HREAP - Local switching

Hi All,
I have a working WLC with several HREAP APs all working as they should. My question is what happens to DHCP requests when an AP is configured for HREAP local switching with no VLAN support enabled (connected to an access port, not a trunk)? The local VLAN has a DHCP helper address configured for an external DHCP server. When a wireless client connects, does all the traffic get dropped directly onto the local VLAN (in my case VLAN 10) or does any traffic traverse through the controller? I ask this because on the advanced setting page of the WLAN I have ticked DHCP REQ. How does the controller determine if the wireless client has a valid IP if the DHCP request is being supplied by the local VLAN?
I was under the impression that the control and data planes are separated?
Thanks in advance for any replies.
Sent from Cisco Technical Support iPhone App

You are correct, it gets dumped on your VLAN 10. As for your very specific question, that's a great question and I don't know that I have the answer. Perhaps someone else like Steve, Leo or Scott can reply if they tested it.
I'm going to take a stab in the dark and say perhaps the AP makes sure it sees a DHCP req packet come in before it allows the client to get into the run state.
OR, it doesn't work.
OR, if that check box is marked, perhaps the AP relays some type of response back to the WLC ...
"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

Similar Messages

  • HREAP local switching with web auth

    Hello All,
    Does web authentication work perfectly fine while locally switching the SSID on Hreap mode APs with older WLC firmwares - 7.0.98.218.
    I see it is supported in 7.0.116.0 onwards. Does it work on older versions? Has anyone tested and faced any issues?
    Thanks
    Jeen

    It worked as far back as 4.0 from what I remember
    Steve
    Sent from Cisco Technical Support iPhone App

  • HREAP, Local Switched WLAN and DHCP Address required

    Hi All,
    If I have configured an HREAP AP with a locally switched WLAN with "DHCP ADDRESS REQUIRED", from my understanding a client will be provided with an IP address from the HREAP local infrastructure. How will the controller ensure that no static IP client is able to access the network?
    Any Help Welcome.
    Regards, Michael

    I posted about this subject on my site (see link below). Since the posting I learned that the client needs to minimally pass a DHCP discovery packet for the controller to then allow traffic to pass to the client. This is how it "safeguards" against someone putting a static address on their box ...
    http://www.my80211.com/cisco-wlc-cli-commands/2009/12/30/wlc-dhcp-address-assignment-required-option.html

  • HREAP local switching works perfectly BUT central switching fails when WLC is down. Doesn't fall back to local switching.

    Hi All,
    I am currently using a 4402 with the 6.0.196 image. The APs that I am using are the 1130.
    I have configured HREAP for local switching, and it works very well. I am even able to do 802.1x
    authentication after registering with ACS. Currently I am using only 1 SSID. That SSID is mapped
    to VLAN 10 and my AP is on native VLAN 1. All the proper trunks and routing have been enabled.
    The issue I have is when I am trying to create a centrally switched WLAN that falls back to local
    switching once the controller is down. The only difference I made was to remove the "tick"/checkbox option
    for "local Switching" on the WLAN page.
    It is able to work if the controller is up; I am even able to get the IP network where the controller resides. However, when
    I tested by disconnecting the controller, the client is unable to authenticate or send traffic anymore. I've tried using WPA-PSK
    and also WPA-PEAP-MSChapv2. Both fail miserably.
    Does this mean that I need to create 2 WLANs? One for local switching and the other for central switching on the HREAP mode
    APs. Can't I do it with just a single WLAN?
    Thank you.
    Warmest regards,
    Azzafir Ariff Patel.

    For H-REAP, if you're doing central switching due to using EAP for authentication and the AP loses connectivity to the WLC, then those users should be able to stay associated, but new users will not authenticate.  WPA/WPA2-PSK local switching should work even if the AP loses connectivity to the WLC since the H-REAP AP will do the authentication.  Here is a link you have probably already seen:
    http://www.cisco.mn/en/US/products/ps6087/products_tech_note09186a0080736123.shtml#topic2

  • HREAP - local switching & central authentication

    Should I trunk the port to the AP or not
    I have a WLC 5508 in the head office and have AP's in the remote office. I do not want traffic in the remote office to traverse the wan back to the WLC. I want the users at the remote office to use the local subnet at the remote site.
    Should I then trunk the AP port on the switch to the AP as I have multiple ssid's with different subnets?

    Thanks I thought that but was getting conflicting information on it.
    We also provide a guest access to remote sites that is tunnelled back to the wlc and then on to the DMZ. I guess this is not an issue when the Corporate access is configured for local break out?

