04-30-2013 12:46 PM - edited 11-18-2020 03:02 AM
HREAP in a Nutshell
By default: the traffic flows upstream, to and from the physical site where the WLC is deployed (the WLC to which the AP is joined, the AP being the one to which the wireless client associates). So, by default, Local Switching is not used.
In fact, if the AP is physically deployed at the site where the WLC is also deployed, Local Switching is not required (because of the default behavior cited above). If the AP is not physically deployed at the site where the WLC is deployed, Local Switching may be required.
If one wants to override the default behavior and instead wants the traffic to be sent upstream from the physical site where the HREAP AP is physically located, Local Switching is used.
Authentication Central [Default] / Switching Central
Authentication Central / Switching Local
Authentication Local / Switching Central (this combination is not applicable)
Authentication Local / Switching Local
Authentication DOWN / Switching Local
Authentication DOWN (Nothing is working) / Switching DOWN
So, it's clear that we need to know:
# Where should the authentication happen?
# After authentication, where should the switching of traffic happen?
(To understand switching, one should know the difference between bridging, switching and routing.)
By default, every WLAN is centrally authenticated and centrally switched. (This is exactly the default behavior documented at the top.) These defaults can be overridden if a WLAN is required to be locally authenticated (with or without a radius server) and/or locally switched.
Unlike the 1030 Series REAP AP, which can map wireless user traffic to only a single VLAN, H-REAP APs are capable of supporting multiple switching modes concurrently, on a per-WLAN basis:
Authentication : Authentication of the wireless client
Switching : Data transfer / communication of the wireless client
Depending on its mode and on the configuration of the WLAN, an HREAP AP may find itself in any one of the following states.
States in order:
Authentication Central / Switch Central
Authentication Central / Switch Local
Authentication Local / Switch Local (HREAP groups; check mark on local authentication; radius server)
Authentication Down / Switch Local
Authentication Down / Switching Down

If (radius server is to be contacted for authenticating wireless clients)
{
    Authentication Local / Switch Local : E
}
Else (radius server is not to be contacted for authenticating wireless clients)
{
    Status of:
    HREAP state                               State   Radius        Local Switching
    Authentication Central / Switch Central   A       Radius UP     local switching NOT enabled on the WLAN
    Authentication Central / Switch Local     B       Radius UP     local switching enabled on the WLAN
    Authentication Down / Switch Local        C       Radius DOWN   local switching enabled on the WLAN
    Authentication Down / Switching Down      D       Radius DOWN   local switching NOT enabled on the WLAN
}
[ Authentication of wireless clients / way to traffic passage of authenticated clients ]
All 802.11 authentication and association processing occurs at the H-REAP, regardless of which operational mode the AP is in. When in Connected mode, the H-REAP forwards all association/authentication information to the WLC. When in Standalone mode, the AP cannot notify the WLC of such events, which is why WLANs that make use of central authentication/switching methods are unavailable. The hybrid-REAP access point maintains client connectivity for local switched WLANs after entering standalone mode.
Con: However, after the access point re-establishes a connection with the WLC, it disassociates all existing clients, applies updated configuration information from the WLC (if applicable), and re-allows client connectivity.
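The state table above, applied to a WLAN inventory, as an added Python example (not part of the original post and not Cisco code): it reports which WLANs lose authentication or traffic when the central path goes down. The `Wlan` class, the function names and the sample WLAN names are assumptions made for illustration; `radius_up` mirrors the "Radius UP/DOWN" column of the table.

```python
from dataclasses import dataclass

# State letters and names follow the table on this page.
STATE_NAMES = {
    "A": "Authentication Central / Switch Central",
    "B": "Authentication Central / Switch Local",
    "C": "Authentication Down / Switch Local",
    "D": "Authentication Down / Switching Down",
    "E": "Authentication Local / Switch Local",
}

@dataclass(frozen=True)
class Wlan:
    name: str
    local_switching: bool      # local switching enabled on the WLAN
    local_auth: bool = False   # HREAP group with local authentication checked

def hreap_state(wlan: Wlan, radius_up: bool) -> str:
    """Return the state letter (A-E) for one WLAN on an HREAP AP."""
    if wlan.local_auth and not wlan.local_switching:
        # The page lists this combination as not applicable.
        raise ValueError(f"{wlan.name}: Authentication Local / Switching Central is not applicable")
    if wlan.local_auth:
        return "E"
    if radius_up:
        return "B" if wlan.local_switching else "A"
    return "C" if wlan.local_switching else "D"

def outage_report(wlans):
    """Compare each WLAN's state with the central path up versus down."""
    report = {}
    for w in wlans:
        up, down = hreap_state(w, True), hreap_state(w, False)
        report[w.name] = {
            "up": up,
            "down": down,
            "auth_survives": down == "E",            # only local authentication
            "traffic_survives": down in ("C", "E"),  # locally switched WLANs
        }
    return report

# Constructed sample inventory (names are made up for illustration).
SAMPLE_WLANS = [
    Wlan("corp", local_switching=False),
    Wlan("branch-data", local_switching=True),
    Wlan("branch-voice", local_switching=True, local_auth=True),
    Wlan("guest-webauth", local_switching=True),
]

if __name__ == "__main__":
    for name, row in outage_report(SAMPLE_WLANS).items():
        print(f"{name:14} {STATE_NAMES[row['up']]:42} -> {STATE_NAMES[row['down']]}")
```

In the sample, only `corp` ends in state D, where nothing works; the guest WLAN keeps switching locally but can no longer authenticate clients.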
One of the challenging aspects of using standard REAP APs in the branch is the implementation of guest access, which is difficult to implement for the following reasons:
• All WLANs map to the same local VLAN, thereby making it difficult to differentiate and segment guest users from branch users.
• All user traffic is switched locally; therefore, guest access traffic must somehow be segmented and routed back to the central site for access control and authentication, or if local Internet access is available at the branch, both segmentation and access control must be implemented locally.
2. It is also possible to configure a (guest) WLAN, which uses central web authentication, to be switched locally at the branch. In this case, the branch client is redirected to the central WLC (virtual address 1.1.1.1) for web authentication only. Upon authenticating, all client traffic is subsequently switched via the local VLAN interface based on the HREAP settings. Any traffic associated with web login or logoff (destined to the WLC virtual address) is tunneled via LWAPP directly to the central WLC.