* OEAP with Multiple Remote LANs

Tags

Normally Cisco Office Extend AP (OEAP600) allow user to extend their office network into any public place (like home, event venue, etc) without much trouble.This AP has 4 ports (excluding WAN port) where one (Yellow port) of them labeled as Remote-LAN that can be used to extend one of your wired LAN.

In my office environment below is the typical use-case for OEAP solution.

One type of users are normal staff user where they require corporate WLAN to be extended to their home. In certain cases (VIP) extending a wired LAN for their VoIP phone & if required wired PC connect to it. This is pretty much out of the box OEAP can do.

In the next user group is students who are given accommodation in small units scatter around the state. Mainly those are in regional areas & DSL would be the preferred solution for internet. Other than typical office extend user requirement this bring additional requirement. Our Security group required extend their Door Access systems wired VLAN to these remote units.

That’s where you require to configure Multiple Remote LANs in OEAP. Will look at how we can do this in this post. Keep in mind screenshot below is based on WLC 7.4 software code (you may look this differently based on the WLC software code).

First you have to create dynamic interfaces on WLC related to the wired subnet you need to extend. I have shown one of my interface created for security Door Access system. In here I have not selected DHCP option as IP allocated statically. But in the voice subnet I have tick that option (not shown a screenshot for that)

Once you create the interfaces you can define the required WLAN (as Remote LAN type) in order to extend wired LAN( see below for steps)

Here is the tricky part. You have to enable “Dual RLAN ports feature” using WLC CLI. In OEAP-600 series APs using the Dual RLAN Ports feature, which allows OEAP-600 Ethernet port 3 to operate as a remote LAN. The configuration is only allowed through the CLI, and here is an example:

config network oeap-600 dual-rlan-ports enable|disable

In the event that this feature is not configured, the single port 4 remote-lan continues to function. Each port uses a unique remote-lan for each port. The remote-lan mapping is different, which depends on whether the default-group or AP Groups is used.

Default-group

If the default-group is used, a single remote LAN with an even remote-lan ID is mapped to port 4. For instance, the remote-lan with remote-lan-id 2 is mapped to port 4 (on the OEAP-600). The remote-lan with an odd numbered remote-lan ID is mapped to port 3 (on the OEAP-600).

As an example, take these two remote-lans:

(Cisco Controller) >show remote-lan summary

Number of Remote LANS............................ 2

RLAN ID  RLAN Profile Name    Status    Interface Name
-------  -------------------------------------  --------  --------------------
2        rlan2                                  Enabled   management
3        rlan3                                  Enabled   management

rlan2 has an even numbered remote-lan ID, 2, and as such maps to port 4. rlan3 has odd remote-lan ID 3, and so maps to port 3.

AP Groups

If you use an AP group, the mapping to the OEAP-600 ports is determined by the AP-Group ordering. In order to use an AP group, you must first delete all remote-lans and WLANs from the AP-group and leave it empty. Then add the two remote-lans to the AP group. First add the port 3 AP remote-LAN first, then add port 4 remote group, and finally add any WLANs. Here is my AP Group for this OEAP.

A remote-lan in the first position in the list maps to port 3, and second in the list maps to port 4, as in this example:

(BUN-PW00-WC01) >show remote-lan summary 
Number of Remote LANS............................ 2

RLAN ID  RLAN Profile Name                      Status    Interface Name
-------  -------------------------------------  --------  --------------------  
8        SEC-CARDAX                             Enabled   bun-sci-sec-cardax    
9        bun-sci-voice                          Enabled   bun-sci-voice

You can verify the details by using “show remote-lan <rlan-id>” command. Here is output in my case.

(BUN-PW00-WC01) >show remote-lan 8
Remote LAN Identifier............................ 8
Profile Name..................................... SEC-CARDAX
Status........................................... Enabled
MAC Filtering.................................... Disabled
AAA Policy Override.............................. Disabled
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... BUN-PW00-WC01
Webauth DHCP exclusion........................... Disabled
Interface........................................ bun-sci-sec-cardax
Remote LAN ACL................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
PMIPv6 Mobility Type............................. none
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
   802.1X........................................ Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. LTU-AVC-POLICY
Flow Monitor Name................................ Scrutinizer
802.11u........................................ Disabled
MSAP Services.................................. Disabled

(BUN-PW00-WC01) >show remote-lan 9
Remote LAN Identifier............................ 9
Profile Name..................................... bun-sci-voice
Status........................................... Enabled
MAC Filtering.................................... Disabled
AAA Policy Override.............................. Disabled
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 0
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 86400 seconds
User Idle Timeout................................ 300 seconds
User Idle Threshold.............................. 0 Bytes
NAS-identifier................................... BUN-PW00-WC01
Webauth DHCP exclusion........................... Disabled
Interface........................................ bun-sci-voice
Remote LAN ACL................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Enabled
PMIPv6 Mobility Type............................. none
Radius Servers
   Authentication................................ Global Servers
   Accounting.................................... Global Servers
      Interim Update............................. Disabled
   Dynamic Interface............................. Disabled
   Dynamic Interface Priority.................... wlan
Local EAP Authentication......................... Disabled
Security
   802.1X........................................ Disabled
   Web Based Authentication...................... Disabled
   Web-Passthrough............................... Disabled
AVC Visibilty.................................... Enabled
AVC Profile Name................................. LTU-AVC-POLICY
Flow Monitor Name................................ Scrutinizer
802.11u........................................ Disabled
MSAP Services.................................. Disabled

Finally you can verify this connecting to Port3 & Port 4 of your OEAP. Once you conneted to Port3, Which maps to first remote-lan you added to your AP Group (in my case SEC-CARDAX) get connectivity on that. I have used static IP as I do not want DHCP on this.

Once you connect to Port4 which maps to “bun-sci-voice” DHCP subnet I should get an IP via DHCP & should get the connectivity to rest of the network.

That’s how you can create multiple Remote LAN on your OEAP. You can go through this configuration guide for more detail.

Aironet 600 Series OfficeExtend Access Point Configuration Guide

Also following post may help you as well

OEAP 602 Remote LAN 802.1x (Port 4) with Wired IP Phone and Laptop behind the IP Phone

1. Office Extend – Overview
2. Configuring OEAP
3. How does OEAP work ?
4. H-REAP Modes of Operation
5. H-REAP with RADIUS

8 thoughts on “* OEAP with Multiple Remote LANs”

tazsolo said:

May 23, 2013 at 12:08 am

Very good post. Cheers

- nayarasi said:
  
  May 23, 2013 at 6:08 am
  
  thanks
  
Zukjeff said:

April 14, 2014 at 2:39 pm

Thanx Rasika , I have just the job for the 2nd Vlan.

- nayarasi said:
  
  April 15, 2014 at 7:09 am
  
  Thanks for feedback…
  
justlearningoeaps said:

May 9, 2014 at 7:49 am

Great doc! I am connecting my OEAPs to a foreign controller. That said, how do I connect my OEAP rlan to the foreign controller?

hurj said:

May 19, 2015 at 12:46 am

Is it possible to use unique dual-rlan ports for 2 different AP groups? Or is this limited to just the 2 in either the default group or a single AP group. Your examples just show 2 rlans. I’d like to have 2 rlans for a single AP group and 2 additional different rlans for a second AP group (still using port 4 and port 3 on the OEAP602).

- nayarasi said:
  
  May 19, 2015 at 5:45 am
  
  Single AP cannot be part of two AP groups.
  
  HTH
  Rasika
  
ron wilkerson said:

March 10, 2017 at 12:26 am

does this mean you can get 8 wired hosts, 4 per remote lan?