Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
3.6.3. CAPWAP
CAPWAP (Control And Provisioning of Wireless Access Points) is the tunnel protocol between lightweight APs and the WLC. Everything flows through this tunnel—control messages, management, and optionally client data.
| Traffic Type | UDP Port | Encryption | Contents |
|---|---|---|---|
| Control | 5246 | DTLS (mandatory) | AP config, client handoff, management |
| Data | 5247 | DTLS (optional) | Client traffic (in Local mode) |
What happens when the WLC becomes unreachable: Lightweight APs enter a limited "survivability" mode—existing clients stay connected, but no new clients can join, and you can't make configuration changes. That's why WLC redundancy matters. Some deployments use FlexConnect specifically so branches can survive WLC outages.
⚠️ Exam Trap: If CAPWAP ports (5246/5247 UDP) are blocked by a firewall between the AP and WLC, the AP can't join the controller. This is a common troubleshooting scenario.
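To work through the firewall scenario above, the following added example (not part of the original course material) evaluates an ordered rule list against both CAPWAP ports for a given AP and WLC. The rule format, the addresses, first-match evaluation, and the implicit deny are assumptions made for illustration; only the AP-to-WLC direction is checked.

```python
import ipaddress

# CAPWAP UDP ports from the table above.
CAPWAP_PORTS = {"control": 5246, "data": 5247}

# Constructed sample ACL in a hypothetical format, first match wins:
# (action, protocol, source network, destination network, destination port or None for any)
SAMPLE_ACL = [
    ("permit", "udp", "10.20.0.0/16", "10.1.1.10/32", 5246),
    ("deny",   "udp", "10.20.30.0/24", "10.1.1.10/32", 5247),
    ("permit", "udp", "10.20.0.0/16", "10.1.1.10/32", 5247),
    ("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", 443),
]


def first_match(acl, proto, src, dst, dport):
    """Return (action, rule_index) of the first matching rule; implicit deny if none match."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for idx, (action, r_proto, r_src, r_dst, r_port) in enumerate(acl):
        if r_proto != proto:
            continue
        if src_ip not in ipaddress.ip_network(r_src):
            continue
        if dst_ip not in ipaddress.ip_network(r_dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action, idx
    return "deny", None  # assumed implicit deny at the end of the list


def capwap_reachability(acl, ap_ip, wlc_ip):
    """Evaluate both CAPWAP tunnels from an AP to the WLC against the ACL."""
    result = {}
    for name, port in CAPWAP_PORTS.items():
        action, idx = first_match(acl, "udp", ap_ip, wlc_ip, port)
        result[name] = {"port": port, "allowed": action == "permit", "rule": idx}
    return result


def diagnose(acl, ap_ip, wlc_ip):
    """Summarize which CAPWAP tunnel, if any, the ACL blocks for this AP."""
    r = capwap_reachability(acl, ap_ip, wlc_ip)
    if not r["control"]["allowed"]:
        return "control blocked: AP cannot join the controller"
    if not r["data"]["allowed"]:
        return "data blocked: client data tunnel (UDP 5247) cannot reach the WLC"
    return "ok"
```

For the constructed AP at 10.20.30.5, the report points at rule index 1, a narrower deny placed ahead of the broader permit, which is the kind of shadowing that a port-by-port check surfaces.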