H-REAP Mode

Similar Messages

• Does WiSM 6.0.196.0 suport AIR-LAP1131AG-N-K9 in H-REAP mode

  Hello,
  I have WiSMs running code version 6.0.196.0. I have to deploy AIR-LAP1131AG-N-K9 in H-REAP mode.
  Q1. Does AIR-LAP1131AG-N-K9 require CAPWAP or can run off of LWAPP?
  Q2. Does anyone know how to find out if a WLC is running LWAPP or CAPWAP?
  Q3. If one has to convert LWAPP to CAPWAP, how is it done?
  Thanks
  Bo

  Hi,
  Q1. Does AIR-LAP1131AG-N-K9 require CAPWAP or can run off of LWAPP?
  A1. The AP will run CAPWAP as soon the WLC is running a CAPWAP image. There is nothing special to do on the AP, once it joins the WLC, the WLC will check the image on the AP and if using a diferent one, the WLC will push the correct image to the AP that matchs the WLC version.
  Q2. Does anyone know how to find out if a WLC is running LWAPP or CAPWAP?
  A2. CAPWAP was introuduced in WLC version 5.2 and all versions above are running CAPWAP software.
  •If  your firewall is currently configured to allow traffic only from access  points using LWAPP, you must change the rules of the firewall to allow  traffic from access points using CAPWAP.
  •Make  sure that the CAPWAP UDP ports 5246 and 5247 (similar to the LWAPP UDP  ports 12222 and 12223) are enabled and are not blocked by an  intermediate device that could prevent an access point from joining the  controller.
  •If  access control lists (ACLs) are in the control path between the  controller and its access points, you need to open new protocol ports to  prevent access points from being stranded.
  Q3. If one has to convert LWAPP to CAPWAP, how is it done?
  A1. On the APs nothing has to be done. Once the WLC is running CAPWAP software, it will automatically push the corresponding AP software to the AP.
  WLC runs CAPWAP if the software version is earlier then 5.2. WLC version 5.2 and all versions above are running CAPWAP software.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Different between H-REAP mode & Office Extention in Cisco AP

  What is the different between H-REAP mode & Office Extention .
  Hope both created for remote branch support , but it seems only H-REAP can route the data traffic locally & forwards control traffic to remote WLC.
  This Office extend feature forwards both Data & Control traffic to office WLC.
  Is my understanding correct ..please help me.

  Hello,
  As per your query i can suggest you the following solution  -
  Hybrid Remote Edge Access Point (H REAP) is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. The H REAP access points can switch client data traffic locally and perform client authentication locally when the connection to the controller is lost. When connected to the controller, H REAPs can also tunnel traffic back to the controller.
  The Office Extend AP (OEAP) is a specific submode of H-REAP, and is supported on the Cisco Aironet 1130AG, 1140, and 3500i (not 3500e) APs. You can also use the Cisco Aironet 600 AP, which is a model dedicated to the OEAP mode. This dual-band (2.4-GHz and 5-GHz) AP supports 2 corporate SSIDs and 1 home SSID, up to 15 clients, and offers 5 Ethernet ports at the back (1 uplink port, 1 corporate VPN port, and 3 local switch ports). Other OEAP-capable APs support 16 SSIDs (15 corporate SSIDs and 1 personal SSID).
  Hope this will help you.

• AP in H-REAP mode

  Hello,
  few questions regarding the H-REAP mode:
  1. How many H-REAP mode AP's can be configured for 1 location?
  2. Does H-REAP AP need some special settings from the network side? no NAT, static IP etc.?
  3. which interface does the H-REAP AP should "see"? the management or the AP-Manager? or both?
  Thanks in advance!

  Jeff -
  YES, you CAN perform H-REAP with NAT. However, as fella5 already mentioned, you can't do it with just plain old NAT, you must use static NAT and you cannot alter the destination ports. You should still be able to use multiple VLANs and trunks, but that will have to be routed by the time it hits the internet, and obviously won't work with standard SOHO equipment. I have tried this with a Netscreen firewall, and although I haven't had time to make it work, the join request made it to the controller. I used an additional public IP and only opened the necessary ports in the firewall for that IP. If I remember, the ports are 16666,16667,12222,12223 and 97. Here is an excerpt from the H-REAP Design and Deployment Guide (URL below):
  -Regards,
  Scott
  http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#new
  Does H-REAP work behind a NAT? In a deployment where Static NAT is used, can the WLC and H-REAP AP be placed behind Static NAT?
  Yes, for the AP. Make sure that the AP source ports are not changed during the operation time by the NAT device. Normally with static NAT, it is not an issue. However, take these points into consideration:
  There are two main NAT'ed UDP dialogs between the AP and controller: LWAPP data and LWAPP control.
  Source port in the AP is a temporary dynamic port (>1024). In the controller, it is a fixed destination port (12222, 12223).
  UDP translations are based on timeouts. This means that a current entry is left created for an X amount of time then deleted if not used, which is based on the timeout (could be shorter or longer depending on which is your NAT device).
  LWAPP control is active. In general, you would expect that it will send one packet each 30 seconds (echo keepalive). Thus, for NAT translations for LWAPP control, you can assume that it will keep the NAT timeout refreshed.
  LWAPP data only sends traffic if there is activity. For APs without any clients around, the LWAPP data NAT translation entry can expire (for example, more than 90 seconds without activity), and the NAT device creates a new entry if the AP sends new traffic. If the new entry is the same source port number, then you will not have any problems. However, if the UDP source port changes, then the WLC will drop it, as now the LWAPP data tunnel information no longer matches what was created before when the AP joined controller.
  Therefore, it works as long as your NAT device preserves the UDP source port for traffic between the AP and the WLC at all times, even after UDP translation has expired due to no activity. If not, the data traffic is dropped, and you will end with the AP joined to the controller, but no data traffic for wireless clients.

• Client Association in H-REAP mode - getting 0.0.0.0

  I am experiencing issues with clients not getting ip addresses when they connect to an access point in H-REAP mode. There are 2 WiSMs at our headquarters and various 1242's around the world that connect back to the WiSMs. The most common reoccurrence of this issue seems to occur at the Bogota, Colombia location. The access point will be operating normally and the clients pull addresses from their local subnet (the AP is in H-REAP mode); at some point in the day, the AP will not assign ip addresses anymore and clients just pull 0.0.0.0. I am not sure if the AP is just going into standalone mode and cannot authenticate new clients because it cannot build a successful tunnel to the controller. I enabled H-REAP Mode AP Fast Heartbeat Timer State and tweaked the timeout, but it does appear to have remedied this issue. Is there any limitation on how many H-REAP AP's can be connected to a controller?
  The WiSMs are running version 5.2.178.0 code.

  Hi,
  I am having the same problem that client show an 0.0.0.0 address but when i check the mac address in the router i can see that the mac address binds to an ip address and i can ping the client on this ip address. So for my issue the client has an ip address which works but it does not show in the controller. In this network we are also using static wep keys so it is not an issue that the client has to authenticate first. Another strange thing is that some of the clients show an ip address and some do not and this is on the same access point.
  /Daniel

• WLC4402 and 104x H-REAP mode

             Hi,
  Is there is is any posibility to run WLC4402 and 104x family in H-REAP mode.
  Some documantaion says yes , some no. What is the true?
  Marcin

  7.0 or later release on controller is enough.
  check this:
  http://www.cisco.com/en/US/partner/prod/collateral/wireless/ps5678/ps11203/data_sheet_c78-609338.html

• APCisco 1242 LAP in H-REAP mode.

  Hello,
  I 've two questions for the h-REAP mode on a WLC2100 (7.0.98.0) with 1242 Cisco :
  first: what the maximun number of clients can connect on a H-REAP LAP ?
  second: I've configured one WLC with 4 LAP Cisco 1242 in H-Reap mode: the power level of 4 LAP are configured in auto global configuration TPC.
  But I don't understand why the power level is still on 1 after installing ?
  Thank you for your Help.
  Regard.
  Lorenzo

  Maximum amount of clients has always been in the past 15-25.  However, it depends on your users.... you can have 3 users that do file transfers and that would be you limit.  SO your max number of client can vary depending on your users bandwidth requirements.
  As for h-reap, look at this section:
  http://www.cisco.com/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#t7

• Blocking SSID selectively in H-REAP mode

  Hi,
  We have deployed 500 access-points in 100 sites using 8 controllers.  SSID is switched locally and access-points are in H-REAP mode.
  Customer wanted us to host one more SSID, which will be used in only 10 sites. It will be using pre-configured user-name and password for authentication.
  1. How to block the SSID from advertising to remaining 90 sites? If I configure any SSID in controller, it is pushed to all 100 sites. How to block SSID selectively.
  2. Is there anyway to apply the acl on this SSID in local switching
  Thanks,
  Ramesh

  Ramesh:
  I think you asked question 2 as a suggested solution to question 1, right?
  So if we resolve question 1 the question 2 can be ignored.
  As Steve mentioned, you only add AP groups and that is it.
  Here is a config example: http://tiny.cc/j7tqcw
  Although config example shows old versoin, it is still be applicable to newer versions (with some few differences). But if you know the concept you'll be able to do it with no problems.
  Ask if you got to any issue while configuring this.
  Good luck.
  Amjad

• WCS problem roaming H-reap

  Hello
  I have a problem with my wcs and my controller, I have ap H-Reap mode with cisco 7921 connected to it. My problem is roaming takes 3-4 seconds to switch to another antenna but not all the time.
  Here is my config: 5500 WCL 7.0.116.0 / 7.0.172.0 WCS / AP 1242 H-mode Reap / Phone 7921 /
  I broadcast the SSID WVOICE on other ap Cisco 3500 mode LOCAL and there is no problem
  This is the log file
  Tanks your help
  Enzo

  i've done a bit more testing and the results have me really scratching my head.  If I switch the vlan assignment
  company -> 1
  companypriv 91
  then both work.  but my guest wlan is now getting an internal IP and my priv wlan is now getting a public IP.
  If I set them
  company -> 91
  companypriv -> 91
  only companypriv gets a public IP, company doesn't at all
  If i set them
  company -> 1
  companypriv -> 1
  both wlans work and get internal ip addresses.
  so it seems to be that the company wlan will only work with vlan 1.  That does happen to be the native vlan for hte AP to work with capwap too but that shouldn't matter

• Does ISE 1.1 support TACACS and H-REAP?

  Hello,
  Does ISE1.1 support TACACS/TACACS+ and H-REAP mode ?
  Also, customer wants to have quick access to the corporate network with some few laptops without going through the Actice Directory? Any suggestion on this?
  Thanks
  Olu

  EAP-TLS does not rely on AD.
  CA root cert is installed on ACS for trust and identity.
  you can elect to Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory
  Users and Identity Stores >
  Certificate Authentication Profile >
  Edit: "CN Username"
  see the checkbox at the bottom.
  I do EAP TLS machine auth only without integrating AD into the policy at all.
  hth,
  jk

• How to have H-REAP broadcast only specific locally switched SSID's?

  I'm new to this H-REAP configuration, but in the main office we have about 6 WLAN's.  I have a remote office which I want to have 2 new WLAN's and have them switched locally.  How can I only have the H-REAP AP's at this site only broadcast those 2 SSID's vs all 8?  I haven't really read anything about using AP Group VLAN's with H-REAP or know if that's even possible, but is this a possibility and if no,t what would you recommend?
  Thanks for the help!

  I may create another topic - but here it goes...
  I've decided to try to use an existing WLAN in the H-REAP config...
  -I've joined the AP to the remote controller, assigned it an IP, put it in H-REAP mode.
  -I chose a WLAN, enabled local switching
  -I went into the AP, configured the native VLAN, however, I CAN NOT change the vlan of the WLAN listed.  It always goes back to default.
  I verified the vlan exists on the switch, is routable, etc, the switch port is a member of that vlan, it is set as a trunk w/ 802.1q, etc.
  Any ideas on what would cause this?
  I am SOO close   Thanks!

• Guest Access and H-REAP

  I have 30 1242 LWAPPs on my network. Six of these are operating in H-REAP mode as they are outside of our main campus area in other states. We use two WLANs on our wireless network.
  One of the WLANs is for all company users and the other is a guest network run off our anchor controller in the DMZ. The 24 APs that are in local mode have very few issues, but more often than not, when someone tries to connect to my guest network on an AP that is running in H-REAP mode I have to reboot the AP in order to get them authenticated.
  This happens about 75% of the time. There are some cases when it just works and I have no issues, but those are few and far between.
  Does anyone have any idea why this may be occuring?

  Are you seeing any errors when the clients try to connect to the guest network? Does it happen with all the LAPs? We will need more information to troubleshoot this issue.

