Showing results for 
Search instead for 
Did you mean: 

Cisco WLAN configuration


Hi Guys,

I am working on a big scale WLAN configured with WISM.

what I am puzzled with is how capwap works alongside DHCP.

They have over 400 APs and only 10 SSIDs. My understanding is all data is sent back to the controller using the capwap tunnel un encrypted so the APs are connected to an access port switch within their respective capwap vlan .

my question is if I have an SSID that is called CAR and have 10 campus using thet SSID of CAR and the SSID is associated with interface CAR-Camp1, how does Camp 2 to 10 get their IP?

all APs in camp2 to 10 have SSID CAR enabled on them yet if you look under SSID CAR only interface CAR-Camp1 is associated.

so my question is how does Camp2 to 10 work to obtain the right ip address on an SSID that is associated with CAR-Camp1?

does capwap tunnels all dhcp etc requests to the contlroller?

I really really appreciate your help

12 Replies 12

Bob Bagheri

Hi, the CAPWAP tunnel is encrypted to the WISM and from there the traffic based on the SSID<>VLAN association leaves the controller and on to its destination.

In regard to your client's DHCP, I would assume each campus has the same VLAN for the desired SSID and most likely you have layer 3 to the access layer.  If so, then you would treat the VLAN for wireless clients like a wired client.  Each wireless VLAN in the campus would have a DHCP scope served via your DHCP server or the access switch itself.

If you have an all layer 2 network then you need to have a flat VLAN for the SSID and once again provide DHCP the same way you do with a wired client.

As for your AP's, well they should have their own VLAN if not they can use the same VLAN for mobile devices, just make sure you exclude the addresses in your DHCP database.

Lastly, the internal DHCP server of the WLC can be utilized however, that is not recommended for large scale networks.


ok two questions here:

let's assume as you said there is one VLAN for one SSID with 10 subnets across 10 campuses.

That VLAN id is 10 for our example

assuming I have a central DHCP server then how does that server know what 10.0.x.0/24 to assign ?

if campus 1 and campus 2 use ip helper to forward dhcp , when the dhcp server gets the request, how does it know what subnet to associate to that vlan 10?

I can't remember how IP helper worked, does it include the VLAn in the packet it sends so that the DHCP server knows what scope to use?

I think VLAN could not be included and it was only the Gateway address of the interface forwading the packet included hence the router server will be forwarding the packet with its own IP in giaddr and DHCP server know what range to use for it

question 2:

In my case we have vlan 10-20 assigned to each campus and this is what I don't understand as we no longer have 1 VLAN for 10 subnets for 1 SSID

We have 10 Vlans/10 Subnets but 1 SSID associated to 1 interface which is then associated to one VLAN.

I have just checked this once again on the controller before posting back .

how do you think that is possible?

Q1: The same way the wired DHCP scope works with your IP helper address. It knows from the source of the DHCP request.

Q2: Your WLC/ WiSM should be using a trunk port to handle multiple VLAN's assigned to SSID(s).

You have to mix both wireless and route/switch knowledge together and follow the packet. Don't mix the traffic leaving the controller after CAPWAP decryption with the client device obtaining an IP address on the WLAN.

There are lots of good articles on DHCP and tricks with VLAN's in the WLC configuration guide.


ok I am looking at articles and hence why I posted the question.

I still don't understand how it works as per my second question earlier.

any further explanation or link to articles is highly appreciated

If you are designing it from scratch, stick to one SSID<>VLAN and different /24 subnets.

However, in your case, you can use VLAN pooling.  Sorry, I didn't catch that clearly.

Here is a great link:

This guy wrote some great blogs on his path to his CCIE-W:


I have read all this and it makes sense

Can I confirm the following:

AP on CAPWAP VLAN 100 connecting to controller.

When a client on that IP requests IP, is the request encapsulated in capwap all the way to the controller and then controller deals with is ( either in proxy or bridged mode?)

If yes does this mean ip helper is not needed on the capwap vlan if the lightweight AP have a static ip and ip helper should be set on the interfaces within the controller ?

If I understand your question correctly, I believe you will need a helper address at the L3 egress point of the L2 broadcast domain for your mobile clients, therefore, again it depends on the underlying architecture.

Aside from the static IP assigned to an AP, your client still needs his DHCP request before connecting.  I don't believe that traffic is in the CAPWAP tunnel.  Once  you have established full connectivity and fully authenticated, then your traffic traverses the capwap tunnel already established by your AP to the controller.


For local mode APs, all traffic is tunneled via CAPWAP back to the controller.  At that point, the SSID (and AP group, if applicable) that the client is connected to is used to determine which VLAN the client is mapped to.  If using DHCP Proxy on the WLC (the default), then the WLC will forward the DHCP request with the client's VLAN as the giaddr in the request.  If using DHCP passthrough, then the ip helper on the client VLANs SVI will be used to pass the DHCP request.

If the APs have static IP addresses, then you don't need an IP helper on that SVI.

many thanks so in a way the ip helper address on the local switch connecting to the AP is not needed

it will use the dynamic interface dhcp servers ?

many thanks will read through it

one point though, even if it was one VLAN per SSID with multiple subnets I still see the followin problems

AP1 in Campus 1 connects on a seperate Vlan of 100 with ip of which is used for the capwap

now SSID car on that AP which is in VLAN 10 tries to obtain IP, when IP helper on svi 100 with ip of forwards the ip helper, it will include its IP in the packet

when DHCP server gets it , it will look to assign an IP from range of rather than . am I missing somehting here?

This gets worse when you add the second SSID as again same scenario the AP will assign IP from the range used for CAPwap

sorry my brain is fried at this time and just want to have an answer and go to bed

I can then read as much as I need tomorrow to understand it:)


thanks for your reply

As said above lets imagine I have a SSID named CAR

the issue I have is depending on what Campus I am in I get a different IP for that same SSID that is associated with Camp1 interface on the wlan controller.

they have setup camp1 to 10 with different subnets on the wlan controller.

Camp 1



Camp 10

Imaging you have 1000 users to serve on different campuses in our case campus 1 to 10, so having a large class b or subneted /22 would be a big broadcast domain so what they have done is have many small /24( so 10 subnets in 10 campus) but I am puzzled as to how this is working and can't figure it out

they use ACS server so I don't know if that server is changing the vlan for CAR when the get authenticated.

if I am in campus 1 and connect to SSID CAR, I can see that I am getting an ip address of but when in campus 3 for the same SSID I get an ip address of

furthermore if I check the client tab to see all clients connected, the controller believes I am connected to interface from Camp3

as said CAR ssid is associated with camp 1 when you look at the configuration.

It sounds like it is working like it should.  You use the same SSID with the same VLAN number and each campus has a different Layer 3 subnet, classic L3 at the Access  Layer design.  There is no need to change the SSID.

There are ways of dynamically changing SSID based on credentials typically deployed via ISE and possibly ACS.

Again, to recap, you can use the same SSID throughout the campus for a set of users, for example students or faculty.  Each SSID is associated to the same VLAN number throughout the campus, however, each campus or floor would have its own /24 subnet.



Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: