2520 Views | 0 Helpful | 7 Replies

Capwap - Vlans allowed on Capwap tunnels

michalis1234
Level 1

Dear All,

I have a 3850 switch that is acting as a Mobility Controller. I would like to limit the allowed VLANs that are propagated to the APs.

I am attaching the "sh int trunk" from the Cisco switch. VLAN 100 is the AP management VLAN; 200 - 220 are the client VLANs for my users.

I am concerned about the security of my installation. For example, I have 3 VLANs (10, 20, 50) that I would like to be completely isolated from the wireless LANs/VLANs. How can I stop these 3 VLANs from propagating to the APs?

Thank you in advance.


7 Replies

You have to configure all your AP-connected switchports as access ports, not trunk ports.

HTH

Rasika

*** Pls rate all useful responses ***

Hi,

I have attached the configuration of the ports that are connected to my APs.

All of them are access ports on the AP management VLAN 100.

Isn't it very weird?

Regards,

Hi

Port        Vlans allowed and active in management domain
Ca0         1,10,20,50,100,200,210,220,300
Ca1         1,10,20,50,100,200,210,220,300
Ca2         1,10,20,50,100,200,210,220,300
Ca3         1,10,20,50,100,200,210,220,300
Ca4         1,10,20,50,100,200,210,220,300

Above are tunnels established (automatically) between your MA/MC switches (I believe you may have 5 switches). These are not indicating that all those VLANs are trunked to the APs.

If you run "show interface capwap <interface_number>" you will see which endpoints each tunnel interface maps to.

HTH

Rasika

*** Pls rate all useful responses ***
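The two "show" outputs discussed above are the evidence an auditor works from, so here is a small added Python check (not code from the thread or from Cisco) that parses the "Vlans allowed and active" table quoted above and lists, per CAPWAP tunnel interface, every VLAN that is not in the set the administrator intends to reach the wireless side. The sample table is the one posted in the thread, and the intended set (100 for AP management, 200-220 for clients) is taken from the original question; both are assumptions of this example, as is the "Ca<n>" interface naming the regex relies on. As Rasika notes, a VLAN appearing in this list does not by itself mean it is bridged to the APs, so the output is a list of VLANs to verify against WLAN-to-VLAN mappings, not a list of confirmed leaks.

```python
"""Audit which VLANs are listed as active on CAPWAP tunnel interfaces.

Added example for this thread: parse the 'show interfaces trunk' style
table, expand Cisco VLAN ranges such as '200-220', and report VLANs that
fall outside the administrator's intended wireless VLAN set.
"""
import re

# Constructed sample: the "Vlans allowed and active in management domain"
# table as posted in the thread (only the first two tunnels are needed here).
SAMPLE_OUTPUT = """\
Port        Vlans allowed and active in management domain
Ca0         1,10,20,50,100,200,210,220,300
Ca1         1,10,20,50,100,200,210,220,300
"""

# Assumption from the original question: VLAN 100 is AP management and
# VLANs 200-220 are the wireless client VLANs. Everything else is suspect.
INTENDED_WIRELESS_VLANS = {100} | set(range(200, 221))

# Matches a CAPWAP tunnel row: interface name, then the VLAN list.
CAPWAP_ROW = re.compile(r"^(Ca\d+)\s+([\d,\-]+)\s*$")


def parse_vlan_list(text: str) -> set[int]:
    """Expand a Cisco VLAN list ('1,10,200-220') into a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in text.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_capwap_table(output: str) -> dict[str, set[int]]:
    """Return {tunnel interface: set of active VLANs} from the show output."""
    tunnels: dict[str, set[int]] = {}
    for line in output.splitlines():
        match = CAPWAP_ROW.match(line.strip())
        if match:
            tunnels[match.group(1)] = parse_vlan_list(match.group(2))
    return tunnels


def unexpected_vlans(tunnels: dict[str, set[int]],
                     intended: set[int]) -> dict[str, set[int]]:
    """Per tunnel, the VLANs that are active but not in the intended set."""
    return {name: vlans - intended
            for name, vlans in tunnels.items()
            if vlans - intended}


def audit(output: str, intended: set[int] = INTENDED_WIRELESS_VLANS) -> dict[str, set[int]]:
    """Parse the table and return the unexpected VLANs per CAPWAP tunnel."""
    return unexpected_vlans(parse_capwap_table(output), intended)


if __name__ == "__main__":
    for tunnel, vlans in sorted(audit(SAMPLE_OUTPUT).items()):
        print(f"{tunnel}: verify WLAN mappings for VLANs {sorted(vlans)}")
```

For the thread's own table this flags VLANs 1, 10, 20, 50 and 300 on every tunnel, which is exactly the set (including the three VLANs the question is worried about) whose WLAN-to-VLAN mapping should be confirmed on the MC.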

Hi Rasika,

No I have only one 3850 switch that acts as MC.

The "sh int capwap" command shows that the tunnels are established between the SVI (management VLAN: 192.168.100.1) of the 3850 and the APs.

regards,

Ok, I got it.

I do not think there is a way to control this. These tunnels are automatically established and there is no way to control them via config (as far as I know).

HTH

Rasika

Ok thanks, but what about security?

If I would like to set up a DMZ VLAN on the same switch in order to isolate 2 servers from the wireless networks, I cannot do that using that single 3850 switch?

In this situation I have to use a second switch?

Thanks for your prompt replies!!!

mohanak
Cisco Employee

If you are using the AP in local mode, then configure the AP port as an access port and put it in the native/management VLAN.
