Introduction
The enterprise has a 64kbps frame relay link between the central office and the branch office. The wireless LAN controller (WLC: Cisco 2125) is deployed at the central office, and two lightweight access points (LAPs) are deployed at the branch office. (Not every feature is configured; the main objective is to test H-REAP over a frame-relay WAN link.)
Central office: 2651-2 sub-interface configuration for dot1q trunk
interface FastEthernet0/0
no ip address
duplex auto
speed auto
end
interface FastEthernet0/0.10
description Controller Vlan
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
interface FastEthernet0/0.40
description Central video servers
encapsulation dot1Q 40
ip address 172.16.40.1 255.255.255.0
interface FastEthernet0/0.99
encapsulation dot1Q 99 native
ip address 192.168.99.1 255.255.255.0
interface FastEthernet0/0.100
description LAN users group 100
encapsulation dot1Q 100
ip address 172.16.100.1 255.255.255.0
interface FastEthernet0/0.200
encapsulation dot1Q 200
ip address 172.16.200.1 255.255.255.0
Central office: 2651-2 frame relay configuration
interface Serial0/0
no ip address
encapsulation frame-relay
no fair-queue
end
interface Serial0/0.100 point-to-point
ip address 192.168.10.9 255.255.255.252
frame-relay interface-dlci 100
end
Central office: 2651-2 routing configuration
interface Loopback0
ip address 11.11.11.11 255.255.255.255
end
router ospf 1
router-id 11.11.11.11
log-adjacency-changes
network 11.11.11.11 0.0.0.0 area 0
network 172.16.0.0 0.0.255.255 area 0
network 192.168.10.9 0.0.0.0 area 0
network 192.168.99.1 0.0.0.0 area 0
Central office: 2651-2 dhcp server configuration
ip dhcp pool vlan10-pool
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
ip dhcp excluded-address 172.16.10.1 172.16.10.10
Central office: 2950-1 interface configuration
interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
end
interface FastEthernet0/9
description Trunk to WLC
switchport trunk native vlan 99
switchport mode trunk
end
Vlan configurations will not be shown here.
Branch office: 2651-3 dot1q configuration
interface FastEthernet0/0.20
description LAP-1
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
ip helper-address 172.16.10.3
interface FastEthernet0/0.30
description LAP-2
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.0
ip helper-address 172.16.10.3
interface FastEthernet0/0.50
description Branch office user group 50
encapsulation dot1Q 50
ip address 172.16.50.1 255.255.255.0
interface FastEthernet0/0.99
description Native
encapsulation dot1Q 99 native
ip address 192.168.99.2 255.255.255.0
ip helper-address 172.16.10.3
interface FastEthernet0/0.201
description Video receivers
encapsulation dot1Q 201
ip address 172.16.201.1 255.255.255.0
interface FastEthernet0/0.300
description LAN user group 300
encapsulation dot1Q 300
ip address 172.17.30.1 255.255.255.0
Branch office: 2651-3 frame relay configuration
interface Serial0/1
no ip address
encapsulation frame-relay
end
interface Serial0/1.200 point-to-point
ip address 192.168.10.10 255.255.255.252
ip helper-address 172.16.10.3
frame-relay interface-dlci 200
end
Branch office: 2651-3 routing configuration
interface Loopback0
ip address 22.22.22.22 255.255.255.255
end
router ospf 1
router-id 22.22.22.22
log-adjacency-changes
network 22.22.22.22 0.0.0.0 area 0
network 172.16.0.0 0.0.255.255 area 0
network 172.17.30.0 0.0.0.255 area 0
network 192.168.10.10 0.0.0.0 area 0
network 192.168.99.2 0.0.0.0 area 0
Branch office: 2651-3 dhcp server configuration
ip dhcp excluded-address 172.16.20.1 172.16.20.10
ip dhcp excluded-address 172.16.30.1 172.16.30.10
ip dhcp excluded-address 172.16.50.1 172.16.50.10
ip dhcp excluded-address 172.17.30.1 172.17.30.10
ip dhcp pool vlan20-pool
network 172.16.20.0 255.255.255.0
default-router 172.16.20.1
ip dhcp pool vlan30-pool
network 172.16.30.0 255.255.255.0
default-router 172.16.30.1
ip dhcp pool vlan50-pool
network 172.16.50.0 255.255.255.0
default-router 172.16.50.1
ip dhcp pool vlan300-pool
network 172.17.30.0 255.255.255.0
default-router 172.17.30.1
Branch office: 2950-2 interface configuration
interface FastEthernet0/1
switchport trunk native vlan 99
switchport mode trunk
end
interface FastEthernet0/9
switchport access vlan 20
switchport mode access
spanning-tree portfast
end
interface FastEthernet0/10
switchport access vlan 30
switchport mode access
spanning-tree portfast
end
Vlan configuration will not be shown here either.
Central office: WLC configuration
If no configuration is found, the WLC will launch its start-up script; refer to this note for what the start-up script looks like.
Branch office: LAP-1 and LAP-2
In my opinion it is easier to manage a LAP if you give it a static IP address; here is the IP configuration information for LAP-1 and LAP-2:
LAP-1#sh capwap ip config
LWAPP Static IP Configuration
IP Address 172.16.20.2
IP netmask 255.255.255.0
Default Gateway 172.16.20.1
LAP-2#sh capwap ip config
LWAPP Static IP Configuration
IP Address 172.16.30.3
IP netmask 255.255.255.0
Default Gateway 172.16.30.1
The lwapp commands are not available on H-REAP enabled APs.
A new AP has no configuration at all; you can issue these commands on the LAP:
lwapp ap ip address <ip address of the LAP>
lwapp ap hostname <LAP’s hostname>
lwapp ap ip default-gateway <if there’s a default gateway>
lwapp ap controller ip address <ap manager’s ip address>
If you have reset the AP by holding the mode button during a power cycle, use the clear lwapp private-config command if you need to erase all configuration stored in the LAP. This command is not strictly necessary: after a factory reset the LAP's lwapp commands are enabled again, and you can modify the lwapp ap settings from the CLI.
A side note on factory resetting the LAP: hold the mode button and issue the reload command or power cycle the AP, and keep holding the mode button until the Status light turns white. Once the Status light turns white, you may release the mode button.
H-REAP AP
The branch office has no WLC, only two LAPs; the LAPs have an LWAPP tunnel to the WLC over the frame-relay link. If there is a frame-relay outage, or a power outage in the central office, the LAPs will not be able to associate with the WLC in the central office, causing a wireless outage in the branch office.
A LAP can be configured as H-REAP to do local switching as well as local authentication, so if the LAP loses communication with the WLC there will be no wireless outage in the branch office.
Read this article for an idea of how to configure an H-REAP AP. Here is the summary:
1. Create a dynamic interface and map it to a vlan.
2. Create a WLAN ID (SSID) and map the WLAN to the appropriate dynamic interface; go to the Advanced tab and make sure local switching is ticked.
3. Go to Wireless, click on the AP in the table, and under the AP Mode drop-down box choose H-REAP; the LAP will reboot.
4. Refresh the wireless page again, you should see H-REAP AP, click on the H-REAP AP, this time you will see a new H-REAP tab, click on it.
This page is where your LAP maps its VLANs. Say the H-REAP AP is broadcasting an SSID that is mapped to VLAN 50: while communication to the WLC is lost, the H-REAP AP can still locally authenticate you and let you join the SSID that belongs to VLAN 50. This page is where you configure the VLANs that are supported by the H-REAP AP.
5. Tick VLAN Support; you will be required to enter your native VLAN ID. Click Apply. Do not worry about the disabled VLAN Mappings button.
6. After you have applied, click on the H-REAP AP again, and go to H-REAP, this time you will be able to click on the VLAN mappings button.
7. Not much to do here, just click apply. These are the vlans that will be supported by the H-REAP AP.
For an H-REAP AP that supports more than one VLAN (i.e. more than one SSID), it is recommended to configure the switchport that connects the H-REAP AP as a trunk.
Trunk the H-REAP AP
I did not do this successfully; as soon as I trunked the switchport that is connected to the H-REAP AP, the WLC lost the H-REAP AP. Readers who have trunked an H-REAP AP successfully, please leave me a message and share how you did it.
On the switch, issue these commands:
switchport trunk native vlan 99
switchport trunk allowed vlan 20,30,50,300,201,99
switchport mode trunk
spanning-tree portfast trunk
Your H-REAP AP must be in the same IP subnet as your native VLAN.
The reason for trunking the H-REAP AP is to allow end users' clients to get an IP address from the subnet of whichever SSID they join; for example, if the SSID guest-access belongs to VLAN 50, a client connected to guest-access will be issued a VLAN 50 IP address. If the H-REAP AP is not trunked but connected to an access port, whichever SSID you connect to you will only get an IP address from the H-REAP AP's own subnet, which is not desirable.
Allow local authentication of H-REAP while WLC is uncontactable
You need to create an H-REAP group for local authentication; RADIUS authentication can also be configured here.
Click the Add AP button and a list of the APs currently associated with the WLC appears; add the desired AP into the group, and remember to check Enable AP local authentication if you want local authentication. Under normal operation, authentication requests are sent from the LAP back to the WLC through the LWAPP tunnel, but while the WLC is down the LAP can act according to what is configured in the H-REAP group settings.
Test the H-REAP APs
I turned off my WLC to see how the H-REAP APs react.
If H-REAP is not configured, once the WLC has failed the LAPs will show "disco" lights, meaning the LAP has lost association with the WLC group. In the case of an H-REAP AP, operation seems normal to the end user, but the H-REAP AP is "aware" that the WLC is uncontactable and keeps hunting for another WLC; this operation is transparent to end users.
My client connected to the SSID branch_access; while the WLC was turned off, my client stayed connected to the LAP as if nothing had happened, and I could ping the local VLAN of the LAP.
C:\Users\User>ping 172.16.20.1
Pinging 172.16.20.1 with 32 bytes of data:
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255
Reply from 172.16.20.1: bytes=32 time=2ms TTL=255
Ping statistics for 172.16.20.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
I disconnected from the SSID and reconnected to it again; my client was challenged for authentication, which shows that the H-REAP AP is acting on its own during the absence of the WLC. After I authenticated I could still ping the local VLAN of the LAP.
In the background the two H-REAP APs kept searching for a WLC.
I turned my WLC back on, and as soon as an H-REAP AP contacted the WLC it joined; this operation is transparent to the end user, and my continuous ping did not lose a single packet.
Ensure the H-REAP AP will not be stranded once the WLC is back in action
LWAPP uses UDP 12222 for data and UDP 12223 for control.
On my branch router I need these commands in global configuration mode:
ip forward-protocol udp 12222
ip forward-protocol udp 12223
interface fa0/0.20
ip helper-address 172.16.10.3
The ip helper-address command turns the LAP's broadcast WLC discovery into a unicast to the WLC; you can put this command on the appropriate VLAN interface. These commands ensure that my H-REAP APs are able to rejoin the WLC once it is back in action.
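As an added example (not from the original post), here is a small Python checker that encodes the two sanity checks from the "Trunk the H-REAP AP" section and this one: the branch router must carry the ip forward-protocol lines for UDP 12222/12223 and an ip helper-address towards the WLC on every LAP subinterface, and the switchport facing an H-REAP AP must be a trunk whose allowed VLAN list covers the native VLAN and every SSID VLAN. The config fragments are constructed, modelled on the post's branch router (2651-3) and branch switch (2950-2) configurations, with one helper address deliberately left out so the check has something to find; the function names and the rule of treating "LAP" in the description as the marker for an AP subinterface are my own assumptions.

```python
import re
from typing import Dict, List, Set

LWAPP_UDP_PORTS = (12222, 12223)  # LWAPP data and control ports, as used in the post

# Constructed sample: branch router fragment. FastEthernet0/0.30 is missing its
# ip helper-address on purpose so the checker reports it.
BRANCH_ROUTER_CONFIG = """\
ip forward-protocol udp 12222
ip forward-protocol udp 12223
!
interface FastEthernet0/0.20
 description LAP-1
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
 ip helper-address 172.16.10.3
!
interface FastEthernet0/0.30
 description LAP-2
 encapsulation dot1Q 30
 ip address 172.16.30.1 255.255.255.0
!
interface FastEthernet0/0.99
 description Native
 encapsulation dot1Q 99 native
 ip address 192.168.99.2 255.255.255.0
 ip helper-address 172.16.10.3
"""

# Constructed sample: the trunk port facing an H-REAP AP, as in the post.
BRANCH_SWITCH_PORT = """\
interface FastEthernet0/9
 switchport trunk native vlan 99
 switchport trunk allowed vlan 20,30,50,300,201,99
 switchport mode trunk
 spanning-tree portfast trunk
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split an IOS config into {interface name: [indented sub-commands]}."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface block
    return interfaces


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '20,30,50-52' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def check_lwapp_forwarding(config: str, wlc_helper: str) -> List[str]:
    """Findings for the branch router: global LWAPP forward-protocol lines plus a
    helper address towards the WLC on every subinterface described as a LAP port."""
    findings: List[str] = []
    for port in LWAPP_UDP_PORTS:
        if not re.search(rf"^ip forward-protocol udp {port}\s*$", config, re.M):
            findings.append(f"global: missing 'ip forward-protocol udp {port}'")
    for name, lines in parse_interfaces(config).items():
        desc = next((l for l in lines if l.startswith("description ")), "")
        if "LAP" not in desc:
            continue  # assumption: LAP subinterfaces carry "LAP" in their description
        helpers = [l.split()[-1] for l in lines if l.startswith("ip helper-address ")]
        if wlc_helper not in helpers:
            findings.append(f"{name}: no 'ip helper-address {wlc_helper}' for LWAPP discovery")
    return findings


def check_hreap_trunk(port_config: str, ssid_vlans: Set[int], native_vlan: int) -> List[str]:
    """Findings for the switchport facing an H-REAP AP: trunk mode, expected native
    VLAN, and an allowed list covering the native VLAN and every SSID VLAN."""
    findings: List[str] = []
    for name, lines in parse_interfaces(port_config).items():
        joined = "\n".join(lines)
        if "switchport mode trunk" not in lines:
            findings.append(f"{name}: not in 'switchport mode trunk'")
        m = re.search(r"^switchport trunk native vlan (\d+)$", joined, re.M)
        if not m or int(m.group(1)) != native_vlan:
            findings.append(f"{name}: native vlan is not {native_vlan}")
        m = re.search(r"^switchport trunk allowed vlan (\S+)$", joined, re.M)
        allowed = expand_vlan_list(m.group(1)) if m else set(range(1, 4095))  # IOS default: all
        missing = sorted((ssid_vlans | {native_vlan}) - allowed)
        if missing:
            findings.append(f"{name}: allowed vlan list lacks {missing}")
    return findings


if __name__ == "__main__":
    for finding in check_lwapp_forwarding(BRANCH_ROUTER_CONFIG, "172.16.10.3"):
        print("router:", finding)
    for finding in check_hreap_trunk(BRANCH_SWITCH_PORT, {20, 30, 50}, 99):
        print("switch:", finding)
```

Run against the constructed fragments, the router check reports only FastEthernet0/0.30 (the missing helper address), and the switch check is clean because the allowed list contains VLANs 20, 30, 50 and the native VLAN 99. Feed it your own show running-config output and the SSID-to-VLAN set from the WLC's H-REAP VLAN mappings page to catch a subinterface or trunk that would leave an AP stranded after a WLC outage.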
Additional: Frame-relay configuration
interface Serial0/0
bandwidth 64
no ip address
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
no fair-queue
clock rate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 100 interface Serial0/1 200
end
interface Serial0/1
bandwidth 64
no ip address
encapsulation frame-relay
logging event subif-link-status
logging event dlci-status-change
clock rate 64000
no frame-relay inverse-arp
frame-relay intf-type dce
frame-relay route 200 interface Serial0/0 100
end
