====== Ports used by LWAPP/CAPWAP ======

**General Information**

Permit these ports for LWAPP/CAPWAP communication when there is a firewall between the wireless LAN controller and the APs.

**Checklist**

  * Source and destination IPs
  * Which of the services below you will be using

----

===== The Services/Ports =====

__Enable these UDP ports for LWAPP traffic:__

  * Data: 12222
  * Control: 12223

__Enable these UDP ports for CAPWAP traffic:__

  * Data: 5247
  * Control: 5246

__Enable these UDP ports for Mobility traffic:__

  * 16666: Secured Mode
  * 16667: Unsecured Mode
  * IP protocol 97 must be allowed on the firewall to allow EtherIP packets.
  * If you use ESP to encapsulate mobility packets, you have to permit ISAKMP through the firewall by opening UDP port 500.
  * You also have to open IP protocol 50 to allow the encrypted data to pass through the firewall.

These ports are optional (depending on your requirements):

  * TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
  * UDP 69 for TFTP
  * TCP 80 and/or 443 for HTTP or HTTPS for GUI access
  * TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access
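
The checklist and port list above, written as a ruleset scoped by source and destination IP, as an added example that is not part of the original page. Using nftables on a Linux firewall is an assumption, as are all addresses (documentation ranges), the direction of each flow, and the choice to leave unsecured mobility (16667), Telnet, HTTP, SNMP and TFTP closed. It also assumes this firewall forwards only AP/controller traffic; merge the rules into an existing forward chain otherwise.

```nft
#!/usr/sbin/nft -f
# Constructed example: every address below is a placeholder from a documentation range.
define wlc        = 192.0.2.10         # controller interface the APs join (assumed)
define peer_wlc   = 192.0.2.20         # mobility peer controller (assumed)
define ap_net     = 198.51.100.0/24    # AP subnet (assumed)
define admin_host = 203.0.113.5        # management workstation (assumed)

table inet wlc_fw {
    chain forward {
        # Default deny: only the services actually in use are opened below.
        type filter hook forward priority 0; policy drop;

        # Replies to flows already permitted by the rules below
        ct state established,related accept

        # CAPWAP from APs to the controller: control 5246, data 5247
        ip saddr $ap_net ip daddr $wlc udp dport { 5246, 5247 } accept

        # LWAPP: data 12222, control 12223. Delete if no LWAPP APs remain.
        ip saddr $ap_net ip daddr $wlc udp dport { 12222, 12223 } accept

        # Mobility between controllers: UDP 16666 (secured mode) and EtherIP (protocol 97)
        ip saddr { $wlc, $peer_wlc } ip daddr { $wlc, $peer_wlc } udp dport 16666 accept
        ip saddr { $wlc, $peer_wlc } ip daddr { $wlc, $peer_wlc } ip protocol 97 accept

        # Only when mobility packets are ESP-encapsulated: ISAKMP (UDP 500) and ESP (protocol 50)
        ip saddr { $wlc, $peer_wlc } ip daddr { $wlc, $peer_wlc } udp dport 500 accept
        ip saddr { $wlc, $peer_wlc } ip daddr { $wlc, $peer_wlc } ip protocol 50 accept

        # Optional management access: SSH and HTTPS only, from a single admin host
        ip saddr $admin_host ip daddr $wlc tcp dport { 22, 443 } accept
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet wlc_fw`; remove any block whose service is not on your checklist.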