Autonomous Access Point Configuration via CLI

Not every wireless deployment uses a Wireless LAN Controller. In small offices, branch sites, or environments where centralised management is unavailable, a standalone (autonomous) Cisco AP operates independently — storing its own configuration in local flash, managing its own radios, and requiring direct CLI or GUI access for administration. Unlike a lightweight AP that relies on a WLC for all intelligence, an autonomous AP runs a full IOS image and is configured much like a router: you enter interface configuration mode, define SSIDs with dot11 ssid, assign security, and bridge wireless clients to the wired network through the Bridge Virtual Interface (BVI).

This lab configures a Cisco Aironet 1142N from scratch: initial console access, hostname and credentials, BVI1 IP addressing, two SSIDs (corporate WPA2 and guest WPA2) across both the 2.4 GHz and 5 GHz radios, channel selection, and transmit power settings. Before working through this lab, ensure the switch port connected to the AP is correctly configured — see VLAN Creation and Management and Assigning VLANs to Switch Ports. For SSH hardening applied after initial access, see SSH Configuration. For environments that have scaled beyond standalone APs, compare this workflow with Configuring a WLC — Getting Started. For RF planning concepts including channel and power design, see Wireless RF Channel and Power Planning.

1. Autonomous vs Lightweight AP Architecture

Understanding where configuration lives is fundamental before touching the CLI. The two AP modes have entirely different operational models:

Feature Autonomous AP (Standalone) Lightweight AP (CAPWAP)
Configuration storage Local flash — full IOS config file (show running-config) Pushed from WLC over CAPWAP control tunnel — no local SSID config
Management Direct CLI (console/SSH/Telnet) or built-in web GUI per AP Centralised WLC GUI or CLI — individual APs have no SSID config
Data path Local bridging — client frames go directly to the wired LAN port CAPWAP tunnelled to WLC (Local mode) or local switching (FlexConnect)
Roaming Basic — client must re-associate; no WLC-assisted fast roaming WLC-assisted fast roaming with context transfer between APs
IOS image Full IOS AP image (e.g., c1140-k9w7-tar.124-25d.JA2) Recovery image (LWAPP/CAPWAP) — most intelligence resides on WLC
Scale 1–10 APs manageable; beyond that, per-AP administration is impractical Centralised management of hundreds to thousands of APs
RF management Manual — administrator sets channel and power per AP. See Wireless RF Channel and Power Planning Automatic with WLC RRM (Radio Resource Management) — auto channel/power
Converting between modes. A Cisco AP can be converted from autonomous to lightweight (to join a WLC) and back. Autonomous-to-lightweight conversion wipes the IOS configuration and loads the CAPWAP recovery image. Lightweight-to-autonomous (sometimes called "autonomous recovery") restores a full IOS image via TFTP. Both conversions require physical or console access and are covered separately. See Controller-Based Networking for the CAPWAP architecture overview.

2. Autonomous AP IOS Interface Hierarchy

An autonomous AP exposes four key interface types in IOS. Understanding how they relate explains why every configuration command touches a specific interface or sub-interface:

Interface Physical / Logical Purpose
FastEthernet0 Physical — wired uplink to switch The AP's wired LAN port. Connects to a switch access or trunk port. Assigned to a bridge group to link the wired network to wireless clients
Dot11Radio0 Physical — 2.4 GHz radio 802.11b/g/n radio interface. SSIDs, channel, power, and encryption are configured here. Sub-interfaces can carry 802.1Q VLAN tags for multi-SSID/VLAN deployments
Dot11Radio1 Physical — 5 GHz radio (dual-band APs only) 802.11a/n/ac radio interface. Same configuration model as Dot11Radio0 but for the 5 GHz band. Supports wider channels and higher data rates
BVI1 (Bridge Virtual Interface) Logical — Layer 3 management interface The AP's management IP address lives here. BVI bridges the FastEthernet0 and Dot11Radio interfaces at Layer 2. Assigning an IP to BVI1 gives the AP a routable management address for SSH, Telnet, and the web GUI
  Physical Wired Network (Switch)
         |
  FastEthernet0 ─────────────────────────────┐
                                             │
                                         BVI1 (bridge group 1)
                                             │    └─ Management IP: 192.168.10.20
  Dot11Radio0 (2.4 GHz) ─────────────────────┤
  Dot11Radio1 (5 GHz)   ─────────────────────┘

  Wireless clients (Radio0 or Radio1)
       │
       │  associate to SSID → bridge group 1 → BVI1 → FastEthernet0 → Switch
       ▼
  LAN / DHCP server / default gateway
  
The Bridge Virtual Interface creates a single Layer 2 domain spanning both the wired and wireless interfaces. A client that associates to the 2.4 GHz radio is bridged through BVI1 to FastEthernet0 and onto the wired LAN — no routing occurs. BVI1 also carries the AP's own management traffic (SSH sessions, pings, DHCP request for its own IP) on that same bridge group.

3. Channel and Power Fundamentals

2.4 GHz Non-Overlapping Channels

The 2.4 GHz band is divided into 11 channels (in North America) spaced 5 MHz apart, each 22 MHz wide. This means only three channels do not overlap with any other:

Channel Centre Frequency Overlap-Free Typical Use
1 2412 MHz ✓ Yes AP1 in a multi-AP floor plan
2 2417 MHz ✗ Overlaps 1 and 3 Not recommended
3 2422 MHz Not recommended
4 2427 MHz Not recommended
5 2432 MHz Not recommended
6 2437 MHz ✓ Yes AP2 in a multi-AP floor plan
7–10 2442–2457 MHz Not recommended
11 2462 MHz ✓ Yes AP3 in a multi-AP floor plan
Why only channels 1, 6, and 11? Each 802.11b/g/n channel is 22 MHz wide. Channel 1 occupies 2401–2423 MHz. Channel 6 occupies 2426–2448 MHz — the gap between them (2423–2426 MHz) is large enough to prevent co-channel interference. Channel 11 occupies 2451–2473 MHz, similarly separated from channel 6. In a dense deployment with more than three APs in range of each other, adjacent APs must use different non-overlapping channels, or they cause co-channel interference that reduces throughput for all clients in the overlap area. See Wi-Fi Frequency and Channels for a full channel reference.

5 GHz U-NII Bands and DFS Channels

U-NII Band Frequency Range Channels DFS Required Notes
U-NII-1 5150–5250 MHz 36, 40, 44, 48 No Indoor use, lower power limit (200 mW). Best choice for enterprise WLANs — no radar scan delay on boot
U-NII-2A 5250–5350 MHz 52, 56, 60, 64 Yes DFS: AP must scan for radar (weather, military) before transmitting. 60-second quiet period may apply on power-up
U-NII-2C 5470–5725 MHz 100–144 Yes DFS required. Higher power allowed outdoors. Wide channel selection but radar-aware delay on channel change
U-NII-3 5725–5850 MHz 149, 153, 157, 161, 165 No No DFS required. Most commonly used for enterprise 5 GHz. Higher power allowed. Channel 36 and 149 are the two most common starting choices

Transmit Power

On Cisco autonomous APs, transmit power is set using a power level index (1–8), not directly in dBm. Level 1 is the maximum configured power for that radio; each subsequent level halves the power (3 dB reduction). For background on RF power and decibels, see Antenna and RF Basics:

Power Level Relative to Maximum Typical dBm (2.4 GHz, 100 mW max) Use Case
1 100% (maximum) 20 dBm (100 mW) Large open areas, long range needed
2 50% 17 dBm (50 mW) Standard office — good coverage without excessive overlap
3 25% 14 dBm (25 mW) Dense deployment — reduce co-channel interference
4–8 12.5% and lower 11 dBm and below High-density environments, adjacent AP mitigation
The exact dBm values depend on the AP model and regulatory domain. Use show dot11 interface Dot11Radio0 to see the actual power level in dBm currently in use on your specific hardware. Cisco IOS uses the keyword power local followed by the level number: power local 2 sets level 2 (half power).

4. Lab Topology & Design

A single Cisco Aironet 1142N is configured as a standalone AP. It connects to NetsTuts_SW1 on an access port in VLAN 10. Two SSIDs are broadcast on both radios simultaneously: a corporate SSID using WPA2-PSK and a guest SSID using WPA2-PSK with a separate passphrase:

                    NetsTuts_SW1
                         |
                     Gi1/0/2 (access, VLAN 10)
                         |
                   FastEthernet0
             NetsTuts-AP1 (Aironet 1142N)
             BVI1: 192.168.10.20 / 255.255.255.0
             Default GW: 192.168.10.1
                         |
              ┌──────────┴──────────┐
         Dot11Radio0          Dot11Radio1
         (2.4 GHz)             (5 GHz)
         Channel 6 (2437 MHz)  Channel 36 (5180 MHz)
         Power Level 2         Power Level 2

  ┌───────────────────────────────────────────────────────┐
  │  SSID 1: NetsTuts-Corp                                │
  │  Security: WPA2 / PSK / AES-CCMP                      │
  │  Broadcast on: Dot11Radio0 AND Dot11Radio1            │
  │  PSK: CorpWifi@2026!                                  │
  ├───────────────────────────────────────────────────────┤
  │  SSID 2: NetsTuts-Guest                               │
  │  Security: WPA2 / PSK / AES-CCMP                      │
  │  Broadcast on: Dot11Radio0 AND Dot11Radio1            │
  │  PSK: Guest@Visit2026                                 │
  └───────────────────────────────────────────────────────┘
  
Parameter Value
Hostname NetsTuts-AP1
Management IP (BVI1) 192.168.10.20 / 255.255.255.0
Default Gateway 192.168.10.1
Switch port NetsTuts_SW1 Gi1/0/2 — access VLAN 10, PortFast
2.4 GHz channel 6 (2437 MHz)
5 GHz channel 36 (5180 MHz)
Transmit power Level 2 (50% / ~17 dBm) on both radios
Corporate SSID NetsTuts-Corp — WPA2/PSK/AES
Guest SSID NetsTuts-Guest — WPA2/PSK/AES

5. Step 1 — Configure the Switch Access Port

Before connecting the AP, configure its switch port as an access port in the management VLAN with PortFast enabled. An autonomous AP needs only a single VLAN on its wired port unless it is trunking for a multi-VLAN deployment. See VLAN Creation and Management to ensure VLAN 10 exists before proceeding:

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Configure the AP uplink port ─────────────────────────────────
NetsTuts_SW1(config)#interface GigabitEthernet1/0/2
NetsTuts_SW1(config-if)#description AP: NetsTuts-AP1
NetsTuts_SW1(config-if)#switchport mode access
NetsTuts_SW1(config-if)#switchport access vlan 10
NetsTuts_SW1(config-if)#spanning-tree portfast
%Warning: portfast should only be enabled on ports connected to a single
 host. Connecting hubs, concentrators, switches, bridges, or repeaters
 to this port could cause temporary bridging loops.
 Use with CAUTION

%Portfast has been configured on GigabitEthernet1/0/2 but will only
 have effect when the interface is in a non-trunking mode.
NetsTuts_SW1(config-if)#no shutdown
NetsTuts_SW1(config-if)#exit
NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
  
PortFast is applied to the AP port to prevent the 30-second STP listening/learning delay on power-up — without it, the AP cannot reach the network for half a minute after boot, which causes DHCP timeouts. This is safe here because the port connects to a single AP (not another switch). The AP is treated like an end device from STP's perspective.

6. Step 2 — Initial Console Access and Base Configuration

Connect via console cable (9600 baud). On a factory-default Cisco autonomous AP, the default credentials are username: Cisco / password: Cisco (capitalised) or no credentials at all depending on the IOS version. Establish a hostname, enable secret, and a local user for SSH before any network configuration:

ap>enable
ap#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Hostname ──────────────────────────────────────────────────────
ap(config)#hostname NetsTuts-AP1

! ── Enable secret (encrypted) ────────────────────────────────────
NetsTuts-AP1(config)#enable secret NetsTuts@Enable2026

! ── Local user for SSH and web GUI ───────────────────────────────
NetsTuts-AP1(config)#username admin privilege 15 secret Admin@AP2026

! ── Disable Telnet; require local login on VTY ───────────────────
NetsTuts-AP1(config)#line vty 0 4
NetsTuts-AP1(config-line)#login local
NetsTuts-AP1(config-line)#transport input ssh
NetsTuts-AP1(config-line)#exec-timeout 10 0
NetsTuts-AP1(config-line)#exit

! ── Console line ──────────────────────────────────────────────────
NetsTuts-AP1(config)#line con 0
NetsTuts-AP1(config-line)#login local
NetsTuts-AP1(config-line)#exec-timeout 15 0
NetsTuts-AP1(config-line)#exit

! ── Generate RSA key for SSH ──────────────────────────────────────
NetsTuts-AP1(config)#ip domain-name netstuts.com
NetsTuts-AP1(config)#crypto key generate rsa modulus 2048
The name for the keys will be: NetsTuts-AP1.netstuts.com

% The key modulus size is 2048 bits
% Generating 2048 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 3 seconds)

NetsTuts-AP1(config)#ip ssh version 2
NetsTuts-AP1(config)#ip ssh time-out 60
NetsTuts-AP1(config)#ip ssh authentication-retries 3

NetsTuts-AP1(config)#service timestamps log datetime msec localtime
NetsTuts-AP1(config)#service timestamps debug datetime msec localtime
NetsTuts-AP1(config)#no ip http server
NetsTuts-AP1(config)#ip http secure-server
  
no ip http server disables plain HTTP access to the AP's built-in web GUI; ip http secure-server enables HTTPS only. For hardening details beyond what is covered here, see SSH Configuration and Login Security and Brute-Force Protection.

7. Step 3 — Assign the Management IP via BVI1

The IP address for AP management is assigned to the Bridge Virtual Interface (BVI1), not to FastEthernet0 or the radio interfaces. This is a critical difference from router/switch configuration — do not assign an IP to FastEthernet0:

! ── Static IP on BVI1 ────────────────────────────────────────────
NetsTuts-AP1(config)#interface BVI1
NetsTuts-AP1(config-if)#ip address 192.168.10.20 255.255.255.0
NetsTuts-AP1(config-if)#no shutdown
NetsTuts-AP1(config-if)#exit

! ── Default gateway ───────────────────────────────────────────────
NetsTuts-AP1(config)#ip default-gateway 192.168.10.1
NetsTuts-AP1(config)#end

! ── Verify IP and reachability ────────────────────────────────────
NetsTuts-AP1#show ip interface BVI1
BVI1 is up, line protocol is up
  Internet address is 192.168.10.20/24
  Broadcast address is 255.255.255.255
  MTU is 1500 bytes
  Outgoing access list is not set
  Inbound  access list is not set

NetsTuts-AP1#ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

NetsTuts-AP1#wr
Building configuration...
[OK]
  
If BVI1 is down in the output of show ip interface BVI1, the FastEthernet0 interface is not up. Check the switch port: show interfaces GigabitEthernet1/0/2 status on the switch — the port must show connected. Also verify no shutdown has been applied to FastEthernet0 on the AP. BVI1 state follows the physical member interfaces in the bridge group — if FastEthernet0 is down, BVI1 will be down too.

8. Step 4 — Define Both SSIDs Globally

On autonomous IOS APs, SSIDs are defined globally under dot11 ssid [name] configuration mode. The SSID block contains authentication type, key management, and the WPA PSK. The SSID is then applied to radio interfaces in a separate step:

! ── Corporate SSID definition ────────────────────────────────────
NetsTuts-AP1(config)#dot11 ssid NetsTuts-Corp
NetsTuts-AP1(config-ssid)#authentication open
NetsTuts-AP1(config-ssid)#authentication key-management wpa version 2
NetsTuts-AP1(config-ssid)#wpa-psk ascii CorpWifi@2026!
NetsTuts-AP1(config-ssid)#mbssid guest-mode
NetsTuts-AP1(config-ssid)#exit

! ── Guest SSID definition ─────────────────────────────────────────
NetsTuts-AP1(config)#dot11 ssid NetsTuts-Guest
NetsTuts-AP1(config-ssid)#authentication open
NetsTuts-AP1(config-ssid)#authentication key-management wpa version 2
NetsTuts-AP1(config-ssid)#wpa-psk ascii Guest@Visit2026
NetsTuts-AP1(config-ssid)#mbssid guest-mode
NetsTuts-AP1(config-ssid)#exit
  
Command Purpose Notes
authentication open Sets 802.11 authentication to Open System (not Shared Key) Required even when using WPA2 — WPA2 security is at a higher layer. Shared Key (WEP-based challenge) is obsolete and insecure
authentication key-management wpa version 2 Enables WPA2 (RSN / 802.11i) key management Without version 2, the AP uses WPA1 (TKIP). Always specify version 2 for AES-CCMP / WPA2. See Wi-Fi Security for WPA2 background
wpa-psk ascii [passphrase] Sets the WPA2 pre-shared key in plain ASCII ASCII passphrases are 8–63 characters. Alternatively, wpa-psk hex accepts a 64-character hexadecimal PSK derived from the passphrase via PBKDF2
mbssid guest-mode Enables MBSSID (Multiple BSSID) and broadcasts the SSID in beacon frames Without this, the SSID is hidden. Required when running multiple SSIDs on a single radio interface
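
The wpa-psk hex derivation described in the table, as an added example (not part of the original lab): the 256-bit PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, as defined for WPA2-Personal in IEEE 802.11i. The function names are hypothetical, and the emitted lines only mirror the dot11 ssid block shown in this step.

```python
import hashlib


def wpa2_psk_hex(passphrase: str, ssid: str) -> str:
    """Derive the 64-hex-character WPA2 PSK for a passphrase/SSID pair."""
    # The page's limit: ASCII passphrases are 8-63 characters.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    # The SSID is the salt, so the same passphrase yields a different PSK
    # on every SSID, and renaming an SSID invalidates a stored hex PSK.
    psk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)
    return psk.hex()


def ssid_block(ssid: str, passphrase: str) -> list:
    """Build the SSID definition from this step with a hex PSK instead of ASCII."""
    return [
        f"dot11 ssid {ssid}",
        " authentication open",
        " authentication key-management wpa version 2",
        f" wpa-psk hex {wpa2_psk_hex(passphrase, ssid)}",
        " mbssid guest-mode",
    ]


if __name__ == "__main__":
    # Lab values from the topology section of this page.
    for name, phrase in (("NetsTuts-Corp", "CorpWifi@2026!"),
                         ("NetsTuts-Guest", "Guest@Visit2026")):
        print("\n".join(ssid_block(name, phrase)))
```

The hex form is exactly as strong as the passphrase it was derived from; it only moves the PBKDF2 work off the AP and the client.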

9. Step 5 — Configure Dot11Radio0 (2.4 GHz)

The 2.4 GHz radio interface is assigned channel 6 (2437 MHz), power level 2, the AES-CCMP cipher, both SSIDs, and bridge group membership:

NetsTuts-AP1(config)#interface Dot11Radio0
NetsTuts-AP1(config-if)#no shutdown

! ── Channel: 6 (2437 MHz) ────────────────────────────────────────
NetsTuts-AP1(config-if)#channel 2437

! ── Transmit power: Level 2 (~17 dBm / 50 mW) ───────────────────
NetsTuts-AP1(config-if)#power local 2

! ── Encryption: AES-CCMP (WPA2) ──────────────────────────────────
NetsTuts-AP1(config-if)#encryption mode ciphers aes-ccm

! ── Attach both SSIDs to this radio ──────────────────────────────
NetsTuts-AP1(config-if)#ssid NetsTuts-Corp
NetsTuts-AP1(config-if)#ssid NetsTuts-Guest

! ── MBSSID — required for multiple SSIDs ─────────────────────────
NetsTuts-AP1(config-if)#mbssid

! ── Bridge group — links radio to BVI1 and FastEthernet0 ─────────
NetsTuts-AP1(config-if)#bridge-group 1
NetsTuts-AP1(config-if)#bridge-group 1 subscriber-loop-control
NetsTuts-AP1(config-if)#bridge-group 1 spanning-disabled
NetsTuts-AP1(config-if)#bridge-group 1 block-unknown-source
NetsTuts-AP1(config-if)#no bridge-group 1 source-learning
NetsTuts-AP1(config-if)#no bridge-group 1 unicast-flooding
NetsTuts-AP1(config-if)#exit
  
Bridge-Group Sub-Command Purpose
subscriber-loop-control Prevents wireless clients from creating bridging loops by limiting how many MAC addresses are learned per client association
spanning-disabled Disables STP on this bridge group — STP is not needed for the AP's internal bridge and its BPDUs would interfere with the wired network's STP
block-unknown-source Drops frames with unknown source MAC addresses, preventing MAC flooding attacks from wireless clients
no source-learning Disables MAC address learning on the bridge group — the AP does not build its own MAC table; clients are reached via the wired switch
no unicast-flooding Prevents the AP from flooding unicast frames to all bridge-group members when the destination MAC is unknown — reduces unnecessary wireless airtime consumption
2.4 GHz channel values in IOS. The channel command on Cisco autonomous APs accepts the channel centre frequency in MHz, not the channel number. Channel 1 = 2412, Channel 6 = 2437, Channel 11 = 2462. You can also use channel least-congested to let the AP scan and pick the least-used channel automatically on boot — useful in environments where other APs are already in use and interference varies. For full channel and power planning guidance, see Wireless RF Channel and Power Planning.

10. Step 6 — Configure Dot11Radio1 (5 GHz)

The 5 GHz radio is configured identically in terms of SSIDs, cipher, and bridge group, but uses channel 36 (5180 MHz) from the U-NII-1 band — a non-DFS channel that does not require a radar scan delay before transmitting:

NetsTuts-AP1(config)#interface Dot11Radio1
NetsTuts-AP1(config-if)#no shutdown

! ── Channel 36 (5180 MHz) — U-NII-1, no DFS required ────────────
NetsTuts-AP1(config-if)#channel 5180

! ── Transmit power: Level 2 ──────────────────────────────────────
NetsTuts-AP1(config-if)#power local 2

! ── Encryption: AES-CCMP ─────────────────────────────────────────
NetsTuts-AP1(config-if)#encryption mode ciphers aes-ccm

! ── Both SSIDs ───────────────────────────────────────────────────
NetsTuts-AP1(config-if)#ssid NetsTuts-Corp
NetsTuts-AP1(config-if)#ssid NetsTuts-Guest

! ── MBSSID ───────────────────────────────────────────────────────
NetsTuts-AP1(config-if)#mbssid

! ── Bridge group (same group as Radio0 and FastEthernet0) ────────
NetsTuts-AP1(config-if)#bridge-group 1
NetsTuts-AP1(config-if)#bridge-group 1 subscriber-loop-control
NetsTuts-AP1(config-if)#bridge-group 1 spanning-disabled
NetsTuts-AP1(config-if)#bridge-group 1 block-unknown-source
NetsTuts-AP1(config-if)#no bridge-group 1 source-learning
NetsTuts-AP1(config-if)#no bridge-group 1 unicast-flooding
NetsTuts-AP1(config-if)#exit
  
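Both Dot11Radio0 and Dot11Radio1 are placed in the same bridge group 1. This means a client on the 5 GHz radio and a client on the 2.4 GHz radio are in the same Layer 2 domain and can communicate directly through the AP's internal bridge. Both are also bridged to FastEthernet0 and therefore to the wired LAN. Because both SSIDs are attached to both radios, NetsTuts-Guest clients share that Layer 2 domain and the 192.168.10.0/24 subnet with NetsTuts-Corp clients and the wired VLAN 10 hosts; the separate guest passphrase controls who can join, not what a joined client can reach. If VLAN separation between SSIDs is required in a more advanced deployment, sub-interfaces and 802.1Q trunking on FastEthernet0 are used instead of this flat bridge model.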

11. Step 7 — Add FastEthernet0 to the Bridge Group and Save

FastEthernet0 must also be placed in bridge group 1 to complete the Layer 2 path from wireless clients to the wired LAN. Without this, the bridge is incomplete and clients cannot reach the switch:

NetsTuts-AP1(config)#interface FastEthernet0
NetsTuts-AP1(config-if)#no shutdown
NetsTuts-AP1(config-if)#bridge-group 1
NetsTuts-AP1(config-if)#bridge-group 1 spanning-disabled
NetsTuts-AP1(config-if)#no bridge-group 1 source-learning
NetsTuts-AP1(config-if)#exit

! ── Confirm BVI1 is up ────────────────────────────────────────────
NetsTuts-AP1(config)#end
NetsTuts-AP1#show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
BVI1                   192.168.10.20   YES manual up                    up
Dot11Radio0            unassigned      YES unset  up                    up
Dot11Radio1            unassigned      YES unset  up                    up
FastEthernet0          unassigned      YES unset  up                    up

NetsTuts-AP1#write memory
Building configuration...
[OK]
  
The output confirms the bridge is complete: BVI1 is up with the management IP, and all three physical interfaces (FastEthernet0, Dot11Radio0, Dot11Radio1) are up with no IP addresses of their own — their Layer 3 presence is provided by BVI1. If FastEthernet0 shows down/down, the switch port is not active — verify PortFast and VLAN assignment on the switch with show interfaces Gi1/0/2 status.

12. Verification

show dot11 associations

NetsTuts-AP1#show dot11 associations

802.11 Client Stations on Dot11Radio0:
SSID [NetsTuts-Corp]:
MAC Address      IP Address       Device   Name             Parent   State
a4.c3.f0.11.22.33 192.168.10.31  802.11n  CORP-LAPTOP1     self     Assoc

SSID [NetsTuts-Guest]:
MAC Address      IP Address       Device   Name             Parent   State
b8.27.eb.aa.bb.cc 192.168.10.55  802.11n  -                self     Assoc

802.11 Client Stations on Dot11Radio1:
SSID [NetsTuts-Corp]:
MAC Address      IP Address       Device   Name             Parent   State
00.1a.2b.3c.4d.5e 192.168.10.32  802.11ac CORP-LAPTOP2     self     Assoc
  
show dot11 associations lists all currently associated clients, grouped by radio and SSID. The State: Assoc confirms the client has fully associated. An IP address is shown if the AP has seen ARP traffic from the client. If a client shows Auth instead of Assoc, it has completed 802.11 authentication but not yet association — usually a PSK mismatch or encryption cipher incompatibility.

show dot11 interface Dot11Radio0

NetsTuts-AP1#show dot11 interface Dot11Radio0

Dot11Radio0 Link is up
  Hardware is 802.11N 2.4GHz Radio, address is a0.e0.af.11.22.33
  MTU is 1500, BW is 54000 Kbit
  Current Channel: 6, Frequency: 2437 MHz
  Current Tx Power Level: 2 = 17 dBm
  Antenna Gain: 2 dBi internal
  Radio Standard:  802.11n
  Encryption: AES-CCM
  Mode: Mixed (802.11b/g/n)
  Beacon Period: 100 TU
  DTIM Period: 2
  SSIDs: NetsTuts-Corp, NetsTuts-Guest
  Associated clients: 2
  
Key fields to verify: Current Channel: 6, Frequency: 2437 MHz confirms channel 6 is active. Current Tx Power Level: 2 = 17 dBm shows the actual power in dBm for this hardware. Encryption: AES-CCM confirms WPA2-CCMP is active (not TKIP). SSIDs lists both broadcast SSIDs. If only one SSID appears, verify that mbssid guest-mode is present in each global SSID definition and that mbssid is present under the radio interface.

show interfaces Dot11Radio0

NetsTuts-AP1#show interfaces Dot11Radio0
Dot11Radio0 is up, line protocol is up
  Hardware is 802.11N Radio, address is a0:e0:af:11:22:33 (bia a0:e0:af:11:22:33)
  MTU 1500 bytes, BW 54000 Kbit/sec, DLY 5000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation 802.11, loopback not set
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:01, output hang never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  5 minute input rate 3000 bits/sec, 4 packets/sec
  5 minute output rate 11000 bits/sec, 12 packets/sec
     1284 packets input, 89640 bytes, 0 no buffer
     3870 packets output, 1021476 bytes, 0 underruns
  

show ip interface BVI1

NetsTuts-AP1#show ip interface BVI1
BVI1 is up, line protocol is up
  Internet address is 192.168.10.20/24
  Broadcast address is 255.255.255.255
  Helper address is not set
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  BGP Policy Mapping is disabled
  Input features: MCI Check
  IPv4 WCCP Redirect inbound is disabled
  IPv4 WCCP Redirect outbound is disabled
  IPv4 WCCP Redirect exclude is disabled
  

Verification Command Summary

Command What It Shows Key Field to Check
show dot11 associations All associated wireless clients per radio and SSID with MAC, IP, and state State must be Assoc — not Auth (PSK/cipher issue) or Disassoc
show dot11 interface Dot11Radio0 Radio operating parameters: channel, frequency, power level (dBm), encryption, SSIDs Channel, Tx Power, Encryption (must be AES-CCM), both SSIDs listed
show dot11 interface Dot11Radio1 Same as above for the 5 GHz radio Channel 36 / 5180 MHz, AES-CCM, both SSIDs
show interfaces Dot11Radio0 Interface counters, data rates, error counts Line protocol up, no CRC errors, input/output rate confirms traffic is flowing
show ip interface BVI1 BVI1 IP address and status BVI1 is up, correct IP address assigned
show ip interface brief All interfaces and their IPs and status in one table BVI1 up/up with IP; Radio0, Radio1, Fa0 up/up with no IP (correct)
show running-config Full configuration — verify dot11 ssid blocks, radio settings, bridge groups Both SSID blocks present with correct PSK and key-management; bridge-group 1 on all three interfaces

13. Troubleshooting Autonomous AP Issues

Problem Symptom Cause Fix
AP management IP unreachable after configuration Cannot ping 192.168.10.20 from admin PC; SSH connection refused BVI1 is down because FastEthernet0 is not in bridge group 1, or the switch port is not up, or PortFast was not applied and STP is still converging On the AP: show ip interface brief — check BVI1 state. Verify bridge-group 1 is present under FastEthernet0 with show running-config | section FastEthernet0. On the switch: show interfaces Gi1/0/2 status — must show connected. Check VLAN 10 exists and is active on the switch.
SSIDs not visible in Wi-Fi scan Clients cannot see NetsTuts-Corp or NetsTuts-Guest in their Wi-Fi scan Radio interface is shut down (shutdown applied), mbssid guest-mode is missing from the SSID definition, or the SSID is not attached to the radio interface with the ssid command Check radio status: show interfaces Dot11Radio0 — must be up/up. Verify SSID attachment: show dot11 interface Dot11Radio0 — both SSIDs must appear in the SSIDs field. If missing, re-enter ssid NetsTuts-Corp under the radio interface. Verify mbssid is applied to the radio with show running-config | section Dot11Radio0.
Clients associate but get no IP address Wireless client shows "connected, no internet" with APIPA address (169.254.x.x) FastEthernet0 is not in bridge group 1, blocking the path from the wireless client to the DHCP server on the wired LAN. Alternatively, the DHCP server has no pool for 192.168.10.0/24, or the switch port is in the wrong VLAN Verify bridge group on FastEthernet0: show running-config | section FastEthernet0 must include bridge-group 1. Add if missing. Check DHCP server has a pool for 192.168.10.0/24 with show ip dhcp pool on the DHCP server device. Confirm the AP switch port is VLAN 10: show interfaces Gi1/0/2 switchport on the switch.
WPA2 authentication fails — wrong password error on client Client prompts for password, but correct PSK is rejected. Client shows authentication failure PSK mismatch between AP and client, or the AP is running WPA1 (TKIP) instead of WPA2 because authentication key-management wpa was entered without the version 2 keyword, or the encryption cipher on the radio is set to TKIP instead of AES-CCMP. See Wi-Fi Security for WPA/WPA2 differences Verify SSID security: show running-config | section dot11 ssid — look for authentication key-management wpa version 2 (not just wpa). Verify cipher: show running-config | section Dot11Radio0 — must show encryption mode ciphers aes-ccm. Re-enter the PSK in the SSID block if the passphrase may have been typed incorrectly.
5 GHz radio not transmitting — long delay on power-up Dot11Radio1 comes up but is silent for 60+ seconds before beaconing. Clients cannot connect immediately after AP reboot Channel 52, 56, 60, or 64 (U-NII-2A) or channels 100–144 (U-NII-2C) are configured. These DFS channels require a 60-second radar scan before the AP may transmit. The channel is listed as a DFS channel in your regulatory domain Change the 5 GHz channel to a non-DFS channel: under interface Dot11Radio1, enter channel 5180 (channel 36) or channel 5825 (channel 165). U-NII-1 (channels 36–48, 5180–5240 MHz) and U-NII-3 (channels 149–165, 5745–5825 MHz) do not require DFS in most regulatory domains. Verify with show dot11 interface Dot11Radio1 — DFS status is shown if applicable.
Only one SSID visible when two are configured Clients can see NetsTuts-Corp but NetsTuts-Guest does not appear in the scan, despite both being configured mbssid is not applied to the radio interface (even if mbssid guest-mode is in the SSID definition, the radio interface must also have mbssid), or the second SSID is not attached to the radio with a ssid command Check radio config: show running-config | section interface Dot11Radio0 — must contain mbssid as a standalone command, and both ssid NetsTuts-Corp and ssid NetsTuts-Guest. If mbssid is missing from the radio interface block, enter interface Dot11Radio0, then mbssid. Both commands are required: one in the global SSID block (mbssid guest-mode) and one in the radio interface (mbssid).
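
The configuration checks from the troubleshooting table above, run over a saved show running-config, as an added example that is not part of the original lab. The sample configuration is constructed and abbreviated, the function names are hypothetical, and the matcher assumes the command spellings used on this page.

```python
import re

# Constructed, abbreviated running-config with three deliberate faults: WPA1 on
# the guest SSID, no mbssid on Dot11Radio0, DFS channel 52 (5260 MHz) on Radio1.
SAMPLE_CONFIG = """\
dot11 ssid NetsTuts-Corp
   authentication open
   authentication key-management wpa version 2
   mbssid guest-mode
dot11 ssid NetsTuts-Guest
   authentication open
   authentication key-management wpa
   mbssid guest-mode
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid NetsTuts-Corp
 ssid NetsTuts-Guest
 channel 2437
 bridge-group 1
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid NetsTuts-Corp
 ssid NetsTuts-Guest
 mbssid
 channel 5260
 bridge-group 1
interface FastEthernet0
 bridge-group 1
no ip http server
line vty 0 4
 transport input ssh
"""

SSID_REQUIRED = {
    "authentication open": "missing 'authentication open'",
    "authentication key-management wpa version 2": "not WPA2: add 'version 2' to key-management",
    "mbssid guest-mode": "missing 'mbssid guest-mode' (SSID not broadcast)",
}

def parse_blocks(config):
    """Map each top-level line to the indented lines that follow it."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0].isspace() and current is not None:
            blocks[current].append(line)
        else:
            current = line
            blocks[current] = []
    return blocks

def channel_finding(mhz):
    """Warn on an overlapping 2.4 GHz channel or a DFS 5 GHz channel."""
    if mhz < 5000:
        ch = (mhz - 2407) // 5
        return None if ch in (1, 6, 11) else f"channel {ch} overlaps; use 1, 6 or 11"
    ch = (mhz - 5000) // 5
    if 52 <= ch <= 64 or 100 <= ch <= 144:
        return f"channel {ch} is DFS; expect a radar-scan delay on boot"
    return None

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    blocks, findings, attached = parse_blocks(config), [], set()
    ssids = {h.split(None, 2)[2]: b for h, b in blocks.items() if h.startswith("dot11 ssid ")}
    for name, body in ssids.items():
        findings += [f"ssid {name}: {msg}" for need, msg in SSID_REQUIRED.items() if need not in body]
    for header, body in blocks.items():
        m = re.fullmatch(r"interface (Dot11Radio\d+|FastEthernet0)", header)
        if not m:
            continue
        ifname = m.group(1)
        if "bridge-group 1" not in body:
            findings.append(f"{ifname}: not in bridge-group 1")
        if ifname == "FastEthernet0":
            continue
        if "shutdown" in body:
            findings.append(f"{ifname}: radio is shut down")
        if "encryption mode ciphers aes-ccm" not in body:
            findings.append(f"{ifname}: cipher is not aes-ccm")
        radio_ssids = [l.split(None, 1)[1] for l in body if l.startswith("ssid ")]
        attached.update(radio_ssids)
        if len(radio_ssids) > 1 and "mbssid" not in body:
            findings.append(f"{ifname}: {len(radio_ssids)} SSIDs attached but 'mbssid' missing")
        for l in body:
            ch = re.fullmatch(r"channel (\d+)", l)
            warn = channel_finding(int(ch.group(1))) if ch else None
            if warn:
                findings.append(f"{ifname}: {warn}")
    findings += [f"ssid {n}: defined but not attached to any radio" for n in sorted(set(ssids) - attached)]
    if "no ip http server" not in blocks:
        findings.append("global: plain HTTP GUI not disabled ('no ip http server')")
    findings += [f"{h}: 'transport input ssh' missing" for h, b in blocks.items()
                 if h.startswith("line vty") and "transport input ssh" not in b]
    return findings
```

Calling audit(SAMPLE_CONFIG) returns one finding per planted fault; a configuration matching Steps 2 to 7 of this lab returns an empty list.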

Key Points & Exam Tips

  • An autonomous AP stores its full IOS configuration locally in flash and is managed directly via CLI or web GUI. It does not require a WLC — all SSID, radio, and security settings are configured on the AP itself. See Lightweight vs Autonomous AP for a comparison.
  • The BVI (Bridge Virtual Interface) is the management IP interface on an autonomous AP — not FastEthernet0. Do not assign an IP address to FastEthernet0 or the radio interfaces. The BVI bridges all member interfaces (FastEthernet0, Dot11Radio0, Dot11Radio1) at Layer 2.
  • SSIDs on autonomous APs are defined globally under dot11 ssid [name] configuration mode. To broadcast an SSID from a radio interface, it must be explicitly attached to the radio with the ssid [name] command under the radio interface. Defining the SSID globally is not enough.
  • WPA2 requires two commands in the SSID block: authentication open (sets the 802.11 authentication frame type — not WEP) and authentication key-management wpa version 2. Missing version 2 defaults to WPA1/TKIP.
  • For multiple SSIDs on one radio, both mbssid guest-mode in the SSID global configuration and mbssid under the radio interface are required. One without the other results in only the primary SSID being broadcast.
  • The 2.4 GHz band has only three non-overlapping channels: 1, 6, and 11 (centre frequencies 2412, 2437, 2462 MHz). In a multi-AP deployment, adjacent APs must use different non-overlapping channels. On Cisco autonomous APs, the channel command takes the frequency in MHz, not the channel number. See Wi-Fi Frequency and Channels.
  • Transmit power on Cisco autonomous APs uses a level index (1–8). Level 1 is maximum power; each level halves the power (3 dB reduction). Level 2 is half power (typically ~17 dBm / 50 mW for a 2.4 GHz radio with 20 dBm maximum). See Antenna and RF Basics.
  • Avoid DFS channels (52–64, 100–144 in 5 GHz) in environments requiring fast AP restart times — DFS channels require a 60-second radar scan before the AP can begin transmitting. Use U-NII-1 (channels 36–48) or U-NII-3 (channels 149–165) for non-DFS operation.
  • All three interfaces (FastEthernet0, Dot11Radio0, Dot11Radio1) must be assigned to the same bridge group 1 to complete the Layer 2 path between wireless clients and the wired LAN through BVI1.
  • On the CCNA exam: know the BVI concept, the two-step SSID configuration (global definition + radio attachment), WPA2 command syntax (authentication open + authentication key-management wpa version 2 + wpa-psk ascii), non-overlapping 2.4 GHz channels, and the difference between autonomous and lightweight AP data/control plane models.
Next Steps: A single autonomous AP is now broadcasting two SSIDs on both radios. To understand how this differs from a centralised WLC deployment and when to choose each approach, see Configuring a WLC — Getting Started. To extend the autonomous AP to multi-VLAN operation using 802.1Q trunking on FastEthernet0 with sub-interfaces on the radio, the next configuration involves VLAN-mapped SSIDs. For the VLAN and switch infrastructure that supports this, see VLAN Creation and Management, Trunk Port Configuration, and WLC SSID and VLAN Mapping (for the WLC equivalent). For hardening SSH access to this AP, see SSH Configuration. For wireless troubleshooting methodology, see Troubleshooting Wireless Connectivity.

TEST WHAT YOU LEARNED

1. An administrator configures a Cisco autonomous AP and assigns an IP address to FastEthernet0, but the AP is unreachable by ping from the admin PC. What is the most likely cause?

Correct answer is C. On Cisco autonomous APs, the Bridge Virtual Interface (BVI1) is the Layer 3 management interface. BVI1 is the logical bridge that connects FastEthernet0, Dot11Radio0, and Dot11Radio1 at Layer 2. Management traffic (pings, SSH, HTTPS) uses BVI1. FastEthernet0 is a bridge member and should not have an IP address — if it does, it bypasses the bridge and creates unexpected routing behaviour. The correct configuration is: interface BVI1, then ip address 192.168.10.20 255.255.255.0. FastEthernet0 should only have bridge-group 1 configured. Always verify with show ip interface brief — BVI1 should be up/up with the management IP, and FastEthernet0 should show "unassigned".

2. A small office has three Cisco autonomous APs all operating in the 2.4 GHz band. The administrator assigns channels 1, 5, and 11. Will this cause interference, and why?

Correct answer is A. In the 2.4 GHz band (2400–2483.5 MHz), each channel is 22 MHz wide and channels are spaced 5 MHz apart. Channel 1 occupies approximately 2401–2423 MHz. Channel 6 occupies 2426–2448 MHz — leaving a 3 MHz guard band. Channel 11 occupies 2451–2473 MHz. Channel 5 occupies 2422–2444 MHz — it overlaps with both channel 1 (shares 2422–2423 MHz) and channel 6 (shares 2426–2444 MHz). Using channel 5 with channel 1 creates adjacent-channel interference, degrading throughput for clients on both channels. The only three non-overlapping 2.4 GHz channels in North America are 1, 6, and 11 — and these are the only three that should ever be assigned in a multi-AP deployment. On a Cisco autonomous AP, the IOS channel command uses the frequency in MHz: channel 1 = channel 2412, channel 6 = channel 2437, channel 11 = channel 2462.

3. An administrator configures two SSIDs on an autonomous AP. show dot11 associations shows clients on the first SSID but the second SSID is never visible in any client's Wi-Fi scan. Both SSID blocks are defined globally. What is the most likely missing configuration?

Correct answer is D. On Cisco autonomous APs, SSID configuration is a two-step process. Step 1: define the SSID globally with dot11 ssid [name], including authentication and security settings. Step 2: attach the SSID to the radio interface with ssid [name] under interface Dot11Radio0. Missing either step means the SSID is not broadcast from that radio. Additionally, for multiple SSIDs to be broadcast simultaneously (MBSSID), the mbssid command must appear as a standalone line under the radio interface itself — not just mbssid guest-mode in the global SSID block. Both configurations are required: mbssid guest-mode in the SSID definition and mbssid in the radio interface. Verify with: show running-config | section interface Dot11Radio0 — look for ssid NetsTuts-Corp, ssid NetsTuts-Guest, and mbssid as separate lines.

4. What is the correct IOS command sequence to set WPA2-PSK with AES on a Cisco autonomous AP SSID named "NetsTuts-Corp", and what happens if version 2 is omitted from the key-management command?

Correct answer is B. Three commands are required in the global SSID block for WPA2-PSK. First, authentication open sets the 802.11 Authentication frame type to Open System — this is required even for WPA2; it does not mean the network is open or unencrypted. It simply means the AP does not use the obsolete WEP Shared Key challenge-response. Second, authentication key-management wpa version 2 enables WPA2 (802.11i / RSN) key management. Without version 2, IOS uses WPA version 1 which employs TKIP by default — a weaker cipher that was deprecated and is rejected by many modern clients and regulatory requirements. Third, wpa-psk ascii [passphrase] sets the pre-shared key. Additionally, encryption mode ciphers aes-ccm must be configured on the radio interface to enable AES-CCMP encryption for frames. The IOS AES cipher name is aes-ccm (Counter Mode with CBC-MAC), not aes-ccmp.

5. An autonomous AP is configured with its 5 GHz radio on channel 56 (5280 MHz). After every power cycle, the SSID is unavailable for approximately 60–90 seconds before clients can connect. What is causing this delay and how should it be resolved?

Correct answer is D. Dynamic Frequency Selection (DFS) is an FCC and international regulatory requirement for 5 GHz channels in the U-NII-2A band (52–64, 5260–5320 MHz) and U-NII-2C band (100–144, 5500–5720 MHz). These frequency ranges are shared with weather radar, military radar, and other radar systems. Before an AP may transmit on a DFS channel, it must listen for 60 seconds (the Channel Availability Check period) to confirm no radar system is operating. If radar is detected at any time, the AP must immediately vacate the channel and not return for 30 minutes. This radar scan happens on every power cycle, causing the 60-second startup delay. Non-DFS channels in U-NII-1 (channels 36, 40, 44, 48 / 5180–5240 MHz) and U-NII-3 (channels 149, 153, 157, 161, 165 / 5745–5825 MHz) have no radar scan requirement and begin transmitting immediately on boot. For production deployments where fast recovery from a power outage is important, always use non-DFS channels.

6. In a Cisco autonomous AP bridge group configuration, what is the purpose of bridge-group 1 spanning-disabled applied to the radio interface, and what risk does it mitigate?

Correct answer is A. The AP's IOS bridge software can run its own STP instance on the bridge group. If spanning-tree is active on the bridge group, the AP will generate and forward BPDUs out FastEthernet0 into the wired switch. The wired switch then sees an unexpected STP participant on the AP port. This can cause the switch to adjust its STP topology, trigger port state changes, or in the worst case participate in STP elections in ways that disrupt network operation. Since the AP's bridge group is a simple three-port bridge (Fa0, Radio0, Radio1) with no loops, STP is unnecessary. bridge-group 1 spanning-disabled tells the AP's IOS bridge not to run STP on this bridge group, eliminating BPDU generation. This is why the command appears in every standard Cisco autonomous AP configuration template — it prevents unintended STP interaction with the wired infrastructure.

7. A technician sets power local 1 on the 2.4 GHz radio of an AP deployed in a dense open-plan office with three neighbouring APs using the same channel. What is the likely outcome, and what should the power level be changed to?

Correct answer is C. On Cisco autonomous APs, power local 1 is the maximum transmit power (not minimum). Each subsequent level halves the output power: level 1 = 100%, level 2 = 50%, level 3 = 25%, and so on. In a dense open-plan office with multiple APs, running all APs at maximum power is a common mistake that degrades performance. High power creates large RF cells that overlap significantly. Clients at the far edge of the overlap zone hear two or more APs on the same channel at similar power levels — this is co-channel interference. When multiple APs on the same channel are simultaneously within client range, clients contend for airtime with all of them, not just the nearest one. The 802.11 CSMA/CA protocol forces all clients within earshot to defer when any transmission is detected. The solution in dense deployments is to reduce transmit power so each AP's cell is smaller, reducing the number of APs that overlap at any given client location. The correct power level depends on the AP density and office layout — typically level 2 (50%) or level 3 (25%) for dense environments.

8. What is the functional difference between an autonomous AP and a lightweight AP (LAP) in terms of where the 802.11 MAC control functions reside, and what does this mean for configuration?

Correct answer is B. The split-MAC architecture is the defining characteristic of the CAPWAP/lightweight AP model. The 802.11 MAC is split between the AP hardware and the WLC. Time-sensitive, real-time functions must stay at the AP: sending beacons on schedule, acknowledging frames (ACK), probing, and sending/receiving physical layer frames. These cannot tolerate the latency of a round-trip through the CAPWAP tunnel to the WLC. Higher-layer, less time-sensitive functions are centralised at the WLC: processing association requests, running EAP authentication, key derivation, roaming context transfer, and RF management (RRM). The practical result: a lightweight AP has no SSID configuration, no WPA2 policy, and no per-client security settings in its own flash. All of that lives on the WLC. If the WLC fails, lightweight APs lose their SSID configuration and clients disconnect (in Local mode). An autonomous AP, by contrast, continues operating independently through WLC outages since its entire configuration is self-contained in local flash.

9. After completing the autonomous AP configuration in this lab, a corporate laptop connects to NetsTuts-Corp and receives an IP address. However, the laptop cannot reach any wired hosts or the internet. The gateway 192.168.10.1 is also unreachable. What is the most likely cause?

Correct answer is D. The autonomous AP's bridge group creates a single Layer 2 domain. For wireless clients to reach the wired LAN, all three interfaces must be in the same bridge group: Dot11Radio0 (and Dot11Radio1), BVI1, and FastEthernet0. If FastEthernet0 is missing from bridge group 1, the bridge has no wired exit point. Wireless clients associate successfully (Layer 2 association is between client and AP, not involving FastEthernet0), and DHCP may even succeed if the DHCP server is responding to the AP's own relay (though typically DHCP would also fail in this scenario since DHCP Discover frames from the wireless client cannot reach the wired DHCP server either). The symptom — IP address obtained but no connectivity beyond the AP — is the classic sign of a broken bridge. Fix: interface FastEthernet0, then bridge-group 1. Verify the complete bridge with show bridge 1 — all three interfaces should appear as members.

10. A company is growing from 3 standalone APs to 25 APs across multiple floors. The network administrator must update the corporate WPA2 passphrase on all APs. With autonomous APs, this requires logging into each AP individually via CLI or web GUI. What is the primary architectural advantage of migrating to a WLC-based deployment for this task?

Correct answer is C. This question highlights the fundamental operational trade-off between autonomous and centralised wireless deployment models. Autonomous APs are cost-effective and straightforward for very small deployments (1–5 APs) where configuration rarely changes. The operational burden scales linearly with the number of APs — 25 APs means 25 individual logins for any change. A WLC-based deployment shifts SSID configuration, security policy, and RF management to a central point. WLAN objects on the WLC are pushed to all associated APs via CAPWAP control messages. A PSK change, SSID rename, or security policy update requires one change on the WLC and propagates to all APs automatically — typically within seconds. This is the core value proposition of centralised wireless management. Beyond PSK management, the WLC also provides centralised RF management (RRM auto-channel and power), fast roaming context transfer between APs, client visibility across the entire wireless network, and centralised firmware management — capabilities that are impractical or impossible with autonomous APs at scale.