H-Reap mode

Network Pro
Level 1

Hi everyone,

I am having trouble with the H-REAP design. Could someone please help?

We have a few APs in our remote site over the WAN and a central WLC (connected to our core 6500 switch) in our headquarters. I have created a Guest WLAN which is used in our HQ and needs to be advertised on our remote sites. I also need a Remote Staff WLAN for the remote site that needs local switching (H-REAP).

So I created two IDs:

Guest - local switching not enabled

Remote Staff WLAN - local switching and H-REAP enabled

The WLANs are mapped to VLAN 75 on the WLC.

All APs on the remote site are on trunk ports connected to a switch:

Switch IP address: 172.22.61.4

ap1 - 172.22.61.201

ap2 - 172.22.61.202

ap3 - 172.22.61.203

This switch trunks back to our core switch 172.22.75.1. This switch is used as a DHCP server for the wireless clients (DHCP pool 75). VLAN 75 is also created on both switches. The core switch in turn connects back to a router (Cisco 3725) where this address is advertised over OSPF to our main site.

My doubts here are:

1. Do I need to create an interface for VLAN 75 on the WLC and link this interface to the Remote Staff WLAN (or is it not needed as it's just locally switched)?

2. Also, I know that in H-REAP mode only the locally switched WLAN (Remote Staff WLAN) gets tagged and the centrally switched WLAN (Guest) uses the native VLAN. But when it comes to the core router, do I need this VLAN 75?

3. Do I need this VLAN 75 on our core switches (Cisco 6500), or does the packet not get tagged on reaching the C3725 and get advertised through OSPF?

Thanks


Nicolas Darchis
Cisco Employee

1. Not needed.

2. Not quite true. Locally switched WLANs get tagged, yes. "Normal" WLANs (= centrally switched) are tunneled inside CAPWAP, and yes, CAPWAP is on the native VLAN of the AP, but that's not really important since it's tunneled.

I'm not sure I followed your deployment but here's the generic reply: "the VLAN that you configured on the H-REAP AP for the locally switched WLAN has to lead to a gateway, whether it's on the central site or the remote site. From there, think of it like with an IOS AP: the client will have connectivity if he has a gateway".

3. Again I'm not sure I follow.

Your centrally switched WLANs: you should probably not care. They are inside the CAPWAP tunnel and the traffic is exiting the tunnel at the WLC and uses the interface you defined on the WLC. Just like local mode APs, nothing H-REAP in here.

Your locally switched WLANs are like IOS APs: the AP drops the traffic on its Ethernet port with the VLAN tag you configured. The rest is up to you. You can have the client gateway be the switch where the H-REAP APs are connecting to. Then the traffic would be routed like normal traffic from there on.

Thanks for the quick reply Nicolas.

At the moment all the APs are connected to a local switch which acts as a gateway for these APs. This switch in turn connects to another layer 3 switch which provides DHCP to the clients (the APs are in a different subnet to the client IP addressing). This layer 3 switch connects back to a C3725 router which routes back to the main core switches at the headquarters through OSPF. This AP switch also has the C3725 router as its default gateway.

1. Do you think this setup is logical, or can any improvements in design be made?

2. When you said the APs drop the packet with the tag (for the locally switched WLAN), does it mean that the series of switches it connects back through till the router (C3725) should also have the same VLAN (i.e. VLAN 75)?

3. Do I need to create this on the router (VLAN 75)?

4. Once these packets reach the C3725 router and get advertised to the core at headquarters, do I need this VLAN 75 on the core switches as well, where the WLC is connected?

Sorry, just a bit confused so clearing it up.

Thanks

1- First switch being the gateway for APs: fine. The AP VLAN doesn't need to exist anywhere else then. A second switch a hop away acting as DHCP (and I guess gateway as well?) for clients: fine too. The VLAN for the clients has to exist on: AP switchport, switch where the AP is plugged in, switch doing gateway/DHCP for clients. That's it.

If that 2nd switch is the gateway for the clients, traffic is routed from there on.

2- When I said "drops", it meant "releases". I mean it's like an IOS AP, no tunnels. The VLAN doesn't have to exist anywhere else than on the path AP -> gateway of the clients, which I understood is the 2nd hop.

3- I'm not sure where "the router" is located but the answer is still the same: the VLAN has to exist up until a device (layer 3 switch or router) that acts as gateway for those clients.

4- Hell no, when a packet is routed, it doesn't have a VLAN tag anymore ... it's routed on other VLANs. A VLAN tag only survives up to a gateway.

Lovely, good explanation. Thanks very much.

I have a few others as well:

1. We are using PEAP authentication. For remote sites, on the WLC under the WLAN (Security - AAA Servers), does Local EAP Authentication need to be checked? If yes, what priority does it need to use? (This is basically for H-REAP sites.) Someone said this doesn't need to be checked and this needs checking only for WLANs that are local to the site (AP not in H-REAP mode).

2. We have set up PEAP authentication manually on all the clients (laptops) to match the WLC. But recently we have a few clients who are stuck in the probing state. On looking at the profile on the client (laptop), they are automatically being changed to WEP. This has happened on a few laptops, which makes us think it can't be accidental. Any reason for this?

3. We seem to have two ACS servers - one used for TACACS for network devices and the other used for authenticating wireless access. Where in the WLC can I find this network configuration, i.e. wireless users access the first ACS server and TACACS users use the second ACS server? I have looked at both ACS servers and they seem to have similar groups.

Sorry, just new to this organization and understanding how these networks work.

Thanks

1. Local EAP means "the WLC acts as RADIUS server". You probably don't want that and it has nothing to do with local APs or H-REAP or whatever.

2. Never saw that happening. 99% sure it's a client behavior problem.

3. "Where are wireless users authenticated?" 2 places to check. "Security" -> RADIUS (or TACACS). That's where you define the RADIUS/TACACS servers that the WLC can use.

Second place: the WLAN AAA configuration. It mentions which servers to use from the place mentioned 1 line here above.

You will see in the "Security" -> RADIUS/TACACS menu that you can select servers for "management users". So you can select one ACS to be used for management user authentication. The other server will be configured in the WLAN itself as the AAA server to contact for that SSID.

Thanks Nicolas. Makes sense.

Looks like the WLC is configured for 1 ACS server and on the switches the IP address of another ACS server is given. So the first ACS server is used for the WLC and the IP address of the ACS server on the switches is used for TACACS.

1. Regarding Local EAP, do you mean to say it doesn't matter if it's not checked either - because we use ACS servers for authentication? It's checked for the local WLAN - maybe I can uncheck it.

2. I saw this setup in another organization but not sure why this could have been implemented - they have used an ACS server for TACACS+ auth for all switches.

The config used was:

aaa new-model
tacacs-server host 172.22.30.64
tacacs-server key cisco
aaa authentication login default group tacacs+ local
aaa accounting exec default start-stop group tacacs+

and it started to work straight away. I don't think there was any config done on the ACS servers - is this possible (I don't think they added the switches as clients on the ACS servers either)? In the above config the key is cisco - whereabouts is this key entered on the ACS servers for the switches to authenticate?

Any thoughts on the above, Nicolas?

Thanks

1. Disable Local EAP since you're not using it.

2. Impossible. The ACS has to be configured to accept the switch as an AAA client and must have the "cisco" key entered as well.

Only possibility is that they configured an IP range (covering all switches) on ACS with the key cisco. You can then use any switch in the IP range without further config on ACS.
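Why the ACS must hold the very same key as the switch's `tacacs-server key` line is visible in the protocol itself: TACACS+ obfuscates every packet body with an MD5 pad derived from the shared key, so a server with no matching AAA-client (or IP-range) entry recovers only garbage. The Python below is an added model of that pad (RFC 8907 section 4.5), not code from this thread or from Cisco; the key "cisco" comes from the posted config, while the session ID, username and port in the sample body are constructed.

```python
import hashlib
import struct

# Constructed sample authentication START body (RFC 8907 layout):
# action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN,
# user_len=8, port_len=4, rem_addr_len=0, data_len=0, then "netadmin", "tty0".
SAMPLE_BODY = bytes([0x01, 0x01, 0x01, 0x01, 8, 4, 0, 0]) + b"netadmin" + b"tty0"


def tacacs_pad(session_id: int, key: str, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-random pad from RFC 8907 section 4.5: a chain of MD5 digests over
    session_id (4 bytes, network order), the shared key, version and seq_no,
    with each further round also fed the previous digest. Truncated to length."""
    prefix = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: str, version: int = 0xC0, seq_no: int = 1) -> bytes:
    """XOR the packet body with the key-derived pad. XOR is its own inverse,
    so the identical call on the receiving side recovers the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def server_recovers_body(switch_key: str, acs_key: str, session_id: int = 0x1A2B3C4D) -> bool:
    """Model the switch sending SAMPLE_BODY with its configured key and the ACS
    de-obfuscating with whatever key its AAA-client entry holds (constructed
    session ID). True only when both sides share the same key."""
    on_the_wire = obfuscate(SAMPLE_BODY, session_id, switch_key)
    return obfuscate(on_the_wire, session_id, acs_key) == SAMPLE_BODY


if __name__ == "__main__":
    print("matching keys               :", server_recovers_body("cisco", "cisco"))  # True
    print("key missing/mismatched on ACS:", server_recovers_body("cisco", "C1sco"))  # False
```

Note that this pad is obfuscation, not authenticated encryption: anyone holding the shared key can read and forge bodies, which is why a per-device secret (rather than one key across an IP range) and a protected management path matter.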

Thanks again Nicolas.

Regarding the TACACS+ for all switches, I am sure I didn't see any on the ACS server. So not sure how they have done it. Maybe I didn't check properly!!

If I were to enter a range on the ACS, how do I do it? Is it just that I enter 172.22.20.1 - 172.22.20.254 in the IP address detail section?

Thanks for all your help mate. Your explanation gave me a better understanding.

It depends on the version.

ACS 4.x actually has a tab on the right giving you help on all the fields so you can hardly do it wrong ... ACS 5 has a "range" feature that you cannot miss either.

From memory it's 172.22.20.1-254

Thanks mate.

Just one more thing as well, Nicolas. I went to uncheck Local EAP Authentication (under WLAN - Security - AAA Servers) and found that we have a profile (Cisco-PEAP) defined which is also disabled when I uncheck Local EAP Authentication. Looks like the Cisco-PEAP profile is defined under Security - Local EAP Profiles. 3 boxes are checked: 1. PEAP 2. Check against CA certificate 3. Check validity of certificate.

Will this be a problem if I uncheck Local EAP Authentication, as it disables the above profile?

If there's a profile configured, that means maybe you are using Local EAP to authenticate one SSID?

Not sure why you ask me since you're the one supposed to know what is configured in your network :-)

Hi,

Yes, there is a profile created for 1 SSID. This is for the local WLAN and was used for the remote WLAN until someone just removed it for the remote WLAN. So right now the profile just exists for the local WLAN. I have removed this just for testing purposes and it still seems to work. Don't know why?

I have just joined this organization a couple of weeks ago and am trying to figure out why it's using this.

Another problem is that if I set up the client on the laptop (Windows wireless client) manually to WPA2 with PEAP encryption, then it automatically changes to WEP - don't know why.

Sorry again.