FlexConnect Commands

show Commands

show ap flexconnect

To view the details of APs in FlexConnect mode, use the show ap flexconnect command.

show ap flexconnect module-vlan ap-name

Syntax Description

module-vlan

Displays the status of FlexConnect local switching and VLAN ID value

ap-name

Cisco AP name

Command History

Release Modification
8.3 This command was introduced.

show capwap reap association

To display the list of clients associated with an access point and their SSIDs, use the show capwap reap association command.

show capwap reap association

Syntax Description

This command has no arguments or keywords.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display clients associated to an access point and their SSIDs:

(Cisco Controller) >show capwap reap association

show capwap reap status

To display the status of the FlexConnect access point (connected or standalone), use the show capwap reap status command.

show capwap reap status

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

The command shows only the VLAN when configured as AP-specific.

Examples

The following example shows how to display the status of the FlexConnect access point:

(Cisco Controller) >show capwap reap status

show flexconnect acl detailed

To display a detailed summary of FlexConnect access control lists, use the show flexconnect acl detailed command.

show flexconnect acl detailed acl-name

Syntax Description

acl-name

Name of the access control list.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the FlexConnect detailed ACLs:

(Cisco Controller) >show flexconnect acl detailed acl-2

show flexconnect acl summary

To display a summary of all access control lists on FlexConnect access points, use the show flexconnect acl summary command.

show flexconnect acl summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the FlexConnect ACL summary:

(Cisco Controller) >show flexconnect acl summary
ACL Name                         Status
-------------------------------- -------
acl1                            Modified
acl10                           Modified
acl100                          Modified
acl101                          Modified
acl102                          Modified
acl103                          Modified
acl104                          Modified
acl105                          Modified
acl106                          Modified

show flexconnect group detail

To display details of a FlexConnect group, use the show flexconnect group detail command.

show flexconnect group detail group_name [ module-vlan | aps]

Syntax Description

group_name

Name of the FlexConnect group.

module-vlan

Displays status of the FlexConnect local switching and VLAN ID in the group

aps

Displays list of APs that are part of the FlexConnect group

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the detailed information for a specific FlexConnect group:

(Cisco Controller) >show flexconnect group detail myflexgroup
Number of Ap’s in Group: 	1
00:0a:b8:3b:0b:c2 	 AP1200 	 	Joined
Group Radius Auth Servers:
	Primary Server Index ..................... Disabled
	Secondary Server Index ................... Disabled

show flexconnect group summary

To display the current list of FlexConnect groups, use the show flexconnect group summary command.

show flexconnect group summary

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to display the current list of FlexConnect groups:

(Cisco Controller) >show flexconnect group summary
flexconnect Group Summary: 	Count 1
Group Name	 				 	# APs
Group 1 						1

config Commands

config ap flexconnect policy

To configure a policy ACL on a FlexConnect access point, use the config ap flexconnect policy command.

config ap flexconnect policy { add | delete} acl_name

Syntax Description

add

Adds a policy ACL on a FlexConnect access point.

deletes

Deletes a policy ACL on a FlexConnect access point.

acl_name

Name of the ACL.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add a policy ACL on a FlexConnect access point:

(Cisco Controller) >config ap flexconnect policy add acl1

config ap flexconnect vlan

To enable or disable VLAN tagging for a FlexConnect access, use the config ap flexconnect vlan command.

config ap flexconnect vlan { enable | disable} cisco_ap

Syntax Description

enable

Enables the access point’s VLAN tagging.

disable

Disables the access point’s VLAN tagging.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

Disabled. Once enabled, WLANs enabled for local switching inherit the VLAN assigned at the Cisco WLC.

Command History

Release Modification
8.3 This command was introduced.

