Does anyone know if it's possible for an LWAP to connect to a vWLC directly over the internet (not a VPN/WAN link)?
While I appreciate there is a security risk involved (as the CAPWAP data is unencrypted), this is purely for a research and development project relating to SDN. There will be no corporate traffic passing over the tunnel.
I see this as almost a backwards OEAP deploy.
I'm trying to avoid shipping an AP to him, configuring OEAP, shipping it back and deploying it here, or working out some kind of LAN-to-LAN deployment.
We have a home-based developer with virtual Prime, MSE and a WLC, but would like to connect an AP from our HQ, which has significantly more footfall than his remote site, to his local WLC.
I've consoled into the LWAP I have in our sandbox network here in the office and manually configured settings to define his public address as the WLC (which in turn has port forwarding enabled to forward CAPWAP traffic to his WLC).
However, what appears to be happening is that the WLC is responding to the AP correctly and asks the AP to create a DTLS tunnel (I assume for the management connection), but the AP is trying to build this tunnel to the WLC's private IP, which of course is not routable over the Internet. Does the WLC provide the IP address of its management interface in its join response to the AP?
AP7426.ac51.b3c1#show capwap ip config
LWAPP Static IP Configuration
IP Address          172.16.1.240
IP netmask          255.255.255.0
Default Gateway     172.16.1.253
Primary Controller  126.96.36.199 (edited to hide real public address)

AP7426.ac51.b3c1#show capwap client rcb
AdminState                : ADMIN_ENABLED
SwVer                     : 188.8.131.52
NumFilledSlots            : 0
Name                      : AP7426.ac51.b3c1
Location                  : default location
MwarName                  : Cisco_8c:8f:8f
MwarApMgrIp               : 192.168.0.20
MwarHwVer                 : 0.0.0.0
ApMode                    : Local
ApSubMode                 : Not Configured
OperationState            : CAPWAP
Path MTU                  : 576
LinkAuditing              : disabled
AP Rogue Detection Mode   : Enabled
AP Tcp Mss Adjust         : Disabled
Predownload Status        : None
Auto Immune Status        : Disabled
RA Guard Status           : Disabled
Efficient Upgrade State   : Disabled
Efficient Upgrade Role    : None
TFTP Server               : Disabled
Is it possible to connect an LWAP to a WLC located in a different private subnet by manually configuring the AP to connect to a public IP address configured with NAT translation/port forwarding? Or does the WLC management IP address need to be directly routable from the AP?
Thanks in advance, and sorry for such an unorganized post.
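The symptom in this question (a public controller address answered with an RFC 1918 AP-manager address) and the two-port forwarding requirement in the reply below, as an added Python example that is not code from the thread or from Cisco. It parses the AP console output in the flattened layout quoted above, flags the join-address mismatch, and checks a NAT forwarding table for UDP 5246 and 5247 to the WLC management address. The sample output, the addresses and the port-forward table are all constructed for the example.

```python
"""Diagnose the CAPWAP-over-NAT join problem described in this thread.

Added example, not the poster's or Cisco's code. It parses the flattened
"show capwap ip config" / "show capwap client rcb" output quoted in the
question and checks the two things the thread turns on:

1. the AP was pointed at a public controller address, but the AP-manager
   address the WLC handed back (MwarApMgrIp) is RFC 1918, so the AP will try
   to bring up its CAPWAP/DTLS tunnel to an address that is not routable
   across the Internet (the symptom in the question);
2. the NAT device in front of the WLC forwards both CAPWAP ports, UDP 5246
   (control) and UDP 5247 (data), to the WLC management address (the
   requirement in the answer).

All sample text, addresses and the port-forward table are constructed.
"""
import ipaddress
import re

CAPWAP_UDP_PORTS = (5246, 5247)  # CAPWAP control and data

# RFC 1918 ranges checked explicitly: ipaddress.is_private would also flag the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) used below.
RFC1918_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

_IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample in the same flattened key/value layout as the question.
SAMPLE_IP_CONFIG = (
    "LWAPP Static IP Configuration IP Address 172.16.1.240 "
    "IP netmask 255.255.255.0 Default Gateway 172.16.1.253 "
    "Primary Controller 203.0.113.10"
)
SAMPLE_RCB = (
    "AdminState : ADMIN_ENABLED NumFilledSlots : 0 Name : AP7426.ac51.b3c1 "
    "MwarName : Cisco_8c:8f:8f MwarApMgrIp : 192.168.0.20 MwarHwVer : 0.0.0.0 "
    "ApMode : Local OperationState : CAPWAP Path MTU : 576"
)
# Constructed NAT table as (protocol, external port, internal address, internal port);
# deliberately missing the data-plane forward.
SAMPLE_FORWARDS = [("udp", 5246, "192.168.0.20", 5246)]


def is_rfc1918(addr):
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in RFC1918_NETWORKS)


def parse_primary_controller(ip_config_text):
    """Controller address the AP was statically pointed at, or None."""
    m = re.search(r"Primary Controller\s+" + _IPV4, ip_config_text)
    return m.group(1) if m else None


def parse_ap_manager_ip(rcb_text):
    """AP-manager address the WLC advertised in its response (MwarApMgrIp), or None."""
    m = re.search(r"MwarApMgrIp\s*:\s*" + _IPV4, rcb_text)
    return m.group(1) if m else None


def join_address_mismatch(primary, ap_mgr):
    """True when a public controller address led to an RFC 1918 join target."""
    return (primary is not None and ap_mgr is not None
            and not is_rfc1918(primary) and is_rfc1918(ap_mgr))


def missing_capwap_forwards(forwards, wlc_mgmt_ip):
    """CAPWAP UDP ports with no one-to-one forward to the WLC management address."""
    target = ipaddress.ip_address(wlc_mgmt_ip)
    forwarded = {ext for proto, ext, inside, inside_port in forwards
                 if proto.lower() == "udp" and ext == inside_port
                 and ipaddress.ip_address(inside) == target}
    return [p for p in CAPWAP_UDP_PORTS if p not in forwarded]


def diagnose(ip_config_text, rcb_text, forwards):
    """Return human-readable findings; an empty list means nothing was flagged."""
    primary = parse_primary_controller(ip_config_text)
    ap_mgr = parse_ap_manager_ip(rcb_text)
    findings = []
    if join_address_mismatch(primary, ap_mgr):
        findings.append(
            f"AP reached the WLC via {primary} but was told to join {ap_mgr} "
            "(RFC 1918): set the NAT address on the WLC management interface")
    if ap_mgr is not None:
        for port in missing_capwap_forwards(forwards, ap_mgr):
            findings.append(f"no UDP {port} forward to WLC management {ap_mgr}")
    return findings


if __name__ == "__main__":
    for line in diagnose(SAMPLE_IP_CONFIG, SAMPLE_RCB, SAMPLE_FORWARDS):
        print(line)
```

Run against the constructed sample it reports both problems: the WLC advertised 192.168.0.20 to an AP that reached it through a public address, and the NAT table forwards only the control port. The RFC 1918 membership test is written out rather than relying on `ipaddress.is_private`, which also treats the documentation ranges used for the sample public address as private and would hide the mismatch.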
You need to set up the WLC like it was an OEAP. You need to enter the NAT IP address in the management interface and also have a NAT translation that forwards UDP 5246 & UDP 5247 to the management IP of the WLC. DTLS doesn't need to be enabled if you don't want. This works, because I have had my peers connect an AP from their home to my home lab all over the USA. If you have local APs, which you probably don't, then you also need to configure this: