HREAP - local switching & central authentication

Should I trunk the port to the AP or not
I have a WLC 5508 in the head office and have APs in the remote office. I do not want traffic in the remote office to traverse the WAN back to the WLC. I want the users at the remote office to use the local subnet at the remote site.
Should I then trunk the AP port on the switch to the AP, as I have multiple SSIDs with different subnets?

Thanks, I thought that but was getting conflicting information on it.
We also provide guest access to remote sites that is tunnelled back to the WLC and then on to the DMZ. I guess this is not an issue when the corporate access is configured for local breakout?

Similar Messages

  • HREAP - Local switching

    Hi All,
    I have a working WLC with several HREAP APs all working as they should. My question is: what happens to DHCP requests when an AP is configured for HREAP local switching with no VLAN support enabled (connected to an access port, not a trunk)? The local VLAN has a DHCP helper address configured for an external DHCP server. When a wireless client connects, does all the traffic get dropped directly onto the local VLAN (in my case VLAN 10), or does any traffic traverse the controller? I ask this because on the advanced settings page of the WLAN I have ticked DHCP REQ; how does the controller determine if the wireless client has a valid IP if the DHCP request is being supplied by the local VLAN?
    I was under the impression that the control and data planes are separated?
    Thanks in advance for any replies.
    Sent from Cisco Technical Support iPhone App

    You are correct, it gets dumped on your VLAN 10. As for your very specific question, that's a great question and I don't know that I have the answer. Perhaps someone else like Steve, Leo or Scott can reply if they tested it.
    I'm going to take a stab in the dark and say perhaps the AP makes sure it sees a DHCP request packet come in before it allows the client to get into the RUN state.
    OR, it doesn't work.
    OR, if that check box is marked, perhaps the AP relays some type of response back to the WLC ...
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

  • HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesn't fall back to local switching.

    Hi All,
    I am currently using a 4402 with the 6.0.196 image. The APs that I am using are the 1130.
    I have configured HREAP for local switching, and it works very well. I am even able to do 802.1X
    authentication after registering with ACS. Currently I am using only 1 SSID. That SSID is mapped
    to VLAN 10 and my AP is on native VLAN 1. All the proper trunks and routing have been enabled.
    The issue I have is when I am trying to create a centrally switched WLAN that falls back to local
    switching once the controller is down. The only difference I made was to remove the "tick"/checkbox option
    for "Local Switching" on the WLAN page.
    It is able to work if the controller is up; I am even able to get an IP on the network where the controller resides. However, when
    I tested by disconnecting the controller, the client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
    and also WPA-PEAP-MSCHAPv2. Both fail miserably.
    Does this mean that I need to create 2 WLANs? One for local switching and the other for central switching on the HREAP mode
    APs. Can't I do it with just a single WLAN?
    Thank you.
    Warmest regards,
    Azzafir Ariff Patel.

    For H-REAP, if you're doing central switching due to using EAP for authentication and the AP loses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate. WPA/WPA2-PSK local switching should work even if the AP loses connectivity to the WLC, since the H-REAP AP will do the authentication. Here is a link you have probably already seen:
    http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

  • HREAP local switching with web auth

    Hello All,
    Does web authentication work perfectly fine while locally switching the SSID on HREAP mode APs with older WLC firmware, 7.0.98.218?
    I see it is supported in 7.0.116.0 onwards. Does it work on older versions? Has anyone tested it and faced any issues?
    Thanks
    Jeen

    It worked as far back as 4.0 from what I remember.
    Steve
    Sent from Cisco Technical Support iPhone App

  • Locally Switched / Centrally Switched on Flex Connect AP

    Hi All,
    Scenario (is this possible?):
    I have an HQ site (Site A) with the WLC.
    I have a remote site (Site B) with one AP.
    Site A has Internet breakout. Site B doesn't.
    Is it possible with this one AP to have multiple SSIDs, some of which are switched locally at the remote site and some which are switched centrally back at the HQ?
    E.g. I want to have an SSID for the data VLAN at Site B. Any laptop connecting to this is dropped onto the data VLAN.
    I also want to have a GUEST SSID for Internet but have this traffic be tunneled back to HQ and use the Internet breakout there.
    Is this possible?
    Thanks

    On the advanced tab of the WLAN you can enable that SSID for FC Local Switching. The AP then needs to be in FlexConnect mode. You then go to the FC tab of the AP and define the local VLANs for the locally switched WLANs. There will be 2 lists of SSIDs, locally switched and centrally switched. Obviously you don't define VLANs for the centrally switched WLANs.
    Whatever you define on the AP will overwrite the interface on the WLC.
    AP Groups and FC Groups are not needed.

  • HREAP, Local Switched WLAN and DHCP Address required

    Hi All,
    If I have configured an HREAP AP with a locally switched WLAN with "DHCP Address Required", from my understanding a client will be provided with an IP address from the HREAP local infrastructure. How will the controller ensure that no static IP client is able to access the network?
    Any Help Welcome.
    Regards, Michael

    I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safeguards" against someone putting a static address on their box ...
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html
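    The safeguard described in this answer, modelled as an added Python example (not Cisco's code or the WLC's actual state machine): on a locally switched WLAN with DHCP Address Required, a client's data is only forwarded after a DHCP Discover or Request has been seen from it, so a station with a static IP never reaches RUN. The MAC addresses, frame layout and state names are constructed for the example.

```python
"""Simplified model of the 'DHCP Address Required' check on a locally
switched FlexConnect/HREAP WLAN. Added example, not Cisco code: the state
names and frame layout are a constructed simplification."""
from dataclasses import dataclass
from enum import Enum


class State(Enum):
    DHCP_REQD = "DHCP_REQD"   # associated, waiting to see a DHCP exchange
    RUN = "RUN"               # data is switched onto the local VLAN


# DHCP message types (option 53) that prove the client is using DHCP.
DHCP_DISCOVER = 1
DHCP_REQUEST = 3


@dataclass
class Frame:
    src_mac: str
    kind: str            # "dhcp" or "data"
    dhcp_type: int = 0   # option 53 value when kind == "dhcp"


class LocalSwitchedWlan:
    """One locally switched WLAN on a FlexConnect AP (constructed model)."""

    def __init__(self, dhcp_required: bool) -> None:
        self.dhcp_required = dhcp_required
        self.clients: dict[str, State] = {}
        self.dropped: list[tuple[str, str]] = []   # (mac, reason) for review

    def associate(self, mac: str) -> None:
        # Without the safeguard a client is in RUN straight after association.
        self.clients[mac] = State.DHCP_REQD if self.dhcp_required else State.RUN

    def forward(self, frame: Frame) -> bool:
        """Return True if the frame is switched onto the local VLAN."""
        state = self.clients.get(frame.src_mac)
        if state is None:
            self.dropped.append((frame.src_mac, "not associated"))
            return False
        if frame.kind == "dhcp":
            # DHCP is always let through so the client can obtain a lease;
            # seeing a Discover/Request is what moves the client to RUN.
            if frame.dhcp_type in (DHCP_DISCOVER, DHCP_REQUEST):
                self.clients[frame.src_mac] = State.RUN
            return True
        if state is not State.RUN:
            # A static-IP client never sends DHCP, so it stays in DHCP_REQD.
            self.dropped.append((frame.src_mac, "no DHCP seen (static IP?)"))
            return False
        return True


def demo() -> dict[str, list[bool]]:
    """Constructed traffic: one DHCP client and one static-IP client."""
    wlan = LocalSwitchedWlan(dhcp_required=True)
    dhcp_client, static_client = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
    wlan.associate(dhcp_client)
    wlan.associate(static_client)
    return {
        "dhcp_client": [
            wlan.forward(Frame(dhcp_client, "data")),                 # False
            wlan.forward(Frame(dhcp_client, "dhcp", DHCP_DISCOVER)),  # True
            wlan.forward(Frame(dhcp_client, "data")),                 # True
        ],
        "static_client": [wlan.forward(Frame(static_client, "data"))],  # False
    }
```

    The `dropped` list is what a defender would review: a MAC repeatedly dropped with "no DHCP seen" is a station trying to use an address the local DHCP server never handed out.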

  • Flex connect with a per user ACL with APs locally switched

    Hi all,
    Does FlexConnect allow a per-user ACL to be downloaded to the session with local switching and central authentication? We are using ISE for the central policy engine and have set up dACLs for wired but am about to embark on WLAN. The controller is a 5508 and the APs are 3700s.
    Second question: if the FlexConnect APs don't do any form of per-user ACL, the other option is to have the units in regular mode where they are both centrally switched and centrally authenticated, which I understand supports a per-user ACL. Our WAN links are between 10 Mbps and 30 Mbps and the most latency would be around 40 ms. Will this cause issues at all with those WAN link sizes and latency?
    Thanks
    Sent from Cisco Technical Support iPad App

    Well, you are running v7.6, so FlexConnect per-user RADIUS ACLs are supported per this doc since v7.5.
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
    As far as WAN latency, 200 ms is good, but it depends on your WAN utilization now and how many APs you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth, or else you will need to QoS the CAPWAP traffic to ensure the APs don't bounce from connected to standalone.
    Sent from Cisco Technical Support iPhone App

  • Centralized Auth. / Local Switching - Common SSID

    Hi All,
    I'm looking at a design where I would have a few remote sites and a centralized WLC. My requirement would be to have a common SSID advertised across the remote sites and have that SSID locally switched, so as to not tunnel all the traffic across the WAN back to the central site.
    I know the feature I'm looking for is H-REAP with centralized authentication and local switching... but I'm unsure of the second part, which is to have a common SSID across the remote sites. How do I accomplish the second part? I heard mention of using AP Groups in another post. Just looking for more direction.

    You're all correct except on the last part.
    What you want to do is configure your SSID in advanced options to enable HREAP Local Switching.
    Then move only the APs at the remote site to HREAP mode, one by one.
    From there, all the APs you configured as HREAP will be locally switching traffic and the APs in local mode will still forward traffic through the controller.
    I hope this clarifies?
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Understanding Flexconnect - Local vs Central Switching, and WLC failover scenario ??

    Hello Experts
    We have one WLC 5508 in Building1, a few 2700 Series APs in Building1, and one 1252AG in Building2. The LAN subnet is the same for both buildings, connected via a dark fiber.
    My requirement is to have central switching in Building1 since the WLC is located locally, and local switching in Building2 to avoid inter-building traffic; for both buildings we already have one VLAN/IP subnet. (Both buildings access resources from a central datacenter which hosts all the servers.)
    Questions:
    1. Is the above scenario possible using a single SSID? My understanding is that one WLAN+SSID can't have both local and central switching enabled.
    2. In FlexConnect central switching mode, during WLC failure, does the switching change to local switching automatically?
    3. When I choose local switching for a specific WLAN, does it locally switch always, or does it locally switch only when the WLC is down?
    4. We want to use Microsoft PEAP using AD user authentication. When local authentication is enabled on the WLC, I understand that when the WLC fails (and the RADIUS server is still reachable), we can still have the AP directly contact the RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. I guess this is the primary backup RADIUS server configuration. Is this understanding correct?
    Thanks.

    Hi
    The LAN subnet is same for both Buildings connected via a dark fiber.
    If this is the case there is no need for FlexConnect, as you have enough bandwidth and the same L2 extended between those two buildings. Typically FlexConnect is for branch deployments where WAN link bandwidth is a concern.
    Anyway, if you want to do this, here are the answers to your specific queries.
    1. Is the above scenario possible using single SSID ? My understanding is that one WLAN+SSID can't have both Local and Central switching enabled.
    You can have both local switching and central switching available for a given SSID. Only FlexConnect mode APs will do local switching and all local mode APs will do central switching, though both use the same SSID.
    2. In Flexconnect Central Switching mode, during WLC failure, does the switching change to Local switching automatically ?
    No, if it is a centrally switched SSID, when the WLC is not available clients won't be able to join this SSID. It does not fall back to local switching.
    3. When I choose Local Switching for a specific WLAN, does it Locally switch always , or does it Locally switch only when WLC is down ?
    This is applicable only to FlexConnect mode APs, and they always do local switching if that is configured. If the WLC is not reachable the AP will go into "standalone mode" and still do local switching.
    4. We want to use Microsoft PEAP using AD User Authentication. When Local Authentication is enabled on WLC, I understand that when WLC fails (and RADIUS Server is still reachable), can we still have the AP directly contact RADIUS server as a direct client and provide 802.1X Microsoft PEAP authentication. Guess this is Primary Backup Radius Server configuration. Is this understanding correct ?
    Yes, when this option is configured and the WLC is not reachable (but RADIUS is reachable), then the AP will act as authenticator and pass RADIUS messages to the auth server directly.
    This is a very good Cisco Live presentation you should see, as it describes lots of these features and which WLC codes introduced them.
    BRKEWN-2016 - Architecting Network for Branch Offices with Cisco Unified Wireless
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • HREAP & Local mode configuration for one SSID

    I'm looking to provide one SSID for corporate access to multiple sites using HREAP. My question is: is it possible to configure one SSID and switch the traffic locally?
    I have a controller in the main site that provides one SSID for corporate access (APs in local mode) and would like to have the same SSID used at the remote sites; the only difference is the breakout locally.
    Do I need to configure the HREAP interface on the controller if it is switching locally at the remote site? If so, what interface should it be? I thought it would be local anyway?

    Yes, you can do this.
    In the WLAN, select HREAP Local Switching. This does not mean that the WLAN is always locally switched, just that it can be.
    Put the APs that need to be HREAP/FlexConnect in that mode, reboot, then map the WLAN to the appropriate VLAN for that site.
    For the APs that you want to do central switching, just leave them as they are.
    Steve

  • Central Authentication / Local Switching for Mesh?

    Hi all,
    I'm afraid I know the answer but maybe I'm just missing something. Anyway, here's the situation: I have a multi-site installation with a centralized WLC (currently 2504). Each wireless VLAN at each site uses the same ID but has a local network (e.g. site 2 is 192.168.2.0/24, site 3 is 192.168.3.0/24 but both are VLAN 100).
    When I configure APs for H-REAP/FlexConnect, there's no problem. Users are authenticated via a centralized RADIUS server (Cisco SecureACS 5.x) and I have local switching enabled so clients pick up an address from a localized DHCP server (ASA firewall in most cases).
    However, the impetus for installing the WLC requires a mesh network, consisting of 2 RAPs and 2 MAPs. My catch 22 is now this: if a RAP is in FlexConnect mode, the MAP won't associate, but if the RAP is in RAP mode, the MAP associates, but clients don't appear to get IP addresses (on an iPhone for example, the wheel just keeps spinning until it gives up).
    It's my understanding that since the APs are no longer in FlexConnect mode, all the wireless traffic is now being tunneled back through the centralized WLC which associates the VLANs with networks that don't exist on site.
    Is my understanding correct? If so, is there any way I can go about achieving what I want to do, which is to get the FlexConnect effect but still have mesh capabilities? Right now it seems the obvious (albeit very expensive) answer is to decentralize the WLC and have HA WLCs configured on a per-site basis.
    Any input/advice greatly appreciated. Thank you.

    I second your thought about mesh, and as for what to do, I don't think you can do anything. Perhaps a cheap way to solve this problem would be installing a local 2504 at sites that require mesh links. This will allow you to terminate all VLAN/SSID mappings locally. Sorry :-(

  • Confused: Central Switching/Local Switching

    Was wondering if someone could explain local/central switching a little further, when it comes to HREAP/FlexConnect modes for CAPWAP APs.
    So in our environment, we're running 7.5.102.0 code on all of our WLCs. We have a central WLC in two of our regions (US and Europe). Each region provides Internet services for the remote sites connected to it. So a site in Chicago comes back to our central office over MPLS for its Internet services, just as a site in Italy comes back to our central office in the UK for its Internet service over MPLS. These remote sites have APs that are in FlexConnect mode back to the central WLCs.
    My question... I understand that an AP in central switching mode tunnels the traffic back to the central controller, whereas local switching does not. However, what does that mean? If the WAN link goes down, how does local switching help? The Internet is still down, since that's how the Internet is advertised back from the central location. Does that just mean that local servers can be accessed over wireless, since we are in local switching mode? Same question for authentication: our AD servers are located at the central sites, with no AD servers at the remote sites. In local authentication mode, how would an AP register a user if the MPLS link is down? Does it download some sort of cached directory for authentication?
    Thanks for your help!

    Yes, in local switching mode, wireless client traffic is locally switched at the branch (you have to define their SVI on the branch switch) and they can access any branch resources while the WAN link is down. If Internet service is provided by your central office, then they won't get Internet services while your WAN link is down.
    If you configured local authentication, yes, the WLC will pass credentials (if the WLC has user credentials like WPA2-PSK or WEP) to the AP where it can use them for local authentication. If you are using dot1x with RADIUS and AD, then you should have redundancy of these services in order for the branch AP to use them in a situation where the controller is unavailable.
    The following design guide should help you to understand this:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1103070
    Here are some of my notes related to the different modes of operation of H-REAP/FlexConnect, which should help you as well:
    http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • Same wlan both locally switched and centrally switched

    Scenario:
    1 virtual wireless controller
    50 access points, some of them local to the controller (same site), others on remote sites, all in FlexConnect mode.
    Is there a way for a WLAN to be locally switched for a group of APs, essentially those local to the controller, and centrally switched for other groups of APs, in fact those placed on remote sites?
    I've tried configuring FlexConnect groups and AP groups, but no luck; I've found no way to override the globally configured flag "FlexConnect local switching".
    I've also tried to create two identical WLANs, one locally switched and the second centrally switched, but the WLC refuses to activate the second one since it has the same SSID as the first one.
    Regards,
    Massimo. 

    Since you have a vWLC, all APs need to be in FlexConnect mode (if you had a normal WLC you could keep the HQ APs in local mode and the remote APs in Flex mode to achieve this).
    I think in your case you have to choose either "Central Switching" or "Local Switching" for your APs.
    Regards
    Rasika
    **** Pls rate all useful responses ****

  • Centrally Switched and Flex Local Switched WLAN - same SSID

    Hi All
    I am currently working on a WLAN migration from lightweight to autonomous and would like advice on whether the following scenario is possible.
    We've deployed an 8500 HA pair at the customer's central HQ with the plan that SSIDs at the central HQ will centrally switch, with SSIDs at branch sites locally switching. AP and Flex groups have been configured for the HQ and branch sites. There is a legacy SSID at HQ that will need to break out locally, so a Flex group is required for HQ.
    My original plan was to do this with one WLAN profile per SSID, configured to locally switch. The HQ AP group will map the WLAN to the relevant IP interface, with the SSID omitted from the HQ Flex group so that the SSID will centrally switch. The branch AP groups will be configured with the SSIDs required for the branch, and Flex groups will be configured to break out the SSIDs into the relevant local VLAN.
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP group but omitting it from the HQ Flex group?
    Configured as above, a client debug gives the below, which seems to suggest that it isn't possible, unless I've configured something incorrectly...
    *apfMsConnTask_5: Oct 03 15:48:51.012: c0:18:85:48:c0:5d Central switch is FALSE
    My alternative option is to create a second WLAN profile for each SSID with the same SSID name but centrally switched, and then apply that accordingly in the AP groups.
    If someone can verify the above I'd be very grateful.
    Many thanks in advance
    Mark

    Hi Mark
    My question is, is it possible for an SSID to be configured as locally switched for branches but also centrally switched for HQ, by configuring it in the HQ AP Group but omitting it from the HQ Flex group?
    When you configure an SSID for local switching, it is only applicable if the AP is in FlexConnect mode. So as long as your HQ APs are in local mode, all those users' traffic will be centrally switched for the given SSID. At the branch, those APs are in Flex mode, so they will be locally switched.
    Please do not forget to rate our responses if they are useful to you.
    HTH
    Rasika

  • Locally switched Guest WLAN with Web Authentication

    I have a remote location that has its own Internet pipe. I have set up a new guest SSID, set it to switch locally and changed the AP mode to FlexConnect. When I connect to the new SSID, I get an IP address from the local LAN, but the web redirection page will not load. Is this because the local LAN does not have a route to the WLC virtual interface of 1.1.1.1? Is there a way to tunnel just the web authentication portion of traffic and locally switch everything else?

    You are close in your understanding.
    If you want to use the web portal services on the WLC then you need to bring that traffic back to the WLC.
    "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
    "I'm in a serious relationship with my Wi-Fi. You could say we have a connection."
