
New Member

H-REAP local switching

Questions about local switching,

Here is what I would like to do,

I have a new office I will be opening up. It is a remote site, so H-REAP will be used for the APs. I will have 2 connections coming out of the building: 1 will come back to corporate and the other will be an open internet connection for guests. The connection coming back to corporate will supply internet and data center connectivity to all wired and wireless corporate devices. The public connection obviously is only for guests who come to the office. My question is: the public internet will be on, let's say, VLAN 100, and the rest of the PCs will be on VLAN 200. If I turn on local switching, how do I keep the public wireless devices going out the public internet and the corporate devices going out the corporate connection?

19 REPLIES
Hall of Fame Super Silver

H-REAP local switching

If you want Internet at the remote site to go out the Internet connection out there, then you need local switching enabled.  If you want traffic to come back to the WLC, you don't need local switching enabled on the wlan.  Make sense?

-Scott
*** Please rate helpful posts ***
New Member

H-REAP local switching

Never mind, I see you can turn on local switching per WLAN.

Thanks

Bronze

Re: H-REAP local switching

Hi Sean,

Please be aware that for guest access, the WLAN must be centrally switched. You can still enable HREAP on the AP, but for the guest WLAN, do not enable local switching.

Your firewall can be used to separate the guest WLAN subnet from the corporate subnet and direct traffic to the Internet. For best practice, I would advise that you have a separate WLC on the DMZ at the central office, which could also double as the DHCP server. Also, do not use the controller management interface for the guest WLAN. Instead, create a separate dynamic interface. This ensures that the clients do not pick up an IP address from the corporate if there is a controller failure.

Cheers

New Member

H-REAP local switching

That's the point of the separate Comcast connection: it is totally separate from the corporate network and is open to the guests. So no firewall or anything will be used; it will be on a totally separate VLAN.

New Member

H-REAP local switching

The WLC will have its own interface, set to the correct VLAN, and we will be using a separate DHCP for that VLAN, local to the site.

New Member

H-REAP local switching

So there is no way to make guest network local switched too? Let authentication be done at the controller but once the traffic is authenticated, local switch the guest traffic. This would be too bad for customers without enough WAN bandwidth to tunnel all guest traffic to corporate site and then go out to internet.

Hall of Fame Super Silver

Re: H-REAP local switching

You can do local switching for guest, but you would have to create ACLs to prevent guest traffic from accessing the internal network.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
New Member

Re: H-REAP local switching

Would that be FlexConnect ACLs or different?

Right now I created 2 different WLANs using same SSID. If I used WLAN # smaller than 17 then it didn't allow me to create same SSID.

WLAN 17 - SSID: Secure, LocalSwitching, Local Authentication(In case the WAN link is down, AP does Radius auth direct), VLAN MAP: 101

WLAN 18 - SSID: Guest, LocalSwitching, No local Authentication, VLAN MAP: 111

WLAN 17 is working fine; still not sure if I have the guest WLAN working properly. I don't see the guest WLAN in the VLAN Mapping list as an option at all.

Hall of Fame Super Silver

Re: H-REAP local switching

You can do FlexConnect ACLs if you want, but I prefer ACLs on the L3 interface. You need to enable FlexConnect local switching on the guest WLAN SSID to have the option to set the local VLAN to SSID mapping.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***
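The L3-interface ACL approach mentioned in the reply above, as an added example that is not part of the original thread. It assumes the guest VLAN 111 from this thread terminates on an IOS switch or router SVI at the remote site, that corporate networks live in RFC 1918 space, and that guests use public DNS resolvers; the ACL name `GUEST-IN` is hypothetical.

```cisco
! Added example, not from the thread. Assumptions: Vlan111 is the guest
! SVI on the site L3 device, corporate subnets are RFC 1918 addresses,
! and guest clients resolve names through public DNS servers.
ip access-list extended GUEST-IN
 remark Allow DHCP requests in case the SVI serves or relays DHCP
 permit udp any eq bootpc any eq bootps
 remark Block every private range so guests cannot reach corporate hosts
 remark (this also blocks guest access to the SVI address itself)
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 remark Everything else is Internet-bound and is allowed
 permit ip any any
!
interface Vlan111
 description Guest WLAN, locally switched (WLAN 18 mapped to VLAN 111)
 ! Filter traffic as it enters the router from guest clients
 ip access-group GUEST-IN in
```

After a test client joins the guest SSID, `show ip access-lists GUEST-IN` shows per-entry hit counters, so attempts to reach private address space appear as matches on the `deny` lines. If the corporate network uses public address space as well, those prefixes need their own `deny` entries above the final `permit`.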
New Member

Re: H-REAP local switching

This is possible right?

HREAP central auth, locally switched?

Sorry for my bad drawing, I did it quickly.

New Member

Re: H-REAP local switching

Team,

Below is my screenshot. I was able to do WLAN to VLAN mapping and now getting local IP from local DHCP scope that's doing local switching. However for the guest wireless, I don't seem to have an option to add guest WLAN/VLAN mapping. My guest WLAN is # 18 that needs to map to VLAN # 111.

Thanks,

Sam

New Member

Re: H-REAP local switching

Have you enabled FlexConnect local switching on the WLAN?

Also have you added the guest WLAN to that particular AP group?

WLAN tab > Guest SSID > Advanced > FlexConnect Local Switching

Hall of Fame Super Silver

Re: H-REAP local switching

Like Aaron mentioned, you didn't enable local switching on the guest WLAN. Enabling that in any WLAN allows you to get the WLAN to VLAN mappings.

Sent from Cisco Technical Support iPad App

-Scott
*** Please rate helpful posts ***
New Member

Re: H-REAP local switching

Here is how I have my SSID configured:

And here is the AP.

Copy-pasted from my older post.

New Member

Re: H-REAP local switching

Edondurguti,

This is how I have setup mine too. Both secure and guest SSIDs are working fine. No operational issues. But I wanted to know how does guest traffic get routed? Which setting tells guest WLAN to put the traffic to local VLAN instead of backhauling to the controller? I don't remember where but someone had posted that if I want captive web portal authentication, I have to backhaul the guest WLAN traffic to the controller. That's why I stopped chasing the issue.

However, if there is a way to do captive web portal authentication for the guests and upon success do the local switching on VLAN X, I would love to know how. So far I haven't figured that out.

Thanks,

Sam

Re: H-REAP local switching

That should just be a matter of setting the WLAN to be allowed locally switched and defining the VLAN on the AP.

The WLC still knows the client will be webauth required and you should get the splash page.

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve
Please remember to rate useful posts, and mark questions as answered
New Member

Re: H-REAP local switching

Stephen,

That's the issue. How do I define the VLAN on AP? I did define it for the secure because it shows up. There was no option to define it for the AP. See below my screen shots.

My Secure VLAN is 101 and guest VLAN is 111.

Re: H-REAP local switching

In the guest WLAN config have you checked the HREAP local switching box? It won't show up in the VLAN mapping until you do.

Steve

Sent from Cisco Technical Support iPhone App

HTH, Steve
Please remember to rate useful posts, and mark questions as answered
New Member

Re: H-REAP local switching

Yes. Screenshot attached. As a matter of fact, I created another guest WLAN since some postings told me I have to have WLAN with ID # 17 or higher for this.

Again, things are working and for now I can live with central switching but wanted to know what I am doing wrong.
