Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter Design Guide
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 7 Cisco Unified Wireless Hybrid REAP
Hybrid REAP
H-REAP Limitations and Caveats
Local Switching Restrictions
If one of the following security methods is configured on the WLC for a specific WLAN, then that
WLAN cannot be configured for local switching on an H-REAP AP:
• IPSEC
• CRANITE
• FORTRESS
Note: VPN pass-through to external aggregation platforms is permitted. However, WLC-imposed VPN
passthrough restriction is not permitted.
Max Supported WLANs
H-REAP APs support eight WLANs. Therefore, any WLAN that is expected to be supported by an
H-REAP AP must fall within WLAN IDs 1–8. WLAN IDs 9–16 are not propagated.
Network Address Translation (NAT/PAT)
WLC
A WLC cannot reside behind a NAT boundary when communicating with APs because LAPs
communicate with the WLC in two phases using two different IP addresses:
• WLC discovery—A LAP initially queries a list of WLCs using the management IP address of a
WLC. The management IPs are learned via DHCP Option 43, DNS, or they can be configured
manually (see ). The discovery phase is used to determine which
WLC, within the list of eligible WLCs, the AP will join. This is conveyed by sending an LWAPP
control message containing the eligible WLC AP management IP address.
• WLC join—The AP joins the eligible WLC using the learned AP management IP address. The AP
management IP address cannot be supported by NAT because the AP learns this address during the
discovery phase. Even if 1:1 NAT relationships are established, the WLC is not capable of passing
the outside NAT address of the AP manager as the IP address the AP should use to join the WLC.
AP
Standard 1:1 static NAT can be used to support one or more APs behind a NAT boundary. Also, multiple
LAPs (H-REAP or standard) can use PAT. In this scenario, a single IP NAT pool is configured with
“overload” or a WAN interface (or loopback I/F) is used with “overload”. Following is a summary of
the behavior when the overload (PAT) method is used:
1. When an AP boots up, it obtains an “inside local” IP address from DHCP and then uses a random
source port (5xxxx) to initiate the WLC discovery process using LWAPP control port 12223. Cisco
IOS PAT preserves the inside local source port number selected by the AP and makes a translation
using the “NAT pool” IP address or interface IP address (inside global). See the following example:

Pro  Inside global        Inside local          Outside local       Outside global
udp  10.20.3.19:54417     192.168.1.121:54417   10.15.9.253:12223   10.15.9.253:12223

2. After the AP has joined a WLC and 802.11 data is sent upstream, the IOS PAT process sources the
802.11 data traffic using the same inside local port number and sends it to the WLC using LWAPP
port 12222. See the following example:
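
Added example (not part of the Cisco guide): a Python check over translation rows in the format shown in step 1, reporting per AP whether PAT preserved the source port and whether the LWAPP control (12223) and data (12222) flows share the same inside local port. The function name `audit_lwapp` is hypothetical; the first sample row is the one from step 1, and the second and third rows are constructed for illustration.

```python
import re

LWAPP_CONTROL, LWAPP_DATA = 12223, 12222

# Row 1 is the translation shown in step 1. Row 2 is constructed from the
# step 2 description (same inside local port, WLC port 12222). Row 3 is a
# constructed AP whose source port was rewritten by PAT.
SAMPLE = """\
Pro  Inside global        Inside local          Outside local       Outside global
udp  10.20.3.19:54417     192.168.1.121:54417   10.15.9.253:12223   10.15.9.253:12223
udp  10.20.3.19:54417     192.168.1.121:54417   10.15.9.253:12222   10.15.9.253:12222
udp  10.20.3.19:1024      192.168.1.122:54417   10.15.9.253:12223   10.15.9.253:12223
"""

# udp <inside global> <inside local> <outside local> <outside global>
ROW = re.compile(
    r"^udp\s+(\S+):(\d+)\s+(\S+):(\d+)\s+\S+:\d+\s+(\S+):(\d+)\s*$"
)

def audit_lwapp(text):
    """Map each AP (inside local IP) to its LWAPP control/data source ports,
    whether PAT preserved them, and whether both flows use the same port."""
    aps = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header line or non-UDP entry
        _g_ip, g_port, l_ip, l_port, _wlc_ip, wlc_port = m.groups()
        kind = {LWAPP_CONTROL: "control", LWAPP_DATA: "data"}.get(int(wlc_port))
        if kind is None:
            continue  # not an LWAPP flow
        ap = aps.setdefault(l_ip, {"control": None, "data": None, "preserved": True})
        ap[kind] = int(l_port)
        if g_port != l_port:
            ap["preserved"] = False  # inside global port differs from AP's port
    for ap in aps.values():
        both = ap["control"] is not None and ap["data"] is not None
        # None means only one of the two flows is present in the table
        ap["same_port"] = (ap["control"] == ap["data"]) if both else None
    return aps

if __name__ == "__main__":
    for ip, info in audit_lwapp(SAMPLE).items():
        print(ip, info)
```
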