Access Points (APs) & Wireless LAN Controllers (WLCs)

1. What Is an Access Point?

An Access Point (AP) is a network device that allows wireless clients — laptops, smartphones, tablets, IoT devices — to connect to a wired LAN using Wi-Fi. It operates at Layer 2 (Data Link) of the OSI model, acting as a bridge between the wireless 802.11 segment and the wired Ethernet infrastructure. APs are the fundamental building block of every wireless network, from a single home router to an enterprise campus with thousands of APs. For an overview of wireless networking, see Wireless LAN Overview.

Example: When you connect your smartphone to the office Wi-Fi, your phone communicates with the nearest AP over radio waves. The AP bridges that wireless frame onto the wired LAN, where it is switched to its destination — a file server, the internet gateway, or another device.

Related pages: IEEE 802.11 Wi-Fi Standards | Lightweight vs Autonomous APs | Frequency Channels | Wi-Fi Security | WLC Getting Started | WLC SSID-VLAN Mapping | RF Channel & Power Planning

2. Types of Access Points

| Type | Description | Management | Best For |
|---|---|---|---|
| Autonomous (Standalone) AP | Full functionality on its own. Configured individually via CLI or web GUI. All intelligence resides in the AP itself. | Per-device (manual) | Small offices, homes, SOHO, labs |
| Lightweight (Controller-based) AP | Minimal local intelligence. Receives all configuration, firmware, and policies from a WLC via CAPWAP tunnel. Cannot operate standalone. | Centralized via WLC | Enterprise, campus, multi-site deployments |
| Cloud-Managed AP | Managed through a cloud dashboard (e.g., Cisco Meraki). No on-premises controller required. Configuration pushed from the cloud. | Cloud dashboard | Distributed sites, MSP-managed networks |

CCNA Exam Focus: The exam primarily tests Lightweight APs + WLC (controller-based) and Autonomous APs. Know the key difference: lightweight APs depend on a WLC for all configuration and cannot forward traffic without an active CAPWAP connection to the controller (in local mode).

See: Lightweight vs Autonomous APs — Full Comparison

3. AP Operating Modes

Lightweight APs can be placed into different operating modes on the WLC to serve specific purposes beyond standard client connectivity.

| Mode | Description | Use Case |
|---|---|---|
| Local | Default mode. AP serves wireless clients and tunnels all traffic to the WLC via CAPWAP. | Standard enterprise client access |
| FlexConnect | AP locally switches client data at the branch. Still managed by WLC but can operate if WAN link to WLC goes down. See FlexConnect AP Configuration. | Remote branches, WAN-connected sites |
| Monitor | AP does not serve clients. Passively scans all channels for rogue APs, interference, and security threats. Sends data to WLC for analysis. | WIDS/WIPS, rogue AP detection, RF monitoring |
| Sniffer | AP captures all 802.11 frames on a specific channel and forwards them to a packet analyzer (e.g., Wireshark via a remote host). | Wireless packet capture and deep troubleshooting |
| Rogue Detector | AP connects to the wired network and listens for rogue AP MAC addresses appearing on the wired side, correlating wireless and wired detection. | Rogue AP correlation and containment |
| Bridge / Mesh | Connects two wired network segments wirelessly (point-to-point or mesh backhaul), or forms a wireless mesh network between APs. | Building-to-building links, outdoor mesh |
| SE-Connect | AP dedicates its radios to spectrum analysis only, sending raw RF data to a spectrum analyzer tool for interference identification. | RF spectrum analysis and interference hunting |

4. AP Frequency Bands and Channel Planning

| Band | Non-Overlapping Channels | Range | Interference | Best For |
|---|---|---|---|---|
| 2.4 GHz | 3 (channels 1, 6, 11) | Longer — better wall penetration | High (Bluetooth, microwaves, neighbors) | IoT devices, legacy clients, long range |
| 5 GHz | 25+ (varies by country) | Medium — less wall penetration | Low to moderate | High-speed data, offices, dense deployments |
| 6 GHz (Wi-Fi 6E) | 59 (entirely new spectrum) | Short — highest frequency | Very low (no legacy devices) | High-density, future-proof enterprise |

Critical exam fact: The 2.4 GHz band has only 3 non-overlapping channels — 1, 6, and 11. Using any other channel causes overlap with neighbors, creating co-channel interference that degrades performance for all affected clients. Always use channels 1, 6, and 11 exclusively in 2.4 GHz deployments.
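To see why only 1, 6 and 11 work, the following added Python (not from the page) computes channel centre frequencies, flags neighbouring APs whose channels overlap or coincide, and proposes a 1/6/11 plan for a constructed four-AP floor. It assumes the 22 MHz 802.11b channel width and 5 MHz channel spacing; the AP names and their adjacency are constructed.

```python
"""Why 1, 6 and 11: 2.4 GHz channel centres sit 5 MHz apart (2407 + 5*n MHz) while
each channel is about 22 MHz wide, so two channels fewer than five numbers apart
overlap.  Added example, not from the page: it flags overlapping and co-channel
neighbour pairs and proposes a 1/6/11 plan; the floor plan below is constructed."""

CHANNEL_WIDTH_MHZ = 22          # 802.11b DSSS channel width; keeps 1/6/11 as the clean set
NON_OVERLAPPING = (1, 6, 11)


def channel_center_mhz(channel):
    """Centre frequency for 2.4 GHz channels 1-13 (channel 14 is a Japan-only exception)."""
    if not 1 <= channel <= 13:
        raise ValueError(f"channel {channel} is not a 2.4 GHz channel 1-13")
    return 2407 + 5 * channel


def channels_overlap(a, b):
    """True when the two channels' passbands share spectrum (centres closer than 22 MHz)."""
    return abs(channel_center_mhz(a) - channel_center_mhz(b)) < CHANNEL_WIDTH_MHZ


def find_conflicts(ap_channels, neighbors):
    """Return (ap_a, ap_b, kind) for every neighbouring pair that interferes."""
    conflicts = []
    for a, b in neighbors:
        ca, cb = ap_channels[a], ap_channels[b]
        if ca == cb:
            conflicts.append((a, b, "co-channel"))
        elif channels_overlap(ca, cb):
            conflicts.append((a, b, "adjacent-channel overlap"))
    return conflicts


def plan_channels(aps, neighbors):
    """Greedy assignment from {1, 6, 11}, most-constrained AP first.

    Returns (plan, unresolved). An AP lands in 'unresolved' when all three channels
    are already used by its neighbours: with only three clean channels, four mutually
    adjacent APs cannot avoid co-channel interference, and the remedy is fewer APs or
    lower transmit power rather than a fourth channel."""
    adjacency = {ap: set() for ap in aps}
    for a, b in neighbors:
        adjacency[a].add(b)
        adjacency[b].add(a)
    plan, unresolved = {}, []
    for ap in sorted(aps, key=lambda x: (-len(adjacency[x]), x)):
        used = {plan[n] for n in adjacency[ap] if n in plan}
        free = [c for c in NON_OVERLAPPING if c not in used]
        if free:
            plan[ap] = free[0]
        else:
            unresolved.append(ap)
            # least-loaded channel among the neighbours: minimise, not avoid, CCI
            plan[ap] = min(NON_OVERLAPPING,
                           key=lambda c: sum(plan.get(n) == c for n in adjacency[ap]))
    return plan, unresolved


# Constructed floor: four APs, AP4 was set to channel 3 "to avoid the crowd"
FLOOR_APS = {"AP1": 1, "AP2": 6, "AP3": 11, "AP4": 3}
FLOOR_NEIGHBORS = [("AP1", "AP2"), ("AP2", "AP3"), ("AP1", "AP4"), ("AP2", "AP4")]

if __name__ == "__main__":
    print(find_conflicts(FLOOR_APS, FLOOR_NEIGHBORS))
    plan, unresolved = plan_channels(FLOOR_APS, FLOOR_NEIGHBORS)
    print(plan, unresolved, find_conflicts(plan, FLOOR_NEIGHBORS))
```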

See: Frequency Channels Explained | 802.11 Standards — Band Comparison | RF Channel & Power Planning

5. AP Security Features

  • WPA2/WPA3 Encryption: WPA2 uses AES-CCMP (128-bit). WPA3 adds SAE (Simultaneous Authentication of Equals) which eliminates offline dictionary attacks. Wi-Fi 6 (802.11ax) mandates WPA3. See Wi-Fi Security.
  • 802.1X / EAP (Enterprise Authentication): Clients authenticate to a RADIUS server before gaining network access. Each user gets individual credentials — no shared PSK. Required for WPA2/WPA3-Enterprise. See AAA Authentication Methods and 802.1X Port Authentication.
  • Client Isolation: Prevents wireless devices connected to the same SSID from communicating directly with each other — essential for guest networks and public Wi-Fi.
  • MAC Filtering: Permits or denies clients based on MAC address. Provides minimal security as MAC addresses can be spoofed — should not be the only control.
  • Rogue AP Detection: WLC continuously monitors for unauthorized APs impersonating legitimate SSIDs. Can trigger automatic containment.
  • Management Frame Protection (MFP): Protects 802.11 management frames (probe, auth, association) from spoofing and denial-of-service attacks.

See: Wi-Fi Security | WPA2 vs WPA3 Deep Dive | RADIUS Authentication | 802.1X Port Authentication

6. Power over Ethernet (PoE) for APs

Most enterprise APs are powered via Power over Ethernet (PoE) — they receive both data and electrical power through a single Ethernet cable from a PoE-capable switch. This eliminates the need for separate power outlets at every AP location, which is critical for ceiling and wall-mounted installations in large buildings.

| PoE Standard | IEEE Standard | Max Power | Typical Use |
|---|---|---|---|
| PoE | 802.3af | 15.4W per port | Basic APs, IP phones, cameras |
| PoE+ | 802.3at | 30W per port | Dual-radio APs, video phones, PTZ cameras |
| PoE++ | 802.3bt | 60–90W per port | Wi-Fi 6 tri-radio APs, laptops, digital signage |

Design note: Wi-Fi 6 APs with multiple radios and integrated IoT modules often require PoE+ (802.3at) or PoE++ (802.3bt). Verify the AP's power requirement before deploying to ensure the PoE switch port can supply sufficient wattage.

7. What Is a Wireless LAN Controller (WLC)?

A Wireless LAN Controller (WLC) is a centralized platform — hardware appliance or virtual instance — that manages, configures, and monitors multiple lightweight APs in medium-to-large wireless deployments. Rather than configuring each AP individually, the network admin configures the WLC once and it pushes all settings to every AP simultaneously. See WLC Getting Started for the initial setup lab.

  • Centralized provisioning: Push SSID, security, VLAN, and RF settings to hundreds of APs from a single interface.
  • Firmware management: Upgrade all APs automatically when a new WLC firmware is loaded.
  • Security enforcement: WPA2/3, 802.1X, rogue AP detection, and MFP applied globally.
  • Seamless roaming: WLC coordinates client handoffs between APs, maintaining sessions and re-keying security credentials transparently.
  • RF management: Auto channel assignment and transmit power control (RRM — Radio Resource Management) to optimize coverage and minimize interference. See RF Channel & Power Planning.
  • Monitoring and reporting: Centralized dashboard showing AP health, client counts, RSSI, channel utilization, and security alerts. Events forwarded to syslog.

Cisco WLC Hardware Examples

| WLC Model | Form Factor | AP Capacity | Typical Use |
|---|---|---|---|
| Cisco 3504 WLC | Hardware appliance | Up to 150 APs | Small-medium enterprise |
| Cisco 5520 WLC | Hardware appliance | Up to 1,500 APs | Large enterprise / campus |
| Cisco 8540 WLC | Hardware appliance | Up to 6,000 APs | Very large enterprise / service provider |
| Cisco vWLC | Virtual machine | Up to 200 APs | Virtual / cloud deployments |
| Cisco Catalyst 9800 | Hardware or virtual | Up to 6,000 APs | Modern enterprise — IOS-XE based, current platform |

8. CAPWAP — The AP-to-WLC Protocol

CAPWAP (Control and Provisioning of Wireless Access Points — RFC 5415) is the protocol that creates a secure tunnel between each lightweight AP and its WLC. It carries both control traffic (configuration, management commands) and data traffic (client frames, depending on mode). Both of its UDP ports, 5246 and 5247, must be permitted through any ACL or firewall between the AP and WLC.

| CAPWAP Channel | UDP Port | Purpose |
|---|---|---|
| Control channel | UDP 5246 | AP-WLC management: config push, firmware, keepalives, commands — DTLS encrypted |
| Data channel | UDP 5247 | Client data frames tunneled from AP to WLC (Local mode) — optionally DTLS encrypted |

CAPWAP Tunnel — What Flows Where

  Wireless Client
       │  (802.11 frames)
       ▼
  ┌──────────────┐     CAPWAP Tunnel (UDP 5246/5247)     ┌──────────────┐
  │  Lightweight │◀─────────────────────────────────────▶│     WLC      │
  │      AP      │  Control: config, firmware, RRM       │              │
  │              │  Data: client frames (Local mode)     │  Switches    │
  └──────────────┘                                       │  client      │
                                                         │  traffic to  │
                                                         │  wired LAN   │
                                                         └──────────────┘

DTLS encryption: The CAPWAP control channel is always DTLS-encrypted. The data channel is optionally encrypted — enabling DTLS on the data channel adds security but increases CPU load on both the AP and WLC. In Local mode, all client data travels through this encrypted tunnel.
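The ACL requirement above is easy to get half right, so here is an added Python check (not from the page or any Cisco tool) that evaluates a Cisco IOS-style extended ACL with first-match semantics and reports which CAPWAP channel an AP could not open. It reuses the page's AP subnet 10.10.10.0/24 and WLC 10.10.10.100; the sample ACL entries and the AP address 10.10.10.50 are constructed.

```python
"""First-match evaluation of a Cisco IOS-style extended ACL against the two
CAPWAP flows a lightweight AP needs (UDP 5246 control, UDP 5247 data).
Added example, not from the page: the AP subnet 10.10.10.0/24 and WLC address
10.10.10.100 reuse the page's DHCP pool values; the sample ACL is constructed.
Supported syntax: any | host A.B.C.D | A.B.C.D WILDCARD, optional 'eq N' or
'range N M' after either address, optional leading sequence numbers, '!' comments."""
import ipaddress

CAPWAP_PORTS = {"control": 5246, "data": 5247}


def _parse_addr(tok, i):
    """Consume an address spec at tok[i]; return (match_fn, next_index)."""
    if tok[i] == "any":
        return (lambda ip: True), i + 1
    if tok[i] == "host":
        host = ipaddress.IPv4Address(tok[i + 1])
        return (lambda ip, h=host: ip == h), i + 2
    base = int(ipaddress.IPv4Address(tok[i]))
    wild = int(ipaddress.IPv4Address(tok[i + 1]))
    # IOS wildcard mask: 1 bits are "don't care", so only the 0 bits must match
    return (lambda ip, b=base, w=wild: (int(ip) | w) == (b | w)), i + 2


def _parse_port(tok, i):
    """Consume an optional port spec at tok[i]; return (lo, hi, next_index)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), int(tok[i + 1]), i + 2
    if i < len(tok) and tok[i] == "range":
        return int(tok[i + 1]), int(tok[i + 2]), i + 3
    return 0, 65535, i


def parse_ace(line):
    """Parse one access control entry; return None for comment or blank lines."""
    tok = line.split()
    if not tok or tok[0].startswith("!"):
        return None
    if tok[0].isdigit():          # optional sequence number
        tok = tok[1:]
    action, proto = tok[0], tok[1]
    src, i = _parse_addr(tok, 2)
    slo, shi, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dlo, dhi, _ = _parse_port(tok, i)
    return {"action": action, "proto": proto, "src": src, "sport": (slo, shi),
            "dst": dst, "dport": (dlo, dhi)}


def acl_permits(acl_lines, proto, src_ip, dst_ip, dst_port, src_port=None):
    """True if the first matching ACE permits the flow; implicit deny when none matches.
    src_port=None leaves the AP's source port unconstrained."""
    src_ip, dst_ip = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in filter(None, map(parse_ace, acl_lines)):
        if ace["proto"] not in (proto, "ip"):
            continue
        if not (ace["src"](src_ip) and ace["dst"](dst_ip)):
            continue
        if src_port is not None and not ace["sport"][0] <= src_port <= ace["sport"][1]:
            continue
        if not ace["dport"][0] <= dst_port <= ace["dport"][1]:
            continue
        return ace["action"] == "permit"
    return False


def capwap_gaps(acl_lines, ap_ip, wlc_ip):
    """Name every CAPWAP channel the ACL would block from ap_ip to wlc_ip."""
    return [f"UDP {port} ({name} channel) blocked from {ap_ip} to {wlc_ip}"
            for name, port in CAPWAP_PORTS.items()
            if not acl_permits(acl_lines, "udp", ap_ip, wlc_ip, port)]


# Constructed sample: a firewall ACL between the AP VLAN and the WLC that forgot the data channel
SAMPLE_ACL = [
    "! AP management VLAN -> WLC (constructed example)",
    "10 permit udp 10.10.10.0 0.0.0.255 host 10.10.10.100 eq 5246",
    "20 permit tcp 10.10.10.0 0.0.0.255 host 10.10.10.100 eq 22",
    "30 deny ip any any",
]
FIXED_ACL = SAMPLE_ACL[:2] + ["15 permit udp 10.10.10.0 0.0.0.255 host 10.10.10.100 eq 5247"] + SAMPLE_ACL[2:]

if __name__ == "__main__":
    print(capwap_gaps(SAMPLE_ACL, "10.10.10.50", "10.10.10.100"))  # data channel blocked
    print(capwap_gaps(FIXED_ACL, "10.10.10.50", "10.10.10.100"))   # []
```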

CAPWAP vs LWAPP

CAPWAP replaced the older Cisco-proprietary LWAPP (Lightweight Access Point Protocol) as the industry-standard successor. CAPWAP is an IETF open standard (RFC 5415); LWAPP was Cisco-only. All modern Cisco APs and WLCs use CAPWAP.

9. WLC Deployment Modes

| Mode | Data Forwarding | WAN Dependency | Best For |
|---|---|---|---|
| Local Mode | All client traffic tunneled to WLC via CAPWAP — centrally switched at the WLC | High — AP cannot forward client traffic if WAN/WLC link fails | Campus, headquarters, data center-connected sites |
| FlexConnect | Client traffic locally switched at the AP. Control still via WLC. Survives WAN outage for configured SSIDs. See FlexConnect AP Configuration. | Low — AP continues operating locally if WLC is unreachable | Remote branches, retail, WAN-connected sites |
| Mobility Express | One master AP acts as both controller and AP. Other APs join it as lightweight APs. | None — self-contained, no external WLC needed | Small offices, retail locations, SMB |
| Fabric / SD-Access | AP integrated into Cisco DNA Center fabric. Traffic uses VXLAN overlays. | Moderate — fabric controller provides management | Modern enterprise software-defined networks |

Local Mode vs FlexConnect — Key Differences

  LOCAL MODE                          FLEXCONNECT MODE
  ┌──────────┐                        ┌──────────┐
  │  Client  │                        │  Client  │
  └────┬─────┘                        └────┬─────┘
       │ 802.11                            │ 802.11
       ▼                                   ▼
  ┌──────────┐                        ┌──────────┐
  │    AP    │                        │    AP    │
  │  (Local) │                        │  (Flex)  │
  └────┬─────┘                        └────┬─────┘
       │ CAPWAP data tunnel                │ Local switching:
       │ (all client frames                │ client frames go onto
       │  sent to WLC)                     │ the branch LAN
       ▼                                   │
  ┌──────────┐                             │ Only control/mgmt
  │   WLC    │◀────────────────────────────┘ traffic via CAPWAP
  │          │
  └──────────┘

FlexConnect exam tip: In FlexConnect mode, if the WAN link to the WLC goes down, APs in "standalone mode" continue to authenticate clients locally and switch traffic — but only for SSIDs pre-configured to survive the outage. New policy changes cannot be pushed until the WLC is reachable again.

See: FlexConnect AP Configuration (Step-by-Step)

10. AP Discovery and Join Process

When a lightweight AP first boots, it has no WLC configuration. It must discover and join a WLC before it can serve any wireless clients. This process happens automatically through several discovery mechanisms, tried in order:

  1. Previously joined WLC (NVRAM): The AP stores the last WLC it joined. On reboot it tries this address first.
  2. DHCP Option 43: The DHCP server includes the WLC's IP address in Option 43. This is the most common and reliable method in production. See DHCP Server Configuration.
  3. DNS lookup: AP queries DNS for CISCO-CAPWAP-CONTROLLER.<local-domain> — the resolved IP is the WLC address.
  4. Local subnet broadcast: AP broadcasts a CAPWAP discovery request on the local subnet. Works only if the WLC is on the same Layer 2 segment.
  5. Cisco WLC over IP: Multicast discovery (if configured).

DHCP Option 43 Configuration (Cisco IOS DHCP Server)

ip dhcp pool AP-MGMT
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.1.1.10
 ! f1 = type, 04 = length (4 bytes), 0a0a.0a64 = 10.10.10.100 (WLC IP); IOS takes the hex string in dotted groups of four
 option 43 hex f104.0a0a.0a64

See DHCP Server Configuration for the full DHCP pool and Option 43 setup, and DHCP Relay if the AP and WLC are on different subnets.
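The Option 43 value is a TLV: type f1, a one-byte length, then four bytes per WLC address. The following added Python (not from the page) encodes one or more WLC addresses into the dotted-hex form IOS accepts and decodes a value back, rejecting the malformed values that leave an AP unable to find its controller, which is the "Verify Option 43 hex value" check from the troubleshooting section; the hands-on lab in section 13 reuses the same value. The second controller 10.10.10.101 is a constructed address.

```python
"""Build and validate the Cisco WLC sub-option carried in DHCP Option 43.
Added example, not from the page. The TLV layout (type 0xF1, one length byte,
then 4 bytes per WLC IPv4 address) and the WLC address 10.10.10.100 come from
the pool above; the second controller 10.10.10.101 is a constructed value."""
import ipaddress

WLC_TLV_TYPE = 0xF1  # vendor-specific sub-option type Cisco lightweight APs look for


def encode_option43(wlc_ips):
    """Return the raw Option 43 payload for one or more WLC IPv4 addresses."""
    if not wlc_ips:
        raise ValueError("at least one WLC address is required")
    value = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(value) > 255:
        raise ValueError("too many addresses for a one-byte TLV length")
    return bytes([WLC_TLV_TYPE, len(value)]) + value


def to_ios_hex(payload):
    """Render bytes as the dotted hex IOS expects after 'option 43 hex' (groups of four)."""
    digits = payload.hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def decode_option43(hex_value):
    """Parse an Option 43 hex value (dotted or not) back into WLC addresses.

    Raises ValueError for the mistakes that leave an AP unable to find its WLC:
    a wrong type byte, a length byte that disagrees with the value, or a value
    that is not a whole number of IPv4 addresses."""
    raw = bytes.fromhex(hex_value.replace(".", ""))
    if len(raw) < 2:
        raise ValueError("too short to contain a TLV header")
    tlv_type, length, value = raw[0], raw[1], raw[2:]
    if tlv_type != WLC_TLV_TYPE:
        raise ValueError(f"type byte is 0x{tlv_type:02x}, expected 0xf1")
    if length != len(value):
        raise ValueError(f"length byte {length} does not match {len(value)} value bytes")
    if length == 0 or length % 4:
        raise ValueError("value must be one or more 4-byte IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def ios_pool_lines(pool_name, wlc_ips):
    """Produce the 'option 43 hex' line to paste into an IOS DHCP pool."""
    return [f"ip dhcp pool {pool_name}",
            f" option 43 hex {to_ios_hex(encode_option43(wlc_ips))}"]


if __name__ == "__main__":
    print("\n".join(ios_pool_lines("AP-MGMT", ["10.10.10.100"])))
    print(decode_option43("f104.0a0a.0a64"))
    # Two controllers for redundancy (10.10.10.101 is a constructed value)
    print(to_ios_hex(encode_option43(["10.10.10.100", "10.10.10.101"])))
```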

CAPWAP Join Sequence — Step by Step

  1. AP powers on and obtains IP address via DHCP (including Option 43 if configured).
  2. AP sends CAPWAP Discovery Request to WLC IP (unicast) or broadcast.
  3. WLC responds with CAPWAP Discovery Response.
  4. AP and WLC perform DTLS handshake — mutual certificate-based authentication.
  5. AP sends CAPWAP Join Request; WLC accepts and sends Join Response.
  6. WLC pushes configuration: SSID, VLAN, security policies, radio settings, firmware.
  7. AP downloads firmware image if its version differs from the WLC's expected version (may reboot).
  8. AP sends CAPWAP Configuration Status Request; WLC confirms with Configuration Status Response.
  9. AP comes online — CAPWAP keepalives maintain the tunnel. AP begins serving wireless clients.

  AP Boots
     │
     ▼
  Get IP via DHCP (Option 43 → WLC IP)
     │
     ▼
  CAPWAP Discovery Request → WLC
     │
     ▼
  DTLS Handshake (certificate authentication)
     │
     ▼
  CAPWAP Join Request / Join Response
     │
     ▼
  WLC pushes config + firmware (AP may reboot)
     │
     ▼
  AP Registered — Serving Clients ✅

11. SSID, VLAN, and AP Group Configuration

In a WLC-managed network, SSIDs are mapped to VLANs to segment different types of traffic. For example, a corporate SSID might map to VLAN 10 (employee network) while a guest SSID maps to VLAN 99 (internet-only). The WLC pushes these mappings to all APs centrally. See WLC SSID-VLAN Mapping for the step-by-step lab.

Typical Enterprise SSID Architecture

  ┌─────────────────────────────────────────────────────┐
  │               WLC — SSID to VLAN Mapping            │
  │                                                     │
  │  SSID: "Corp-WiFi"   → VLAN 10  (employees)        │
  │  SSID: "Guest-WiFi"  → VLAN 99  (internet only)    │
  │  SSID: "IoT-Devices" → VLAN 50  (IoT segment)      │
  │                                                     │
  │  All APs broadcast all three SSIDs simultaneously   │
  │  Traffic tagged to correct VLAN at the AP trunk port│
  └─────────────────────────────────────────────────────┘
            

AP Groups

AP Groups allow you to assign different SSIDs and VLAN mappings to subsets of APs. For example, APs in the warehouse might only broadcast the IoT SSID, while APs in the office broadcast all three.

  • Default AP group: All APs that have not been assigned to a custom group.
  • Custom AP groups: Subset of APs with their own SSID-to-VLAN mapping overrides.
  • Configured on WLC: Wireless → AP Groups → Create, then assign APs and WLANs.
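An SSID-to-VLAN map only delivers addresses if the same VLAN is allowed on the trunk that switches the client traffic and has an SVI that relays DHCP, which is the "clients connect but get no IP" row in the troubleshooting section. The added Python below (not from the page or the WLC) cross-checks section 11's SSIDs and AP groups against a constructed switch configuration whose trunk descriptions name the AP group they serve.

```python
"""Cross-check a WLC's SSID-to-VLAN map against the trunk that carries those VLANs
and the SVIs that relay DHCP for them, catching "clients connect but get no IP"
before users do.  Added example, not from the page: the SSIDs, VLANs and AP groups
are the ones in section 11; the switch configuration below is constructed."""
import re

SSID_TO_VLAN = {"Corp-WiFi": 10, "Guest-WiFi": 99, "IoT-Devices": 50}

# AP group -> WLANs it broadcasts (the warehouse only carries the IoT SSID)
AP_GROUPS = {
    "default-group": ["Corp-WiFi", "Guest-WiFi", "IoT-Devices"],
    "Warehouse": ["IoT-Devices"],
}

# Constructed switch config: VLAN 99 has an SVI but no DHCP relay, and the
# default-group trunk does not carry VLAN 99 at all.
SWITCH_CONFIG = """\
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
 ip helper-address 10.1.1.20
interface Vlan50
 ip address 10.10.5.1 255.255.255.0
 ip helper-address 10.1.1.20
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
interface GigabitEthernet1/0/1
 description trunk carrying client VLANs for default-group
 switchport trunk allowed vlan 10,50
interface GigabitEthernet1/0/2
 description trunk carrying client VLANs for Warehouse
 switchport trunk allowed vlan 50
"""


def parse_vlan_list(spec):
    """Expand a 'switchport trunk allowed vlan' list such as '10,50-52,99' into a set."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_switch_config(config):
    """Return ({vlan: [helper ips]} from SVIs, {description: allowed vlans} from trunks)."""
    helpers, trunks, svi, desc = {}, {}, None, None
    for line in config.splitlines():
        m = re.match(r"interface Vlan(\d+)$", line.strip())
        if m:
            svi, desc = int(m.group(1)), None
            helpers.setdefault(svi, [])
            continue
        if line.startswith("interface "):
            svi, desc = None, None
            continue
        s = line.strip()
        if svi is not None and s.startswith("ip helper-address "):
            helpers[svi].append(s.split()[2])
        elif s.startswith("description "):
            desc = s[len("description "):]
        elif s.startswith("switchport trunk allowed vlan ") and desc:
            trunks[desc] = parse_vlan_list(s.split()[-1])
    return helpers, trunks


def check_wlan_vlans(ssid_to_vlan, ap_groups, trunk_allowed, helpers):
    """One finding per WLAN/AP-group combination whose VLAN cannot deliver an address.
    trunk_allowed maps AP group -> VLANs allowed on the trunk that switches its clients."""
    findings = []
    for group, wlans in ap_groups.items():
        allowed = trunk_allowed.get(group, set())
        for wlan in wlans:
            vlan = ssid_to_vlan.get(wlan)
            if vlan is None:
                findings.append(f"{group}/{wlan}: no VLAN mapped on the WLC")
                continue
            if vlan not in allowed:
                findings.append(f"{group}/{wlan}: VLAN {vlan} is not allowed on the trunk")
            if vlan not in helpers:
                findings.append(f"{group}/{wlan}: VLAN {vlan} has no SVI (no gateway, no relay)")
            elif not helpers[vlan]:
                findings.append(f"{group}/{wlan}: VLAN {vlan} SVI has no ip helper-address "
                                "(clients get no IP unless a DHCP server sits on that VLAN)")
    return findings


def audit(config=SWITCH_CONFIG):
    """Run the full check against a switch config; trunk descriptions name the AP group."""
    helpers, trunks = parse_switch_config(config)
    trunk_allowed = {group: vlans for d, vlans in trunks.items()
                     for group in AP_GROUPS if d.endswith(group)}
    return check_wlan_vlans(SSID_TO_VLAN, AP_GROUPS, trunk_allowed, helpers)


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```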

See: WLC SSID-VLAN Mapping (Step-by-Step) | Guest WLAN & Web Authentication

12. Roaming and Mobility

Roaming occurs when a wireless client moves from one AP to another while maintaining an active connection. The WLC plays a central role in coordinating this seamlessly.

Intra-Controller Roaming (Layer 2)

Both the old and new AP are managed by the same WLC. When the client roams:

  • Client re-associates with the new AP.
  • WLC updates its internal client database — same IP address retained.
  • Traffic immediately flows through the new AP's CAPWAP tunnel.
  • Roaming is transparent and nearly instantaneous (<50 ms with 802.11r).

Inter-Controller Roaming

Client moves between APs managed by different WLCs. WLCs must be in the same Mobility Group and have a mobility tunnel established between them to exchange client state information.

Fast Roaming Protocols (802.11r/k/v)

| Protocol | Function | Benefit |
|---|---|---|
| 802.11r (FT) | Fast BSS Transition — pre-negotiates security keys with the target AP before roaming | Reduces roam time to <50 ms; critical for VoIP and real-time apps |
| 802.11k | Radio Resource Management — AP provides neighbor AP list to clients | Client makes faster, smarter roaming decisions without full scan |
| 802.11v | BSS Transition Management — AP proactively steers clients to better APs | Load balancing; moves sticky clients off congested APs |

Best practice: Enable all three (802.11k/r/v) together on modern WLC deployments — Cisco calls this combination Optimized Roaming. Standard roaming without these takes 50–300 ms; with 802.11r it drops below 50 ms — the difference between a dropped VoIP call and a seamless handoff.

See: 802.11 Roaming Protocols — Deep Dive

13. Hands-On: Adding an AP to a Cisco WLC

  1. Connect and power the AP:
    Connect the AP to an access switch port in the correct VLAN. Use a PoE or PoE+ switch port, and verify that the port can supply enough wattage for the AP model.
  2. Configure the DHCP scope with Option 43:
    ip dhcp pool AP-MGMT
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 10.1.1.10
     ! WLC IP 10.10.10.100: type f1, length 04, value 0a0a.0a64 (IOS takes the hex in dotted groups of four)
     option 43 hex f104.0a0a.0a64
    See DHCP Server Configuration for the full setup.
  3. AP discovers and joins WLC:
    The AP obtains an IP via DHCP, reads Option 43, and sends a CAPWAP discovery request to the WLC. The DTLS handshake completes and the WLC pushes firmware and configuration. The AP may reboot if a firmware update is needed.
  4. Verify that the AP joined successfully:
    ! WLC CLI
    (Cisco Controller) >show ap summary
    Number of APs: 3
    AP Name          Slots  AP Model     Ethernet MAC       Location   Port  Country
    --------------------------------------------------------------------------------
    Engineering_AP1  2      AIR-AP2802I  a4:c3:f0:11:22:33  Floor-2    1     US
    Reception_AP1    2      AIR-AP2802I  a4:c3:f0:44:55:66  Lobby      1     US
    Warehouse_AP1    2      AIR-AP3802I  a4:c3:f0:77:88:99  WH-North   1     US
  5. Rename the AP for identification. The syntax is config ap name <new-name> <current-name>; a freshly joined AP carries a factory name derived from its Ethernet MAC, shown here as a constructed example:
    (Cisco Controller) >config ap name Engineering_AP1 APa4c3.f011.2233
  6. Assign the AP to an AP group and configure SSID mapping:
    WLC GUI: Wireless → AP Groups → [Group Name] → APs → Add AP
    Then: WLANs → WLAN Interfaces → Map SSID to VLAN interface
  7. Verify AP radio and client status:
    (Cisco Controller) >show ap config general Engineering_AP1
    (Cisco Controller) >show client summary

See: WLC Getting Started | Autonomous AP Configuration

14. WLC Integration with Other Network Services

  • RADIUS/AAA: WLC acts as a RADIUS client — forwards 802.1X client credentials to the RADIUS server (Cisco ISE, FreeRADIUS, Microsoft NPS). Server returns ACCEPT/REJECT + VLAN assignment. See: RADIUS Authentication | AAA Authentication Methods | AAA RADIUS Configuration
  • DHCP: The WLC can act as a DHCP relay agent or internal DHCP server for wireless clients. In large deployments, dedicated DHCP servers (or Cisco ISE) handle IP assignment. See: DHCP Relay | DHCP Server Configuration
  • DNS: Wireless clients receive DNS server addresses via DHCP. The WLC itself uses DNS for WLC-to-WLC communication and AP discovery fallback.
  • Syslog: WLC sends AP events, client associations, authentication failures, and rogue AP alerts to a central syslog server for monitoring. See: show logging | Syslog Configuration
  • NTP: WLC and APs must have synchronized time for certificate validation, logging accuracy, and 802.1X EAP authentication. See: NTP Synchronisation | NTP Configuration
  • SNMP: WLC exposes SNMP MIBs for integration with network management systems (NMS). Enables centralized monitoring from platforms like Cisco Prime or SolarWinds. See: SNMP v2c/v3 Configuration

15. Troubleshooting Common AP/WLC Issues

| Issue | Likely Cause | Diagnostic Steps & Solution |
|---|---|---|
| AP doesn't get an IP address | DHCP pool exhausted; wrong VLAN on switch port; cable or PoE issue | Check show ip dhcp binding; verify switch port VLAN with show interfaces switchport; check cable and PoE switch port status |
| AP can't find WLC | Option 43 misconfigured or missing; DNS not resolving CAPWAP hostname; WLC unreachable via routing | Verify Option 43 hex value; test ping <WLC-IP> from AP subnet; check routing between AP management VLAN and WLC. See DHCP Server Configuration. |
| CAPWAP tunnel fails to establish | UDP 5246/5247 blocked by ACL or firewall; certificate mismatch; time sync issue | Allow UDP 5246/5247 between AP and WLC; verify NTP is synchronized; check certificate trust on both AP and WLC. See NTP Configuration. |
| AP stuck in "Downloading" state | Firmware version mismatch — AP is downloading image from WLC | Wait for download to complete (may take 3–10 minutes); check network stability; verify CAPWAP data channel is not blocked |
| AP shows "Associated" but not "Registered" | WLC license limit reached; AP count exceeds WLC capacity | Check show license on WLC; verify AP count against licensed capacity; add AP license if needed |
| Clients connect but get no IP | SSID-to-VLAN mapping incorrect; DHCP server not reachable for that VLAN; DHCP relay not configured | Verify WLAN interface mapping on WLC; check DHCP relay (ip helper-address) on the SVI for the client VLAN. See DHCP Server Configuration. |
| Poor wireless performance / slow speeds | Co-channel interference; too many clients per AP; mixed-mode legacy clients; transmit power too high causing CCI | Review channel assignments; enable RRM auto-RF; check for 802.11b clients; reduce transmit power if APs are too close together. See RF Channel & Power Planning. |

Key WLC Verification Commands

| Command | What It Shows |
|---|---|
| show ap summary | All joined APs, model, MAC, location, status |
| show ap join stats summary all | CAPWAP join statistics for all APs — useful for diagnosing join failures |
| show wlan summary | All configured WLANs (SSIDs), their IDs, status, and security |
| show client summary | All currently associated wireless clients and their AP, VLAN, IP |
| show client detail <MAC> | Detailed info for a specific client: auth state, RSSI, data rate, VLAN |
| show ap config general <AP-name> | Detailed config for a specific AP: mode, group, radio settings, uptime |
| debug capwap ap <MAC> events | Real-time CAPWAP events for a specific AP — join attempts, keepalives |

See: Troubleshooting Wireless Connectivity (Step-by-Step)

16. Common Misconceptions About APs and WLCs

  • "A lightweight AP can still forward client traffic if the WLC goes down (Local mode)."
    In Local mode, lightweight APs tunnel all client data to the WLC. If the CAPWAP tunnel drops, the AP stops forwarding client traffic entirely. Only FlexConnect APs can continue local switching during a WLC outage. See FlexConnect AP Configuration.
  • "CAPWAP tunnels all traffic including management and data on the same port."
    CAPWAP uses two separate UDP ports: 5246 for the control/management channel and 5247 for the data channel. Both must be permitted through any ACL or firewall between the AP and WLC.
  • "Disabling SSID broadcast makes the network secure."
    Hiding the SSID provides almost no security. Client devices still broadcast probe requests for hidden SSIDs, revealing the network name. Any attacker with a wireless scanner can discover it in seconds. Use WPA3 and 802.1X instead.
  • "More APs always means better Wi-Fi."
    Adding too many APs in a small area causes co-channel interference (CCI) — APs on the same channel interfere with each other, degrading performance. AP placement and transmit power tuning are more important than raw AP count. See RF Channel & Power Planning.
  • "WLC manages all AP functionality including the physical radio."
    The WLC manages the control plane (configuration, policy, SSID, security). The AP's radio hardware (transmitting and receiving 802.11 frames) operates locally on the AP — this is the data plane. Even in Local mode, 802.11 frames are processed by the AP's radio before being encapsulated in CAPWAP.

17. Key Points & Exam Tips

  • APs bridge wireless clients to the wired LAN at Layer 2. They do not route traffic. See Wireless LAN Overview.
  • Lightweight APs require a WLC and use CAPWAP (UDP 5246 control / 5247 data) for all communication. Both ports must be allowed in any ACL or firewall between AP and WLC.
  • Autonomous APs are standalone — configured individually, no WLC needed, suited for small deployments. See Lightweight vs Autonomous APs.
  • In Local mode, all client traffic is tunneled to the WLC. In FlexConnect, client traffic is switched locally at the AP — AP survives WLC outage.
  • AP discovery order: NVRAM → DHCP Option 43 → DNS → local broadcast. Configure Option 43 via DHCP Server Configuration.
  • DHCP Option 43 carries the WLC IP address — must be configured in hex format on Cisco IOS DHCP servers.
  • Only 3 non-overlapping channels in 2.4 GHz: 1, 6, and 11. See Frequency Channels.
  • 802.11r reduces roam time to <50 ms. Deploy with 802.11k and 802.11v for full Optimized Roaming. See 802.11 Standards.
  • PoE (802.3af = 15.4W), PoE+ (802.3at = 30W), PoE++ (802.3bt = 60–90W) — match PoE standard to AP power requirement.
  • CAPWAP replaced LWAPP. CAPWAP is an IETF standard (RFC 5415); LWAPP was Cisco-proprietary.
  • WLC integrates with NTP, syslog, SNMP, RADIUS, and DHCP relay for full enterprise management.
  • Use WPA3 and 802.1X/AAA for enterprise wireless security. See WPA/WPA2/WPA3.

Related pages: 802.11 Wi-Fi Standards | Lightweight vs Autonomous APs | Frequency Channels | Wi-Fi Security | RADIUS Authentication | WLC Getting Started | WLC SSID-VLAN Mapping | FlexConnect AP Configuration | Autonomous AP Configuration | Guest WLAN & Web Auth | RF Channel & Power Planning | Wireless Troubleshooting

18. Access Points & WLC Quiz

1. A branch office has a FlexConnect AP with three SSIDs configured. The WAN link to the WLC goes down. What happens to wireless clients connected to those SSIDs?

Correct answer is B. FlexConnect APs are specifically designed for branch/remote sites. When the WAN link (and CAPWAP tunnel) to the WLC fails, the AP enters standalone mode and continues locally switching client traffic for SSIDs configured to survive the outage. This is the core advantage of FlexConnect over Local mode, where a WLC outage would immediately stop all client data forwarding. See FlexConnect AP Configuration.

2. A network admin configures DHCP Option 43 so that newly deployed APs can automatically find the WLC. Which protocol and port does the AP use to establish the management tunnel after discovering the WLC?

Correct answer is D. After discovering the WLC via DHCP Option 43, the AP establishes a CAPWAP (Control and Provisioning of Wireless Access Points) tunnel. The CAPWAP control channel uses UDP port 5246 and is always DTLS-encrypted. The data channel uses UDP port 5247. LWAPP was the older Cisco-proprietary predecessor to CAPWAP and is no longer used in modern deployments. Ensure UDP 5246/5247 are permitted in any ACL between the AP and WLC.

3. An AP is placed in Monitor mode on the WLC. What is the primary effect on wireless clients?

Correct answer is C. In Monitor mode, the AP's radios are entirely dedicated to passively scanning all channels for rogue APs, interference sources, and security threats. The AP does not associate or serve any wireless clients. It is a dedicated WIDS/WIPS sensor that sends all collected data to the WLC for analysis and alerting. Events are forwarded to syslog for persistent monitoring.

4. A new Wi-Fi 6 AP requires 25.5W to power all its radios. Which PoE standard must the switch port support?

Correct answer is A. The AP requires 25.5W, which exceeds the maximum 15.4W provided by standard PoE (802.3af). PoE+ (802.3at) provides up to 30W per port — sufficient for this AP. PoE++ (802.3bt) at 60–90W would also work but is overkill. Deploying this AP on an 802.3af-only port would result in the AP operating at reduced capacity or not powering on at all.

5. What is the correct order of AP discovery methods a lightweight AP attempts when first booting, from first to last?

Correct answer is C. Lightweight APs attempt WLC discovery in this order: (1) Previously joined WLC stored in NVRAM, (2) DHCP Option 43 received from the DHCP server, (3) DNS lookup for CISCO-CAPWAP-CONTROLLER.<domain>, (4) Local subnet broadcast. A first-time AP has no NVRAM entry, so it proceeds directly to Option 43. DHCP Option 43 is the most commonly used production method. See DHCP Server Configuration.

6. In Local mode, a WLC manages 50 APs and one of the APs loses its CAPWAP tunnel due to a network fault. What immediately happens to clients associated with that AP?

Correct answer is D. In Local mode, lightweight APs encapsulate all client data frames in CAPWAP and forward them to the WLC for centralized switching. If the CAPWAP tunnel is lost, there is no local forwarding path — the AP cannot forward any client traffic. This is a fundamental limitation of Local mode and the primary reason FlexConnect exists for remote/branch sites. See FlexConnect AP Configuration.

7. Which 802.11 roaming protocol allows the WLC to proactively steer a client that is "sticking" to a distant, congested AP toward a closer, less loaded one?

Correct answer is B. 802.11v (BSS Transition Management) allows the AP/WLC to send a BSS Transition Management Request to a client — essentially suggesting or directing it to roam to a better AP. This is the mechanism used for load balancing and steering sticky clients. 802.11k helps clients discover neighbor APs quickly; 802.11r speeds up the actual security re-authentication during the roam. See 802.11 Standards for the full roaming protocol comparison.

8. An engineer runs show ap summary on the WLC and sees an AP in "Downloading" state for 15 minutes. What is the most likely cause and correct action?

Correct answer is C. When an AP joins the WLC for the first time, or after a WLC firmware upgrade, the AP's image may not match the WLC's expected version. The WLC automatically pushes the correct firmware to the AP — this download takes several minutes depending on image size and network speed. After downloading, the AP reboots and rejoins the WLC. "Downloading" is expected and normal — not an error state. Monitor progress with show logging on the WLC.

9. A campus Wi-Fi deployment has multiple WLCs in a Mobility Group. A student walks from Building A (AP on WLC-1) to Building B (AP on WLC-2) without losing their VoIP call. What enables this seamless experience?

Correct answer is A. When multiple WLCs are configured in the same Mobility Group, they establish mobility tunnels between each other. During inter-controller roaming, the new WLC (WLC-2) contacts the original WLC (WLC-1) and obtains the client's complete session state — IP address, security keys, QoS policies. The client retains its original IP address and active session, making the roam transparent to the VoIP call. See 802.11 Standards for 802.11r roaming details.

10. A security administrator wants to prevent wireless clients on the Guest SSID from accessing the internal corporate LAN while still providing internet access. Which combination of features achieves this?

Correct answer is D. Proper guest network isolation requires: (1) A dedicated VLAN for guest clients — separates Layer 2 from the corporate network, (2) Client isolation — prevents guests from communicating with each other on the same AP, (3) Firewall/ACL rules on the guest VLAN's gateway that permit only internet-bound traffic and block access to corporate subnets. MAC filtering is easily bypassed, hiding the SSID provides no real security, and placing guests on the same VLAN as employees defeats the entire purpose of isolation. See Guest WLAN & Web Authentication and Wi-Fi Security.
