02-24-2021 04:15 PM - edited 07-05-2021 01:17 PM
Hi, I would like to set up a Palo Alto firewall between a Cisco WLC and APs to control some traffic. Can anyone share some ideas for this, or send a link so I know what I need to pay attention to? Thank you very much.
02-24-2021 08:26 PM
Hi
Here is one link, out of plenty on Cisco websites, showing which ports are used and so will need to be open between APs and WLC:
02-25-2021 06:51 AM
At a minimum, APs need UDP 5246-5247 (CAPWAP control and CAPWAP data) to the WLC.
UDP 5248 for multicast, depending on your design and configuration.
That's assuming the APs' DHCP etc. is provided locally to the AP and will not need to pass through the firewall.
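The two replies above give the required openings (UDP 5246/5247, optionally 5248) and say DHCP stays on the AP side. As an added example, not code from the thread or from Cisco or Palo Alto, here is a small first-match policy checker that models a firewall rule set and audits it against exactly those flows, contrasting an overly broad "allow anything from the AP subnet to the WLC" rule with a least-privilege one. The addresses (AP subnet 10.20.0.0/24, WLC management 10.10.0.5, a DHCP server at 10.10.0.9) and the rule names are constructed for illustration; substitute your own. Note that in this position the firewall only sees the CAPWAP tunnel: client traffic inside the data tunnel is not distinguishable by a port-based rule.

```python
"""Audit a candidate firewall policy against the flows a CAPWAP AP needs to its WLC.

Added example, not from the original thread. All addresses below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "udp" or "tcp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # source CIDR
    dst: str        # destination CIDR
    proto: str      # "udp", "tcp" or "any"
    dports: tuple   # destination ports; empty tuple means any port
    action: str     # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (not self.dports or f.dport in self.dports))


def evaluate(rules, flow, default="deny"):
    """First-match evaluation with an implicit deny at the end, as most firewalls do."""
    for r in rules:
        if r.matches(flow):
            return r.action, r.name
    return default, "implicit-deny"


# Flows the thread says an AP needs towards the WLC (assumed addresses).
REQUIRED = [
    Flow("10.20.0.10", "10.10.0.5", "udp", 5246),  # CAPWAP control
    Flow("10.20.0.10", "10.10.0.5", "udp", 5247),  # CAPWAP data
    Flow("10.20.0.10", "10.10.0.5", "udp", 5248),  # CAPWAP multicast, only if the design uses it
]

# Flows an AP rule should NOT open: WLC management from the AP subnet,
# and DHCP across the firewall (the thread keeps DHCP local to the AP side).
FORBIDDEN = [
    Flow("10.20.0.10", "10.10.0.5", "tcp", 22),   # SSH to the WLC
    Flow("10.20.0.10", "10.10.0.5", "tcp", 443),  # HTTPS to the WLC
    Flow("10.20.0.10", "10.10.0.9", "udp", 67),   # DHCP to an assumed server behind the firewall
]

# Weak policy: any protocol and port from the AP subnet to the WLC.
OVERLY_BROAD = [
    Rule("ap-to-wlc-any", "10.20.0.0/24", "10.10.0.5/32", "any", (), "allow"),
]

# Least-privilege policy: only the CAPWAP ports, stateful return traffic handled by the firewall.
LEAST_PRIVILEGE = [
    Rule("ap-capwap", "10.20.0.0/24", "10.10.0.5/32", "udp", (5246, 5247), "allow"),
    Rule("ap-capwap-mcast", "10.20.0.0/24", "10.10.0.5/32", "udp", (5248,), "allow"),
]


def audit(rules):
    """Return (required flows that are blocked, forbidden flows that are allowed)."""
    missing = [f for f in REQUIRED if evaluate(rules, f)[0] != "allow"]
    leaked = [f for f in FORBIDDEN if evaluate(rules, f)[0] == "allow"]
    return missing, leaked


if __name__ == "__main__":
    for label, rs in (("overly broad", OVERLY_BROAD), ("least privilege", LEAST_PRIVILEGE)):
        missing, leaked = audit(rs)
        print(f"{label}: blocked required flows={len(missing)}, wrongly allowed flows={len(leaked)}")
```

The checker treats the firewall as stateful, so only the AP-to-WLC direction is modelled; the WLC's replies ride on the same session. If you drop UDP 5248 from the least-privilege set, the audit reports it as a blocked required flow, which is the point: decide up front whether your design uses multicast rather than discovering it when APs misbehave.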
02-25-2021 06:04 PM
Thank you very much for your reply. Below is a diagram. Can I do it this way?
WLC ------------FW(Palo Alto) -------switch------AP ............ PC/user
|
DHCP
02-26-2021 02:29 AM
Yes
02-26-2021 06:37 PM - edited 02-26-2021 06:40 PM
If we set up vlan10 as the management interface and vlan20 for client traffic going through the firewall, like the below, and DHCP is connected to vlan20 on the outside of the firewall. The reason is that we can make it easier to set up the relationship between WLC and AP. What do you think about it?
WLC(vlan10) --------------------(vlan10)AP . . . . . . . PC
| |
vlan20-------------FW----------------vlan20
|
DHCP
02-26-2021 11:58 PM
02-27-2021 02:24 AM
I'll go one step further than @Scott Fella and say no, you can't do what you show in your second design.
You seem not to understand what the options are with local and central switching of the client traffic with a WLC.
If the client traffic is centrally switched, then your AP has no connection to vlan 20. The client traffic is tunnelled to the WLC over CAPWAP and exits the WLC on vlan 20. Yes, you could then switch that back to the client side via the firewall if you wanted to, but that would be independent of the AP. There wouldn't be much point in having a firewall at all in this case.
If you use FlexConnect with local switching, then the traffic is switched directly onto vlan 20 by the AP, so why would you want to send it to the WLC, and over a firewall? And then obviously the WLC doesn't need any connection to vlan 20. Although maybe you'd want a firewall between your client vlan 20 and the internet, but then vlan 20 will go to your internet router, not the WLC.
So you need to decide on the most appropriate design, understanding the difference between an AP in local mode or FlexConnect mode and the difference between central switching and local switching. Then you can decide if you want to put a firewall in the path. Go read the basics of how WLC and CAPWAP APs work. Then, when you've understood that, work out which design works best for your circumstances and then decide whether a firewall is appropriate and where it should be situated. Don't put a firewall in just for the sake of it when it doesn't add any value and could reduce the reliability of your solution (like Scott said, headaches down the road).