H-Reap, Guest-Access and CAPWAP

sniff
Level 1

If I use access-points in H-Reap mode, is guest-traffic still encapsulated in CAPWAP?

I think so, but I'm not really sure.

Sven

Scott Fella
Hall of Fame

Only if centrally switched. Locally switched, there is no need for CAPWAP, since it exits the AP port and is placed on the network locally.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

I hope I don't misunderstand something.

Centrally switched is not H-Reap

Locally switched is H-Reap.

Right?

But, if I need guest-access with access-points in H-Reap mode and the guest-traffic leaves on local AP ports, how is a guest-traffic transport to a foreign-controller possible?

Sven

Hi Sven,

If you are using HREAP's then you can choose WLANs to be either locally switched or centrally switched with the WLC.

If a WLAN is centrally switched, then all traffic should be sent to the WLC and hence is encapsulated in CAPWAP the whole way between AP and WLC.

If a WLAN is locally switched, however, then the traffic of the clients will be managed locally and sent directly to the network without going through any tunnel to the WLC.

Local or central switching can be configured on a per-WLAN basis from the advanced tab of the WLAN configuration under the "HREAP" field.

By default the central switching is active. You can choose to use local switching per WLAN from the advanced tab of the WLAN as I said above.

You may find more information about the matter here:

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml

Hope this is helpful.

Amjad

Rating useful replies is more useful than saying "Thank you"

One more thing to note if you are trying to use Web Auth from the WLC while the wlan is configured for Local Switching (egressing off the AP switchport):

When a client is in WEBAUTH_REQD (pending to authenticate) all traffic (except ARP/DNS/DHCP) is sent to the WLC in CAPWAP just like if the WLAN was central switching. Basically web authentication is still done at the WLC and the WLC needs to see the HTTP packets in order to redirect the client, so this is why your guest traffic will still tunnel in CAPWAP to the WLC until they pass web authentication.....

If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN...

Thanks Wesley for the valuable information.

Rating useful replies is more useful than saying "Thank you"

"If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN..."

So is the final question:

H-Reap local switching and anchoring guest-traffic to a DMZ together is not possible!?!

Those are two mutually exclusive topics...

If you ANCHOR to the DMZ, all client traffic egress from the Anchor WLC in the DMZ.

If you Locally Switch traffic off HREAP, all client traffic will egress the AP itself into whatever VLAN exists at the AP.....

You can't put your client traffic off the AP and in the DMZ at the same time... (unless you trunk the DMZ L2 vlan into your AP, but that still isn't anchoring).

So what are you trying to do?

If you want your guests from your HREAP AP to egress into the DMZ from a WLC in the DMZ, then you just make your guest WLAN not but HREAP Local Switching. Your traffic will flow from the client to the ap to the foreign wlc to the anchor wlc, just like any other central switching traffic...

If you want your guests from your HREAP AP to egress off the AP itself, then you would enable HREAP Local Switching and webauth would still happen at the WLC but client traffic would egress off the AP into whatever vlan you specified (will not be "anchored")
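
The forwarding rules stated across the replies above, collected into one small model as an added example (not part of any post and not Cisco code). The `Wlan` class, the `egress` function, the anchor name and the VLAN number are hypothetical; any client state other than `WEBAUTH_REQD` is assumed to mean the client has passed web auth.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Protocols the thread lists as exempt from tunnelling while web auth is pending.
PRE_AUTH_EXEMPT = {"arp", "dns", "dhcp"}


@dataclass(frozen=True)
class Wlan:
    name: str
    local_switching: bool              # the "HREAP Local Switching" option
    anchor_wlc: Optional[str] = None   # anchor WLC in the DMZ (hypothetical name)
    ap_vlan: Optional[int] = None      # VLAN at the AP for locally switched traffic

    def __post_init__(self):
        # Anchoring and local switching are mutually exclusive: locally
        # switched guest traffic never reaches the DMZ anchor.
        if self.local_switching and self.anchor_wlc:
            raise ValueError(f"{self.name}: local switching cannot be anchored")


def egress(wlan: Wlan, client_state: str, proto: str) -> Tuple[bool, str]:
    """Return (tunnelled_in_capwap, egress_point) for one client packet.

    Assumption: any client_state other than WEBAUTH_REQD means web auth passed.
    """
    if not wlan.local_switching:
        # Central switching: client -> AP -> foreign WLC -> anchor WLC (if set).
        point = f"anchor WLC {wlan.anchor_wlc}" if wlan.anchor_wlc else "WLC"
        return True, point
    if client_state == "WEBAUTH_REQD" and proto.lower() not in PRE_AUTH_EXEMPT:
        # The WLC must see the HTTP packets in order to redirect the client.
        return True, "WLC"
    # Locally switched: traffic leaves the AP port into the local VLAN.
    return False, f"AP VLAN {wlan.ap_vlan}"
```

For guest isolation, the case to review is the last return: after web auth, locally switched guest traffic sits in whatever VLAN exists at the AP, so that VLAN needs its own filtering.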

Thanks for all your answers.

I understand how H-Reap and guest-net works together, now.

Regards

Sven
