10-05-2012 12:33 PM - edited 07-03-2021 10:46 PM
Hello,
I’m having a hard time finding a good document that easily explains the traffic flow when using an anchor controller.
I believe I understand the AP creating a CAPWAP tunnel to the main controller and there being a mobility tunnel created between the main controller and the anchor…? Since the interface logically resides on the anchor controller interface, does all traffic after authentication/authorization still pass through the main primary controller?
Also what kind of encryption is used on the mobility tunnel etc?
Sorry for the open ended question – I’m just trying to accurately wrap my head around the traffic flow process.
Thanks!
Pete
10-05-2012 02:03 PM
Traffic flow is client - AP (CAPWAP) - WLC - WLC (mobility tunnel) - network.
The traffic only goes through the internal on its way to the anchor. But the anchor is the ingress/egress point for the anchored device.
As for encryption, IIRC, there currently is not a secure mobility tunnel. But soon we should have CAPWAP between the WLCs, and that would be able to use DTLS.
Steve
Sent from Cisco Technical Support iPhone App
10-05-2012 02:13 PM
Hi Pete
The mobility messages sent between the foreign controller and anchor controller on UDP 16666 are not encrypted. Anyone with a sniffer on your LAN can see the packet contents. UDP 16667 was proposed as the secure mobility mode, but it never worked and support for it was removed from controller CLI code 6.0 upwards. If you are running code 5.2 or below, you can use the commands:
config mobility secure-mode enable
config certificate compatibility on
However, the CAPWAP tunnel between the AP and the controller is encrypted using DTLS. The link below explains guest networking:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
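The port facts in this reply (plaintext mobility messages on UDP 16666, the abandoned secure mode on 16667, DTLS on the CAPWAP tunnel) can be turned into a quick audit of a capture taken on the controller switch ports. This is an added example, not code from the thread or from Cisco; it parses raw IPv4/UDP itself so it runs offline, the CAPWAP ports 5246/5247 are the IANA assignments rather than values from the thread, and the addresses and payloads are constructed.

```python
import struct
from typing import Dict, List, Optional

# Ports from the thread: 16666 is the plaintext mobility channel, 16667 the
# secure mode that never worked. 5246/5247 are the IANA CAPWAP control/data
# ports (an assumption, not stated in the thread); CAPWAP is DTLS-protected.
MOBILITY_PLAIN = 16666
MOBILITY_SECURE = 16667
CAPWAP_PORTS = {5246, 5247}

def parse_ipv4_udp(frame: bytes) -> Optional[Dict[str, object]]:
    """Parse a raw IPv4 packet carrying UDP; return header fields or None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4          # header length in bytes
    if frame[9] != 17 or len(frame) < ihl + 8:   # 17 = UDP
        return None
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, ulen, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": frame[ihl + 8:ihl + ulen]}

def classify(pkt: Dict[str, object]) -> str:
    """Label a parsed UDP packet by the tunnel it belongs to."""
    ports = {pkt["sport"], pkt["dport"]}
    if MOBILITY_PLAIN in ports:
        return "mobility-cleartext"
    if MOBILITY_SECURE in ports:
        return "mobility-secure-mode"
    return "capwap-dtls" if ports & CAPWAP_PORTS else "other"

def build_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4+UDP packet (checksums zeroed; fine for offline use)."""
    ip_src = bytes(int(o) for o in src.split("."))
    ip_dst = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0, ip_src, ip_dst)
    return ip + struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def audit(frames: List[bytes]) -> List[dict]:
    """One finding per mobility packet that crosses the LAN in cleartext."""
    findings = []
    for f in frames:
        pkt = parse_ipv4_udp(f)
        if pkt and classify(pkt) == "mobility-cleartext":
            findings.append({"src": pkt["src"], "dst": pkt["dst"], "bytes": len(pkt["payload"])})
    return findings

# Constructed sample: AP 10.1.2.50, foreign WLC 10.1.1.10, anchor WLC 10.9.9.10.
SAMPLE = [
    build_udp("10.1.2.50", "10.1.1.10", 40000, 5246, b"\x17\xfe\xfd<dtls record>"),
    build_udp("10.1.1.10", "10.9.9.10", 16666, 16666, b"mobility announce (plaintext)"),
    build_udp("10.9.9.10", "10.1.1.10", 16666, 16666, b"mobility handoff reply"),
]
```

Run `audit(SAMPLE)` against frames pulled from a SPAN of the WLC uplink to see exactly which controller-to-controller messages are readable; the CAPWAP frames are flagged separately because their payload is a DTLS record.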
10-08-2012 06:58 AM
Thanks for the explanations!
If I’m reading this correctly, the CAPWAP tunnel is encrypted via DTLS; however, the mobility tunnel between controllers doesn’t offer any encryption at this time.
If this is correct, is it possible for someone connected to the primary controller to sniff out traffic from the mobility tunnel connecting to the anchor controller?
In my example, the anchor controller is used in a more secure environment than the normal production controller. I just want to determine if the traffic being sent and anchored on that secure anchor controller would be accessible by anyone connected to our normal prod network (residing on the main/pri controller).
Sorry for the confusing questions!
Thanks again,
Pete
10-08-2012 07:02 AM
If this is correct, is it possible for someone connected to the primary controller to sniff out traffic from the mobility tunnel connecting to the anchor controller?
No, they would need to connect to your switch infrastructure and SPAN the port(s) the WLC is connected to. And at that point, there are bigger issues with the physical access they have, IMHO.
HTH,
Steve
------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered