Cisco Cisco Aironet 350 Mini-PCI Wireless LAN Client Adapter Guida Alla Progettazione
7-15
Enterprise Mobility 4.1 Design Guide
OL-14435-01
Chapter 7 Cisco Unified Wireless Hybrid REAP
Hybrid REAP
Pro Inside global
Inside local Outside local Outside global
udp 10.20.3.19:54417
192.168.1.121:54417 10.15.9.253:12222 10.15.9.253:12222
3.
All traffic sent from the WLC to the AP, regardless of whether it is control or 802.11 data, is sent
to the inside global IP address and port number 54417 (assuming the example above), where IOS
PAT translates it to the proper inside local address. Multiple APs can be supported because each AP
uses a unique source port to communicate with the WLC.
to the inside global IP address and port number 54417 (assuming the example above), where IOS
PAT translates it to the proper inside local address. Multiple APs can be supported because each AP
uses a unique source port to communicate with the WLC.
The PAT translation examples above occur when the AP boots up for the first time. However, often times
the AP may reset a second and possibly a third time and if it does, it obtains a new IP address each time
(assuming DHCP is used). This creates a problem for the PAT process because now the AP is attempting
to use the same inside local source port number, but with a different inside local IP address. Because the
first translation entries still exist, PAT creates new (unique) inside global source ports. See the following
example:
the AP may reset a second and possibly a third time and if it does, it obtains a new IP address each time
(assuming DHCP is used). This creates a problem for the PAT process because now the AP is attempting
to use the same inside local source port number, but with a different inside local IP address. Because the
first translation entries still exist, PAT creates new (unique) inside global source ports. See the following
example:
Pro Inside global
Inside local Outside local Outside global
udp 10.20.3.19:54417 192.168.1.121:54417 10.15.9.253:12222 10.15.9.253:12222
udp 10.20.3.19:54417 192.168.1.121:54417 10.15.9.253:12223 10.15.9.253:12223
udp 10.20.3.19:1322 192.168.1.122:54417 10.15.9.253:12222 10.15.9.253:12222
udp 10.20.3.19:1323 192.168.1.122:54417 10.15.9.253:12223 10.15.9.253:12223
In the example above, note the translations that PAT creates after the AP resets the second time. The
first translation entries for inside local 192.168.1.121 are no longer used because the AP has reset with
a new IP. In this scenario, the AP is now communicating with the WLC using inside local IP
192.168.1.122 and source port 1323, which works. The problem arises when 802.11 data is sent to the
WLC. In the example above, instead of being sourced by the same inside global port (1323) as the
LWAPP control data, PAT sources the 802.11 data using yet another port: 1322. The WLC receives the
802.11 data, but it sends all 802.11 data back to the AP using 1323. Because of the port mismatch, the
AP does not receive the 802.11 data, effectively breaking the LWAPP data plane.
first translation entries for inside local 192.168.1.121 are no longer used because the AP has reset with
a new IP. In this scenario, the AP is now communicating with the WLC using inside local IP
192.168.1.122 and source port 1323, which works. The problem arises when 802.11 data is sent to the
WLC. In the example above, instead of being sourced by the same inside global port (1323) as the
LWAPP control data, PAT sources the 802.11 data using yet another port: 1322. The WLC receives the
802.11 data, but it sends all 802.11 data back to the AP using 1323. Because of the port mismatch, the
AP does not receive the 802.11 data, effectively breaking the LWAPP data plane.
Note
This is a problem only for centrally switched WLANs. Those WLANs that are switched locally are not
impacted because no 802.11 data is being sent to the WLC on port 12222 for those WLANs.
impacted because no 802.11 data is being sent to the WLC on port 12222 for those WLANs.
Workarounds are as follows:
•
If dynamic DHCP is used, establish more aggressive NAT translation entry timeouts for UDP ports
12222 and 12223. Set the translation timeout for these ports between 20 and 25 seconds. With
anything less than 20 seconds, there is a risk that the APs will lose association with the WLC. If set
too long, the stale entries may not timeout quick enough and the AP will continue to use the
undesired ports. See the following configuration example:
12222 and 12223. Set the translation timeout for these ports between 20 and 25 seconds. With
anything less than 20 seconds, there is a risk that the APs will lose association with the WLC. If set
too long, the stale entries may not timeout quick enough and the AP will continue to use the
undesired ports. See the following configuration example:
ip nat translation port-timeout udp 12222 20
ip nat translation port-timeout udp 12223 20
•
Create static DHCP reservations for each AP. If the AP undergoes sequential resets, it continues to
use the same IP, so PAT does not create secondary or tertiary source port bindings. This option is
practical only if DHCP is implemented locally at the remote/branch location.
use the same IP, so PAT does not create secondary or tertiary source port bindings. This option is
practical only if DHCP is implemented locally at the remote/branch location.
•
for IP configuration options. Again, if the AP undergoes sequential resets, it continues to use the
same IP, and PAT does not create secondary or tertiary source port bindings.
same IP, and PAT does not create secondary or tertiary source port bindings.
shows H-REAP with NAT/PAT.