HREAP - DHCP

Hello,
i currently have a wireless controller in HQ and Access points in branch office on H-REAP mode, connected over IPsec VPN, details provided below
everything is working fine except that my clients in branch office when connected over wireless gets DHCP address from HQ, i want these clients to get the DHCP address from the local branch office available subnet, is this possible.
Controller - AIR-WLC2125-K9 - version 7.0.235.0 
Access Point - AIR-LAP1131G-E-K9 - version 7.0.235.0 
I noticed a comment in the controller WLAN tab - advanced tab - "H-REAP Local Switching is not supported with IPsec, CRANITE authentication"
Please advise if there is any way to overcome this limitation, my branch office clients are getting DHCP address from the local subnet when connected over cable (LAN)
Attached screen shot from my controller showing the settings NOTE
Many thanks in advance.
Regards
SureshV

Yes that is possible, you don't need to worry about that comment:
Make sure that those AP's are in H-REAP mode
Enable the first checkbox from your screenshot (H-REAP Local Switching)
Configure the switchports connected to the AP's as trunks and allow the AP's own (native VLAN) and the VLAN for the clients
Configure on all of the AP's the mapping between the WLAN ID and local VLAN ID
The access-points who are still in local mode will still tunnel the client data back to the WLC. A side note: the hardware and software you are using is quite old and end of service, so please consider a replacement / upgrade.
Please rate useful posts :-)

Similar Messages

  • Clients not receiving DHCP IP address from HREAP centrally Switched Guest SSID

    Hi All,
    I am facing a problem in a newly deployed branch site where the Clients are not receiving DHCP IP address from a centrally switched Guest SSID. I see the client status is associated but the policy manager state is in DHCP_REQD.
    The dhcp pool is configured on the controller itself. The local guest clients are able to get DHCP and all works fine, the issue is only with the clients in the remote site. The Hreap APs are in connected mode. Could you please suggest what could be the problem. Below is the out of the debug client.
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Adding mobile on LWAPP AP 3c:ce:73:6d:37:00(1)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Reassociation received from mobile on AP 3c:ce:73:6d:37:00
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'Guest-ACL' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific IPv6 override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying IPv6 Interface Policy for station 10:40:f3:91:7e:24 - vlan 81, interface id 13, interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 Applying site-specific override for station 10:40:f3:91:7e:24 - vapId 17, site 'APG-MONZA', interface 'vlan_81'
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1393)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 3c:ce:73:6d:37:00 vapId 17 apVapId 1
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfMsConnTask_3: May 24 13:26:49.372: 10:40:f3:91:7e:24 apfMsAssoStateInc
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfPemAddUser2 (apf_policy.c:222) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Idle to Associated
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 49) in 28800 seconds
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sending Assoc Response to station on BSSID 3c:ce:73:6d:37:00 (status 0) ApVapId 1 Slot 1
    *apfMsConnTask_3: May 24 13:26:49.373: 10:40:f3:91:7e:24 apfProcessAssocReq (apf_80211.c:4672) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Associated
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 4183, Adding TMP rule
    *apfReceiveTask: May 24 11:35:53.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
      type = Airespace AP - Learn IP address
      on AP 3c:ce:73:6d:37:00, slot 1, interface = 13, QOS = 3
      ACL Id = 255, Jumbo F
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 7006  IPv6 Vlan = 81, IPv6 intf id = 13
    *apfReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (ACL ID 255)
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 Sent an XID frame
    *apfMsConnTask_3: May 24 13:26:49.401: 10:40:f3:91:7e:24 Updating AID for REAP AP Client 3c:ce:73:6d:37:00 - AID ===> 1
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 12) in 10 seconds
    *osapiBsnTimer: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:4897) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Associated to Disassociated
    *apfReceiveTask: May 24 13:28:59.315: 10:40:f3:91:7e:24 Scheduling deletion of Mobile Station:  (callerId: 45) in 10 seconds
    *osapiBsnTimer: May 24 13:29:09.315: 10:40:f3:91:7e:24 apfMsExpireCallback (apf_ms.c:599) Expiring Mobile!
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Sent Deauthenticate to mobile on BSSID 3c:ce:73:6d:37:00 slot 1(caller apf_ms.c:4981)
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsAssoStateDec
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 apfMsExpireMobileStation (apf_ms.c:5018) Changing state for mobile 10:40:f3:91:7e:24 on AP 3c:ce:73:6d:37:00 from Disassociated to Idle
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [3c:ce:73:6d:37:00]
    *apfReceiveTask: May 24 13:29:09.316: 10:40:f3:91:7e:24 Deleting mobile on AP 3c:ce:73:6d:37:00(1)
    *pemReceiveTask: May 24 13:29:09.317: 10:40:f3:91:7e:24 0.0.0.0 Removed NPU entry.

