HREAP & Local mode configuration for one SSID

I'm looking to provide one SSID Corporate access to multiple sites using HREAP. My question is it possible to configure one SSID and switch the traffic locally?
I have a controller in the main site that provides one SSID for Corporate access (AP's in Local mode) and would like to have the same SSID used at the remote sites, only difference is the break out locally.
Do I need to configure the HREAP interface on the controller if it is switching locally at the remote site? If so what interface should it be? I thought it would be locally anyway?

yes, you can do this.
In the WLAN, select HREAP Local switching. This does not mean that the WLAN is always locally switched, just that it can be.
Put the AP that need to be HREAP/FlexConnect in that mode, reboot, then map the WLAN to the approrpriate VLAN for that site.
For the AP that you want to do central switching, just leave them as they are.
Steve

Similar Messages

Is it possible to run TWO parellel configurations for one Object??

SAP Gurus,
We have a strange requirement from the client to have to configurations established in the system for one configuration object.
Without taking much of your time let me paraphrase the requirements.
The client is having two different types of putaway strategies in their current business process. And they toggle between these putaway strategies by reaching out to their production support group and they make configuration changes to have the other put away strategy
One Step Putaway: GR area --> High Rack Storage
Two Step Putaway: GR area --> Interim storage (area at the end of each aisle of high rack storage) --> High Rack
Client wants to have two parallel configurations for both of these put away strategies and needs an ability to switch from one to another. This switching ability should be accessed from SAP screen without any IT intervention (no configuration)
- Switching ability should allow the warehouse manager to change from one step to two step put away strategies without any IT intervention.
- Switching ability should be accessed my SAP Screen (Z-transaction or something with a radio button to toggle around)
Is it possible to have two configuration made for Putaway Strategies and switch them on/off depending on the warehouse needs??
Your invaluable feedback on this will be highly appreciated.
Thanks again folks,
Dhaval
Edited by: Dhaval Joshi on Mar 4, 2008 12:09 PM

Q1--I don't believe it is possible. An organization can have multiple licenses tied to its main email address, for example, but then they are assigned to the individual users.
Q2--Yes, you would just need to log out of your account within the CC desktop app prior to logging in on the other account.
If you have any questions, feel free to reach out.

Address field configuration for one-time customer FB70

Hi,
I understand there is more address field entered (street2, street3, street4) during the sales order creation VA01 for one-time customer. However, i hardly find the configuration to open more address field for one-time customer if user raise FI-invoice via FB70. Do you have any idea?
Thanks.

Thanks Mauri.
I understand that address field of FB70 are linked to BSEC table whereas address field of sales order creation (va01) for one-time customer, the latter linked to ADDR1_data and having the Street2, 3, 4 provided in the pop-up screen.
I am wondering is there anyway to have more address field for the FB70 since my client will have longer 'street' name so that the dunning will take place properly for one-time customer.
Thank you so much

