Cisco Support Community
New Member

H-Reap, Guest-Access and CAPWAP

If I use access-points in H-Reap mode, is guest-traffic still encapsulated in CAPWAP?

I think so, but I'm not really sure.

Sven

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

H-Reap, Guest-Access and CAPWAP

Those are two mutually exclusive topics...

If you ANCHOR to the DMZ, all client traffic egresses from the Anchor WLC in the DMZ.

If you Locally Switch traffic off HREAP, all client traffic will egress the AP itself into whatever VLAN exists at the AP.....

You can't put your client traffic off the AP and in the DMZ at the same time... (unless you trunk the DMZ L2 vlan into your AP, but that still isn't anchoring).

So what are you trying to do?

If you want your guests from your HREAP AP to egress into the DMZ from a WLC in the DMZ, then you just make your guest WLAN not use HREAP Local Switching. Your traffic will flow from the client to the AP to the foreign WLC to the anchor WLC, just like any other central switching traffic...

If you want your guests from your HREAP AP to egress off the AP itself, then you would enable HREAP Local Switching and webauth would still happen at the WLC, but client traffic would egress off the AP into whatever VLAN you specified (will not be "anchored").

8 REPLIES
Hall of Fame Super Silver

Re: H-Reap, Guest-Access and CAPWAP

Only if centrally switched. Locally switched, there is no need for CAPWAP, since it exits the AP port and is placed on the network locally.


-Scott
New Member

H-Reap, Guest-Access and CAPWAP

I hope I don't misunderstand something.

Centrally switched is not H-Reap.

Locally switched is H-Reap.

Right?

But if I need guest-access with access-points in H-Reap mode and the guest-traffic leaves on local AP ports, how is guest-traffic transport to a foreign-controller possible?

Sven

H-Reap, Guest-Access and CAPWAP

Hi Sven,

If you are using HREAP's then you can choose WLANs to be either locally switched or centrally switched with the WLC.

If a WLAN is centrally switched, then all traffic should be sent to the WLC and hence is encapsulated in CAPWAP the whole way between AP and WLC.

If a WLAN is locally switched, however, then the traffic of the clients will be managed locally and will be sent directly to the network without going through any tunnel to the WLC.

Local or central switching can be configured on a per-WLAN basis from the advanced tab of the WLAN configuration under the "HREAP" field.

By default the central switching is active. You can choose to use local switching per WLAN from the advanced tab of the WLAN as I said above.

You may find more information about the matter here:

http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml

Hope this is helpful.

Amjad

Bronze

H-Reap, Guest-Access and CAPWAP

One more thing to note if you are trying to use Web Auth from the WLC while the wlan is configured for Local Switching (egressing off the AP switchport):

When a client is in WEBAUTH_REQD (pending authentication), all traffic (except ARP/DNS/DHCP) is sent to the WLC in CAPWAP, just as if the WLAN were central switching. Basically, web authentication is still done at the WLC, and the WLC needs to see the HTTP packets in order to redirect the client, so this is why your guest traffic will still tunnel in CAPWAP to the WLC until they pass web authentication...

If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN...
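The data-path rules described in the replies above can be written down as a small model for reviewing guest WLAN designs. This is an added example, not part of any post and not Cisco code; the WLAN names, the VLAN label and the `RUN` state used for an authenticated client are assumptions made for illustration.

```python
from dataclasses import dataclass

# Per the thread: while a client is in WEBAUTH_REQD on a locally switched
# WLAN, everything except these protocols is still tunneled to the WLC.
PRE_AUTH_LOCAL = {"arp", "dns", "dhcp"}

@dataclass
class Wlan:
    name: str
    local_switching: bool   # "HREAP Local Switching" option on the WLAN
    anchored: bool = False  # guest anchor WLC in the DMZ
    ap_vlan: str = ""       # VLAN at the AP switchport (constructed label)

def data_path(wlan, client_state, protocol):
    """Return (egress point, carried in CAPWAP?) for one client flow."""
    if wlan.local_switching and wlan.anchored:
        raise ValueError(
            f"{wlan.name}: local switching and anchoring are mutually exclusive")
    if not wlan.local_switching:
        # Central switching: client -> AP -> WLC (-> anchor WLC if anchored).
        return ("anchor WLC (DMZ)" if wlan.anchored else "WLC"), True
    if client_state == "WEBAUTH_REQD" and protocol not in PRE_AUTH_LOCAL:
        # The WLC must see the HTTP packets to redirect the client.
        return "WLC", True
    # Authenticated client, or ARP/DNS/DHCP before authentication.
    return f"AP VLAN {wlan.ap_vlan}", False

def guests_bypassing_dmz(wlans):
    """Names of WLANs whose authenticated traffic leaves at the AP."""
    return [w.name for w in wlans if not data_path(w, "RUN", "http")[1]]

# Constructed sample WLANs for illustration.
SAMPLE = [
    Wlan("guest-anchored", local_switching=False, anchored=True),
    Wlan("guest-branch", local_switching=True, ap_vlan="guest-local"),
]

if __name__ == "__main__":
    for w in SAMPLE:
        for state, proto in [("WEBAUTH_REQD", "http"),
                             ("WEBAUTH_REQD", "dns"),
                             ("RUN", "http")]:
            print(w.name, state, proto, data_path(w, state, proto))
    print("egress at the AP after web auth:", guests_bypassing_dmz(SAMPLE))
```

Any WLAN returned by `guests_bypassing_dmz` needs its guest isolation enforced on the VLAN at the AP switchport, since that traffic never reaches the DMZ.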

H-Reap, Guest-Access and CAPWAP

Thanks Wesley for the valuable information.

New Member

H-Reap, Guest-Access and CAPWAP

"If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN..."

So is the final question:

H-Reap local switching and anchoring guest-traffic to a DMZ together is not possible!?!

New Member

H-Reap, Guest-Access and CAPWAP

Thanks for all your answers.

I understand how H-Reap and guest-net work together now.

Regards

Sven
