08-07-2024 05:33 PM - edited 08-07-2024 05:35 PM
I have a 9800-CL that is port forwarding CAPWAP ports (finally got this working in OEAP mode) with a 3802I. The site where the 9800-CL is located has 2 VLANs (VLAN 2 - 192.168.2.0/24 and VLAN 99 - 192.168.99.0/24). Both VLANs have a DHCP server set up on the router and no DHCP is set up on the controller. This is a little new to me, so I'm not sure how to get the 3802I to recognize VLAN 99 and pull a DHCP address from the server, or should it get a local address from the router at the home location and recognize the split tunnel ACL that's set up to access traffic across the DTLS connection?
Layout
Non-AD Laptop < 3802i (personal and corp SSID) < Home Router > < Edge Router > 9800-CL
08-07-2024 05:46 PM
corp SSID: Traffic is tunnelled back to your 9800 WLC, so in that way it should get an IP address from your corp DHCP server.
personal SSID: Traffic is locally switched to your home router, so they will get an IP from your home network.
HTH
Rasika
*** Pls rate all useful responses ***
08-07-2024 05:54 PM
The personal SSID is working with a 10.0.0.0 network going through the home router, but I just can't figure out the corp SSID side. No matter what, I can't get it to pull a DHCP address from the 192.168.99.0/24 network. I can route and ping from the 192.168.99.10 interface, which is NAT'd for public discovery for the OEAP APs. Also added a show-tech export.
08-07-2024 10:53 PM
>...Also added a show-tech export
- You may want to replace that with a show tech wireless and feed the output from that into Wireless Config Analyzer (as stated, do not use a simple show tech as input for this procedure). This is to have the controller's configuration evaluated.
That being said: OEAP is a little bit outdated these days; you could consider a flexconnect-based setup with local switching to bring the corporate SSID to the home (office) too.
M.
08-08-2024 07:19 AM
Thanks for that. Are there any guides on how to set up a remote access point in flexconnect without a corporate router/switch at the end user's house? Either a full tunnel or split tunnel configuration when accessing corporate data on the corp SSID?
08-08-2024 08:40 AM
- Check if this can help : https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-3/config-guide/b_wl_17_3_cg/m_vewlc_flex_connect.html#spilt-tunneling-for-flex
M.
08-08-2024 09:18 AM
Interesting. This was the article I followed and it referenced flexconnect and OEAP still https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-3/deployment-guide/remote-workforce-solution-wireless.pdf
08-12-2024 04:52 AM - edited 08-12-2024 04:57 AM
Like Marce says OEAP is not used much anymore. The key points which distinguish OEAP:
- Mandatory CAPWAP data tunnel encryption. For companies that don't think VPN, TLS etc. are enough to protect their user data. This substantially increases CPU load on the AP (and the WLC), thus limiting the throughput of the AP, so performance/throughput is always worse than a similar standard AP setup.
- The AP provides a very rudimentary page for the user to set up their own local SSID. This page is not well maintained at all; it looked like something out of ancient history last time I looked at it, but maybe it's been updated since then.
Very few companies require that encrypted CAPWAP data these days. With zero trust networks the assumption is that all underlying transport is untrusted so the device must ensure end to end security/encryption without relying on the WiFi or network to be encrypted. This is necessary anyway if the device is allowed to access public hotspots.
Most home broadband routers provide the user with a home SSID with a much more modern and flexible GUI to manage it so the AP local SSID is usually not needed at all.
So the simple solution is:
- AP in flexconnect mode
- Corporate SSID with central authentication, central switching, central DHCP which is tunnelled back to the WLC
- Local user SSID (only if required) with local authentication, local switching, local DHCP which breaks out on the local switch port, never going anywhere near the WLC.
- The AP gets its IP address from the home broadband router just like any other client on the home network or you assign it a static IP from the reserved part of the home IP range.
- I would stay away from using split tunnels at all - corporate SSID should be corporate only and local SSID should be local only. The only use-case I've come across for split tunnel is user wanting to print to local home printer but frankly it's easier to tell the user to connect to their home SSID if they want to print.
But in fact very few companies would extend a corporate SSID to a user's home these days because Google/Microsoft 365 apps require direct cloud access - nobody wants all that traffic traversing their corporate network anymore. So in most cases users simply connect to their own home SSID and then a VPN on the client is used to route the corporate traffic to the company network over VPN while the Google/Microsoft cloud traffic routes directly to the local internet connection. That also simplifies user access to a printer on the local home network. The split tunnelling is done in the VPN client.
PS: if you desperately want to, you can still enable CAPWAP data encryption for the AP even without using OEAP, but remember the performance impact it will have. I've also noticed a number of bugs that have popped up over the years related to CAPWAP data encryption being enabled, because it simply isn't used or tested as much as unencrypted CAPWAP data on the AP.
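The "simple solution" laid out in the post above (AP in FlexConnect mode, a corporate SSID that is centrally authenticated/switched with DHCP served centrally from VLAN 99, and an optional home SSID that is locally switched and never reaches the WLC), written out as a 9800 IOS-XE configuration skeleton. This is an added example, not the poster's configuration or anything from the thread's show-tech; the profile and tag names (CORP-CENTRAL, HOME-LOCAL, HOME-FLEX, HOME-SITE, HOME-POLICY-TAG), the SSID names, the AAA method list name and the AP MAC are placeholders you would replace with your own. The only page-specific value used is VLAN 99 for the corporate side.

```cisco
! --- Corporate SSID: 802.1X authenticated centrally on the WLC (method list is a placeholder)
wlan CORP-SSID 1 CORP-SSID
 security dot1x authentication-list CORP-DOT1X-LIST
 no shutdown

! --- Home SSID (only if required): PSK, so no user traffic or credentials go near the WLC
wlan HOME-SSID 2 HOME-SSID
 no security wpa akm dot1x
 security wpa akm psk
 security wpa psk set-key ascii 0 REPLACE-WITH-HOME-PASSPHRASE
 no shutdown

! --- Policy profile for the corporate SSID: everything central, client lands in VLAN 99
wireless profile policy CORP-CENTRAL
 central association
 central authentication
 central dhcp
 central switching
 vlan 99
 no shutdown

! --- Policy profile for the home SSID: everything local, breaks out on the AP's wired port
wireless profile policy HOME-LOCAL
 no central association
 no central authentication
 no central dhcp
 no central switching
 vlan 1
 no shutdown

! --- Flex profile: AP and locally switched clients use the untagged home-router VLAN
wireless profile flex HOME-FLEX
 native-vlan-id 1

! --- Site tag marked as a remote (non-local) site so the AP runs in FlexConnect mode
wireless tag site HOME-SITE
 no local-site
 flex-profile HOME-FLEX

! --- Policy tag binds each SSID to its policy profile
wireless tag policy HOME-POLICY-TAG
 wlan CORP-SSID policy CORP-CENTRAL
 wlan HOME-SSID policy HOME-LOCAL

! --- Assign the tags to the remote AP (placeholder MAC)
ap 0000.0000.0000
 policy-tag HOME-POLICY-TAG
 site-tag HOME-SITE
```

The point to check after applying this is the policy profile pairing: the corporate WLAN must be bound to a profile with central switching and central DHCP (otherwise the client asks the home router for an address and never sees 192.168.99.0/24), while the home WLAN must be bound to a profile with local switching so no home-device traffic is tunnelled into the corporate VLAN. If the 9800 does not offer VLAN 99 to corporate clients, verify with "show wireless client mac-address <mac> detail" that the client is reported as centrally switched and that VLAN 99 is present on the controller's trunk; a DHCP server on the router for VLAN 99 is enough, as the thread notes, because the WLC only relays the centrally switched client's request onto that VLAN.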