    #does the client at the remote site roams between AP that connects to different WLC?
    #type 9 is not good.
    *pemReceiveTask: May 24 13:26:49.373: 10:40:f3:91:7e:24 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x0
    #Does your dhcp server getting hits.
    #Also, get debug dhcp message & packet.
    #Dhcp server is not responding.
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout
    *apfReceiveTask: May 24 13:28:49.315: 10:40:f3:91:7e:24 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.

  • AP HREAP NOT WORKING - NO DHCP, NO INTERNET ACCESS

    Current Setup
    WLC  > WAN < AP
    AP is in HREAP mode
    The Wireless SSID shows up at the remote site
    Clients can associate to the SSID on the AP (HREAP)
    But it's not handing out DHCP address
    From the AP (HREAP mode) I cannot ping the WLC (connected via WAN link)
    From the AP (HREAP mode) I cannot ping any network on the remote site.
    I can access the WLC remotely.
    From the WLC i can ping default gateway for the AP dhcp server
    From the WLC i cannot ping the AP
    On the WLC i cannot see any AP
    AP2-1262#show capwap reap association
    SSID: WirelessWLAN on Dot11Radio1
    bssid: f4ea.67c1.618e  Mode: 0x192, WLAN: 2 , VLAN name: 002   VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    SSID: WirelessWLAN on Dot11Radio0
    bssid: f4ea.67c1.6181  Mode: 0x192, WLAN: 2 , VLAN name: 002   VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    Please HELP
    Thanks!

    First off, makes sure the h-reap ap is connected to a trunk port. The native vlan on the trunk port should be the vlan the ap management is on. Now on the WLAN SSID, make sure local switching is enabled in the advanced tab. Go to the h-reap ap and there is a tab on the top that says either h-reap or FlexConnect. Enter the native vlan and hit apply. Go back to that page and click on vlan mapping. Now set your WLAN SSID to the vlan out at the remote site you want to put traffic on.
    If you want traffic to come back to the wlc, then you do not need to enable local switching in the WLAN said advanced tab. Your traffic will be tunneled back to the wlc and placed on the interface you chooses in the WLAN general page.
    Sent from Cisco Technical Support iPhone App

  • AP HREAP NOT WORKING - NO DHCP, NO INTERNET

    Current Setup
    WLC > WAN < AP
    AP is in HREAP mode
    The Wireless SSID shows up at the remote site
    Clients can associate to the SSID on the AP (HREAP)
    But it's not handing out DHCP address
    From the AP (HREAP mode) I cannot ping the WLC (connected via WAN link)
    From the AP (HREAP mode) I cannot ping any network on the remote site.
    I can access the WLC remotely.
    From the WLC i can ping default gateway for the AP dhcp server
    From the WLC i cannot ping the AP
    On the WLC i cannot see any AP
    AP2-1262#show capwap reap association
    SSID: WirelessWLAN on Dot11Radio1
    bssid: f4ea.67c1.618e Mode: 0x192, WLAN: 2 , VLAN name: 002 VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    SSID: WirelessWLAN on Dot11Radio0
    bssid: f4ea.67c1.6181 Mode: 0x192, WLAN: 2 , VLAN name: 002 VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    Please HELP
    Thanks!

