
WLC - Mode APs Local or Bridge

JRGC
Level 1
 
I implemented a wireless solution with 2504 WLC and APs 2602e
 

Some of the APs are in Local mode and others in Bridge mode. What is the best advice?
 
14 Replies

Sandeep Choudhary
VIP Alumni

Hi,

In local mode, the LAP maintains a CAPWAP tunnel to its associated controller. All client traffic is centrally switched by the controller. If a LAP operating in local mode loses its connection to the WLC, the LAP will stop forwarding and begin looking for the controller. Until the LAP (operating in local mode) joins another WLC it will not forward any user traffic.

Bridge: It allows you to bridge the WLAN and the wired infrastructure together.

 

Regards

Don't forget to rate helpful posts

Hey Sandeep,

Could you please provide more details on these modes?

Or any document, if you could share?

Thanks.

There is a lot of information about the various modes out there. Here are some links:

local vs flexconnect

https://supportforums.cisco.com/discussion/11950811/difference-between-local-mode-and-flexconnect-central-switching

FlexConnect

https://supportforums.cisco.com/document/98646/wireless-lan-flexconnect-configuration-example

Bridge mode is for mesh

http://www.cisco.com/c/en/us/td/docs/wireless/technology/mesh/8-0/design/guide/mesh80/mesh80_chapter_0101.html

Hope this clears some things up

-Scott

*** Please rate helpful posts ***

Hey Scott,

Thanks man. By default the APs would be working on Local Mode, correct me if I'm wrong?

I would be having the following scenario.

Internet-->Firewall-->L3 SW-->WLC --> 4 APs (1 in each room)

2 SSIDs (Employee, Guest)

Employee WLAN --> VLAN 10

Guest WLAN --> VLAN 20

My questions here:

1. Switchports where APs are connected, should I keep them as 'access ports' or 'trunk'?

2. WLC to switchport would be trunk, right?

3. I would like Employees to use their AD credentials to connect to Employee WLAN. I was thinking to use LDAP. Am I right here?

4. For Guest, would WebAuth be the only option or we have other ways too?

Thanks.

Local mode is the default, and if the WLC and APs are in the same location, then keep the APs in local mode.

1. Switchports where APs are connected, should I keep them as 'access ports' or 'trunk'?

> They are access ports since wireless user traffic is tunneled back to the controller.

2. WLC to switchport would be trunk, right?

> That is correct. Allow the VLANs defined on the controller, VLAN 10 and VLAN 20, along with the VLAN the WLC is on.

3. I would like Employees to use their AD credentials to connect to Employee WLAN. I was thinking to use LDAP. Am I right here?

> You can use LDAP, but I prefer using an NPS RADIUS server if you're a Microsoft shop.

4. For Guest, would WebAuth be the only option or we have other ways too?

> If you're talking about a portal page, there is WebAuth, Passthrough where the user just hits accept and email, but email can be a bogus email and really never use that.

-Scott


1. Switchports where APs are connected, should I keep them as 'access ports' or 'trunk'?

> They are access ports since wireless user traffic is tunneled back to the controller.

It means I could use an L2 switch and connect all APs to that L2 switch. Then a port from L2 to L3 access port in native VLAN (let's say VLAN 1). Does it make sense?

APs can be connected to a layer 2 switch. You need to have a layer 3 device to route, which I'm assuming you have. Even the WLC can be connected to a layer 2 switch as long as you can set up the port as a trunk.

AP-Access Port

WLC-Trunk

-Scott


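An added example, not part of the thread: a small Python check that audits a switch configuration against the port layout described in the replies above (AP ports as access ports, the WLC port as a trunk carrying only VLAN 10, VLAN 20 and the WLC's own VLAN). The interface names, the `AP-`/`WLC-` port descriptions and management VLAN 30 are assumptions made for the constructed sample.

```python
import re

# Constructed sample: interface names, AP-/WLC- descriptions, mgmt VLAN 30 are assumptions.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description AP-Room1
 switchport mode access
interface GigabitEthernet1/0/2
 description AP-Room2
 switchport mode trunk
interface GigabitEthernet1/0/23
 description WLC-spare
 switchport mode trunk
interface GigabitEthernet1/0/24
 description WLC-2504
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
"""

def expand_vlans(spec):
    """Turn an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def audit(config, wlc_vlans):
    """Return (interface, finding) pairs for ports that break the AP/WLC rule."""
    findings = []
    for block in re.findall(r"(?ms)^interface .*?(?=^interface |\Z)", config):
        name = block.split()[1]
        desc = re.search(r"(?m)^ description (\S+)", block)
        role = desc[1].split("-")[0] if desc else ""
        mode = re.search(r"(?m)^ switchport mode (\S+)", block)
        mode = mode[1] if mode else "unset"
        allowed = re.search(r"(?m)^ switchport trunk allowed vlan ([\d,-]+)", block)
        if role == "AP" and mode != "access":
            findings.append((name, f"AP port is {mode}, expected access"))
        elif role == "WLC" and mode != "trunk":
            findings.append((name, f"WLC port is {mode}, expected trunk"))
        elif role == "WLC" and not allowed:
            findings.append((name, "trunk has no allowed-VLAN list, carries all VLANs"))
        elif role == "WLC" and expand_vlans(allowed[1]) != wlc_vlans:
            findings.append((name, f"allowed VLANs differ from {sorted(wlc_vlans)}"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_CONFIG, {10, 20, 30}), sep="\n")
```
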
Thanks Scott, that cleared a lot of doubts I had in the first place.

Also, if possible, could you share some documents where I could have a step-by-step procedure to integrate NPS Server with WLC?

What I would want, is to authenticate users based on their credentials in the Active Directory.

Here is a good link, but you can search "WLC NPS radius" and you will find more references.

http://wifinigel.blogspot.com/2014/03/the-microsoft-network-policy-server-nps.html?m=1

Hope this helps answer your question

-Scott


Yeah, I am already looking at one doc regarding WLC with NPS.

Thanks a lot Scott, it really helped.

Just reference a few because there is a lot of info out there. RADIUS makes it more customized than LDAP.

-Scott


Hey Scott,

Is it a good idea to keep WLC and APs in the same VLAN?

What would be the best practice?

If you have less than 50, I would say it's fine. I have had customers want to keep both on the same VLAN and had a lot more APs. The reason I do this is when I stage the APs. Placing them in the same VLAN just helps with them joining the WLC. Once the APs join, you can move them to another VLAN because they now know of that controller. Again, I have had clients that separate the controller and APs. Hope that helps.

-Scott


Thanks Scott, let me put all the pieces together.

Internet>>Firewall>>L3 SW>>WLC (Trunk Port) and give WLC an IP Address from VLAN10 pool, let's say 192.168.10.1

As the switchport is Trunk, whatever IP I'd give to WLC Management port, the WLC would go into that particular VLAN, right? (In this case VLAN 10)

L3 SW>>APs (All ports configured as access ports for VLAN 10) if we want WLC and APs to be in the same VLAN.

Is my understanding right here?
