Wireless LAN Controller (WLC) – Overview

1. The Problem WLCs Solve — Managing Scale

In a small network with one or two autonomous access points (APs), an administrator can log into each AP individually and configure it directly. Each AP operates independently — managing its own radio settings, SSIDs, security policies, and client associations. This works at small scale but breaks down completely in enterprise environments.

A medium-sized enterprise campus might deploy 100–500 APs. A large enterprise or university might deploy thousands. Managing each individually — updating firmware, changing SSIDs, rotating passwords, monitoring rogue devices — would require enormous administrative effort and would be inherently inconsistent. A Wireless LAN Controller (WLC) centralises all of this management into a single point of control.

Challenge	Without WLC (Autonomous APs)	With WLC (Lightweight APs)
Configuration management	Log into each AP individually — hundreds of separate management sessions	Single pane of glass — configure all APs from one WLC GUI or CLI
Firmware updates	Update each AP manually — inconsistent versions, high risk of human error	WLC pushes firmware to all APs simultaneously — consistent versions guaranteed
SSID and security policy	Configure each AP separately — policies drift over time	Define once on WLC — pushed to all APs automatically
RF management	Set channel and power manually per AP — risk of interference between neighbouring APs	WLC runs RRM (Radio Resource Management) — automatically adjusts channel and power to minimise interference
Client roaming	Roaming between APs requires re-authentication — slow, disruptive for voice/video	WLC tracks client state — fast roaming between APs without full re-authentication
Rogue AP detection	No centralised visibility — each AP sees only its own RF environment	WLC aggregates RF data from all APs — detects rogues across the entire wireless domain

2. Autonomous vs Lightweight APs

Understanding the difference between these two AP architectures is fundamental to understanding how WLCs work.

2.1 Autonomous APs

An autonomous AP (also called a standalone AP or fat AP) contains all the intelligence needed to operate completely independently. It handles every aspect of wireless operation on its own — including beacon transmission, client authentication, frame encryption/decryption, and forwarding decisions.

  Autonomous AP architecture:

  [Wireless Client] ←── 802.11 frames ──► [Autonomous AP]
                                                 │
                                          All processing here:
                                          - Beacon generation
                                          - Client authentication
                                          - 802.11 ↔ 802.3 translation
                                          - Frame encryption/decryption
                                          - Forwarding to local LAN
                                                 │
                                          [Switch / LAN]

  Each AP is a complete, self-contained wireless device.
  Configuration: SSH/Telnet/HTTPS directly to each AP's IP address.
  No dependency on any external controller.

2.2 Lightweight APs (LWAP)

A lightweight AP (LWAP) — also called a thin AP — offloads most of its intelligence to the WLC. The AP handles only the real-time, time-critical functions that must happen at the radio — everything else is managed by the controller.

  Lightweight AP architecture:

  [Wireless Client] ←── 802.11 frames ──► [Lightweight AP]
                                                 │
                                          Handles locally:
                                          - Beacon transmission
                                          - Probe responses
                                          - Frame reception/transmission
                                          - Basic 802.11 management
                                                 │
                                          CAPWAP tunnel (control + data)
                                                 │
                                          [WLC — handles remotely]
                                          - Authentication decisions
                                          - Encryption keys
                                          - SSID / VLAN policies
                                          - RF management
                                          - Firmware management
                                          - Client forwarding policy

Feature	Autonomous AP	Lightweight AP
Intelligence location	Fully in the AP	Split between AP and WLC (split-MAC)
Requires WLC	No — operates independently	Yes — cannot function without WLC connection
Configuration	Direct login per AP	Centralised via WLC — AP has no local CLI for policy
Scalability	Poor — each AP managed independently	Excellent — thousands of APs managed from one WLC
Roaming support	Basic — Layer 3 roaming requires re-authentication	Fast roaming — WLC maintains client state across APs
Also called	Fat AP, standalone AP, controller-less AP	Thin AP, LWAP, controller-based AP

See: Lightweight vs Autonomous APs

3. Split-MAC Architecture

The split-MAC architecture is the fundamental design principle behind WLC-based wireless networks. The 802.11 MAC (Media Access Control) functions are divided between the lightweight AP and the WLC. Time-critical real-time functions stay at the AP; management and policy functions are centralised at the WLC.

  Split-MAC function division:

  ┌──────────────────────────────────────────────────────────────────┐
  │                  LIGHTWEIGHT AP handles:                         │
  │  (real-time / time-critical — must happen at the radio)          │
  │                                                                  │
  │  • Beacon frames (periodic broadcast of SSID, capabilities)      │
  │  • Probe responses (reply to client probe requests)              │
  │  • 802.11 frame transmission and reception                       │
  │  • Physical layer operations (radio channel, power, modulation)  │
  │  • ACK (acknowledgement) frames — must respond within microsecs  │
  │  • Real-time packet forwarding (data plane, localised)           │
  └──────────────────────────────────────────────────────────────────┘

  ┌──────────────────────────────────────────────────────────────────┐
  │                  WLC handles:                                    │
  │  (management / policy — can tolerate slight delay)               │
  │                                                                  │
  │  • Authentication and association decisions                      │
  │  • Encryption key management (WPA2/WPA3 key exchange)           │
  │  • SSID to VLAN mapping policies                                 │
  │  • RF management (RRM — channel, power assignment)               │
  │  • Rogue AP detection and containment                            │
  │  • Roaming state maintenance (client handoff between APs)        │
  │  • QoS policy enforcement                                        │
  │  • Firmware and configuration distribution to all APs            │
  └──────────────────────────────────────────────────────────────────┘

Why split-MAC? 802.11 ACK frames must be transmitted within microseconds of receiving a data frame — the round-trip to a central WLC would introduce too much latency. Time-critical functions stay at the AP. Authentication decisions and policy enforcement can tolerate the milliseconds of WLC processing time.

4. CAPWAP — Control and Provisioning of Wireless Access Points

CAPWAP (Control and Provisioning of Wireless Access Points) is the IETF-standard protocol (RFC 5415) that defines the tunnel between a lightweight AP and its WLC. CAPWAP carries two types of traffic: control messages (AP management, configuration, authentication) and data traffic (client data frames forwarded to the WLC).

CAPWAP Ports and Transport

  CAPWAP uses UDP — two separate ports:

  UDP 5246  →  CAPWAP Control channel
              (AP–WLC management: configuration, authentication,
               software updates, radio resource management)
              DTLS encrypted — all control traffic is secured

  UDP 5247  →  CAPWAP Data channel
              (Client data frames tunnelled from AP to WLC)
              DTLS encryption optional (not always enabled for data)

CAPWAP Tunnel Operation

  Client data flow in centralised (local) mode:

  Step 1 — Client sends a Wi-Fi frame to the AP:
  [Client] ──── 802.11 frame ────► [Lightweight AP]

  Step 2 — AP encapsulates the 802.11 frame inside CAPWAP:
  [Lightweight AP] wraps frame:
  [Outer Ethernet][Outer IP][UDP 5247][CAPWAP header][Original 802.11 frame]

  Step 3 — Encapsulated frame travels across the wired network to the WLC:
  [Lightweight AP] ──── CAPWAP UDP tunnel ────► [WLC]

  Step 4 — WLC decapsulates: removes CAPWAP, processes the 802.11 frame,
  forwards the inner payload to the appropriate VLAN/subnet:
  [WLC] ──── 802.3 Ethernet frame ────► [Switch / Core network / Internet]

  Return path (WLC → Client):
  [Core] → [WLC] → CAPWAP encapsulation → AP → 802.11 transmission → Client

  All client traffic passes through the WLC — the WLC sees and controls
  every frame, enabling centralised policy enforcement and monitoring.

CAPWAP Tunnel Establishment — AP Join Process

  When a lightweight AP powers up for the first time (or loses its WLC):

  Step 1 — AP obtains IP address (DHCP)
  Step 2 — AP discovers the WLC IP address via one of:
           a) DHCP Option 43 (WLC IP in DHCP offer)
           b) DNS lookup: "CISCO-CAPWAP-CONTROLLER.local-domain"
           c) Subnet broadcast (same Layer 2 domain as WLC)
           d) Previously learned WLC address (stored in flash)
           e) Static configuration on AP

  Step 3 — AP sends CAPWAP Discovery Request to WLC(s)
  Step 4 — WLC replies with CAPWAP Discovery Response
  Step 5 — AP selects best WLC (load-based or configured)
  Step 6 — DTLS handshake — mutual certificate authentication
  Step 7 — AP sends CAPWAP Join Request (includes AP model, serial, capabilities)
  Step 8 — WLC sends CAPWAP Join Response (configuration, firmware version)
  Step 9 — If firmware mismatch: WLC pushes correct firmware to AP → AP reboots
  Step 10 — AP comes back up, joins WLC, enters operational state
  Step 11 — WLC pushes SSID config, VLAN mapping, RF settings to AP
  Step 12 — AP begins transmitting beacons — wireless clients can associate

DHCP Option 43: The most reliable way to point APs to their WLC across Layer 3 boundaries (different subnets) is via DHCP Option 43, which embeds the WLC IP address(es) in the DHCP offer sent to the AP. Without it, AP-WLC discovery is limited to the local Layer 2 segment (broadcast domain).

