LWAPP and VLANs

Answered Question
Aug 2nd, 2010

Hi,

Please help me to understand one thing here. When using a WLC on a router, all APs are communicating with it using an encrypted tunnel via the LWAPP protocol. Now, according to the documentation, for every SSID you configure a separate VLAN to keep traffic isolated. My question is, why do you do that? This traffic is in the tunnel already, cannot be read by anyone else, and the WLC could recognize where it comes from just by checking the SSID, so what is the real benefit of VLANs here?

Regards,

Mariusz

zhenningx Mon, 08/02/2010 - 18:26

1st, lwapp tunnel is not encrypted, so packets can be read by someone. 2nd, by using VLANs, you limit the broadcast domain and other security exposures.

Zhenning

Surendra BG Mon, 08/02/2010 - 18:36

LWAPP control messages – Exchanges that are used to configure the LAP and manage its operation. The control messages are authenticated and encrypted so that the LAP is securely controlled by only the WLC.

LWAPP data - Packets to and from wireless clients associated with the LAP. The data is encapsulated within LWAPP, but is not encrypted or otherwise secured between the LAP and WLC.

Regards

Surendra
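To make the control/data distinction above concrete, here is a small Python parser (an added example, not code from this thread or from Cisco) that decodes the 6-byte LWAPP transport header per RFC 5412, separates control messages from data packets via the C bit, and for data packets checks the encapsulated 802.11 frame's Protected Frame bit, which is all that stands between a client's frame and a cleartext capture on the AP-to-WLC wire. The sample packets are constructed inline.

```python
import struct

# LWAPP transport header (RFC 5412): 6 bytes before the payload.
#   byte 0: VER(2) | RID(3) | C(1) | F(1) | L(1)    byte 1: Frag ID
#   bytes 2-3: payload length                        bytes 4-5: Status/WLANs
LWAPP_HDR = struct.Struct("!BBHH")
C_BIT, L_BIT = 0x04, 0x01
PROTECTED_FRAME = 0x40  # 802.11 Frame Control, 2nd byte: Protected Frame bit

def build_lwapp(control: bool, payload: bytes) -> bytes:
    """Wrap a payload in an LWAPP header (version 0, RID 0, unfragmented)."""
    flags = (C_BIT if control else 0) | L_BIT
    return LWAPP_HDR.pack(flags, 0, len(payload), 0) + payload

def parse_lwapp(packet: bytes) -> dict:
    """Split an LWAPP packet into header fields and the payload it carries."""
    flags, frag_id, length, status = LWAPP_HDR.unpack_from(packet)
    return {
        "version": flags >> 6,
        "rid": (flags >> 3) & 0x07,
        "control": bool(flags & C_BIT),  # 1 = control message, 0 = client data
        "frag_id": frag_id,
        "status": status,
        "payload": packet[LWAPP_HDR.size:LWAPP_HDR.size + length],
    }

def classify_lwapp(packet: bytes) -> str:
    """What a monitor on the AP-to-WLC wire sees: control traffic is protected by
    LWAPP itself; data is only as protected as the client's own 802.11 encryption."""
    info = parse_lwapp(packet)
    if info["control"]:
        return "control"
    fc = info["payload"]
    if len(fc) < 2:
        return "data-short"
    return "data-protected" if fc[1] & PROTECTED_FRAME else "data-cleartext"

# Constructed samples: an 802.11 data frame (FC type=data, ToDS=1) with a tiny body.
_ADDRS_SEQ = b"\x00\x00" + bytes(18) + b"\x00\x00"   # duration, addr1-3, seq ctl
OPEN_DATA = build_lwapp(False, b"\x08\x01" + _ADDRS_SEQ + b"hello")   # open SSID
WPA_DATA = build_lwapp(False, b"\x08\x41" + _ADDRS_SEQ + b"\xaa\xbb\xcc\xdd")
CONTROL = build_lwapp(True, b"\x01\x00\x00\x00")   # opaque control body

if __name__ == "__main__":
    for name, pkt in (("open", OPEN_DATA), ("wpa", WPA_DATA), ("ctrl", CONTROL)):
        print(name, classify_lwapp(pkt), parse_lwapp(pkt)["payload"][-5:])
```

On an open SSID the client's frame body is readable in the tunnel (the `hello` bytes above), which is why the per-SSID VLAN and wired-side controls still matter.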

George Stefanick Mon, 08/02/2010 - 21:14

Your question is a good one and to be honest is confusing to folks who are new to a central wireless solution. Let's break it down so you understand...

1. The access point builds an LWAPP tunnel from the access point to the AP Manager on your wireless controller

2. Inside this LWAPP tunnel (CAPWAP if you are using 5.2 code or newer), your wireless traffic traverses

3. Your wireless traffic generated at the access points destined for the wired side is aggregated to the wireless controller, specifically the wired interface in which your SSID is configured (under your WLAN / SSID -- it's a drop down)

4. When this traffic hits the wireless controller it is then sorted onto this wired interface (VLAN).

VLANs separate broadcast domains. Assume for a moment a device on VLAN 100 sends a broadcast; only devices on VLAN 100 see this broadcast... They say you shouldn't have more than 300 or so devices in a broadcast domain.

I hope this helps... Please rate posts that are helpful

mkoniuszko Tue, 08/03/2010 - 12:46

Thanks for your answers, but I've still got some doubts.

Let's say that I've got a LAP with two SSIDs configured connected to a switch. The AP Manager interface is in VLAN5. I assign the switch port with the LAP connected to VLAN5 then. Now, each SSID is assigned to a different VLAN in the controller, let's say SSID10 in VLAN10 and SSID20 in VLAN20. Data flow, as I see it, looks like this:

- LAP receives traffic from a client in SSID10

- traffic is sent via the LWAPP tunnel in VLAN5 to the router

- router forwards traffic still in VLAN5 via the trunk between router and controller

- controller receives it, reads the SSID, transforms the packet from 802.11 to 802.3 and assigns it to VLAN10

- packet is sent back to the router

Is that right ?

Regards,

Mariusz

Correct Answer
George Stefanick Sun, 08/08/2010 - 11:53

Correct. But you don't need to and it may not be recommended to put the APs on the AP MANAGER VLAN. So long as the AP can route to the controller management address it will build an end point connection with the AP manager.

Cool?

Please rate helpful post ...
