Wireless: Setting up H-REAP APs

About H-REAP

Hybrid Remote Edge Access Point (H-REAP) is designed for APs deployed in small branch offices. The APs in the branch offices have an LWAPP path back to the controller in the central office over a WAN link.

If there is a WAN outage, the H-REAP AP goes into standalone mode and provides authentication as well as local switching while the LWAPP path is lost. This is known as Local authentication, local switching.

While the H-REAP AP has an LWAPP path back to the controller, it is in connected mode: authentication is done by the controller while the AP does the local switching. This is known as Central authentication, local switching.

While in connected mode, client data and authentication requests can also be tunneled (LWAPP) back to the controller. This is known as Central authentication, central switching.

While in standalone mode, all new client join requests will be dropped by the AP, but all existing clients connected to the AP will still be served. This is known as Authentication down, local switching.

While in standalone mode, the AP drops everything and provides no wireless service. This is known as Authentication down, switching down.

Trunk or not to trunk

Use a trunk link to the AP if you have more than one locally switched WLAN configured.

Use an access link to the AP if you have no more than a single locally switched WLAN, or multiple locally switched WLANs that do not require wired-side separation. (Thanks Jared, for explaining this wired-side separation portion.) In other words, if you do not care which VLAN the SSID is mapped to, you can use an access port; if you want each SSID to be mapped to its configured VLAN, a trunk port is more desirable.

Configuring dynamic interfaces, WLAN ID and H-REAP

Create a dynamic interface to be used by the new SSID.

In my case, this dynamic interface is associated with VLAN 100.

Put in all details associated with this dynamic interface.

Once the new dynamic interface is created, check again.

Create a new WLAN ID.

Choose a profile name as well as an SSID.

Edit the new WLAN and associate it with the newly created dynamic interface.

Edit the appropriate security settings. I do not have a Windows 2003 server or any other RADIUS server, hence I used PSK instead.

Turn on H-REAP local switching under the Advanced tab.

Go to Wireless, and select the AP by clicking the AP name.

Choose H-REAP in the AP mode drop-down box.

A reboot will be triggered for the AP.

Do the same for another AP if needed. This screen shows the H-REAP APs.

IP subnet will be local to the SSID that the client connects to

I have posted a question to clarify this. https://learningnetwork.cisco.com/message/106318#106318

For a LAP configured in Local AP mode, the client receives an address from the IP subnet that belongs to the dynamic interface associated with the WLAN. That is, if the SSID is associated with VLAN 100, the client receives a VLAN 100 address. This is not the case for an H-REAP-enabled LAP: the client receives an address from the IP subnet that is local to the H-REAP LAP. In other words, if the H-REAP LAP resides in VLAN 30, your client receives a VLAN 30 IP assignment regardless of which interface you have associated with the WLAN ID. The reason for this is that my AP is connected to an access port; refer to the section "Trunk or not to trunk".
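The VLAN behaviour described above, modelled as an added Python example (not part of the original post) that flags SSIDs whose clients land in the AP's own VLAN instead of the VLAN mapped to the WLAN, and SSIDs that end up sharing one VLAN. The class names, the sample inventory and the rule that centrally switched WLANs use the controller's dynamic interface are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass
class Wlan:
    ssid: str
    interface_vlan: int    # VLAN of the dynamic interface tied to the WLAN
    local_switching: bool  # "H-REAP local switching" on the Advanced tab

@dataclass
class Ap:
    name: str
    mode: str   # "local" or "h-reap"
    port: str   # "access" or "trunk" (switch port the AP plugs into)
    vlan: int   # VLAN the AP itself resides in

def client_vlan(ap, wlan):
    """VLAN whose subnet a client of `wlan` receives when joined via `ap`."""
    if ap.mode != "h-reap" or not wlan.local_switching:
        return wlan.interface_vlan   # traffic reaches the controller's interface
    if ap.port == "trunk":
        return wlan.interface_vlan   # SSID mapped to its configured VLAN
    return ap.vlan                   # access port: client lands in the AP's VLAN

def audit(aps, wlans):
    """Return (ap, ssids, problem) tuples for segmentation surprises."""
    findings = []
    for ap in aps:
        by_vlan = {}
        for w in wlans:
            v = client_vlan(ap, w)
            by_vlan.setdefault(v, []).append(w.ssid)
            if v != w.interface_vlan:
                findings.append((ap.name, w.ssid,
                                 f"mapped to VLAN {w.interface_vlan}, clients get VLAN {v}"))
        for v, ssids in by_vlan.items():
            if len(ssids) > 1:
                findings.append((ap.name, "+".join(ssids),
                                 f"share VLAN {v}, no wired-side separation"))
    return findings

# Constructed sample inventory (not from the original post).
WLANS = [Wlan("corp", 100, True), Wlan("guest", 200, True)]
APS = [Ap("branch-ap1", "h-reap", "access", 30),
       Ap("branch-ap2", "h-reap", "trunk", 30),
       Ap("hq-ap1", "local", "access", 10)]

if __name__ == "__main__":
    for finding in audit(APS, WLANS):
        print(*finding, sep=": ")
```

Only the H-REAP AP on the access port produces findings: both SSIDs collapse into VLAN 30, which is the case to look for when a guest and a corporate SSID are both locally switched.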


3 Responses to Wireless: Setting up H-REAP APs

  1. Pingback: Wireless: From Central office to Branch office over Frame relay « Ciscolok's Blog

  2. Rich says:

    Greetings.. Excellent work on the HREAP setup… Question, why didn’t you go into creating HREAP AP Groups / AP Groups? Aren’t they required when the connectivity to the WLC is down, which would help point the APs / local authentication to the local RADIUS server?

    Thanks,

    Rich

    • cyruslab says:

      Hi Rich.

      From what I remember, I did not need to create specific groups for HREAP; I just needed to enable the HREAP feature. As soon as the local AP lost connection to its WLC over the WAN, it continued to function and authenticate new users locally.

      At that time I did not set up an authentication server like RADIUS; I only used a pre-shared key to authenticate. As of now I do not have the wireless equipment anymore; those were my clients’ 😉 I got a chance to use it for 2 weeks and came across HREAP and tried them on my own. It was a fun experience.
