cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1029
Views
0
Helpful
22
Replies

Wireless Deployment

aadeoye
Level 1
Level 1

Hello everyone,

I need some help here. I am currently working on a project with Centralized WLC deployement at a Co-Location Centre.

My WiSMs are located in my co-location switches. The Co-location network is different from the corporate network (MAN/WAN) and traffic between the two is routed (Layer 3)via MPLS connections.

The Access Points will be deployed in the corporate network. With DHCP option 43 and Layer 3 LWAPP, I don't think communication between the WiSMs and APs will be a problem. However, I am a little concerned about the user VLAN. How will I perform the dynamic interface/VLAN mapping configuration on the WiSMs since it is not on the same Layer 2 infrastructure as the APs? The WiSMs and APs do not share any VLAN information.

Thanks in anticpation,

Ade

22 Replies 22

SHANNON WYATT
Level 1
Level 1

You are correct that the VLANs for clients are not going to be local to the clients. You can still make this work by using AP Groups and assigning access points in certain locations to certain AP groups. Another option if HREAP.

Thanks a lot.

I have heard of those mechanisms but I am not too sure how they will work.

Can you just briefly explain this solution?

Best regards,

Ade

AP Group VLANs are a way of defining VLANS that are used by specific access point. I recently used this with a customer where we put all of the access points connected to a specific IDF to it's own VLAN. This way we had for networks in the particular building versus one. Of course the VLANs existing in the core, so all trafic comes back out of the core and on to the network.

Hybrid REAP (Remote Edge Access Point) is a way that you can have a few access points at a remote location that bridge some of the traffic locally. This is intended as a remote location solution to eliminate the need for a controller in a small remote office.

Thanks so much. I think Hybrid REAP may be the option for me. Our centralized deployment is pretty much WAN based. The controllers, WCS, ACS etc are at the co-location datacenter (a separate network) while all the APs are at the separate offices each with their own networks.

Will I need multiple subnets (i.e. WLANs/SSIDs) or can I still have the same WLAN span the APs? Since the APs are remote, does it matter what interface (AP Manager or Management) is used for the controller IP address?

You can have the same SSID across all of the access points. You can also do AP Groups so that the access points in one location would have a subnet for the clients that is different then another. You are limited on the number of HREAP clients per remote. I want to say that it is three APs. It has been a while since I had an HREAP setup, so I don't remember off the top of my head.

Is the data that the users are accessing in the co-lo? If that is the case you could just leave them as is (no HREAP).

The address that is advertised to the access point is the management IP address, but they need to be able to talk to both management and AP Manager, so watch your ACLs. My understanding is that the access point communitcates to the Management inface to detirmine the AP Manager IP address.

Thanks so much for your help on this. I truly appreciate it.

I do believe the bulk of the network resources are located in the co-lo and the corporate locations contain the user subnets and a few network resources. I will confirm in a separate post. As I understand it, H-REAP appears to be some sort of business continuity feature available in the Cisco Wireless infrastructure (more like SRST for IP Telephony).

The reason I asked about the Management IP is that the documentation appears rather conflicting and I wanted to ensure I was using the right IP address in DHCP option 43 (Management or AP Manager) as I was having some issues with the APs registering. The LWAPP JOIN process does not work.

Well, HReap is more useful when you have resources that are local to that subnet, or potentially a guest SSID that would go out an internet connection that is local to the facility. You are limited to the authentication methods as EAP would have to go through the controller.

You definately need the DHCP option. DNS works well too. You can hard code the access point's with the IP, but that is a pain.

I will get the DHCP option working. I guess that HREAP may not be the way to go then.

In that case, here's my question:

Based on the way I understand it, the WiSM will map the SSID/WLAN to a VLAN. I guess this assumes that the WiSM is within the same Layer 2 domain as the users. In my deployment, this is not the case.

How will this mapping work? Is there a means to use a dummy VLAN at the co-lo?

SSIDs map to interfaces, either physical (management interface) or virtual (just a VLAN).

The client VLANs need to be local to the WiSM. They would have to be real VLANs, with routing, ACLs, etc. The client traffic is encapsulated at the Access Point and dumped out of the interfaces on the WiSM. So if the client is directly printing to a printer plugged into the same switch as the access point the traffic will go to the WiSM and then back to the printer. If most of the resources are local to the WiSM (at or near the core or distribution) this is not an issue. But if the majority of the stuff is at the edge (File/Print/Internet) this can create a lot of traffic. If the resources are at the edge (close to the client) you should look at 2106's or the Network module options and then manage them with a central WCS.

If this traffic is mostly destined to the core you can further break out the clients based on additional VLANs by using AP groups. With AP Groups you create additional VLANs and then you associate the access points with the AP groups for a particular VLAN. This way you can create a client VLAN that is specific to an office or area, versus having everyone lumped into one VLAN. Be default the access point would just use the default settings for the SSID, but you can apply AP groups as necessary for issolation. This is also usefull if you have additional tools to track things on the network. You would be easily able to tell the remote location with the issue based on the subnet, versus having to track down the individual clients.

If you would like you can e-mail me directly on this. My e-mail is my login.

My client wants everything to be centrally managed - no controllers at the corporate sites. Like you suggested, a typical deployment like this should use multiple controllers at the remote sites but they want to leverage their co-lo investment and IT resources by centralizing everything.

From the Cisco documentation, we could use an unlimited number of HREAP-enabled APs. Unfortunately, I am not experienced with this type of deployment so I am not sure how the WLAN to VLAN mapping will work.

I do not mind the APs locally switching traffic in a local VLAN while getting information via LWAPP from the controllers. Is this possible ?

I found this note somewhere:

""HREAP supports visibility into VLAN tagging, providing enterprises with the flexibility to determine which SSIDs will have data bridged locally and which will have data tunneled

back to a controller."

Thanks and best regards,

Ade

HREAP is limited in the authentication methods. Unless they have changed it, the only authentication option on an HREAP SSID is WPA-PSK and WEP (or open). Again, I could be wrong on that one, you should probably look at the docs to check that. You are also limited to something like 3 access points per location.

If the resources are centrally located than this is not an issue. You mentioned the customer would like central management. Placing a controller at the edge would still allow central management. Again, if the servers and what not are at the co-lo then this wouldn't be an issue. The exception would be for stuff like printing.

I understand what you mean but they do not want to invest in controllers at the remote sites.

I will check the docs again to see if I am missing something.

From what I understand, in 4.2.61 you are able to use 802.1x EAP authentication enabled SSID's on AP's in HREAP. You do, however, need to have a local RADIUS server available (set either as primary or secondary). More information is available on the 4.2 config guide.

http://www.cisco.com/en/US/docs/wireless/controller/4.2/configuration/guide/ccfig42.html

I have implemented 4.2.61 and H-REAP with authentication centrally switched (802.1x) and users locally switched. Works well.

-Scott
*** Please rate helpful posts ***
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: