Damn You, CAPWAP Tunnels… Damn You All to Hell

There comes a time in every person’s life when they have to face the truth: maybe their CAPWAP tunnels that have been so good for so long actually have a dark side… Maybe them tunnels make you feel empowered, nay- maybe they make you feel invincible when it comes to creatively using VLANs in your overall Wireless LAN construct… and maybe someday that good thing leaves you in a bad place. Maybe.

Let’s pause for some lyrics from the immortal Waylon Jennings’ song “Wrong”:

I should have known it all along
When the future looks too bright can’t be anything but right

Everything was going strong
The sky was always blue I thought my dreams had all come true

Let’s get right to it: CAPWAP TUNNELS SPOIL YOU.

You’ve been using a WLAN solution for a lot of years. It’s been buggy at times, the vendor has left you frustrated on countless levels. You’re thinking “shit I would freakin love to finally ditch controllers and that bloated, semi-functional NMS and move to a cloud WLAN solution for my thousands of wireless access points” – WAPs for some of you (shut it- you know who you are)… But then you run into the CAPWAP tunnel thing and a big honkin Layer 2 quandary down in your switches.

If I have a controller-based WLAN, I can get away with this at the AP uplink port, which clearly gets the Polly Pony Seal of Approval:

But alas, take away the CAPWAP tunnel construct and you are left with something less savory, and Cactus Mike isn’t digging it:

I gotta agree with Cactus Mike- in very large WLAN environments, the thought of no CAPWAP tunnels sucks ass. Sure, maybe a radical redesign of the LAN that underpins the WLAN would help, by pushing L3 out closer to the edge and reducing the need for VLANs. But such undertakings aren’t always a possibility, and if they are a possibility, the timing of redesign opportunities may not line up. Back to topic.
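To make the L2 difference concrete, here is an added example (mine, not from the post) that models the two AP uplink-port shapes the post contrasts: an access port in the management VLAN when a CAPWAP controller terminates the user VLANs, versus a trunk carrying every SSID VLAN when the AP bridges locally. The switch, port, SSID and VLAN values are constructed sample data, and the switchport syntax is IOS-style, assumed for illustration.

```python
# Added example (not from the post): models the AP uplink-port difference the
# post describes. Switch, port, SSID and VLAN values are constructed sample data,
# and the switch syntax is IOS-style, assumed for illustration.
MGMT_VLAN = 10                                        # AP management VLAN
SSID_VLAN = {"corp": 100, "guest": 200, "iot": 300}   # SSID -> user VLAN
# edge switch -> {AP uplink port -> SSIDs broadcast by the AP on that port}
CAMPUS = {
    "edge-a": {"Gi1/0/1": ["corp", "guest"], "Gi1/0/2": ["corp", "guest"]},
    "edge-b": {"Gi1/0/5": ["corp", "guest", "iot"]},
}

def ap_port_config(port, ssids, tunneled):
    """Config lines for one AP uplink.
    tunneled=True: user VLANs terminate in the CAPWAP controller, so the port is
    a plain access port in the management VLAN (the 'Polly Pony' case).
    tunneled=False: the AP bridges clients locally, so the port is a trunk that
    must carry every VLAN behind the AP's SSIDs (the 'Cactus Mike' case)."""
    lines = [f"interface {port}"]
    if tunneled:
        return lines + [" switchport mode access",
                        f" switchport access vlan {MGMT_VLAN}"]
    # Allow only the VLANs this AP needs rather than 'all': least privilege on the trunk.
    allowed = sorted({MGMT_VLAN} | {SSID_VLAN[s] for s in ssids})
    return lines + [" switchport mode trunk",
                    f" switchport trunk native vlan {MGMT_VLAN}",
                    " switchport trunk allowed vlan " + ",".join(map(str, allowed))]

def vlan_footprint(tunneled):
    """VLANs that must be extended to each edge switch under each design."""
    footprint = {}
    for switch, ports in CAMPUS.items():
        vlans = {MGMT_VLAN}
        if not tunneled:
            for ssids in ports.values():
                vlans |= {SSID_VLAN[s] for s in ssids}
        footprint[switch] = vlans
    return footprint

def trunk_port_count(tunneled):
    """How many AP-facing edge ports become trunks under each design."""
    return 0 if tunneled else sum(len(ports) for ports in CAMPUS.values())

if __name__ == "__main__":
    for mode in (True, False):
        print("tunneled" if mode else "bridged", vlan_footprint(mode),
              "trunk ports:", trunk_port_count(mode))
        print("\n".join(ap_port_config("Gi1/0/5", CAMPUS["edge-b"]["Gi1/0/5"], mode)))
```

The per-switch footprint is what has to be stretched across the L2 domain once the tunnel goes away; pruning the allowed list per port keeps each trunk from carrying VLANs that AP never serves.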

Am I suggesting that by going to a cloud-managed WLAN solution that CAPWAP tunnels aren’t possible? Yes and no… Some cloud vendors recognize Cactus Mike’s conclusion, others not so much. I have not actually used any of the following solutions, but I do appreciate that they recognize that “switching to cloud” and “ditching the controller” isn’t all that easy for those of us with CTA (CAPWAP Tunnel Addiction):


Aruba: (link is here)

Extreme definitely has an answer but I’m not finding the right link. Will edit

Mist: (link is here)

Ruckus: (link is here)

By no means is this summary meant to be comprehensive. And, if you were to drill into any of these, I’m not sure they would each stand up as an answer to “how do we ditch our current controllers, terminate VLANs somewhere, yet move the rest of the show out to the cloud while retaining our CAPWAP tunnels and not doing a massive L2 reconfiguration?”, as I have not tested any of them.

But- I do appreciate that the situation is being recognized and addressed by major vendors. AND- I am surprised that at least one long-running pure cloud innovating powerhouse vendor has yet to provide an answer to the situation. As long as the only answer is to configure the uplink to a cloud-managed AP as if it were an old fat legacy access point, they won’t be getting an invite to Cactus Mike’s summer bash…

Your thoughts on the topic?

11 thoughts on “Damn You, CAPWAP Tunnels… Damn You All to Hell”

  1. Timothy O'Hara

    One other issue to ponder. Assuming you are using some sort of WPA-Enterprise flavor, in a controller based network, the controllers end up being the RADIUS authenticators, so you only have to set those limited number of devices up on the server. If you do cloud based management, EVERY AP becomes a RADIUS authenticator.

    1. wirednot Post author

      Right you are. I’ve been doing cloud WLAN with 802.1X in branches in the US and Europe for many years, and it is a slightly different animal for sure when it comes to RADIUS.

    1. Steve B

      +1 for what Clint said. MR-MX VPN concentrator mode on a specific SSID fulfills the same requirement – in my case dropping guest traffic into a DMZ at L2 so it can then egress via a dedicated internet link. Downside is scaling-wise it’s a tunnel per SSID, per AP, so watch out for the MX tunnel capacity.

      That said, I will be able to drop even this tunneling when I have SD-WAN in place and can allow guests to go direct to the internet via Cloud SGW. I’m confident almost all designs that currently tunnel back to an anchor/concentrator can be resolved through alternative means now.

  2. males149

    In category for entire redesign to nix CAPWAP. Will keep you posted on the adventure. Many vendors with fabric solutions (C, A, E among others), so our current vendor may or may not be “The One”… we’ll see!

  3. Wifitodd

    Aruba Central Cloud Mgmt with Gateways (WLAN Controllers running AOS10) provides a termination point for the GRE tunnels. You get the best of both worlds: fantastic Cloud Mgmt platform, Gateways to terminate your AP traffic, AI with a deep data lake, and Wi-Fi Certified AP(s) that also serve as a multifunction IoT platform.

  4. Pingback: Networking Industry Update 2021-05 – loopback1.net
