Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Help with H-REAP


I am testing out a setup for one of our remote offices where we are considering an H-REAP setup.  At our central office we already have a 5500 controller and a number of local AP's that are all up and running.  I followed the config guide and got the remote AP all running in H-REAP mode (its a single AP so I haven't bothered with an H-REAP group).  All works ok whilst I have communication between the controller and the AP (Connected mode).  I can see my exisitng centrally managed WLANs and I can access and I configured a locally managed WLAN that I can also see & access.

The issue is when I simulate loss of the WAN (access list denying AP to Controller comms) to put the AP in standalone mode I don't seem to be able to get onto the locally managed WLAN any more, the laptop wont' pick up an IP address from my local DHCP server.  The local WLAN is set up with WPA2 + PSK auth.

Can any one help..

Just some general questions :-

1). I have built a specific interface under the controller menu on the WLC for the local WLAN defining the local VLAN, ip address space and DNS.  Is that normal the guide seems to leave this as the management interface.   I tried with both but still no joy.

2). How long should  the AP take when it moves between connected and standalone mode ?   I noticed that sometimes I have to reset the AP LAN port to get it back to centrally managed once I restablish the WAN link back to the WLC.

Many Thanks


Everyone's tags (1)

Re: Help with H-REAP

What do you exactly block with your test access list ? which ports ?

Can you clarify your question 1 ? Having H-REAP APs normally means you don't need a dynamic interface on the WLC (unless local mode APs use the same SSID). This is why in examples, the SSID is left on management interface : because hreap APs will anyway user their own vlan.



Don't forget to rate answers that you find useful

New Member

Re: Help with H-REAP

Thanks for your reply.

The access list blocks anything from the AP ip address to/from the controller IP address. 

access-list 199 deny   ip host host
access-list 199 deny   ip host host
access-list 199 permit ip any any

For Question 1). what I noticed when I took the access list out and re-established comms between the AP and the WLC was that when I looked at the AP HREAP VLAN config the local SSID VLAN was defaulting back to the VLAN of the management interface and not the local VLAN that I had configured it with.  So I started to play with having a local interface with the local VLAN assigned.  I was playing with this as I was having the issues connecting locally.

Re: Help with H-REAP

Your acces list only blocks traffic with one controller ip address ... which one ?

Let me remind you that the AP discovers WLC with the management ip but talks to the ap manager.

So let's say you are blocking ap manager, AP think WLC is down but when it sends discoveries, the WLC is still replying so that's an awkward state ... Try blocking to both management and ap manager ip address to have a more realistic acl.


New Member

Re: Help with H-REAP


Thanks again good suggestion but I have a 5500 controller and it just has the management address without an AP manager.  The management address has the option to enable dynamic AP management so I'm told there is no need for a AP manager interface on this device (and I know it all works ok except for this HREAP).  On my older controllers (2106) I do have both an AP manager and a management interface in the same subnet.



Re: Help with H-REAP

My bad. This is indeed the case for 5508 controllers. Then I said nothing ...

Strange, it would need some troubleshooting "debug capwap" + sniffer traces. A TAC case may come in handy :-)

New Member

Re: Help with H-REAP

RK -

You say that your clients can't get a DHCP address when you break connectivity with the controller?  Is your H-REAP AP plugged into a trunk port?  If the DHCP server is not on the same subnet as the AP, do you have an ip helper-address for the local VLAN to forward that request?