
H-REAP local switching

skelley5000
Level 1

Questions about local switching,

Here is what I would like to do,

I have a new office I will be opening up, it is a remote site so H-REAP will be used for the APs. I will have 2 connections coming out of the building, 1 will come back to corporate and the other will be an open internet for guests. The connection coming back to corporate will supply internet and data center connectivity to all wired and wireless corporate devices. The public connection obviously is only for guests who come to the office. My question is the public internet will be on, let's say, VLAN 100, the rest of the PCs will be on VLAN 200. If I turn on local switching, how do I keep the public wireless devices going out the public internet and the corporate devices going out the corporate connection?


Scott Fella
Hall of Fame

If you want Internet at the remote site to go out the Internet connection out there, then you need local switching enabled.  If you want traffic to come back to the WLC, you don't need local switching enabled on the wlan.  Make sense?

-Scott
*** Please rate helpful posts ***

skelley5000
Level 1

Never mind, I see you can turn on local switching per WLAN.

Thanks

Hi Sean,

Please be aware that for guest access, the WLAN must be centrally switched. You can still enable HREAP on the AP, but for the guest WLAN, do not enable local switching.

Your firewall can be used to separate the guest WLAN subnet from the corporate subnet and direct traffic to the Internet. For best practice, I would advise that you have a separate WLC on the DMZ at the central office, which could also double as the DHCP server. Also do not use the controller management interface for the guest WLAN. Instead create a separate dynamic interface. This ensures that the clients do not pick up an IP address from the corporate if there is controller failure.

Cheers

That's the point of the separate Comcast connection, it is totally separate from the corporate network and is open to the guest. So no firewall or anything will be used, it will be on a totally separate VLAN.

The WLC will have its own interface, set to the correct VLAN, and we will be using a separate DHCP for that VLAN, local to the site.

So there is no way to make guest network local switched too? Let authentication be done at the controller but once the traffic is authenticated, local switch the guest traffic. This would be too bad for customers without enough WAN bandwidth to tunnel all guest traffic to corporate site and then go out to internet.

You can do local switching for guest, but you would have to create ACLs to prevent guest traffic from accessing the internal network.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Would that be FlexConnect ACLs or different?

Right now I created 2 different WLANs using same SSID. If I used WLAN # smaller than 17 then it didn't allow me to create same SSID.

WLAN 17 - SSID: Secure, LocalSwitching, Local Authentication(In case the WAN link is down, AP does Radius auth direct), VLAN MAP: 101

WLAN 18 - SSID: Guest, LocalSwitching, No local Authentication, VLAN MAP: 111

WLAN 17 is working fine, but I am still not sure if I have the guest WLAN working properly. I don't see the guest WLAN in the VLAN Mapping list as an option at all.

Scott Fella
Hall of Fame

You can do FlexConnect ACLs if you want, but I prefer ACLs on the L3 interface. You need to enable FlexConnect local switching on the guest WLAN SSID to have the option to set the local VLAN to SSID mapping.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
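
An added example, not written by any poster in this thread: an IOS-style extended ACL applied inbound on the guest VLAN's L3 interface, the placement the reply above prefers. VLAN 111 is the guest VLAN from the thread; the ACL name `GUEST-ISOLATE` and the assumption that every internal network sits in RFC 1918 space are illustrative and must be adjusted to the real addressing plan.

```cisco
! Added example (not from the thread). Assumptions: guest clients sit on
! VLAN 111, it is routed on an SVI on the site's L3 device, and all
! corporate networks use RFC 1918 addresses.
ip access-list extended GUEST-ISOLATE
 remark Allow DHCP so guests can still get a lease from the local scope
 permit udp any eq bootpc any eq bootps
 remark Block guest traffic to every private (internal) range
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 remark Everything else is Internet-bound and allowed
 permit ip any any
!
interface Vlan111
 description Guest WLAN (locally switched)
 ip access-group GUEST-ISOLATE in
```

Because the deny lines also cover the guest subnet's own gateway address, a DNS resolver hosted on that gateway needs an explicit permit above the deny entries; guests using a public resolver are covered by the final permit.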

This is possible right?

HREAP central auth, locally switched?

Sorry for my bad drawing, I did it quickly.

Team,

Below is my screenshot. I was able to do WLAN to VLAN mapping and now getting local IP from local DHCP scope that's doing local switching. However for the guest wireless, I don't seem to have an option to add guest WLAN/VLAN mapping. My guest WLAN is # 18 that needs to map to VLAN # 111.

Thanks,

Sam

Have you enabled FlexConnect local switching on the WLAN?

Also have you added the guest WLAN to that particular AP group?

WLAN tab > Guest SSID > Advanced > FlexConnect Local Switching

Like Aaron mentioned, you didn't enable local switching on the guest WLAN. Enabling that in any WLAN allows you to get the WLAN to VLAN mappings.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***

Here is how I have my SSID configured:

And here is the AP.

Copy-pasted from my older post.
