Cisco Wireless Network Architectures

Hello Valerio

You can add bpduguard and port security on the same port where you have connected an access point, however, you must keep the following in mind.

If the AP is operating in Layer 2 mode (that is, it is not performing routing) then the port-security mac-address sticky command may not be very useful. This is because every wireless client’s MAC address will appear on that interface, and thus you must have enough sticky MAC addresses configured to accommodate the estimated number of users connecting. If the AP is performing routing, then only the MAC address of the AP will appear on the interface, thus the “sticky” command is useful.

As for the bpduguard, it’s always a good idea to enable it on such ports as you should never receive BPDUs on such a port.

For more info, take a look at these related lessons:

I hope this has been helpful!

Laz
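
The two cases Laz describes, as an added IOS configuration example (this is not from the original post or the lesson). Interface names, VLAN 11, the client count and the timers are assumptions. The first port faces an AP that bridges every client MAC onto the wire (for example an autonomous AP in bridge mode), so sticky learning is impractical and the maximum has to cover the AP plus the expected clients. The second port faces an AP whose clients never appear on the wired side (a routed AP, or a lightweight AP whose client traffic leaves inside the CAPWAP tunnel, so only the AP's own MAC is seen), where one sticky MAC is enough.

```cisco
! Added example, not from the original post. Interfaces, VLAN and counts are assumptions.
!
! Case 1: AP bridges client frames onto this port (every client MAC shows up here).
interface GigabitEthernet1/0/10
 description AP in Layer 2 (bridged) mode
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 ! AP MAC + expected clients; restrict keeps the port up and drops/logs extra MACs
 switchport port-security maximum 60
 switchport port-security violation restrict
 ! age out idle client MACs so roaming users do not exhaust the maximum
 switchport port-security aging type inactivity
 switchport port-security aging time 10
!
! Case 2: only the AP's own MAC is ever seen (routed AP, or CAPWAP-tunneled clients).
interface GigabitEthernet1/0/11
 description AP in routed / CAPWAP mode
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Let the switch recover err-disabled ports on its own after 5 minutes.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Verify with `show port-security interface GigabitEthernet1/0/10` (compare SecureAddresses against MaxSecureAddr, and watch the violation count) and `show spanning-tree interface GigabitEthernet1/0/10 detail` for "Bpdu guard is enabled". Note the different violation modes: the bridged port with `restrict` stays up and only drops frames from MACs beyond the maximum, while the sticky port and any received BPDU err-disable the port until the recovery timer clears it.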

Hello, thank you for the great explanation, i will read the lessons.
Thanks

1 Like

@lagapidis

This lesson mentions that the WLC must trunk all VLANs, but I don’t understand why, if the CAPWAP tunnel only needs L3/L4 reachability.

For example, in a large company, you could have many branches and the HQ. In the HQ you place the WLC connected to a core node, so between the WLC and the core router you could only use a /30 subnet, and also configure a loopback on the WLC (I don’t know if you can configure logical interfaces on the WLC). So, a /30 or /31 between WLC ↔ core router, using VLAN 10, and then the core router could propagate this subnet or loopback address via an IGP to the other branches.
The LWAP could reach the IP of the WLC via its default gateway (core branch router).

So why does this lesson say the WLC must trunk all VLANs?

1 Like

Hello Juan

I believe that the WLC by design requires a trunk port to all of the VLANs where access points are connected. This is the case when using LWAP in the Unified WLC deployment.

If however, you use FlexConnect, then it is possible to use an access port and layer 3 connectivity to the APs. If user traffic comes back to the WLC via a CAPWAP tunnel, trunks must be used.

More info can be found at the below Cisco Community forum post.

I understand that the logic of the CAPWAP states that you only need L3 connectivity to make the tunnel work. However, the WLC by design needs those trunks for it to function correctly.

I hope this has been helpful!

Laz

1 Like

Hello,

Can someone please help me understand this?:
“Real-time functions: Transmission of 802.11 frames”

The online course I worked through said that “802.11 to 802.3 communication” is handled by the WLC, and Wendell Odom’s CCNA book also implies the same:
“Or consider roaming for a moment. If at one instant a packet arrives for your phone, and you are associated with AP1, and when the next packet arrives over the wired network you are now connected to AP4, how could that packet be delivered through the network? Well, it always goes to the WLC, and because the WLC keeps in contact with the APs and knows that your phone just roamed to another AP, the WLC knows where to forward the packet.” (This is at the very end of “Appendix K: Analyzing Ethernet LAN Designs.”)

On page 638 of his book, Wendell Odom lists these Real-Time Functions:
• RF Transmit/Receive
• MAC Management
• Encryption

So the “Transmission of 802.11 frames” means taking care of the Physical/L1 side of things, right?

Do I understand it correctly that with lightweight APs, the user traffic goes to the lightweight AP, then through the switches to the WLC, and from the WLC back through the switches to the lightweight AP, and finally the lightweight AP transmits the user traffic to the original user? I assume the function of the CAPWAP Data tunnel is to accomplish communication between the Ethernet (802.11) and wireless (802.3) network.

Thanks.
Attila

Hello Attila

Real-time functions, including the transmission of 802.11 frames, refer to the tasks performed by the AP to handle wireless communication. These tasks take place on both the user plane and the control plane and include things like dealing with RF signals, MAC management, and encryption/decryption. These tasks are indeed related to Layers 1 and 2 of the OSI model.

Now specifically with lightweight APs, the user traffic goes through the following steps:

  1. User traffic is sent to the lightweight AP (over the wireless 802.11 network).
  2. The lightweight AP encapsulates the user traffic inside a CAPWAP tunnel and forwards it through the wired Ethernet network (802.3) to the WLC.
  3. The WLC processes the traffic, makes decisions (e.g., access control, quality of service), and forwards the traffic as necessary, either back to the same AP or another AP (in case of roaming).
  4. The receiving AP decapsulates the CAPWAP-encapsulated traffic and transmits it to the user over the wireless 802.11 network.

You are correct in understanding that the CAPWAP data tunnel is used for communication between the Ethernet (802.3) and wireless (802.11) networks. The WLC plays a crucial role in managing lightweight APs, user traffic, and overall network performance. Does that make sense?

I hope this has been helpful!

Laz

1 Like

Comparing Autonomous design vs Split-MAC design (CAPWAP tunnel):

It’s pretty clear to me that the Autonomous design requires VLAN implementation everywhere (besides other configs such as mgmt, tx power, channel assignment, etc. that you do on a per-Autonomous-AP basis): in the access layer (between access switches and APs), on trunks between access switches and distribution switches, and then on trunks between distribution and core.

The other design, Split-MAC, is also clear to me: because of this CAPWAP tunnel we move the mgmt functions to the WLC and the real-time functions remain in the AP.

But it’s not 100% clear to me, the switched tunnel vs routed tunnel. For me switched means no L3 involved; if we say a switched tunnel, do we not need an IP address configured on both AP and WLC? How is the tunnel established in a switched tunnel? Let’s say we use VLAN 10 for mgmt, so we configure it in the LWAP and also in the WLC, but I guess in this case we would need to configure VLAN 10 all across the network, like an autonomous design…

The routed tunnel is clearer to me because I’m accustomed to other kinds of tunnels such as GRE: once you reach the IP address of the other side, it’s ready to go and the tunnel is established.

Hello Juan

When talking about CAPWAP tunnels, there is really no distinction concerning routed or switched tunnels. CAPWAP tunnels are created between an AP and its WLC over an underlay network that can traverse routers, switches, multiple subnets etc, just as long as the AP can reach the WLC. The CAPWAP tunnel is specially created to carry the multiple VLANs that correspond to the SSIDs that an AP may be serving.

Rene states in the lesson that “Tunneled traffic can be switched or routed” and this phrase may be the source of your question. The idea here is that the underlay network that carries the CAPWAP tunnel can be either routed or switched. Rene goes on to say that this:

…means the lightweight APs and WLC don’t have to be in the same VLAN. This is useful since APs are typically on the access layer, and the WLC is in a central location (core layer or data center attached to the core).

So it’s not referring to the tunnel as a Layer 2 or Layer 3 entity, but in the way the tunnel is encapsulated and transmitted over the underlying (layer 2 or layer 3) infrastructure. Does that make sense?

I hope this has been helpful!

Laz

Thanks @lagapidis

But why is it necessary to tag all VLANs between WLC and core? For establishing the CAPWAP tunnel, the LWAP uses the mgmt IP address to reach the WLC, so you only need to tag the mgmt VLANs for each LWAP, but the SSID VLAN, why? Is it because the VLAN must be present at both ends of the tunnel for encapsulation/decapsulation purposes?

Let’s say SSID “my-wifi” VLAN 100 is configured on LWAP 1, CAPWAP is already established, and LWAP 1 wants to forward traffic to VLAN 200 configured on LWAP 2 (this LWAP also has CAPWAP established):

  1. LWAP 1 encapsulates the VLAN 100 traffic into the CAPWAP tunnel using UDP 5247.
  2. The WLC receives the CAPWAP packet and decapsulates it; it sees that it is destined for VLAN 200 (LWAP 2).
  3. The WLC encapsulates the VLAN 200 traffic into a new CAPWAP packet and forwards it to LWAP 2.
  4. LWAP 2 decapsulates it and forwards it to the client?

Hello Juan

To establish the tunnel between LWAP and WLC, all you need is the IP address because the CAPWAP tunnel is created over the underlay network infrastructure that exists between the WLC and LWAP. As long as those two can reach each other, the CAPWAP tunnel can be established.

Why do we need all VLANs between WLC and the core? Well, it depends upon where you are performing your routing. If the routing takes place at the core network, then this must be done in order for the clients connected to each SSID to reach the default gateway of each VLAN. The default gateway will actually exist within the core itself. However, you can change that topology and make the WLC itself the default route for every VLAN/SSID. In that case, you wouldn’t need a trunk between the WLC and the core network. The scenario you described in your post assumes routing takes place in the WLC.

The question is, what is considered best practice in this? Well, typically we don’t want to overburden the WLC with routing, especially in a large network where it would have to act as router to all wireless clients. If the WLC has to handle, say, 50 or 60 clients, then you should be OK with routing at the WLC. However, if you have a network with thousands of wireless clients, it is best to leave routing to a different device, and this is why you need the trunk. That way the WLC will only be burdened with the management of the LWAPs and not routing as well.

Creating a trunk and performing routing on the core network is considered best practice, even in smaller networks. Does that make sense?

I hope this has been helpful!

Laz

1 Like

Thanks @lagapidis

Taking the following diagram in mind :

Is the only purpose of VLAN 11 on AP1 to associate a subnet such as 192.168.11.x, which has allocated the host IP 192.168.11.1 used to establish CAPWAP with the WLC at 192.168.10.1?

In this case the link Core ↔ WLC is a trunk with all VLANs passing through it, including the VLAN used for 192.168.10.x (I guess it could be an interface VLAN X, let’s say 192.168.10.254), so AP1 192.168.11.1 can reach 192.168.10.1 through the core, DG 192.168.10.254, and the core itself resolves the routing because it also has the directly connected network 192.168.11.0/24… therefore AP1 can establish CAPWAP and encapsulate mgmt traffic in UDP 5246 and data traffic in UDP 5247 (I guess both ends, LWAP and WLC, encapsulate when they want to send to the other end, and decapsulate when they receive from the other end).

The last one: this excerpt from the lesson, the one in bold. I think CAPWAP is routed; was this phrase generic regarding any tunnel, or about CAPWAP?

Tunneled traffic can be switched or routed

Thanks for your patience (I don’t have any WLAN experience because the environment I work in on a daily basis does not require this knowledge, but I’m interested in it).

Hello Juan

Yes that is correct, and I believe your subsequent explanation is correct as well. Routing between the AP and the WLC is achieved within the core network, while the CAPWAP tunnel uses that routing to terminate on the WLC and the AP. The core network is the underlay network which can be routed/switched, while the CAPWAP tunnel is the overlay network.

As I mentioned in my previous post, the idea here is that the underlay network that carries the CAPWAP tunnel can be either routed or switched. Also, the CAPWAP tunnel may terminate on the WLC and be routed there, or (ideally), it should be switched to the core network to be routed within the core.

No problem at all, that’s what we’re here for, to help people learn new things!! I hope this discussion has been helpful and if you have any further clarification questions, feel free to ask them!

I hope this has been helpful!

Laz

1 Like
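
The topology worked through above (AP in VLAN 11, WLC management at 192.168.10.1 in VLAN 10, the core doing all routing, CAPWAP on UDP 5246/5247), as an added IOS configuration for the core switch. This is not from the lesson or the posts; interface names, the SSID VLANs 100 and 200 with their subnets, the native VLAN 999, and the DHCP and ACL details are assumptions. It also covers one thing the posts leave implicit: how the AP learns the WLC address at all (here via DHCP option 43, alternatively via a DNS record for CISCO-CAPWAP-CONTROLLER).

```cisco
! Added example, not from the lesson. Core switch (routing for every VLAN lives here).
vlan 10
 name WLC-MGMT
vlan 11
 name AP-MGMT
vlan 100
 name SSID-CORP
vlan 200
 name SSID-GUEST
!
! Optional hardening (assumption: APs need nothing else): the AP VLAN may only
! speak CAPWAP to the WLC, plus DHCP, DNS (CISCO-CAPWAP-CONTROLLER lookup), NTP,
! ping replies and SSH replies to an administrator. Extend for syslog etc. as needed.
ip access-list extended AP-VLAN11-IN
 remark CAPWAP control 5246 and data 5247, WLC management address only
 permit udp 192.168.11.0 0.0.0.255 host 192.168.10.1 range 5246 5247
 permit udp any eq bootpc any eq bootps
 permit udp 192.168.11.0 0.0.0.255 any eq domain
 permit udp 192.168.11.0 0.0.0.255 any eq ntp
 permit icmp 192.168.11.0 0.0.0.255 any
 permit tcp 192.168.11.0 0.0.0.255 eq 22 any
 deny ip any any log
!
! SVIs: the core is the default gateway for APs, the WLC and every SSID VLAN,
! so inter-VLAN routing happens here and not on the WLC.
interface Vlan10
 ip address 192.168.10.254 255.255.255.0
interface Vlan11
 ip address 192.168.11.254 255.255.255.0
 ip access-group AP-VLAN11-IN in
interface Vlan100
 ip address 192.168.100.254 255.255.255.0
interface Vlan200
 ip address 192.168.200.254 255.255.255.0
!
! DHCP for the APs. Option 43 sub-option f1 carries the controller list:
! f1 = type, 04 = length (one IPv4 address), c0a8.0a01 = 192.168.10.1.
ip dhcp excluded-address 192.168.11.1 192.168.11.10
ip dhcp pool AP-VLAN11
 network 192.168.11.0 255.255.255.0
 default-router 192.168.11.254
 option 43 hex f104.c0a8.0a01
!
! Trunk to the WLC: the WLC management VLAN and the client (SSID) VLANs only.
! VLAN 11 is not needed here; the AP reaches 192.168.10.1 by routing through Vlan11.
interface TenGigabitEthernet1/1
 description WLC
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,100,200
 switchport nonegotiate
 spanning-tree portfast trunk
!
! Access port towards the AP: no trunk, because client traffic arrives inside CAPWAP.
interface GigabitEthernet1/0/10
 description LWAP-1
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 spanning-tree bpduguard enable
```

On the WLC side, the management interface carries VLAN tag 10 and a dynamic interface is created for each SSID VLAN with the matching tag (100 and 200), so a client frame that the WLC decapsulates from CAPWAP is put onto the trunk tagged with its SSID's VLAN and routed by the core's SVI. Check the trunk with `show interfaces trunk` (allowed and active VLANs should be exactly 10,100,200), the AP's lease with `show ip dhcp binding`, and blocked traffic from the AP VLAN with `show access-lists AP-VLAN11-IN` (the `deny ... log` line's counter).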

@lagapidis I hope you’re doing well.

About this :

Management functions:
    Client authentication
    Security management
    Association and reassociation (roaming)
    Quality of Service (QoS)


Real-time functions:
    Transmission of 802.11 frames
    MAC management
    Encryption

I’m trying to put the above in order and make sense of it.

Client auth, Sec Mgmt and Encryption… Client Auth could be 802.1X? What is Sec Mgmt?

What is MAC Management ?

Thanks in advance

Hello Juan

I have created a NetworkLessons note that expands upon the idea of the management and real-time functions. Take a look at it, and if you have further questions, let us know!

I hope this has been helpful!

Laz

I need some help with VLAN-based bandwidth restriction. Could you please explain how to create a policy to restrict bandwidth on a VLAN? We have Cisco 4500X, 3750 & 3850.

Hello Mohammed

There are several options that you can apply depending upon what you actually want to achieve. Your options, depending upon your ultimate goal include making some of the following choices:

First, you must decide if you want to apply shaping or policing. Shaping will limit bandwidth while attempting not to drop any packets by implementing buffering. Policing will drop any packets that surpass the bandwidth restriction you have set.

Next, you must decide where you want to apply these policies. At the SVI which serves as the default gateway for the VLAN? At each interface of a particular VLAN? On the VLAN as a whole? Your answer will affect the complexity of the configuration.

Finally, what kind of clients will be using these VLANs? Since you’re writing this in a Wireless Network Architectures thread, I assume you may have wireless clients. You may want to consider applying bandwidth restriction at the client itself, something that is much simpler than on a per VLAN basis for example.

If you want to take a look at some of the configs involved with shaping and policing, take a look at the following lessons:

If you want to take a look at QoS features that function solely at Layer 2, take a look at this lesson:

This information should be enough to get you started. Let us know how you get along and if you have any more specific questions.

I hope this has been helpful!

Laz
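
The policing-versus-shaping choice Laz describes, as an added IOS MQC example for Mohammed's question (not from the lesson): the same 20 Mbit/s limit once as a policer and once as a shaper, classified on the VLAN's client subnet. The subnet, rate, burst and interface names are assumptions, and the syntax is generic IOS MQC: the 4500X accepts a service-policy on an SVI, while the 3750 and 3850 restrict where a policy can be attached and which `police`/`shape` forms are accepted, so check the QoS configuration guide for your exact model.

```cisco
! Added example, not from the lesson. Subnet, rate and interfaces are assumptions.
! Traffic to limit: everything sourced from the VLAN 100 client subnet.
ip access-list extended VLAN100-CLIENTS
 permit ip 192.168.100.0 0.0.0.255 any
!
class-map match-all VLAN100
 match access-group name VLAN100-CLIENTS
!
! Policing: hard ceiling of 20 Mbit/s with a 625000-byte burst; excess is dropped.
policy-map POLICE-VLAN100
 class VLAN100
  police 20000000 625000 conform-action transmit exceed-action drop
!
! Shaping: same 20 Mbit/s average, but excess is queued and delayed rather than
! dropped (until the queue itself overflows).
policy-map SHAPE-VLAN100
 class VLAN100
  shape average 20000000
!
! The policer goes inbound on the VLAN's gateway SVI, so it catches traffic from
! every port in VLAN 100 at once as it leaves the VLAN.
interface Vlan100
 service-policy input POLICE-VLAN100
!
! A shaper only works outbound, where the device has a queue to hold the excess:
! here on the uplink that carries VLAN 100 traffic towards the rest of the network.
interface TenGigabitEthernet1/1
 service-policy output SHAPE-VLAN100
```

Use one or the other per direction, not both on the same flow. `show policy-map interface Vlan100` shows conformed versus exceeded packet and byte counters for the policer, which is the quickest way to confirm the limit is being hit (and, for a policer on a VLAN full of wireless clients, that you are not silently dropping more than you intended).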

Hello, everyone.

I’ve had 4 major doubts ever since I passed my CCNA after learning about CAPWAP.

  1. If stretching VLANs is considered bad practice and, thanks to the lightweight deployment, the AP can connect to the switch via an access port and the traffic does not need to be trunked (since it’s tunneled), we’ll end up like this


    If everything else is an access port, doesn’t this mean that we’re not using any VLANs even for the wired network?

  2. How do APs even forward data? Imagine autonomous APs for simplicity so we don’t have to worry about the controller. What do they read and use to forward data? Do they have a MAC address table like a switch?

  3. Why is literally everything, even traffic within the same VLAN tunneled to the WLC?

  4. How do WLCs forward data? If something from VLAN10 destined towards VLAN20 comes in, the WLC would send this traffic to the L3 core switch, it would route the traffic, return it back to the WLC, and the WLC would tunnel it back?

Thank you.
David

Hello David

CAPWAP tunnels encapsulate all client data into IP packets from APs, eliminating the need for per-SSID VLAN trunking at the edge switches. However, this does not mean that the whole VLAN structure of the network is solely set up to serve those access points. If there are wired hosts that connect to access ports of the access layer switches, those should be set up with the appropriate VLAN settings independent of any configurations set up for the wireless APs. In other words, the VLAN structure for the wired network would be deployed regardless of whether or not the network supports wireless lightweight APs. The CAPWAP tunnels only serve APs, and are not involved in the wired connectivity of devices.

Autonomous APs can be thought of as “bridges” between wireless and wired networks, but with additional frame processing. Yes, APs do maintain MAC address tables like switches to forward frames between wireless clients and the wired LAN. They also perform local processing to handle encryption, beacon generation, and client association without a controller, assuming they are autonomous as you mentioned. And, they do support VLANs, where typically an SSID is assigned on a per-VLAN basis. As such, the connection between the AP and the switch can be a trunk connection.

In the case of a lightweight AP, all traffic is tunneled to the WLC for several reasons. For policy enforcement, the WLC applies security (802.1X, ACLs), QoS, and roaming policies uniformly to all wireless traffic. This is also the very definition of split-MAC architecture, where real-time tasks (beacons, encryption) are the responsibility of the AP, while management (auth, roaming) is handled by the WLC. It also aids in mobility support, establishing seamless client roaming between APs. Although it seems cumbersome and counterintuitive, this design simplifies AP configurations. The downside is it creates a single point of failure (which can be remedied with a redundant deployment), and may increase the bandwidth requirements of a network somewhat, but there are always tradeoffs.

In this particular diagram, the setup looks like the core network is doing the routing. But you can also deploy a WLC to perform routing itself between wireless SSIDs/VLANs. The question has to do with your architecture. If you have a wireless SSID that shares the same VLAN with a wired network (i.e. both wired and wireless hosts are on the same subnet/VLAN) then you would have to perform your routing at the core network. If however each of your wireless networks is self contained and corresponds to a whole subnet or VLAN, then you can perform routing at the WLC. It also depends on the number of wireless networks you have and the number of clients you will be supporting. Does your WLC have enough resources to perform routing as well or should that be offloaded to the core network? These questions must be resolved during the design phase of the network.

I hope this has been helpful!

Laz

Hello.

Assuming that the core switch is doing the routing here

If PC from VLAN20 wanted to talk to the other PC in VLAN30, it would send it to the LWAP, the LWAP would tunnel it over to the WLC, the WLC would send it to the core switch for routing, the core switch would return it, then it would be tunneled back to VLAN30.

How does the WLC perform forwarding in this case? Does it read the destination MAC or the destination IP? How does it know that it needs to send the traffic to the core for routing first?

Also, the WLC and the APs exchange certificates to authenticate each other. My WLC in a VM did that with an AP I got off eBay.

How does the WLC know that the AP is authorized to join the network, though? Doesn’t every cisco AP come with one? I suppose that you can tweak them or use your own?

Thank you.
David