Before we begin, CAPWAP (Control and Provisioning of Wireless Access Points) is an IETF standard protocol defined in RFC 5415. It was developed to support interoperability among different vendors (various vendors have added a lot of proprietary extensions that deter interoperability). The IETF defines two operation modes: Local MAC and Split MAC. In Local MAC mode, data frames are tunneled or bridged as Ethernet frames. In Split MAC mode, all layer 2 data and management frames are encapsulated in CAPWAP and sent between the AP and the controller.
When the AP attempts to connect to the controller and begins the join phase, the CAPWAP path MTU is negotiated at this point. If you encounter EAP-TLS authentication issues, they may be due to fragmentation caused by the tunneling protocol overhead.
In the following example the AP is deployed at the remote site and connects to the Cisco WLC (Wireless LAN Controller) at the Data Centre as follows:
Configurations of the above devices
SB_Cisco 3650#
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 ip address 20.20.20.1 255.255.255.0

SB_Cisco 3850-A#
interface Vlan20
 ip address 20.20.20.2 255.255.255.0
!
interface Vlan30
 ip address 30.30.30.2 255.255.255.0
!
interface Tunnel1
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 tunnel source 30.30.30.2
 tunnel destination 30.30.30.3
 tunnel path-mtu-discovery

SB_Cisco 3850-B#
interface Vlan30
 ip address 30.30.30.3 255.255.255.0
!
interface Vlan40
 ip address 40.40.40.3 255.255.255.0
!
interface Tunnel1
 ip address 192.168.1.2 255.255.255.0
 no ip unreachables
 tunnel source 30.30.30.3
 tunnel destination 30.30.30.2
 tunnel path-mtu-discovery
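To make the fragmentation risk described above concrete, here is an added example (not code from the original post or from Cisco) that models the overhead a client frame picks up from CAPWAP encapsulation plus the GRE Tunnel1 hop in the configs above, and counts how many IP fragments a frame of a given size produces on a given path MTU. The header sizes are the standard minimums assumed for the example; real paths may add options, QoS fields or other encapsulations.

```python
import math

# Header sizes assumed for this example (standard minimums, not taken from the post).
IPV4_HDR = 20     # IPv4 header without options
UDP_HDR = 8
CAPWAP_HDR = 8    # CAPWAP header with no optional fields (RFC 5415, section 4.3)
GRE_HDR = 4       # GRE header without key, checksum or sequence fields
DOT11_HDR = 24    # 802.11 data frame header without the QoS control field
LLC_SNAP = 8      # LLC/SNAP header carried inside an 802.11 data frame (Split MAC)
ETH_HDR = 14      # 802.3 header of a bridged Ethernet frame (Local MAC)


def wire_overhead(split_mac: bool, over_gre: bool) -> int:
    """Bytes added to one client payload before it reaches the wire.

    split_mac selects 802.11+LLC/SNAP (Split MAC) or Ethernet (Local MAC) as the
    inner frame; over_gre adds the outer IPv4+GRE header of the Tunnel1 leg
    between 3850-A and 3850-B on the AP-to-WLC path.
    """
    inner = DOT11_HDR + LLC_SNAP if split_mac else ETH_HDR
    overhead = IPV4_HDR + UDP_HDR + CAPWAP_HDR + inner
    if over_gre:
        overhead += IPV4_HDR + GRE_HDR
    return overhead


def max_client_payload(path_mtu: int, split_mac: bool, over_gre: bool) -> int:
    """Largest client payload that still fits in a single packet on the path."""
    return path_mtu - wire_overhead(split_mac, over_gre)


def ip_fragments(payload: int, path_mtu: int, split_mac: bool, over_gre: bool) -> int:
    """Number of IP fragments the outermost packet is split into (1 = none).

    EAP-TLS certificate exchanges are already fragmented at the EAP layer into
    frames sized for the client's MTU, so each such frame can exceed the tunnel
    path MTU and be fragmented again here, which is the symptom the post describes.
    """
    outer = payload + wire_overhead(split_mac, over_gre)
    if outer <= path_mtu:
        return 1
    per_fragment = (path_mtu - IPV4_HDR) // 8 * 8   # fragment data is 8-byte aligned
    return math.ceil((outer - IPV4_HDR) / per_fragment)


if __name__ == "__main__":
    for split_mac in (False, True):
        mode = "Split MAC" if split_mac else "Local MAC"
        print(f"{mode}: max payload over GRE at MTU 1500 ="
              f" {max_client_payload(1500, split_mac, True)} bytes,"
              f" a 1500-byte payload -> {ip_fragments(1500, 1500, split_mac, True)} fragments")
```

Path MTU discovery relies on receiving ICMP fragmentation-needed messages, so when the computed packet size exceeds the path MTU it is worth checking that no device on the path suppresses them (interfaces configured with no ip unreachables do not generate them).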