5. AP Operational Modes

Cisco lightweight APs support multiple operational modes. The mode determines what function the AP performs in the network — not all APs need to serve clients.

Mode	Function	Client Service
Local (Centralised)	Default mode. AP serves wireless clients normally. All client data is tunnelled to the WLC via CAPWAP. The AP offers client service on its configured channels and scans other channels during off-channel periods for rogue detection and RRM.	Yes
FlexConnect	Designed for remote sites with a WAN link back to the WLC. AP can locally switch client traffic to the local LAN (and locally authenticate clients) even when the WAN link to the WLC is down. When WLC is reachable, it still provides centralised management. See Section 6.	Yes (even without WLC)
Monitor	AP dedicates 100% of its radio time to scanning all channels for rogue APs, security threats, and RF interference. Does not serve any wireless clients — purely a sensor.	No
Rogue Detector	AP connects to the wired network only (no radio). Listens for rogue AP MAC addresses on the wired LAN that match MAC addresses detected over-the-air by other APs — confirms the rogue is connected to the wired network.	No
Sniffer	Captures all 802.11 frames on a specific channel and forwards them to a packet analyser (e.g., Wireshark) for analysis. Does not serve clients while in this mode.	No
Bridge / Mesh	Provides a wireless backhaul bridge between buildings or network segments. One AP acts as root bridge (connected to wired LAN); others act as non-root bridges, extending the network wirelessly.	Optional
SE-Connect	Spectrum Expert Connect — dedicated to spectrum analysis. Forwards raw RF spectrum data to a Cisco Spectrum Expert client for detailed RF interference analysis.	No

6. Centralised Mode vs FlexConnect Mode

These are the two primary deployment modes for client-serving APs and represent a key CCNA topic. The choice between them depends on the network topology — specifically whether the AP has a reliable high-bandwidth link to the WLC.

6.1 Centralised Mode (Local Mode)

  Centralised mode — all client traffic tunnelled to WLC:

  [Wireless Client]
         │ 802.11
         ▼
  [Lightweight AP]  ← local mode AP (e.g., branch office or campus)
         │
         │ CAPWAP tunnel (all client data + control)
         │
  [WAN / IP Network]
         │
  [WLC at HQ / Data Centre]
         │
  [Core Switch / Internet]

  Client data flow:
  Client ──► AP ──► CAPWAP ──► WLC ──► Core ──► Internet/resources

  Characteristics:
  ✓ Full centralised policy enforcement — WLC sees all traffic
  ✓ Seamless roaming — WLC maintains client mobility state
  ✓ Centralised visibility — WLC can monitor/filter all wireless traffic
  ✗ All traffic hairpins through WLC — bandwidth and latency concern on WAN
  ✗ If WLC or WAN link fails → AP cannot serve clients
  ✗ Not suitable for remote branch sites with low-bandwidth WAN links

6.2 FlexConnect Mode (Formerly H-REAP)

  FlexConnect mode — AP can locally switch traffic:

  [Wireless Client]
         │ 802.11
         ▼
  [FlexConnect AP]  ← at remote branch site
         │              │
         │              │ Local switching (no CAPWAP for data)
         │              ▼
         │        [Branch LAN Switch]
         │              │
         │        [Local Internet / Local Resources]
         │
         │ CAPWAP control only (management, config updates)
         │ (only control traffic goes to WLC)
         ▼
  [WAN link to WLC at HQ]
  [WLC] — manages AP configuration and policy only

  Client data flow (connected mode):
  Client ──► FlexConnect AP ──► Local Switch ──► Local Internet/resources
                                (data does NOT go to WLC)
  WLC still provides: config management, firmware, authentication policy

  Client data flow (standalone mode — WAN/WLC unreachable):
  Client ──► FlexConnect AP ──► Local Switch ──► Local resources
  AP operates independently using cached config (no WLC needed for data)

FlexConnect States

State	WLC Reachable?	Client Authentication	Data Forwarding
Connected	Yes	WLC handles (or AP handles locally if configured)	Locally switched — traffic does not traverse WAN to WLC
Standalone	No — WAN down	AP authenticates locally using cached credentials	Locally switched using cached VLAN/policy config from WLC

