Wireless LANs are everywhere—offices, campuses, hospitals, and homes. For the CCNA 200-301 exam, you must understand the architectural options for deploying WLANs, from autonomous access points to cloud-managed solutions. This chapter covers WLAN architecture models, controller-based deployments, and the key protocols that make them work. Exam objective 2.9 tests your ability to compare and contrast these architectures and select the right one for a given scenario.
Imagine a pizza restaurant that delivers to a large city. In the early days, each delivery driver (Access Point) had a paper map and a mobile phone (autonomous mode). The driver decided the best route, handled customer calls directly, and managed their own inventory of pizzas. This worked for a few deliveries but became chaotic as the city grew—drivers got lost, orders conflicted, and there was no central oversight.
To solve this, the restaurant introduced a central dispatch office (Wireless LAN Controller). Now, drivers still drive the delivery route (forwarding data), but the dispatch office handles all routing decisions, load balancing, and coordination. Drivers receive turn-by-turn instructions from dispatch and report back after each delivery. This is the split-MAC architecture: the controller handles management and control, while the AP handles real-time forwarding.
For even larger operations, the restaurant might outsource dispatch to a cloud service (Cloud-managed WLAN). Drivers still report to the cloud, but the restaurant no longer maintains its own dispatch office. The cloud service monitors traffic, updates maps, and even predicts busy times. This reduces on-premises hardware but requires a reliable internet connection—if the cloud goes down, drivers are stranded.
Finally, consider a food truck (Mesh AP) that can set up anywhere without a pre-planned route. It uses other food trucks as relay points to communicate with the central kitchen. This is how wireless mesh networks extend coverage without wired backhaul.
What is WLAN Architecture and Why It Exists
WLAN architecture defines how Access Points (APs) are managed and how they forward traffic. In the early days, each AP operated independently—a model called *autonomous* or *fat AP*. Autonomous APs are fully self-contained: they handle all 802.11 MAC functions, security, and management. They are configured individually via CLI or web GUI, much like a standalone router. For small deployments (home or small office), this works fine. But in an enterprise with hundreds of APs, managing them one by one is a nightmare. Imagine having to log into each AP to change the SSID or update a security key—that’s the reality of autonomous APs.
Cisco’s solution is the *split-MAC* architecture, where a Wireless LAN Controller (WLC) handles management and control functions, while APs handle real-time 802.11 MAC functions. This separation allows centralized configuration, firmware upgrades, and security policies. The AP and WLC communicate using the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, which is based on IETF standards (RFC 5415). CAPWAP replaces the older, proprietary LWAPP (Lightweight Access Point Protocol).
How CAPWAP Works Step by Step
CAPWAP operates over UDP. Control messages use UDP port 5246, and data messages use UDP port 5247. The protocol supports two modes of operation: *split-MAC* (the default for Cisco) and *local-MAC* (used in some vendor implementations). In split-MAC, the AP handles real-time frame exchange (beacons, probe responses, data frame encryption/decryption), while the WLC handles association, authentication, and management.
When a lightweight AP (LAP) boots, it goes through a discovery and join process:
Discovery Phase: The LAP sends a CAPWAP Discovery Request message as a broadcast (or unicast to a known WLC IP). It listens for responses from WLCs. The AP can also use DHCP option 43 or DNS to find the WLC.
Join Phase: The AP selects a WLC and sends a Join Request. The WLC responds with a Join Response, which includes a session ID and security parameters. The AP and WLC then establish a DTLS (Datagram Transport Layer Security) tunnel for control traffic. Data traffic can be encrypted or not, depending on configuration.
Image Data Phase: If the AP’s firmware is outdated, the WLC sends a new image. The AP downloads it and reboots.
Configuration Phase: The WLC sends the AP’s configuration (SSIDs, security settings, radio parameters). The AP applies it.
Run Phase: The AP is operational. It sends CAPWAP Keepalive messages (default every 30 seconds) to maintain the connection. If the WLC doesn’t hear from the AP for a configurable timeout (default 30 seconds), it marks the AP as disconnected.
WLAN Deployment Models
Cisco defines several deployment models for WLC placement:
Centralized (Split-MAC): The WLC is in a central location (e.g., data center). All traffic from APs tunnels back to the WLC via CAPWAP. The WLC then forwards traffic to the wired network. This model simplifies security (all traffic inspected at a central point) but can create a bottleneck and adds latency.
Distributed (FlexConnect): Formerly known as H-REAP (Hybrid Remote Edge Access Point). The AP can switch traffic locally (at the remote site) while still being managed centrally by the WLC. This is ideal for branch offices where WAN links are slow or unreliable. If the WAN link goes down, FlexConnect APs can still serve clients in standalone mode. FlexConnect supports both central and local switching per SSID.
Cloud-based: The controller is a cloud service (e.g., Cisco Meraki). APs connect to the cloud over the internet. Management is via a web dashboard. This model reduces on-premises hardware but depends on internet connectivity.
Mesh: APs form a wireless mesh network, using one or more APs as root nodes connected to the wired network. Other APs relay traffic wirelessly. This is useful for outdoor or hard-to-wire areas.
IOS CLI Verification Commands
On a WLC (assuming Cisco 9800 or older 5500/8500 series), you can verify AP status and CAPWAP state. Here are key commands:
`show ap summary`

Example output:

```
AP Name   Slots  AP Model            Ethernet MAC    Location             Country  IP Address  State       ...
AP-01     2      AIR-CAP3702I-A-K9   0011.2233.4455  Building 1 Floor 2   US       10.1.1.10   Registered
```

The State column shows "Registered" when the AP has successfully joined the WLC.

`show capwap client rcb`

Shows the CAPWAP state machine on the AP itself (run from the AP's console or an SSH session to the AP; normally you manage from the WLC).

`show ap config general <AP-name>`

Displays detailed configuration for a specific AP.
Interaction with Related Protocols
WLAN architecture interacts with several other protocols:
DHCP: APs typically receive IP addresses via DHCP. DHCP option 43 can provide the WLC IP address list.
DNS: APs can use a DNS name (e.g., CISCO-CAPWAP-CONTROLLER) to discover the WLC.
802.1X: For enterprise security, WLCs act as the authenticator in 802.1X/EAP.
RADIUS: WLCs communicate with RADIUS servers for authentication, authorization, and accounting.
QoS: CAPWAP can mark packets to preserve QoS across the tunnel.
Key Timers and Defaults
CAPWAP Keepalive interval: 30 seconds (configurable)
CAPWAP Echo interval: 30 seconds (for DTLS keepalive)
AP join timeout: 30 seconds (if no response, AP retries)
AP fallback: If an AP loses connection to its primary WLC, it tries backup WLCs in order.
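To make the keepalive timeout concrete, here is a small detector that applies the 30-second default from the list above to a constructed message log. This is an added example, not code from the page or from Cisco: the log format, the AP names and the function names (`parse`, `find_timeouts`, `ap_states`) are my own assumptions; real WLC logs look different.

```python
from datetime import datetime, timedelta
import re

# Default CAPWAP keepalive timeout quoted in the chapter (configurable on a real WLC)
KEEPALIVE_TIMEOUT = timedelta(seconds=30)

# Constructed log lines in a made-up format: <ISO timestamp> <AP name> <event>
LOG = """\
2024-03-01T10:00:00 AP-01 JOIN wlc=10.1.1.5
2024-03-01T10:00:30 AP-01 KEEPALIVE
2024-03-01T10:01:00 AP-01 KEEPALIVE
2024-03-01T10:00:05 AP-02 JOIN wlc=10.1.1.5
2024-03-01T10:00:35 AP-02 KEEPALIVE
2024-03-01T10:01:30 AP-02 KEEPALIVE
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (JOIN|KEEPALIVE)")


def parse(log):
    """Group message timestamps per AP; lines that do not match are ignored."""
    events = {}
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.setdefault(m.group(2), []).append(ts)
    return events


def find_timeouts(log, timeout=KEEPALIVE_TIMEOUT):
    """Return {ap: longest silence in seconds} for every AP that, at some point
    in the log, stayed silent longer than the keepalive timeout."""
    late = {}
    for ap, stamps in parse(log).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        worst = max(gaps, default=0.0)
        if worst > timeout.total_seconds():
            late[ap] = worst
    return late


def ap_states(log, now_iso, timeout=KEEPALIVE_TIMEOUT):
    """State the WLC would report at time now_iso: an AP whose last message is
    older than the timeout is marked disconnected, otherwise registered."""
    now = datetime.fromisoformat(now_iso)
    states = {}
    for ap, stamps in parse(log).items():
        silent = (now - max(stamps)).total_seconds()
        states[ap] = "disconnected" if silent > timeout.total_seconds() else "registered"
    return states


if __name__ == "__main__":
    print(find_timeouts(LOG))
    print(ap_states(LOG, "2024-03-01T10:02:00"))
```

In the constructed log AP-02 goes quiet for 55 seconds between its second and third message, which a 30-second timeout catches; AP-01 stays exactly on the 30-second cadence and is only reported as disconnected once the evaluation time is more than 30 seconds past its last keepalive.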
Trap Patterns on the Exam
Confusing CAPWAP ports: Control = UDP 5246, Data = UDP 5247. Many candidates swap them or think it’s TCP.
Thinking all traffic must go through WLC: In FlexConnect, local switching is possible.
Assuming autonomous APs are always inferior: They are simpler for small deployments.
Mixing up LWAPP and CAPWAP: LWAPP is legacy; CAPWAP is current.
Identify Deployment Requirements
Determine the scale (number of APs, clients), physical layout (single site vs. multiple branches), and WAN connectivity. For a single office with <50 APs, a centralized WLC works. For remote branches with limited WAN bandwidth, FlexConnect is better. If you have no on-site IT staff, cloud-managed is ideal. Also consider security policies—centralized traffic inspection vs. local switching.
Choose WLC Placement Model
Select centralized, distributed (FlexConnect), cloud, or mesh. For centralized, place the WLC in a data center or wiring closet. For FlexConnect, configure the AP to switch traffic locally at the remote site while still being managed centrally. For cloud, ensure internet connectivity. For mesh, designate root APs (wired) and non-root APs (wireless relay).
Configure WLC Discovery on APs
APs discover WLCs via three methods: (1) DHCP option 43—configure the DHCP server to return the WLC IP list in a specific hex format. (2) DNS—AP queries a predefined name (e.g., CISCO-CAPWAP-CONTROLLER.localdomain). (3) Static—manually configure the WLC IP on the AP via console. For Cisco APs, the default is to broadcast a discovery request.
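The chapter describes option 43 only as "a specific hex format". The following added example (my code, not the page's or Cisco's) encodes and decodes that format as Cisco documents it for its APs: vendor sub-option 0xF1, a length byte of 4 times the number of controllers, then each WLC IPv4 address as four bytes. It also renders the matching IOS DHCP pool lines. The function names and the sample addresses are my own; check the sub-option value against the vendor documentation for your AP model before using it.

```python
import ipaddress
import re

# Cisco-documented sub-option carrying the WLC address list (assumed from Cisco docs;
# the chapter itself does not spell out the format)
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(wlc_ips):
    """Build the option 43 hex string: F1, length, then each WLC address."""
    addrs = [ipaddress.IPv4Address(ip) for ip in wlc_ips]
    if not addrs:
        raise ValueError("at least one WLC address is required")
    length = 4 * len(addrs)
    if length > 255:
        raise ValueError("too many WLC addresses for one sub-option")
    payload = bytes([CISCO_WLC_SUBOPTION, length]) + b"".join(a.packed for a in addrs)
    return payload.hex()


def decode_option43(hex_string):
    """Parse option 43 (dots or spaces allowed) and return the WLC addresses.
    Malformed input raises rather than returning a partial list."""
    raw = bytes.fromhex(re.sub(r"[^0-9a-fA-F]", "", hex_string))
    wlcs = []
    i = 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        body = raw[i + 2 : i + 2 + length]
        if len(body) != length:
            raise ValueError("sub-option length exceeds available data")
        if code == CISCO_WLC_SUBOPTION:
            if length % 4 != 0:
                raise ValueError("WLC sub-option length must be a multiple of 4")
            for j in range(0, length, 4):
                wlcs.append(str(ipaddress.IPv4Address(body[j : j + 4])))
        i += 2 + length  # skip other vendor sub-options untouched
    return wlcs


def ios_dhcp_pool_config(pool_name, network, wlc_ips):
    """Render IOS DHCP pool lines; IOS takes the hex in dotted 16-bit groups."""
    hexstr = encode_option43(wlc_ips)
    dotted = ".".join(hexstr[k : k + 4] for k in range(0, len(hexstr), 4))
    net = ipaddress.IPv4Network(network)
    return [
        f"ip dhcp pool {pool_name}",
        f" network {net.network_address} {net.netmask}",
        f" option 43 hex {dotted}",
    ]


if __name__ == "__main__":
    # Constructed sample: two WLCs in the AP management network
    print("\n".join(ios_dhcp_pool_config("APS", "10.20.0.0/24", ["10.1.1.5", "10.1.1.6"])))
    print(decode_option43("f108.0a01.0105.0a01.0106"))
```

The decoder is deliberately strict: a length byte that overruns the data or is not a multiple of four is the usual symptom of a hand-typed option string, and an AP given such an option simply never finds its controller, so it is better to catch it on the DHCP side.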
Configure CAPWAP on WLC
On the WLC, enable CAPWAP (default). Configure AP join policies: specify which APs are allowed (by MAC address or certificate). Set up DTLS encryption for control traffic (default) and optionally for data traffic. Configure the CAPWAP keepalive interval (default 30 seconds). Use commands like `config ap policy` and `config network capwap`.
Verify AP Join Status
After APs are powered on and discover the WLC, use `show ap summary` to see if APs are in 'Registered' state. If an AP shows 'Not Joined' or 'Downloading', check the CAPWAP state with `show ap config general <AP-name>`. Common issues: incorrect WLC IP, firewall blocking UDP 5246/5247, or AP certificate mismatch.
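One of the common issues listed above, a firewall blocking UDP 5246/5247, can be checked before an AP ever tries to join. This added example (my code, not from the page or Cisco) evaluates a constructed first-match ACL with implicit deny against the two CAPWAP channels and reports which one is missing. The `Rule` class, the sample networks and the function names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

CAPWAP_CONTROL = 5246  # UDP, AP -> WLC control channel
CAPWAP_DATA = 5247     # UDP, AP -> WLC data channel


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "udp", "tcp" or "ip" (ip matches any protocol)
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None = any


def matches(rule: Rule, proto: str, src_ip: str, dst_ip: str, dport: int) -> bool:
    if rule.proto not in ("ip", proto):
        return False
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins; nothing matched means implicit deny."""
    for r in rules:
        if matches(r, proto, src_ip, dst_ip, dport):
            return r.action
    return "deny"


def check_capwap_path(rules: List[Rule], ap_ip: str, wlc_ip: str) -> dict:
    """Which CAPWAP channels the ACL permits from this AP to this WLC."""
    return {
        "control": evaluate(rules, "udp", ap_ip, wlc_ip, CAPWAP_CONTROL) == "permit",
        "data": evaluate(rules, "udp", ap_ip, wlc_ip, CAPWAP_DATA) == "permit",
    }


def diagnose(rules: List[Rule], ap_ip: str, wlc_ip: str) -> str:
    """Map the ACL result to the symptom an engineer would see on the WLC."""
    result = check_capwap_path(rules, ap_ip, wlc_ip)
    if result["control"] and result["data"]:
        return "ok"
    if not result["control"]:
        return "control blocked: AP never reaches Registered (UDP 5246)"
    return "data blocked: AP registers but centrally switched client traffic fails (UDP 5247)"


# Constructed ACLs. BROKEN_ACL reproduces the exam trap of opening TCP instead of UDP
# for the control port; FIXED_ACL is the corrected version.
BROKEN_ACL = [
    Rule("permit", "tcp", "10.20.0.0/24", "10.1.1.5/32", 5246),
    Rule("permit", "udp", "10.20.0.0/24", "10.1.1.5/32", 5247),
]
FIXED_ACL = [
    Rule("permit", "udp", "10.20.0.0/24", "10.1.1.5/32", 5246),
    Rule("permit", "udp", "10.20.0.0/24", "10.1.1.5/32", 5247),
]

if __name__ == "__main__":
    print(diagnose(BROKEN_ACL, "10.20.0.7", "10.1.1.5"))
    print(diagnose(FIXED_ACL, "10.20.0.7", "10.1.1.5"))
```

Distinguishing the two channels matters when troubleshooting: a blocked control port leaves the AP stuck before Join, while a blocked data port produces the more confusing picture of a Registered AP whose clients cannot pass traffic on centrally switched SSIDs.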
Configure SSID and Security
On the WLC, create WLANs (SSIDs). For each WLAN, assign a VLAN (interface), security method (WPA2/3, 802.1X, PSK), and QoS policy. For FlexConnect, you can specify local switching per WLAN. Use `config wlan create <id> <ssid>` and `config wlan security` commands. Verify with `show wlan summary`.
Autonomous APs handle all functions independently; no controller needed.
Lightweight APs require a WLC and use CAPWAP (UDP 5246 control, 5247 data).
CAPWAP discovery can use DHCP option 43, DNS, or static IP.
FlexConnect allows local switching at remote sites while management stays central on the WLC.
Cloud-managed WLANs (e.g., Meraki) reduce on-premises hardware but need internet.
Mesh APs extend coverage without wired backhaul; root APs connect to wired network.
WLC placement models: centralized, distributed (FlexConnect), cloud, mesh.
These come up on the exam all the time. Here's how to tell them apart.
Autonomous AP
No controller needed; standalone operation
Configured individually via CLI/GUI
All MAC functions handled locally
Best for small deployments (<10 APs)
No centralized management or monitoring
Lightweight AP (CAPWAP)
Requires WLC; uses CAPWAP protocol
Centrally configured and managed via WLC
Split-MAC: real-time functions on AP, management on WLC
Best for enterprise deployments (50+ APs)
Centralized management, security, and firmware updates
Mistake
CAPWAP uses TCP for reliability.
Correct
CAPWAP uses UDP. Control (5246) and data (5247) are both UDP. DTLS provides encryption for control.
Many assume control protocols use TCP, but CAPWAP uses UDP with its own reliability mechanisms.
Mistake
All traffic from lightweight APs must go through the WLC.
Correct
In FlexConnect mode, traffic can be switched locally at the AP, bypassing the WLC. Central switching is only one option.
Candidates often generalize from centralized deployment, not realizing FlexConnect exists.
Mistake
Autonomous APs are obsolete and never used in enterprises.
Correct
Autonomous APs are still used in very small deployments or as home APs. They are simpler but lack central management.
Cisco pushes controller-based solutions, but autonomous APs have their place.
Mistake
CAPWAP and LWAPP are the same protocol.
Correct
LWAPP is the legacy proprietary protocol; CAPWAP is the IETF standard replacement. Cisco now uses CAPWAP.
Older study materials may mention LWAPP; candidates confuse the two.
Autonomous APs are fully self-contained: they handle all 802.11 functions, security, and management independently. They are configured individually. Lightweight APs (LAPs) rely on a Wireless LAN Controller (WLC) for management, configuration, and control. LAPs use CAPWAP to communicate with the WLC. Autonomous APs are simpler but not scalable; lightweight APs are enterprise-grade but require a WLC.
APs use three methods: (1) DHCP option 43 – the DHCP server returns a list of WLC IP addresses in a specific hex format. (2) DNS – the AP queries a predefined name like CISCO-CAPWAP-CONTROLLER.localdomain. (3) Static – the AP is manually configured with the WLC IP via console. If none works, the AP broadcasts a CAPWAP Discovery Request.
FlexConnect (formerly H-REAP) is a Cisco WLAN deployment model where APs can switch traffic locally at a remote site while still being managed centrally by a WLC. It is ideal for branch offices with limited WAN bandwidth or unreliable connections. If the WAN fails, FlexConnect APs can operate in standalone mode, continuing to serve clients. You configure per-SSID whether traffic is switched locally or tunneled to the WLC.
CAPWAP uses UDP. Control messages go to port 5246, and data messages to port 5247. Control traffic can be encrypted using DTLS (Datagram Transport Layer Security). Data traffic encryption is optional. Firewalls must allow these UDP ports between APs and the WLC.
Technically yes, but they are managed separately. Autonomous APs are configured individually, while lightweight APs are managed by the WLC. Mixing them adds complexity. In practice, enterprises standardize on one model. Cisco also offers 'universal' APs that can operate in either mode by changing the IOS image.
DTLS (Datagram Transport Layer Security) provides encryption and integrity for CAPWAP control messages. It is enabled by default. Data traffic can also be encrypted with DTLS, but this is optional and adds overhead. DTLS uses UDP port 5246 for control and 5247 for data.
On the WLC, use the command `show ap summary`. The AP should appear with a state of 'Registered'. If it shows 'Not Joined' or 'Downloading', check for connectivity issues, CAPWAP port blocking, or certificate problems. You can also use `show ap config general <AP-name>` for detailed status.