    Kelly,
    You post is confusing.
    1. How was your AP able to dowload it's code if there was no connection to the WLC?
    An AP firstly gets an IP via dhcp or statically configured and then it searches for a WLC. If the AP doesn't see any WLC, it can never come up. The status lights will keep flashing red and orange.
    Since your clients have a layer 2 connection, then that means the AP is up and working with the connection to the WLC. Your problem is solely layer 3.
    Check you local vlan mapping on the HREAP AP to ensure that the client vlan is correct. Also check your routing table by using 2 commands on your router: 1.Show ip protocols
                                                     2. Show ip route

  • HREAP, Local Switched WLAN and DHCP Address required

    Hi All,
    if i have configure an HREAP AP with a local switched Wlan with "dhcp ADDRESS REQIRED", from my understanding a client will be provided with an ip address from the hreap local infrastructure. How will the controler ensure that no static ip client is able to access the network?
    Any Help Welcome.
    Regards, Michael

    I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimumally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safe guards" someone putting a static address on their box ...
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html

  • HREAP and DHCP

    Hi All,
    I have a Cisco 4402 wireless controller and I am trying to set up HREAP to dump traffic off locally.  I have the HREAP function working as I can see my wireless MAC address on the correct vlan in the MAC table on various switches.  The problem, the Wireless NIC isn't recieving a DHCP address.  I have verified that my pool is operational.  I connected a laptop to the same switch that the WAP is connected to and it pulls an IP address from that VLANs DHCP pool. 
    What am I missing?  Another question is what interface to I set up for this WLAN?  If it is going to be at a remote office, what should it be set to?
    Thanks,
    Chris

    I went to go add a virtual interface on VLAN 14 and that brought down my access to the WLC.  I rebooted and now I can pull IP addresses at my office.  I have this WLAN in my Corporate office and now it is working just fine.  I have now applied this WLAN to a remote office WAP (will be using the same vlan, just differnet subnet) and it won't pull an IP address.  Again, I can see the MAC address on the swtich that is directly connected to the router with the IP Helper address and it still can't pull an IP address.  This is a different switch from which the WAP is connected.  If I plug a laptop into the same switch that the WAP is connected to, it pulls an IP address not problem.

  • How can local & Hreap attached clients get the correct DHCP address

    I am going to have a single private SSID that can be used by clients in our local AP's office and by h-reap clients on AP's in the foreign offices.
    All clients will authenticate via a radius server but how do I ensure that the local and remote clients will be given a dhcp address from their relevant local dhcp server?
    What setting are required to ensure this happens.
    I require Cental Authentication and local switching.
    I have a 2112 WLC and 1131LWAP's
    Thanks in advance
    Richard

    You just have to have a dhcp server listening wherever you're putting the clients.  You can change which vlan a ssid is mapped to on a per-AP basis.  So if your remote office uses vlan 50 for workstations you just need to change the vlan mappings for the AP(s) to 50, then make your AP port a trunk on whatever switch you're plugging into.  Then as long as you have a dhcp server listening on that AP, clients will get an IP from it.

  • Wireless and guest network and HREAP

    Hi,
    I have inherited a wireless infrastructure which comprises of a head office with WCS and WLC plus LWAPP access points.
    There is a sub office in another town who wishes to deploy a wireless infrastrucure and it struck me that as they only want to deploy a couple of AP's that HREAP would be good to use in this senario.
    However they want to also use the guest wireless network that we have in the head office but I dont want their guest traffic to come to our DSL modem that we have set up for the HO guest wireless. The two offices are connected via an MPLS link which doesnt need anymore traffic on it.
    Is there a way of configuring the HREAP and the WLC and WCS so that the sub office breaks out locally for guest and yet the lobby admin at HO can control the password?
    Many thanks,

    Hi Nell,
    the feature you are looking for is "H-REAP local switching".
    So you can set the remote AP to H-REAP mode (which optimizes it for "behind a WAN link") and from there you can set several ssids as "local switching".
    this means that everything about the authentication phase is handled by WLC but after authentication, the traffic is dropped locally at the AP and doesn't transit through the WLC.
    The guest SSID has to be enabled for local switching and then, on the H-REAP APs, go in the AP configuration (from WLC "wireless" tab, then click on ap) and in the hreap tab, you can configure the vlan where the guest traffic will be dropped on  the remote site. It must be a vlan that exists on the remote site and users will get a DHCP address on that vlan.
    Regards,
    Nicolas

  • Branch Office & HREAP & local Internet breakout

    Hi,
    I´m planning right now a local Guest Access breakout for a Branch Site which is connected over
    a HREAP AP to a centraliced WLC . If I have it correctly understand then  I´ve to do following:
    1. Creat a Guest SSID on the centralized WLC ( 5508 )  / enable local switching for this SSID
    2. Create a Guest VLAN on the Branch Site with a local Internet breakout
    3. Configure a Trunk port for the HREAP AP on the Branch site ( 1 VLAN for  Corportate SSID/ local switching   and 1x VLAN for Guest
    with local Internet breakout )
    Can I use the WLC as DHCP server for the Guest  SSID or should I use a local DHCP server ? I know about a feature
    "central DHCP Processing "  but I never used this before and it is not 100% clear if this can help me in this case.
    Thanks for help.

    Check these docs:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81680-hreap-modes.html
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/71250-h-reap-design-deploy.html
    Regards

  • HREAP not working correctly

    I have a 4404 with 1242's running 6.0.199.0 all ap's are in HREAP mode(at remote sites).
    When the controller goes down all users are disconnected.
    The SSID in question is using WPA-PSK & has HREAP local switching enabled.
    the clients get local IP Addresses and switch locally, just fine, until the controller goes down, then all clients are disconnected immediately.
    it was my understanding that when the controller went down, authentication and switching would continue.
    not sure if i missed something somewhere.
    Thanks for any help in advance.

    That shouldn't happen.  As long as you are sure you have local switching and also mapped the AP's ssid to a local vlan, then the ap will have a connection to that local subnet no matter if the WLC is up or down.  Are you sure you mapped the vlan in the h-reap tab on the AP?  I have a test h-reap ap that is configured from a WLC then moved to another subnet where it will never join the WLC again and it works fine using WPA2/PSK.  Again... not know how everything is setup, can you verify that the local dhcp server is issuing the address and not something else? 

