H-Reap, Guest-Access and CAPWAP

Answered Question
Apr 30th, 2012

If I use access-points in H-Reap mode, is guest-traffic still encapsulated in CAPWAP?

I think so, but I'm not really sure.

Sven

Scott Fella Mon, 04/30/2012 - 03:53

Only if centrally switched. Locally switched, there is no need for CAPWAP, since it exits the AP port and is placed on the network locally.


sniff Mon, 04/30/2012 - 04:25

I hope I don't misunderstand something.

Centrally switched is not H-Reap

Locally switched is H-Reap.

Right?

But if I need guest-access with access-points in H-Reap mode and the guest-traffic leaves on local AP ports, how is guest-traffic transport to a foreign-controller possible?

Sven

Amjad Abdullah Mon, 04/30/2012 - 05:32

Hi Sven,

If you are using HREAPs then you can choose WLANs to be either locally switched or centrally switched with the WLC.

If a WLAN is centrally switched, then all traffic should be sent to the WLC and hence is encapsulated in CAPWAP the whole way between AP and WLC.

If a WLAN is locally switched however, then the traffic of the clients will be managed locally and traffic of the clients will be sent directly to the network without going through any tunnel to the WLC.

Local or central switching can be configured on a per-WLAN basis from the advanced tab of the WLAN configuration under the "HREAP" field.

By default the central switching is active. You can choose to use local switching per WLAN from the advanced tab of the WLAN as I said above.

You may find more information about the matter here:

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml

Hope this is helpful.

Amjad

wesleyterry Mon, 04/30/2012 - 05:37

One more thing to note if you are trying to use Web Auth from the WLC while the wlan is configured for Local Switching (egressing off the AP switchport):

When a client is in WEBAUTH_REQD (pending to authenticate) all traffic (except ARP/DNS/DHCP) is sent to the WLC in CAPWAP just like if the WLAN was central switching. Basically webauthentication is still done at the WLC and the WLC needs to see the HTTP packets in order to redirect the client, so this is why your guest traffic will still tunnel in CAPWAP to the WLC until they pass webauthentication...

If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN...

sniff Mon, 04/30/2012 - 05:58

"If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN..."

So is the final question:

H-Reap local switching and anchoring guest-traffic to a DMZ together is not possible!?!

Correct Answer
wesleyterry Mon, 04/30/2012 - 07:40

Those are two mutually exclusive topics...

If you ANCHOR to the DMZ, all client traffic egresses from the Anchor WLC in the DMZ.

If you Locally Switch traffic off HREAP, all client traffic will egress the AP itself into whatever VLAN exists at the AP.....

You can't put your client traffic off the AP and in the DMZ at the same time... (unless you trunk the DMZ L2 vlan into your AP, but that still isn't anchoring).

So what are you trying to do?

If you want your guests from your HREAP AP to egress into the DMZ from a WLC in the DMZ, then you just make your guest WLAN not use HREAP Local Switching. Your traffic will flow from the client to the AP to the foreign WLC to the anchor WLC, just like any other central switching traffic...

If you want your guests from your HREAP AP to egress off the AP itself, then you would enable HREAP Local Switching and webauth would still happen at the WLC but client traffic would egress off the AP into whatever VLAN you specified (will not be "anchored").
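
The traffic paths described in this thread, modeled as a small audit of guest WLAN settings. This is an added example, not part of any post and not Cisco code; the `Wlan` class, the function names and the sample WLANs are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

# Per the thread: in WEBAUTH_REQD everything except these goes to the WLC.
PRE_AUTH_EXEMPT = {"arp", "dns", "dhcp"}

@dataclass
class Wlan:  # hypothetical model for illustration, not a WLC data structure
    name: str
    local_switching: bool              # the "HREAP Local Switching" option
    webauth: bool = False
    anchor: Optional[str] = None       # DMZ anchor WLC, if configured

def egress(wlan: Wlan, authenticated: bool, traffic: str = "http"):
    """Return (where the packet leaves the wireless system, tunneled in CAPWAP?)."""
    if wlan.local_switching and wlan.anchor:
        # The thread calls these mutually exclusive; refuse rather than guess.
        raise ValueError(f"{wlan.name}: local switching and anchoring both set")
    if not wlan.local_switching:
        # Central switching: client -> AP -> (foreign) WLC -> anchor WLC if any.
        return ("anchor WLC" if wlan.anchor else "WLC", True)
    if wlan.webauth and not authenticated and traffic not in PRE_AUTH_EXEMPT:
        # WEBAUTH_REQD: the WLC must see the HTTP packets to redirect the client.
        return ("WLC", True)
    return ("AP VLAN", False)

def audit_guest(wlans):
    """List guest WLANs whose authenticated traffic does not end up at an anchor."""
    findings = []
    for w in wlans:
        try:
            where, _ = egress(w, authenticated=True)
        except ValueError as err:
            findings.append(str(err))
            continue
        if where != "anchor WLC":
            findings.append(f"{w.name}: guest traffic egresses at {where}")
    return findings

# Constructed sample WLANs; names and the anchor address are made up.
SAMPLE = [
    Wlan("guest-anchored", local_switching=False, webauth=True, anchor="192.0.2.10"),
    Wlan("guest-local", local_switching=True, webauth=True),
    Wlan("guest-conflict", local_switching=True, webauth=True, anchor="192.0.2.10"),
]

if __name__ == "__main__":
    for line in audit_guest(SAMPLE):
        print(line)
```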

sniff Mon, 04/30/2012 - 08:31

Thanks to all your answers.

I understand how H-Reap and guest-net work together, now.

Regards

Sven

Posted April 30, 2012 at 3:25 AM
Tags: h-reap, capwap