Cisco WLC, any way to turn off CAPWAP / LWAP AP Layer 2 Join Responses

sww
Level 1

Hi,

I have a small dilemma at one of my customer's sites.

They have a Cisco vWLC 5508 appliance in VMware. This is all working fine. This system can only run FlexConnect mode, so I am currently breaking out the SSIDs / VLANs at the edge switching that the APs connect to.

There is now a need to use both the CAPWAP control and data tunnels over an IPsec VPN to be able to have multiple SSIDs at these remote sites.

Now I decided that the easiest way for this is to use a spare WLC 2504 controller for this small number of APs scattered over these WAN sites.

Thinking harder about this, effectively I could have two WLCs (the VMware vWLC 5508 and the small 2504) sitting on the same subnet. I now worry that the APs that connect to the vWLC 5508 may end up attempting to join the 2504 if the APs can do a Layer 2 broadcast, and end up joining the 2504. This would not be good.

My option here is to put the 2504 management interface in another VLAN so that it cannot see the broadcasts from the APs that should talk to the 5508. I will use DHCP option 43 to tell the remote APs connecting in via WAN / IPsec tunnels to see the 2504. In this case I only need L3 discovery.

I have looked around the web looking for WLC commands to tell the WLC to only accept CAPWAP Layer 3 join requests. I couldn't find any.

Anyone know if this can be done or not?

I want to keep the remote sites away from the corporate 5508 WLC as it can't do the CAPWAP control and data tunnels. I guess this is due to CPU overheads for tunneling inside a VM. RRM and other stuff is not so resource hungry I guess.

Cheers and thanks in anticipation of an answer,

Simon
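Since the plan above relies on DHCP option 43 for L3 controller discovery, here is an added example (not part of the original post or any Cisco tool) that builds and validates the option 43 value in the format Cisco documents for its APs: a single TLV with sub-option type 0xF1, a length of 4 bytes per controller, and each controller's management IP as four big-endian bytes. It also renders the matching IOS DHCP pool lines. All IP addresses, the pool name and the subnet are constructed placeholder values, not anything from the thread.

```python
import ipaddress
from typing import List

# Cisco's documented encoding for DHCP option 43 offered to its APs:
# one TLV, type 0xF1, length = 4 * number of controllers, then each
# WLC management IPv4 address packed as 4 big-endian bytes.
CISCO_WLC_SUBOPTION = 0xF1
MAX_CONTROLLERS = 255 // 4  # the one-byte TLV length field caps the list at 63 IPs


def encode_option43(controllers: List[str]) -> str:
    """Return the option 43 hex string listing the given WLC management IPs."""
    if not controllers:
        raise ValueError("at least one controller IP is required")
    if len(controllers) > MAX_CONTROLLERS:
        raise ValueError("too many controllers for a single option 43 TLV")
    payload = b"".join(ipaddress.IPv4Address(ip).packed for ip in controllers)
    tlv = bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload
    return tlv.hex()


def decode_option43(hexstr: str) -> List[str]:
    """Parse a Cisco-style option 43 hex string back into controller IPs.

    Rejects values that are not a 0xF1 TLV or whose length byte does not
    match the payload, which catches hand-typed hex mistakes on the DHCP server.
    """
    data = bytes.fromhex(hexstr)
    if len(data) < 2 or data[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC option 43 TLV")
    length, payload = data[1], data[2:]
    if length != len(payload) or length % 4 != 0:
        raise ValueError("TLV length does not match payload")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_pool(pool_name: str, network: str, default_router: str,
                  controllers: List[str]) -> str:
    """Render IOS DHCP pool configuration carrying the option 43 value.

    The network is given in CIDR form and expanded to address + mask as IOS expects.
    """
    net = ipaddress.IPv4Network(network, strict=True)
    lines = [
        f"ip dhcp pool {pool_name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {default_router}",
        f" option 43 hex {encode_option43(controllers)}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed values: a remote-site AP subnet pointed at the 2504's management IP.
    remote_wlc = ["192.168.1.10"]
    print(ios_dhcp_pool("REMOTE-SITE-APS", "10.50.0.0/24", "10.50.0.1", remote_wlc))
    # Round-trip check so a typo in the hex would be noticed before deployment.
    assert decode_option43(encode_option43(remote_wlc)) == remote_wlc
```

The decode step is the useful part operationally: a controller list with a wrong length byte is silently ignored by the AP, so it falls back to other discovery methods, which is exactly the L2 broadcast behaviour the post is trying to avoid for the remote APs.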

2 Replies

Philip D'Ath
VIP Alumni

I think I would put the 2504 into a separate VLAN, as you suggest. Then it is isolated. Worst comes to worst, you can also use ACLs as well then.

Hi Philip,

Thanks for confirming this. Yep, I think I will just put the unit into another VLAN and go with that.

Hunted through the CLI to see if there was anything that would lend itself to turning L2 responses off, but nothing obvious.

Cheers & thanks,

Simon
