HREAP and cisco 5508
Dear Forum Members, I have found the link below, which is great, but I was wondering if you can provide some additional info.
http://www.cisco.com/en/US/partner/products/ps6087/products_tech_note09186a0080736123.shtml
The piece that is missing from the above document is the LAN/WAN side of the network.
How do I configure the switchport where the AP is terminated at the remote site?
What if I would like to have 2 SSIDs/VLANs, one for voice and one for data? That port, I assume, would have to be a trunk port, right?
Also, what are the best-practice commands I can use for QoS or anything else for voice?
Thank you and I do appreciate your help on this matter.
Take a look at this document in order to understand which H-REAP mode you are going to implement.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml
Then, if you are using local switching, you need to configure the AP to match the remote set of VLANs, and therefore configure the remote switch as a trunk with only the VLANs that you are going to use over that AP.
For voice over WiFi, here is the guide; there are a lot of details...
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/vowlan/41dg/vowlan41dg-book.html
let me know if it answers your questions.
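As an added example (not from this thread or from the Cisco documents linked above), here is one way to lay out the remote-site switchport and the matching H-REAP VLAN mapping for a locally switched voice SSID and data SSID. The VLAN numbers (10 for the AP's own CAPWAP/management traffic, 20 for voice, 30 for data), the switch interface, the WLAN IDs 1 and 2 and the AP name AP-REMOTE-01 are assumptions; the controller commands are the 7.0-era H-REAP CLI form.

```cisco
! --- Remote-site switch (Cisco IOS): port where the H-REAP AP terminates ---
! Assumed VLANs: 10 = AP management (CAPWAP to the WLC, untagged/native),
!                20 = voice SSID, 30 = data SSID
interface GigabitEthernet0/1
 description H-REAP AP AP-REMOTE-01
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 spanning-tree portfast trunk
!
! --- WLC (7.0 CLI): WLAN 1 = voice SSID, WLAN 2 = data SSID (assumed IDs) ---
! Local switching keeps client traffic at the remote site instead of tunnelling it to the WLC
config wlan h-reap local-switching enable 1
config wlan h-reap local-switching enable 2
! Put the AP in H-REAP mode (the AP reboots) and give it the same VLAN set the trunk carries
config ap mode h-reap AP-REMOTE-01
config ap h-reap vlan enable AP-REMOTE-01
config ap h-reap vlan native 10 AP-REMOTE-01
config ap h-reap vlan wlan 1 20 AP-REMOTE-01
config ap h-reap vlan wlan 2 30 AP-REMOTE-01
! Verify: each WLAN should now show "H-REAP Local Switching ... Enabled"
show wlan 1
show wlan 2
```

The native VLAN on the trunk must be the one the AP uses to reach the controller, since CAPWAP from the AP is sent untagged. Keeping the allowed-VLAN list restricted to the VLANs the AP actually maps, as the reply above recommends, limits what a compromised or misbehaving AP port can reach on the remote LAN.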
Similar Messages
-
Cisco 5508 Hreap - slow wireless throughput
I have a Cisco 5508 set up at a host site with 3 other sites connected using H-REAP on 1252 APs. When testing network speed I find that the throughput from the wireless to the wired network is about 18 Mbps, yet the same test on the wired side is 85-100 Mbps and wireless to wireless is 18 Mbps.
Any ideas what could cause this?
Hm, just guessing is hard. So ...
Can you upload the configuration?
Which standard do you use? .11n? Encryption method?
Were you the only one on the AP while taking the tests?
Have you tried some tests at various daytimes?
Any chances to check for interference or change channels?
Sebastian
-
We have a Cisco 5508.
We had problems with the connection of the first- and second-generation iPads. Firmware: 7.0.235.3. We cannot install firmware 7.x because we have a 1310 access point. But when we put firmware 7.2 on, the iPad still did not get wireless. Then we rolled back. It is interesting that it is only the first and second iPads that do not work. Everything else works. Played with TKIP instead of AES, did not help...
P.S. iPhone works.
(Cisco Controller) >show wlan 45
WLAN Identifier.................................. 45
Profile Name..................................... Test
Network Name (SSID).............................. Test
Status........................................... Disabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
Radius-NAC State............................... Disabled
SNMP-NAC State................................. Disabled
Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 6400 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ guestwifi
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Disabled
Quality of Service............................... Silver (best effort)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
WMM UAPSD Compliant Client Support............... Disabled
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... 802.11g only
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Global Servers
Accounting.................................... Global Servers
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Local Authentication................... Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
SIP CAC Fail Send-486-Busy Policy................ Enabled
SIP CAC Fail Send Dis-Association Policy......... Disabled
Band Select...................................... Disabled
Load Balancing................................... Disabled
Mobility Anchor List
WLAN ID   IP Address   Status
-
We have a corporate office where we have a 5508 WLC and 2 WiSMs (v7.0.116) and WCS (v7.0.172), and we are rolling out remote offices which will have 2 or 3 APs (1142N). I set up the first remote office with wireless using H-REAP and it's working well. When configuring the WLAN for the remote office we select an interface we created with the VLAN at the remote office. Now that we are preparing for the next remote office, can I use the same VLAN for the second office? For example, we are using local switching for a WLAN using VLAN 6 and will need the same at the second remote office.
Thanks for any help.
Jeff
If you are using FlexConnect and are on 7.2 or better code on the WLC:
http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_flexconnect.html#wp1247954
If you are not using FlexConnect, which you said you weren't, the traffic doesn't get locally switched; it is all handled at the WLC.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
HREAP and Dynamic VLAN assignment (MS NPS)
Hi All
Just a quick rundown of what I am trying to achieve.
We have a Cisco 5508 WLC (running AIR-CT5500-K9-7-0-116-0.aes). At the moment the WLC is controlling only 1 AP (Cisco 1142N LWAP). I want this AP to be placed at a remote site, and users that authenticate via the RADIUS (MS Windows 2008 NPS) server must be assigned their respective VLANs based on the Active Directory groups they belong to (staff, student, or guest).
The AP and dynamic VLAN assignment works 100% if the AP is in local mode. Authentication works, and dynamic VLAN assignment works. As soon as you change the AP to HREAP mode, dynamic VLAN assignment stops working, and the client gets assigned an IP of whatever VLAN is assigned to the SSID under the HREAP tab. Allow AAA Override is enabled on the main SSID that I am broadcasting.
I have read in some of the discussions that HREAP does not support dynamic VLAN assignment, but I haven't seen why this is not supported. Is this true with the latest version of WLC software as well? I cannot see why local traffic destined for a local resource must be sent via a WAN link to the controller, and then back over the WAN link again. This seems very inefficient.
Is there anybody that can confirm if this is in fact an HREAP limitation, and why (if so) it is a limitation, please? Any info would be much appreciated.
Regards
Connie
Do you perhaps know if there are plans for this limitation being addressed in the near future?
We are looking to deploy wireless end-to-end in all 6 of our sites, and your biggest competitor was penalized because they do not support this feature. It seems we're going to have to apply the same penalty in this respect to Cisco as well.
Thanks for the feedback, though!
Regards
Connie -
Microsoft Lync 2010 and Cisco APs
My company has extensively deployed Microsoft Lync Enterprise Voice, and this was an upgrade from OCS R2. Staff in my company have often complained of poor calls over wireless. I have resisted applying QoS for now until I fully understand how Cisco APs and WLCs implement QoS. I recently watched a video from Aruba Networks comparing the performance of Lync calls over its access points and Cisco access points. The Cisco setup was a 3500 AP and 5508 WLC with 7.0.116 code. There were also other bandwidth-consuming applications running in the background. I must say that I was impressed at how Aruba's access point performed over Cisco access points. This is because Aruba does application-specific QoS and not the traditional client or SSID QoS.
I am considering making a recommendation to management to go Aruba for the upgrade of a larger subsidiary. However, before I make such a recommendation, I have 2 questions:
1. I would like to know if Cisco has revamped its WLC code to better deal with Lync and, if so, I would be grateful if I could be shown any documentation or video on how to implement QoS to improve the Lync experience.
2. Also, if H-REAP is implemented, does the WLC still implement QoS, or does this have to be handled by the switch since packets are locally switched?
I currently have a mix of 5508 and 4404 WLCs with over 300 1041n APs.
Osita,
As far as I know, Cisco has not done any optimization specifically for Lync, but as long as Lync is using standards-based tagging for the latency-sensitive parts of the application (voice and video), then you can elevate your WLAN QoS setting to the appropriate metal to allow for elevated QoS-tagged traffic on that WLAN.
Keep in mind that the controller does not actively tag upstream client traffic, so even if you have clients doing other applications on their workstations over that WLAN, that traffic will not be re-marked from best effort to a multimedia QoS level. I.e., you can have a WLAN that shares both data and voice/video in a Lync environment.
If you want to learn WLC QoS from the best (IMO), here is Jerome Henry doing a 5-part video series explaining and implementing QoS on the WLC. It starts with Part 1, then goes to Parts 2-a, 2-b, 3-a and 3-b:
http://www.youtube.com/watch?v=44t-0JYEwkA&list=UUm3YBBhcJRokmAD1LaJg3hQ&index=15&feature=plcp
Locally switched HREAP traffic will come out into the switchport marked with the DSCP tag given to it by the application. It is up to you to configure proper end-to-end QoS on your network from there.
Justin -
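An added example, not from Justin's reply or from Cisco documentation, of the two halves of the setup he describes: raising the WLAN's QoS profile on the WLC so the voice/video traffic Lync has already marked is honoured, and trusting that DSCP where locally switched H-REAP traffic reaches the remote switchport and the WAN edge. WLAN ID 1, the interface names, EF (DSCP 46) as the marking Lync applies to audio, and the 20% priority figure are all assumptions.

```cisco
! --- WLC (7.0 CLI): WLAN 1 is assumed to be the SSID carrying the Lync clients ---
! Platinum is the voice profile ("Platinum (voice)" in show wlan). WMM "require"
! admits only WMM-capable clients, i.e. clients that can mark their own frames.
config wlan disable 1
config wlan qos 1 platinum
config wlan wmm require 1
config wlan enable 1
! Verify: "Quality of Service ... Platinum (voice)" and "WMM ... Required"
show wlan 1
!
! --- Remote-site switch (Cisco IOS): honour the DSCP the application set ---
! The controller does not re-mark upstream client traffic, so what the Lync client
! marked (assumed EF/46 for audio) is what arrives on the AP's port.
mls qos
interface GigabitEthernet0/1
 description H-REAP AP
 mls qos trust dscp
!
! --- WAN router (Cisco IOS): give the marked voice traffic a priority queue ---
class-map match-any LYNC-VOICE
 match dscp ef
policy-map WAN-EDGE
 class LYNC-VOICE
  priority percent 20
 class class-default
  fair-queue
interface Serial0/0
 description WAN link towards HQ / WLC
 service-policy output WAN-EDGE
```

Without "mls qos trust dscp" on the AP's port, a switch with QoS enabled rewrites the DSCP of incoming frames to 0, which silently undoes the marking the WLAN profile was meant to preserve; that is the first thing to check when a Platinum WLAN still shows poor call quality at a locally switched site.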
How can I set up 3 different VLANs on Cisco 5508
Dear Community Members,
I have a need to set up three (3) VLANs with different SSIDs for students, staff and visitors in a college.
The controller is a Cisco 5508 with Cisco 3502E-E-K9 APs.
Presently the wireless network is flat, with just one VLAN.
NB.
Staff would log in using their Active Directory username and password.
Students would log in using a username and registration number, possibly using a RADIUS server.
How best can I achieve this?
Since you are using a single VLAN, the point of having multiple SSIDs is lost, and the better approach will be using AD for both authentication and managing the Group Policy for both. In this way you can manage both students and staff. Kindly see the following links for step-by-step config and to understand Group Policy:
Server 2008/2012
http://jackstromberg.com/2013/05/tutorial-802-1x-authentication-via-wifi-active-directory-network-policy-server-cisco-wlan-group-policy/
Cisco document, Server 2003 (another one explaining the flow in detail):
http://www.cisco.com/en/US/products/ps6366/products_configuration_example09186a0080921f67.shtml -
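As an added example, not from this thread or from the linked tutorials, here is the controller-side configuration for the three-VLAN layout the question describes: one WPA2/802.1X WLAN for staff and students whose VLAN is chosen by the RADIUS server (Windows NPS) from the user's AD group, plus a separate guest WLAN with web authentication on the visitor VLAN. The VLAN numbers, addresses, interface and profile names, WLAN IDs and the shared-secret placeholder are all assumptions; the commands are the 7.x WLC CLI.

```cisco
! --- WLC CLI (7.x): one dynamic interface per VLAN (assumed numbering/addressing) ---
config interface create staff 100
config interface address dynamic-interface staff 10.100.0.2 255.255.255.0 10.100.0.1
config interface port staff 1
config interface dhcp dynamic-interface staff primary 10.1.1.10
config interface create students 200
config interface address dynamic-interface students 10.200.0.2 255.255.255.0 10.200.0.1
config interface port students 1
config interface dhcp dynamic-interface students primary 10.1.1.10
config interface create guests 300
config interface address dynamic-interface guests 10.30.0.2 255.255.255.0 10.30.0.1
config interface port guests 1
config interface dhcp dynamic-interface guests primary 10.1.1.10
!
! RADIUS server = Windows NPS (assumed address; <SHARED-SECRET> is a placeholder)
config radius auth add 1 10.1.1.20 1812 ascii <SHARED-SECRET>
!
! WLAN 1: WPA2/AES + 802.1X for staff and students. The default interface is
! "students"; with AAA override enabled, an NPS network policy for the staff AD
! group can return Tunnel-Type=VLAN, Tunnel-Medium-Type=802,
! Tunnel-Private-Group-ID=100 and the client is moved to the staff VLAN.
config wlan create 1 CollegeSecure CollegeSecure
config wlan interface 1 students
config wlan security wpa enable 1
config wlan security wpa wpa2 enable 1
config wlan security wpa wpa2 ciphers aes enable 1
config wlan security wpa akm 802.1x enable 1
config wlan radius_server auth add 1 1
config wlan aaa-override enable 1
config wlan enable 1
!
! WLAN 2: visitor SSID on the guest VLAN, open with web authentication
config wlan create 2 CollegeGuest CollegeGuest
config wlan interface 2 guests
config wlan security wpa disable 2
config wlan security web-auth enable 2
config wlan enable 2
!
! Verify the interface-to-VLAN mapping and the WLAN security summary
show interface summary
show wlan 1
show wlan 2
```

The trunk towards the controller has to carry VLANs 100, 200 and 300 for this to work. Note that AAA override only changes the VLAN for APs in local mode; as the H-REAP thread above records, a RADIUS-returned VLAN is not honoured on an H-REAP AP on that code, and the client lands in the VLAN mapped to the SSID instead.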
Redirect to web authentication not working on Cisco 5508 Wireless Controller
Hi,
I have a wlan with web authentication:
http://i55.tinypic.com/w145zk.png
and
http://i51.tinypic.com/344sfm0.png
When I connect to the SSID (I get correct IP from the Cisco 5508 Controller) and try to surf, I do not get redirected to the web authentication page (https://1.1.1.1/login.html), when I manually insert the URL I get "cannot display the webpage". Any idea?
The virtual interface is 1.1.1.1.
Here is a screenshot of interface and internal dhcp:
http://i52.tinypic.com/2vkm1d2.png
Any idea why clients are not redirecting?
Thanks!
Thanks for the reply dmantil!
When I changed the Virtual DNS name to 1.1.1.1 (the same as the IP), I get redirected if I use http://198.133.219.25, but not with http://cisco.com; I get redirected only if I use the IP.
I forgot to mention that the controller is in a lab with no access to a DNS server. Does the controller check if the domain is valid before redirecting users? I can't find any documentation on how the controller redirects users. -
Cisco 5508 external web authentication
Hi all,
Firstly, I do apologise as this question has been posted in another forum, I believe it is the wrong one though hence me posting here.
I am running a pair of Cisco 5508 controllers with 7.4.121.0 installed. We offer a guest Internet service to our user base and guests. To access the guest service a user must first authenticate via an externally hosted server; I won't go into the specifics, but it is a secure service with a valid, signed cert for the login page. The issue I am hitting is that when a user logs into the portal the controller cert is then displayed (2.2.2.2), which returns a cert error. It kind of makes the service look insecure when it isn't. I've read numerous articles about creating CSRs, etc. and loading certificates on the controller, but the issue we have is that we use externally hosted DNS servers for the service and they are refusing to create a DNS record. We can't use internally hosted DNS servers as this breaks our security policy. Is there any other way around this, or do I just have to have the user accept the cert error?
Thanks
I hear you and I was under the same impression. If I go through the steps I followed maybe it can be explained..
Upgraded the primary controller from 6.0.x to 7.0.x a, APs upgraded. Upgraded FUS to 1.9. Upgraded controller to 7.4.121.0, upgraded APs. APs joined the controller. Disabled WebAuth Secure Web. Followed same steps for secondary controller. Shutdown primary controller to test failover to secondary. APs did not failover. Waited 15 mins, debugged CAPWAP and saw nothing coming in. Brought primary back online, waited 15 mins, debugged CAPWAP and saw nothing coming in. Waited a further 15 mins. Still no APs joining. Enabled WebAuth Secure on the primary, and boom, all the APs joined the primary. Not sure if this was just a coincidence, but this was the behaviour I witnessed. I'm running a pair of 5508's.
I've not witnessed this before, but this is the first time I've disabled this setting. Understand it has nothing to do with APs joining and may just be a coincidence, but this is what I experienced. I ran out of time during the change window so couldn't test this further and try to simulate again, will try again when the next window becomes available. -
Cisco 5508-WLC using MS NPS as RADIUS Server for EAP-TLS
Has anyone experienced a problem getting a Cisco WLC to work with an MS NPS server? We've done it before, albeit with different code versions.
I have a Cisco 5508 WLC running 7.0.116.0 code hosting a WLAN configured for WPA2 with 802.1X for authentication. I have two Windows NPS servers configured as the RADIUS servers for EAP-TLS authentication. Via debug info on the WLC I can see the 802.1X handshake take place between the wireless client and the WLC, as well as a successful transmission of an Authentication Packet from the WLC to one of the RADIUS servers. However, on the WLC I see repeated "RADIUS server x.x.x.x:1812 deactivated in global list", and on the NPS server I'm seeing event log errors indicating "The Network Policy Server discarded the request for a user" along with the pertinent auth request info that I would expect the NPS server to receive from the WLC.
Based on the WLC debug info I'm never actually getting to the EAP-TLS certificate authentication part. It seems the NPS servers don't like the format of the initial RADIUS authentication request coming from the WLC and so don't respond, which in turn causes the WLC to switch to the other NPS server, which produces the same issue.
Any ideas of what might be the issue or misconfiguration?
Jim,
I wanted to know if you can setup wireshark on both of the boxes and see if your are hitting the following bug:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCti91044
It looks as if the WLC is retransmitting the client traffic from one RADIUS session with the primary over to the secondary, in which case the RADIUS State attribute that was assigned by the primary server is probably hitting the secondary server. Therefore, if the State attribute wasn't assigned by the secondary server, it will discard the packet.
May need to open a TAC case to see if this issue is on the 550x controllers also.
Thanks,
Tarik -
Cisco 5508 Firmware update 6.x 7.0.98 Questions
Hi guys,
I have not done an update on any Cisco gear since about 2001.
We have a Cisco services contract with IBM that supplies us access to the USB drivers, firmware etc., and we have a Cisco 5508 on 6.x running ~30 Cisco 1252s, some 1231s and (potentially) some 1262s once the firmware update is done.
We have a base-count license (permanent) of 50 APs, no expiry.
So I guess my questions are:
1) When flashing the new firmware, do the licenses require any sort of modification, or will they work as per normal?
2) Are any serial numbers or codes required to be entered once the 7.0.98 firmware is installed?
3) I assume that the old firmware/config becomes 2nd in line to the primary boot option of the firmware during the boot process?
Thanks
7.0.98.0 is deferred code.
Browse to deferred release on bottom:-
http://www.cisco.com/cisco/software/release.html?mdfid=282600534&flowid=7012&softwareid=280926587&release=7.2.110.0&relind=AVAILABLE&rellifecycle=ED&reltype=latest
Deferral Notice:-
Wireless Lan Controller (WLC) software version 7.0.98.0 is being deferred due to the following issue :
CSCtj21464 - WLC data plane core crashes, causing WLC reboot
http://www.cisco.com/en/US/docs/wireless/controller/release/notes/crn7_2.html
The 5500 supports 7.2 code, but the AP 123X is not supported on 7.2, and the 126x is supported from 7.0.116.0 code. It is suggested to update to 7.0.235.0. -
Hi all,
We recently installed a pair of Cisco 5508 controllers running 7.6.110.0. Right now I don't want to use the 'Redundancy' / 'HA' features, preferring instead to run with an Active/Standby pair controller through the HA tab configured in all APs.
As part of the upgrade to 7.6.110.0 we upgraded the secondary controller first, moved APs over one by one, then upgraded the primary. Right now I am having an issue moving the APs back to the primary. To confirm:
- the mobility group is the same on both devices
- mobility is up
- I am allowing MIC certificates
- AP fallback is enabled
- device names, etc all match as I appreciate there can be issues as this is case sensitive
As far as I was aware, that was all that needed to match for this to work. One thing I have noticed, however, is that if I go into Redundancy -> Global Configuration both the Primary and Secondary are defined as the 'Primary' redundant unit. I've not activated, at least I thought I had not activated, this level of redundancy. Could this be what is causing it? I'm a bit wary of changing this value as I believe the controller will reboot.
Can anybody shed any light on this? The intention was to eventually enable the redundancy and SSO, etc. but not right now.
Thanks
Hi Leo, Scott
So I was doing a bit more reading on this http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/69639-wlc-failover.html it is an old document but working through it the document suggested that you didn't need to specify the IP address of the Primary or Secondary controller in the Wireless -> All AP -> AP_NAME -> High Availability. I removed this from one of the APs that was at the time serving no clients and tried to move it to the secondary and it worked. I then moved it back to the primary and it worked again.
Any reason why this would happen? The IP addresses I was using were 100% correct. The only difference I see for this controller as opposed to others we manage is the introduction of new interface types, i.e. 'redundancy management', 'redundancy port', etc. I do not have redundancy enabled, so I'm guessing not, but having trawled through the configuration this is the only difference I can see. -
Cisco 5508 HA - Webauth Bundle for multiple SSID/multiple web pages
Hi Guys,
I have 2 x Cisco 5508 WLCs in HA mode. Both are running IOS 7.5.102.0. Everything is working perfectly fine.
I need to create 3 different SSIDs and create 3 different login pages for them. Each user from the respective SSID will get the specified login page. like
I have a few questions:
1) I have downloaded the webauth bundle from the Cisco Support site, and there are so many files in it. So based on my scenario, in which folder do I need to copy my login and logo file?
2) I have used PicoZip to convert the file to .tar format, but it is giving me the following error: "% Error: Webauth Bundle file transfer failed - No reply from the TFTP serve", yet I can ping my TFTP server easily.
3) As the controllers are in HA mode, once I am successful in uploading the webauth bundle, will it be replicated on the secondary controller, or do I have to turn off SSO and upload to both one by one?
Please help me out on this.
Cheers
Hello Sandeep,
I have uploaded the tar which you have sent to me. When I supply my username and password, after that it keeps on going and does not show any end result. So it stays on the same page and nothing happens after that.
Are there any more RADIUS ACLs to be defined? 10.10.13.x is the wireless client network, 192.168.10.21 is the RADIUS server, 192.168.10.215 is the proxy server. Is there any other ACL that needs to be defined?
Index  Dir  Source IP Address/Netmask       Destination IP Address/Netmask   Prot  Source Port  Dest Port  DSCP  Action  Counter
1      Any  10.10.13.0/255.255.255.0        192.168.10.21/255.255.255.255    Any   0-65535      0-65535    Any   Permit  0
2      Any  192.168.10.21/255.255.255.255   10.10.13.0/255.255.255.0         Any   0-65535      0-65535    Any   Permit  0
3      Out  10.10.13.0/255.255.255.0        1.1.1.1/255.255.255.255          Any   0-65535      0-65535    Any   Permit  0
4      In   1.1.1.1/255.255.255.255         10.10.13.0/255.255.255.0         Any   0-65535      0-65535    Any   Permit  0
5      Any  10.10.13.0/255.255.255.0        192.168.10.215/255.255.255.255   Any   0-65535      0-65535    Any   Permit  98
6      Any  192.168.10.215/255.255.255.255  10.10.13.0/255.255.255.0         Any   0-65535      0-65535    Any   Permit  98
DenyCounter : 12
-
What is the average memory usage for a Cisco 5508 with 500 APs (mostly 3502s) running 7.0.116.0 code? I am currently at 450 access points and have 80% memory usage; should I be concerned?
Tom,
I just had a 5508 in production hit 89% memory usage and crash… I have opened a TAC case and I will update once more information is available. The controller rebooted and came right back online at 56% memory usage; I suggest rebooting it during downtime.
Bill -
Cisco 5508 interface design problem
Cisco 5508 interface design
Now I have connected the WLC into the infrastructure as in the picture, but the AP can't register with the WLC. How do I create the interface for this diagram? Please help me, because the access switch is an unmanaged switch and I can't configure a trunk on it. Can this solution be installed or not?
Thank you for your best support.
samy
Why are your APs on different VLANs?
If you plan to create SSIDs on different VLANs then you will need a trunk port to the WLC, as the switch needs to pass tagged frames to it and the WLC needs to pass tagged frames back.
Out of interest, you are using a 5508, which is a fairly expensive piece of kit, yet you are connecting it to an unmanaged switch. Why?