Guest WLAN Deployment, and the EtherIP Process from Campus to DMZ WLCs

Unanswered Question
Apr 16th, 2008

Hi All,

In the WLC deployment guide

It has a very nice and easy way to understand how traffic is passed from the wifi device to the LAN device as listed below.

Now, what happens when there is a controller in the DMZ and the WLC on the campus passes this traffic to that controller via Ethernet over IP?

Is the 802.11 header preserved or is it stripped off at the campus WLC? One would assume it is preserved as the WLC in the DMZ may need to act on information in the 802.11 header?

Can anyone help me on this please?

Is there a similar example to the one listed below, but for the full flow from end-user wifi device to the guest controller in the DMZ?

Many thx


In Figure 3, Host A is a wireless LAN client communicating with the wired device, Host B. When Host A sends a data packet to Host B, the following sequence occurs:

• The packet is transmitted by Host A over the 802.11 RF interface. This packet is encapsulated in an 802.11 frame with Host A's MAC address as the source address and the access point's radio interface MAC address as the destination address.

• At the access point, the access point adds an LWAPP Header to the frame with the C-Bit set to zero and then encapsulates the LWAPP Header and 802.11 frame into a UDP packet that is transmitted over IP. The source IP address is the access point's IP address and the destination IP address is the WLC's AP Manager Address. The source UDP port is the ephemeral port based on a hash of the access point MAC address. The destination UDP port is 12222.

• The IP packet is encapsulated in Ethernet as it leaves the access point and transported by the switching and routed network to the WLC.

• At the WLC, the Ethernet, IP, UDP, and LWAPP headers are removed from the original 802.11 frame.

• After processing the 802.11 MAC header, the WLC extracts the payload (the IP packet from Host A), encapsulates it into an Ethernet frame, and then forwards the frame onto the appropriate wired network, typically adding an 802.1Q VLAN tag.

• The packet is then transmitted by the wired switching and routing infrastructure to Host B.


When Host B sends an IP packet to Host A, the process is essentially reversed:

• The packet is delivered by the wired switching and routing network to the WLC, where an Ethernet frame arrives with Host A's MAC address as the destination MAC address.

• The Ethernet header is removed by the WLC and the payload (the IP packet destined for Host A) extracted.

• The original IP packet from Host A is encapsulated with an LWAPP Header, with the C-bit set to zero, and then transported in a UDP packet to the access point over the IP network. The packet uses the WLC AP Manager IP address as the source IP address and the access point IP address as the destination address. The source UDP port is 12222 and the destination UDP port is the ephemeral port derived from the access point MAC address hash.

• This packet is carried over the switching and routing network to the access point.

• The access point removes the Ethernet, IP, UDP and LWAPP headers, and extracts the payload, which is then encapsulated in an 802.11 frame and delivered to Host A over the RF network.

kfarrington Thu, 04/17/2008 - 23:48

Hi There, no worries. Would be good if there was a doco on it.

From packet captures (see attached) it looks like when the campus WLC gets the original 802.11 packet (which is encap'd in LWAPP), the campus WLC strips off the LWAPP stuff and removes the 802.11 packet header, and just rebuilds the original packet with an 802.3 packet header.


The WLC encaps the packet with a new ethernet/IP header and sends it off to the DMZ WLC.

I hope this is the way it works, and if anyone does have documentation to confirm it, that would be fantastic.

Many thx and kind regards,
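
To check a capture of the campus-to-DMZ tunnel against the behaviour described in the reply above, the following decoder reads the outer IPv4 header, the EtherIP header and the inner Ethernet header. It is an added example, not code from the thread or from Cisco documentation; it assumes the tunnel uses RFC 3378 EtherIP framing over IP protocol 97, and the addresses, MACs and sample packet are constructed.

```python
import struct

ETHERIP_PROTO = 97  # IANA-assigned IP protocol number for EtherIP (RFC 3378)

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_etherip(pkt: bytes) -> dict:
    """Decode outer IPv4 + 2-byte EtherIP header + inner Ethernet header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # outer header length, options included
    if pkt[9] != ETHERIP_PROTO:
        raise ValueError(f"IP protocol {pkt[9]}, expected 97 (EtherIP)")
    if ihl < 20 or len(pkt) < ihl + 2 + 14:
        raise ValueError("truncated EtherIP packet")
    (hdr,) = struct.unpack_from("!H", pkt, ihl)
    inner = pkt[ihl + 2:]                # tunnelled frame starts after EtherIP header
    (ethertype,) = struct.unpack_from("!H", inner, 12)
    return {
        "outer_src": ip(pkt[12:16]),
        "outer_dst": ip(pkt[16:20]),
        "etherip_version": hdr >> 12,    # top 4 bits of the EtherIP header
        "rfc3378_header": hdr == 0x3000, # version 3, reserved bits zero
        "inner_dst_mac": mac(inner[0:6]),
        "inner_src_mac": mac(inner[6:12]),
        "inner_ethertype": ethertype,
        "inner_payload": inner[14:],
    }

def build_sample() -> bytes:
    """Constructed packet: campus WLC 10.0.0.5 -> DMZ WLC 192.0.2.10."""
    client_ip_pkt = b"\x45" + bytes(19)  # stand-in for the client's IP packet
    inner = (bytes.fromhex("00005e005301")    # constructed gateway MAC
             + bytes.fromhex("020000aaaa01")  # constructed client MAC
             + b"\x08\x00" + client_ip_pkt)
    total = 20 + 2 + len(inner)
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64,
                        ETHERIP_PROTO, 0,     # checksum left at 0 in this sample
                        bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return outer + b"\x30\x00" + inner

if __name__ == "__main__":
    for key, value in parse_etherip(build_sample()).items():
        print(key, value)
```

If the inner frame decodes with the client's MAC as source and a sensible EtherType, the 802.11 header has already been replaced by an 802.3 header before tunnelling; a firewall between the two controllers then only sees IP protocol 97 for this data path.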