Examples

This example shows how to enable the access point’s VLAN tagging for a FlexConnect access:

(Cisco Controller) >config ap flexconnect vlan enable AP02

config ap flexconnect vlan add

To add a VLAN to a FlexConnect access point, use the config ap flexconnect vlan add command.

config ap flexconnect vlan add vlan-id acl in-acl out-acl cisco_ap

Syntax Description

vlan-id

VLAN identifier.

acl

ACL name that contains up to 32 alphanumeric characters.

in-acl

Inbound ACL name that contains up to 32 alphanumeric characters.

out-acl

Outbound ACL name that contains up to 32 alphanumeric characters.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the FlexConnect access point:

(Cisco Controller) >config ap flexconnect vlan add 21 acl inacl1 outacl1 ap1

config ap flexconnect vlan native

To configure a native VLAN for a FlexConnect access point, use the config ap flexconnect vlan native command.

config ap flexconnect vlan native vlan-id cisco_ap

Syntax Description

vlan-id

VLAN identifier.

cisco_ap

Name of the Cisco lightweight access point.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure a native VLAN for a FlexConnect access point mode:

(Cisco Controller) >config ap flexconnect vlan native 6 AP02

config ap flexconnect vlan wlan

To assign a VLAN ID to a FlexConnect access point, use the config ap flexconnect vlan wlan command.

config ap flexconnect vlan wlan wlan-id vlan-id cisco_ap

Syntax Description

wlan-id

WLAN identifier

vlan-id

VLAN identifier (1 - 4094).

cisco_ap

Name of the Cisco lightweight access point.

Command Default

VLAN ID associated to the WLAN.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to assign a VLAN ID to a FlexConnect access point:

(Cisco Controller) >config ap flexconnect vlan wlan 192.12.12.1 6 AP02 

config ap flexconnect web-auth

To configure a FlexConnect ACL for external web authentication in locally switched WLANs, use the config ap flexconnect web-auth command.

config ap flexconnect web-auth wlan wlan_id cisco_ap acl_name { enable | disable }

Syntax Description

wlan

Specifies the wireless LAN to be configured with a FlexConnect ACL.

wlan_id

Wireless LAN identifier between 1 and 512 (inclusive).

cisco_ap

Name of the FlexConnect access point.

acl_name

Name of the FlexConnect ACL.

enable

Enables the FlexConnect ACL on the locally switched wireless LAN.

disable

Disables the FlexConnect ACL on the locally switched wireless LAN.

Command Default

FlexConnect ACL for external web authentication in locally switched WLANs is disabled.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

The FlexConnect ACLs that are specific to an AP have the highest priority. The FlexConnect ACLs that are specific to WLANs have the lowest priority.

Examples

The following example shows how to enable FlexConnect ACL for external web authentication on WLAN 6:

(Cisco Controller) >config ap flexconnect web-auth wlan 6 AP2 flexacl2 enable

config ap flexconnect web-policy acl

To configure a Web Policy FlexConnect ACL on an access point, use the config ap flexconnect web-policy acl command.

config ap flexconnect web-policy acl { add | delete} acl_name

Syntax Description

add

Adds a Web Policy FlexConnect ACL on an access point.

delete

Deletes Web Policy FlexConnect ACL on an access point.

acl_name

Name of the Web Policy FlexConnect ACL.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add a Web Policy FlexConnect ACL on an access point:

(Cisco Controller) >config ap flexconnect web-policy acl add flexacl2

config ap flexconnect wlan

To configure a FlexConnect access point in a locally switched WLAN, use the config ap flexconnect wlan command.

config ap flexconnect wlan l2acl { add wlan_id cisco_ap acl_name | delete wlan_id cisco_ap}

Syntax Description

add

Adds a Layer 2 ACL to the FlexConnect access point.

wlan_id

Wireless LAN identifier from 1 to 512.

cisco_ap

Name of the Cisco lightweight access point.

acl_name

Layer 2 ACL name. The name can be up to 32 alphanumeric characters.

delete

Deletes a Layer 2 ACL from the FlexConnect access point.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

  • You can create a maximum of 16 rules for a Layer 2 ACL.

  • You can create a maximum of 64 Layer 2 ACLs on a Cisco WLC.

  • A maximum of 16 Layer 2 ACLs are supported per AP because an AP supports a maximum of 16 WLANs.

  • Ensure that the Layer 2 ACL names do not conflict with the FlexConnect ACL names because an AP does not support the same Layer 2 and Layer 3 ACL names.