  • WLC 5508 Internal DHCP server issues

    Hi,
    I am hoping to get your feedback around the dhcp issues I am facing with Two Centrally Switched Wireless LANs. I have tried to explain the setup and the problems below and would appreciate it if anyone can suggest a solution for the problems I am facing:
    The setup is as follows:
    - I have a WLC 5508 which has been configured with 4 SSIDs, out of which 2 are using Central Authentication and Switching.
    - I have an LWAP connected to the WLC in HREAP mode.
    - WLC is configured as the DHCP server for clients connecting to the SSID 'Guest'. For the rest, I am using external dhcp server.
    - Only one scope for Guest Interface is setup on the WLC. 
    Problems:
    1. As far as I know, for WLC to act as internal dhcp server, it is mandatory to have the proxy enabled, but the Clients connecting to SSID 'Internet' are
    unable to get an ip address from the external dhcp server, if dhcp proxy is enabled on the WLC. If i disable the proxy, it all works fine.
    2. DHCP does not release the ip addresses assigned to clients even after they are logged out.
    3. If a machine which was earlier connected to 'Guest' SSID connects to the 'Internet' SSID, it requests the same ip it was assigned by the WLC which it was assigned under 'Guest', but gets tagged with the Vlan configured on the management interface.  
    ************Output from the Controller********************
    (Cisco Controller) >show sysinfo
    Manufacturer's Name.............................. Cisco Systems Inc.
    Product Name..................................... Cisco Controller
    Product Version.................................. 7.0.116.0
    Bootloader Version............................... 1.0.1
    Field Recovery Image Version..................... 6.0.182.0
    Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
    Build Type....................................... DATA + WPS + LDPE
    (Cisco Controller) >show interface summary
    Interface Name                   Port Vlan Id  IP Address         Type        Ap Mgr        Gu                                                                            
    est
    guest                                        1    301      10.255.255.30    Dynamic   No              No                                                                            
    management                          1    100      172.17.1.30        Static          Yes            No                                                          
    service-port                              N/A  N/A      192.168.0.1       Static         No               No                                                                            
    virtual                                        N/A   N/A      10.0.0.1              Static         No               No                                                                            
    (Cisco Controller) >show wlan summary
    Number of WLANs.................................. 4
    WLAN ID  WLAN Profile Name / SSID               Status    Interface Name
    1        LAN                                    Enabled   management
    2        Internet                               Enabled   management
    3        Managment Assets          Enabled   management
    4        Guest                                  Enabled   guest
    (Cisco Controller) >show dhcp detailed guest
    Scope: guest
    Enabled.......................................... Yes
    Lease Time....................................... 86400 (1 day )
    Pool Start....................................... 10.255.255.31
    Pool End......................................... 10.255.255.254
    Network.......................................... 10.255.255.0
    Netmask.......................................... 255.255.255.0
    Default Routers.................................. 10.255.255.1  0.0.0.0  0.0.0.0
    DNS Domain.......................................
    DNS.............................................. 8.8.8.8  8.8.4.4  0.0.0.0
    Netbios Name Servers............................. 0.0.0.0  0.0.0.0  0.0.0.0
    (Cisco Controller) >show interface detailed management
    Interface Name................................... management
    MAC Address...................................... e8:b7:48:9b:84:20
    IP Address....................................... 172.17.1.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 172.17.1.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 100
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. 172.30.50.1
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... Yes
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show interface detailed guest
    Interface Name................................... guest
    MAC Address...................................... e8:b7:48:9b:84:24
    IP Address....................................... 10.255.255.30
    IP Netmask....................................... 255.255.255.0
    IP Gateway....................................... 10.255.255.1
    External NAT IP State............................ Disabled
    External NAT IP Address.......................... 0.0.0.0
    VLAN............................................. 301
    Quarantine-vlan.................................. 0
    Active Physical Port............................. 1
    Primary Physical Port............................ 1
    Backup Physical Port............................. Unconfigured
    Primary DHCP Server.............................. Unconfigured
    Secondary DHCP Server............................ Unconfigured
    DHCP Option 82................................... Disabled
    ACL.............................................. Unconfigured
    AP Manager....................................... No
    Guest Interface.................................. No
    L2 Multicast..................................... Enabled
    (Cisco Controller) >show dhcp leases
           MAC                IP         Lease Time Remaining
    00:21:6a:9c:03:04    10.255.255.46    23 hours 52 minutes 42 seconds        <<<<<<< lease remains even when the client is disconnected.
    *********Example of Client connected to the right Vlan with an ip address from the incorrect interface. *************
    (Cisco Controller) >show client detail 00:21:6a:9c:03:04
    Client MAC Address............................... 00:21:6a:9c:03:04
    Client Username ................................. N/A
    AP MAC Address................................... a0:cf:5b:00:49:c0
    AP Name.......................................... mel
    Client State..................................... Associated
    Client NAC OOB State............................. Access
    Wireless LAN Id.................................. 2                 <<<<<<<<   'Internet' SSID
    BSSID............................................ a0:cf:5b:00:49:ce
    Connected For ................................... 319 secs
    Channel.......................................... 36
    IP Address....................................... 10.255.255.46      <<<<<<< IP address assigned from the 'Guest' Interface or dhcp scope on the WLC
    Association Id................................... 1
    Authentication Algorithm......................... Open System
    Reason Code...................................... 1
    Status Code...................................... 0
    Session Timeout.................................. 1800
    Client CCX version............................... 4
    Client E2E version............................... 1
    QoS Level........................................ Silver
    802.1P Priority Tag.............................. disabled
    WMM Support...................................... Enabled
    Power Save....................................... OFF
    Mobility State................................... Local
    Mobility Move Count.............................. 0
    Security Policy Completed........................ Yes
    Policy Manager State............................. RUN
    Policy Manager Rule Created...................... Yes
    ACL Name......................................... none
    ACL Applied Status............................... Unavailable
    Policy Type...................................... N/A
    Encryption Cipher................................ None
    Management Frame Protection...................... No
    EAP Type......................................... Unknown
    H-REAP Data Switching............................ Central       <<<<<<<<<
    H-REAP Authentication............................ Central       <<<<<<<<<<
    Interface........................................ management
    VLAN............................................. 100           <<<<<<<<<<< right Vlan
    Quarantine VLAN.................................. 0
    Access VLAN...................................... 100