Centralised vs FlexConnect Comparison

Feature	Centralised (Local Mode)	FlexConnect
Data path	All data tunnelled via CAPWAP to WLC	Data locally switched at branch; only control to WLC
WAN bandwidth usage	High — all wireless data crosses WAN	Low — only control traffic crosses WAN
WLC dependency	Complete — AP dead without WLC	Partial — survives WLC outage in standalone mode
Best for	Campus or data centre — high-bandwidth link to WLC	Remote branch — low-bandwidth WAN, local Internet breakout
Visibility	WLC sees all client traffic	WLC sees only control traffic; data is local
Also known as	Local mode	H-REAP (legacy name), FlexConnect

See: FlexConnect AP Configuration Lab

7. WLC Physical and Virtual Deployment

Cisco WLCs are available in several form factors to suit different deployment scales — from small branch office deployments to large enterprise campuses managing thousands of APs.

WLC Type	Form Factor	Scale	Use Case
Cisco Catalyst 9800 Series	Physical appliance or IOS XE software image	Up to 10,000+ APs	Large enterprise campus — dedicated hardware controller
Embedded WLC (EWC)	WLC function embedded in a Catalyst switch or AP	Up to ~200 APs	Medium deployments — no separate controller hardware needed
Cisco 3504 / 5520 / 8540 WLC	Dedicated physical appliance (legacy)	150–6,000 APs depending on model	Legacy enterprise deployments — being replaced by 9800 series
Virtual WLC (vWLC)	VM image (VMware, KVM, Hyper-V)	Up to ~3,000 APs	Virtualised data centres — software-defined infrastructure
Cisco DNA Center (cloud-managed)	On-premise or cloud management platform	Thousands of APs	Intent-based networking — centralised management with automation

8. WLC Interfaces — Port Types

A WLC has several logical interface types, each serving a different purpose. Understanding these interfaces is essential for WLC configuration and the CCNA exam.

Interface	Purpose	Notes
Management interface	Primary in-band management interface for WLC GUI (HTTPS), CLI (SSH/Telnet), SNMP, NTP, syslog, and CAPWAP AP communication	Must have an IP address on the management VLAN; used for all WLC-to-AP CAPWAP tunnels by default
AP-Manager interface	Handles CAPWAP control traffic between APs and WLC when a separate AP management IP is desired	On Cisco 9800 series, the management interface handles AP management — a separate AP-Manager interface is not required
Virtual interface	A special IP address (typically 1.1.1.1 or 192.0.2.1) used for web authentication redirect (guest portals), DHCP relay, and client mobility anchor operations	Must be the same on all WLCs in a mobility group; should NOT be routable on the network
Dynamic interface	Maps a WLAN (SSID) to a specific VLAN on the wired network. One dynamic interface per SSID–VLAN mapping is the typical design	Each dynamic interface has an IP address that serves as the default gateway for clients on that SSID's VLAN (if DHCP is provided by the WLC)
Service port	Out-of-band management port — physical Ethernet port for management access even when the network is down	Not capable of carrying wireless data; used for initial configuration and emergency access

9. SSID to VLAN Mapping

One of the most important WLC functions is mapping each SSID (wireless network name) to a corresponding wired VLAN. This allows different types of wireless users — employees, guests, IoT devices — to be segmented into separate Layer 2 domains just as they would be on the wired LAN.

  SSID to VLAN mapping on a WLC:

  WLC Dynamic Interfaces (one per SSID/VLAN pair):
  ┌────────────────────────────────────────────────────────────┐
  │  Dynamic interface: Corp-SSID  → VLAN 10  (10.10.10.0/24)│
  │  Dynamic interface: Guest-SSID → VLAN 20  (10.20.20.0/24)│
  │  Dynamic interface: IoT-SSID   → VLAN 30  (10.30.30.0/24)│
  └────────────────────────────────────────────────────────────┘

  Client connects to "Corp-WiFi" SSID:
  → AP associates client → CAPWAP to WLC
  → WLC maps client to VLAN 10 (corp dynamic interface)
  → Client receives IP from 10.10.10.0/24 DHCP pool
  → Client traffic exits WLC on VLAN 10 trunk to core switch

  Client connects to "Guest-WiFi" SSID:
  → AP associates client → CAPWAP to WLC
  → WLC maps client to VLAN 20 (guest dynamic interface)
  → Client receives IP from 10.20.20.0/24 DHCP pool
  → Client traffic exits WLC on VLAN 20 — isolated from corporate network

  The WLC uplink to the switch must be an 802.1Q trunk carrying all VLANs:
  [WLC] ──── 802.1Q trunk (VLAN 10, 20, 30, mgmt) ────► [Core Switch]

Guest SSID isolation: The guest SSID VLAN should be routed directly to the Internet (or through a firewall/web filter) without access to the corporate network. This is typically achieved by not advertising the guest VLAN in the internal routing table and routing guest traffic through a dedicated Internet path or DMZ.

See: WLC SSID & VLAN Mapping Lab | VLANs Overview | 802.1Q VLAN Tagging | Access & Trunk Ports

10. WLC Management Access

A WLC provides multiple ways for administrators to connect and manage the device and its associated APs.

10.1 Web GUI (HTTPS)

The primary management method for most administrators. Access is via a web browser at the WLC management interface IP address over HTTPS (port 443). The GUI provides dashboards for AP status, client monitoring, WLAN configuration, RF management, and security policies.

  Access WLC Web GUI:
  Browser: https://<WLC-management-IP>
  Default credentials (new device): admin / admin (change immediately)

  Cisco Catalyst 9800 Web UI sections:
  ├── Dashboard     (overview: APs online, client count, RF health)
  ├── Monitoring    (AP detail, client list, rogue detection, event log)
  ├── Configuration (WLANs/SSIDs, interfaces, RF profiles, security)
  ├── Administration (backup/restore config, firmware upgrade, licenses)
  └── Troubleshooting (debug tools, packet capture, client trace)

10.2 CLI (SSH)

  SSH to WLC management interface:
  $ ssh admin@<WLC-management-IP>

  Cisco WLC CLI prompt:
  (Cisco Controller) >
  (Cisco Controller) > help         ! list available commands
  (Cisco Controller) > show summary  ! summary of WLC status and AP count

  Common WLC show commands:
  show ap summary               ! list all joined APs with status
  show ap config general <ap>  ! detailed config for a specific AP
  show wlan summary             ! list all configured WLANs/SSIDs
  show interface summary        ! list all WLC interfaces
  show client summary           ! list associated wireless clients
  show rf-profile summary       ! list RF profiles
  show sysinfo                  ! WLC model, firmware version, uptime

10.3 SNMP and Syslog

  WLC supports SNMP v1/v2c/v3 for monitoring integration with NMS:
  - SNMP traps: AP join/leave events, client association, rogue detection
  - SNMP polling: AP count, client count, channel utilisation

  Syslog: WLC forwards event logs to a syslog server
  Configuration (CLI):
  config logging syslog host <syslog-server-IP>
  config logging syslog level informational

See: Syslog Overview | SNMP Overview

11. Radio Resource Management (RRM)

RRM (Radio Resource Management) is one of the most valuable WLC features. It is an automated system that continuously monitors the RF environment across all APs and dynamically adjusts channel assignments and transmit power to optimise coverage and minimise co-channel interference. See also Wi-Fi Overview.

  RRM functions:

  Dynamic Channel Assignment (DCA):
  - Monitors neighbouring APs and detected interference on each channel
  - Reassigns APs to least-congested channels automatically
  - Avoids co-channel interference (two APs on the same channel
    within range of each other)
  - For 2.4 GHz: uses non-overlapping channels 1, 6, 11
  - For 5 GHz: uses many more non-overlapping channels (20/40/80 MHz)

  Transmit Power Control (TPC):
  - Monitors signal strength reports from APs and neighbours
  - Reduces AP transmit power when adjacent APs overlap too much
    (reduces co-channel interference)
  - Increases power when a coverage hole is detected (AP fails or
    signal too weak in an area)

  Coverage Hole Detection:
  - APs report client signal strength (RSSI) to WLC
  - WLC identifies areas where clients are connecting at very low RSSI
    (edge of coverage) → potential coverage hole
  - WLC increases nearby AP power or triggers alert

  RRM operates continuously — no administrator intervention required for
  routine RF optimisation. Manual overrides are available for specific APs.

12. High Availability and Redundancy

In an enterprise wireless deployment, the WLC is a critical infrastructure component. If the WLC fails, all APs in local mode lose connectivity and cannot serve clients. High availability is achieved through WLC redundancy mechanisms.

HA Method	Description	Failover Time
N+1 Redundancy	A backup WLC is deployed alongside the primary. APs are configured with a primary and secondary WLC. If the primary fails, APs re-join the secondary WLC after the CAPWAP keepalive timeout expires.	Seconds to minutes — APs must re-join and re-download configuration
SSO (Stateful Switchover)	Two WLCs form an active/standby pair. The standby WLC receives real-time state synchronisation from the active WLC (AP join info, client associations). On failover, the standby takes over instantly — APs and clients do not notice the switchover.	Sub-second — stateful failover; no AP re-join required
FlexConnect Standalone	FlexConnect APs can continue serving clients locally even when the WLC is unreachable — using cached configuration. New clients can associate using locally cached credentials.	No failover needed — AP continues independently

13. WLC Summary — Key Facts

Topic	Key Fact
WLC purpose	Centralises management of all lightweight APs — SSIDs, security, RF, firmware, roaming, client policy. See Controller-Based Networking.
Lightweight AP dependency	Cannot operate independently — requires WLC for configuration and authentication (except FlexConnect standalone mode). See Lightweight vs Autonomous APs.
Split-MAC	Real-time functions (beacons, ACKs) at AP; management/policy (authentication, encryption keys, RF management) at WLC
CAPWAP protocol	IETF RFC 5415; UDP 5246 (control) and UDP 5247 (data); DTLS-encrypted control plane
AP discovery	DHCP Option 43, DNS, broadcast, static config, or previously learned WLC address
Local (centralised) mode	All client data tunnelled via CAPWAP to WLC; WLC forwards to appropriate VLAN; AP dead without WLC
FlexConnect mode	Client data locally switched at branch; only control traffic to WLC; survives WLC/WAN outage in standalone mode
Management interface	Primary WLC management and CAPWAP endpoint; requires IP on management VLAN — accessed via HTTPS GUI or SSH CLI
Dynamic interface	Maps each SSID to a VLAN; one per SSID–VLAN pair. See 802.1Q VLAN Tagging.
Virtual interface	Used for web auth (guest portal) and DHCP relay; must be same IP on all WLCs in mobility group; not routable on the network
WLC uplink to switch	Must be an 802.1Q trunk carrying all SSID VLANs. See Access & Trunk Ports.
RRM	Automatic channel and power optimisation across all APs; Dynamic Channel Assignment + Transmit Power Control

14. WLC Concepts Quiz

1. What is the primary function of a Wireless LAN Controller (WLC) in a controller-based wireless network?

A. To physically transmit and receive 802.11 radio signals on behalf of all APs B. To centralise the management, configuration, and policy enforcement for all lightweight APs — providing a single point of control for SSIDs, security policies, firmware updates, RF management, and client roaming across all APs in the deployment. C. To replace the core switch by routing all wireless and wired traffic in the network D. To provide DHCP services exclusively to wireless clients

Correct answer is B. A WLC is the centralised brain of a controller-based wireless network. It does not transmit radio signals itself — that is the AP's job. Instead, the WLC manages every lightweight AP under its control: pushing SSID configurations, security policies (WPA2/WPA3, 802.1X), firmware updates, RF parameters (channel, power), and maintaining client mobility state for seamless roaming. Without a WLC, lightweight APs cannot function — they have no local policy intelligence of their own.

2. What protocol carries traffic between a lightweight AP and its WLC, and what UDP ports does it use?

A. GRE (Generic Routing Encapsulation) on TCP port 1723 B. LWAPP — UDP ports 12222 and 12223 (legacy) C. IPsec on UDP port 500 D. CAPWAP (Control and Provisioning of Wireless Access Points) — UDP 5246 for the control channel (management, configuration, DTLS-encrypted) and UDP 5247 for the data channel (client data frames tunnelled to the WLC).

Correct answer is D. CAPWAP (RFC 5415) is the IETF-standard protocol replacing the older proprietary LWAPP protocol. CAPWAP uses two UDP channels: port 5246 for control traffic (AP management, configuration pushes, CAPWAP keepalives, AP join/leave messages) — this channel is protected with DTLS encryption. Port 5247 carries client data frames (the actual Wi-Fi payload tunnelled from AP to WLC). CAPWAP operates over UDP, making it transport-agnostic and able to traverse Layer 3 networks (routed networks) between AP and WLC.

