Wireless: From Central office to Branch office over Frame relay

Introduction

The enterprise has a 64 kbps frame relay link that connects the central office and the branch office. The wireless LAN controller (WLC: Cisco 2125) is deployed at the central office, and two lightweight access points (LAPs) are deployed at the branch office. (Not everything is configured; the main objective is to test H-REAP over a frame relay WAN link.)

Central office: 2651-2 sub-interface configuration for dot1q trunk

interface FastEthernet0/0
no ip address
duplex auto
speed auto
end

interface FastEthernet0/0.10
description Controller Vlan
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0

interface FastEthernet0/0.40
description Central video servers
encapsulation dot1Q 40
ip address 172.16.40.1 255.255.255.0

interface FastEthernet0/0.99
encapsulation dot1Q 99 native
ip address 192.168.99.1 255.255.255.0

interface FastEthernet0/0.100
description LAN users group 100
encapsulation dot1Q 100
ip address 172.16.100.1 255.255.255.0

interface FastEthernet0/0.200
encapsulation dot1Q 200
ip address 172.16.200.1 255.255.255.0

Central office: 2651-2 frame relay configuration

interface Serial0/0
no ip address
encapsulation frame-relay
no fair-queue
end

interface Serial0/0.100 point-to-point
ip address 192.168.10.9 255.255.255.252
frame-relay interface-dlci 100
end

Central office: 2651-2 routing configuration

interface Loopback0
ip address 11.11.11.11 255.255.255.255
end

router ospf 1
router-id 11.11.11.11
log-adjacency-changes
network 11.11.11.11 0.0.0.0 area 0
network 172.16.0.0 0.0.255.255 area 0
network 192.168.10.9 0.0.0.0 area 0
network 192.168.99.1 0.0.0.0 area 0

Central office: 2651-2 dhcp server configuration

ip dhcp pool vlan10-pool
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1

ip dhcp excluded-address 172.16.10.1 172.16.10.10

Central office: 2950-1 interface configuration

interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
end

interface FastEthernet0/9
description Trunk to WLC
switchport trunk native vlan 99
switchport mode trunk
end

Vlan configurations will not be shown here.

Branch office: 2651-3 dot1q configuration

interface FastEthernet0/0.20
description LAP-1
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
ip helper-address 172.16.10.3

interface FastEthernet0/0.30
description LAP-2
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.0
ip helper-address 172.16.10.3

interface FastEthernet0/0.50
description Branch office user group 50
encapsulation dot1Q 50
ip address 172.16.50.1 255.255.255.0

interface FastEthernet0/0.99
description Native
encapsulation dot1Q 99 native
ip address 192.168.99.2 255.255.255.0
ip helper-address 172.16.10.3

interface FastEthernet0/0.201
description Video receivers
encapsulation dot1Q 201
ip address 172.16.201.1 255.255.255.0

interface FastEthernet0/0.300
description LAN user group 300
encapsulation dot1Q 300
ip address 172.17.30.1 255.255.255.0

Branch office: 2651-3 frame relay configuration

interface Serial0/1
no ip address
encapsulation frame-relay
end

interface Serial0/1.200 point-to-point
ip address 192.168.10.10 255.255.255.252
ip helper-address 172.16.10.3
frame-relay interface-dlci 200
end

Branch office: 2651-3 routing configuration

interface Loopback0
ip address 22.22.22.22 255.255.255.255
end

router ospf 1
router-id 22.22.22.22
log-adjacency-changes
network 22.22.22.22 0.0.0.0 area 0
network 172.16.0.0 0.0.255.255 area 0
network 172.17.30.0 0.0.0.255 area 0
network 192.168.10.10 0.0.0.0 area 0
network 192.168.99.2 0.0.0.0 area 0

Branch office: 2651-3 dhcp server configuration

ip dhcp excluded-address 172.16.20.1 172.16.20.10
ip dhcp excluded-address 172.16.30.1 172.16.30.10
ip dhcp excluded-address 172.16.50.1 172.16.50.10
ip dhcp excluded-address 172.17.30.1 172.17.30.10
ip dhcp pool vlan20-pool
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
ip dhcp pool vlan30-pool
network 172.16.30.0 255.255.255.0
default-router 172.16.30.1
ip dhcp pool vlan50-pool
network 172.16.50.0 255.255.255.0
default-router 172.16.50.1
ip dhcp pool vlan300-pool
network 172.17.30.0 255.255.255.0
default-router 172.17.30.1

Branch office: 2950-2 interface configuration

interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
end

interface FastEthernet0/9
switchport access vlan 20
switchport mode access
spanning-tree portfast
end

interface FastEthernet0/10
switchport access vlan 30
switchport mode access
spanning-tree portfast
end

Vlan configuration will not be shown here as well.

Central office: WLC configuration

If no configuration is found, the WLC will run a start-up script; refer to this note to see what the start-up script looks like.

Branch office: LAP-1 and LAP-2

In my opinion it is easier to manage a LAP if you give it a static IP address. Here is the IP configuration information for LAP-1 and LAP-2:

LAP-1#sh capwap ip config

LWAPP Static IP Configuration
IP Address         172.16.20.2
IP netmask         255.255.255.0
Default Gateway    172.16.20.1

LAP-2#sh capwap ip config

LWAPP Static IP Configuration
IP Address         172.16.30.3
IP netmask         255.255.255.0
Default Gateway    172.16.30.1

LWAPP command is not available for H-REAP enabled APs.

A new AP has no configuration at all, so you can issue these commands on the LAP:

lwapp ap ip address <ip address of the LAP>

lwapp ap hostname <LAP’s hostname>

lwapp ap ip default-gateway <if there’s a default gateway>

lwapp ap controller ip address <ap manager’s ip address>

If you have reset the AP by holding the mode button and power cycling it, you can use the clear lwapp private-config command if you need to erase all configuration stored in the LAP. This command is not required: after a factory reset the LAP’s lwapp commands are enabled again, and you can modify the lwapp ap settings from the CLI.

A side note on factory resetting the LAP: hold the mode button and issue the reload command or power cycle the LAP, and keep holding the mode button until the Status light turns white. Once the status light turns white, you may release the mode button.

H-REAP AP

The branch office has no WLC, only two LAPs, and the LAPs have an LWAPP tunnel to the WLC over the frame relay link. If there is a frame relay outage, or a power outage at the central office, the LAPs will not be able to associate with the WLC in the central office, causing a wireless outage in the branch office.

A LAP can be configured as H-REAP to do local switching as well as local authentication, so if the LAP loses communication with the WLC there will be no wireless outage in the branch office.

Read this article for an idea of how to configure an H-REAP AP. Here is a review of the steps:

1. Create a dynamic interface and map it to a vlan.

2. Create a WLAN ID (SSID) and map the WLAN to the appropriate dynamic interface. Go to the advanced tab and make sure local switching is ticked.

3. Go to wireless and click on the AP in the table. Under the AP mode drop-down box choose H-REAP; the LAP will reboot.

4. Refresh the wireless page again and you should see the H-REAP AP. Click on the H-REAP AP; this time you will see a new H-REAP tab. Click on it.

This page is where you configure the vlans that the H-REAP AP supports. For example, if the H-REAP AP is broadcasting an SSID that is mapped to vlan 50 and communication with the WLC is lost, the H-REAP AP can still authenticate you locally and let you join the SSID that belongs to vlan 50.

5. Click Vlan support; you will be required to enter your native vlan id. Click on apply. Do not worry about the disabled Vlan mapping button.

6. After you have applied, click on the H-REAP AP again and go to H-REAP; this time you will be able to click on the VLAN mappings button.

7. Not much to do here, just click apply. These are the vlans that will be supported by the H-REAP AP.

For an H-REAP AP that supports more than one vlan (i.e. SSID), it is recommended to configure the switch port that connects your H-REAP AP as a trunk.

Trunk the H-REAP AP

I did not do this successfully: as soon as I trunked the switchport that is connected to the H-REAP AP, the WLC lost the H-REAP AP. Readers who have trunked an H-REAP AP successfully, please leave me a message and share with me how you did it.

From the switch, issue these commands:

switchport trunk native vlan 99

switchport trunk allowed vlan 20,30,50,300,201,99

switchport mode trunk

spanning-tree portfast trunk

Your H-REAP AP must have an IP address in the same subnet as your native vlan.

The reason for trunking the H-REAP AP is to let end users’ clients get an IP address from the subnet of whichever SSID they join. For example, if SSID guest-access belongs to vlan 50, a client connected to guest-access will be issued a vlan 50 IP address. If the H-REAP AP is not trunked but connected to an access port, whichever SSID you connect to you will only get an IP address from the H-REAP AP’s subnet, which is not desirable.
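A check for the rule above that the H-REAP AP's address must sit in the trunk's native vlan subnet, as an added example that is not part of the original post: it parses router sub-interfaces and the trunk commands shown on this page and reports a mismatch. The function names and the trimmed sample input are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed input: two 2651-3 sub-interfaces and the AP trunk commands from this page.
ROUTER_CONFIG = """\
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
interface FastEthernet0/0.99
 encapsulation dot1Q 99 native
 ip address 192.168.99.2 255.255.255.0
"""
TRUNK_CONFIG = """\
switchport trunk native vlan 99
switchport trunk allowed vlan 20,30,50,300,201,99
switchport mode trunk
"""

def vlan_subnets(router_config):
    """Map each dot1Q VLAN id to the subnet of its router sub-interface."""
    subnets, vlan = {}, None
    for line in map(str.strip, router_config.splitlines()):
        if line.startswith("interface "):
            vlan = None  # a new interface stanza starts; forget the previous VLAN
        elif m := re.match(r"encapsulation dot1Q (\d+)", line):
            vlan = int(m[1])
        elif (m := re.match(r"ip address (\S+) (\S+)$", line)) and vlan is not None:
            subnets[vlan] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
    return subnets

def parse_trunk(trunk_config):
    """Return (native VLAN, allowed set or None); IOS defaults: VLAN 1, all allowed."""
    native = re.search(r"^\s*switchport trunk native vlan (\d+)", trunk_config, re.M)
    allowed = re.search(r"^\s*switchport trunk allowed vlan ([\d,-]+)", trunk_config, re.M)
    vlans = set()
    for part in (allowed[1].split(",") if allowed else []):
        # each item is a single id ("20") or a range ("20-30")
        vlans.update(range(int(part.split("-")[0]), int(part.split("-")[-1]) + 1))
    return (int(native[1]) if native else 1), (vlans if allowed else None)

def audit_ap_trunk(ap_ip, router_config=ROUTER_CONFIG, trunk_config=TRUNK_CONFIG):
    """Return findings for an AP's static IP; an empty list means the trunk fits."""
    native, allowed = parse_trunk(trunk_config)
    ip = ipaddress.ip_address(ap_ip)
    home = next((v for v, n in vlan_subnets(router_config).items() if ip in n), None)
    checks = [
        (home != native, f"{ap_ip} is in VLAN {home}; trunk native VLAN is {native}"),
        (allowed is not None and native not in allowed, f"native VLAN {native} not allowed"),
    ]
    return [msg for failed, msg in checks if failed]
```

Run against the static address shown for LAP-1 (172.16.20.2), it reports VLAN 20 against native VLAN 99; an AP addressed inside 192.168.99.0/24 passes.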

Allow local authentication of H-REAP while WLC is uncontactable

You need to create an H-REAP group for local authentication; RADIUS authentication can also be configured here.

Click on the Add AP button to get a list of available APs associated with the WLC, and add the desired AP to the group. Remember to check Enable AP local authentication if this operation is desired. Under normal operation, authentication requests are sent from the LAP back to the WLC through the LWAPP tunnel, but when the WLC is down the LAP acts according to what is configured in the H-REAP group settings.

Test the H-REAP APs

I turned off my WLC to see how the H-REAP AP reacts.

If H-REAP is not configured, once the WLC has failed the LAPs will show “disco” lights, meaning the LAP has lost its association to the WLC group. For an H-REAP AP, operation seems normal to the end user, but the H-REAP AP is aware that the WLC is uncontactable and keeps hunting for another WLC; this operation is transparent to end users.

My client connected to the SSID branch_access. While the WLC was turned off, my client was still connected to the LAP and it seemed nothing had happened; I could ping the local vlan of the LAP.

C:\Users\User>ping 172.16.20.1

Pinging 172.16.20.1 with 32 bytes of data:
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255

Ping statistics for 172.16.20.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms

I disconnected from the SSID and reconnected to it, and my client was challenged with an authentication. This shows that the H-REAP AP acts on its own in the absence of the WLC. After I authenticated I could still ping the local vlan of the LAP.

In the background the two H-REAP APs kept searching for a WLC.

I turned my WLC back on, and as soon as the H-REAP AP contacted the WLC it joined. This operation is transparent to the end user; my continuous ping was not lost at all.

Ensure H-REAP AP will not be stranded once WLC is back in action

LWAPP uses UDP 12222 for data and UDP 12223 for control.

In my branch router I need these commands in global configuration mode:

ip forward-protocol udp 12222

ip forward-protocol udp 12223

interface fa0/0.20

ip helper-address 172.16.10.3

The ip helper-address command translates a broadcast into a unicast; you can put this command on the appropriate vlan interface. These commands ensure that my H-REAP AP is able to rejoin the WLC once the WLC is back in action.

 

Additional: Frame-relay configuration

interface Serial0/0
bandwidth 64
no ip address
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
no fair-queue
clock rate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 100 interface Serial0/1 200
end

interface Serial0/1
bandwidth 64
no ip address
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
clock rate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 200 interface Serial0/0 100
end


9 Responses to Wireless: From Central office to Branch office over Frame relay

  1. bet365 says:

    hi I was fortunate to look for your blog in google
    your subject is splendid
    I get much in your Topics really thanks very much
    btw the theme of you site is really marvelous
    where can find it

  2. 監視器 says:

    Thanks because of this! I’ve been searching all above the web for that facts.

    • Rob says:

      Great write-up! I am working on implementing a Wireless LAN solution at my work over the Christmas break and ran into similar issues with trunking and H-REAP. I hope to have this complete before Jan. 7th, 2011 and if all things work out, I will provide you information about what solution I was able to use. If you find it first please let me know. My WLC is a 5508 and I am using 1252LAP’s on a WAN using microwave dishes communicated to remote sites with 11 different subnets using EIGRP for routing (all Cisco). Thanks!

      • ciscolok says:

        Hi Rob 🙂

        Thank you for visiting my blog. I do not have the wireless equipment with me right now so I am unable to test the trunking again at the moment, hope you can share with me your method once you have done trunking successfully. 🙂

  3. Rob says:

    I got this working today!! I have my own website as well, but I have done nothing with it. I will get the documentation together and format it in HTML and then post the link to the website. Seems to have been a problem with trunking and the native VLAN. I’ll be in touch soon.

    • ciscolok says:

      Great to hear you have done it! How? I did the configuration based on cisco doc’s recommendation about the trunking of h-reap AP but it did not work… was my configuration wrong? The H-reap AP ip is in native vlan subnet…

      • Rob says:

        It turns out that our last System Admin was using a native vlan of 999, possibly to tag traffic from the dozens of hubs at each location…I’m not really sure. The trunk port for the AP was also set up in this same fashion following the settings on all ports. This however is not sufficient for VoIP which will be implemented in the near future. After I entered “no switchport trunk native vlan 999” the AP was instantly found by the WLC. I have not fully documented the entire configuration yet because I am still traveling to all our sites replacing hubs with switches, installing new switches, and new APs, as well as converting AP’s to LWAPP. Plan to be at a point to complete my documentation after the end of this week…or at least I hope.

  4. fabianidrissi says:

    I have had a lot of trouble finding reliable information regarding setting up HREAP. Cisco and related support forums all state that the management interface be used in an HREAP local switching setup. This was tried, failed, and only once setting up a dynamic interface for the relevant client data vlan did it actually work. Documentation says one thing – real world setup says different – who is right???
