Configuring H-REAP

This post contains notes about H-REAP configuration.

Quick notes

  1. H-REAP is abbreviation from hybrid Remote-Edge AP
  2. successor of H-REAP is Flexconnect. Cisco added some new features to H-REAP and re-branded it to the new name
  3. H-REAP is LAP mode (the default LAP mode is Local mode)
  4. H-REAP mode allows to control LAP (and its clients) from WLC (for example you can restart AP, disassociate the client from WLC, see statistics from LAP, etc.)
  5. if your LAP is in H-REAP mode it can be configured (associated) with two types of WLANs (in the same time):
    1. WLAN with H-REAP mode disabled – in this case the packet are centrally switched in the same way as in the default Local mode (the client packets are NOT tunneled with CAPWAP to WLC)
    2. WLAN with H-REAP mode enabled – in this case the packets are locally switched (they are not tunneled with CAPWAP to WLC)
    3. Cisco uses the following terminology – LAP (configured as H-REAP) is in connected mode if it has connection with WLC; otherwise it is in standalone mode. For example, in connected mode the LAP can be in central authentication and central switching state; in standalone mode the LAP can be in  local authentication and local switching state (however this state is also possible in connected mode)

    Note – it means that you configure H-REAP in two places – for LAP and for WLAN separately.

  6. if H-REAP is enabled for LAP and WLAN then you have to map WLANs to local VLANs. Recall that when you define WLAN you actually bind it to the interface (on WLC) and indirectly to VLAN. However in this case the packets are NOT tunneled to WLC so this mapping has no sense. That is why you have to redefine it another place.

Configuration

Discovering WLC

First your LAP has to obtain IP address and discover WLC. It can be a problem if your LAP is already in remote office and it cannot discover WLC automatically (using layer 2). Here is the post which explain how to setup LAP with static IP address and static WLC information: Manually Configuring the LAP

Define WLAN

First define WLAN which your LAP will service for the clients. In our example we will configure H-REAP to switch packets locally so the WLAN can be bound to any WLC interface (WLC interface will not be used because clients packets will not be tunneled to WLC). Next create AP Groups (it binds WLAN with APs).

Define WLAN

Associate WLAN with AP

If your LAP joined successfully to WLC then add it to the AP group created previously:

Add AP to WLAN

Now your LAP is configured to service WLAN in Local mode. The clients packets are tunneled to WLC.

Setup H-REAP mode on LAP

Configure your LAP to work in H-REAP mode.

H-REAP on LAP

Now your LAP is configured to service WLAN in H-REAP mode but the clients packets are still tunneled to WLC!

Setup H-REAP on WLAN

Configure WLAN as H-REAP – check on H-REAP option.

H-REAP on WLAN

This option means – “if LAP is also in H-REAP then switch client packets locally”. If this option is disabled then clients packet are switched centrally with CAPWAP even if LAP is in H-REAP mode (such configuration is also valid – H-REAP LAP may service both H-REAP and non-H-REAP WLANs in the same time).

Note:
there is also additional option “H-REAP Local Auth“. By default the client authentication packets are tunneled to WLC (even if the clients packets are switched locally).

However if WAN connections fails then client will be authenticated by LAP itself. There is one benefit of checking this box: Local authentication reduces the latency requirements of the branch office.

However there is also one disadvantage – in Local authentication access point provides minimal information about the locally authenticated client to the controller. The following information is not available to the controller:

  • Policy type
  • Access VLAN
  • VLAN name
  • Supported rates
  • Encryption cipher

Basic configuration notes

This is a minimal configuration to enable H-REAP on LAP and WLAN (so clients packets are switched locally). This configuration works properly; however all the packets sent from LAP to the local switch are untagged.

LAP configured as H-REAP creates the connection to the WLC using untagged frames (it cannot be changed). However WLANs can be mapped to any VLAN. Usually you configure the trunk connection between your LAP and switch where native VLAN is used for communication between the LAP and WLC.

Enable VLANs mapping

Edit your LAP settings (H-REAP tag). As you can see by default no VLANs are used.

Edit LAP VLAN

Check on the VLAN box and setup native vlan to match the settings on the switch (native VLAN is used by LAP to make connection to WLC).

Enable VLAN

Click VLAN Mappings button to map the LAP WLANs to VLANs. You can only choose WLANs configured for H-REAP.

Map VLANs

Veryfication

You can verify reap status from LAP:

war-ap-001#show capwap reap status
 AP Mode:         REAP, Connected
 Radar detected on:

// cable from LAP disconnected
 
war-ap-001#show capwap reap status
 AP Mode:         REAP, Standalone
 Radar detected on:

To see if a client’s data traffic is being locally or centrally switched, go to Monitor > Clients on the WLC GUI and look at the Data Switching parameter

Client Monitor

Tips

  1. Let’s assume that your LAP is connected to WLC and configured for local switching and central authentication. If the WAN connection (to WLC) fails then client connection will not be broken. Also new connections (clients) will be allowed. I tested it with WEP and WPA2.
  • Let’s assume that your LAP is connected to WLC and configured for local switching and local authentication. If the WAN connection (to WLC) fails then client connection will not be broken. Also new connections (clients) will be allowed. I tested it with WEP and WPA2.
  • You can configured something which is called H-REAP groups. Basically H-REAP group contains the list of H-REAP LAPs with some common settings. Most of the settings are related with authentication parameters – for example you can put the LAPs in the same H-REAP group to use the same Radius server (as backup server if WAN connection to WLC fails).H-REAP group
  • What if LAP was configured for default mode (Local mode) and WLAN was configured with H-REAP option enabled? In this case the LAP will service the WLAN as if the WLAN H-REAP option was disabled (so client packets will be tunneled to WLC).

Sources

  1. Video tutorial (part 1) – HREAP part 1, local switching
  2. Video tutorial (part 1) – HREAP part 2, 802.1X authentication in disconnected mode
  3. Cisco doc – H-Reap Design and Deployment Guide

Leave a Reply

Your email address will not be published. Required fields are marked *