Rajan Parmar is a wireless expert and working for the Cisco's Technical Assistance Center (TAC) team providing reactive technical support to majority of Cisco’s premium customers and partners. In this document Rajan has explained HREAP (Hybrid Remote Edge Access Point) in a nutshell.
By default:The traffic flows upstream to-and-from the physical site where is deployed the WLC [ to which the AP is joined ( to which associates a wireless client)]. So, by default, Local Switching is not used.
In fact if AP is physically deployed at the site where the WLC is also deployed, Local Switching is not required. (because of the default behaviour as cited above). If AP is not physically deployed at the site where the WLC is also deployed, Local Switching may be required.
If one wants to override/overwrite the default behaviour, and rather wants the traffic to be sent upstream, from the physical site, where is physically located the HREAP AP, Local Switching is used.
All Possible Combinations
Authentication Central [Default]
(this combination is not applicable)
Authentication DOWN (Nothing is working)
So, its clear that we need to know: # where should happen the authentication ? # after authentication, where should happen the switching of traffic ?
(to understand switching , should know the difference between bridging, switching and routing)
By default, every wlan is centrally authenticated , and, centrally switched. (This is exactly what is mentioned as the default behaviour as documented at the top). These defaults can be overridden, if a wlan is required to be locally authenticated(with or without radius server), and or locally switched.
If we have enabled central authentication (Local Switching option is left as unchecked): All ssids configured on the wlc are visible to the hreap AP.
If we have disabled central authentication (Local Switching option is checked): All ssids configured on the wlc with local switching enabled, are shown in the HREAP tab.
802.1x is not supported on local authentication. In case of WAN link is down, backup radius servers can be deployed locally (at the site of HREAP APs ) only for leap and eap-fast.
To configure local radius servers, Local Authentic check box on wlans-advanced is checked in combination with hreap groups.
Should understand the difference between Authentication Down/Switch Local, and, Local Authentication/Local Switching, in terms of the authenticator of wireless clients: In the former case, we need authentication via the Radius server, however the Radius Server is found be down. In the latter case, we need authentication via the HREAP AP. we have switching modes, operating modes and HREAP states
REAP 1030 APs cannot support trunking mode. Better to connect the HREAP APs to the trunk port. Unlike the 1030 Series REAP AP, which can map wireless user traffic to only a single VLAN, H-REAP APs are capable of supporting the multiple switching modes concurrently, on a per-WLAN basis:
Support per WLAN
Authentication : Authentication of the wireless client
Switching : Data transfer / Communication of the wireless client
Depending on the mode of the HREAP AP, an HREAP AP may find itself in any one of the following states, depending on the configuration of the WLAN.
States in order:
Authentication Central/Switch Central
Authentication Central/Switch Local
Authentication Local /Switch Local ' hreap groups; check mark on local authentication; radius server
Authentication Down /Switch Local
Authentication Down /Switching Down
If (radius server is to be contacted for authenticating wireless clients)
Authentication Local / Switch Local :E
Else (radius server has not to be contacted for authenticating wireless clients)
<---------HREAP STATE---------------> <--Radius--> <------------Local Switching----------->
Authentication Central/Switch Central: A :Radius UP , local switching NOT enabled on the WLAN
Authentication Central/Switch Local : B :Radius UP , local switching enabled on the WLAN
Authentication Down /Switch Local : C :Radius DOWN, local switching enabled on the WLAN
Authentication Down /Switching Down: D :Radius DOWN. local switching NOT enabled on the WLAN
A: This state represents a WLAN that uses a centralized authentication method such as 802.1x, VPN, or web. User traffic is sent to the WLC via LWAPP. This state is supported only when H-REAP is in Connected mode . 802.1X can be used but other mechanisms are equally applicable.
B: This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when H-REAP is in Connected mode. 802.1X can be used, but other mechanisms are equally applicable.
C: A WLAN that requires central authentication rejects new users. Existing authenticated users continue to be switched locally until session timeout isn't expired (if configured). The WLAN continues to beacon and respond to probes until there are no more (existing) users associated to the WLAN. This state occurs as a result of the AP going into standalone mode.
Central switched WLANs no longer beacon or respond to probe requests when the H-REAP is in standalone mode. Existing clients are disassociated.
E: This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if an H-REAP goes into standalone mode. The WLAN continues to beacon and respond to probes . Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.
Authentication of wireless clients
Authentication of wireless clients / way to traffic passage of authenticated clients
All 802.11 authentication and association processing occurs at the H-REAP, regardless of which operational mode the AP is in. When in Connected mode, the H-REAP forwards all association/authentication information to the WLC. When in Standalone mode, the AP cannot notify the WLC of such events, which is why WLANs that make use of central authentication/switching methods are unavailable. The hybrid-REAP access point maintains client connectivity for local switched WLANs after entering standalone mode.
Con: However, after the access point re-establishes a connection with the WLC, it disassociates all existing clients, applies updated configuration information from the WLC (if applicable), and re-allows client connectivity.
Branch Guest Access
One of the challenging aspects of using standard REAP APs in the branch is the implementation of guest access, which is difficult to implement for the following reasons:
All WLANs map to the same local VLAN, thereby making it difficult to differentiate and segment guest users from branch users.
All user traffic is switched locally; therefore, guest access traffic must somehow be segmented and routed back to the central site for access control and authentication, or if local Internet access is available at the branch, both segmentation and access control must be implemented locally.
It is also possible to configure a (guest) WLAN, which uses central web authentication, to be switched locally at the branch. In this case, the branch client is redirected to the central WLC (virtual address 220.127.116.11) for web authentication only. Upon authenticating, all client traffic is subsequently switched via the local VLAN interface based on the HREAP settings. Any traffic associated with web login or logoff (destined to the WLC virtual address) is tunneled via LWAPP directly to the central WLC.
Local switch configuration
The configuration of the local network switch port that the H-REAP AP will be physically connected to depends on how you have configured the WLAN and H-REAP switching.
If you are simply doing central switching, all you need is for the AP to be connected to an access port in the correct VLAN (a VLAN that can route to the controller from the remote network).
If you intend to only have a single locally switched WLAN or if multiple WLANs do not need wired side separation, you can use an access port.
If you have multiple locally switched WLANs that need wired side separation or you do not want a single locally switched WLAN to use the same VLAN as the AP, configure an 802.1q trunk port instead.