Suppose I have a 4402 installed on a campus and have an internal WLAN and a guest WLAN. Now I want to install some access points at a branch office. Now I have been told that H-REAP is the way to go. But I want to keep the same SSID and security across both sites. Do I enable H-REAP on my original WLAN configuration but only apply H-REAP to the access points at the branch office?
I'm also trying to slip this in on a running network but am nervous that all the APs will reboot. I guess I'm just unclear since I can't find a configuration example where both local and remote locations are involved.
But I want to keep the same SSID and security across both sites. Do I enable H-REAP on my original WLAN configuration but only apply H-REAP to the access points at the branch office?
Just make sure all the APs are in the same AP Groups.
Rule of thumb: before deploying the APs to the site (regardless of whether it's remote or local, and regardless of model), it's wise to "prime" them.
I am currently trying to set up the same scenario. I too wanted to use the same SSID and security policy at remote and corporate locations, where remote traffic is switched locally and corporate traffic is switched centrally by the WLC. This is how I have it set up with the current autonomous APs.
What I found is that on the WLC, you can't have multiple WLANs sharing the same SSID and layer 2 security policy. I had to configure both the corporate and remote APs to use H-REAP for the staff network to make it work. I am still centrally switching the guest WLAN at corporate on the same APs that locally switch the staff WLAN.
One thing to keep in mind is that you have to configure the WLAN to support H-REAP. You then have to configure the AP in H-REAP mode. You can then map the SSID to the correct VLAN on an AP-by-AP basis. You need to first specify your AP's native VLAN and then you can map the SSIDs to other VLANs. Putting your AP in H-REAP mode does not keep you from centrally switching other SSIDs on the same AP. You can use both at the same time.
Hope this helps,
Great reply and thanks so much, Mark. I've just begun to set it up and have done nearly exactly what you suggested. I'm having some trouble with the Guest WLAN doing WebAuth but am checking. I would like to see if there is a place where I could check to see just what state the WLAN is in (central auth, central switching, etc.). Thanks again for your clarity.
Under Wireless, click on the AP, then on the H-REAP tab, and then on the VLAN Mappings button. It will show you which SSIDs are locally switched and which are centrally switched.
I will be setting up the web auth for guest access soon as well. It is using PSK right now. I migrated it over to the WLC as it was operating as an autonomous AP.
Just realized something about an earlier post. I stated that you have to enable H-REAP support on the WLAN and then you actually enable it on the AP. If I don't enable H-REAP on my corporate APs, then they will centrally switch while my remote APs are locally switching with the same WLAN (SSID).
H-REAP Local Switching (Enabled)
Learn Client IP Address (Enabled)
Interface (interface on WLC to map centrally switched traffic) - Does not apply for APs in H-REAP mode.
AP: Corporate APs
AP Mode (Local)
AP: Remote APs
AP Mode (H-REAP)
VLAN Support (unchecked) - can be configured with VLANs too.
If VLAN Support is enabled, you would want to make the AP-to-controller interface the native VLAN and then click on the VLAN Mappings button to configure your wireless client data traffic VLAN (it defaults to the native VLAN when you enable VLAN Support).
This allows for H-REAP (local switching) at the remote site and central switching at corporate using the same SSID and security settings.
Hope this helps,
Mark - Seems like you have a pretty good handle on this operation. I am trying to do the same thing. I do have different VLANs set up for each of my WLANs though. I think that is where my problem lies. I have set up a test environment. I have a 1142N connected to an ASA 5505 simulating the remote location. That is connected via VPN back to an 1841 at the corporate office with a 4402 controller at the head. I believe the H-REAP portion is all configured correctly... My issue comes in that I do not get a local IP address unless the 'remote site' is disconnected and the AP is running in the standalone mode of H-REAP. When it is connected, it will pull an IP from the corporate office and assign those to the wireless clients.
Any help you can give here would be appreciated. We have 5 WLAN SSIDs and 5 VLANs and want them distributed to all our sites for ease of roaming and standardized configuration.
Sorry to butt in.... It went well for me when I finally realized what Mark was telling me. I used the local switch at my remote location to provide DHCP for the VLAN of my guest network and let my server at that location provide DHCP for the local VLAN. I re-licensed my ASA with Security Plus, which gave me the ability to do more than one internal interface on the firewall, and took the guest VLAN straight to the ASA (in that way avoiding them touching the internal network in any way). I figured it was a small price to pay for some added security.
I set the VLANs up like Mark indicated. I kept VLAN 1 at the remote location and created a VLAN 21 for the guest network. The switch is provided for VLAN 21 and the server stayed on VLAN 1.
Hope some of this rambling helps.
Seems like no matter what I try, I pull IP addresses from corporate. I have set up different VLANs, put in IP helper addresses, and used DHCP Server Override on the controller for that WLAN. Still no joy. I am using DHCP on the ASA. Keeping it super simple and just have the AP tied directly to the ASA for the lab environment. Just need to make sure it works before I send them out.
Yes, I did. If the AP is disconnected from the controller, I get an IP address local to that segment (handed out from the ASA to the client). If connected, it is handed out from the DHCP server at corporate and is therefore in an entirely different range.
Sounds like the corporate-side VLAN info is being carried across the VPN. Have you tried totally different VLAN numbers for the remote side... just to see? I assume the corporate subnet is different than the remote subnet.
Yes - I created a VLAN 73 which was separate from everything else... and still not the expected result. It is very strange. Glad I am doing this locally before deployment.
I checked my config and don't have DHCP server override configured on the Advanced tab of the WLAN. I do have H-REAP Local Switching and Learn Client IP Address checked on the same tab.
On the AP configuration under the H-REAP tab, I selected VLAN Support and used the VLAN that the remote AP's IP address is configured for as the Native VLAN. I then mapped the SSIDs to the remote VLANs under VLAN Mappings as follows:
Native VLAN 10
SSID: WLAN1 VLAN: 73
SSID: WLAN2 VLAN: 74
The ASA would need to be set up to trunk VLANs 10, 73, and 74 on an 802.1Q trunk with VLAN 10 as the native VLAN.
I believe you already have these settings, but wanted to let you know what worked for me.
NOTE: I did have an issue recently with a centrally switched WLAN. I was getting IP addresses from the subnet that the AP interface was configured on. I'm not sure if the DHCP traffic was being switched locally at the AP or if it was getting it through the WLC. Under WLAN, I had the correct interface chosen. Reboots didn't fix the issue. I had to select a different interface, click Apply, and then click the correct interface again and click Apply to get it working correctly again. This is not the same issue you are seeing, but it does show that the WLC can be particular at times.
Let me know if there are any other parts of the config you would like me to compare to my setup. If you attach screen shots of the WLAN and the AP pages, it might help as well.
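The same WLAN, AP and ASA settings Mark lists above, expressed as CLI rather than GUI clicks. This is an added example, not configuration posted by anyone in the thread. It assumes WLAN IDs 1 and 2 for the two SSIDs, a branch AP named Remote-AP1, ASA port Ethernet0/1 as the trunk to the AP, and constructed subnets 192.168.10.0/24, 192.168.73.0/24 and 192.168.74.0/24; the corporate APs are left in the default local mode and need no command.

```cisco
! ===== WLC 4402 CLI (4.x-7.0 "h-reap" syntax; later code calls this flexconnect) =====
! WLAN side: allow H-REAP local switching. The WLAN must be disabled to change it,
! so clients on that SSID drop for a moment on every AP.
config wlan disable 1
config wlan h-reap local-switching 1 enable
config wlan enable 1
config wlan disable 2
config wlan h-reap local-switching 2 enable
config wlan enable 2

! AP side: ONLY the branch AP changes mode. Changing the mode reboots that one AP;
! corporate APs in local mode are untouched and keep central switching.
config ap mode h-reap Remote-AP1
! Native VLAN = the VLAN the AP's own IP lives in (10), then per-SSID mappings.
config ap h-reap vlan enable Remote-AP1
config ap h-reap vlan native 10 Remote-AP1
config ap h-reap vlan wlan 1 73 Remote-AP1
config ap h-reap vlan wlan 2 74 Remote-AP1

! Verify: "H-REAP Vlan mode", "Native Vlan" and the WLAN-to-VLAN table show
! which SSIDs this AP switches locally; "show wlan 1" confirms local switching
! is allowed on the WLAN itself.
show ap config general Remote-AP1
show wlan 1
show wlan 2

! ===== ASA 5505 side: 802.1Q trunk to the AP, VLAN 10 untagged (native) =====
interface Ethernet0/1
 switchport trunk allowed vlan 10,73,74
 switchport trunk native vlan 10
 switchport mode trunk
 no shutdown
!
! AP management VLAN (untagged on the trunk). Assumed addressing.
interface Vlan10
 nameif ap-mgmt
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Client VLANs. Locally switched clients get DHCP from the ASA, so the lease
! comes from these subnets instead of from corporate.
interface Vlan73
 nameif wlan1
 security-level 50
 ip address 192.168.73.1 255.255.255.0
!
interface Vlan74
 nameif wlan2
 security-level 50
 ip address 192.168.74.1 255.255.255.0
!
dhcpd address 192.168.73.10-192.168.73.100 wlan1
dhcpd enable wlan1
dhcpd address 192.168.74.10-192.168.74.100 wlan2
dhcpd enable wlan2
```

Two things to check before copying this: the WLC side disables and re-enables each WLAN, so do it in a maintenance window even though only Remote-AP1 reboots; and on a 5505, trunk ports and the number of named VLAN interfaces depend on the license (compare `show version`), which is why the Security Plus discussion comes up later in this thread.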
Thanks Mark - that was a huge help. Looks like the missing piece for me was the native and trunk vlan settings on the ASA. Once I put those in, the client machine was able to receive a local IP address.
In further testing, I disconnected the link to the controller and traffic kept flowing. I then tried to disconnect and reconnect the client - that too was fine. My issue came in if I reset the AP when the link to the controller was down. H-REAP should make it act standalone, and my clients are connecting, but not receiving any IP address. That one has me stumped. Feel like I am about 90% there though thanks to your help.
EDIT: Very strange... if I connect to another wireless network and then jump back, it works fine and I can pass traffic after the AP reboots in standalone mode because the link is down. Just turning off the wireless connection and back on was not enough to jump-start it. Wish it would just pick up and go, but it must be a registration process between AP and client.
I was going back over this post and noticed that you had relicensed your ASAs to be able to have more than one inside interface. I wanted to let you know that there is a way to have two inside interfaces and one outside interface on the ASA 5505 without a Security Plus license. I assume this works with other ASA models that are limited by default to restricted DMZ support. It allows you to set up one additional interface, but you have to configure it so that it can only forward to one of the other two interfaces. This actually works out great since you don't want your guest and inside VLANs to talk anyway. If the requirement comes down for our remote networks to have guest wireless, this is how I will be setting it up.
In the example below, inside and guest networks can communicate to the outside, but cannot communicate between each other.
License info: VLANs : 3, DMZ Restricted
ip address 192.168.100.1 255.255.255.0
ip address 172.16.100.1 255.255.255.0
no forward interface Vlan1
ip address 192.168.200.1 255.255.255.0
Hope this helps,
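The restricted-DMZ setup above, written out in full. This is an added example and not the fragment Mark posted, though it reuses his three addresses. It assumes the 5505 defaults of Vlan1 = inside and Vlan2 = outside, puts the guest network on Vlan3, and assumes Ethernet0/2 is the switchport the guest AP plugs into (all constructed). The point is that on the Base license the third VLAN is only allowed to forward to one other interface, and `no forward interface` has to be entered on that VLAN before `nameif`, otherwise the ASA rejects the nameif.

```cisco
! Confirm the license you are working with first; the Base 5505 shows
! "VLANs : 3, DMZ Restricted" as in Mark's post.
show version | include VLANs

! Inside network (Vlan1 is the default inside VLAN on a 5505).
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! Outside / VPN-facing VLAN.
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.200.1 255.255.255.0
!
! Guest VLAN: restricted DMZ. "no forward interface Vlan1" blocks guest-to-inside
! at the interface level and must precede "nameif"; guest can still reach outside.
interface Vlan3
 no forward interface Vlan1
 nameif guest
 security-level 50
 ip address 172.16.100.1 255.255.255.0
!
! Switchports: Ethernet0/0 is the outside port by default; assign the guest AP port.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
interface Ethernet0/2
 switchport access vlan 3
 no shutdown
!
! Hand out guest leases from the ASA so guests never touch the inside DHCP server.
dhcpd address 172.16.100.10-172.16.100.100 guest
dhcpd enable guest
!
! Verify the restriction took effect and the interface is up.
show interface vlan3
show nameif
```

Guest hosts still need NAT and an access policy toward the outside, and the syntax for that differs between pre-8.3 and 8.3+ ASA code, so it is left out here. Note that the restriction is one-directional in configuration but effectively isolates both sides: with no route through Vlan1, inside hosts cannot initiate to guest either unless you add a forwarding path, which is exactly the separation the thread wants.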
Wow, that's great to know! I'm going to remember that jewel. I wasn't crazy about the license upgrade but thought I had to do it. Thanks, Mark.