    Hi All,
    I have a similar issue where Wireless clients are not receiving automatic addressing from an internal DHCP server. I have multiple interfaces configured on the WLC which are connected to separate VLANS. The manually specified DHCP primary server entry is the same on all interfaces. Some clients are able to authenticate and receive automatic IP configuration but some clients are failing the address assignment process. I have checked connectivity between the WLC and DHCP server, this is confirmed as working. When I carry out a "debug dhcp packet enable", I get the following outputs which seems as if the DHCP discover request from the client is skipped. Your thoughts and inputs on this are appreciated.
    DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: message type = DHCP DISCOVER
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 116 (len 1) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 61 (len 7) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: requested ip = 169.254.223.5
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 12 (len 13) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: vendor class id = MSFT 5.0 (len 8)
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 55 (len 11) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option: 43 (len 2) - skipping
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP options end, len 76, actual 68
    *DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP Forwarding DHCP packet (332 octets) packet DHCP Socket Task: Nov 07 11:16:09.174: 00:22:fb:7b:37:32 DHCP option len (including the magic cookie) 76
    Thanks,
    Raj Sandhu

  • WLC 5508 and Multiple DHCP servers in different sites?

    Hi
    I work for health authority in our region and we just purchased a Cisco wlc 5508 controller along with 25 3500 AP's. We have multiple sites with different IP subnets in each, all connected by a frame relay (owned by ISP). Each site has its own DHCP server. I have the controller in our main site. So when I take an AP to a remote site, the Ap gets an DHCP address from local DHCP server (which is great) and contacts controller and joins controller. Everything is good. BUT, when a client joins at the remote site, it gets an address from a previous site which will not work because the client is now on a different subnet. We dont use Vlans as they dont transvers the frame relay. I need those clients to obtain DHCP from the local DHCP server from the site they are on. Is that possible??
    I have updated the controller to latest version as well.
    Thanks
    Bryan Yaciuk, CCNA
    Parkland Regional Health Authority

    We call this as HREAP LOCAL SWITCHING!! but here is the catch.. everytime the AP joins the new site.. we need to configure the VLAN mapping and this wil do it for you!! Here is the link which will resolve ur issue..
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00807cc3b8.shtml#ll
    Lemme know if this answered ur question and please dont forget to rate the usefull posts!!
    Regards
    Surendra

  • Restrictions ACL for Wireless AP to WLC in HREAP Desgin Setup

                       Hello, Everyone  I have Wireless HREAP setup in which the Wireless LAN Controllers (WLC) are located across the WAN in DataCenter while the Wireless Access Points (AP) are located within the branches, so setup is fine but as security requirement mandates that the APs VLAN in the branch should be restricted from accessing any thing except neccessary communication to WLC across the WAN so on the interface VLAN assigned for the APs in the branch i Applied an inbound ACL as below and it works fine but after some times my be days i found that the Access points are not present in the WLC GUI and it will appear only if i removed the ACL...............So question here what else is missing in my ACL which is neccessary for AP communication to WLC?
    Extended IP access list HO_AP_Restrictions
        10 permit udp any host (WLC 1 IP) eq 12222
        20 permit udp any host (WLC 1 IP) eq 12223 (58563 matches)
        30 permit udp any host (WLC 1 IP) eq 5247
        40 permit udp any host (WLC 1 IP) eq 5246 (58563 matches)
        50 permit udp any host (WLC 2 IP)  eq 12222
        60 permit udp any host (WLC 2 IP)  eq 12223 (22270 matches)
        70 permit udp any host (WLC 2 IP)  eq 5247
        80 permit udp any host (WLC 2 IP)  eq 5246 log (22270 matches)
        90 permit udp any host (ap-manager 1 IP)  eq 12222
        100 permit udp any host (ap-manager WLC 1 IP)  eq 12223
        110 permit udp any host (ap-manager WLC 1 IP)  eq 5247 (440902 matches)
        120 permit udp any host (ap-manager WLC 1 IP)  eq 5246 (1950854 matches)
        130 permit udp any host (ap-manager WLC 2 IP)  eq 12222
        140 permit udp any host (ap-manager WLC 2 IP)  eq 12223
        150 permit udp any host (ap-managerWLC  2 IP)  eq 5247 (360037 matches)
        160 permit udp any host (ap-manager WLC 2 IP)  eq 5246 (1484968 matches)

    Thanks Amjad Abdullah and sorry for late reply i was on sick leave
    Actually the issue was due to the ACL, which was blocking the DHCP (how stupidly I overlooked that)
    I have did the same command as you instructed and it reveal that AP has timed out, so I have enabled debugging on ACL to see what kindly of communication is going on and I found many communication which I was keep allowing it based try and error till I found this log that Some APs IP address are trying to communicate to the default VLAN gateway IP address on port 67 which is DHCP then I realized this is the issue.....
    In brief....the APs are assigned to a dynamic VLAN (DHCP-enabled) so when I apply the old ACL, the APs already has obtained an IP addresses and they work fine with WLC, but when the DHCP lease timer expires, the APs try to send DHCP renew to the default gateway in which no ACE inside the ACL is matching so that request being denied and therefore doesn't get an IP address so it loses communication with the WLC....
    So I added the following ACE at the end of the above ACL
    permit udp host 0.0.0.0 any eq bootps
    NowI will always remember.......Security comes with cost

  • HREAP - Local switching

    Hi All,
    I have a working WLC with several HREAP AP's all Woking as they should, my question is what happens to dhcp requests when an AP is configured for HREAP local switching with no VLan support enabled ( connected to an access port not a trunk)? The local VLan has a dhcp helper address configured for an external DHCP server When a wireless client connects does all the traffic get dropped directly onto the local VLAN (in my case VLAN 10) or does any traffic transverse through the controller? I ask this because on the advanced setting page of the WLAN I have ticked DHCP REQ, how does the controller determine if the wireless client has a valid IP if the DHCP request is being supplied by the local VLAN.
    I was under the impression that the control and data planes are separated?
    Thanks in advance for any replies.
    Sent from Cisco Technical Support iPhone App

    You are correct, it gets dumpped on your vlan 10. As for your very specific question, thats a great question and I dont know that I have the anwser. Perhaps someone else like Steve, Leo or Scott can reply if they tested it.
    Im going to take a stab in the dark and say perhaps the ap makes sure it sees a dhcp req packet come in before it allows the client to get into the run state.
    OR, its doesnt work.
    OR, if that check box is marked, perhaps the ap relays some type of response back to the WCL ...
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