  • HREAP & Local mode configuration for one SSID

    I'm looking to provide one SSID Corporate access to multiple sites using HREAP. My question is it possible to configure one SSID and switch the traffic locally?
    I have a controller in the main site that provides one SSID for Corporate access (AP's in Local mode) and would like to have the same SSID used at the remote sites, only difference is the break out locally.
    Do I need to configure the HREAP interface on the controller if it is switching locally at the remote site? If so what interface should it be? I thought it would be locally anyway?

    yes, you can do this.
    In the WLAN, select HREAP Local switching.  This does not mean that the WLAN is always locally switched, just that it can be.
    Put the APs that need to be HREAP/FlexConnect in that mode, reboot, then map the WLAN to the appropriate VLAN for that site.
    For the AP that you want to do central switching, just leave them as they are.
    Steve

  • Centralized Auth. / Local Switching - Common SSID

    Hi All,
    I'm looking at a design where I would have a few remote sites and a centralized WLC.  My requirement would be to have a common SSID advertised across the remote sites and have that SSID locally switch, so as to not tunnel all the traffic across the WAN back to the central site.
    I know the feature I'm looking for is H-REAP with Centralized Authentication and Local switching...but I'm unsure of the second part...which is to have a common SSID across the remote sites.  How do I accomplish the second part?  I heard mention of using AP Groups in another post.  Just looking for more direction.

    You're all correct except on the last part.
    what you want to do is configure your SSID in advanced options to enable HREAP Local switching.
    Then only the APS at remote site you move to HREAP mode one by one.
    From there, all the APs you configured as HREAP will be locally switching traffic and the APs in local mode will still forward traffic through the controller.
    I hope this clarifies ?
    Nicolas
    ===
    Don't forget to rate answers that you find useful

  • Setting Locally Switched VLAN Id for HREAP'd ap's?

    I am using HREAP on a number of AP's to fulfill a need of my end-users to have wireless devices connect to a locally hosted resource on a sites network.  Getting the AP's to operate correctly has not been an issue (for the most part), and getting the "Locally Switched VLAN's" functional was not a problem.  However, when I routinely go back through my AP's to check on them or to look t-shoot an unrelated issue I have noticed that some of the AP's have retained the Locally Switched VLAN mapping (i.e.: WLAN Id=5, Profile Name = test ssid, VLAN Id = 123) and some of them resolve the VLAN Id to 1 (for example).
    Is there anyone that may have experienced this and can offer or point me towards a resolution?
    I am also curious if I can configure the Locally switched vlans directly to my WiSM's instead of to each individual HREAP'd AP?
    BTW: I have a wireless environment of 1242, 1252, and 1142 ap's with WiSM's on a 65xx w/ sup720.
    Thanks for the help.

    I saw similar behavior at a client site running 6.0.181.0 & 6.0.196.0 code. What I found the issue to be was that when you set the native VLAN and hit apply, the AP took a minute to initiate a reboot (or so it appeared), and when I set the VLAN mappings they weren't actually being applied.
    I found if I set the AP to H-REAP and applied that, then waited about 3-4 minutes, then enabled VLAN Support and set Native VLAN, applied that, waited 3-4 minutes, then set my VLAN mappings, that the issue went away.
    Not sure if that's the same issue you're running into but it's worth a shot. I tried tons of things before discovering that pattern. Incidentally it didn't seem to behave that way in 4.0 code, nor does it seem to behave that way in 7.0 code.
    Hope this helps...
    Please rate useful posts.
    Thanks,
    Kayle

  • Branch Office & HREAP & local Internet breakout

    Hi,
    I'm planning right now a local Guest Access breakout for a branch site which is connected over
    a HREAP AP to a centralized WLC. If I have understood it correctly, I have to do the following:
    1. Create a Guest SSID on the centralized WLC (5508) / enable local switching for this SSID
    2. Create a Guest VLAN on the branch site with a local Internet breakout
    3. Configure a trunk port for the HREAP AP on the branch site (1 VLAN for Corporate SSID / local switching and 1 VLAN for Guest with local Internet breakout)
    Can I use the WLC as DHCP server for the Guest SSID or should I use a local DHCP server? I know about a feature
    "central DHCP Processing" but I never used this before and it is not 100% clear if this can help me in this case.
    Thanks for help.

    Check these docs:
    http://www.cisco.com/c/en/us/support/docs/wireless-mobility/wireless-lan-wlan/81680-hreap-modes.html
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/71250-h-reap-design-deploy.html
    Regards

  • Multiple VLANs per SSID with local switch

    Is it possible to use an 'AP Group' or 'Interface group' to assign multiple VLANs to a WLAN when remote, h-reap APs are in local switch mode? 
    If not, is there a way to overcome 500 maximum host per VLAN when APs are local switching?
    Thanks!

    Don't think it's possible...
    I don't know if the following config will even work, but you can have the HREAP APs connected at the remote site map to different VLANs...
    Example:
    AP1 -- ssid 1 --- vlan 10
    AP2 -- ssid 1 --- vlan 11 and so forth..
    Sounds crazy but I'll have to ponder on this a bit more.. Need a pen and paper to draw a quick topology :)...
    Sent from Cisco Technical Support iPhone App

  • High CAPWAP traffic when locally switched

    Hello all,
    We're seeing an ongoing issue where several APs across multiple sites log the error, "%CAPWAP-3-ERRORLOG: Retransmission count for packet exceeded max(CAPWAP_WTP_EVENT_REQUEST., 12)", then disassociate from the controller, and reassociate almost immediately.  The issue is the users get disassociated from the AP and call the helpdesk.
    A counter measure at one site was to add the CAPWAP traffic (udp ports 5246 & 5247)  to the controller in our QOS Platinum policy (setting the DSCP bit to 'ef'), but that doesn't seem to help.
    We're using Flexconnect with central authentication, local switching.
    A couple of questions:
    1) The Platinum queue on the QOS is showing over 500 kbps when the only thing put in that queue is the CAPWAP traffic - there aren't any phones.  Why so much bandwidth for authentication and control traffic?
    2) What is happening with the APs that they can't talk to the controller that causes the issue in the first place?  Bandwidth doesn't seem to be an issue.
    Below are some config and outputs:
    AP-1242#show capwap reap status
    AP Mode:         REAP, Connected
    Radar detected on:
    AP-1242#show capwap reap association
    REAP Data Switching: Local
    2960#show int fa0/22
      Hardware is Fast Ethernet
      Full-duplex, 100Mb/s, media type is 10/100BaseTX
      Last input 00:00:22, output 00:00:00, output hang never
      Last clearing of "show interface" counters never
      Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/40 (size/max)
      5 minute input rate 23000 bits/sec, 13 packets/sec
      5 minute output rate 208000 bits/sec, 48 packets/sec
         37478173 packets input, 13839718021 bytes, 0 no buffer
         Received 2818773 broadcasts (0 multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
         0 watchdog, 502342 multicast, 0 pause input
         0 input packets with dribble condition detected
         118634332 packets output, 36491262361 bytes, 0 underruns
         0 output errors, 0 collisions, 1 interface resets
         0 babbles, 0 late collision, 0 deferred
         0 lost carrier, 0 no carrier, 0 PAUSE output
         0 output buffer failures, 0 output buffers swapped out
    2811#show policy-map interface multilink 1
    Service-policy output: MPLS-QOS
        queue stats for all priority classes:
           queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 300637/46124112
        Class-map: PLATINUM (match-any)
          300637 packets, 46124112 bytes
          30 second offered rate 28000 bps, drop rate 0 bps
          Match: ip dscp ef (46)
            300637 packets, 46124112 bytes
            30 second rate 28000 bps
          Priority: 18% (552 kbps), burst bytes 13800, b/w exceed drops: -16
    Any help is appreciated.

    Hi Jeff,
    I think you are hitting a bug (CSCse92856) specific to 1242 AP. Solution given is "Enable Proxy ARP on the default-gateway device of your AP". You can try that & see.
    Even I cannot view the details of this bug because of insufficient access permission. Therefore I do not know more details about this bug fix, which software versions are affected, etc. Better you contact Cisco TAC & get more information.
    I found this information here
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_tech_note09186a008081103d.shtml
    One other reason that H-REAP APs do not join WLCs is if the Proxy ARP is disabled on the gateway for the H-REAP APs. From the AP console, this message is logged:
    *Jul 29 14:04:10.897: LWAPP_CLIENT_ERROR_DEBUG: 
    Retransmission count for packet exceeded more than max(CHANGE_STATE_EVENT , 1)
    This can be caused by Cisco bug ID CSCse92856. This problem applies only to AP1130 and AP1240. This problem does not apply to AP1000s, AP1100, or AP1200.
    This problem occurs when these conditions are met:
    HREAP mode is used in the WLAN. Local mode is not affected by this issue. Native VLAN mapping is required.
    The APs have to be on a different IP subnet than the AP Manager of the WLCs.
    Proxy ARP is disabled on the default gateway for the AP.
    The H-REAP AP gets the default gateway from a DHCP server.
    In order to resolve this issue, enable Proxy ARP on the default gateway router of the AP.
    HTH
    Rasika
    *** Pls rate all useful responses ****

  • Help needed to configure H-REAP with local switching

    Hi All,
    We are using following devices for campus Wi-fi.
    1. WLC - 4402
    2. AP (1131ag, 1042n) which support H-REAP.
    I want to configure HREAP central auth and local switching. I have enabled from local to HREAP after that I go to HREAP tab and native vlan 1 (by default)(I have changed native vlan 1 to 51.) vlan support is enabled. then click on vlan mapping and my wlan (guestwlan) is there with vlan id 24.
    I have assigned static IP to AP (192.168.51.40/24 gw 192.168.51.254).
    DHCP is running on controller.
    switch port configure is below:
    interface FastEthernet0/18
    description WiFi access point
    switchport trunk native vlan 51
    switchport mode trunk
    no ip address
    end
    Issue: authentication is done through RADIUS (Cisco ACS 4.2) but clients are not getting an IP address from DHCP.
    Please help.
    Thanks in Adv.
    Thanks,
    AS

