Centralized Auth. / Local Switching - Common SSID

Hi All,
I'm looking at a design where I would have a few remote sites and a centralized WLC. My requirement would be to have a common SSID advertised across the remote sites and have that SSID locally switch, so as to not tunnel all the traffic across the WAN back to the central site.
I know the feature I'm looking for is H-REAP with Centralized Authentication and Local switching...but I'm unsure of the second part...which is to have a common SSID across the remote sites.  How do I accomplish the second part?  I heard mention of using AP Groups in another post.  Just looking for more direction.

You're all correct except on the last part.
What you want to do is configure your SSID in advanced options to enable HREAP Local switching.
Then you move only the APs at the remote site to HREAP mode, one by one.
From there, all the APs you configured as HREAP will be locally switching traffic and the APs in local mode will still forward traffic through the controller.
I hope this clarifies?
Nicolas
===
Don't forget to rate answers that you find useful

Similar Messages

  • Central Authentication / Local Switching for Mesh?

    Hi all,
    I'm afraid I know the answer but maybe I'm just missing something. Anyway, here's the situation: I have a multi-site installation with a centralized WLC (currently 2504). Each wireless VLAN at each site uses the same ID but has a local network (e.g. site 2 is 192.168.2.0/24, site 3 is 192.168.3.0/24 but both are VLAN 100).
    When I configure APs for H-REAP/FlexConnect, there's no problem. Users are authenticated via a centralized RADIUS server (Cisco SecureACS 5.x) and I have local switching enabled so clients pick up an address from a localized DHCP server (ASA firewall in most cases).
    However, the impetus for installing the WLC requires a mesh network, consisting of 2 RAPs and 2 MAPs. My catch 22 is now this: if a RAP is in FlexConnect mode, the MAP won't associate, but if the RAP is in RAP mode, the MAP associates, but clients don't appear to get IP addresses (on an iPhone for example, the wheel just keeps spinning until it gives up).
    It's my understanding that since the APs are no longer in FlexConnect mode, all the wireless traffic is now being tunneled back through the centralized WLC which associates the VLANs with networks that don't exist on site.
    Is my understanding correct? If so, is there any way I can go about achieving what I want to do which is get the FlexConnect effect but still have Mesh capabilities? Right now it seems the obvious (albeit very expensive answer) is to decentralize the WLC and have HA WLC configured on a per site basis.
    Any input/advice greatly appreciated. Thank you.

    I second your thought about mesh and as for what to do - I don't think you can do anything. Perhaps, a cheap way to solve this problem can be installing a local 2504 at sites that require mesh links. This will allow you terminating all VLAN/SSID mappings locally. Sorry :-(

  • HREAP local switching with web auth

    Hello All,
    Does web authentication work perfectly fine while locally switching the SSID on Hreap mode APs with older WLC firmwares - 7.0.98.218.
    I see it is supported in 7.0.116.0 onwards. Does it work on older versions? Has anyone tested and faced any issues?
    Thanks
    Jeen

    It worked as far back as 4.0 from what I remember
    Steve
    Sent from Cisco Technical Support iPhone App

  • High CAPWAP traffic when locally switched

    Hello all,
    We're seeing an ongoing issue where several APs across multiple sites log the error, "%CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)", then disassociate from the controller, and reassociate almost immediately.  The issue is the users get disassociated from the AP and call the helpdesk.
    A counter measure at one site was to add the CAPWAP traffic (udp ports 5246 & 5247)  to the controller in our QOS Platinum policy (setting the DSCP bit to 'ef'), but that doesn't seem to help.
    We're using Flexconnect with central authentication, local switching.
    A couple of questions:
    1) The Platinum queue on the QOS is showing over 500 kbps when the only thing put in that queue is the CAPWAP traffic - there aren't any phones.  Why so much bandwidth for authentication and control traffic?
    2) What is happening with the APs that they can't talk to the controller that causes the issue in the first place?  Bandwidth doesn't seem to be an issue.
    Below are some config and outputs:
    AP-1242#show capwap reap status
    AP Mode:         REAP, Connected
    Radar detected on:
    AP-1242#show capwap reap association
    REAP Data Switching: Local
    2960#show int fa0/22
      Hardware is Fast Ethernet
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      Last input 00:00:22, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 23000 bits/sec, 13 packets/sec
      5 minute output rate 208000 bits/sec, 48 packets/sec
         37478173 packets input, 13839718021 bytes, 0 no buffer
         Received 2818773 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 502342 multicast, 0 pause input
         0 input packets with dribble condition detected
         118634332 packets output, 36491262361 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    2811#show policy-map interface multilink 1
    Service-policy output: MPLS-QOS
        queue stats for all priority classes:
           queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 300637/46124112
        Class-map: PLATINUM (match-any)
          300637 packets, 46124112 bytes
          30 second offered rate 28000 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            300637 packets, 46124112 bytes
            30 second rate 28000 bps
          Priority: 18% (552 kbps), burst bytes 13800, b/w exceed drops: -16
    Any help is appreciated.

    Hi Jeff,
    I think you are hitting a bug (CSCse92856) specific to 1242 AP. Solution given is "Enable Proxy ARP on the default-gateway device of your AP". You can try that & see.
    Even I cannot view the details of this bug because of insufficient access permission. Therefore I do not know more details about this bug fix & which software versions are affected, etc. Better you contact Cisco TAC & get more information.
    I found this information here
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml
    One other reason that H-REAP APs do not join WLCs is if the Proxy ARP is disabled on the gateway for the H-REAP APs. From the AP console, this message is logged:
    *Jul 29 14:04:10.897: LWAPP_CLIENT_ERROR_DEBUG: 
    Retransmission count for packet exceeded more than max(CHANGE_STATE_EVENT , 1)
    This can be caused by Cisco bug ID CSCse92856. This problem applies only to AP1130 and AP1240. This problem does not apply to AP1000s, AP1100, or AP1200.
    This problem occurs when these conditions are met:
    HREAP mode is used in the WLAN. Local mode is not affected by this issue. Native VLAN mapping is required.
    The APs have to be on a different IP subnet than the AP Manager of the WLCs.
    Proxy ARP is disabled on the default gateway for the AP.
    The H-REAP AP gets the default gateway from a DHCP server.
    In order to resolve this issue, enable Proxy ARP on the default gateway router of the AP
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Centrally Switched and Flex Local Switched WLAN - same SSID

    Hi All
    I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
    We've deployed an 8500HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch with SSIDs at branch sites locally switching.  AP and Flex groups have been configured for the HQ and branch sites.  There is a legacy SSID at HQ that will need to break out locally so a flex group is required for HQ.
    My original plan was to do this with one WLAN Profile per SSID, configured to locally switch.  The HQ AP group will map WLAN to the relevant IP interface with the SSID omitted from the HQ Flex Group so that the SSID will centrally switch.  The branch AP groups will be configured with the SSIDs required for branch and Flex groups will be configured to break out the SSIDs  into the relevant local VLAN.
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    Configured as above a client debug gives the below which seems to suggest that it isn't possible, unless I've configured something incorrectly...
    *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
    My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched and then apply that accordingly in the AP groups.
    If someone can verify the above I'd be very grateful.
    Many thanks in advance
    Mark

    Hi Mark
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    When you configure an SSID for local switching, it is only applicable if the AP is in Flexconnect mode. So as long as your HQ APs are in Local mode, all those users' traffic will be centrally switched for the given SSID. At the branch, those APs are in Flex mode, so they will locally switch.
    Pls do not forget to rate our responses if that is useful to you
    HTH
    Rasika

  • Clients not receiving DHCP IP address from HREAP centrally Switched Guest SSID

    Hi All,
    I am facing a problem in a newly deployed branch site where the Clients are not receiving DHCP IP address from a centrally switched Guest SSID. I see the client status is associated but the policy manager state is in DHCP_REQD.
    The dhcp pool is configured on the controller itself. The local guest clients are able to get DHCP and all works fine, the issue is only with the clients in the remote site. The Hreap APs are in connected mode. Could you please suggest what could be the problem. Below is the output of the debug client.
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Adding mobile on LWAPP AP 3c:ce:73:6d:37:00(1)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Reassociation received from mobile on AP 3c:ce:73:6d:37:00
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'Guest-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific IPv6 override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying IPv6 Interface Policy for station 10:40:f3:91:7e:24 - vlan 81, interface id 13, interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 3c:ce:73:6d:37:00 vapId 17 apVapId 1
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 apfMsAssoStateInc
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Idle to Associated
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 49) in 28800 seconds
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sending Assoc Response to station on BSSID 3c:ce:73:6d:37:00 (status 0) ApVapId 1 Slot 1
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfProcessAssocReq (apf_80211.c:4672) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Associated
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4183, Adding TMP rule
    *apfReceiveTask: May 24 11:35:53.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 3c:ce:73:6d:37:00, slot 1, interface = 13, QOS = 3
      ACL Id = 255, Jumbo F
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 81, IPv6 intf id = 13
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sent an XID frame
    *apfMsConnTask_3: May 24 13:26:49.401: 10:40:f3:91:7e:24 Updating AID for REAP AP Client 3c:ce:73:6d:37:00 - AID ===> 1
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *osapiBsnTimer: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Disassociated
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *osapiBsnTimer: May 24 13:29:09.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsAssoStateDec
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Disassociated to Idle
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [3c:ce:73:6d:37:00]
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Deleting mobile on AP 3c:ce:73:6d:37:00(1)
    *pemReceiveTask: May 24 13:29:09.317: 10:40:f3:91:7e:24 0.0.0.0 Removed NPU entry.

    #Does the client at the remote site roam between APs that connect to different WLCs?
    #type 9 is not good.
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    #Is your dhcp server getting hits?
    #Also, get debug dhcp message & packet.
    #Dhcp server is not responding.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
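The reading of the debug output in this thread (client reaches DHCP_REQD, then hits "DHCP Policy timeout" and is deauthenticated) can be automated over a saved `debug client` capture. The following is an added example, not code from the thread or from Cisco; the sample lines are a constructed subset of the log quoted above, and the year prepended to the timestamps is an assumption because the log does not carry one.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the debug client lines quoted in the thread.
SAMPLE = """\
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
*apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
*apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
"""

ASSUMED_YEAR = 2000  # assumption: the log has no year; any fixed year works for deltas

# "*task: Mon DD HH:MM:SS.mmm: client-mac message"
LINE_RE = re.compile(
    r"^\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) (?P<msg>.*)$"
)
CHANGE_RE = re.compile(r"Change state to (\w+) \(\d+\)")
NPU_RE = re.compile(r"Added NPU entry of type (\d+)")


def parse_lines(text):
    """Yield (timestamp, task, mac, message) for every well-formed debug line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # wrapped continuation lines carry no timestamp; skip them
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S.%f")
        yield ts, m["task"], m["mac"], m["msg"]


def analyze(text):
    """Build a per-client summary of policy-manager states and DHCP failures."""
    clients = {}
    for ts, _task, mac, msg in parse_lines(text):
        c = clients.setdefault(
            mac,
            {"states": [], "npu_types": [], "dhcp_timeout_after": None, "deauth": False},
        )
        change = CHANGE_RE.search(msg)
        npu = NPU_RE.search(msg)
        if change:
            name = change.group(1)
            if not c["states"] or c["states"][-1][1] != name:
                c["states"].append((ts, name))
        elif npu:
            c["npu_types"].append(int(npu.group(1)))
        elif "DHCP Policy timeout" in msg:
            # Seconds between entering DHCP_REQD and the controller giving up.
            entered = next((t for t, s in reversed(c["states"]) if s == "DHCP_REQD"), None)
            if entered is not None:
                c["dhcp_timeout_after"] = (ts - entered).total_seconds()
        elif msg.startswith("Sent Deauthenticate"):
            c["deauth"] = True
    return clients


def stuck_in_dhcp(clients):
    """MACs that timed out waiting for DHCP and never reached the RUN state."""
    return sorted(
        mac
        for mac, c in clients.items()
        if c["dhcp_timeout_after"] is not None
        and "RUN" not in [s for _, s in c["states"]]
    )


if __name__ == "__main__":
    result = analyze(SAMPLE)
    for mac in stuck_in_dhcp(result):
        c = result[mac]
        path = " -> ".join(s for _, s in c["states"])
        print(f"{mac}: {path}; DHCP timeout after {c['dhcp_timeout_after']:.1f}s, "
              f"NPU types {c['npu_types']}, deauthenticated={c['deauth']}")
```
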

  • WebAuth on FlexConnect Local Switched SSID

    Hi All
    I'm working on getting internal WebAuth to work on a FlexConnect local switched SSID. From what I've been reading, it's possible but apparently not very straight forward. 
    FlexConnect AP - if the SSID isn't local switch, WebAuth of course works fine.
    Once I set it to local switching, WebAuth breaks. Any way around that in 7.6?
    Thanks

    Figured it out just now. When using the WLC as a DHCP server(this is just a lab), selecting the Central DHCP Processing for use when in Local Switching also selects a box for NAT-PAT. Unselecting the NAT-PAT box fixed the broken WebAuth. 
    Going to have to figure out what that does.

  • Flexconnect localauth and centralized auth on same SSID

    Hi,
    We are trying to set up remote APs in FlexConnect mode and want them set for local auth, while the main site (where the WLC resides) uses central authentication.
    The SSID is the same at both sites, and so is the L2 security policy.
    thanks,
    Alex

    Central vs Local authentication is a "per WLAN" configuration, so a single WLAN cannot have APs doing both central and local "authentication".  You can keep the auth Central, and if your FlexConnect groups are configured properly, your "remote" APs can always "failover/fallback" to using LocalAuth in the event of connectivity loss to the WLC (APs transition to standalone), but you can't explicitly force one or the other on the same WLAN.

  • Same wlan both locally switched and centrally switched

    Scenario:
    1 virtual wireless controller
    50 access points, some of them local to the controller (same site), others on remote sites, all in flexconnect mode.
    Is there a way for a wlan to be locally switched for a group of APs, essentially those local to the controller, and centrally switched for other groups of APs, in fact those placed on remote sites?
    I've tried configuring flexconnect groups, and ap groups, but no luck, I've found no way to override the globally configured flag "flexconnec local switching".
    I've also tried to create two identical wlans, one locally switched and the second globally switched, but the wlc refuses to activate the second one since it has the same ssid of the first one.
    Regards,
    Massimo. 

    Since you have vWLC all AP needs to be in FlexConnect mode (If you got a normal WLC you can keep HQ AP in local mode & Remote AP in Flex mode to achieve this)
    I think in your case you have to either choose "Central Switching" or "local switching" for your APs.
    Regards
    Rasika
    **** Pls rate all useful responses ****

  • Locally Switched / Centrally Switched on Flex Connect AP

    Hi All,
    Scenario (is this possible)
    I have HQ Site (Site A) -with the WLC
    I have a remote site (Site B) with one AP.
    Site A has Internet Breakout. Site B doesn't
    Is it possible with this one AP to have Multiple SSIDs, some of which are switched locally at the remote site and some which are switched centrally back at the HQ?
    E.G I want to have SSID for the data vlan at Site B. Any Laptop connecting to this is dropped onto the Data VLAN.
    I also want to have a GUEST SSID for Internet but have this traffic be tunneled back to HQ and use Internet Breakout there.
    Is this possible?
    Thanks

    On the advanced tab of the WLAN you can enable that SSID for FC Local Switching.  The AP then needs to be in Flexconnect mode.  You then go to the FC tab of the AP and define the local VLANs for the locally switched WLANs.  There will be 2 lists of SSIDs, locally switched and centrally switched.  Obviously you don't define VLANs for the centrally switched WLANs.
    Whatever you define on the AP will overwrite the interface on the WLC.
    AP Groups and FC Groups are not needed.

  • HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesnt fallback to local switching.

    Hi All,
    I am currently using a 4402 with the 6.0.196 image. The APs that I am using are 1130s.
    I have configured HREAP for Local switching, and it works very well. I am even able to do 802.1x
    Authentication after registering with ACS. Currently I am using only 1 SSID. That SSID is mapped
    to vlan 10 and my AP is on native Vlan 1. All the proper trunks and routing have been enabled.
    The issue I have is when I am trying to create a central switched WLAN that falls back to local
    switching once the controller is down. The only difference I made was to remove the "tick"/checkbox option
    for "local Switching" on the WLAN page.
    It is able to work if the controller is up, I am even able to get the IP network where the controller resides. However when
    I tested by disconnecting the controller, the client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
    and also WPA-PEAP-MSChapv2. Both fail miserably.
    Does this mean that I need to create 2 WLANs? One for Local Switching and the other for Central Switching on the HREAP mode
    APs. Can't I do it with just a single WLAN?
    Thank you.
    Warmest regards,
    Azzafir Ariff Patel.

    For h-reap, if you're doing centrally switched due to using EAP for authentication and the AP loses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-psk local switching should work even if the AP loses connectivity to the WLC since the h-reap AP will do the authentication.  Here is a link you have probably already seen:
    http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

  • How to have H-REAP broadcast only specific locally switched SSID's?

    I'm new to this H-REAP configuration, but in the main office we have about 6 WLANs.  I have a remote office which I want to have 2 new WLANs and have them switched locally.  How can I have the H-REAP APs at this site only broadcast those 2 SSIDs vs all 8?  I haven't really read anything about using AP Group VLANs with H-REAP or know if that's even possible, but is this a possibility and if not, what would you recommend?
    Thanks for the help!

    I may create another topic - but here it goes...
    I've decided to try to use an existing WLAN in the H-REAP config...
    -I've joined the AP to the remote controller, assigned it an IP, put it in H-REAP mode.
    -I chose a WLAN, enabled local switching
    -I went into the AP, configured the native VLAN, however, I CAN NOT change the vlan of the WLAN listed.  It always goes back to default.
    I verified the vlan exists on the switch, is routable, etc, the switch port is a member of that vlan, it is set as a trunk w/ 802.1q, etc.
    Any ideas on what would cause this?
    I am SOO close   Thanks!

  • Multiple VLANs per SSID with local switch

    Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode? 
    If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
    Thanks!

    Don't think it's possible...
    I donno if the following config will even work but u can have the hreap APs connected at the remote site to map to different vlans...
    Example:
    AP1 -- ssid 1 --- vlan 10
    AP2 -- ssid 1 --- vlan 11 and so forth..
    Sounds crazy but i ll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
    Sent from Cisco Technical Support iPhone App

  • Confused: Central Switching/Local Switching

    Was wondering if someone could explain local/central switching a little further, when it comes to HREAP/FlexConnect modes for CAPWAP AP's. 
    So in our environment, we're running 7.5.102.0 code on all of our WLC's.  We have a central WLC in two of our regions(US and Europe).  Each region provides internet services for the remote sites connected to it.  So a site in Chicago comes back to our central office over an MPLS for their internet services; just as a site in italy comes back to our central office in the UK for their internet service over MPLS.  These remote sites have AP's that are in FlexConnect mode back to the central WLC's. 
    My question......I understand that an AP in central switching mode tunnels the traffic back to the central controller, whereas local switching does not.  However, what does that mean?  If the WAN link goes down, how does local switching help?  The internet is still down, since that's how the internet is advertised back from the central location.  Does that just mean that local servers can be accessed, over wireless, since we are in local switching mode?  Same question for authentication;  Our AD servers are located at the central sites, with no AD servers at the remote sites.  In local authentication mode, how would an AP register a user, if the MPLS link is down?  Does it download some sort of cached directory for authentication? 
    Thanks for your help!

    Yes, in local switching mode, wireless client traffic is locally switched at the branch (you have to define their SVI on the branch switch) and they can access any branch resources while the WAN link is down. If internet service is provided by your central office, then they won't get internet services while your WAN link is down.
    If you configured local authentication, yes, the WLC will pass credentials (if the WLC has user credentials like WPA2-PSK or WEP) to the AP, where it can use them for local authentication. If you are using dot1x with RADIUS & AD, then you should have redundancy of these services in order for the Branch AP to use these in a situation where the controller is unavailable.
    Following design guide should help you to understand this
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1103070
    Here is some of my notes related to different modes of operation of H-REAP/FlexConnect, that should help you as well
    http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Flexconnect Local Switching Hosts Do Not Receive IP Addresses

    Hello,
    My WLC software version is 7.4.110.0. I have a branch office in my lab. The AP in my branch is configured as flexconnect with native VLAN of 700. The SSID that I have in the branch office is configured to do local switching. The show wlan is added below.
    My tunneled SSID still working and I can still receive IP addresses from it. My issue is last week I have the Flexconnect working with no problem, then this morning I can connect to the SSID, but I'm not receiving IP addresses for my test wireless clients.
    Thanks
    [code]
    WLAN Identifier.................................. 2
    Profile Name..................................... ACS Guest
    Network Name (SSID).............................. RMTGuest
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
      Client Profiling Status ....................... Disabled
       DHCP ......................................... Disabled
       HTTP ......................................... Disabled
      Radius-NAC State............................... Disabled
      SNMP-NAC State................................. Disabled
      Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Maximum number of Clients per AP Radio........... 200
    Number of Active Clients......................... 0
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    User Idle Timeout................................ 300 seconds
    User Idle Threshold.............................. 0 Bytes
    NAS-identifier................................... RK2WLC5508-01
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    WLAN IPv4 ACL.................................... unconfigured
    WLAN IPv6 ACL.................................... unconfigured
    mDNS Status...................................... Disabled
    mDNS Profile Name................................ unconfigured
    DHCP Server...................................... 172.28.27.130
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    PMIPv6 Mobility Type............................. none
    Quality of Service............................... Silver
    Per-SSID Rate Limits............................. Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Per-Client Rate Limits........................... Upstream          Downstream
    Average Data Rate................................   0                      0
    Average Realtime Data Rate.......................   0                      0
    Burst Data Rate..................................   0                      0
    Burst Realtime Data Rate.........................   0                      0
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
       Authentication................................ Disabled
       Accounting.................................... Disabled
       Dynamic Interface............................. Disabled
       Dynamic Interface Priority.................... wlan
    Local EAP Authentication......................... Disabled
    Security
       802.11 Authentication:........................ Open System
       FT Support.................................... Disabled
       Static WEP Keys............................... Disabled
       802.1X........................................ Disabled
       Wi-Fi Protected Access (WPA/WPA2)............. Enabled
          WPA (SSN IE)............................... Disabled
          WPA2 (RSN IE).............................. Enabled
             TKIP Cipher............................. Disabled
             AES Cipher.............................. Enabled
                                                                   Auth Key Management
             802.1x.................................. Disabled
             PSK..................................... Enabled
             CCKM.................................... Disabled
             FT-1X(802.11r).......................... Disabled
             FT-PSK(802.11r)......................... Disabled
             PMF-1X(802.11w)......................... Disabled
             PMF-PSK(802.11w)........................ Disabled
          FT Reassociation Timeout................... 20
          FT Over-The-DS mode........................ Enabled
          GTK Randomization.......................... Disabled
          SKC Cache Support.......................... Disabled
          CCKM TSF Tolerance......................... 1000
       WAPI.......................................... Disabled
       Wi-Fi Direct policy configured................ Disabled
       EAP-Passthrough............................... Disabled
       CKIP ......................................... Disabled
       Web Based Authentication...................... Disabled
       Web-Passthrough............................... Disabled
       Conditional Web Redirect...................... Disabled
       Splash-Page Web Redirect...................... Disabled
       Auto Anchor................................... Disabled
       FlexConnect Local Switching................... Enabled
       flexconnect Central Dhcp Flag................. Disabled
       flexconnect nat-pat Flag...................... Disabled
       flexconnect Dns Override Flag................. Disabled
       FlexConnect Vlan based Central Switching ..... Disabled
       FlexConnect Local Authentication.............. Disabled
       FlexConnect Learn IP Address.................. Enabled
       Client MFP.................................... Optional
       PMF........................................... Disabled
       PMF Association Comeback Time................. 1
       PMF SA Query RetryTimeout..................... 200
       Tkip MIC Countermeasure Hold-down Timer....... 60
    AVC Visibilty.................................... Disabled
    AVC Profile Name................................. None
    Flow Monitor Name................................ None
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    KTS based CAC Policy............................. Disabled
    Assisted Roaming Prediction Optimization......... Disabled
    802.11k Neighbor List............................ Disabled
    802.11k Neighbor List Dual Band.................. Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Multicast Buffer................................. Disabled
    Mobility Anchor List
    WLAN ID     IP Address            Status
    802.11u........................................ Disabled
    MSAP Services.................................. Disabled
    [/code]

    Is the VLAN still mapped on the AP, and allowed across the trunk?
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
