
4402 and H-Reap

Unanswered Question
Oct 6th, 2010

Suppose I have a 4402 installed on a campus and have an internal WLAN and a guest WLAN.  Now I want to install some access points at a branch office.  Now I have been told that H-Reap is the way to go.  But I want to keep the same SSID and Security across both sites.  Do I enable H-Reap on my original WLAN configuration but only apply H-Reap to the access points at the branch office?

I'm also trying to slip this in on a running network but am nervous that all the APs will reboot.  I guess I'm just unclear since I can't find a configuration example where both local and remote locations are involved.

Any insights?

Overall Rating: 5 (4 ratings)
Leo Laohoo Wed, 10/06/2010 - 15:07

But I want to keep the same SSID and Security across both sites.  Do I enable H-Reap on my original WLAN configuration but only apply H-Reap to the access points at the branch office?

Just make sure all the APs are in the same AP Groups.

Rule Of Thumb:  Before deploying the APs to the site (regardless if it's remote or local and model), it's wise to "prime" them.

jgadbois Fri, 10/08/2010 - 07:05

I still don't get it. Can I use the same WLAN for both the local and remote sites even though I want local switching for the remote site?

MARK BAKER Tue, 10/12/2010 - 10:46


I am currently trying to set up the same scenario. I too wanted to use the same SSID and security policy at remote and corporate locations where remote traffic is switched locally and corporate traffic is switched centrally by the WLC. This is how I have it set up with the current autonomous APs.

What I found is that on the WLC, you can't have multiple WLANs sharing the same SSID and layer 2 security policy. I had to configure both the corporate and remote APs to use H-REAP for the staff network to make it work. I am still centrally switching the guest WLAN at corporate on the same APs that locally switch the staff WLAN.

One thing to keep in mind is that you have to configure the WLAN to support H-REAP. You then have to configure the AP in H-REAP mode. You can then map the SSID to the correct VLAN on an AP-by-AP basis. You need to first specify your AP's native VLAN and then you can map the SSIDs to other VLANs. Putting your AP in H-REAP mode does not keep you from centrally switching other SSIDs on the same AP. You can use both at the same time.

Hope this helps,


jgadbois Tue, 10/12/2010 - 12:01

Great reply and thanks so much, Mark.  I've just begun to set it up and have done nearly exactly what you suggested.  I'm having some trouble with the Guest WLAN doing WebAuth but am checking.

I would like to see if there is a place where I could check to see just what state the WLAN is in (central auth, central switching, etc.).

Thanks again for your clarity.

MARK BAKER Tue, 10/12/2010 - 12:53


Under wireless click on the AP and then on the H-REAP tab and then on the VLAN MAPPING button. It will show you which SSIDs are locally switched and which are centrally switched.

I will be setting up the web auth for guest access soon as well. It is using PSK right now. I migrated it over to the WLC as it was operating as an autonomous AP.


MARK BAKER Wed, 10/20/2010 - 11:05

Just realized something about an earlier post. I stated that you have to enable HREAP support on the WLAN and then you actually enable it on the AP. If I don't enable H-REAP on my corporate APs, then they will centrally switch while my remote APs are locally switching with the same WLAN (SSID).

WLAN: staff

Advanced tab:

     H-REAP Local Switching (Enabled)
     Learn Client IP Address (Enabled)

General tab:

     Interface (interface on WLC to map centrally switched traffic) - Does not apply for APs in H-REAP mode.

AP: Corporate APs

General tab:

     AP Mode (Local)

AP: Remote APs

General tab:

     AP Mode (H-REAP)

H-REAP tab:

     VLAN Support (unchecked) - can be configured with VLANs too.

If VLAN Support is enabled you would want to make the AP to controller interface the native VLAN and then click on the VLAN Mapping button to configure your wireless client data traffic VLAN (it defaults to the Native VLAN when you enable VLAN Support).


This allows for H-REAP (Local Switching) at the remote and Central switching at corporate using the same SSID and security settings.

Hope this helps,


jgadbois Wed, 10/20/2010 - 11:50

You bet, it makes perfect sense now!  Thanks for your insight!

richdepas Mon, 11/15/2010 - 10:10

Mark - Seems like you have a pretty good handle on this operation. I am trying to do the same thing. I do have different VLANs set up for each of my WLANs though. I think that is where my problem lies. I have set up a test environment. I have a 1142N connected to an ASA 5505 simulating the remote location. That is connected via VPN back to an 1841 at the corporate office with a 4402 controller at the head. I believe the H-REAP portion is all configured correctly... My issue comes in that I do not get a local IP address unless the 'remote site' is disconnected and the AP is running in the standalone mode of H-REAP. When it is connected, it will pull an IP from the corporate office and assign those to the wireless clients.

Any help you can give here would be appreciated. We have 5 WLAN SSIDs and 5 VLANs and want them distributed to all our sites for ease of roaming and standardized configuration.

jgadbois Mon, 11/15/2010 - 11:57


Sorry to butt in....It went well for me when I finally realized what Mark was telling me.  I used the local switch at my remote location to provide DHCP for the vlan of my guest network and let my server at that location provide DHCP for the local vlan.  I re-licensed my ASA with security plus which gave me the ability to do more than one internal interface on the firewall and took the guest vlan straight to the ASA (in that way avoiding them touching the internal network in any way).  I figured it was a small price to pay for some added security.

I set the vlans up like Mark indicated.  I kept vlan 1 at the remote location and created a vlan 21 for the guest network.  The switch is provided for vlan 21 and the server stayed on vlan1.

Hope some of this rambling helps.

Jim Gadbois

richdepas Mon, 11/15/2010 - 12:03

Seems like no matter what I try - I pull IP addresses from corporate. I have setup different VLANs, put in IP helper addresses, and use DHCP Server Override on the controller for that WLAN. Still no joy. I am using DHCP on the ASA. Keeping it super simple and just have the AP tied directly to the ASA for the lab environment. Just need to make sure it works before I send them out.

jgadbois Mon, 11/15/2010 - 12:14


So you enabled H-REAP on the AP, waited for it to reboot and then configured the locally switched VLANs?


richdepas Mon, 11/15/2010 - 12:20

Yes, I did. If the AP is disconnected from the controller, I get an IP address local on that segment (handed out from the ASA to the client). If connected - it is handed out from the DHCP server at corporate and therefore an entirely different range.

jgadbois Mon, 11/15/2010 - 12:30

Sounds like the corporate side VLAN info is being carried across the VPN.  Have you tried totally different VLAN numbers for the remote side...just to see?  I assume the corporate subnet is different than the remote subnet.

richdepas Mon, 11/15/2010 - 12:35

Yes - I created a VLAN73 which was separate from everything else...and still not the expected result. It is very strange. Glad I am doing this local before deployment.

MARK BAKER Tue, 11/16/2010 - 06:04


I checked my config and don't have DHCP server override configured on the Advanced tab of the WLAN. I do have H-REAP Local Switching and Learn Client IP Address checked on the same tab.

On the AP configuration under the H-REAP tab, I selected VLAN support and used the VLAN that the remote AP's IP address is configured for as the Native VLAN. I then mapped the SSID to the remote VLAN under VLAN Mappings as.

Native VLAN 10



The ASA would need to be set up to trunk vlans 10, 73, and 74 on an 802.1q trunk with vlan 10 as the native vlan.

I believe you already have these settings, but wanted to let you know what worked for me.

NOTE: I did have an issue recently with a centrally switched WLAN. I was getting IP addresses from the subnet that the AP interface was configured on. I'm not sure if the DHCP traffic was being switched locally at the AP or if it was getting it through the WLC. Under WLAN, I had the correct interface chosen. Reboots didn't fix the issue. I had to select a different interface click apply and then click the correct interface again and click apply to get it working correctly again. This is not the same issue you are seeing, but does show that the WLC can be particular at times.

Let me know if there are any other parts of the config you would like me to compare to my setup. If you attach screen shots of the WLAN and the AP pages, it might help as well.



richdepas Tue, 11/16/2010 - 07:38

Thanks Mark - that was a huge help. Looks like the missing piece for me was the native and trunk vlan settings on the ASA. Once I put those in, the client machine was able to receive a local IP address.

In further testing, I disconnected the link to the controller and traffic kept flowing. I then tried to disconnect and reconnect the client - that too was fine. My issue came in if I reset the AP when the link to the controller was down. H-REAP should make it act stand alone but my clients are connecting, but not receiving any IP address. That one has me stumped. Feel like I am about 90% there though thanks to your help.


EDIT: Very strange...if I connect to another wireless network and then jump back, it works fine and I can pass traffic after the AP reboots in standalone mode because the link is down. Just turning off the wireless connection and back on was not enough to jump start it. Wish it would just pick up and go but it must be a registration process between AP and client.

MARK BAKER Thu, 12/23/2010 - 11:33


I was going back over this post and noticed that you had relicensed your ASAs to be able to have more than one inside interface. I wanted to let you know that there is a way to have two inside interfaces and one outside interface on the ASA5505 without a security plus license. I assume this works with other ASA models that are default limited DMZ support. It allows you to set up one additional interface, but you have to configure it where it can only forward to one of the other two interfaces. This actually works out great since you don't want your guest and inside VLANS to talk anyway. If the requirement comes down for our remote networks to have guest wireless, this is how I will be setting it up.

In the example below, inside and guest networks can communicate to the outside, but cannot communicate between each other.

License info: VLANs       : 3, DMZ Restricted

interface Vlan1
 nameif inside
 security-level 100
 ip address
interface Vlan2
 nameif outside
 security-level 0
 ip address
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address

Hope this helps,
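
An added example, not part of Mark's post or any Cisco tooling: a Python check that a saved ASA 5505 configuration keeps the guest VLAN from initiating traffic to the inside VLAN, based on the `no forward interface` and `security-level` lines in the config above. The sample config is constructed and the function names are assumptions.

```python
import re

# Constructed sample shaped like the config in the post above (ip address lines omitted).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
interface Vlan2
 nameif outside
 security-level 0
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
"""

def parse_vlan_interfaces(config):
    """Map each 'interface VlanN' stanza to its nameif, level and no-forward set."""
    vlans, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.lower().startswith("interface ") or line == "!":
            m = re.fullmatch(r"interface (vlan\d+)", line, re.I)
            cur = vlans.setdefault(m.group(1).capitalize(),
                    {"nameif": None, "level": None, "no_forward": set()}) if m else None
        elif cur is not None:
            if m := re.fullmatch(r"nameif (\S+)", line):
                cur["nameif"] = m.group(1)
            elif m := re.fullmatch(r"security-level (\d+)", line):
                cur["level"] = int(m.group(1))
            elif m := re.fullmatch(r"no forward interface (vlan\d+)", line, re.I):
                cur["no_forward"].add(m.group(1).capitalize())
    return vlans

def guest_isolation_findings(config, guest="guest", protected="inside"):
    """Return reasons the guest VLAN could initiate traffic to the protected one."""
    vlans = parse_vlan_interfaces(config)
    by_name = {v["nameif"]: (vid, v) for vid, v in vlans.items() if v["nameif"]}
    missing = [f"no VLAN interface named {n}" for n in (guest, protected) if n not in by_name]
    if missing:
        return missing
    (gid, g), (pid, p) = by_name[guest], by_name[protected]
    findings = []
    if pid not in g["no_forward"]:
        findings.append(f"{gid} ({guest}) has no 'no forward interface {pid}'")
    if g["level"] is None or p["level"] is None or g["level"] >= p["level"]:
        findings.append(f"{guest} security-level {g['level']} is not below {protected} {p['level']}")
    return findings

if __name__ == "__main__":
    print(guest_isolation_findings(SAMPLE_CONFIG) or "guest cannot initiate to inside")
```

An empty list means both conditions hold; run it against the interface section of a saved configuration before a remote-site ASA ships.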


jgadbois Thu, 12/23/2010 - 12:39

Wow, that's great to know!  I'm going to remember that jewel.  I wasn't crazy about the license upgrade but thought I had to do it. Thanks, Mark.