Examples

The following example shows how to configure a Layer 2 ACL on a FlexConnect AP.

(Cisco Controller) >config ap flexconnect wlan add 1 AP1600_1 acl_l2_1

config flexconnect acl

To apply access control lists that are configured on a FlexConnect access point, use the config flexconnect acl command.

config flexconnect acl { apply | create | delete} acl_name

Syntax Description

apply

Applies an ACL to the data path.

create

Creates an ACL.

delete

Deletes an ACL.

acl_name

ACL name that contains up to 32 alphanumeric characters.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to apply the ACL configured on a FlexConnect access point:

(Cisco Controller) >config flexconnect acl apply acl1

config flexconnect acl rule

To configure access control list (ACL) rules on a FlexConnect access point, use the config flexconnect acl rule command.

config flexconnect aclrule { action rule_name rule_index { permit | deny} | 
 add rule_name rule_index | 
 change index rule_name old_index new_index | 
 delete rule_name rule_index | 
 destination address rule_name rule_index ip_address netmask | 
 destination port range rule_name rule_index start_port end_port |
 direction rule_name rule_index { in | out | any} | 
 dscp rule_name rule_index dscp | 
 protocol rule_name rule_index protocol | 
 source address rule_name rule_index ip_address netmask | 
 source port range rule_name rule_index start_port end_port |
 swap index rule_name index_1 index_2}

Syntax Description

action

Configures whether to permit or deny access.

rule_name

ACL name that contains up to 32 alphanumeric characters.

rule_index

Rule index between 1 and 32.

permit

Permits the rule action.

deny

Denies the rule action.

add

Adds a new rule.

change

Changes a rule’s index.

index

Specifies a rule index.

delete

Deletes a rule.

destination address

Configures a rule’s destination IP address and netmask.

ip_address

IP address of the rule.

netmask

Netmask of the rule.

start_port

Start port number (between 0 and 65535).

end_port

End port number (between 0 and 65535).

direction

Configures a rule’s direction to in, out, or any.

in

Configures a rule’s direction to in.

out

Configures a rule’s direction to out.

any

Configures a rule’s direction to any.

dscp

Configures a rule’s DSCP.

dscp

Number between 0 and 63, or any.

protocol

Configures a rule’s DSCP.

protocol

Number between 0 and 255, or any.

source address

Configures a rule’s source IP address and netmask.

source port range

Configures a rule’s source port range.

swap

Swaps two rules’ indices.

index_1

The rule first index to swap.

index_2

The rule index to swap the first index with.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

This example shows how to configure an ACL to permit access:

(Cisco Controller) >config flexconnect acl rule action lab1 4 permit

config flexconnect arp-caching

To save an ARP entry for a client in the cache with locally switched WLAN on FlexConnect APs use config flexconnect arp-caching command.

config flexconnect arp-caching { enable } disable}

Syntax Description

arp-caching enable

Instructs the access point to save the ARP entry for a client in the cache and reply on its behalf of the client for locally switched WLAN.

arp-caching disable

Disables ARP caching.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to apply the proxy ARP with locally switched WLAN on FlexConnect APs.

(Cisco Controller) >config flexconnect arp-caching enable

config flexconnect group vlan

To configure VLAN for a FlexConnect group, use the config flexconnect group vlan command.

config flexconnect group group_name vlan { add vlan-id acl in-aclname out-aclname | delete vlan-id}

Syntax Description

group_name

FlexConnect group name.

add

Adds a VLAN for the FlexConnect group.

vlan-id

VLAN ID.

acl

Specifies an access control list.

in-aclname

In-bound ACL name.

out-aclname

Out-bound ACL name.

delete

Deletes a VLAN from the FlexConnect group.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add VLAN ID 1 for the FlexConnect group myflexacl where the in-bound ACL name is in-acl and the out-bound ACL is out-acl:

(Cisco Controller) >config flexconnect group vlan myflexacl vlan add 1 acl in-acl out-acl

config flexconnect group web-auth

To configure Web-Auth ACL for a FlexConnect group, use the config flexconnect group web-auth command.

