Ports used by LWAPP/CAPWAP

General Information

Permit these ports for LWAPP/CAPWAP communication when there is a firewall in between the wireless LAN controller and the APs.


  • Source and destination IPs
  • What services you will be using from the below

Enable these UDP ports for LWAPP traffic:

  • Data: 12222
  • Control: 12223

Enable these UDP ports for CAPWAP traffic:

  • Data: 5247
  • Control: 5246

Enable these UDP ports for Mobility traffic:

  • 16666: Secured Mode
  • 16667: Unsecured Mode
  • IP protocol 97 must be allowed on the firewall to allow EtherIP packets.
  • If you use ESP to encapsulate mobility packets, you have to permit ISAKMP through the firewall when you open UDP port 500.
  • You also have to open the IP protocol 50 to allow the encrypted data to pass through the firewall.

These ports are optional (depending on your requirements):

  • TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
  • UDP 69 for TFTP
  • TCP 80 and/or 443 for HTTP or HTTPS for GUI access
  • TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access
  • security_wiki/ports_used_by_lwapp_capwap.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)