Please verify the CSS and SCA configuration for one-armed transparent mode

I have a problem to configure one-armed transparent mode. I cannot access the server with "https://9.9.9.1" even "http://9.9.9.1:80" and "http://9.9.9.1:81" operational. looks CSS cannot communicate properly with SCA.
I couldn't figure out from CCO sample configuration. please correct the attached configuraiton.
Thanks,
** connectivity ********
<client>----<router>----<CSS>---<SCA>,<Server>
- client=7.7.7.100
- router's e0/0=7.7.7.1, e0/1=8.8.8.3(connect to VLAN2 of CSS)
- SCA=11.11.11.100, connect to VLAN3 of CSS
- server=10.147.153.12 and 10.147.153.15 on the same box, connect to VLAN4 of CSS
** configuration *********
CSS11050# sh run
!Generated on 01/01/2079 00:00:47
!Active version: ap0500105
configure
!*************************** GLOBAL ***************************
acl enable
ip route 0.0.0.0 0.0.0.0 11.11.11.100 1
ip route 7.7.7.100 255.255.255.255 8.8.8.3 1
ip route 7.7.7.200 255.255.255.255 8.8.8.3 1
!************************* INTERFACE *************************
interface e2
bridge vlan 2
interface e3
bridge vlan 3
interface e4
bridge vlan 4
interface e5
bridge vlan 4
!************************** CIRCUIT **************************
circuit VLAN1
ip address 9.9.9.2 255.255.255.0
circuit VLAN2
ip address 8.8.8.2 255.255.255.0
circuit VLAN3
ip address 11.11.11.1 255.255.255.0
circuit VLAN4
ip address 10.147.153.1 255.255.255.0
!************************** SERVICE **************************
service ING_SVC_12
protocol tcp
ip address 10.147.153.12
active
service ING_SVC_15
protocol tcp
ip address 10.147.153.15
active
service ING_SVC_SCA
port 443
protocol tcp
ip address 11.11.11.100
type transparent-cache
no cache-bypass
active
service upstream
ip address 8.8.8.3
type transparent-cache
active
!*************************** OWNER ***************************
owner ING_OWNER
content cnt_443
add service ING_SVC_SCA
protocol tcp
port 443
vip address 9.9.9.1
active
content cnt_80
add service ING_SVC_12
add service ING_SVC_15
protocol tcp
port 80
url "/*"
vip address 9.9.9.1
active
content cnt_81
add service ING_SVC_12
add service ING_SVC_15
vip address 9.9.9.1
protocol tcp
port 81
url "/*" <-- If I configure url "/secure/*", not working "http://9.9.9.1:81" from client.
active
!**************************** ACL ****************************
acl 1
clause 10 permit any any destination any
apply circuit-(VLAN1)
acl 2
clause 10 permit any any destination any
apply circuit-(VLAN2)
acl 3
clause 10 permit any any destination any
apply circuit-(VLAN3)
acl 4
clause 10 permit any any destination any
apply circuit-(VLAN4)
ING_SCA# sh run
# Cisco SCA Device Configuration File
# Written: Sun Feb 6 01:12:54 2106 MST
# Inxcfg: version 4.1 build 200211151311
# Device Type: CSS-SCA
# Device Id: S/N 11aca8
# Device OS: MaxOS version 4.1.0 build 200211151311 by reading
### Mode ###
mode one-port
### Interfaces ###
interface network
auto
end
interface server
auto
end
### Device ###
ip address 11.11.11.100 netmask 255.255.255.0
hostname ING_SCA
timezone "MST7MDT"
### Password ###
password idle-timeout 15
### SNTP ###
sntp interval 86400
### Static Routes ###
ip route 0.0.0.0 0.0.0.0 11.11.11.1 metric 1
### RIP ###
no rip
### DNS ###
no ip name-server
no ip domain-name
### Telnet ###
telnet enable
### Web Management ###
web-mgmt port 80
no web-mgmt enable
### SNMP Subsystem ###
no snmp
### SSL Subsystem ###
ssl
server ING create
ip address 9.9.9.1
localport 443
remoteport 81
key default
cert default
secpolicy default
sslv2 enable
sslv3 enable
tlsv1 enable
session-cache size 20480
session-cache timeout 300
session-cache enable
no clientauth enable
clientauth verifydepth 1
clientauth error cert-other-error fail
clientauth error cert-not-provided fail
clientauth error cert-has-expired fail
clientauth error cert-not-yet-valid fail
clientauth error cert-has-invalid-ca fail
clientauth error cert-has-signature-failure fail
clientauth error cert-revoked fail
sharedcipher error failhtml
ephemeral error failhtml
no httpheader client-cert
no httpheader server-cert
no httpheader session
no httpheader pre-filter
httpheader prefix "SSL"
ephrsa
keepalive frequency 5
keepalive maxfailure 3
no keepalive enable
end
end

the problem is the routing.
You need a route for the client pointing to the SCA like this
ip route 7.7.7.100 255.255.255.255 11.11.11.100 1
This is so the reply from the server to the client goes back to the SCA first
for encryption.
Gilles.

VLAN assignment depending on AP for one SSID

Hi,
I read the AP Group VLANs with WLC configuration examples but did not find exactly what I look for. I'm on a WLC 5500.
I try to create AP groups which broadcast a set of SSID, but inside AP groups, depending on the AP on which the connection is made, i want to assign a specific VLAN for the clients.
If connection is made on SSID1 and AP1 -> one VLAN, for example VLAN_SSID1_AP1
same for SSID1 and AP2 -> another VLAN, for example VLAN_SSID1_AP2
I want to assign some VLANs to one of my networks to get local IPs depending on the AP.
The VLAN are all defined as dynamic interfaces, currently the SSID matches one VLAN, but i did not find how to do this assignment. I cannot define a VLAN for a network(SSID) and an AP.
Thanks for your ideas,
Christophe

You need to create two AP Groups. Both will have the SSID, but AP Group #1 will have SSID mapped to vlan 1 and AP Group #2 will have SSID mapped to vlan 2. Then you add the appropriate ap's to which group you want.

Multiple Local Product Categories for One ECC Material Group

Hello experts,
I have a question regarding Product Categories. I am using an Extended Classic Scenario and so, I retrieve Material Groups from the backend. Nevertheless, in order to have a more accurate split than ECC Material Groups in SRM, I would like to create local Product Categories which point on the same ECC Material Group. Eg. :
ECC Material Group
- SRM Product Category 1
- SRM Product Category 2
I saw that I can create this kind of structure in COMM_HIERARCHY and I updated it in the PPOMA_BBP (I set * for backend and for SRM).
Nevertheless, when I create a SC, I can not find the local Product Categories I created?
Do you know how I could process?
Thanks for your help
Patrick

Hi Patrick,
Looks like you got confused in understanding the concept.
You can not create a Local product category (material group) from a back end product category.
You can have both backend R/3 material groups and local product categoris (material groups) parallelly.
That means in COMM_HIERARCHY for R3MATCLASS hierarchy you have two nodes created under that, one for backend material groups and the other for local material groups.
In stand alone scenario or de-coupled scenario you can use local product categories and not in Extended classic and Classic scenarios.
For accessing a local product category you should have a local P.Org, local P.Group and the users should be assigned to these local P.Orgs or P.groups.
If you have such a setting in your org. structure then you can create S.Cs for local Product categories and local materials.
Hope this makes you more clear in understanding the issue.
Clarifications are welcome.
Award points for helpful answers.
Rgds,
Teja

Long delay for add-in saving emails with Cached Exchange Mode off for one user's Exchange account

Hello,
Before I start, I have asked questions in the Outlook Developer forum and was referred here as it appears to be an Exchange Server problem that I am experiencing, not related to Outlook or the add-in that I am developing.
I am an Outlook developer with an Outlook add-in that adds MAPI properties to emails and then calls MailItem.Save to save the changes.
The add-in uses the Internet Message ID MAPI property for some functionality, so I have to turn turn Cached Exchange Mode off to ensure that my functionality works correctly for the Sent Items folder (otherwise no Message ID property exists).
This process works fine for 99% of users.
I have one particular user that has a huge delay (~1 minute) when MailItem.Save is called for items in his account. He is using an Exchange account. If I switch Cached Exchange Mode on there is no longer a delay (as no communication with Exchange Server). The
user does not have an excessively large Mailbox.
The problem is not caused by the network or communication path to the server as the problem exists on any computer where other users are ok.
I'm sure the problem is not caused by my add-in, but likely a problem with the user's Exchange account. Does anyone have any suggestions on how I may be able to resolve the delay and what might be causing it?
Thanks
Glen Thomas

Hello,
Before I start, I have asked questions in the Outlook Developer forum and was referred here as it appears to be an Exchange Server problem that I am experiencing, not related to Outlook or the add-in that I am developing.
I am an Outlook developer with an Outlook add-in that adds MAPI properties to emails and then calls MailItem.Save to save the changes.
The add-in uses the Internet Message ID MAPI property for some functionality, so I have to turn turn Cached Exchange Mode off to ensure that my functionality works correctly for the Sent Items folder (otherwise no Message ID property exists).
This process works fine for 99% of users.
I have one particular user that has a huge delay (~1 minute) when MailItem.Save is called for items in his account. He is using an Exchange account. If I switch Cached Exchange Mode on there is no longer a delay (as no communication with Exchange Server). The
user does not have an excessively large Mailbox.
The problem is not caused by the network or communication path to the server as the problem exists on any computer where other users are ok.
I'm sure the problem is not caused by my add-in, but likely a problem with the user's Exchange account. Does anyone have any suggestions on how I may be able to resolve the delay and what might be causing it?
Thanks
Glen Thomas