    Hi AS,
    Do not use the DHCP on the WLC.
    Use a DHCP on the neighbor switch if possible for the native VLAN.
    Regards,
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • Confused: Central Switching/Local Switching

    Was wondering if someone could explain local/central switching a little further, when it comes to HREAP/FlexConnect modes for CAPWAP AP's. 
    So in our environment, we're running 7.5.102.0 code on all of our WLC's.  We have a central WLC in two of our regions(US and Europe).  Each region provides internet services for the remote sites connected to it.  So a site in Chicago comes back to our central office over an MPLS for their internet services; just as a site in italy comes back to our central office in the UK for their internet service over MPLS.  These remote sites have AP's that are in FlexConnect mode back to the central WLC's. 
    My question......I understand that an AP in central switching mode tunnels the traffic back to the central controller, whereas local switching does not.  However, what does that mean?  If the WAN link goes down, how does local switching help?  The internet is still down, since that's how the internet is advertised back from the central location.  Does that just mean that local servers can be accessed, over wireless, since we are in local switching mode?  Same question for authentication:  our AD servers are located at the central sites, with no AD servers at the remote sites.  In local authentication mode, how would an AP register a user, if the MPLS link is down?  Does it download some sort of cached directory for authentication? 
    Thanks for your help!

    Yes, in local switching mode, wireless client traffic is locally switched at the branch (you have to define their SVI on the branch switch) and they can access any branch resources while the WAN link is down. If internet service is provided by your central office, then they won't get internet services while your WAN link is down.
    If you configured local authentication, yes, the WLC will pass credentials (if the WLC has user credentials like WPA2-PSK or WEP) to the AP, which it can use for local authentication. If you are using dot1x with RADIUS & AD, then you should have redundancy of these services in order for the branch AP to use them in a situation where the controller is unavailable.
    Following design guide should help you to understand this
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob73dg/ch7_HREA.html#wp1103070
    Here is some of my notes related to different modes of operation of H-REAP/FlexConnect, that should help you as well
    http://mrncciew.com/2013/03/10/h-reap-modes-of-operation/
    HTH
    Rasika
    **** Pls rate all useful responses ****

  • How to have H-REAP broadcast only specific locally switched SSID's?

    I'm new to this H-REAP configuration, but in the main office we have about 6 WLANs.  I have a remote office which I want to have 2 new WLANs and have them switched locally.  How can I have the H-REAP APs at this site only broadcast those 2 SSIDs vs all 8?  I haven't really read anything about using AP Group VLANs with H-REAP or know if that's even possible, but is this a possibility and if not, what would you recommend?
    Thanks for the help!

    I may create another topic - but here it goes...
    I've decided to try to use an existing WLAN in the H-REAP config...
    -I've joined the AP to the remote controller, assigned it an IP, put it in H-REAP mode.
    -I chose a WLAN, enabled local switching
    -I went into the AP, configured the native VLAN, however, I CAN NOT change the vlan of the WLAN listed.  It always goes back to default.
    I verified the vlan exists on the switch, is routable, etc, the switch port is a member of that vlan, it is set as a trunk w/ 802.1q, etc.
    Any ideas on what would cause this?
    I am SOO close   Thanks!

  • Flex connect with a per user ACL with APs locally switched

    Hi all,
    Does FlexConnect allow a per user ACL to be downloaded to the session with local switching and central authentication? We are using ISE for the central policy engine and have set up dACL for wired but are about to embark on WLAN. The controller is a 5508 and the APs are 3700s.
    Second question- if the flex connect APs don't do any form of per user ACL, the other option is to have the units in regular mode where they are both centrally switched and centrally authenticated which I understand to support a per user ACL. Our WAN links are between 10mbps - 30mbps and the most latency would be around 40ms. Will this cause issues at all with the size WAN links and latency?
    Thanks
    Sent from Cisco Technical Support iPad App

    Well you are running v7.6 so FlexConnect per user radius ACL's are supported per this doc since v7.5.
    http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html#anc9
    As far as WAN latency, 200ms is good, but it depends on your WAN utilization now and how many APs you plan on installing and the increase in wireless traffic across your WAN. There is a minimum requirement, but it's up to you in the end to make sure you have enough bandwidth or else you will need to QoS the CAPWAP traffic to ensure the APs don't bounce from connected to standalone.
    Sent from Cisco Technical Support iPhone App