3. In the split-MAC architecture, which functions are handled by the lightweight AP, and which are handled by the WLC?

A. AP handles real-time functions: beacon transmission, probe responses, ACK frames, and frame transmission/reception. WLC handles management functions: authentication decisions, encryption key management, SSID/VLAN policy, RF management, firmware distribution, and roaming state. B. AP handles everything — the WLC only provides a backup configuration store C. WLC handles all 802.11 functions including beacon transmission; the AP is just a radio antenna D. Both AP and WLC share all functions equally — either can handle any 802.11 operation

Correct answer is A. Split-MAC divides 802.11 functions based on timing requirements. Functions that must happen within microseconds (ACK frames, beacon transmission, probe responses) stay at the AP because the round-trip delay to a WLC would violate 802.11 timing requirements. Functions that can tolerate milliseconds of delay (authentication decisions, key exchange, policy enforcement) are centralised at the WLC. This design allows one WLC to intelligently manage hundreds or thousands of APs while keeping real-time radio operations local.

4. A company has a main campus with a WLC and 20 remote branch offices, each with 2–3 APs connected via low-bandwidth WAN links. The company wants branch APs to continue serving clients if the WAN link goes down. Which AP mode should be used at the branch offices?

A. Local (centralised) mode — it provides the most centralised control B. Monitor mode — it provides the best coverage visibility C. FlexConnect mode — APs locally switch client traffic (reducing WAN bandwidth consumption) and enter standalone mode when the WAN/WLC is unreachable, continuing to serve clients using cached configuration and credentials. D. Autonomous mode — completely independent of the WLC

Correct answer is C. FlexConnect is designed exactly for this remote branch scenario. In centralised (local) mode, all wireless client data would traverse the WAN link to the WLC — consuming expensive WAN bandwidth for local Internet access. More critically, if the WAN link goes down, all branch APs in local mode would stop serving clients. FlexConnect addresses both problems: client data is locally switched at the branch (no WAN consumption for data), and when the WAN/WLC is unreachable, the AP enters standalone mode using its cached SSID/VLAN/security config, allowing branch users to continue working.

5. How does a lightweight AP discover and join its WLC when the AP is on a different subnet from the WLC?

A. The AP broadcasts on UDP port 5246 — routers forward the broadcast to all subnets automatically B. The most reliable method is DHCP Option 43, which embeds the WLC IP address(es) in the DHCP offer sent to the AP. Other methods include DNS (CISCO-CAPWAP-CONTROLLER.domain), a previously stored WLC IP in flash, or static configuration on the AP. C. APs can only join a WLC on the same subnet — Layer 3 CAPWAP is not supported D. The AP uses Cisco Discovery Protocol (CDP) to find the WLC IP address across routed boundaries

Correct answer is B. When an AP and WLC are on different subnets (common in enterprise deployments), the AP cannot simply broadcast to find the WLC. DHCP Option 43 is the standard enterprise solution: the DHCP server includes the WLC management IP address(es) in the DHCP offer to the AP, providing the WLC address at the same time the AP gets its own IP address. DNS resolution of the special hostname "CISCO-CAPWAP-CONTROLLER.local-domain" is another method. CDP operates only at Layer 2 (same VLAN) and cannot span routed boundaries, so option D is incorrect.

6. What is the purpose of the WLC virtual interface, and what IP address is typically assigned to it?

A. The virtual interface is the primary management IP used for SSH access and AP CAPWAP tunnels B. The virtual interface is used for SNMP traps and syslog forwarding C. The virtual interface provides redundancy — it takes over from the management interface if it fails D. The virtual interface is used for web authentication redirect (guest captive portals), DHCP relay, and client mobility anchor operations. It is typically assigned a non-routable IP (commonly 1.1.1.1 or 192.0.2.1) that must match on all WLCs in the same mobility group.

Correct answer is D. The WLC virtual interface is a special logical construct — it is not a routable management IP and is not used for AP communication. Its primary use is web authentication: when a client associates with a guest SSID that requires a captive portal login, the WLC intercepts the client's HTTP request and redirects it to the virtual interface IP, which serves the login page. It is also used for DHCP relay and as the anchor point for client mobility (roaming between WLCs). The virtual interface IP must be the same on all WLCs in a mobility group but must NOT be routable on the network — if it were, external traffic could reach the login page unintentionally.

7. An administrator configures three SSIDs on a WLC: one for employees (VLAN 10), one for guests (VLAN 20), and one for IoT devices (VLAN 30). What type of WLC interface must be created for each SSID, and what must be configured on the switch port connecting to the WLC?

