Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
2519
Views
0
Helpful
7
Replies

Capwap - Vlans allowed on Capwap tunnels

Go to solution
michalis1234
Level 1
Level 1

ā€Ž07-12-2016 01:52 AM - edited ā€Ž07-05-2021 05:24 AM

Dear All,

I have a 3850 switch that is acting as a Mobility controller. I would like to limit the allowed Vlans that are propagated to the APs.

I am attaching  the "sh int trunk" from the cisco switch. Vlan 100 is the AP Management Vlan, 200 - 220 are the client Vlans for my users.

I am concerned about the security of my installation for example I have 3 Vlans (10, 20, 50) that I would like to be completely isolated from the

wireless lans - Vlans. How can I stop these 3 Vlans from propagating to the APs ?

Thank you in advance.

Labels:
Preview file
2 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rasika Nayanajith
VIP
VIP
In response to michalis1234

ā€Ž07-14-2016 01:24 PM

Ok, I got it.

I do not think there is a way to control this. These tunnels are automatically establish and no way to control via config (as far as I know)

HTH

Rasika

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Rasika Nayanajith
VIP
VIP

ā€Ž07-12-2016 02:02 PM

You have to configure all your AP connected switchport as Access Port & not trunk ports.

HTH

Rasika

*** Pls rate all useful responses ***

0 Helpful

Go to solution
michalis1234
Level 1
Level 1
In response to Rasika Nayanajith

ā€Ž07-13-2016 06:09 AM

Hi,

I have attached the configuration of the ports that are connected to my APs.

All of them are access ports on the AP Management vlan 100.

Isn't it very weird ?

Regards,

Preview file
3 KB
0 Helpful

Go to solution
Rasika Nayanajith
VIP
VIP
In response to michalis1234

ā€Ž07-13-2016 05:43 PM

Hi

Port        Vlans allowed and active in management domain
Ca0         1,10,20,50,100,200,210,220,300
Ca1         1,10,20,50,100,200,210,220,300
Ca2         1,10,20,50,100,200,210,220,300
Ca3         1,10,20,50,100,200,210,220,300
Ca4         1,10,20,50,100,200,210,220,300

Above are tunnel established (automatically) between your MA/MC switches (I believe you may have 5 switches). These are not indicating all those vlans are trunk to APs.

If you get "show interface capwap <interface_number>" you will see between what end point each tunnel interface map to.

HTH

Rasika

*** Pls rate all useful responses ***

0 Helpful

Go to solution
michalis1234
Level 1
Level 1
In response to Rasika Nayanajith

ā€Ž07-14-2016 02:25 AM

Hi Rasika,

No I have only one 3850 switch that acts as MC.

The sh int capwap command show that the tunnels are established between the svi (Management vlan: 192.168.100.1) of the 3850 and the APs.

regards,

0 Helpful

Go to solution
Rasika Nayanajith
VIP
VIP
In response to michalis1234

ā€Ž07-14-2016 01:24 PM

Ok, I got it.

I do not think there is a way to control this. These tunnels are automatically establish and no way to control via config (as far as I know)

HTH

Rasika

0 Helpful

Go to solution
michalis1234
Level 1
Level 1
In response to Rasika Nayanajith

ā€Ž07-15-2016 12:09 AM

Ok thanks, but what about security ?

If i would like to setup a dmz vlan on the same switch in order to isolate 2 servers from the wireless networks. I cannot using that single 3850 switch?

In this situation i have to use a second switch?

Thanks for your prompt replies!!!

0 Helpful

Go to solution
mohanak
Cisco Employee
Cisco Employee

ā€Ž07-12-2016 07:01 PM

If you are using AP in local mode then use AP port as access and put in native/management port.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card