https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351074#M95490 <HTML><HEAD></HEAD><BODY><P>Where is your internet link to servcing these branch users ? Do they have own internet connection at each branch ? or are they coming to your central office to acces internet ?</P><P></P><P>Rasika</P></BODY></HTML> Fri, 25 Oct 2013 20:29:03 GMT Rasika Nayanajith 2013-10-25T20:29:03Z https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351073#M95489 <P>Hello all, </P><P>I have multiple remote office locations and I have implemented HREAP using central authentication and local switching. The offices have 3 vlans. switch/router mngmnt, Wireless management and the office vlan. The access points are 3502I. The code is 7.0.235.3 . </P><P></P><P>The access point IP addresses come from a DHCP scope on the local router. This is is a specific range i.e. 10.20.x.x.&nbsp;&nbsp; This space is only permited to communicate with the central office controllers and denied any other traffic . The AP network is locked down with both an inbound and outbound set of ACL's on the office router. </P><P></P><P>The AP port on the switch is setup as a trunk and management is the native vlan .</P><P></P><P>Our IT Security group came to me with a concern. They were seeing apple traffic over the 10.20.x.x network and alot of ICMP traffic from the internet. </P><P></P><P>Questionis how is the user traffic that is setup to be switched locally getting on the AP management network ? and not staying on the user vlan ?</P> Sun, 04 Jul 2021 08:09:46 GMT https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351073#M95489 michael.lussier 2021-07-04T08:09:46Z https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351074#M95490 <HTML><HEAD></HEAD><BODY><P>Where is your internet link to servcing these branch users ? Do they have own internet connection at each branch ? or are they coming to your central office to acces internet ?</P><P></P><P>Rasika</P></BODY></HTML> Fri, 25 Oct 2013 20:29:03 GMT https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351074#M95490 Rasika Nayanajith 2013-10-25T20:29:03Z https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351075#M95492 <HTML><HEAD></HEAD><BODY><P>All traffic internet included comes back to the main office. </P></BODY></HTML> Fri, 25 Oct 2013 21:01:14 GMT https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351075#M95492 michael.lussier 2013-10-25T21:01:14Z https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351076#M95494 <HTML><HEAD></HEAD><BODY><P>Unless you have any other centrally switch WLAN, all traffic <SPAN style="font-size: 10pt;">except capwap mgt traffic (src or dst to AP mgt IP) </SPAN><SPAN style="font-size: 10pt;">should terminate on your branch local swtich &amp; then go via normal ip routing path to your cerntral office.</SPAN></P><P></P><P>Best if you could a packet capture of your branch WAN link &amp; confirm 100% you would see user traffic coming from 10.20.x.x network.</P><P></P><P>I am not <SPAN style="font-size: 10pt;">100% </SPAN><SPAN style="font-size: 10pt;">sure whether all packets will be locally switched or first packet will be centrally switched &amp; rest will be locally switched. Your packet capture would prove this.</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">HTH</SPAN></P><P><SPAN style="font-size: 10pt;">Rasika</SPAN></P><P></P><P><SPAN style="font-size: 10pt;">**** Pls rate all useful responses *****</SPAN></P></BODY></HTML> Fri, 25 Oct 2013 21:30:45 GMT https://community.cisco.com/t5/wireless/hreap-behavior/m-p/2351076#M95494 Rasika Nayanajith 2013-10-25T21:30:45Z