Write up on the traffic flow with anchor controllers?

Pete Bauer
Level 1

Hello,

I'm having a hard time finding a good document that clearly explains the traffic flow when using an anchor controller.

I believe I understand that the AP creates a CAPWAP tunnel to the main controller and that a mobility tunnel is created between the main controller and the anchor...? Since the interface logically resides on the anchor controller, does all traffic after authentication/authorization still pass through the main/primary controller?

Also, what kind of encryption is used on the mobility tunnel, etc.?


Sorry for the open-ended question; I'm just trying to accurately wrap my head around the traffic flow process.

Thanks!

Pete


4 Replies

Stephen Rodriguez
Cisco Employee

Traffic flow is client - AP (CAPWAP) - WLC - WLC (mobility tunnel) - network.

The traffic only goes through the internal on its way to the anchor. But the anchor is the ingress/egress point for the anchored device.

As for encryption, IIRC, there currently is not a secure mobility tunnel. But soon we should have CAPWAP between the WLCs, and that would be able to use DTLS.

Steve


HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered

grabonlee
Level 4

Hi Pete

The mobility messages sent between the foreign controller and the anchor controller on UDP 16666 are not encrypted. Anyone with a sniffer on your LAN can see the packet contents. UDP 16667 was proposed as the secure mobility mode, but it never worked, and support for it was removed from controller code 6.0 upwards. If you are running code 5.2 or below, you can use the commands:

config mobility secure-mode enable

config certificate compatibility on

However, the CAPWAP tunnel between the AP and the controller is encrypted using DTLS. The link below explains guest networking:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch10GuAc.html
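An added example, not from any poster in this thread, that turns Steve's and grabonlee's points above into a check you can run against a SPAN capture of the foreign/anchor link: it classifies each packet by UDP port into CAPWAP control (5246, DTLS), CAPWAP data (5247, DTLS optional), mobility control (16666, cleartext) and the secure mobility port (16667), sums the bytes an on-path sniffer could read without any key, and emits the matching tcpdump filter. The CAPWAP port numbers are from RFC 5415. That anchored client data rides an EoIP (IP protocol 97) tunnel is an assumption taken from Cisco mobility documentation, not something the thread states; the tshark field layout and every sample packet are constructed for this example.

```python
"""
Audit a SPAN capture of the foreign<->anchor link for cleartext tunnel traffic.

Input: one packet per line, as produced by
  tshark -r span.pcap -T fields -E separator=, \
      -e ip.src -e ip.dst -e ip.proto -e udp.srcport -e udp.dstport -e frame.len
The sample below is constructed for this example, not a real capture.
"""
from collections import defaultdict

# UDP port roles. CAPWAP ports come from RFC 5415; the mobility ports are the
# ones named in the thread. "protected" is True when the payload is DTLS-
# wrapped on the wire, False when it is cleartext, None when it depends on
# configuration (CAPWAP data-channel DTLS is optional).
PORT_ROLES = {
    5246: ("CAPWAP control", True),
    5247: ("CAPWAP data", None),
    16666: ("mobility control", False),
    16667: ("mobility control (secure mode)", True),
}
# Assumption (not from the thread): anchored client data rides an EoIP tunnel,
# IP protocol 97, which carries no encryption of its own.
EOIP_PROTO = 97

# Constructed sample: 10.1.1.10 is the foreign WLC, 10.9.9.10 the anchor,
# 10.1.1.50 an AP joined to the foreign WLC.
SAMPLE_CAPTURE = """\
10.1.1.10,10.9.9.10,17,16666,16666,148
10.9.9.10,10.1.1.10,17,16666,16666,132
10.1.1.10,10.9.9.10,97,,,1514
10.1.1.50,10.1.1.10,17,5246,5246,214
10.1.1.50,10.1.1.10,17,5247,5247,1400
10.1.1.10,10.9.9.10,17,16667,16667,160
"""


def parse_capture(text):
    """Yield (src, dst, proto, sport, dport, length) tuples from tshark CSV lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, length = line.split(",")
        yield (src, dst, int(proto),
               int(sport) if sport else None,
               int(dport) if dport else None,
               int(length))


def classify(proto, sport, dport):
    """Map one packet to (role, protected) using transport and port."""
    if proto == EOIP_PROTO:
        return ("EoIP mobility data", False)
    if proto == 17:  # UDP: match either direction
        for port in (dport, sport):
            if port in PORT_ROLES:
                return PORT_ROLES[port]
    return ("other", None)


def audit(text):
    """Aggregate packets per controller pair and role, ignoring direction."""
    report = defaultdict(lambda: {"packets": 0, "bytes": 0, "protected": None})
    for src, dst, proto, sport, dport, length in parse_capture(text):
        role, protected = classify(proto, sport, dport)
        entry = report[(tuple(sorted((src, dst))), role)]
        entry["packets"] += 1
        entry["bytes"] += length
        entry["protected"] = protected
    return dict(report)


def cleartext_bytes(text):
    """Bytes a sniffer on the SPAN/LAN segment could read without any key."""
    return sum(e["bytes"] for e in audit(text).values() if e["protected"] is False)


def capture_filter(foreign_ip, anchor_ip):
    """tcpdump/BPF filter isolating the cleartext tunnel traffic between two WLCs."""
    return (f"host {foreign_ip} and host {anchor_ip} and "
            f"(ip proto {EOIP_PROTO} or (udp and port 16666))")


if __name__ == "__main__":
    labels = {True: "DTLS", False: "CLEARTEXT", None: "depends on config"}
    for (pair, role), e in sorted(audit(SAMPLE_CAPTURE).items()):
        print(f"{pair[0]} <-> {pair[1]}  {role:30s} "
              f"{e['packets']:3d} pkts {e['bytes']:6d} B  {labels[e['protected']]}")
    print("cleartext bytes:", cleartext_bytes(SAMPLE_CAPTURE))
    print("tcpdump filter:", capture_filter("10.1.1.10", "10.9.9.10"))
```

Run it against real tshark output (`tshark -r span.pcap -T fields ... | python3 audit.py`-style, after swapping `SAMPLE_CAPTURE` for `sys.stdin.read()`) to see how much of the foreign/anchor traffic is readable from a SPAN port; any non-zero cleartext total is the exposure the thread is describing, and the only mitigations the thread leaves you are physical/switch-port control and, on 5.2 and earlier code, the secure-mode commands above.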

Thanks for the explanations!

If I'm reading this correctly, the CAPWAP tunnel is encrypted via DTLS; however, the mobility tunnel between controllers doesn't offer any encryption at this time.

If this is correct, is it possible for someone connected to the primary controller to sniff out traffic from the mobility tunnel connecting to the anchor controller?

In my example, the anchor controller is used in a more secure environment than the normal production controller. I just want to determine if the traffic being sent and anchored on that secure anchor controller would be accessible by anyone connected to our normal prod network (residing on the main/pri controller).

Sorry for the confusing questions!

Thanks again,

Pete

Stephen Rodriguez
Cisco Employee

If this is correct, is it possible for someone connected to the primary controller to sniff out traffic from the mobility tunnel connecting to the anchor controller?

No, they would need to connect to your switch infrastructure and span the port(s) the WLC is connected to. And at that point, there are bigger issues with the physical access they have, IMHO.

HTH,
Steve

------------------------------------------------------------------------------------------------
Please remember to rate useful posts, and mark questions as answered