Configuring H-REAP (Cisco Wireless LAN Controllers) Part 1

To set up an H-REAP deployment, you need to complete several configuration steps:

Step 1. Get the APs joined to the controller.

Step 2. Configure the WLAN for central or local authentication.

Step 3. Configure the WLAN for central or local switching.

Step 4. Change the AP mode to H-REAP.

Step 5. Configure local switching on the AP if desired.

Step 6. Configure the local switch.

Controller Discovery

An H-REAP AP can use any of the usual AP discovery methods if they are available. If Layer 3 discovery methods are not feasible.

Table 13-3 WLAN Security Configurations: Dependent on H-REAP AP-Mode

| Security Type | Connected Mode (Centrally Switched) | Connected Mode (Locally Switched) | Standalone Mode (Locally Switched) |
| --- | --- | --- | --- |
| Open | Yes | Yes | Yes |
| Shared | Yes | Yes | Yes |
| WPA-PSK | Yes | Yes | Yes |
| WPA2-PSK | Yes | Yes | Yes |
| Client exclusion/blacklisting | Yes | Yes | No |
| MAC address authentication (onboard or upstream) | Yes | Yes | No new authentications |
| Dynamic WEP (802.1X) | Yes | Yes | Yes (4.2 or higher) |
| WPA (802.1X) | Yes | Yes | Yes (4.2 or higher) |
| WPA2 (802.1X) | Yes | Yes | Yes (4.2 or higher) |
| CCKM | Yes | Yes | Yes (4.2 or higher) |
| IBNS (1) | Yes | Not supported | Not supported |
| NAC (2) | Yes | Yes | No new authentications |
| WebAuth (onboard or upstream) | Yes | Yes | No new authentications |
| VPN (onboard or upstream) | Yes | Not supported* | Not supported* |
| Cranite | Yes | Not supported* | Not supported* |
| AirFortress | Yes | Not supported* | Not supported* |

(1) IBNS = identity-based networking services
(2) NAC = network admission control

*These security methods require the controller to force all traffic to flow through a given point on the network, such as an AirFortress appliance. While the AP is in standalone mode, the controller cannot enforce these policies because the LWAPP/CAPWAP tunnel is down, and the AP itself is not capable of enforcing them. If you want these security methods to remain in place even when the AP is in standalone mode, the security resources must be present on the local network.

When you deploy APs at a remote location, it can be easy to strand an H-REAP AP because local tech support might not be available. There could be a misconfiguration of the AP, incorrect DHCP or Domain Name System (DNS) options, routing problems, and so on.

One method to recover a stranded AP is to enable protocol forwarding on the local Layer 3 switch. As long as the AP has an IP address in the correct subnet, you can enable protocol forwarding for User Datagram Protocol (UDP) port 12223 for LWAPP or 5246 for CAPWAP on the first Layer 3 device upstream of the AP. With protocol forwarding enabled and an ip helper-address configured on that Layer 3 interface, the switch takes the AP's Layer 3 discovery broadcast (sent to 255.255.255.255) and forwards it as a unicast, on the configured UDP port, to the management interface IP address of the controller you want the AP to join.

For example, if the management IP address of the LWAPP controller you want the H-REAP AP to join is 10.100.10.6 and the AP resides on VLAN 10 at the remote network, the Layer 3 next hop switch would have the configuration in Example 13-1.

Example 13-1 Sample Switch Configuration to Forward AP Broadcast Discovery

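As an added example (not the book's own Example 13-1), the following Cisco IOS configuration for the remote-site Layer 3 switch relays the AP's discovery broadcast to the controller at 10.100.10.6 from VLAN 10, as the text describes. The controller address, the VLAN, and the UDP ports come from the text; the SVI address is a constructed value for illustration. The commented-out tail shows the clean-up the text recommends once the AP has joined.

```cisco
! Added example, not the book's Example 13-1.
! Controller management IP 10.100.10.6 and AP VLAN 10 are from the text;
! the SVI address 192.168.10.1/24 is a constructed value.
!
! Forward the controller discovery port: 12223 for LWAPP, 5246 for CAPWAP.
! Enable the one that matches the code the AP runs; both are shown.
ip forward-protocol udp 12223
ip forward-protocol udp 5246
!
interface Vlan10
 description Remote-site AP VLAN (constructed addressing)
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 10.100.10.6
!
! After the AP registers with the controller, back the change out:
! no ip forward-protocol udp 12223
! no ip forward-protocol udp 5246
! interface Vlan10
!  no ip helper-address 10.100.10.6
```

Note that ip helper-address also relays the default set of UDP broadcast ports (BOOTP/DHCP 67 and 68, TFTP 69, DNS 53, time 37, TACACS 49, and NetBIOS 137 and 138) to the controller's management address unless those are individually disabled with no ip forward-protocol udp, which is one more reason to remove the helper once the AP has joined, as the text advises.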

After the AP registers, you can remove the ip forward-protocol and ip helper-address commands from the next hop Layer 3 switch configuration.

Using IP protocol forwarding and ip helper-addresses is a great way to recover a stranded AP regardless of whether the AP is in H-REAP mode.

During the AP join process with an H-REAP AP, the AP sends its current H-REAP configuration, including the VLAN mappings for the locally switched WLANs, to the controller. Example 13-2 shows partial output from debug capwap events and debug capwap packet for a 1242 AP in H-REAP mode joining a controller running 5.2 code.

Example 13-2 H-REAP AP Configuration During Join Process


From this output, you can see that the native VLAN for the AP is VLAN 1, and WLAN IDs 2 and 3 are locally switched and mapped to local VLANs 12 and 20, respectively.

You can also see that the AP has a static IP address of 192.168.1.15 with a netmask of /24 and a default gateway of 192.168.1.1.

Remember that AP join packets are large and are always fragmented when they are sent to the controller. This can be important when you are trying to join APs across a WAN link.

Even though the maximum round-trip network delay that H-REAP APs can handle is 300 milliseconds (ms) (see "H-REAP Guidelines and Limitations"), packet fragments need to arrive within 100 ms of each other for the controller to be able to reassemble them. It is also important to remember that the controller and the AP can only handle four fragments. If a packet between the controller and the AP is broken up into more than four fragments, the receiver will not be able to reassemble it.

As an example of the effects of network delay during the AP join process, Figure 13-4 shows an AP trying to join a controller across a slow WAN link. As you can see, the AP is sending the join request and the controller is responding with the join response, yet the AP is never able to successfully register.


Figure 13-4 Failed AP join process across a slow WAN link

The reason the AP is not able to join the controller in Figure 13-4 is that the WAN link introduces a delay of several hundred milliseconds between the join request from the AP and the join response from the controller. The delay is large enough that the AP concludes the controller did not respond, and the process repeats over and over.

Configuring the WLAN

The default switching mode for a WLAN is central switching. So if you do not want a particular WLAN to be locally switched, you need not change any of the configuration. If you do plan to locally switch a WLAN, select H-REAP local switching on the Advanced tab of the WLAN. Figure 13-5 shows the H-REAP selection check box.


Figure 13-5 Configuring H-REAP Local Switching on the WLAN

When this feature is selected on the WLAN, an AP in H-REAP mode can bridge the client traffic directly to the local switch for the VLAN this WLAN is mapped to on the AP.

To configure the WLAN for H-REAP with local switching using the command-line interface (CLI), enter the following command:


A common misconception is that enabling H-REAP local switching on a WLAN affects non-H-REAP APs. This is not true. An AP in local mode ignores the H-REAP local switching setting. This means that you can easily have the same WLAN for both local and remote users. Along those same lines, an H-REAP AP ignores the local switching parameter for a WLAN unless local switching (VLAN support) is enabled.

In addition to the WLAN switching mode, you need to decide if you want to configure central or local authentication. Figure 13-6 shows the WLAN configured for WPA2-PSK, which is a local authentication method.

Also notice that, as part of the WLAN configuration, no mention was made of choosing an interface for the WLAN. Unless you will have APs in local mode servicing a WLAN configured for local switching alongside H-REAP APs, the controller interface is irrelevant, because the controller will not bridge the client traffic onto the network; the H-REAP AP performs that function. Even if you will not be using any local mode APs, you must still choose an interface to associate with your WLAN. In this case, you could use the management interface or, for example, create a quarantine VLAN interface, so that the controller does not bridge client traffic onto the network should the WLAN ever stop being locally switched.

Figure 13-6 WLAN Local Authentication

Configuring the AP

The majority of configuring an H-REAP deployment is on the AP. You have to change the AP from the default AP-Mode of local to H-REAP mode (see Figure 13-7) and reboot the AP. After the AP rejoins the controller, you see the H-REAP configuration tab that is also shown in Figure 13-7. Under the H-REAP tab, you can configure the switching mode from the default of central switching. Using H-REAP groups, you configure local authentication settings if desired. H-REAP groups are covered later under the "H-REAP Enhancements" section.

To enable H-REAP mode on the AP from CLI, enter the following command:


Changing the switching mode of the AP from the default of central to local switching requires you to enable VLAN support on the AP. Select the native VLAN for the AP, and then map the H-REAP local switching enabled WLANs to the desired local VLAN. Figures 13-8 and 13-9 illustrate these steps from the controller graphical user interface (GUI).


Figure 13-7 H-REAP Mode and H-REAP Tab on the AP Configuration

To configure the native VLAN for the H-REAP AP from the CLI, enter the following commands:


The native VLAN for the AP should match the native VLAN of the trunk port on the local switch.

To enable local switching for a WLAN, select the local VLAN you want a particular WLAN to use on the remote network. Remember that until you have configured at least one WLAN for local switching, you cannot map a WLAN to a local VLAN.

To map the WLANs to the local VLANs from the CLI, enter the following command:

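The WLAN and AP steps above (local switching on the WLAN, AP mode, VLAN support and native VLAN, WLAN-to-VLAN mapping) as one complete controller CLI session. This is an added example, not the book's own listings; it reuses the values the text reports from Example 13-2 (WLAN IDs 2 and 3 mapped to local VLANs 12 and 20, native VLAN 1). The AP name AP1242-remote is an assumption, and the command syntax is the WLC 5.x CLI as I know it from the configuration guide, so check it against your release. Lines beginning with ! are annotations for the reader, not WLC commands.

```cisco
! Added example, not the book's listings. AP name is an assumption;
! WLAN IDs, VLAN IDs and native VLAN are the values reported in the text.
!
! Steps 2 and 3: mark the WLANs for H-REAP local switching.
! The WLAN is disabled first, as most WLAN parameter changes require.
config wlan disable 2
config wlan h-reap local-switching 2 enable
config wlan enable 2
config wlan disable 3
config wlan h-reap local-switching 3 enable
config wlan enable 3
!
! Step 4: change the AP mode. The AP reboots and rejoins the controller.
config ap mode h-reap AP1242-remote
!
! Step 5: enable VLAN support on the AP, set the native VLAN to match the
! trunk on the local switch, then map each locally switched WLAN to its
! local VLAN (mapping only works once VLAN support is enabled).
config ap h-reap vlan enable AP1242-remote
config ap h-reap vlan native 1 AP1242-remote
config ap h-reap vlan wlan 2 12 AP1242-remote
config ap h-reap vlan wlan 3 20 AP1242-remote
!
! Verification: confirm local switching on the WLAN and the H-REAP
! VLAN mappings on the AP.
show wlan 2
show wlan 3
show ap config general AP1242-remote
```

When you read back the AP configuration, check that the native VLAN shown matches the native VLAN of the trunk port on the local switch, and that every WLAN ID you enabled for local switching has a local VLAN mapping; a WLAN left unmapped, or a native VLAN mismatch, puts client traffic on an unintended VLAN at the remote site.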
