Creating SSIDs and Mapping to VLANs on a Cisco WLC

A single physical wireless network routinely serves multiple user populations — corporate employees, contractors, guests, and IoT devices — each with different trust levels, bandwidth needs, and security requirements. Broadcasting one shared SSID for all of them puts every category of user on the same Layer 2 segment: a guest laptop on the same VLAN as the file server. The solution is SSID-to-VLAN mapping: each SSID is a separate logical network backed by its own VLAN and enforced by its own security policy. The Cisco WLC makes this straightforward — a WLAN object ties an SSID, a dynamic interface (VLAN), and a security policy together into a single configuration unit.

This lab creates three WLANs on an already-running WLC: a Corporate WLAN using WPA3-Personal for staff devices, a Guest WLAN using WPA2-Personal with client isolation, and an IoT WLAN using WPA2-Personal with bandwidth limiting. Each WLAN gets its own dynamic interface and VLAN, ensuring complete Layer 2 separation between user groups. The WLC is already set up and at least one AP is joined — if not, complete Configuring a WLC — Getting Started first. The underlying VLANs and trunk must already exist on the switch — see VLAN Creation and Management and Trunk Port Configuration. For the DHCP pools serving each WLAN's subnet, see DHCP Server Configuration.

1. WLAN, SSID, Dynamic Interface — How They Relate

The Three-Layer Mapping

On a Cisco WLC, the path from a wireless client to a wired VLAN involves three linked objects:

  Wireless Client
       │
       │ connects to SSID: "NetsTuts-Corp"
       ▼
  ┌─────────────────────────────────────────────────────┐
  │  WLAN (WLC object)                                  │
  │  Profile Name:  Corp-WLAN   WLAN ID: 1              │
  │  SSID:          NetsTuts-Corp                       │
  │  Security:      WPA3-Personal / SAE / AES           │
  │  Interface:     corp-clients  ◄── dynamic interface │
  └─────────────────────────────────────────────────────┘
       │
       │ WLC tags traffic with VLAN 30
       ▼
  ┌─────────────────────────────────────────────────────┐
  │  Dynamic Interface: corp-clients                    │
  │  VLAN ID:     30                                    │
  │  IP / Gateway: 192.168.30.1 / 255.255.255.0         │
  │  DHCP Server: 192.168.10.200                        │
  └─────────────────────────────────────────────────────┘
       │
       │ 802.1Q tagged frame (VLAN 30) on WLC trunk
       ▼
  Switch ──► VLAN 30 ──► DHCP pool 192.168.30.0/24
  

WLAN Object Key Fields

Field | Location in GUI | Purpose
Profile Name | WLANs → WLAN → General | Internal WLC label for this WLAN — used in CLI commands and logging. Not broadcast to clients
SSID | WLANs → WLAN → General | The network name clients see and connect to. May differ from the Profile Name
WLAN ID | Auto-assigned (1–512) | Numeric ID used in WLC CLI commands: config wlan enable 1
Interface | WLANs → WLAN → General | The dynamic interface (VLAN) client traffic is forwarded to. This is the SSID-to-VLAN link
Layer 2 Security | WLANs → WLAN → Security → Layer 2 | WPA2, WPA3, or WPA2+WPA3 with PSK or 802.1X authentication
Status | WLANs → WLAN → General | Enabled/Disabled — when disabled, the SSID is not broadcast and clients cannot connect

WPA2 vs WPA3 — Security Protocol Comparison

Choosing the right security protocol is critical for any wireless deployment. For a full overview of wireless security concepts see Wi-Fi Security.

Feature | WPA2 (802.11i) | WPA3 (Wi-Fi Alliance 2018)
Personal key exchange | PSK — 4-way handshake (vulnerable to offline dictionary attack if captured) | SAE (Simultaneous Authentication of Equals) — resistant to offline dictionary attacks, forward secrecy
Enterprise auth | 802.1X / EAP — RADIUS-based per-user credentials | 802.1X / EAP — same as WPA2 plus 192-bit security suite option (WPA3-Enterprise)
Encryption | AES-CCMP (128-bit) | AES-GCMP (128-bit Personal, 256-bit Enterprise)
Open network protection | None — open SSIDs are completely unencrypted | OWE (Opportunistic Wireless Encryption) — encrypts open networks without authentication
Management frame protection | Optional (PMF — 802.11w) | Mandatory — 802.11w always required
Client compatibility | Universal — all Wi-Fi devices since 2004 | Requires WPA3-capable client (most post-2019 devices)
Transition mode | WPA2+WPA3 mixed mode allows both client types on the same SSID

PSK vs 802.1X (Enterprise) authentication. PSK (Pre-Shared Key) uses a single passphrase shared by all clients — simpler to deploy but all users know the same password and revoking a single user requires changing the key for everyone. 802.1X uses individual per-user credentials validated by a RADIUS server — each user has their own identity, access can be revoked per-user, and the WLC passes authentication to the RADIUS server via EAP. For corporate environments with an Active Directory or ISE deployment, 802.1X is the recommended choice — see AAA & RADIUS Configuration. PSK is appropriate for small deployments, IoT devices, and guest networks.

2. Lab Topology & Design

Three WLANs are created on NetsTuts-WLC, each mapped to a separate VLAN and dynamic interface. The WLC connects to NetsTuts_SW1 via a trunk carrying all VLANs. A single AP (AP2802i, already joined) broadcasts all three SSIDs simultaneously:

                      NetsTuts-WLC (already running)
                      Management: 192.168.10.50 / VLAN 10
                           |
                   Trunk (VLANs 10,20,30,40,50)
                           |
                     NetsTuts_SW1
                           |
              ─────────────────────────────────
              |                               |
           Gi1/0/2                         Gi1/0/3
          AP2802i                        Admin PC
          (broadcasts 3 SSIDs)           192.168.10.5

  ┌─────────────────────────────────────────────────────┐
  │  WLAN 1: Corp-WLAN                                  │
  │  SSID: NetsTuts-Corp   Security: WPA3+WPA2 / SAE    │
  │  Interface: corp-clients  VLAN 30   192.168.30.0/24 │
  ├─────────────────────────────────────────────────────┤
  │  WLAN 2: Guest-WLAN                                 │
  │  SSID: NetsTuts-Guest  Security: WPA2 / PSK         │
  │  Interface: guest       VLAN 40   192.168.40.0/24   │
  │  Client Isolation: ON   P2P Blocking: ON             │
  ├─────────────────────────────────────────────────────┤
  │  WLAN 3: IoT-WLAN                                   │
  │  SSID: NetsTuts-IoT    Security: WPA2 / PSK          │
  │  Interface: iot-devices VLAN 50   192.168.50.0/24   │
  │  Bandwidth: 1 Mbps down / 512 Kbps up               │
  └─────────────────────────────────────────────────────┘
  
WLAN | SSID | VLAN | Subnet | Security | Special
Corp-WLAN | NetsTuts-Corp | 30 | 192.168.30.0/24 | WPA3+WPA2 / SAE / AES | 802.11w PMF mandatory
Guest-WLAN | NetsTuts-Guest | 40 | 192.168.40.0/24 | WPA2 / PSK / AES | Client isolation, P2P blocking
IoT-WLAN | NetsTuts-IoT | 50 | 192.168.50.0/24 | WPA2 / PSK / AES | Per-client bandwidth limit

3. Step 1 — Add New VLANs to the Switch Trunk

VLANs 40 and 50 are new — they must be created on the switch and added to the WLC trunk before the dynamic interfaces are configured on the WLC. Client traffic tagged with a VLAN that is not allowed on the trunk is silently dropped rather than forwarded:

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Create the new VLANs ─────────────────────────────────
NetsTuts_SW1(config)#vlan 40
NetsTuts_SW1(config-vlan)#name GUEST
NetsTuts_SW1(config-vlan)#exit
NetsTuts_SW1(config)#vlan 50
NetsTuts_SW1(config-vlan)#name IOT-DEVICES
NetsTuts_SW1(config-vlan)#exit

! ── Add VLANs 40 and 50 to the WLC uplink trunk ──────────
NetsTuts_SW1(config)#interface GigabitEthernet1/0/48
NetsTuts_SW1(config-if)#switchport trunk allowed vlan add 40,50
NetsTuts_SW1(config-if)#exit

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]

! ── Verify trunk carries all required VLANs ─────────────
NetsTuts_SW1#show interfaces GigabitEthernet1/0/48 trunk

Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/48    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/48    10,20,30,40,50

Port        Vlans allowed and active in management domain
Gi1/0/48    10,20,30,40,50

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/48    10,20,30,40,50
  
Using switchport trunk allowed vlan add appends the new VLANs to the existing allowed list without removing VLANs already permitted. Using switchport trunk allowed vlan 40,50 (without add) would replace the entire allowed list with only VLANs 40 and 50 — a common mistake that drops management connectivity immediately. Always use add when extending an existing trunk. Verify with show interfaces trunk that all five VLANs appear in the "Vlans in spanning tree forwarding state" section — if a VLAN appears in "allowed" but not in "forwarding," it may not be active in the switch's VLAN database.
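The trunk check above can be scripted. The following Python script is an added example and is not part of the original lab: it parses saved show interfaces trunk output (the layout shown above), expands VLAN ranges such as 30-32, and reports for one port which required VLANs are missing from the allowed list, allowed but not active in the VLAN database, or not in spanning-tree forwarding state. The sample is constructed: Gi1/0/48 is the healthy lab uplink, and Gi1/0/47 is a second port where VLAN 50 was added to the allowed list but never created, which is exactly the "allowed but not forwarding" case the text warns about.

```python
import re

# Constructed sample: "show interfaces trunk" from NetsTuts_SW1 with two uplinks.
# Gi1/0/48 is the healthy lab port; Gi1/0/47 is a deliberately broken variant where
# VLAN 50 was added to the allowed list but never created in the VLAN database.
SAMPLE_TRUNK_OUTPUT = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi1/0/47    on           802.1q         trunking      1
Gi1/0/48    on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi1/0/47    10,20,30,40,50
Gi1/0/48    10,20,30,40,50

Port        Vlans allowed and active in management domain
Gi1/0/47    10,20,30,40
Gi1/0/48    10,20,30,40,50

Port        Vlans in spanning tree forwarding state and not pruned
Gi1/0/47    10,20,30,40
Gi1/0/48    10,20,30,40,50
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32,50' (or 'none') into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part or part.lower() == "none":
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_output(text):
    """Split 'show interfaces trunk' into {section title: {port: value}}.

    The first block (Mode/Encapsulation/Status/Native vlan) keeps its columns as a
    list; the three VLAN-list blocks are expanded into sets of VLAN IDs.
    """
    sections = {}
    title = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            title = line[len("Port"):].strip()
            sections[title] = {}
            continue
        if title is None:
            continue
        fields = line.split()
        port, rest = fields[0], fields[1:]
        if title.startswith("Vlans"):
            sections[title][port] = expand_vlan_list(rest[0] if rest else "")
        else:
            sections[title][port] = rest
    return sections


def _rows(sections, keyword):
    """Return the {port: value} rows of the first section whose title contains keyword."""
    for title, rows in sections.items():
        if keyword in title:
            return rows
    return {}


def check_trunk(text, port, required_vlans):
    """Report, for one port, which required VLANs are missing at each stage."""
    sections = parse_trunk_output(text)
    status = _rows(sections, "Status").get(port, [])
    allowed = _rows(sections, "allowed on trunk").get(port, set())
    active = _rows(sections, "allowed and active").get(port, set())
    forwarding = _rows(sections, "forwarding state").get(port, set())
    required = set(required_vlans)
    return {
        "trunking": len(status) >= 3 and status[2] == "trunking",
        "not_allowed": sorted(required - allowed),
        "allowed_not_active": sorted((required & allowed) - active),
        "not_forwarding": sorted(required - forwarding),
    }


if __name__ == "__main__":
    for uplink in ("Gi1/0/47", "Gi1/0/48"):
        print(uplink, check_trunk(SAMPLE_TRUNK_OUTPUT, uplink, [10, 30, 40, 50]))
```

Feed it the captured text of show interfaces trunk from NetsTuts_SW1; an empty not_forwarding list for VLANs 30, 40 and 50 on the WLC uplink is the condition the lab requires before the dynamic interfaces are created, and a VLAN listed under allowed_not_active points at a missing vlan definition rather than a trunk problem.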

4. Step 2 — Create Dynamic Interfaces on the WLC

One dynamic interface per new VLAN is required. Navigate to CONTROLLER → Interfaces → [New] and create both interfaces before creating the WLANs that reference them:

  ── Interface 1: Guest VLAN ──────────────────────────────
  WLC GUI: CONTROLLER → Interfaces → [New]

  Interface Name:      guest
  VLAN Identifier:     40
  [Apply]

  IP Address:          192.168.40.1
  Netmask:             255.255.255.0
  Gateway:             192.168.40.1
  Primary DHCP Server: 192.168.10.200
  Physical Port:       1
  VLAN ID:             40
  [Apply] → [Save Configuration]

  ── Interface 2: IoT VLAN ────────────────────────────────
  WLC GUI: CONTROLLER → Interfaces → [New]

  Interface Name:      iot-devices
  VLAN Identifier:     50
  [Apply]

  IP Address:          192.168.50.1
  Netmask:             255.255.255.0
  Gateway:             192.168.50.1
  Primary DHCP Server: 192.168.10.200
  Physical Port:       1
  VLAN ID:             50
  [Apply] → [Save Configuration]
  
The Interface Name is the internal WLC label referenced when assigning interfaces to WLANs — it must be unique and is case-sensitive. The IP Address on the dynamic interface is the default gateway for clients in that VLAN when the WLC performs inter-VLAN routing. The Primary DHCP Server is the IP the WLC uses as the DHCP relay destination — DHCP Discover packets from wireless clients are forwarded here. Creating the dynamic interface before the WLAN ensures the interface appears in the WLAN's interface dropdown. If a WLAN is configured before its dynamic interface exists, it defaults to using the management interface — placing all clients on the management VLAN, a serious security misconfiguration.

Verify All Dynamic Interfaces (WLC CLI)

(NetsTuts-WLC) > show interface summary

 Number of Interfaces.......................... 5

  Interface Name        Port  Vlan Id  IP Address       Type     Ap Mgr
  ─────────────────────────────────────────────────────────────────────
  corp-clients           1    30       192.168.30.1     Dynamic  No
  guest                  1    40       192.168.40.1     Dynamic  No
  iot-devices            1    50       192.168.50.1     Dynamic  No
  management             1    10       192.168.10.50    Static   Yes
  virtual                N/A  N/A      192.0.2.1        Static   No
  
All five interfaces are present. The three dynamic interfaces show their VLAN IDs (30, 40, 50) and gateway IPs. The management interface shows Ap Mgr: Yes — it handles CAPWAP control traffic. No dynamic interface should ever show Ap Mgr: Yes — that would route AP control traffic to the wrong interface.

5. Step 3 — Create the Corporate WLAN (WPA3+WPA2)

Navigate to WLANs → Create New → [Go]. The Corporate WLAN uses WPA3-Personal (SAE) in transition mode with WPA2 fallback so both legacy and new clients can connect:

  ── General Tab ───────────────────────────────────────────
  Type:           WLAN
  Profile Name:   Corp-WLAN
  SSID:           NetsTuts-Corp
  WLAN ID:        1
  Status:         Enabled   ✓
  Broadcast SSID: Enabled   ✓

  ── Security / Layer 2 Tab ────────────────────────────────
  Layer 2 Security:    WPA+WPA2
  WPA Policy:          Disabled
  WPA2 Policy:         Enabled   ✓
  WPA2 Encryption:     AES       ✓
  Auth Key Mgmt:       SAE+PSK   (transition mode — WPA3+WPA2)
  PMF:                 Required  (mandatory for WPA3 clients)
                                 Optional for WPA2 clients in transition
  PSK Format:          ASCII
  PSK:                 NetsTuts@Corp2026!

  ── QoS Tab ───────────────────────────────────────────────
  Quality of Service:  Platinum (Voice)
  WMM Policy:          Required

  ── Advanced Tab ──────────────────────────────────────────
  Allow AAA Override:  Disabled
  P2P Blocking:        Disabled
  Client Exclusion:    Enabled  (Timeout: 60 sec)
  Session Timeout:     1800 sec (30 min)
  DHCP Server Override: Disabled

  ── General Tab → Interface ──────────────────────────────
  Interface / Interface Group(G): corp-clients

  [Apply] → [Save Configuration]
  
SAE+PSK in the Auth Key Mgmt field enables WPA3/WPA2 transition mode: WPA3-capable clients use SAE (Simultaneous Authentication of Equals) which provides forward secrecy and resistance to offline dictionary attacks. WPA2-only clients fall back to PSK. PMF Required is enforced for WPA3 clients (802.11w Management Frame Protection is mandatory in WPA3); setting it to Optional in transition mode allows WPA2 clients that do not support PMF to still connect. QoS: Platinum gives corporate traffic the highest priority queue for voice and video applications. Client Exclusion with 60-second timeout temporarily blocks clients that fail authentication repeatedly — provides basic brute-force protection similar to the login block-for feature on IOS routers.

6. Step 4 — Create the Guest WLAN (WPA2 with Isolation)

The Guest WLAN uses WPA2-PSK with a simpler passphrase. Client isolation prevents guests from communicating directly with each other or discovering other wireless devices on the network. P2P blocking prevents peer-to-peer traffic between guest clients:

  ── General Tab ───────────────────────────────────────────
  Type:           WLAN
  Profile Name:   Guest-WLAN
  SSID:           NetsTuts-Guest
  WLAN ID:        2
  Status:         Enabled   ✓
  Broadcast SSID: Enabled   ✓

  ── Security / Layer 2 Tab ────────────────────────────────
  Layer 2 Security:    WPA+WPA2
  WPA2 Policy:         Enabled   ✓
  WPA2 Encryption:     AES       ✓
  Auth Key Mgmt:       PSK
  PMF:                 Optional
  PSK Format:          ASCII
  PSK:                 GuestAccess@2026

  ── Security / Layer 3 Tab ────────────────────────────────
  Layer 3 Security:    None  (no web auth for this lab)
  Passthrough:         Disabled

  ── Advanced Tab ──────────────────────────────────────────
  P2P Blocking:        Drop   ◄─── blocks client-to-client traffic
  Client Exclusion:    Enabled (Timeout: 30 sec)
  Session Timeout:     3600 sec (1 hour — auto-disconnect guests)
  DHCP Server Override: Disabled
  Client Load Balancing: Enabled

  ── General Tab → Interface ──────────────────────────────
  Interface / Interface Group(G): guest

  [Apply] → [Save Configuration]
  
P2P Blocking: Drop prevents any wireless client on this SSID from sending traffic directly to another wireless client on the same SSID — guest devices are isolated from each other at Layer 2. Without this, a guest could scan and attack other guests on the same network. Session Timeout: 3600 seconds forces guests to re-authenticate after one hour — prevents indefinite lingering connections and frees IP addresses. Note the difference between P2P Blocking (prevents client-to-client wireless traffic) and client isolation at the VLAN level (handled by the switch with Private VLANs or inter-VLAN routing ACLs). P2P Blocking acts at the WLC/AP level before frames reach the switch.

7. Step 5 — Create the IoT WLAN (WPA2 with Bandwidth Limiting)

IoT devices typically require only minimal bandwidth. Configuring per-client bandwidth contracts prevents any single IoT device from consuming excessive network resources. Rate limiting is configured through a Bandwidth Contract on the QoS tab:

  ── General Tab ───────────────────────────────────────────
  Type:           WLAN
  Profile Name:   IoT-WLAN
  SSID:           NetsTuts-IoT
  WLAN ID:        3
  Status:         Enabled   ✓
  Broadcast SSID: Enabled   ✓

  ── Security / Layer 2 Tab ────────────────────────────────
  Layer 2 Security:    WPA+WPA2
  WPA2 Policy:         Enabled   ✓
  WPA2 Encryption:     AES       ✓
  Auth Key Mgmt:       PSK
  PMF:                 Optional
  PSK Format:          ASCII
  PSK:                 IoTNetwork@2026

  ── QoS Tab ───────────────────────────────────────────────
  Quality of Service:          Bronze (Background)
  WMM Policy:                  Allowed
  Bandwidth Contract:
    Per Client Bandwidth:      Downstream:  1000 Kbps (1 Mbps)
                               Upstream:     512 Kbps

  ── Advanced Tab ──────────────────────────────────────────
  P2P Blocking:        Drop
  Client Exclusion:    Enabled (Timeout: 60 sec)
  Session Timeout:     86400 sec (24 hours — IoT devices stay connected)
  DHCP Addr. Assignment: Required  (IoT devices must use DHCP — no static IPs)
  DTIM Period:         3  (longer beacon interval saves IoT device battery)

  ── General Tab → Interface ──────────────────────────────
  Interface / Interface Group(G): iot-devices

  [Apply] → [Save Configuration]
  
QoS: Bronze places IoT traffic in the lowest priority queue — it does not compete with corporate voice and video traffic. Per-client bandwidth limiting (1000 Kbps downstream, 512 Kbps upstream) caps each IoT device's throughput — a compromised or malfunctioning device cannot flood the network. DTIM Period: 3 means the AP sends a Delivery Traffic Indication Message every 3 beacon intervals instead of every 1 — battery-constrained IoT devices can sleep longer between wake cycles. DHCP Required rejects clients that attempt to use static IP addresses on this WLAN, ensuring all devices receive IPs from the DHCP server and are tracked in the DHCP binding table, which DHCP Snooping relies on for validation.

8. Verification

show wlan summary (WLC CLI)

(NetsTuts-WLC) > show wlan summary

Number of WLANs.................................. 3

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name    PMF
───────  ─────────────────────────────────────  ────────  ───────────────  ─────
1        Corp-WLAN / NetsTuts-Corp              Enabled   corp-clients     Req
2        Guest-WLAN / NetsTuts-Guest            Enabled   guest            Opt
3        IoT-WLAN / NetsTuts-IoT                Enabled   iot-devices      Opt
  
All three WLANs are enabled and mapped to their correct dynamic interfaces. PMF: Req on Corp-WLAN confirms Management Frame Protection is required (mandatory for WPA3). PMF: Opt on Guest and IoT WLANs means PMF is supported but not required, allowing older clients without PMF support to connect. If a WLAN shows the wrong interface (e.g., management instead of corp-clients), edit the WLAN and correct the interface assignment — clients will immediately be placed on the wrong VLAN.
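The interface warning from Step 2 (a WLAN left on the management interface) and the show wlan summary review above can be combined into one audit. This Python script is an added example, not part of the original lab or of Cisco's tooling: it parses show interface summary and show wlan summary output in the layouts shown on this page, compares each WLAN against the expected interface and VLAN from the lab design table, and flags any WLAN bound to the management or AP-manager interface, to an interface that does not exist, or to the wrong VLAN, plus any dynamic interface marked Ap Mgr. The sample WLAN table is constructed with Guest-WLAN still pointing at management so the checks have something to find.

```python
import re

# Constructed sample output in the layout the WLC prints. The interface table matches
# the lab; the WLAN table is deliberately wrong: Guest-WLAN still points at the
# management interface, the misconfiguration Step 2 warns about.
SAMPLE_INTERFACE_SUMMARY = """\
 Number of Interfaces.......................... 5

  Interface Name        Port  Vlan Id  IP Address       Type     Ap Mgr
  ---------------------------------------------------------------------
  corp-clients           1    30       192.168.30.1     Dynamic  No
  guest                  1    40       192.168.40.1     Dynamic  No
  iot-devices            1    50       192.168.50.1     Dynamic  No
  management             1    10       192.168.10.50    Static   Yes
  virtual                N/A  N/A      192.0.2.1        Static   No
"""

SAMPLE_WLAN_SUMMARY = """\
Number of WLANs.................................. 3

WLAN ID  WLAN Profile Name / SSID               Status    Interface Name    PMF
-------  -------------------------------------  --------  ---------------  -----
1        Corp-WLAN / NetsTuts-Corp              Enabled   corp-clients     Req
2        Guest-WLAN / NetsTuts-Guest            Enabled   management       Opt
3        IoT-WLAN / NetsTuts-IoT                Enabled   iot-devices      Opt
"""

# Lab design, WLAN ID -> (dynamic interface, VLAN). Constructed from the design table.
EXPECTED_MAPPING = {1: ("corp-clients", 30), 2: ("guest", 40), 3: ("iot-devices", 50)}

INTERFACE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<port>\S+)\s+(?P<vlan>\S+)\s+(?P<ip>\S+)\s+"
    r"(?P<type>Dynamic|Static)\s+(?P<apmgr>Yes|No)\s*$")
WLAN_RE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<profile>\S+)\s*/\s*(?P<ssid>\S+)\s+"
    r"(?P<status>Enabled|Disabled)\s+(?P<iface>\S+)\s+(?P<pmf>\S+)\s*$")


def parse_interfaces(text):
    """Return {interface name: {vlan, ip, type, apmgr}} from 'show interface summary'."""
    out = {}
    for line in text.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            out[m["name"]] = {"vlan": m["vlan"], "ip": m["ip"],
                              "type": m["type"], "apmgr": m["apmgr"] == "Yes"}
    return out


def parse_wlans(text):
    """Return {wlan id: {profile, ssid, enabled, iface, pmf}} from 'show wlan summary'."""
    out = {}
    for line in text.splitlines():
        m = WLAN_RE.match(line)
        if m:
            out[int(m["id"])] = {"profile": m["profile"], "ssid": m["ssid"],
                                 "enabled": m["status"] == "Enabled",
                                 "iface": m["iface"], "pmf": m["pmf"]}
    return out


def audit_wlan_mapping(interface_text, wlan_text, expected=EXPECTED_MAPPING):
    """Compare live WLAN-to-interface bindings with the design; return findings in order."""
    ifaces = parse_interfaces(interface_text)
    wlans = parse_wlans(wlan_text)
    findings = []
    for wlan_id in sorted(expected):
        want_iface, want_vlan = expected[wlan_id]
        wlan = wlans.get(wlan_id)
        if wlan is None:
            findings.append(f"WLAN {wlan_id}: not present on the controller")
            continue
        tag = f"WLAN {wlan_id} ({wlan['profile']})"
        if not wlan["enabled"]:
            findings.append(f"{tag}: disabled, SSID not broadcast")
        iface = ifaces.get(wlan["iface"])
        if iface is None:
            findings.append(f"{tag}: interface '{wlan['iface']}' does not exist")
            continue
        # The dangerous case: clients are dropped onto the management / AP-manager VLAN.
        if wlan["iface"] == "management" or iface["apmgr"]:
            findings.append(f"{tag}: mapped to '{wlan['iface']}', the management / "
                            f"AP-manager interface (clients land on VLAN {iface['vlan']})")
        if wlan["iface"] != want_iface:
            findings.append(f"{tag}: interface is '{wlan['iface']}', expected '{want_iface}'")
        if iface["vlan"] != str(want_vlan):
            findings.append(f"{tag}: VLAN {iface['vlan']}, expected {want_vlan}")
    for name, info in sorted(ifaces.items()):
        if info["type"] == "Dynamic" and info["apmgr"]:
            findings.append(f"interface {name}: dynamic interface marked AP Manager")
    return findings


if __name__ == "__main__":
    for finding in audit_wlan_mapping(SAMPLE_INTERFACE_SUMMARY, SAMPLE_WLAN_SUMMARY):
        print("FINDING:", finding)
```

An empty findings list is the state the verification section describes; with the constructed sample the script reports Guest-WLAN three times (on management, wrong interface, wrong VLAN), which is how the first troubleshooting entry below would look before the fix.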

show wlan 1 (WLC CLI — Corp WLAN Detail)

(NetsTuts-WLC) > show wlan 1

WLAN Identifier.................................. 1
Profile Name..................................... Corp-WLAN
Network Name (SSID).............................. NetsTuts-Corp
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Number of Active Clients......................... 4
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
WMM.............................................. Required
QoS..............................................  Platinum
Security
  802.11 Authentication:......................... Open System
  Static WEP Keys................................ Disabled
  802.1X......................................... Disabled
  Wi-Fi Protected Access (WPA/WPA2).............. Enabled
    WPA (SSN IE)................................. Disabled
    WPA2 (RSN IE)................................ Enabled
      WPA2 Encryption:........................... AES
      Auth Key Mgmt (AKM):
        PSK...................................... Enabled
        SAE...................................... Enabled
  PMF........................................... Required
Interface........................................ corp-clients
WLAN ACL......................................... unconfigured
DHCP Server......................................  192.168.10.200
  
The show wlan [id] command provides the complete security and interface configuration for a single WLAN. Key fields to check: SAE: Enabled together with PSK: Enabled confirms WPA3/WPA2 transition mode. PMF: Required confirms WPA3 management frame protection. Number of Active Clients: 4 confirms corporate devices are connecting and being placed on the corp-clients interface. Interface: corp-clients confirms the VLAN 30 mapping. DHCP Server: 192.168.10.200 shows where DHCP relays are forwarded.

show client summary (WLC CLI)

(NetsTuts-WLC) > show client summary

Number of Clients................................ 7

MAC Address       AP Name    WLAN  SSID             Status    Protocol
────────────────  ─────────  ────  ───────────────  ────────  ────────
a4:c3:f0:11:22:33 AP2802i    1     NetsTuts-Corp    Associated 11ac
00:1a:2b:3c:4d:5e AP2802i    1     NetsTuts-Corp    Associated 11ax
b8:27:eb:aa:bb:cc AP2802i    2     NetsTuts-Guest   Associated 11n
c4:29:96:dd:ee:ff AP2802i    3     NetsTuts-IoT     Associated 11n
  
show client summary confirms clients are connecting to the correct WLANs. The WLAN column shows the WLAN ID — verify each client is on the expected WLAN ID (1=Corp, 2=Guest, 3=IoT). The Protocol column shows the 802.11 protocol in use — 11ax (Wi-Fi 6) and 11ac (Wi-Fi 5) clients on the Corp WLAN suggest modern devices capable of WPA3. An 11n client on the IoT WLAN is typical for legacy sensors. If a client appears on the wrong WLAN (e.g., IoT device on Corp WLAN), the device is connecting to the wrong SSID — check device wireless settings.

show client detail [MAC] (WLC CLI)

(NetsTuts-WLC) > show client detail a4:c3:f0:11:22:33

Client MAC Address............................... a4:c3:f0:11:22:33
Client Username.................................. N/A
AP MAC Address................................... a0:e0:af:xx:yy:zz
AP Name.......................................... AP2802i
WLAN..............................................  1
SSID..............................................  NetsTuts-Corp
BSSID............................................  a0:e0:af:xx:yy:01
IP Address.......................................  192.168.30.15
Association State................................ Associated
PMF State........................................  Required
Authentication Algorithm......................... SAE
Encryption Cipher................................ CCMP-128 (AES)
QoS Level........................................  Platinum
VLAN.............................................  30
Data Rate.......................................  433.3 Mbps
  
The per-client detail view confirms every security parameter for an individual connection. Authentication Algorithm: SAE confirms this client used WPA3 (not WPA2 PSK). PMF State: Required confirms management frame protection is active. VLAN: 30 confirms the client is on the corp-clients interface. IP Address: 192.168.30.15 confirms DHCP worked correctly for this VLAN. If a corporate client shows Authentication Algorithm: PSK instead of SAE, the device does not support WPA3 and is using the WPA2 fallback in transition mode — acceptable, but note it for a device upgrade schedule.
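The per-client checks just described (VLAN, IP inside the right subnet, SAE versus PSK, PMF state) can likewise be scripted. This Python script is an added example, not part of the original lab: it parses the dotted key/value lines of show client detail into a dictionary and audits each client against a constructed policy table built from the lab design. The first excerpt is the healthy Corp client shown above; the second and third are constructed to show a Corp client that landed on the management VLAN with a WPA2 fallback, and an IoT device that never obtained a DHCP lease and fell back to an APIPA address.

```python
import ipaddress
import re

# Constructed "show client detail" excerpts (dotted key/value lines, as the WLC prints
# them). Only the fields the audit reads are included.
CLIENT_CORP_OK = """\
Client MAC Address............................... a4:c3:f0:11:22:33
WLAN..............................................  1
SSID..............................................  NetsTuts-Corp
IP Address.......................................  192.168.30.15
PMF State........................................  Required
Authentication Algorithm......................... SAE
Encryption Cipher................................ CCMP-128 (AES)
VLAN.............................................  30
"""

CLIENT_CORP_ON_MGMT = """\
Client MAC Address............................... 00:1a:2b:3c:4d:5e
WLAN..............................................  1
SSID..............................................  NetsTuts-Corp
IP Address.......................................  192.168.10.77
PMF State........................................  Optional
Authentication Algorithm......................... PSK
VLAN.............................................  10
"""

CLIENT_IOT_NO_DHCP = """\
Client MAC Address............................... c4:29:96:dd:ee:ff
WLAN..............................................  3
SSID..............................................  NetsTuts-IoT
IP Address.......................................  169.254.12.9
PMF State........................................  Optional
Authentication Algorithm......................... PSK
VLAN.............................................  50
"""

KV_RE = re.compile(r"^\s*(?P<key>[^.]+?)\s*\.{2,}\s*(?P<value>.*?)\s*$")

# Expected placement per WLAN, constructed from the lab design (not a WLC export).
# 'wpa3' marks the transition-mode WLAN on which SAE is the intended authentication.
WLAN_POLICY = {
    1: {"vlan": 30, "subnet": "192.168.30.0/24", "wpa3": True},
    2: {"vlan": 40, "subnet": "192.168.40.0/24", "wpa3": False},
    3: {"vlan": 50, "subnet": "192.168.50.0/24", "wpa3": False},
}


def parse_client_detail(text):
    """Turn 'Key......... value' lines into a dict; lines without a dot run are ignored."""
    return {m["key"]: m["value"] for m in map(KV_RE.match, text.splitlines()) if m}


def audit_client(detail_text, policy=WLAN_POLICY):
    """Check one client's VLAN, IP and authentication against the WLAN policy.

    'problems' are placement faults (wrong VLAN, IP outside the WLAN's subnet, an SAE
    client without PMF Required); 'notes' are acceptable-but-tracked states such as
    a WPA2 PSK fallback on the WPA3 transition-mode WLAN.
    """
    d = parse_client_detail(detail_text)
    wlan_id = int(d.get("WLAN", "0") or 0)
    rule = policy.get(wlan_id)
    result = {"mac": d.get("Client MAC Address"), "wlan": wlan_id,
              "problems": [], "notes": []}
    if rule is None:
        result["problems"].append(f"WLAN {wlan_id} has no policy entry")
        return result
    vlan = d.get("VLAN", "")
    if vlan != str(rule["vlan"]):
        result["problems"].append(f"VLAN {vlan or 'none'}, expected {rule['vlan']}")
    ip = d.get("IP Address", "")
    try:
        on_subnet = ipaddress.ip_address(ip) in ipaddress.ip_network(rule["subnet"])
    except ValueError:  # 'Unknown', empty, or otherwise not an address
        on_subnet = False
    if not on_subnet:
        result["problems"].append(f"IP {ip or 'none'} outside {rule['subnet']}")
    auth = d.get("Authentication Algorithm", "")
    if auth == "SAE" and d.get("PMF State") != "Required":
        result["problems"].append("SAE client without PMF Required")
    elif rule["wpa3"] and auth != "SAE":
        result["notes"].append(
            f"{auth or 'unknown'} instead of SAE: WPA2 fallback, schedule a device upgrade")
    return result


if __name__ == "__main__":
    for sample in (CLIENT_CORP_OK, CLIENT_CORP_ON_MGMT, CLIENT_IOT_NO_DHCP):
        print(audit_client(sample))
```

Run it over a show client detail capture for each MAC listed by show client summary; a non-empty problems list on a Corp client with a 192.168.10.x address is the client-side symptom of the management-interface misconfiguration, while an APIPA address on the IoT WLAN points back to the VLAN 50 trunk and DHCP checks in the troubleshooting table.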

Verification Command Summary

Command | What It Shows | Primary Use
show wlan summary | All WLANs with status, interface mapping, and PMF state | Confirm all three WLANs are enabled and mapped to correct dynamic interfaces
show wlan [id] | Full security and interface configuration for a single WLAN | Verify security settings (SAE/PSK/PMF) and DHCP relay target for a specific WLAN
show interface summary | All WLC interfaces with VLAN IDs and IP addresses | Confirm dynamic interfaces are present with correct VLANs before assigning to WLANs
show client summary | All connected clients with AP, WLAN ID, SSID, and 802.11 protocol | Verify clients are connecting to the correct WLAN and confirm client counts per SSID
show client detail [MAC] | Complete per-client security details — auth algorithm, encryption, PMF, VLAN, IP, data rate | Confirm individual client is using correct security (SAE vs PSK) and is on correct VLAN
show interfaces trunk (SW1) | Trunk port VLAN allowed list and forwarding state | Verify all client VLANs (30,40,50) are in forwarding state on WLC uplink trunk

9. Troubleshooting SSID and VLAN Mapping Issues

Problem: Clients on wrong subnet after connecting
  Symptom: Guest clients get 192.168.30.x addresses instead of 192.168.40.x. Client is on the wrong VLAN
  Cause: Guest-WLAN is mapped to corp-clients interface (VLAN 30) instead of guest interface (VLAN 40) — wrong interface selected during WLAN creation
  Fix: Edit Guest-WLAN: WLANs → Guest-WLAN → General tab → Interface → change to "guest". Apply and save. Clients already connected will receive a new DHCP lease on reconnect.

Problem: SSID not visible to clients after creation
  Symptom: New WLAN is created but does not appear in client Wi-Fi scan
  Cause: WLAN Status is Disabled, Broadcast SSID is unchecked, or the AP has not received the updated configuration from the WLC yet
  Fix: Check WLAN status: WLANs → confirm green status icon. Enable: config wlan enable [id] on WLC CLI. Verify Broadcast SSID is checked. Allow 30–60 seconds for AP to receive and apply WLAN config. On WLC CLI: show wlan [id] → confirm "Status: Enabled".

Problem: WPA3 clients cannot connect but WPA2 clients can
  Symptom: Corporate devices supporting WPA3 fail authentication; WPA2 devices succeed on the same SSID
  Cause: PMF is set to Required but the WPA3 SSID was not created with SAE enabled in Auth Key Mgmt. Or the AP firmware does not support WPA3 and needs an upgrade from the WLC
  Fix: Verify SAE is enabled: show wlan 1 → check "SAE: Enabled". If SAE is not listed, edit the WLAN and add SAE to Auth Key Mgmt. Check AP firmware version: show ap config general AP2802i → Software Ver must support WPA3 (requires 8.10+ on most Cisco APs).

Problem: Guest clients can see other guests' devices
  Symptom: Guest A can ping or discover Guest B's device despite P2P Blocking being configured
  Cause: P2P Blocking is set to "Disable" instead of "Drop" on the Guest WLAN, or clients are on different APs and the traffic is being switched at the VLAN level on the wired network before WLC can block it
  Fix: Verify P2P Blocking: WLANs → Guest-WLAN → Advanced tab → P2P Blocking → must be "Drop". Note: P2P Blocking only prevents direct wireless client-to-client traffic on the same AP. For true isolation between clients across APs, also configure a private VLAN or ACL on the switch for VLAN 40 to block intra-VLAN traffic.

Problem: IoT clients not getting DHCP after adding VLAN 50
  Symptom: IoT devices associate but receive APIPA addresses (169.254.x.x) — DHCP fails
  Cause: VLAN 50 not in the trunk allowed list on the switch, or DHCP server has no pool for 192.168.50.0/24, or iot-devices dynamic interface pointing to wrong DHCP server IP
  Fix: Check trunk: show interfaces Gi1/0/48 trunk → VLAN 50 must be in forwarding state. Add if missing: switchport trunk allowed vlan add 50. Verify DHCP pool for 192.168.50.0/24 exists on the DHCP server. Check WLC interface: show interface detailed iot-devices → confirm DHCP server IP is correct.

Problem: Bandwidth limiting not enforced on IoT WLAN
  Symptom: IoT devices exceed configured 1 Mbps limit — bandwidth contracts appear to have no effect
  Cause: Per-client bandwidth contracts require the QoS profile on the WLAN to be set to Bronze or Silver — Platinum QoS overrides bandwidth contracts. Or the feature is not supported on the current WLC/AP firmware version
  Fix: Verify QoS on IoT-WLAN: WLANs → IoT-WLAN → QoS tab → Quality of Service must be "Bronze". Also confirm bandwidth contract values are saved: downstream 1000 Kbps, upstream 512 Kbps. Test with a speed test from an IoT VLAN device and monitor with show client detail [MAC].

Key Points & Exam Tips

  • Each WLAN on a Cisco WLC is a combination of an SSID, a security policy, and a dynamic interface (VLAN). The dynamic interface is the critical link that places wireless clients on the correct VLAN and subnet. Always create the dynamic interface before creating the WLAN that references it.
  • If a WLAN is created without selecting a dynamic interface, it defaults to the management interface — placing all wireless clients on the management VLAN. This is a serious security misconfiguration that requires immediate correction.
  • New VLANs must be created on the switch and added to the WLC trunk before configuring the corresponding dynamic interface on the WLC. Use switchport trunk allowed vlan add — not switchport trunk allowed vlan — to avoid removing existing VLANs.
  • WPA3-Personal uses SAE (Simultaneous Authentication of Equals) instead of PSK. SAE provides forward secrecy and resistance to offline dictionary attacks. WPA2+WPA3 transition mode (SAE+PSK in Auth Key Mgmt) allows both WPA3 and WPA2 clients on the same SSID — the recommended approach when deploying WPA3 in mixed environments.
  • PMF (Protected Management Frames, 802.11w) is mandatory for WPA3 and optional for WPA2. In WPA3+WPA2 transition mode, set PMF to Required for WPA3 clients and Optional for WPA2 clients. Setting PMF to Disabled blocks WPA3 clients entirely.
  • P2P Blocking on the WLAN prevents direct wireless client-to-client traffic within the same SSID — essential for guest WLANs. It operates at the AP/WLC level. For isolation between clients on different APs using the same SSID, additional switch-level controls (private VLAN or ACL on the client VLAN) are required.
  • Per-client bandwidth contracts on the QoS tab cap individual device throughput — important for IoT WLANs. QoS must be set to Bronze or Silver for bandwidth limiting to be enforced; Platinum QoS bypasses bandwidth contracts.
  • The WLC supports up to 512 WLANs per controller (model-dependent). Each AP broadcasts a maximum of 16 SSIDs at any given time — exceeding this limit on a single AP means not all WLANs will be broadcast. Use AP Groups to assign specific WLANs to specific APs.
  • show wlan summary confirms WLAN status and interface mapping. show client detail [MAC] confirms per-client authentication algorithm (SAE or PSK), VLAN assignment, and IP address — the most important post-connection verification commands.
  • On the CCNA exam: know the WLAN-to-dynamic-interface-to-VLAN mapping chain, the difference between WPA2 PSK and WPA3 SAE, why transition mode is needed, what P2P Blocking does, and why VLAN configuration on the switch trunk must be done before WLC interface creation.

Next Steps: Three SSIDs are now active with proper VLAN isolation. To add enterprise authentication replacing PSK with per-user credentials backed by RADIUS, the next step is configuring 802.1X — see 802.1X Port Authentication and point the WLC to a RADIUS/ISE server in the WLC Security settings. For optimal RF performance across the three SSIDs, see Wireless RF Channel & Power Planning. For the DHCP pools serving each wireless subnet, revisit DHCP Server Configuration. For the VLAN and trunk infrastructure supporting SSID isolation, see VLAN Creation and Management and Trunk Port Configuration. For the WLC initial setup this lab builds on, see Configuring a WLC — Getting Started.

TEST WHAT YOU LEARNED

1. A network administrator creates a new WLAN on the WLC for the Guest network but forgets to select the guest dynamic interface — it remains set to the management interface. What is the result for guest clients?

Correct answer is B. The management interface is a fully functional WLC interface — it has an IP, a VLAN, and a DHCP relay configuration. If a WLAN is mapped to the management interface, the WLC will forward client traffic tagged with the management VLAN. Guest clients will receive DHCP addresses from the management subnet (assuming the DHCP server has a scope for it), giving them network access on the same VLAN as WLC management, the DHCP server, and administrative workstations. This is one of the most common and dangerous WLC misconfigurations. The WLC does not prevent this — it accepts the management interface as a valid WLAN interface. Always verify the interface assignment in show wlan summary after WLAN creation.

2. What is the key security advantage of WPA3-Personal (SAE) over WPA2-Personal (PSK) for a corporate WLAN, and what does "forward secrecy" mean in this context?

Correct answer is D. WPA2-PSK has two weaknesses. First, the 4-way handshake can be captured from the air and attacked offline — tools like hashcat can test billions of password combinations per second against the captured handshake without any interaction with the network, so a weak passphrase can be cracked in hours. Second, it provides no forward secrecy: anyone who later learns the PSK can decrypt previously captured sessions. WPA3-SAE (Simultaneous Authentication of Equals, based on the Dragonfly Key Exchange) solves both problems. The authentication exchange does not expose the PSK or any key material that can be attacked offline — an attacker must interact with the AP directly for each guess, which is rate-limited. Forward secrecy means each session negotiates a unique session key derived from ephemeral values; capturing the PSK later provides no ability to decrypt previously recorded sessions. Both properties together make offline attacks against WPA3-SAE impractical.

3. Why must new VLANs be added to the switch trunk with switchport trunk allowed vlan add rather than switchport trunk allowed vlan (without "add")?

Correct answer is A. This is a well-known operational pitfall that causes immediate outages. switchport trunk allowed vlan 40,50 sets the allowed VLAN list to exactly {40, 50} — all previously allowed VLANs (10, 20, 30) are removed. The WLC management interface is on VLAN 10. Removing VLAN 10 from the trunk immediately disconnects the WLC GUI, SSH, and all AP CAPWAP control sessions. The APs lose their WLC connection and begin the discovery process. Clients on VLAN 30 lose connectivity. Recovery requires console access to the switch. The safe commands are: switchport trunk allowed vlan add 40,50 to append, or switchport trunk allowed vlan remove 40 to remove a specific VLAN. Always verify the trunk state with show interfaces trunk after any trunk modification.
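The set-versus-add difference can be dry-run before a single command touches the switch. The following Python is an added example, not from the lab or from Cisco; it models the allowed-VLAN list semantics described above (only a plain list, add and remove are handled; all, none and except are rejected) and reports which VLANs a proposed command would drop, flagging the lab's management VLAN 10.

```python
import re

MANAGEMENT_VLAN = 10  # WLC management VLAN in this lab; dropping it cuts GUI, SSH and CAPWAP

def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20,30-32' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def apply_allowed_vlan(current, command):
    """Return the allowed set after 'switchport trunk allowed vlan [add|remove] <list>'."""
    m = re.fullmatch(r"switchport trunk allowed vlan(?: (add|remove))? ([\d,\-\s]+)", command.strip())
    if not m:
        raise ValueError(f"unsupported command: {command}")  # all/none/except not modelled
    keyword, spec = m.group(1), parse_vlan_list(m.group(2))
    if keyword == "add":
        return current | spec
    if keyword == "remove":
        return current - spec
    return spec  # no keyword: the new list REPLACES the current allowed VLANs

def trunk_change_report(current, command, must_keep=(MANAGEMENT_VLAN,)):
    """Dry-run a trunk change and report which VLANs it would drop from the trunk."""
    after = apply_allowed_vlan(current, command)
    dropped = sorted(current - after)
    critical = [v for v in dropped if v in must_keep]  # VLANs whose loss causes an outage
    return {"after": sorted(after), "dropped": dropped, "critical": critical}

if __name__ == "__main__":
    trunk = parse_vlan_list("10,20,30")  # trunk state before the change, as in the lab
    for cmd in ("switchport trunk allowed vlan 40,50", "switchport trunk allowed vlan add 40,50"):
        print(cmd, "->", trunk_change_report(trunk, cmd))
```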

4. A WPA3-capable laptop fails to connect to the Corp WLAN while an older WPA2-only laptop connects successfully to the same SSID. The Corp WLAN is configured with SAE+PSK transition mode. What is the most likely cause?

Correct answer is C. WPA3-SAE has a hard dependency on Protected Management Frames (PMF, 802.11w). If PMF is Disabled on the WLAN, WPA3 clients cannot authenticate even with the correct PSK. WPA2-PSK clients can connect without PMF, which is why the older laptop succeeds. In WPA3+WPA2 transition mode the WLAN must accept all three kinds of client: WPA3 clients, for which PMF is mandatory; WPA2 clients that support 802.11w and use PMF when offered; and legacy WPA2 clients that connect without it. On a Cisco WLC this is expressed as PMF = Optional at the WLAN level, which satisfies all three. If PMF is set to Disabled, SAE clients are entirely blocked. Verify with show wlan 1 → the "PMF" field should be Required or Optional, never Disabled when SAE is enabled.

5. What is the maximum number of SSIDs a single Cisco lightweight AP can broadcast simultaneously, and what should an administrator do if more WLANs are needed than this limit?

Correct answer is D. The 16 SSID per-AP limit is a fundamental 802.11 architectural constraint — each additional SSID adds overhead to beacon frames and increases the airtime consumed by management traffic. Beyond 3–4 SSIDs per AP, RF performance begins to degrade measurably. Cisco recommends limiting active SSIDs to 4–5 per AP for best performance. AP Groups solve the management challenge: a warehouse AP might only broadcast the IoT and Corp SSIDs, while a conference room AP broadcasts Corp and Guest SSIDs, and a lobby AP broadcasts only Guest. All WLANs are still configured centrally on the WLC — AP Groups control which subset each AP advertises. This keeps beacon overhead low while maintaining centralised management.

6. P2P Blocking is enabled (set to Drop) on the Guest WLAN. Guest Client A (IP 192.168.40.10) is on AP1. Guest Client B (IP 192.168.40.11) is on AP2. Can Client A reach Client B, and why or why not?

Correct answer is A. This is an important limitation of WLC P2P Blocking that is often misunderstood. P2P Blocking on Cisco WLC prevents one wireless client from directly sending frames to another wireless client on the same AP and same SSID. It works at the AP level: the AP checks the destination MAC and if it belongs to another associated client, it drops the frame before it goes anywhere. However, when two clients are on different APs, the traffic path is: Client A → AP1 → CAPWAP tunnel → WLC → switch (VLAN 40) → AP2 CAPWAP tunnel → Client B. The traffic traverses the wired network as regular VLAN-tagged frames. The switch sees this as normal intra-VLAN traffic between two legitimate ports and forwards it. The WLC does not have the context to block it at this point. For full guest isolation across APs, configure a private VLAN or an intra-VLAN ACL on the switch for VLAN 40 to block traffic between hosts on that subnet.

7. What is the purpose of setting QoS to Bronze on the IoT WLAN, and what happens if it is accidentally set to Platinum?

Correct answer is C. Cisco WLC QoS levels map to 802.11e/WMM access categories. Platinum (highest) maps to WMM Voice (AC_VO) — traffic is queued with minimal latency and maximum priority. Gold maps to WMM Video (AC_VI). Silver maps to WMM Best Effort (AC_BE). Bronze (lowest) maps to WMM Background (AC_BK) — traffic can be deferred when higher-priority queues are busy. Setting IoT devices to Platinum creates two problems: (1) IoT sensor data competes directly with voice packets for the highest-priority queue, potentially causing jitter and packet loss on voice calls. (2) Platinum QoS bypasses the per-client bandwidth contract feature, so the 1 Mbps throttle is not enforced — a malfunctioning IoT device could flood the wireless medium at full rate without restriction. Bronze is correct because it keeps IoT traffic out of the way of latency-sensitive applications while bandwidth contracts enforce throughput limits.

8. show client detail for a corporate user shows "Authentication Algorithm: PSK" instead of "SAE". The Corp WLAN is configured for WPA3+WPA2 transition mode. Is this a problem, and what does it mean?

Correct answer is B. WPA3+WPA2 transition mode exists precisely to handle mixed client environments during the migration period. When a client connects, it negotiates the highest security level it supports. A WPA3-capable device negotiates SAE (shown as "Authentication Algorithm: SAE"). A WPA2-only device falls back to PSK (shown as "Authentication Algorithm: PSK"). Both are valid connections on the same SSID — this is the purpose of transition mode. The WPA2-PSK connection is still AES-encrypted and reasonably secure (assuming a strong PSK). The risk is that WPA2-PSK handshakes can be captured and attacked offline, unlike SAE. Tracking which devices are using PSK vs SAE via show client detail gives the administrator visibility into which devices need hardware upgrades to achieve full WPA3 security across the fleet.

9. An IoT WLAN is configured with "DHCP Address Assignment: Required." An IoT sensor ships preconfigured with static IP 192.168.50.50. What happens when this sensor tries to connect?

Correct answer is D. The "DHCP Address Assignment Required" setting on a Cisco WLC WLAN instructs the WLC to block forwarding of data traffic from any client that has not obtained an IP address through DHCP on that WLAN. The 802.11 association (Layer 2) succeeds normally — the sensor authenticates with the PSK and associates to the AP. However, the WLC watches for a DHCP exchange from the client. If the client never sends a DHCP Discover (because it has a statically configured IP), the WLC considers it non-DHCP and blocks its data traffic. This setting is useful for enforcing that all IoT devices use DHCP (ensuring they appear in the DHCP binding table for DHCP Snooping and inventory purposes), but it breaks any device with a static IP configuration. The administrator must either reconfigure the sensor firmware to use DHCP, or disable this option if static IPs are required.

10. The WLAN summary shows Corp-WLAN, Guest-WLAN, and IoT-WLAN all as Enabled. However, clients report that only "NetsTuts-Corp" is visible in their Wi-Fi scan — the other two SSIDs are not shown. What is the most likely single cause for both SSIDs being invisible?

Correct answer is C. This is a common configuration oversight. The WLC WLAN has two independent on/off controls: Status (Enabled/Disabled) and Broadcast SSID (checked/unchecked). Status controls whether the WLAN is active at all. Broadcast SSID controls whether the SSID name appears in 802.11 beacon frames and probe responses. An Enabled WLAN with Broadcast SSID unchecked is a "hidden" network — clients who know the exact SSID name can still manually connect, but the network does not appear in any device's Wi-Fi scan. The show wlan summary output shows Status: Enabled for all WLANs, but does not directly show the Broadcast SSID setting. To verify: show wlan [id] and check "Broadcast SSID" field, or open each WLAN in the GUI and confirm the Broadcast SSID checkbox is checked on the General tab.
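As an added defender-side check (not part of the original lab and not a Cisco tool), the following Python parses a constructed approximation of show wlan <id> output and flags the three misconfigurations from questions 1, 4 and 10: a WLAN left on the management interface, SAE enabled with PMF Disabled, and an Enabled WLAN whose Broadcast SSID is off. The dotted "Field..... Value" layout and the field names are assumptions; adjust the regex and keys to the exact output of your controller version.

```python
import re

# Constructed sample in the "Field..... Value" layout of show wlan <id> (not real
# controller output, which has many more fields); only the fields the lab checks appear.
SHOW_WLAN = """\
Profile Name..................................... Corp-WLAN
Status........................................... Enabled
Broadcast SSID................................... Enabled
Interface........................................ corp-clients
PMF.............................................. Disabled
Auth Key Management: SAE......................... Enabled

Profile Name..................................... Guest-WLAN
Status........................................... Enabled
Broadcast SSID................................... Disabled
Interface........................................ management
PMF.............................................. Optional
Auth Key Management: SAE......................... Disabled
"""

FIELD = re.compile(r"^(.*?)\.{2,}\s*(.*)$")  # 'Name.... Value' -> (Name, Value)

def parse_wlans(text):
    """One dict per WLAN; WLAN blocks are separated by blank lines."""
    wlans = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        wlans.append(fields)
    return wlans

def audit_wlans(text, mgmt_interface="management"):
    """Return (profile, finding) pairs for the misconfigurations in questions 1, 4 and 10."""
    findings = []
    for w in parse_wlans(text):
        name = w.get("Profile Name", "?")
        if w.get("Interface", "").lower() == mgmt_interface:  # clients land on the mgmt VLAN
            findings.append((name, "mapped to management interface"))
        if w.get("Auth Key Management: SAE") == "Enabled" and w.get("PMF") == "Disabled":
            findings.append((name, "SAE enabled with PMF Disabled"))  # blocks every WPA3 client
        if w.get("Status") == "Enabled" and w.get("Broadcast SSID") != "Enabled":
            findings.append((name, "enabled but Broadcast SSID off"))  # hidden SSID
    return findings

if __name__ == "__main__":
    for profile, finding in audit_wlans(SHOW_WLAN):
        print(f"{profile}: {finding}")
```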