H-REAP Issues

In central / local auth/switching state of H-REAP, I would like, if feasible, clients to obtain IP addresses from DHCP Server placed in remote office subnet (I mean where H-REAP is installed and the clients operate):

  • How should DHCP process for clients be configured and operate?
  • Should I create dynamic interfaces (VLANs) on the controller for WLANs (SSIDs) being switched locally? In the VLANs configuration page, what IP address (from which subnet) should be administered for DHCP?
  • How will VLANs administered in VLAN mapping page and mapped for the certain SSIDs (WLANs) interoperate with VLANs created as Dynamic Interfaces for the same SSIDs (WLANs)? Should the VLAN ID numbers match?

In central / local state auth/switching of H-REAP, if I want to create public internet access in the remote office and switch the Internet traffic locally

  • Should I create a new internal Web Authentication VLAN / WLAN in addition to the existing ones for clients in Central office?
  • Should I also map SSID to VLAN in the VLAN mapping page for local switching of the internet traffic?

Thanks
Accepted Solutions

Saravanan Lakshmanan
Cisco Employee

see inline.

In central / local auth/switching state of H-REAP, I would like, if feasible, clients to obtain IP addresses from DHCP Server placed in remote office subnet (I mean where H-REAP is installed and the clients operate):

• How should DHCP process for clients be configured and operate?

#Configure hreap AP connected switch/core router/ext microsoft server as dhcp server for wireless clients. DHCP works similar to your wired PC connected to the hreap AP connected switch.

• Should I create dynamic interfaces (VLANs) on the controller for WLANs (SSIDs) being switched locally? In the VLANs configuration page, what IP address (from which subnet) should be administered for DHCP?

#No, For locally switched wlan, the dhcp packets won't hit the controller, the requests will be bridged out to hreap AP connected switch using respective vlan. Think of hreap AP as a L2 switch connecting to another switch on Trunk port at remote site.

• How will VLANs administered in VLAN mapping page and mapped for the certain SSIDs (WLANs) interoperate with VLANs created as Dynamic Interfaces for the same SSIDs (WLANs)? Should the VLAN ID numbers match?

#They do not interoperate, Dynamic interface used for central switching purpose only, while hreap's VLAN mapping is only for local switching. That's why vlan mappings config is on each hreap AP, that wlan to vlan mappings on each hreap AP == allowed vlans on hreap AP's trunk port.

In central / local state auth/switching of H-REAP, if I want to create public internet access in the remote office and switch the Internet traffic locally

• Should I create a new internal Web Authentication VLAN / WLAN in addition to the existing ones for clients in Central office?

#No, Existing webauth wlan should work, just set the WLAN to locally switched. Local and remote hreap APs will be fine mapped to this wlan.

• Should I also map SSID to VLAN in the VLAN mapping page for local switching of the internet traffic?

# Yes. And No if you prefer to use central switching.
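
The answer above equates the WLAN-to-VLAN mappings on each H-REAP AP with the allowed VLANs on that AP's trunk port. The following check is an added example, not part of the original post or Cisco's tooling: it compares the two and reports VLANs missing from the trunk as well as VLANs exposed on the AP port that no locally switched WLAN needs. The interface config, WLAN names, VLAN IDs and the AP native VLAN are constructed sample values.

```python
import re

# Constructed sample: IOS-style config of the switch port facing one H-REAP AP.
SWITCHPORT_CONFIG = """\
interface GigabitEthernet0/5
 description H-REAP AP, remote office (constructed sample)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20-22
 switchport trunk allowed vlan add 99
 switchport mode trunk
"""

# Constructed sample: WLAN-to-VLAN mappings copied by hand from the AP's VLAN mapping page.
AP_WLAN_VLAN_MAP = {"corp": 20, "voice": 21, "guest-webauth": 30}
AP_NATIVE_VLAN = 10  # assumed native VLAN configured on the AP


def allowed_vlans(config):
    """VLAN IDs permitted on the trunk; IOS allows 1-4094 when no list is configured."""
    pattern = re.compile(r"^\s*switchport trunk allowed vlan (?:add )?([\d,-]+)\s*$", re.M)
    lists = pattern.findall(config)
    if not lists:
        return set(range(1, 4095))
    vlans = set()
    for part in ",".join(lists).split(","):
        low, _, high = part.partition("-")
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def native_vlan(config):
    """Native VLAN of the trunk; IOS defaults to VLAN 1 when none is set."""
    match = re.search(r"^\s*switchport trunk native vlan (\d+)\s*$", config, re.M)
    return int(match.group(1)) if match else 1


def audit_ap_trunk(config, wlan_vlan_map, ap_native_vlan):
    """Compare what the AP bridges locally with what the switch trunk carries."""
    allowed = allowed_vlans(config)
    needed = set(wlan_vlan_map.values()) | {ap_native_vlan}
    return {
        # Locally switched WLANs whose frames (DHCP included) the trunk would drop.
        "missing": sorted(needed - allowed),
        # VLANs exposed on the AP port that no locally switched WLAN uses.
        "extra": sorted(allowed - needed),
        "native_mismatch": native_vlan(config) != ap_native_vlan,
    }


if __name__ == "__main__":
    print(audit_ap_trunk(SWITCHPORT_CONFIG, AP_WLAN_VLAN_MAP, AP_NATIVE_VLAN))
```

With the sample values, the guest WLAN's VLAN 30 is reported as missing from the trunk, and VLANs 22 and 99 are reported as allowed but unused.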

8 Replies

Scott Fella
Hall of Fame

If you want to use a local dhcp for clients at the remote site, then you need to use local switching. This requires the ap to be connected to the switch via a trunk port if you will be mapping users to multiple vlans. In central switching, all traffic goes back to the WLC and dhcp should be located where the WLC is located.

-Scott

If I understand correctly, you are using HREAP, now called Flexconnect in later codes.

If you are using local switching, then the VLAN mappings for HREAP override the WLAN VLAN mapping, so in theory you don't need a new dynamic interface. However, if you use the WLAN interface mapping, that will be management, so if for any reason your HREAP breaks, clients will be on the management VLAN. I usually create a dynamic interface and black hole it for locally switched WLANs.

Switching guest traffic locally is a nightmare as you then have guests on your corporate infrastructure. It can be done but is painful. I would still switch at the WLC and rate limit them. If you can't, then make sure you secure the relevant VLAN.

Peter,

As a matter of fact, I am trying to understand the process before starting to deploy. I would appreciate it if you could share any operational config example.

As I understood, your suggestion is to switch Public Internet traffic centrally. In this case, should I prioritize CAPWAP data UDP port 5247 for traffic as well?

Alexey,

Take a look at the h-reap design guide. It's the same as FlexConnect, but it will help you understand how to deploy h-reap/FlexConnect APs.

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml

-Scott

There are Flexconnect config examples online, and yes, you should prioritise CAPWAP.

The config will vary depending on which flavours of Flexconnect you use.

Personally I would always anchor guest traffic in my DMZ to an anchor controller. That means centrally switching your guest traffic. That way it's off your internal LAN. Start locally switching it and you need all your ACLs in place.

Decide how your clients will authenticate as that will affect things as well. 802.1x for example.

Saravanan,

Perfect. Thank you.