Ports used by LWAPP/CAPWAP
General Information
Permit these ports for LWAPP/CAPWAP communication when there is a firewall between the wireless LAN controller and the APs.
Checklist
- Source and destination IPs
- Which of the services listed below you will be using
The Services/Ports
Enable these UDP ports for LWAPP traffic:
- Data: 12222
- Control: 12223
Enable these UDP ports for CAPWAP traffic:
- Data: 5247
- Control: 5246
Enable these UDP ports for Mobility traffic:
- 16666: Secured Mode
- 16667: Unsecured Mode
- IP protocol 97 must be allowed on the firewall to allow EtherIP packets.
- If you use ESP to encapsulate mobility packets, you have to permit ISAKMP through the firewall by opening UDP port 500.
- You also have to allow IP protocol 50 so that the encrypted data can pass through the firewall.
These ports are optional (depending on your requirements):
- TCP 161 and 162 for SNMP (for the Wireless Control System [WCS])
- UDP 69 for TFTP
- TCP 80 and/or 443 for HTTP or HTTPS for GUI access
- TCP 23 and/or 22 for Telnet or secure shell (SSH) for CLI access
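The checklist and the AP and mobility ports above, turned into address-scoped firewall rules. This is an added example, not vendor code: the function and service names are hypothetical, the iptables FORWARD output format is one possible target, and it assumes APs initiate LWAPP/CAPWAP to the controller while mobility traffic flows both ways between controllers. The optional management ports are left out.

```python
import ipaddress

# Protocol/port pairs copied from the list above; port None means a bare IP protocol.
SERVICES = {
    "lwapp": [("udp", 12222), ("udp", 12223)],             # data, control
    "capwap": [("udp", 5247), ("udp", 5246)],              # data, control
    "mobility_secured": [("udp", 16666), ("97", None)],    # plus EtherIP
    "mobility_unsecured": [("udp", 16667), ("97", None)],  # plus EtherIP
    "mobility_esp": [("udp", 500), ("50", None)],          # ISAKMP, ESP
}
# Assumption: these flow AP -> controller; everything else is controller <-> controller.
AP_SERVICES = {"lwapp", "capwap"}


def build_rules(ap_net, wlc_ips, services, peer_wlc_ips=()):
    """Return iptables FORWARD rules scoped to the given addresses and services."""
    ap_net = ipaddress.ip_network(ap_net)                  # raises ValueError on bad input
    wlcs = [ipaddress.ip_address(ip) for ip in wlc_ips]
    peers = [ipaddress.ip_address(ip) for ip in peer_wlc_ips]
    unknown = set(services) - set(SERVICES)
    if unknown:
        raise ValueError(f"unknown services: {sorted(unknown)}")
    if set(services) - AP_SERVICES and not peers:
        raise ValueError("mobility services need at least one peer controller")

    flows = []
    for name in services:
        for proto, port in SERVICES[name]:
            if name in AP_SERVICES:
                flows += [(ap_net, w, proto, port) for w in wlcs]
            else:  # mobility runs both ways between controllers
                for w in wlcs:
                    for p in peers:
                        flows += [(w, p, proto, port), (p, w, proto, port)]

    rules = []
    for src, dst, proto, port in dict.fromkeys(flows):     # drop duplicates, keep order
        dport = f" --dport {port}" if port is not None else ""
        rules.append(f"iptables -A FORWARD -s {src} -d {dst} -p {proto}{dport} -j ACCEPT")
    return rules


if __name__ == "__main__":
    # Constructed sample addresses (documentation ranges).
    for rule in build_rules("192.0.2.0/24", ["198.51.100.10"],
                            ["capwap", "mobility_secured"], ["203.0.113.10"]):
        print(rule)
```

Return traffic is assumed to be handled by an existing connection-tracking rule on the firewall. Selecting only the services in use keeps unused ports such as the LWAPP pair closed.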