• REAP Configuration Questions

  I have a site in which I would like to configure my 1030 in REAP mode on my WLC4124. I want all of the traffic to stay local. What I'm thinking is that I create an interface with the local vlan at the remote site on the controller (40) then create an AP Group and associate our main WLAN SSID to the new vlan40 interface. Then I apply the AP Group to the 1030 destine for the remote site and turn on REAP mode. Does that make sense? I want to make sure this is done correctly as I'm mailing the thing and will not be there to get the AP up and running should it not come up.
  Thanks,
  Bryan Kent

  It's actually a bit of a shame to have that fast 1TB as your system drive, as the ideal is keep the system drive clean, except for OS and programs. Still, it's fast, and that counts.
  My workstation is set up this way:
  C:\ OS and programs with part of Page File
  D:\ Media and other part of Page File
  E:\ Projects and Scratch Disks in Project folder structure
  F:\ Exports Video
  G:\ Audio files
  H:\ Media storage
  Gigabit NAS media archival storage. I bring these Assets onto D:\ as copies, so I am never working with originals - other than Capture files from tape, but I archive my tapes, in case I have to recapture
  I also have 2 multi-drives of different brands and a couple dozen 2TB FW-800 externals for archiving Projects, or for transporting Project between the workstation and my laptop.
  I tested my Page File and found the best results on the workstation with it fixed and split. The next best was fixed and on D:\. It differs machine to machine, as it's better fixed and on D:\ on my laptop with 3 identical 200GB SATA II's. Given your C:\'s speed and size, I'd experiment with it fixed and on C:\ to see what performance increase, or hit, you take.
  Good luck,
  Hunt

• H-REAP maximum RTT requirement?

  Our wireless controllers & WiSM's are deployed centrally.
  We set up all our LWAPP AP's in H-REAP mode to take advantage of local switching, so that clients can access local resources w/o having to traverse all the way to the WiSM's and then back to the remote sites.
  One WiSM cluster is deployed in the east coast, and one in the West Coast, because we were told the RTT for H-REAP should be <100ms.
  We were told as long as we increase the EAP timer, H-REAP would work coast to coast.
  My questions are:
  Has anyone done it?
  If it's true and works, exactly what variables and parameters should we set in terms of EAP?
  (WISM) config>advanced eap ?
  advanced eap ?
  eapol-key-timeout                          Configures EAPOL-Key Timeout in seconds.
  eapol-key-retries                             Configures EAPOL-Key Max Retries.
  identity-request-timeout             Configures EAP-Identity-Request Timeout in seconds.
  identity-request-retries                Configures EAP-Identity-Request Max Retries.
  key-index                                            Configure the key index used for dynamic WEP (802.1x) unicast key (PTK).
  max-login-ignore-identity-response Configure to ignore the same username count reaching max in the EAP identity response
  request-timeout                              Configures EAP-Request Timeout in seconds.
  request-retries                                 Configures EAP-Request Max Retries.

  Hi John,
  Good news!
  The support for the number of H-Reap AP's increased to 8 in the WLC 4.0.206.0 Release :)
  These additional changes are available in controller software release 4.0.206.0:
  •Client roaming with multicast packets is now supported.
  •Up to 10 access points can be concurrently upgraded from the controller.
  •***Hybrid REAP can now be used with up to eight access points.
  From these release notes;
  http://www.cisco.com/en/US/docs/wireless/controller/release/notes/cont402060rn.html#wp201506
  Hope this helps!
  Rob

• WLAN H-REAP Problem

  Hi,
  I have a problem with a wireless deployment using cisco 1130AG access points and a 4402 WLC. The network setup composes of 2 branch offices. The main office has 3 APs together with the controller. The branch office has 5 APs which are all in the H-REAP mode. They want to use 3 SSIDs in the branch office each with its own VLAN and each has to obtain an IP from a local Windows 2000 DHCP server. I have already configured the 3 VLANs as well as the 3 SSIDs. One SSID worked well. Users can connect to this SSID and they are given an IP on a 192.168.137.0 subnet. In the other 2 SSIDs, users can't get an IP address. I have already configured trunk ports on the switch ports to which the APs are connected. I have also done the VLAN Mapping on the WLC. I don't know why in the other 2 SSIDs users still cannot get an IP. I have also tested on obtaining an IP from those VLANs or subnets in the LAN and there was no problem.
  If anyone has already tried this, and has made it work, tell me the things that I should still do.
  Thanks!

  Hi Ankur,
  Yes, the native VLAN on the branch office is 137. The ports to which the APs are connected are already configured as trunk ports with native vlan 137. The H-REAP APs are also configured with native VLAN 137. The H-REAP APs already got their IP address from the local Windows DHCP server. I have also tried to set a static IP on a laptop connected to that SSID, but the problem is it cannot ping any IP on that subnet, even the gateway. One odd thing is that the controller shows that the client is authenticated if an IP address is set on it.