"depends on your code revision"
i performed some testing and packet inspection using 4.x code a year ago
while troubleshooting some ap association/controller roaming issues
in the end we disabled otap completely because it just imports a random
list of controllers from any nearby otap capable ap. and then it tries
every controller on the list simultaneously. the first controller to
respond with an "ok" message is where the ap will go to download
code/configuration info. there are 2 caveats.
1. If an outside/foreign OTAP capable ap receives a list of your
controllers from one of your OTAP capable aps, that foreign ap can and
will attempt to associate to your controller. unless your controller
has otap disabled, or you have configured whitelist/blacklist, your
controller *will* allow the ap to associate and download
code/configuration.
2. If you have OTAP disabled on some/all of your controllers, then any
AP that attempts to associate and flags the association packet with the
discovery method "otap" (i can't remember the complete list, but there
are several different flags that can be set in the lwapp packet, some of
them include option 43/dhcp discovered controller, assigned/configured
controller (previously known/cached), DNS discovered/master
(cisco-lwapp-controller.wherever.edu), or OTAP (or as i like to call it,
random list of controllers from who knows where)).  Anyways, if your
lwapp discovery packet is flagged as otap, and your controller has otap
disabled, then the controller will ignore/reject association requests
from that AP.
Once your ap has associated to a controller via OTAP, it may or may not
fall back properly (as far as i can tell, it's inconsistent or at least
it was in the 4.x code).
So our best practice here at a&m was to disable otap completely, and
rely on dhcp/option 43 and DNS to provide proper controller information
to each ap.
--
Justin Hao
Network Engineer
Texas A&M University
Networking and Information Security
[email protected]
(979)862-2162
Daniel Husand wrote:
On 25/08/2009 18:02, Lee H Badman wrote:
FYI
Block CAPWAP/LWAPP at your edge, be happy.
Anyhow, I wonder, if an AP has been associated with a controller
before, and discovers an OTAP controller on reboot; which one will it
select?
**********
Participation and subscription information for this EDUCAUSE Constituent Group
discussion list can be found at http://www.educause.edu/groups/.