port Cannot enable LAN[0]: ClickPort 66: Feature not supported on Mesh".
1. Start with the Flex Profile configuration to be applied to the Site Tag. Ensure that you configure the correct native VLAN and push the correct client VLAN(s) to the Flex AP.
Flex Profile Configuration
2. To change the AP 9124 to FlexConnect mode, you need to disable the option "Enable Local Site" in the Site Tag configuration. After that, the option to select the Flex Profile appears. Select the Flex Profile configured previously:
Site Tag Disable Local Site
Once you click on Update and Apply to Device, the AP console logs:
AP mode change Local to Flex
And the AP now shows Flex as AP Mode:
Note: When you move the AP from Local to Flex mode, the AP does NOT reload. When you move it from Flex to Local mode, the AP reloads.
3. Go to Configuration > Tags & Profiles > Remote LAN > RLAN Policy and edit the RLAN Switching Policy for Local Switching. Disable Central Switching and Central DHCP:
RLAN Policy Local Switching
Verify
Central Switching
Connect a PC to the LAN1 port of the AP. The PC authenticates via MAB and gets an IP address from the configured VLAN.
Navigate to Monitoring > Wireless > Clients to check the client status.
Client details
From the AP CLI you can view the port status change and client details:
AP9124_01#debug client F8:E4:3B:EE:53:AF
AP9124_01#debug rlan
  critical  Enable RLAN critical level debugging
  errors    Enable RLAN error level debugging
  events    Enable RLAN event level debugging
  info      Enable RLAN info level debugging
AP9124_01#show wired clients
Total wired clients: 1
mac               port state      local_client detect_ago associated_ago tx_pkts tx_bytes rx_pkts rx_bytes
F8:E4:3B:EE:53:AF 2    ASSOCIATED No           12         12             9       1074     337     55639
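Because the RLAN here relies on MAC filtering, a useful verification step is to compare the wired clients the AP reports against the MAC addresses entered in the WLC Device Authentication list. The script below is an added example, not part of the original document or Cisco tooling: it parses saved `show wired clients` output and flags any client that is not on the list. The function names, the second client row, and the lowercase comparison form are assumptions made for the example.

```python
import re

# Constructed sample: the first client row is the one shown in this document;
# the second row is invented here to represent a device missing from the WLC list.
SAMPLE_OUTPUT = """\
AP9124_01#show wired clients
Total wired clients: 2
mac port state local_client detect_ago associated_ago tx_pkts tx_bytes rx_pkts rx_bytes
F8:E4:3B:EE:53:AF 2 ASSOCIATED No 12 12 9 1074 337 55639
00:11:22:33:44:55 2 ASSOCIATED No 30 30 4 512 120 20480
"""

def normalize_mac(mac):
    """Strip delimiters, as the Device Authentication list expects.
    Lowercasing is only so comparisons are case-insensitive (assumption)."""
    bare = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", bare):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bare

def parse_wired_clients(output):
    """Return one dict per client row, keyed by the column names in the header."""
    clients, header = [], None
    for line in output.splitlines():
        fields = line.split()
        if fields[:2] == ["mac", "port"]:
            header = fields
        elif header and len(fields) == len(header):
            row = dict(zip(header, fields))
            try:
                row["mac"] = normalize_mac(row["mac"])
            except ValueError:
                continue  # not a client row
            clients.append(row)
    return clients

def audit(output, allowed_macs):
    """List (mac, port, reason) for clients that do not match the allowlist."""
    allowed = {normalize_mac(m) for m in allowed_macs}
    findings = []
    for c in parse_wired_clients(output):
        if c["mac"] not in allowed:
            findings.append((c["mac"], c["port"], "not in Device Authentication list"))
        elif c["state"] != "ASSOCIATED":
            findings.append((c["mac"], c["port"], "allowed but state is " + c["state"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, ["f8e43bee53af"]):
        print(finding)
```

An associated client that is missing from the list indicates that the list and the RLAN security settings have drifted apart and should be reviewed.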
Flex-Connect Local Switching
Debugs for Local Switched RLAN