WLAN design guide for branch office

Answered Question
Jan 23rd, 2012


     Is there any document that explains different designs for branch offices? I have a customer with one headquarters and more than 150 branch offices. Today he has one or more autonomous APs per branch office connected directly to the BO switch. Each BO has its own IP address space. Because all wireless client traffic has to travel to the HQ, he wants a controller-based solution where all traffic is tunneled to the WLC and from there goes through a firewall in order to reach the server farm.

     The problem is I don't see how to manage all the different IPs of each BO in the HQ. When the WLC sends the packet to the core switch, the packet will reach the servers, but when the servers respond to that packet, the reply will go to the branch office directly. It won't be sent to the WLC in order to be delivered back to the branch office.

     I don't know if the most suitable solution is to create one big WLAN with one SSID for all the branch offices.

     Another idea could be to create one SSID per branch office, in order to have different IP addresses for wireless clients, but the customer doesn't want to change the IP addressing. He wants to keep all the branch office IP addresses, no matter whether the client is wired or wireless.

     Another option is to use H-REAP and make all the traffic between BO and HQ go through the firewall.

     Finally, the idea is to find out whether any design document exists that explains the different ways to design a solution for branch offices with centralized controllers, in order to evaluate all of them.



Correct Answer by George Stefanick about 5 years 1 month ago

Here is the official HREAP Design Guide by Cisco


Sounds like LOCAL switching is the way to go. LOCAL switching is much like AUTONOMOUS. It keeps local IPs and keeps traffic local as well.

What security are you using on your wifi clients in the BO ?

Overall Rating: 5 (2 ratings)
Stephen Rodriguez Mon, 01/23/2012 - 18:56

@george, the starting license for the 7500 is 300 AP

Sent from Cisco Technical Support iPhone App

George Stefanick Mon, 01/23/2012 - 19:01

Thanks Steve ... I don't think I will ever get a chance to play with a Flex... And they ONLY do LOCAL, correct?

Stephen Rodriguez Mon, 01/23/2012 - 18:49

If you have low latency from the BO to the Central, then you can leave the AP in local mode.

In local mode the AP will send all the traffic to the WLC and the WLC will be the ingress-egress point for all the client traffic.

With this design the wireless clients will get an IP address from the central site, so the BO IP scheme won't come into play.


Sent from Cisco Technical Support iPhone App

gariup.guido Mon, 01/23/2012 - 19:10

Thanks everybody. I'll check both documents and see if they help me.

I have a problem with latency because some BOs have a satellite connection, and their latency is around 600 ms. What is the maximum number of ms supported for local mode?



George Stefanick Mon, 01/23/2012 - 19:14

My 2 cents...

HREAP - LOCAL SWITCHING ... Keep it simple and you will have little change to what you are doing now. However, if you are doing 802.1X security, that could pose a problem.

marioderosa2008 Wed, 02/29/2012 - 06:25

Hi George,

can you elaborate on the 802.1X authentication problems...?

Sorry to hijack this thread, but I am in the same boat: we have 100 or so DSL branch sites, each wanting wireless, and I need to make sure that all APs are managed and that all wireless clients are properly authenticated and posture checked.

Profiling would be nice too.

I am looking at the ISE. I understand that it works fine on a campus network where all APs tunnel back to a WLC, but what about branch offices that won't have controllers on them?

Any help would be great.


Mario De Rosa

George Stefanick Wed, 02/29/2012 - 09:15

No worries...

If you use 802.1X and your RADIUS lives at the central location, then if the WAN breaks, new clients cannot authenticate.

Make sense?

marioderosa2008 Mon, 03/05/2012 - 02:43

Hi George, thanks, I understand that, but I thought that you could configure some sort of fallback authentication method in the APs or the WLC?

Also, do you know whether wireless clients can be posture checked at a wireless branch without needing a WLC or ISE onsite and without tunneling wireless traffic back to the DC?



Stephen Rodriguez Mon, 01/23/2012 - 19:18

You really want to keep the latency to around 300 ms. So, as George said, HREAP local switching would be the way to go. Then you can just PBR it to force the traffic to go through the firewall.


Sent from Cisco Technical Support iPad App
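As an added illustration of the PBR step suggested in the reply above (this is example configuration written for this page, not posted by anyone in the thread, and not from a Cisco design guide), here is what "PBR it through the firewall" looks like on the HQ WAN aggregation router when branches use H-REAP local switching. It assumes, which the thread does not settle, that wireless clients at each branch sit in their own VLAN/subnet and that those subnets can be summarized as 10.200.0.0/16, that the server farm is 10.0.0.0/16, that the firewall's inside interface is 10.1.1.2 on a segment directly connected to this router, and that branch traffic enters on GigabitEthernet0/1. All of those addresses and interface names are assumptions for the example.

```cisco
! HQ WAN aggregation router - added example, not from the thread.
! Assumed addressing (not stated anywhere in the thread):
!   branch wireless subnets  10.200.0.0/16
!   server farm              10.0.0.0/16
!   firewall inside address  10.1.1.2 (directly connected)
!
! 1. Identify wireless-sourced traffic headed for the server farm.
ip access-list extended WLAN-TO-SERVERFARM
 permit ip 10.200.0.0 0.0.255.255 10.0.0.0 0.0.255.255
!
! 2. Route-map: matching packets get their next hop set to the firewall.
!    set ip next-hop requires the next hop to be directly connected.
!    Packets that match no clause are routed normally.
route-map WLAN-VIA-FW permit 10
 match ip address WLAN-TO-SERVERFARM
 set ip next-hop 10.1.1.2
!
! 3. Apply the policy on the interface where branch traffic enters.
interface GigabitEthernet0/1
 description WAN aggregation - traffic arriving from branch offices
 ip policy route-map WLAN-VIA-FW
!
! 4. Verify (read-only show commands):
!    show route-map WLAN-VIA-FW     - match counters should increment
!    show ip policy                 - lists interfaces with a policy applied
```

Two caveats a practitioner will want. First, this only steers the client-to-server direction; the original question's concern about replies going straight back to the branch still applies, so either place the firewall inline between the core and the server farm, or apply a mirror policy on the server-farm side that matches destination 10.200.0.0/16 and sets the next hop to the firewall's server-side interface. Second, if wired and wireless clients share one subnet at the branch, as the customer in this thread wants, there is no source-address distinction to match on, and the policy above cannot single out wireless traffic; a separate wireless VLAN per branch is what makes this approach work.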

