If I use access points in H-REAP mode, is guest traffic still encapsulated in CAPWAP?
I think so, but I'm not really sure.
Only if centrally switched. Locally switched, there is no need for CAPWAP, since it exits the AP port and is placed on the network locally.
I hope I don't misunderstand something.
Centrally switched is not H-REAP.
Locally switched is H-REAP.
But if I need guest access with access points in H-REAP mode and the guest traffic leaves on local AP ports, how is guest traffic transport to a foreign controller possible?
If you are using HREAPs then you can choose WLANs to be either locally switched or centrally switched with the WLC.
If a WLAN is centrally switched, then all traffic should be sent to the WLC and hence is encapsulated in CAPWAP the whole way between AP and WLC.
If a WLAN is locally switched, however, then the traffic of the clients will be managed locally and will be sent directly to the network without going through any tunnel to the WLC.
Local or central switching can be configured on a per-WLAN basis from the Advanced tab of the WLAN configuration, under the "HREAP" field.
By default the central switching is active. You can choose to use local switching per WLAN from the advanced tab of the WLAN as I said above.
You may find more information about the matter here:
Hope this is helpful.
One more thing to note if you are trying to use Web Auth from the WLC while the wlan is configured for Local Switching (egressing off the AP switchport):
When a client is in WEBAUTH_REQD (pending to authenticate) all traffic (except ARP/DNS/DHCP) is sent to the WLC in CAPWAP just like if the WLAN was central switching. Basically web authentication is still done at the WLC and the WLC needs to see the HTTP packets in order to redirect the client, so this is why your guest traffic will still tunnel in CAPWAP to the WLC until they pass web authentication...
If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN...
"If you are trying to anchor the guest traffic to a DMZ or something, then you just don't check the HREAP local switching option on the WLAN..."
So is the final question:
H-Reap local switching and anchoring guest-traffic to a DMZ together is not possible!?!
Those are two mutually exclusive topics...
If you ANCHOR to the DMZ, all client traffic egresses from the Anchor WLC in the DMZ.
If you Locally Switch traffic off HREAP, all client traffic will egress the AP itself into whatever VLAN exists at the AP...
You can't put your client traffic off the AP and in the DMZ at the same time... (unless you trunk the DMZ L2 VLAN into your AP, but that still isn't anchoring).
So what are you trying to do?
If you want your guests from your HREAP AP to egress into the DMZ from a WLC in the DMZ, then you just make your guest WLAN not use HREAP Local Switching. Your traffic will flow from the client to the AP to the foreign WLC to the anchor WLC, just like any other central switching traffic...
If you want your guests from your HREAP AP to egress off the AP itself, then you would enable HREAP Local Switching and webauth would still happen at the WLC, but client traffic would egress off the AP into whatever VLAN you specified (will not be "anchored").
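The traffic paths described in this thread, written out as an added example that is not part of any poster's reply and is not Cisco code. The `Wlan` record, the hop names, the sample WLANs and the anchor address are all constructed for illustration; the audit reports where authenticated guest traffic leaves the wireless infrastructure.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Traffic that is not tunneled to the WLC while a client is in WEBAUTH_REQD,
# as stated in the thread. Treating it as locally switched is this example's reading.
PREAUTH_LOCAL = {"arp", "dns", "dhcp"}

@dataclass
class Wlan:                        # hypothetical inventory record, not a WLC structure
    name: str
    local_switching: bool          # the "HREAP Local Switching" option on the WLAN
    anchor: Optional[str] = None   # anchor WLC in the DMZ, if one is configured

def trace_path(wlan: Wlan, authenticated: bool, proto: str = "http") -> List[str]:
    """Return the hops a guest packet takes; the last element is its egress point."""
    if wlan.local_switching and wlan.anchor:
        raise ValueError(f"{wlan.name}: local switching and anchoring are mutually exclusive")
    if wlan.local_switching:
        if authenticated or proto in PREAUTH_LOCAL:
            return ["client", "ap", "local-vlan"]      # egresses at the AP switchport
        # WEBAUTH_REQD: the WLC must see the HTTP packets to redirect the client
        return ["client", "ap", "capwap", "wlc"]
    hops = ["client", "ap", "capwap", "wlc"]           # central switching
    if wlan.anchor:
        hops += ["anchor-wlc", "dmz"]                  # foreign WLC hands off to the anchor
    return hops

def audit_guest_wlans(wlans: List[Wlan]) -> Dict[str, str]:
    """Map each WLAN name to the egress point of authenticated guest traffic."""
    findings = {}
    for w in wlans:
        try:
            findings[w.name] = trace_path(w, authenticated=True)[-1]
        except ValueError:
            findings[w.name] = "conflict"
    return findings

# Constructed sample inventory; 192.0.2.10 is a documentation address.
SAMPLE = [
    Wlan("guest-anchored", local_switching=False, anchor="192.0.2.10"),
    Wlan("guest-local", local_switching=True),
    Wlan("guest-misconfigured", local_switching=True, anchor="192.0.2.10"),
]

if __name__ == "__main__":
    for name, egress in audit_guest_wlans(SAMPLE).items():
        print(f"{name}: {egress}")
```

A guest WLAN that reports `local-vlan` puts authenticated guest clients on whatever VLAN exists at the AP, so that VLAN needs its own isolation from internal networks.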