New Member

Encrypted L3 Communications Between LAP and WLC?

Hi All,

I am working with a client that wants to put LAPs remote to their WLC (a 4402). The rub is that the communications between the LAP and WLC must be secure even across their private WAN! I have a couple of resulting questions if anyone is able to help:

  1. I can't find out whether, and which, encryption method (is it AES etc.?) is used on the backhaul between LAPs and the WLC, and what's involved.
    1. Terminology may be wrong here: this is not a wireless mesh, just conventional LAP to WLC.
  2. The client's WAN is already encrypted (IPSec VPN over VPLS) in parts. What's the consequence of running AP<-->WLC with end-to-end encryption (if possible) over a WAN with IPSec, i.e. double encryption?

Strange but true - any pointers will be much appreciated.... Phil.C

1 ACCEPTED SOLUTION
Gold

Re: Encrypted L3 Communications Between LAP and WLC?

With a 4400 series controller the control traffic between the AP and controller is already AES encrypted. The user traffic is not encrypted. If you use a 5508 controller all traffic between the AP and controller is AES encrypted.

As for running the traffic through a VPN, that should work. The issue I typically see with this is with the MTU. The controller will drop any packets with a data payload less than 32 bytes. Depending on the MTU over the VPN I have seen packets get fragmented, and this has been an issue. If you are using one of the CAPWAP versions (5.2 or newer) dynamic MTU discovery is part of the protocol and this MTU issue really doesn't exist.
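The MTU point in the accepted answer is worth quantifying: every layer the AP-to-controller traffic is wrapped in (CAPWAP, optionally DTLS on a 5508, then the WAN's IPsec tunnel) adds header bytes, and once the stack exceeds the WAN MTU the packet fragments. The following Python is an added example, not code from the thread or from Cisco. Header sizes are the standard values; the IPsec figures assume ESP tunnel mode with AES-CBC and HMAC-SHA1-96, the DTLS figures assume AES-CBC with SHA-1 (the 5508 data-encryption case), the 1500-byte WAN MTU is a constructed default, and the 32-byte minimum payload is the answer's own claim included as a check. The `max_payload` search approximates what CAPWAP's dynamic MTU discovery settles on.

```python
"""Encapsulation overhead model for LAP-to-WLC traffic carried over an IPsec WAN.

Reports, for one 802.11 data frame, whether it is dropped by the controller
(payload under 32 bytes, per the thread), fragmented on the WAN, or fine.
Header sizes are standard; cipher-dependent figures are labelled assumptions.
"""

IPV4_HDR = 20
UDP_HDR = 8
CAPWAP_HDR = 8          # minimum CAPWAP header (RFC 5415)
DOT11_HDR = 24          # 802.11 data frame header carried inside CAPWAP
MIN_CONTROLLER_PAYLOAD = 32  # claim from the accepted answer, modelled as a drop rule
DEFAULT_WAN_MTU = 1500  # constructed default for the examples below

# ESP tunnel mode, AES-CBC + HMAC-SHA1-96 (assumption):
# outer IPv4 + SPI/sequence (8) + IV (16) + pad-length/next-header (2) + ICV (12)
ESP_FIXED = IPV4_HDR + 8 + 16 + 2 + 12
CBC_BLOCK = 16

# DTLS record, AES-CBC + SHA-1 (assumption): 13-byte header, 16-byte explicit IV,
# 20-byte MAC, 1 padding-length byte, then padding to the block size
DTLS_FIXED = 13 + 16 + 20 + 1


def esp_overhead(inner_len: int) -> int:
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes."""
    pad = (-(inner_len + 2)) % CBC_BLOCK   # inner packet + 2-byte trailer padded to block
    return ESP_FIXED + pad


def dtls_overhead(plain_len: int) -> int:
    """Bytes a DTLS record adds around plain_len bytes of CAPWAP payload."""
    pad = (-(plain_len + 20 + 1)) % CBC_BLOCK  # plaintext + MAC + pad-length byte
    return DTLS_FIXED + pad


def capwap_packet_size(payload: int, dtls: bool = False) -> int:
    """Size of the IP packet the AP emits for one frame with `payload` data bytes.
    Simplification: with DTLS the whole CAPWAP header + 802.11 frame is encrypted."""
    inner = CAPWAP_HDR + DOT11_HDR + payload
    if dtls:
        inner += dtls_overhead(inner)
    return IPV4_HDR + UDP_HDR + inner


def wan_packet_size(payload: int, dtls: bool = False) -> int:
    """Size of the same frame once the WAN's IPsec tunnel wraps the CAPWAP packet."""
    capwap = capwap_packet_size(payload, dtls)
    return capwap + esp_overhead(capwap)


def analyze(payload: int, wan_mtu: int = DEFAULT_WAN_MTU, dtls: bool = False) -> str:
    """Outcome for one frame: 'dropped', 'fragmented' or 'ok'."""
    if payload < MIN_CONTROLLER_PAYLOAD:
        return "dropped"
    return "fragmented" if wan_packet_size(payload, dtls) > wan_mtu else "ok"


def max_payload(wan_mtu: int = DEFAULT_WAN_MTU, dtls: bool = False) -> int:
    """Largest data payload that crosses the WAN without fragmenting.
    wan_packet_size is non-decreasing in payload, so a binary search suffices."""
    lo, hi = 0, wan_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if wan_packet_size(mid, dtls) <= wan_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for dtls in (False, True):
        label = "5508 (DTLS data)" if dtls else "4400 (clear data)"
        print(f"{label}: largest unfragmented payload = {max_payload(dtls=dtls)} bytes")
    for size in (16, 500, 1400):
        print(f"payload {size:4d} bytes -> {analyze(size)}")
```

The two `max_payload` results show the cost of "double encryption" directly: the DTLS case loses further headroom on top of the IPsec overhead, which is exactly the fragmentation the answer describes on pre-CAPWAP code, and the figure CAPWAP's MTU discovery would have to settle below.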