A. A dynamic interface must be created on the WLC for each SSID–VLAN mapping. The switch port connected to the WLC must be configured as an 802.1Q trunk carrying VLANs 10, 20, and 30 (plus the management VLAN). B. A management interface per SSID; the switch port must be a routed port C. No additional interfaces needed — the management interface handles all VLANs; switch port is an access port D. Virtual interfaces, one per SSID; switch port is a standard access port

Correct answer is A. Dynamic interfaces are the WLC mechanism for mapping SSIDs to VLANs. Each SSID is bound to a dynamic interface, and each dynamic interface maps to a specific VLAN on the wired network. When a client associates with an SSID, the WLC places that client's traffic into the corresponding VLAN via the dynamic interface. Since the WLC must carry traffic for multiple VLANs simultaneously (10, 20, 30, and management), the physical uplink from the WLC to the core switch must be an 802.1Q trunk that carries all these VLANs. An access port can only carry one VLAN and would not work.

8. In centralised (local) AP mode, what is the data path for a wireless client browsing the Internet?

A. Client → AP → local switch → Internet (data is locally switched at the AP) B. Client → AP → DNS server → WLC → Internet C. Client → AP (802.11) → CAPWAP tunnel → WLC → core switch → Internet. All client data is encapsulated in CAPWAP and tunnelled to the WLC, which decapsulates and forwards it to the appropriate VLAN on the wired network. D. Client → AP → IPsec tunnel → WLC → RADIUS server → Internet

Correct answer is C. In centralised (local) mode, the AP does not locally switch any client traffic. Every data frame from a wireless client is encapsulated by the AP inside a CAPWAP data tunnel (UDP 5247) and sent across the wired network to the WLC. The WLC decapsulates the frame, removes the CAPWAP header, and forwards the inner Ethernet/IP packet to the appropriate VLAN on the core switch — which then routes it toward the Internet. Return traffic follows the reverse path: core switch → WLC → CAPWAP encapsulation → AP → 802.11 transmission → client. This "hairpin" through the WLC is why centralised mode is not ideal for remote sites with low-bandwidth WAN links.

9. What is RRM, and what two main functions does it perform automatically in a WLC-managed wireless network?

A. Rogue Router Management — detects and removes rogue routers from the network; assigns IP addresses and blocks unauthorised gateways B. Radio Resource Management — automatically assigns channels to APs (Dynamic Channel Assignment) to minimise co-channel interference, and adjusts AP transmit power (Transmit Power Control) to optimise coverage without overlap. C. Remote Router Management — manages connected routers via SNMP and adjusts routing tables automatically D. Roaming Resource Management — manages client handoff between APs and maintains session state during roaming

Correct answer is B. RRM (Radio Resource Management) is the WLC's automated RF optimisation engine. Its two primary functions are Dynamic Channel Assignment (DCA) — the WLC continuously monitors the RF environment across all APs and automatically assigns each AP to the least congested channel, avoiding co-channel interference between neighbouring APs; and Transmit Power Control (TPC) — the WLC adjusts each AP's transmit power to optimise coverage, reducing power when APs overlap excessively (reducing interference) and increasing power when coverage holes are detected. RRM operates continuously without administrator intervention, adapting to environmental changes.

10. A lightweight AP has been operating normally for weeks. After a network change, the AP shows as "Disconnected" in the WLC dashboard. The AP's LED is flashing. What are the most likely causes to investigate first?

A. The AP's 802.11 radio has failed — replace the AP hardware B. The AP needs a manual firmware update before it can rejoin the WLC C. The WLC management interface IP has changed and must be updated in every AP's local flash manually D. Most likely causes: (1) IP connectivity lost between AP and WLC — check physical link, PoE, switch port config, VLAN/trunk settings. (2) CAPWAP UDP 5246/5247 blocked by an ACL introduced during the network change. (3) AP failed to get an IP via DHCP — check DHCP server and Option 43. (4) WLC management interface IP changed — AP cannot find WLC; update DHCP Option 43 or DNS record.

Correct answer is D. A flashing LED and "Disconnected" state means the AP is powered and trying to join but cannot establish a CAPWAP connection to the WLC. After a network change, the most common causes are: (1) A switch configuration change broke connectivity — check the AP's switch port (VLAN, trunk, access VLAN, PoE status). (2) A new ACL was applied that blocks CAPWAP UDP 5246 or 5247. (3) A DHCP change means the AP gets a different IP or no longer receives DHCP Option 43 with the WLC address. (4) The WLC management interface IP changed — the AP is sending CAPWAP Join Requests to the old IP. Verify with show ap summary on the WLC and packet captures on the AP's switch port to see if CAPWAP traffic is reaching the WLC.

← Back to Home