
New Member

5508 WLC to replace an existing 4402 WLC - DMZ

Hello,

We are implementing a new 5508 WLC to replace an existing 4402 WLC. This will be a DMZ Controller to host our guest and mobility SSIDs.

On our current 4402 we have the clients and the management all on one subnet. On the new 5508 we were looking to separate each SSID onto its own subnet.

Does CAPWAP communicate to the management interface? The current DMZ controller uses 10.x.x.10 as the endpoint when building the mobility group X1DMZMG. We can't find any hits on the ACL entry in the ASA, so I'm guessing that the inside controllers are setting up the connection?

Thanks for any and all input!!

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Purple

Re: 5508 WLC to replace an existing 4402 WLC - DMZ

Yes, all CAPWAP tunnels coming from APs (destination port UDP 5246 for control traffic and 5247 for user traffic) terminate on the 5508 management interface.

If you have multiple controllers and are establishing mobility tunnels between them, it will use EoIP to do this.

HTH

Rasika

**** Pls rate all useful responses ****

4 REPLIES
New Member

Re: 5508 WLC to replace an existing 4402 WLC - DMZ

Thank you Rasika!

One more question. We were wondering if the connection is set up from the DMZ controller to the inside controller, from the inside controller to the DMZ controller, or both?

VIP Purple

5508 WLC to replace an existing 4402 WLC - DMZ

Inter-controller mobility control traffic uses UDP port 16666 (both source and destination port).

Inter-controller user traffic uses EoIP (IP protocol 97).

You have to allow this bi-directionally, as traffic can flow from inside to DMZ and from DMZ to inside controllers.

HTH

Rasika

**** Pls rate all useful responses ****

5508 WLC to replace an existing 4402 WLC - DMZ

Yes, you need to allow the bi-directional traffic between the DMZ and the controllers.
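As an added example (not from the thread, the posters, or Cisco), a small Python check that parses simplified ASA-style permit entries and reports which of the bi-directional inside/DMZ controller flows named above (UDP 16666 mobility control, IP protocol 97 EoIP user traffic) the ACL would not permit. The controller addresses and ACL lines are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed placeholder addresses for the two controllers' management interfaces.
INSIDE_WLC, DMZ_WLC = "10.0.0.10", "10.1.1.10"
# Constructed ACLs: ONE_WAY opens inside -> DMZ only; FULL adds the return direction.
ACL_ONE_WAY = ["permit udp host 10.0.0.10 host 10.1.1.10 eq 16666",
               "permit 97 host 10.0.0.10 host 10.1.1.10",
               "deny ip any any"]
ACL_FULL = ACL_ONE_WAY + ["permit udp host 10.1.1.10 host 10.0.0.10 eq 16666",
                          "permit 97 host 10.1.1.10 host 10.0.0.10"]

@dataclass(frozen=True)
class Ace:
    proto: Optional[int]  # IP protocol number; None means "ip" (any protocol)
    src: str              # host address or "any"
    dst: str
    port: Optional[int]   # destination port from "eq N", else None

def parse_ace(line: str) -> Optional[Ace]:
    """Parse 'permit <udp|tcp|ip|NN> (host A|any) (host B|any) [eq N]'; anything else -> None."""
    t = line.split()
    if len(t) < 4 or t[0] != "permit":
        return None
    proto = {"ip": None, "udp": 17, "tcp": 6}.get(t[1], int(t[1]) if t[1].isdigit() else -1)
    i, addrs = 2, []
    for _ in range(2):  # source, then destination
        if t[i] == "any":
            addrs.append("any"); i += 1
        elif t[i] == "host" and i + 1 < len(t):
            addrs.append(t[i + 1]); i += 2
        else:
            return None  # subnet/object-group forms are out of scope for this check
    port = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
    return Ace(proto, addrs[0], addrs[1], port)

def permits(ace: Ace, proto: int, src: str, dst: str, dport: Optional[int]) -> bool:
    return ((ace.proto is None or ace.proto == proto)
            and ace.src in ("any", src) and ace.dst in ("any", dst)
            and (ace.port is None or ace.port == dport))

def required_flows(inside: str, dmz: str):
    """Flows the thread says must be open in both directions: UDP 16666 and IP protocol 97."""
    return [f for a, b in ((inside, dmz), (dmz, inside)) for f in (
        (17, a, b, 16666, f"mobility control UDP/16666 {a} -> {b}"),
        (97, a, b, None, f"EoIP user traffic (IP protocol 97) {a} -> {b}"))]

def missing_flows(acl: List[str], inside: str, dmz: str) -> List[str]:
    aces = [a for a in map(parse_ace, acl) if a]  # describe required flows no permit covers
    return [desc for proto, s, d, p, desc in required_flows(inside, dmz)
            if not any(permits(a, proto, s, d, p) for a in aces)]
```

The check ignores entry order and only recognises host/any addresses, so it is a sanity check on the two controller-to-controller flows, not a full ACL evaluator.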