  • HREAP VLAN Mapping

    /* Style Definitions */
    table.MsoNormalTable
    {mso-style-name:"Table Normal";
    mso-tstyle-rowband-size:0;
    mso-tstyle-colband-size:0;
    mso-style-noshow:yes;
    mso-style-priority:99;
    mso-style-parent:"";
    mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
    mso-para-margin-top:0cm;
    mso-para-margin-right:0cm;
    mso-para-margin-bottom:10.0pt;
    mso-para-margin-left:0cm;
    line-height:115%;
    mso-pagination:widow-orphan;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";
    mso-ascii-font-family:Calibri;
    mso-ascii-theme-font:minor-latin;
    mso-hansi-font-family:Calibri;
    mso-hansi-theme-font:minor-latin;
    mso-bidi-font-family:"Times New Roman";
    mso-bidi-theme-font:minor-bidi;
    mso-fareast-language:EN-US;}
    Hi,
    I've searched around to see if someone else has experienced the same issue regarding HREAP AP's losing their VLAN mappings; however I could not find any related topics.
    Scenario
    I've got a 5508 WLC running ver 7.0 with local VLANs assigned as follow:
    VLAN 241 - Data Users
    VLAN 253 - Voice Users
    The HREAP AP's (Cisco 1242AG) running at the remote branches is mapped to the following:
    VLAN 2 - Data Users
    VLAN 253 - Voice
    The Problem...
    HREAP works perfect; users get the local DHCP addresses at the branch office and have no issues with connectivity. Once and a while some of the HREAP AP's will lose the VLAN mapping I've assigned to them. In this case I've mapped VLAN 2 to the SSID for the Data Users, I will get complaints that users can't connect to the network when I go check the HREAP AP's VLAN mapping it defaulted back to VLAN 241 (the same VLAN the local AP's at head office use for the same SSID). Of course with the Voice SSID I don't have this problem as it's using the same VLAN ID as head office.
    Once I've corrected the mapping everything works perfect.
    Why...
    I just want to know why this happens, I've rebooted the AP's to see if they retain the mappings and they did. I've seen in the HREAP design deployment that it is preferred to use the same VLAN ID's of the head office where the WLC is located as for the same to the branch offices where the HREAP AP's are located.
    I can see why as this will resolve my problem, however this network was designed without the knowledge of HREAP being deployed to the remote sites and I would like to minimize change from a LAN perspective.
    Will this be my only solution by standardizing the branch office VLAN ID's the same as the head office network or should I be able to use different VLAN ID's for the branch offices?
    Thanks for your time reading this and for your input. If you know any discussion regarding this, please add the url.
    Regards
    Jurgens

    Hi,
    I'm having the same problem. And I have two WLCs (WISM) with 7.0.220 version.
    I think because of this BUG: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtw92394&from=summary
    Anyone knows how can I solve this problem?
    I Have 42 HREAP APs, and when I have some link problem on the remote Branch and the AP lose for a few seconds Connectivity to the 1º Controller its loses the VLAN Mappings (all turned to the Native VLAN).

Maybe you are looking for

  • ORA-06502 while running a function in a report

    Hi guys, I am having a problem executing this function in my report to get the beg balance for my statment. any idea as why -- the error I am getting is ORA-06502 Thanks ========================================================= function CF_OPNE_BALFo

  • Best Car Stereo for iPhone 3g

    I'm about to buy a new car stereo and really want a unit that will play nice with my iPhone 3g. I've been looking at the Alpine ida-X100, but it doesn't support the iPhone natively. I've heard that it works, but it sounds like there is the possibilit

  • Best way to set up user to hide pages in a fillable form once complete.

    I have created an 11 page fillable PDF form from a word document that will be used for Mentors. The last page (11) is a summary page with fields automatically populated from various preceeding pages. Once the form has been filled out, I'd like the us

  • WebRowSetImpl and & in xml output

    When a string column value in a table has a '&' (ampersant) sign in it, WebRowSetImpl.writeXml(OutputStream) does not escape that character in the resulting xml. A table with value Eve & Adam results in <columnValue>Eve & Adam</columnValue> instead o

  • Whiteboard & Powerpoint share failing !!

    Hello All, I am having issues with sharing the Whiteboard and Powerpoint with external users. The error which I am getting is "Some sharing features are unavailable due to server connectivity issues" which seems to be a generic error. I cant say if t