Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1728
Views
0
Helpful
4
Replies

Catalyst 9800 - Anchor WLC - How to prevent AP from joining Anchor WLC

Go to solution
Martin Jelinek
Level 1
Level 1

‎06-22-2021 01:26 AM - edited ‎07-02-2021 09:35 PM

Hi all,

 

Is there any general recommendation how to prevent AP joining/associating with Anchor WLC?

I though about WMI, however WMI is used for management traffic as well (AAA, syslog, SNMP,...) and not only for WLC-AP communication.

 

But is there a command for 9800 WLC which simply refuse AP if any will try to join/associate?

I'm running IOS-XE 17.3.3.

 

Thank you for any hint.

Martin

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Martin Jelinek

‎06-23-2021 12:45 AM

Well typically you would have the anchor in the dmz and not allow udp 5246/5247. You can also enable ap policy for mac authentication and make sure you have zero ap license.
-Scott
*** Please rate helpful posts ***

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Leo Laohoo
Hall of Fame
Hall of Fame

‎06-22-2021 01:35 AM

DHCP Option 43

0 Helpful

Go to solution
Martin Jelinek
Level 1
Level 1
In response to Leo Laohoo

‎06-23-2021 12:02 AM

Hi Leo

this won't help you if an AP already knows "somehow" an IP of the Anchor WLC since it is being kept in the AP memory. So if AP has a problem with one WLC it will give a try to known controllers in the memory and if in memory is Anchor IP it will give a try...

 

In case of standardized environment it might be an option, but in case of widely spread environment with more controllers and administrators, it's a bit challenging.

 

Thanks

 

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to Martin Jelinek

‎06-23-2021 12:45 AM

Well typically you would have the anchor in the dmz and not allow udp 5246/5247. You can also enable ap policy for mac authentication and make sure you have zero ap license.
-Scott
*** Please rate helpful posts ***
0 Helpful

Go to solution
Martin Jelinek
Level 1
Level 1
In response to Scott Fella

‎06-24-2021 01:59 AM

Yes, that we have in DMZ, so of course firewall ACL is an option, it is just still AP will give a try to associate even though FW will block/drop such connection. And apart of AP policy based on MAC address, most likely there is no other way around.

 

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card