I have multiple remote office locations and I have implemented HREAP using central authentication and local switching. The offices have three VLANs: switch/router management, wireless management and the office VLAN. The access points are 3502I. The code is 18.104.22.168.
The access point IP addresses come from a DHCP scope on the local router. This is a specific range, i.e. 10.20.x.x. This space is only permitted to communicate with the central office controllers and is denied any other traffic. The AP network is locked down with both an inbound and an outbound set of ACLs on the office router.
The AP port on the switch is set up as a trunk and management is the native VLAN.
Our IT Security group came to me with a concern. They were seeing Apple traffic over the 10.20.x.x network and a lot of ICMP traffic from the internet.
Question is: how is the user traffic that is set up to be switched locally getting on the AP management network, and not staying on the user VLAN?
Where is your internet link servicing these branch users? Do they have their own internet connection at each branch, or are they coming to your central office to access the internet?
Unless you have any other centrally switched WLAN, all traffic except CAPWAP management traffic (src or dst the AP management IP) should terminate on your branch local switch and then go via the normal IP routing path to your central office.
Best if you could take a packet capture on your branch WAN link and confirm 100% whether you see user traffic coming from the 10.20.x.x network.
I am not 100% sure whether all packets will be locally switched, or the first packet will be centrally switched and the rest locally switched. Your packet capture would prove this.
**** Pls rate all useful responses *****
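The check the reply recommends, written out as an added example (not code from either poster): take a flow summary from the branch WAN capture and sort every flow that touches the AP subnet into CAPWAP-to-controller (expected) versus anything else (exactly what the router ACLs are supposed to drop). The AP subnet 10.20.0.0/16, the controller addresses 10.1.1.10/11, the flow line format and all sample flows are assumptions constructed for the example; CAPWAP itself runs over UDP 5246 (control) and 5247 (data), and 17.0.0.0/8 is Apple's address block. Note that a centrally switched WLAN would show up here only as UDP 5247 from the AP to the controller, so plain Apple TCP or inbound ICMP with a 10.20.x.x endpoint is not CAPWAP and lands in the "unexpected" bucket.

```python
"""Classify WAN-link flows against the HREAP AP management subnet.

Added example for the thread above. Every address, port and flow below is a
constructed assumption, not data from the original post.
"""
import ipaddress
from collections import defaultdict

# Assumed AP management scope (thread says 10.20.x.x) and assumed WLC addresses.
AP_MGMT_NET = ipaddress.ip_network("10.20.0.0/16")
CONTROLLERS = {ipaddress.ip_address(a) for a in ("10.1.1.10", "10.1.1.11")}
# CAPWAP control and data ports (real protocol values).
CAPWAP_PORTS = {5246, 5247}

# Constructed flow summary: "src dst proto sport dport", one flow per line,
# in the shape you would get from summarising a WAN-link capture.
SAMPLE_FLOWS = """\
10.20.5.11 10.1.1.10 udp 5246 5246
10.1.1.10 10.20.5.11 udp 5246 5246
10.20.5.11 10.1.1.10 udp 5247 5247
10.20.5.11 17.253.144.10 tcp 52114 443
203.0.113.7 10.20.5.11 icmp - -
10.30.5.20 17.253.144.10 tcp 50001 443
10.20.5.11 8.8.8.8 udp 40123 53
"""


def parse_flow(line):
    """Split one summary line into typed fields; '-' means no port (e.g. ICMP)."""
    src, dst, proto, sport, dport = line.split()
    port = lambda p: None if p == "-" else int(p)
    return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
            proto.lower(), port(sport), port(dport))


def classify(line):
    """Return 'capwap', 'unexpected' or 'other' for a single flow.

    'capwap'     : AP subnet <-> a controller on UDP 5246/5247 (the only thing
                   the AP ACLs are meant to allow).
    'unexpected' : AP subnet involved but not CAPWAP to a controller; this is
                   the Apple/ICMP traffic the security team asked about.
    'other'      : no AP subnet endpoint, e.g. locally switched office VLAN
                   users routing out normally.
    """
    src, dst, proto, sport, dport = parse_flow(line)
    src_ap, dst_ap = src in AP_MGMT_NET, dst in AP_MGMT_NET
    if not (src_ap or dst_ap):
        return "other"
    peer = dst if src_ap else src
    if (proto == "udp" and peer in CONTROLLERS
            and (sport in CAPWAP_PORTS or dport in CAPWAP_PORTS)):
        return "capwap"
    return "unexpected"


def audit(text):
    """Bucket every non-empty flow line by classification."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            buckets[classify(line)].append(line)
    return dict(buckets)


if __name__ == "__main__":
    for bucket, flows in audit(SAMPLE_FLOWS).items():
        print(f"{bucket}: {len(flows)} flow(s)")
        for flow in flows:
            print("   ", flow)
```

Run it against a real summary (for instance the output of a capture filtered to `net 10.20.0.0/16`) and the "unexpected" bucket is the list to hand back to the security group: if it is empty on the WAN link but they still see it, the traffic is not leaving the branch on that path and the trunk/native-VLAN setup on the AP port is the next thing to look at.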