Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7151
Views
0
Helpful
16
Replies

Prevent certain APs from associating with WLC

robinwenham
Level 1
Level 1

‎03-30-2012 02:41 AM - edited ‎07-03-2021 09:54 PM

Hi, we have the following situation which I'd appreciate assistance with.

We have 9 WLCs around a corporate network.  Each of the WLCs was in the same mobility group for failover purposes, and to permit APs to reconnect back to their primary WLC in the event of a failover.

However one of the sites has now been sold and pending separation of the LAN infrastructure the APs need to be isolated and prevented from associating with any WLC other than their primary (on site).  From our experience once the APs know about other WLCs they retain this list in NVRAM even if the secondary WLC is removed from the configuration they will still associate with one of the known APs if possible (Cisco document this).

WLC v 8.1.185.

Does anyone have any recommendations to achieve this?  My thoughts are:

1) configure WAN router to deny outgoing LWAPP / CAPWAP packets.  Router is a managed service which will entail negotiations and cost with the service provider.

2) completely default all APs on site.  69 APs mounted in the roof of a large distribution depot.

3) Use ACLs on the other WLCs to prevent ones from this subnet connecting to them.  May be the easiest because it is all in our control.  But I'm unsure of the implications of this.

4) any other?

Thoughts?

Thanks

R

Labels:
0 Helpful
16 Replies 16

tonypearce1
Level 3
Level 3
In response to robinwenham

‎12-18-2019 07:28 AM

I see this is an old thread but info still relevant. Didnt see any mention of this as an easy solution. At the default gateway, configure a route for the WLC which you do not want the remote APs to join. Send the next hop to null0. This will make it impossible for the site to contact the WLC IP hence preventing join.

 

0 Helpful

craig.beck
Level 1
Level 1

‎12-18-2019 03:27 PM

You may be able to do this by adding a network route at the WLCs in your org which points to the subnet(s) at the site via a non-existent gateway. All traffic mentioned in network routes should leave the WLC via the Service Port so it should stop APs from being able to connect to the WLC. If it's one subnet it's quick and dirty, but it should work.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card