Cisco Support Community

LWAPP and VLAN's

Hi,

Please help me to understand one thing here. When using a WLC on a router, all APs communicate with it over an encrypted tunnel via the LWAPP protocol. Now, according to the documentation, for every SSID you configure a separate VLAN to keep traffic isolated. My question is, why do you do that? This traffic is in the tunnel already, cannot be read by anyone else, and the WLC could recognize where it comes from just by checking the SSID, so what is the real benefit of VLANs here?

Regards,

Mariusz

8 REPLIES
Bronze

Re: LWAPP and VLAN's

1st, the LWAPP tunnel is not encrypted, so packets can be read by someone. 2nd, by using VLANs, you limit the broadcast domain and other security exposures.

Zhenning

Cisco Employee

Re: LWAPP and VLAN's

LWAPP control messages – Exchanges that are used to configure the LAP and manage its operation. The control messages are authenticated and encrypted so that the LAP is securely controlled by only the WLC.

LWAPP data - Packets to and from wireless clients associated with the LAP. The data is encapsulated within LWAPP, but is not encrypted or otherwise secured between the LAP and WLC.

Regards

Surendra

Re: LWAPP and VLAN's

Your question is a good one and, to be honest, is confusing to folks who are new to a central wireless solution. Let's break it down so you understand...

1. The access point builds an LWAPP tunnel from the access point to the AP Manager on your wireless controller.

2. Inside this LWAPP tunnel (CAPWAP, if you are using 5.2 code or newer), your wireless traffic traverses.

3. Your wireless traffic generated at the access points and destined for the wired side is aggregated to the wireless controller, specifically the wired interface on which your SSID is configured (under your WLAN / SSID -- it's a drop-down).

4. When this traffic hits the wireless controller, it is then sorted onto this wired interface (VLAN).

VLANs separate broadcast domains. Assume for a moment a device on VLAN 100 sends a broadcast; only devices on VLAN 100 see this broadcast... They say you shouldn't have more than 300 or so devices in a broadcast domain.

I hope this helps... Please rate posts that are helpful.

__________________________________________________________________________________________ "Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin ___________________________________________________________
New Member

Re: LWAPP and VLAN's

Thanks for your answers, but I've still got some doubts.

Let's say that I've got a LAP with two SSIDs configured, connected to a switch. The AP Manager interface is in VLAN5. I then assign the switch port with the LAP connected to VLAN5. Now, each SSID is assigned to a different VLAN in the controller, let's say SSID10 in VLAN10 and SSID20 in VLAN20. The data flow, as I see it, looks like this:

- the LAP receives traffic from a client in SSID10
- the traffic is sent via the LWAPP tunnel in VLAN5 to the router
- the router forwards the traffic, still in VLAN5, via the trunk between the router and the controller
- the controller receives it, reads the SSID, transforms the packet from 802.11 to 802.3 and assigns it to VLAN10
- the packet is sent back to the router

Is that right?

Regards,

Mariusz

New Member

Re: LWAPP and VLAN's

Anyone?

Re: LWAPP and VLAN's

Correct. But you don't need to, and it may not be recommended, to put the APs on the AP MANAGER VLAN. So long as the AP can route to the controller management address, it will build an endpoint connection with the AP manager.

Cool?

Please rate helpful posts...

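The data path Mariusz lays out above and the accepted reply confirms, as an added example written for this page (not code from any post in the thread or from Cisco): it strips the LWAPP transport header, parses the inner 802.11 frame, and re-tags it onto the wired VLAN of its SSID. The BSSID-to-VLAN table, the addresses and the payload are constructed sample values, and the lookup assumes the WLC identifies the WLAN by the frame's BSSID.

```python
import struct

# Constructed model of the WLC data path from the thread: strip the LWAPP
# transport header, read the inner 802.11 frame, look up the WLAN by its
# BSSID, and emit an 802.1Q-tagged 802.3 frame on that WLAN's VLAN.
# Layouts follow RFC 5412 (LWAPP) and IEEE 802.11; all values are made up.

WLAN_TABLE = {                                   # assumed WLC config
    bytes.fromhex("00112233aa10"): ("SSID10", 10),
    bytes.fromhex("00112233aa20"): ("SSID20", 20),
}

def parse_lwapp(pkt):
    """Return (is_control, payload) from a 6-byte LWAPP transport header."""
    flags, _frag_id, length, _status = struct.unpack("!BBHH", pkt[:6])
    return bool(flags & 0x04), pkt[6:6 + length]  # C bit = control message

def parse_dot11_data(frame):
    """Parse a To-DS 802.11 data frame carrying LLC/SNAP; return its fields."""
    fc, _dur, a1, a2, a3, _seq = struct.unpack("<H2s6s6s6s2s", frame[:24])
    if (fc & 0x000c) != 0x0008:
        raise ValueError("not an 802.11 data frame")
    to_ds = bool(fc & 0x0100)
    return {"bssid": a1 if to_ds else a2, "sa": a2, "da": a3 if to_ds else a1,
            "protected": bool(fc & 0x4000),     # Protected Frame bit
            "ethertype": struct.unpack("!H", frame[30:32])[0],  # after SNAP
            "payload": frame[32:]}

def wlc_bridge(pkt):
    """Step 4 of the thread: sort the frame onto the wired VLAN of its SSID."""
    is_control, frame = parse_lwapp(pkt)
    if is_control:
        return None                              # control path not modeled
    d = parse_dot11_data(frame)
    ssid, vlan = WLAN_TABLE[d["bssid"]]
    tag = struct.pack("!HH", 0x8100, vlan)       # 802.1Q TPID + VID (PCP 0)
    eth = d["da"] + d["sa"] + tag + struct.pack("!H", d["ethertype"]) + d["payload"]
    return ssid, vlan, eth, d["payload"]

def build_sample():
    """Constructed client->AP frame on SSID10, as the LAP tunnels it to the WLC."""
    fc = struct.pack("<H", 0x0108)               # data frame, To-DS set
    dot11 = (fc + b"\x00\x00"                    # duration
             + bytes.fromhex("00112233aa10")     # Addr1 = BSSID of SSID10
             + bytes.fromhex("0a0b0c0d0e0f")     # Addr2 = client SA
             + bytes.fromhex("001122334455")     # Addr3 = wired DA
             + b"\x00\x00"                       # sequence control
             + bytes.fromhex("aaaa030000000800") # LLC/SNAP, EtherType IPv4
             + b"GET / HTTP/1.0")                # payload readable in tunnel
    return struct.pack("!BBHH", 0x00, 0, len(dot11), 0) + dot11
```

Because the inner frame arrives at the controller in cleartext, the payload string is readable at every hop of the LWAPP path, which is the point the replies make about why the tunnel alone is not isolation and the per-SSID VLAN is.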
New Member

Re: LWAPP and VLAN's

Now cool. Thanks.

Re: LWAPP and VLAN's

Thanks for the rating... let me know if you have any other questions.