config flexconnect group group_name web-auth wlan wlan-id acl acl-name { enable | disable}

Syntax Description

group_name

FlexConnect group name.

wlan-id

WLAN ID.

acl-name

ACL name.

enable

Enables the Web-Auth ACL for a FlexConnect group.

disable

Disables the Web-Auth ACL for a FlexConnect group.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable Web-Auth ACL webauthacl for the FlexConnect group myflexacl on WLAN ID 1:

(Cisco Controller) >config flexconnect group myflexacl web-auth wlan 1 acl webauthacl enable

config flexconnect group web-policy

To configure Web Policy ACL for a FlexConnect group, use the config flexconnect group web-policy command.

config flexconnect group group_name web-policy acl { add | delete} acl-name

Syntax Description

group_name

FlexConnect group name.

add

Adds the Web Policy ACL.

delete

Deletes the Web Policy ACL.

acl-name

Name of the Web Policy ACL.

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to add the Web Policy ACL mywebpolicyacl to the FlexConnect group myflexacl:

(Cisco Controller) >config flexconnect group myflexacl web-policy acl add mywebpolicyacl

config flexconnect join min-latency

To enable or disable the access point to choose the controller with the least latency when joining, use the config flexconnect join min-latency command.

config flexconnect join min-latency { enable | disable} cisco_ap

Syntax Description

enable

Enables the access point to choose the controller with the least latency when joining.

disable

Disables the access point to choose the controller with the least latency when joining.

cisco_ap

Cisco lightweight access point.

Command Default

The access point cannot choose the controller with the least latency when joining.

Command History

Release Modification
8.3 This command was introduced.

Usage Guidelines

When you enable this feature, the access point calculates the time between the discovery request and discovery response and joins the controller that responds first.

This configuration overrides the HA setting on the controller, and is applicable only for OEAP access points.

Examples

The following example shows how to enable the access point to choose the controller with the least latency when joining:

(Cisco Controller) >config flexconnect join min-latency enable CISCO_AP

debug Commands

debug capwap reap

To configure the debugging of Control and Provisioning of Wireless Access Points (CAPWAP) settings on a FlexConnect access point, use the debug capwap reap command.

debug capwap reap [ mgmt | load]

Syntax Description

mgmt

(Optional) Configures the debugging for client authentication and association messages.

load

(Optional) Configures the debugging for payload activities, which is useful when the FlexConnect access point boots up in standalone mode.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the debugging of FlexConnect client authentication and association messages:

(Cisco Controller) >debug capwap reap mgmt

debug dot11 mgmt interface

To configure debugging of 802.11 management interface events, use the debug dot11 mgmt interface command.

debug dot11 mgmt interface

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to debug 802.11 management interface events:

(Cisco Controller) >debug dot11 mgmt interface

debug dot11 mgmt msg

To configure debugging of 802.11 management messages, use the debug dot11 mgmt msg command.

debug dot11 mgmt msg

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

This example shows how to debug dot11 management messages:

(Cisco Controller) >debug dot11 mgmt msg

debug dot11 mgmt ssid

To configure debugging of 802.11 SSID management events, use the debug dot11 mgmt ssid command.

debug dot11 mgmt ssid

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the debugging of 802.11 SSID management events:

(Cisco Controller) >debug dot11 mgmt ssid

debug dot11 mgmt state-machine

To configure debugging of the 802.11 state machine, use the debug dot11 mgmt state-machine command.

debug dot11 mgmt state-machine

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the debugging of 802.11 state machine:

(Cisco Controller) >debug dot11 mgmt state-machine

debug dot11 mgmt station

To configure the debugging of the management station settings, use the debug dot11 mgmt station command.

debug dot11 mgmt station

Syntax Description

This command has no arguments or keywords.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure the debugging of the management station settings:

(Cisco Controller) >debug dot11 mgmt station

debug flexconnect aaa

To configure debugging of FlexConnect backup RADIUS server events or errors, use the debug flexconnect aaa command.

debug flexconnect aaa { event | error} { enable | disable}

Syntax Description

event

Configures the debugging for FlexConnect RADIUS server events.

error

Configures the debugging for FlexConnect RADIUS server errors.

enable

Enables the debugging of FlexConnect RADIUS server settings.

disable

Disables the debugging of FlexConnect RADIUS server settings.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of FlexConnect RADIUS server events:

(Cisco Controller) >debug flexconnect aaa event enable

debug flexconnect acl

Configures debugging of FlexConnect access control lists (ACLs), use the debug flexconnect acl command.

debug flexconnect acl { enable | disable}

Syntax Description

enable

Enables the debugging of FlexConnect ACLs.

disable

Disables the debugging of FlexConnect ACLs.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of FlexConnect ACLs:

(Cisco Controller) >debug flexconnect acl enable

debug flexconnect cckm

Configure debugging of FlexConnect Cisco Centralized Key Management (CCKM) fast roaming, use the debug flexconnect cckm command.

debug flexconnect cckm { enable | disable}

Syntax Description

enable

Enables the debugging of FlexConnect CCKM fast roaming settings.

disable

Disables the debugging of FlexConnect CCKM fast roaming settings.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of FlexConnect CCKM fast roaming events:

(Cisco Controller) >debug flexconnect cckm event enable

debug flexconnect client ap

To debug FlexConnect client access point MAC addresses, use the debug flexconnect client ap command.

debug flexconnect client ap ap-name { add | delete} MAC-address1 MAC-address2 MAC-address3 MAC-address4

Syntax Description

add

Adds the MAC address to the group.

delete

Deletes the MAC address from the group.

MAC-address

MAC address of the client

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to debug FlexConnect client ap 'room' MAC addresses:

(Cisco Controller) >debug flexconnect client ap room add 00.0c.41.07.33.a6 0A.0c.52.17.97.b6

debug flexconnect client ap syslog

To configure debug logging of the syslog server for a FlexConnect client AP, use the debug flexconnect client ap command.

debug flexconnect client ap ap-name syslog { ip-address | disable}

Syntax Description

ip-address

Configures the syslog server ip-address for debug logging.

disable

Disables the debug logging to the syslog server.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure syslog server for debug log for the FlexConnect client AP 'room':

(Cisco Controller) >debug flexconnect client ap room syslog 192.168.1.1

debug flexconnect client group

To debug FlexConnect client group MAC addresses, use the debug flexconnect client group command.

debug flexconnect client group group-name { add | delete} MAC-address1 MAC-address2 MAC-address3 MAC-address4

Syntax Description

add

Adds the MAC address to the group.

delete

Deletes the MAC address from the group.

MAC-address

MAC address of the client.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to debug FlexConnect client group MAC addresses:

(Cisco Controller) >debug flexconnect client group school add 00.0c.41.07.33.a6 0A.0c.52.17.97.b6

debug flexconnect client group syslog

To debug FlexConnect group access point syslog, use the debug flexconnect client group command.

debug flexconnect client group group-name syslog ip-address | disable

Syntax Description

ip-address

Configures the syslog server ip-address for debug logging.

disable

Disables the debug logging to the syslog server.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to configure FlexConnect client group 'school' for debug logging purposes:

(Cisco Controller) >debug flexconnect client group school syslog 192.168.1.1

debug flexconnect group

To configure debugging of FlexConnect access point groups, use the debug flexconnect group command.

debug flexconnect group { enable | disable}

Syntax Description

enable

Enables the debugging of FlexConnect access point groups.

disable

Disables the debugging of FlexConnect access point groups.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of FlexConnect access point groups:

(Cisco Controller) >debug flexconnect group enable

debug pem

To configure debugging of the access policy manager, use the debug pem command.

debug pem { events | state} { enable | disable}

Syntax Description

events

Configures the debugging of the policy manager events.

state

Configures the debugging of the policy manager state machine.

enable

Enables the debugging of the access policy manager.

disable

Disables the debugging of the access policy manager.

Command Default

None

Command History

Release Modification
8.3 This command was introduced.

Examples

The following example shows how to enable the debugging of the access policy manager:

(Cisco Controller) >debug pem state enable