Cisco 2000 Series Wireless LAN Controller Technical Manual

ID (MBSSID), the 1030 REAP can only support the first WLAN when connectivity with a controller is
interrupted. During a WAN link outage, every WLAN except the first is decommissioned. WLAN 1 should
therefore be treated as the primary WLAN, and its security policy planned accordingly.
Security on this first WLAN is particularly important because when the WAN link fails, so does backend
RADIUS authentication: that traffic traverses the LWAPP control plane to the central site. If WLAN 1 relies
on RADIUS, no users are granted wireless access for the duration of the outage.
It is recommended that a local authentication/encryption method, such as the pre-shared key mode of Wi-Fi
Protected Access (WPA-PSK), be used on this first WLAN. Wired Equivalent Privacy (WEP) also works locally,
but it is not recommended because of its known security weaknesses. When WPA-PSK (or WEP) is used, properly
configured clients can still reach local network resources even while the WAN link is down.
Note: All RADIUS-based security methods require authentication messages to be carried across the
LWAPP control plane back to the central site. Therefore, all RADIUS-based services are unavailable during
WAN outages. This includes, but is not limited to, RADIUS-based MAC authentication, 802.1X, and the
802.1X (enterprise) modes of WPA, WPA2, and 802.11i.
The 1030 REAP can reside only on a single subnet because it cannot perform 802.1Q VLAN tagging.
Traffic from every SSID therefore terminates on the same wired subnet: while wireless traffic may be
segmented over the air between SSIDs, user traffic is not separated on the wired side.
Security
The 1030 REAP can provide all Layer 2 security policies supported by Cisco's controller-based WLAN
architecture. This includes all Layer 2 authentication and encryption types, such as WEP, 802.1X, WPA,
WPA2, and 802.11i. As stated previously, most of these policies require WLC connectivity for backend
authentication. WEP and WPA-PSK are implemented entirely at the AP level and do not require backend
RADIUS authentication, so users can still connect even if the WAN link is down. The client exclusion list
feature of the Cisco WLC is supported on the 1030 LAP. MAC filtering functions on the 1030 only while
connectivity back to the controller is available.
Note: The REAP does not support WPA2-PSK when the AP is in standalone mode.
No Layer 3 security policies are available with the 1030 LAP. These include web authentication,
controller-based VPN termination, ACLs, and peer-to-peer blocking, because they are implemented at the
controller. VPN pass-through does operate for clients that connect to external VPN concentrators; however,
the controller feature that permits only traffic destined for a specified VPN concentrator (VPN pass-through
only) does not.
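The WAN-outage rules above (only WLAN 1 survives; WEP and WPA-PSK work locally; WPA2-PSK, 802.1X and RADIUS-based MAC filtering do not; Layer 3 policies are never applied by a 1030) are easy to get wrong when planning a branch configuration. The following is an added example, not Cisco code, that models those rules and applies them to a constructed set of WLANs; the policy vocabulary (`wpa-psk`, `wpa2-802.1x`, `web-auth`, and so on) and the sample WLANs are assumptions made for illustration.

```python
"""Added example (not Cisco's code): check which WLANs on a 1030 REAP remain
usable when the WAN link to the controller is down, using the rules on this
page. Policy names and the sample configuration are constructed assumptions."""

# Layer 2 policies the 1030 implements locally; they survive a WAN outage on WLAN 1.
LOCAL_L2 = {"none", "wep", "wpa-psk"}
# Layer 2 policies whose authentication rides the LWAPP control plane to RADIUS.
RADIUS_L2 = {"802.1x", "wpa-802.1x", "wpa2-802.1x"}
# Layer 3 policies that live on the controller and are never applied by a 1030.
CONTROLLER_L3 = {"web-auth", "vpn-termination", "acl", "p2p-blocking", "vpn-passthrough-only"}


def assess_wlan(wlan_id, wlan, wan_up):
    """Return (clients_can_connect, notes) for one WLAN.

    wlan_id is the 1-based WLAN ID on the controller. wlan is a dict with key
    'l2' (policy name) and optional keys 'l3' (iterable of policy names) and
    'mac_filter' (bool). wan_up says whether the LWAPP path to the WLC is up.
    """
    notes = []
    l2 = wlan.get("l2", "none")
    if l2 not in LOCAL_L2 | RADIUS_L2 | {"wpa2-psk"}:
        raise ValueError(f"unknown L2 policy {l2!r}")

    # L3 policies are controller-side; they are missing whether or not the WAN is up.
    bad_l3 = set(wlan.get("l3", ())) & CONTROLLER_L3
    if bad_l3:
        notes.append("L3 policy not available on the 1030: " + ", ".join(sorted(bad_l3)))
    if l2 == "wep":
        notes.append("WEP works without the controller but is not recommended")

    if wan_up:
        return True, notes

    # Standalone mode: only the first WLAN stays up.
    if wlan_id != 1:
        notes.append("decommissioned: only WLAN 1 is kept during a WAN outage")
        return False, notes
    if l2 == "wpa2-psk":
        notes.append("WPA2-PSK is not supported in standalone mode")
        return False, notes
    if l2 in RADIUS_L2:
        notes.append(f"{l2} needs RADIUS over the LWAPP control plane; no client is admitted")
        return False, notes
    if wlan.get("mac_filter"):
        notes.append("RADIUS-based MAC filtering is unavailable without the controller")
        return False, notes
    return True, notes


def assess_config(wlans, wan_up):
    """Apply assess_wlan to a {wlan_id: wlan} mapping; returns {wlan_id: (ok, notes)}."""
    return {wid: assess_wlan(wid, w, wan_up) for wid, w in sorted(wlans.items())}


# Constructed sample configuration for a branch office (assumption, not from the page).
SAMPLE_WLANS = {
    1: {"ssid": "branch-local", "l2": "wpa-psk"},
    2: {"ssid": "corp", "l2": "wpa2-802.1x"},
    3: {"ssid": "guest", "l2": "none", "l3": ["web-auth"]},
}

if __name__ == "__main__":
    for state in (True, False):
        print("WAN up" if state else "WAN down")
        for wid, (ok, notes) in assess_config(SAMPLE_WLANS, state).items():
            ssid = SAMPLE_WLANS[wid]["ssid"]
            print(f"  WLAN {wid} {ssid:13} connect={ok} {'; '.join(notes)}")
```

Running it with the sample shows the planning point of this section: with the WAN down, only the WPA-PSK WLAN in slot 1 admits clients, and swapping the corporate 802.1X WLAN into slot 1 would leave the branch with no usable WLAN at all.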
Network Address Translation (NAT)
WLCs to which REAPs connect cannot reside behind NAT boundaries. REAPs at remote sites, however, can
sit behind a NAT device, provided the ports used for LWAPP (UDP ports 12222 and 12223) are forwarded to the
1030s. This means that each REAP must have a static address so that port forwarding works reliably, and
that only a single AP can reside behind each NAT instance: only one forwarding of the LWAPP ports can
exist per NAT IP address, so only one LAP can work behind each NAT service at a remote site. One-to-one
NAT can support multiple REAPs because the LWAPP ports can be forwarded from each external IP address to
its own internal (static REAP) IP address.
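To make the constraint concrete, here is an added example (not Cisco's code) that generates iptables rules forwarding both LWAPP UDP ports from a public address to a REAP's static private address, and refuses a layout in which two REAPs would share one forwarded public address. The use of iptables on a Linux NAT box, the `eth0` WAN interface, the outbound SNAT rule that makes each REAP consistently appear from its own public address, and all addresses below are assumptions for illustration.

```python
"""Added example (not Cisco's code): plan NAT port forwarding for 1030 REAPs
behind a Linux/iptables NAT device at a remote site. Addresses, the WAN
interface name and the rule layout are constructed assumptions."""

# LWAPP UDP ports named on this page; both must reach the REAP.
LWAPP_PORTS = (12222, 12223)


def lwapp_forwarding_rules(assignments, wan_if="eth0"):
    """Build iptables commands for a list of (public_ip, reap_static_ip) pairs.

    For each REAP: DNAT both LWAPP ports from its public address to the REAP,
    ACCEPT the forwarded packets, and SNAT the REAP's outbound traffic to the
    same public address so the controller always sees one consistent peer.
    A public address can forward the LWAPP ports to only one internal host,
    so a second REAP behind the same address raises ValueError. One-to-one
    NAT is simply the case of one distinct public address per REAP.
    """
    used_public = set()
    used_private = set()
    rules = []
    for public_ip, reap_ip in assignments:
        if public_ip in used_public:
            raise ValueError(
                f"{public_ip} already forwards LWAPP to another REAP; "
                "use one-to-one NAT with a distinct public address per REAP"
            )
        if reap_ip in used_private:
            raise ValueError(f"duplicate REAP address {reap_ip}")
        used_public.add(public_ip)
        used_private.add(reap_ip)

        for port in LWAPP_PORTS:
            rules.append(
                f"iptables -t nat -A PREROUTING -i {wan_if} -d {public_ip} "
                f"-p udp --dport {port} -j DNAT --to-destination {reap_ip}:{port}"
            )
            rules.append(
                f"iptables -A FORWARD -i {wan_if} -d {reap_ip} -p udp --dport {port} -j ACCEPT"
            )
        # Outbound: this REAP leaves the site from its own public address.
        rules.append(
            f"iptables -t nat -A POSTROUTING -o {wan_if} -s {reap_ip} -j SNAT --to-source {public_ip}"
        )
    return rules


def max_reaps_behind(public_ips):
    """How many REAPs a site can host: one per distinct public address."""
    return len(set(public_ips))


# Constructed sample: a site with two public addresses and two REAPs (one-to-one NAT).
SAMPLE_SITE = [("203.0.113.10", "192.168.10.5"), ("203.0.113.11", "192.168.10.6")]

if __name__ == "__main__":
    for rule in lwapp_forwarding_rules(SAMPLE_SITE):
        print(rule)
    try:
        # Two REAPs behind a single PAT address: not possible, per this page.
        lwapp_forwarding_rules([("203.0.113.10", "192.168.10.5"), ("203.0.113.10", "192.168.10.6")])
    except ValueError as err:
        print("rejected:", err)
```

The generated rules are only the NAT side of the job; the REAPs still need static addresses on the 192.168.10.0/24 segment, and IP forwarding must be enabled on the NAT box. If the site has a single public address, `max_reaps_behind` returns 1, which is the limit the text describes.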
Quality of Service (QoS)
Packet prioritization based on 802.1p precedence bits is not available because the REAP cannot perform
802.1Q tagging. This means that Wi-Fi Multimedia (WMM) and 802.11e are not supported. Packet