DIFFRENT SUBNET IS POSSIBLE OR NOT FOR ONE VLAN

Hi ,
i have a client they have main office and some 10 branches connected via 1 mbps link .
We put new WLC 5508 in main office (software version 6.0.199.4) and i connected braches 1142 ap's and they registerd with WLC .
Now client have 3 ssid 1> scanners 2>network 3> guest
They want to show same ssid in all branches no single change requried on ssid .
suppose the scanners connecte in main offcie via mac filtering and they will get ip range 192.168.1.0
and when from branch a there they have different range they should get 172.16816.0 range .
the ssid network will be acs authentication and ssid guest will be preshared key . All the ssid ip range will be differnt in branches but they want same ssid . Is it possible.( Can any body give me the steps )
Also one more issue am facing is . in MAIN OFFICE switch vlan 600 for ssid scanners range 192.168.1.0
and in branch same vlan 600 for ssid scanners ip range is 172.168.16.0 . so am getting some error when i save in WLAN SSID enable and save .

Hi,
If you have all your WLANs centrally switched then you can use AP groups:
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml
If you have local switching enabled for the SSID then you may need to use HREAP groups. You can override the VLAN in each branch office to use a local significant VLAN. You need DHCP server in each bran office for this.
Here are some useful links:
http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70hreap.html#wp1133688
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml#HREAPGROUPS
HTH
Amjad

Invoice Layout configuration for a specific customer within a sales org.

Hi,
I have a situation where the invoice layout need to be configured for one particular customer within a sales org in a different style from rest of the customers.
Could someone let me know how to do it please.
Thanks.
Best regards,
Srikrishhna

By u201Cinvoice layoutu201D, I assume you mean layout of the print output. If so, then
u2022     Set up a new output type as a copy of your standard output type. Assign an access sequence containing customer.
u2022     Add the new type to your active output determination procedure and assign an appropriate requirements routine (if any).
u2022     Assign a layout set (smartform, sapscript, adobe, etc.) that meets your customeru2019s requirements.
u2022     Maintain the condition record.
And away you go.
Regards,
zKen

Design: different AP Groups for different SSIDs?!

Imagine I have different requirements for the AP Groups for different SSIDs
I suppose I can't have different AP Groups for different SSIDs?!
Imagine I have to many Clients to use one single VLAN for one SSID. So I will use AP Groups.
For SSIDâXâ
Let's say I have 5 buildings with 800 Users, so I make a AP Group per Building and tell those APs that they are in that group.
For SSIDâYâ
All though I have this SSID also in all 5 buildings, I only have very view Users, so I could make one single VLAN which makes everything easier.
Am I obligated now to create 5 VLANs for SSIDâYâ too?!
*This is a made up example. In reality I would make different numbers of AP Groups for different SSIDs because I have significantly different number of Clientsâ¦ and traffic characteristics (more or less broadcast).
But it's also about the size of the VLANs, do I make a view large Broadcast Domains (VLANs) or more small ones.
Greetings, Andi

You can have a setup like this if you want:
AP Group 1
SSID X Vlan 10
SSID Y Vlan 21
SSID Z Vlan 31
AP Group 2
SSID X Vlan 10
SSID Y Vlan 22
SSID Z Vlan 31
AP Group 3
SSID X Vlan 10
SSID Y Vlan 23
SSID Z Vlan 32
AP Group 4
SSID X Vlan 10
SSID Y Vlan 24
SSID Z Vlan 32
AP Group 5
SSID X Vlan 10
SSID Y Vlan 25
SSID Z Vlan 33
AP Group 6
SSID X Vlan 10
SSID Y Vlan 26
SSID Z Vlan 33
Here is a link, which you probably already saw.
http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008073c723.shtml

SSID on FlexConnect versus Local mode APs???

Hello!
A collegue of mine and I discussed the different ways we could deliver a SSID on a customers APs on their geographically different sites ......
The customer have a WLC5508 (r7.6) and (mostly) AP1142.
All of the APs are in FlexConnect mode
Two SSIDs are centrally switched
One SSID are FlexConnect on all the sites with a local VLAN
Now we would like to deploy a new SSID which should be centrally switched on all the sites, except for one site ... So the problem is that the SSID need support for FlexConnect for one site but should be centrally switched on all the other sites. And on these sites the APs are also in FlexConnect mode...
Is there a way to do this??? We have been looking around the settings for WLAN, APs, FlexConnect groups etc and cannot figure this out! :-)
Best Regards
Göran Blomqvist
TDC
Sweden

How about creating two SSID profiles for the same SSID Name. One with WLAN-ID > 16 & configured it for FlexConnect local switching. Then create an AP group for the particular branch & map that SSID (the one with local switching) to that.
For other SSID (without local switching) you can map to all other branch AP (if you have specific group). If you have ap in default-apgroup then as long as you choose WLAN ID < 16, it should be available in all other branches
Give it a try & see.
HTH
Rasika
**** Pls rate all useful responses ****

AIR-AP1142N-A-K9 configuration issue for guest ssid

I'm trying to get the guest ssid working. I was frustrated so saved my old config and wiped out everything on this AP. Now my bvi1 does not come online.
ap#sh ip int bri
Interface                  IP-Address      OK? Method Status                Protocol
BVI1                       192.168.2.249   YES NVRAM down                  down
Dot11Radio0                unassigned      YES NVRAM up                    up
Dot11Radio0.50             unassigned      YES unset up                    up
Dot11Radio0.51             unassigned      YES unset up                    up
Dot11Radio1                unassigned      YES NVRAM administratively down down
GigabitEthernet0           unassigned      YES NVRAM up                    up
GigabitEthernet0.50        unassigned      YES unset up                    up
GigabitEthernet0.51        unassigned      YES unset up                    up
ap#
ap#sh int bvi
*May 6 15:05:24.611: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]1
BVI1 is down, line protocol is down
Hardware is BVI, address is 003a.99eb.8d00 (bia b862.1fe9.9af0)
Internet address is 192.168.2.249/24
MTU 1500 bytes, BW 54000 Kbit, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
ARP type: ARPA, ARP Timeout 04:00:00
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     3 packets output, 180 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
ap#
I have a private vlan 50 and the public vlan 51. The private ssid seems to work and allow connectivity to the internet but I don't understand with the same configuration the Public ssid doesn't seem to work.
I get this output when trying to connect with my cell phone.
*May 6 15:00:37.288: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:00:38.432: %DOT11-6-ASSOC: Interface Dot11Radio0, Station TYLOR-NB 9c4e.3617.483c Reassociated KEY_MGMT[WPAv2 PSK]
*May 6 15:00:42.935: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:00:54.320: %DOT11-6-ASSOC: Interface Dot11Radio0, Station   2c44.01c3.70a6 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:01:13.913: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:01:17.281: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:01:48.181: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:01:51.583: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
*May 6 15:02:22.500: %DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station 847a.8835.4f22 Reason: Sending station has left the BSS
*May 6 15:03:41.852: %DOT11-6-ASSOC: Interface Dot11Radio0, Station 847a.8835.4f22 Associated KEY_MGMT[WPAv2 PSK]
SSID [PUBLIC] :
MAC Address    IP address      Device        Name            Parent         State
847a.8835.4f22 0.0.0.0         ccx-client    -               self           Assoc
ap#
ap#show run
Building configuration...
Current configuration : 2746 bytes
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname ap
enable secret 5 $1$4jEJ$ajpjBvSx3DUhxyvLADj.91
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
dot11 syslog
dot11 ssid PRIVATE
   vlan 50
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 01150F035E050E0A2D
dot11 ssid PUBLIC
   vlan 51
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
   wpa-psk ascii 7 045D02010A2F444B05
username Admin privilege 15 password 7 0526071D3545175840
bridge irb
interface Dot11Radio0
no ip address
no ip route-cache
encryption vlan 50 mode ciphers aes-ccm
encryption vlan 51 mode ciphers aes-ccm
encryption mode ciphers aes-ccm tkip
ssid PRIVATE
ssid PUBLIC
antenna gain 0
mbssid
station-role root
interface Dot11Radio0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 50
bridge-group 50 subscriber-loop-control
bridge-group 50 block-unknown-source
no bridge-group 50 source-learning
no bridge-group 50 unicast-flooding
bridge-group 50 spanning-disabled
interface Dot11Radio0.51
encapsulation dot1Q 51
no ip route-cache
bridge-group 51
bridge-group 51 subscriber-loop-control
bridge-group 51 block-unknown-source
no bridge-group 51 source-learning
no bridge-group 51 unicast-flooding
bridge-group 51 spanning-disabled
interface Dot11Radio1
no ip address
no ip route-cache
shutdown
antenna gain 0
dfs band 3 block
channel dfs
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
interface GigabitEthernet0
no ip address
no ip route-cache
duplex auto
speed auto
no keepalive
interface GigabitEthernet0.50
encapsulation dot1Q 50 native
no ip route-cache
bridge-group 50
no bridge-group 50 source-learning
bridge-group 50 spanning-disabled
interface GigabitEthernet0.51
encapsulation dot1Q 51
no ip route-cache
bridge-group 51
no bridge-group 51 source-learning
bridge-group 51 spanning-disabled
interface BVI1
ip address 192.168.2.249 255.255.255.0
no ip route-cache
ip default-gateway 192.168.2.1
ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
bridge 1 route ip
line con 0
line vty 0 4
end
switch config:
interface FastEthernet1/0/46
switchport trunk encapsulation dot1q
switchport trunk native vlan 50
switchport trunk allowed vlan 50,51
switchport mode trunk

Hi
I know the bridge-group have to be identical to the sub interface number and vlan number
This is true for all other vlans except for native vlan. For native vlan sub-interfaces bridge group number always should be 1. In your case, if vlan 50 is the native vlan (192.168.2.x/24 belong vlan) then configure bridge-group 1 under those .50 sub-interfaces. Then everything should work :)
It is ideal if you could put AP management (BVI IP) into separate vlan & two user groups put vlan 50 & 51. Here is a sample configuration where vlan 110 is Mgmt & vlan 12,13 for user vlans.
http://mrncciew.com/2012/10/24/multiple-ssid-config-on-autonomous-ap/
HTH
Rasika
**** Pls rate all useful responses ****

One ssid to multiples vlan without hreap, flex connect

Hi my name is Ivan
I have a question about a wireless solution
I have one cisco wlc 2112 with ios 7.0.230.0 with license to support 12 access points. My access points are nine (9) lap1231ag and one (1) lap1310
I just have one wlan (ssid). My scenario of deployment is in layer 3. I have one interface management and ap manager in the WLC. All my Access Points
have differents ip address that WLC. I need to configure a unique ssid to associate my six (6) dynamics interfaces (each dymanic interface with different vlan subnet).
Each wlan profile (ssid) should have the same security in phase 2 (wpa2/psk). My cisco access points don't support hreap. My wlc support only (4)
interface into an interface group, and i need six (6) dynamics interfaces.
Is this possible to configure this scenario?
I have a research about it, and i found this link:
https://supportforums.cisco.com/thread/2180009
They mention there, that i need HREAP, but my AP's dont support it.
How can i do it?
Regards

1° It doesn't matter that my buildings are connected between layer 3 links, having my WLC in a different VLAN/Subnet.
Correct. The APs do not have any requirement of being L2 adjacent to the WLC. If your APs are already joined, they will no how to find the WLC once you move them to their new network. I would suggest making sure you have High Availability configured specifying the APs primary WLC. Regardless, if joined already, the AP "knows" the controller it wants to join. If you have "new" APs that are installed at a different L3 network, you just want to make sure you have discovery methods for these new APs to find the WLC (option 43, dns, etc)
2° It doesn't matter what interface is associated to the WLAN in the WLAN profile.
That depends on your design. "IF" you have "all" your APs placed in to respective custom AP groups, then no it doesn't matter as the group interface assignment will override the WLAN interface assignment. "IF" you still have APs in the "default group" that are not being placed in a new AP group, then these APs will inherit the WLAN configuration so the interface should be assigned accordingly. In some cases, customers may choose to build a dummy/blackhole interface that the WLAN is bound to in the event an AP winds up in the default group. Just make sure any dummy interfaces you create are non-routable on your network.
3° It is not necessary to create an interface group.
No. An interface group will bundle multiple dynamic interfaces in to a single group that can be assigned. For instance, if you bundle all these in to a group and then assign, via an AP group, for a WLAN to use the new interface "group", then clients will be placed on the respective dynamic interfaces within that group in a round-robin fashion (or whatever algorithim is in use depending on code release), therefore clients at site A may end up on any of the 6 interfaces. The interface group is traditionally used when customers are running out of usable space and would like to expand through the use of additional network segments, rather than increasing a subnet size through a mask reduction.

Best Practice "One SSID for everything"

Hello Guys,
we switched from ACS to ISE and now we want to have just two SSIDs for alle Business Needs:
I´m not sure if this is the right or best way to do it.
One SSID is for Guest Network and also for BYOD Registration.
The second SSID is for BYOD and Company Devices (LAptop ipad iphone....). But we have also cisco 7925g which should get and client cert and then also connect to that ssid. In the old setup it was an seperate SSID with CCKM enabled. Now because of campatibilty i had to disable cckm. Also the new SSId would have CLient band select enabled, which should be good for voice, right ?
With your expirience is it a good idea to but all clients in 1 SSID ?
Is Wireless Voice working fine without cckm ?
What is your recommendation for that setup regarding ssid and voice/video configuration specially 802.11 settings and CAC
Thanks for help
Kind regards
Philip

A lot of vendors will suggest also to have one SSID if possible, but the rule of thumb is 3-4 max. The main issue is the differences required for specific WLAN's, which isn't just for Data and Voice, but you also have to look at mDNS, multicast, 802.11r, DTIM's, MFP, etc. You can combine all devices to use one, but all the features/setting will be the same, which isn't ideal all the time. There are attributes which you can set from ISE to push out to the WLC(s), but its the other unique values that you need to research and understand.

HREAP vs LOCAL modes

after reading through numerous docs from Cisco - it seems that latest firmware on WLC provides HREAP functions similar to that of using local mode. So what if the APs on a LAN are all set to HREAP giving you the benefit of redundancy and also network local switching avoiding that local traffic needs to traverse the WLC ? I know Cisco are still recommneding use of HREAP for WAN remote sites - but why not use it on LAN too ? The limitations are very few and most either relate to WAN type (which on LAN these do not apply) or else refer to when LAP looses WLC communication (at least it works in limited mode better than not at all like when it is set for 'local' mode. The HREAP does not use CAPWAP tunnel to encapsulate data traffic so I agree some security is lost but if security at the LAP end is not a big issue for client I still see all other features work with HREAP - like RRM / Roaming etc . so you get full benefits of WLC whne HREAP is in connect mode and keep some if WLC is down .. can anyine convince me otherwise ? : )

As per my usual on this type of question.
It all depends on what you want to do.
Yes, you can use the AP like they were autonomous, and bridge all the traffic down to the LAN if you want. Or you can backhaul it to the WLC. It's all up to what you need to support.
For example, if you were using Air Fortress, you would have to use HREAP, because of how that applicaiton interacts.
If you're only doing standard, web and email, there is no real need to.
Both designs are valid, all depending on what you want to do.
As for the security aspect of it, the traffic on the LAN isn't encrypted anyway. So once the traffic egresses the WLC, it's raw, if you have a protocol analyzer you can get the data. So that comes down to physicl security more than anything, not wired vs. wireless.
Cheers,
Steve
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

HREAP & Local mode configuration for one SSID

Similar Messages

Maybe you are looking for