As we discussed in the “OEAP Overview” post, from CCIE lab perspective this feature is enabled on normal LWAP by converting it on to OEAP (No 600 series OEAP HW in CCIE Lab). In this post we will see how to configure this feature on WLCs.

Prior to convert LWAP into OEAP, you need to connect AP into the network in local mode & get it register to a WLC. Once registered you can select this LWAP in controller GUI & change its mode to “Flex Connect” (I am using 7.4 WLC code). This “Flexconnect” is known as “HREAP-Hybrid Remote Edge Access Point” feature in the earlier releases of WLC software.


In order to this AP always goes to specific WLC (normally who has a publicly reachable IP address or WLC’s management IP address NAT to public IP) you can configure WLC name & IP address in “High Availability” tab.Convert-OEAP-02

Once you apply above, AP will reboot & join the controller in “Flex Connect” mode. Once AP register back to controller, you can see “Flex Connect” tab & you can enable “Office Extend” feature via that tab.Convert-OEAP-04

Once you tick “Enable OfficeExtend AP” tickbox it will promt “Do you want to enable encryption ?” & ” Do you want to disable Rouge Detection?”. You need to click “OK” to both of these as best practices.  But in CCIE lab studies perspective, it is good idea to “Cancel” encryption so you can analysis real traffic going through an OEAP by taking wireshark capture. If encryption enable, all traffic will be DTLS (Datagram Transport Layer Security) encrypted & cannot be decoded to analysis.

If your WLC does not have a publicly reachable IP then you need to have NAT IP where controller management IP is reachable. In that case you need to enable NAT on WLC management interface & map NAT IP on to it. Below is the screenshot of how to enable that(You need to type NAT public IP address here).Convert-OEAP-06

Now your OEAP is ready for its operation. Once you connect it behind your home ADSL then you will get your corporate SSIDs. How do you control which SSIDs or WLANs to push to OEAP ? By default 3 WLANs (WLAN ID number less than 8) will be advertised to OEAP. By creating an AP group (WLAN -> Advanced -> AP Groups) you can control this. Below screenshot shows two WLANs added to such AP group and  which APs are getting these.

When configuring this, another best practice is to control AP’s MAC address who can join this WLC. You can do this “Security -> AAA -> MAC Filtering” section of WLC’s GUI by simply adding OEAP’s MAC address (Ethernet & not Radio).

Now if you want to create locally significant SSID or WLAN for home users, you can simply do this by accessing OEAP’s GUI. Default username & password would be cisco/Cisco (In OEAP 600 series it is admin/admin inline with all other cisco’s home grade devices such as linksys DSL routers,etc). Once you access you will see a page like this. Note that I have used 7.4 WLC code, but in CCIE lab exam you would see little bit differently as it runs on WLC software

Next step is to create local SSID for non-corporate users to use this AP. You need to find the IP assign to this OEAP from your DSL router DHCP range & browse that IP in order to configure the local SSID. You have to use default username “cisco” & password “Cisco” to access this page(In OEAP 600, this would be admin/admin). By click “Configuration” tab you will allow to create your own SSID. This SSID traffic won’t be going through DTLS tunnel back to your corporate, it will simply go to internet via your normal DSL router to internet. Below screen shows local SSID configuration parameters( you need to simply select name of the SSID ,security method & password).Convert-OEAP-08

By enabling “Link Latency” feature in “Advanced” tab of the selected OEAP, you can monitor the CAPWAP response time between OEAP & WLC. For services like voice it is important to have response times within 150ms in order to have good quality user experience for such service. You can enable telnet/ssh to OEAP using this “Advanced” tab by tick those check boxes.Convert-OEAP-09

You can configure OEAP using controller’s CLI as well. Keep in mind to replace “flexconnect” keyword with “hreap” when you are working with earlier releases of WLC. (In CCIE lab exam it would be on 7.0.116)
# To enable flextconnect mode on the AP #
config ap mode flexconnect Cisco_AP
# Configure one or more controllerss for the OEAP to join #
config ap primary-base controller_name Cisco_AP controller_ip_address
config ap secondary-base controller_name Cisco_AP controller_ip_address
config ap tertiary-base controller_name Cisco_AP controller_ip_address
# To enable Office Extend mode #
config flexconnect office-extend {enable|disable}
# To clear AP config to factory default or delete only personal SSID#
clear ap config Cisco_AP
Clear flexconnect office-extend clear-personalssid-config Cisco_AP
# Enable or Disable advanced features #
config rogue detection {enable|disable}
config ap link-encryption {enable|disable}
config ap {telnet|ssh} {enable|disable}
config ap link-latency {enable|disable}
# To enable OEAP to choose WLC with least latency #
config flexconnect join min-latency {enable|disable} Cisco_AP
# Configure credential for user to create local SSID #
config ap mgmtuser add username user password password enablesecret enable_password Cisco_AP
# To Save Config #
save config

You can verify OEAP for its operation by using following CLI commands

(BUN-PW00-WC01) >show flexconnect office-extend summary 
Summary of OfficeExtend AP 
AP Name              Ethernet MAC     Encryption  Join-Mode   Join-Time  
------------------ -----------------  ----------  ----------- ---------- 
OE-AP003-GARETH    c4:7d:4f:ac:e4:4e  Enabled    Standard    Fri Jan 11 00:04:29 2013

OE-AP002-HARI      c4:7d:4f:ac:e5:4a  Enabled    Standard    Sat Jan 12 22:20:41 2013

OE-AP005-RASIKA    00:26:0b:63:ca:f4  Enabled    Standard    Mon Jan 14 05:55:09 2013

OE-AP011-TANNIA    00:19:aa:ba:76:82  Enabled    Standard    Tue Jan 15 04:45:08 2013

(BUN-PW00-WC01) >show flexconnect office-extend latency 
Summary of OfficeExtend AP link latency
AP Name              Status  Current   Maximum   Minimum 
OE-AP003-GARETH    Enabled    10 ms    553 ms     32 ms 
OE-AP002-HARI      Enabled    11 ms    130 ms     10 ms 
OE-AP005-RASIKA    Enabled     2 ms    692 ms      0 ms 
OE-AP011-TANNIA    Enabled     1 ms     65 ms      0 ms 

(BUN-PW00-WC01) >show ap link-encryption all

             Encryption  Dnstream  Upstream    Last
AP Name           State     Count     Count  Update
------------------  ---  --------  --------  ------
OE-AP003-GARETH       En   221859    182889    4:55
OE-AP002-HARI         En  1498125   1200851    4:55
OE-AP005-RASIKA       En    97572   1066321    4:54
OE-AP011-TANNIA       En     5059      3911    4:54

(BUN-PW00-WC01) >show ap data-plane all

                       Min Data          Data          Max Data     Last
AP Name               Round Trip      Round Trip      Round Trip    Update
------------------  --------------  --------------  --------------  ------
OE-AP003-GARETH            0.030s          0.040s       0.249s     04:55:11
OE-AP002-HARI              0.009s          0.024s       0.067s     04:55:45
OE-AP005-RASIKA            0.009s          0.010s       0.215s     04:54:45
OE-AP011-TANNIA            0.009s          0.010s       0.010s     04:57:08

Related Posts

1. Office Extend – Overview
2. How does OEAP work ?
3. H-REAP Modes of Operation
5. OEAP with Multiple Remote LANs