Prevent certain APs from associating with WLC

Hi, we have the following situation which I'd appreciate assistance with.

We have 9 WLCs around a corporate network.  Each of the WLCs was in the same mobility group for failover purposes, and to permit APs to reconnect back to their primary WLC in the event of a failover.

However, one of the sites has now been sold, and pending separation of the LAN infrastructure the APs need to be isolated and prevented from associating with any WLC other than their primary (on site). From our experience, once the APs know about other WLCs they retain this list in NVRAM; even if the secondary WLC is removed from the configuration, they will still associate with one of the known APs if possible (Cisco document this).

WLC v8.1.185.

Does anyone have any recommendations to achieve this?  My thoughts are:

1) configure WAN router to deny outgoing LWAPP / CAPWAP packets.  Router is a managed service which will entail negotiations and cost with the service provider.

2) completely default all APs on site.  69 APs mounted in the roof of a large distribution depot.

3) Use ACLs on the other WLCs to prevent ones from this subnet connecting to them.  May be the easiest because it is all in our control.  But I'm unsure of the implications of this.

4) any other?

I see this is an old thread, but the info is still relevant. I didn't see any mention of this as an easy solution. At the default gateway, configure a route for the WLC which you do not want the remote APs to join. Send the next hop to Null0. This will make it impossible for the site to contact the WLC IP, hence preventing the join.

You may be able to do this by adding a network route at the WLCs in your org which points to the subnet(s) at the site via a non-existent gateway. All traffic mentioned in network routes should leave the WLC via the Service Port so it should stop APs from being able to connect to the WLC. If it's one subnet it's quick and dirty, but it should work.
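As an added illustration of the two reachability-based approaches above (the Null0 host route at the site's default gateway, and the network route on the remaining WLCs), here is what the configuration looks like. This is not from the original posts; the addresses are constructed for the example: 10.1.1.10 and 10.1.2.10 stand for WLCs the sold site must no longer join, 10.50.0.0/24 for the AP subnet at that site, 10.50.0.1 for the site router's AP-VLAN interface, and 192.0.2.254 for a gateway address that has no host behind it. The command syntax is standard Cisco IOS and AireOS WLC CLI.

```text
! ===== Site default-gateway router (Cisco IOS) =====
! A /32 static route to Null0 is a longer match than the default route,
! so every packet from the site to that WLC address is discarded on the
! router. CAPWAP discovery/join (UDP 5246 control, 5247 data) therefore
! never reaches the off-site WLC, and neither does anything else from the
! site to that address (SSH, SNMP, ping), which is the intended effect
! here but worth remembering if that WLC is also managed from the site.
ip route 10.1.1.10 255.255.255.255 Null0
ip route 10.1.2.10 255.255.255.255 Null0
!
! Verification from the router: the /32 must show as a static route to
! Null0, and a ping sourced from the AP VLAN must fail.
show ip route 10.1.1.10
ping 10.1.1.10 source 10.50.0.1

! ===== Each remaining WLC (AireOS CLI), the second reply's variant =====
! A network route on the WLC is sent out the service port. Pointing the
! site's AP subnet at a gateway that does not exist (192.0.2.254, assumed)
! means the WLC's discovery and join responses to that subnet are dropped,
! so the APs never complete a join even though their requests arrive.
! Repeat on every WLC the site must not reach; one line per AP subnet.
(Cisco Controller) >config route add 10.50.0.0 255.255.255.0 192.0.2.254
(Cisco Controller) >show route summary
! Roll back later with:
(Cisco Controller) >config route delete 10.50.0.0
```

The router-side route is the more robust of the two because it works regardless of how many WLCs the APs have cached: the APs simply cannot reach them. The WLC-side route only affects traffic the WLC itself originates, so it has to be applied on each controller, but it keeps the change entirely within the wireless team's control, which was the original poster's concern with the managed WAN router. In both cases, confirm the result from the AP side (the AP's `show capwap client rcb` or the WLC's `show ap join stats summary all`) rather than trusting the route table alone.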
