Design Help.... WLCs / HREAP?

Unanswered Question
Jan 14th, 2009

Here is my scenario...

We have two offices and they each have a WLC 2112 and 1130ag APs.

SITE A (Main Office):

1 - WLC 2112

4 - 1130ag APs

IP: 192.168.0.x/24 (VLAN1)

IP: 192.168.100.x/24 (VLAN10)

VLAN10 is set up for the Guest wireless network using Web Auth and ACLs etc...

SITE B (Branch Office):

1 - WLC 2112

2 - 1130ag APs

IP: 192.168.1.x/24 (VLAN1)

SITE A connected to SITE B via Private T1

Each site also has their own internet...

Okay, so what I want to do is basically set up each controller to back the other one up in case of a failure at either end.

I tested HREAP and it worked great except SITE B clients receive an IP address that is on SITE A's network. They could surf the internet but it was going through SITE A's internet etc...

I can't have that and the clients need to use the internet based out of their location and be assigned an IP from their local network.

Is there a way to do this?

Each site obviously had the same SSID which is fine or they can be different. It doesn't matter... I just want to make sure if one of the WLCs goes off the air, the other one picks up the APs and the clients do not notice a difference nor do they receive an IP from the site that would be remote to them.

Also I do not want each site to see the other's SSID if using different SSIDs. I only want the SSID to be seen by clients at their respective site. They can use the same SSID and in fact I would like to do that, but not sure if that would work in this scenario.

If this is unclear, please let me know. I am trying to describe this as best as possible...



jeff.kish Thu, 01/15/2009 - 13:21

You can use the same SSID at each location by using AP groups to map a different VLAN to the same SSID at each location. The downside to this is that any non-HREAPs that move to the new controller will send their clients out the other Internet connection, but that should be fine since it'll be a rare situation.

As it stands, it sounds like the clients at both locations are on the same subnet/VLAN. If that's the case, they'll each have the same default gateway and they'll route that way to the Internet.

Are your locations connected via L2 or L3? Do the same VLANs exist at both locations? Are your clients at both facilities all on the same subnet?

edvalasek Fri, 01/16/2009 - 05:20

They are connected via Layer 2 right now... SITE A is L3 but Site B is L2. SITE B is not setup as a VLAN of SITE A.

That is a good suggestion on the AP groups... I will look into that.

Sounds like I need to create SITE B as another VLAN of SITE A. Is that correct?

I saw that in the H-REAP Doc from Cisco, but not sure if this is exactly what I am trying to accomplish given they have their own internet and such and it is not necessarily a high speed WAN link either.

Thanks for the info!


jeff.kish Fri, 01/16/2009 - 07:34

I'm unfortunately a bit confused, haha. You have a L2 link between the two sites, but you're restricting your VLANs, is that correct? So the local VLANs don't exist at the other site, though you could extend them to make it that way?

edvalasek Fri, 01/16/2009 - 08:49

Okay, sorry.. Ha Ha! I am trying to figure out how to explain without a white board! Ha Ha...

Basically Site A has its native VLAN ID as the standard 1 and so does Site B, but they each have different IP schemes. I have L3 routing set up on their "core" switch in Site A but do not have Site B set up as a VLAN extension of the main network in Site A. I just have a routing statement in the core that sends requests to that network through the P2P router to their network.

Does that help?



jeff.kish Fri, 01/16/2009 - 09:14

I think so. So your T1 link is a routed link, in that it has an IP address on both ends. Is that correct?

So people at Site B are going out Site A's Internet and not their own, right? What is the default gateway for clients at Site B? What is that device, where is it at, and what is its own default gateway?

And just to clarify, the access points themselves are on the correct controllers, right?

edvalasek Fri, 01/16/2009 - 11:01

Yes the Private T1 is a routed link... This is the setup below:

Site A (Main Office):

IP Scheme 192.168.0.x/24


Gateway: (3750 Switch L3 with routing statements for path to internet and Site B network)

Internet Gateway: (Checkpoint FW)

Private T-1 Router to Remote site:

Site B (Remote Office):

IP Scheme: 192.168.1.x/24


Default Gateway: (Cisco PIX) -> Internet

Private T1 Router to Main Office:

When in H-REAP Mode the wireless clients at Site B were receiving DHCP addresses from Site A so yes they were using Site A's internet as well but that is not what we wanted. We wanted the wireless client to use the same SSID as defined in the primary controller located at Site A but receive an IP from the local DHCP server (the pix) and use the local internet connection.

I went ahead for now and set up each site independently of each other for now so everyone goes out their own gateways and Internet connections. They also have different SSIDs as well now. So yes, now the APs at each site talk to their own controllers and are set up independently of one another but there is no redundancy which is what I am trying to accomplish in case one controller goes offline.

Does that help? :)

Thanks again for your help... I appreciate you sticking with my situation...


jeff.kish Fri, 01/16/2009 - 12:32

Hey Ed,

Yeah, that helps a lot. And no problem, I'm stumbling my way through, haha.

A couple things to check, forgive me if they're basic:

1. Make sure that the DHCP server listed in the controller VLAN interface is correct at each location.

2. Make sure that the access points all have the correct primary and secondary controller. Make sure that you're listing controller names and not IP addresses.

3. Make sure that the access points are on the correct controller when you try the redundant setup again.

The only thing that I can think happened was that your APs were on the wrong controller. This would result in the APs broadcasting the correct SSID, but clients would be placed on the wrong VLAN. Since AP traffic is tunneled to the controller, your clients would have been passed through the layer 3 link and have a point of presence on the other side.

To troubleshoot, I would recommend first disabling HREAP and seeing whether you can make it work with it. When you do re-enable it, ensure that local switching is turned on, otherwise your traffic has the potential of getting tunneled despite being in HREAP mode.

I hope this helps resolve the issue :) Please let me know if there's any more pertinent info that you can share.



Scott Fella Fri, 01/16/2009 - 18:23

This is what you need to do. First of all, make sure the wlan ssid is set to local switching and that you use the same vlan on both sites. On the ap, I figured you already changed the ap from local to h-reap.... if not, then that is what you have to do. Then after the ap reboots and is back up, click on the ap and you will have a tab named h-reap. Click that and check the native vlan. Now the ap will be trunked so you need to make sure the ip of the ap is on a separate vlan than the ssid's. The vlan the ap belongs to would be configured as native vlan on the trunk. On the h-reap ap, set the vlan that will be the native vlan. Exit out of that screen and go back to the h-reap tab. Now you will see the wlans that you specified as local switching with a box in which you can specify the local vlan in which the user will get an ip address locally and will reside on. You will also see wlans that will not have the entry box, since you don't have local switching enabled. This means the traffic will tunnel back to the wlc it's joined with. This is why you fail one wlc and the ap goes to the other site... failover works, but users are getting address from the new site, which means you are not locally switched.


Site A

Management/AP Manager vlan 100 (native) 192.168.100.x

H-REAP AP vlan 100 (native) 192.168.100.x

* AP can be on a different vlan if you want

Internal Users vlan 110 192.168.110.x

Guest Users vlan 120 192.168.120.x

Site B

Management/AP Manager vlan 100 (native) 192.168.200.x

H-REAP AP vlan 100 (native) 192.168.200.x

* AP can be on a different vlan if you want

Internal Users vlan 110 192.168.210.x

Guest Users vlan 120 192.168.220.x
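
Added example, not part of the original thread: the switch-side trunk for an H-REAP AP port at Site B, following the VLAN plan in the post above (AP on native VLAN 100, WLANs locally switched onto VLANs 110 and 120). The interface name, description and VLAN names are assumptions; the commands are standard Cisco IOS.

```cisco
! Constructed example for the Site B access switch.
! Interface name and VLAN names are assumed, VLAN IDs come from the plan above.
vlan 100
 name WLAN-MGMT-AP
vlan 110
 name INTERNAL-USERS
vlan 120
 name GUEST-USERS
!
interface FastEthernet0/1
 description H-REAP AP (assumed port)
! Required on switches that also support ISL (for example a 3750);
! omit on platforms where dot1q is the only encapsulation.
 switchport trunk encapsulation dot1q
 switchport mode trunk
! The AP's own IP and its traffic to the controller ride untagged
! on VLAN 100 (192.168.200.x at Site B).
 switchport trunk native vlan 100
! Carry only the AP VLAN and the two locally switched WLAN VLANs,
! so the guest VLAN is not exposed on ports that do not need it.
 switchport trunk allowed vlan 100,110,120
 spanning-tree portfast trunk
```

Because both sites use the same VLAN IDs with different subnets, the same WLAN-to-VLAN mapping on the AP puts clients on the local subnet at either site, whichever controller the AP is joined to.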

edvalasek Fri, 01/16/2009 - 19:29


Okay, great information! It is making sense now.... I appreciate your explanation and example. I will give it a shot and see what happens.... Given I have never had this kind of scenario before, this is a new setup situation for me but sounds like I can do it.

Thanks again!


Scott Fella Fri, 01/16/2009 - 20:02

It's a bit confusing until you get it to work. You were just missing the part where you specify the local vlan information. Let me know if you get it working or not.

edvalasek Wed, 01/21/2009 - 09:44


Thanks for the follow-up.... Sorry I haven't been able to try this out yet. I lost the guy I had out at the remote site to help me test this configuration out. Ugh!

We are working on a time to try this out in the near future, but still no solid date. I do look forward to trying this out though....

Thanks again!


