In modern enterprise networks, Wi-Fi is no longer an afterthought—it's the primary access method for most users. The 200-301 exam tests your understanding of the split-MAC architecture that separates real-time frame handling (on the lightweight AP) from control and management (on the wireless LAN controller). This chapter covers how LWAPs discover and join a WLC, how traffic flows through CAPWAP tunnels, and the key differences between local, FlexConnect, and other AP modes. Mastering this topic means you can troubleshoot wireless connectivity issues and design scalable WLANs—skills every network engineer needs.
Think of a large airport. The control tower (the WLC) manages all air traffic—it decides which runways (channels) planes use, when planes take off or land (client association/roaming), and coordinates emergency procedures (security policies). The actual planes (lightweight APs) are dumb vehicles that just follow instructions: they broadcast their presence on the correct frequency, relay passenger data (client traffic), and report their fuel level (RF statistics) back to the tower. The tower doesn't fly the plane; it tells the pilot where to go. Similarly, the WLC doesn't transmit Wi-Fi frames; it tells the AP which channel to use, what SSID to broadcast, and how to handle security. The connection between tower and plane is a dedicated radio channel (the CAPWAP tunnel). If the tower goes silent, planes can still circle (FlexConnect local switching) but cannot coordinate with other airports. In the original autonomous AP model, each plane had its own pilot and control tower built in—expensive and hard to coordinate. The split-MAC architecture centralizes the brain while keeping the wings distributed, exactly like a modern airport.
What is a Lightweight AP and a WLC?
A Lightweight Access Point (LWAP) is an AP that has no local intelligence for management, configuration, or decision-making. It relies entirely on a Wireless LAN Controller (WLC) for these functions. The LWAP runs a minimal IOS image that supports only the real-time 802.11 operations: beaconing, probing, frame transmission/reception, encryption/decryption, and RF monitoring. All other functions—client authentication, association, mobility, QoS, and configuration—are handled by the WLC.
The WLC is a dedicated appliance (or virtual machine) that acts as the central brain for up to thousands of APs. Cisco offers physical controllers (3504, 5520, 8540) and virtual controllers (vWLC). The WLC manages AP configurations, RF parameters, security policies, and client roaming. It also terminates CAPWAP tunnels from APs and bridges wireless traffic to the wired network.
The Split-MAC Architecture
In traditional autonomous APs, the AP handles both real-time and management functions. In the split-MAC model, these functions are divided:
- Real-time functions on the AP (LWAP):
  - 802.11 beacon generation and probe response
  - Frame transmission and reception over the air
  - Encryption/decryption (AES-CCMP, TKIP)
  - MAC layer ACKs and retransmissions
  - RF monitoring for rogue detection and channel scanning
- Management and control functions on the WLC:
  - 802.11 association and authentication
  - Client mobility (roaming coordination)
  - SSID and security policy definition
  - Channel assignment and power adjustment (RRM)
  - VLAN assignment and QoS policy
  - CAPWAP tunnel management
This split reduces AP complexity and cost, centralizes policy, and enables seamless roaming across thousands of APs.
CAPWAP: The Control and Data Tunnels
Control And Provisioning of Wireless Access Points (CAPWAP) is the IETF standard protocol (RFC 5415, 5416) used between LWAP and WLC. It defines two tunnels:
Control Tunnel (UDP 5246): Used for configuration, management, and control messages. Traffic is encrypted using DTLS (Datagram Transport Layer Security) by default. The AP and WLC authenticate each other using digital certificates or a pre-shared key.
Data Tunnel (UDP 5247): Carries all wireless client traffic from the AP to the WLC. This tunnel can be encrypted or not, depending on configuration. By default, data traffic is not encrypted over CAPWAP, but DTLS can be enabled for data as well.
Both tunnels use IPv4 (or IPv6) and are encapsulated in UDP. The AP encapsulates each 802.11 frame into a CAPWAP packet, adding an 8-byte CAPWAP header, then a UDP header, then an IP header. The WLC decapsulates and forwards the frame to the wired network.
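To make the encapsulation concrete, here is an added example (not code from the original page or from Cisco) that packs and parses the 8-byte fixed CAPWAP header as laid out in RFC 5415 section 4.3 and, given the UDP destination port of a captured datagram, reports which tunnel it belongs to and whether it is DTLS-protected. The sample datagrams at the bottom are constructed.

```python
import struct

CAPWAP_CONTROL_PORT = 5246  # control tunnel, DTLS-protected by default
CAPWAP_DATA_PORT = 5247     # data tunnel, cleartext by default


def build_capwap_header(*, rid=0, wbid=1, native_80211=True, keepalive=False,
                        fragment=False, more_frags=False, frag_id=0, frag_offset=0):
    """Pack the 8-byte fixed CAPWAP header (RFC 5415 section 4.3).
    Preamble byte: version 0, type 0 = plaintext CAPWAP. HLEN is in 4-byte words."""
    hlen = 2  # fixed header only: no Radio MAC or Wireless Specific Information
    word = ((hlen << 19) | (rid << 14) | (wbid << 9)
            | (native_80211 << 8) | (fragment << 7) | (more_frags << 6)
            | (keepalive << 3))  # W, M and the 3 reserved flag bits stay zero
    frag_word = (frag_offset & 0x1FFF) << 3  # 13-bit offset, 3 reserved bits
    return b"\x00" + word.to_bytes(3, "big") + struct.pack("!HH", frag_id, frag_word)


def parse_capwap(udp_payload):
    """Decode a CAPWAP datagram's fixed header. Preamble type 1 means the UDP
    payload is a DTLS record wrapping CAPWAP, i.e. this tunnel is encrypted."""
    if len(udp_payload) < 8:
        raise ValueError("too short for a CAPWAP header")
    version, ptype = udp_payload[0] >> 4, udp_payload[0] & 0x0F
    if version != 0:
        raise ValueError(f"unsupported CAPWAP version {version}")
    if ptype == 1:
        return {"encrypted": True}
    word = int.from_bytes(udp_payload[1:4], "big")
    frag_id, frag_word = struct.unpack("!HH", udp_payload[4:8])
    hlen = ((word >> 19) & 0x1F) * 4
    return {
        "encrypted": False,
        "hlen": hlen,
        "rid": (word >> 14) & 0x1F,          # radio ID on the AP
        "wbid": (word >> 9) & 0x1F,          # 1 = IEEE 802.11 binding
        "native_80211": bool(word & 0x100),  # T bit: payload is an 802.11 frame
        "fragment": bool(word & 0x80),
        "more_frags": bool(word & 0x40),
        "keepalive": bool(word & 0x08),      # K bit: data-channel keep-alive
        "frag_id": frag_id,
        "frag_offset": frag_word >> 3,
        "payload": udp_payload[hlen:],
    }


def audit_tunnel(dst_port, udp_payload):
    """Defender's check on a captured AP-to-WLC datagram: which tunnel is it,
    and is it actually protected by DTLS? Cleartext on 5247 is the default."""
    tunnel = {CAPWAP_CONTROL_PORT: "control", CAPWAP_DATA_PORT: "data"}.get(dst_port)
    if tunnel is None:
        return "not CAPWAP"
    hdr = parse_capwap(udp_payload)
    if hdr["encrypted"]:
        return f"{tunnel} tunnel, DTLS-protected"
    kind = "802.11" if hdr["native_80211"] else "802.3"
    return f"{tunnel} tunnel, CLEARTEXT {kind} frame, {len(hdr['payload'])} payload bytes"


# Constructed samples: a cleartext data datagram carrying a stub 802.11 frame,
# and a DTLS-wrapped control datagram (0x01 preamble, then a DTLS record header).
CLEARTEXT_DATA = build_capwap_header(rid=1, frag_id=42) + b"\x08\x02" + bytes(6)
DTLS_CONTROL = b"\x01" + b"\x16\xfe\xfd" + bytes(10)
```

Running `audit_tunnel` over the UDP payloads of a capture between an AP and its WLC shows at a glance whether the data tunnel is still in its cleartext default.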
LWAP Discovery and Join Process
When an LWAP boots up, it must discover and join a WLC. The process is:
DHCP: The AP obtains an IP address, subnet mask, default gateway, and optionally the WLC IP address via DHCP option 43.
DNS: If no WLC IP is found via DHCP, the AP performs a DNS lookup for "CISCO-CAPWAP-CONTROLLER.localdomain" (or similar).
Discovery: The AP sends a CAPWAP Discovery Request (UDP 5246) to the WLC's IP address (or broadcast on its subnet). The WLC responds with a Discovery Response containing its name, AP capacity, and security credentials.
Join: The AP selects a WLC (based on priority, load, or first response) and sends a Join Request. The WLC authenticates the AP (using certificates or PSK) and sends a Join Response.
Configuration Download: The WLC sends the AP its full configuration: SSIDs, channels, power levels, security settings, etc.
Operational State: The AP begins broadcasting beacons and accepting client associations.
AP Modes: Local, FlexConnect, Monitor, etc.
Cisco LWAPs can operate in several modes, each with different behaviors:
Local Mode (default): The AP tunnels all client traffic to the WLC. The AP is fully controlled by the WLC. It spends about 10% of its time scanning other channels for rogue detection and RRM.
FlexConnect (formerly H-REAP): The AP can locally switch client traffic at the AP (if configured) while still being managed by the WLC. This is used when the WAN link to the WLC is unreliable or low-bandwidth. The AP can operate in standalone mode if the WLC becomes unreachable.
Monitor Mode: The AP does not serve clients; it acts as a dedicated sensor for rogue detection, location tracking, and spectrum analysis.
Sniffer Mode: The AP captures 802.11 frames on a specified channel and forwards them to a remote PC running Wireshark.
SE-Connect Mode: Used for spectrum analysis with a dedicated spectrum analyzer tool.
Bridge Mode: The AP acts as a wireless bridge (point-to-point or point-to-multipoint).
Flex+Bridge Mode: Combines FlexConnect and bridging.
Verification Commands
On the WLC, use the GUI or CLI to verify AP status:
(Cisco Controller) >show ap summary
Number of APs.................................... 8
Global AP User Name.............................. admin
Global AP User Password......................... ****
AP Name Slots AP Model Ethernet MAC Location Country IP Address State
--------------------------------------------------------------------------------------------------------
AP-Office1 2 AIR-CAP3702I-A-K9 aabb.ccdd.0011 Building 1 Floor 2 US 192.168.10.10 Registered
AP-Office2 2 AIR-CAP3702I-A-K9 aabb.ccdd.0012 Building 1 Floor 2 US 192.168.10.11 Registered

(Cisco Controller) >show ap config general AP-Office1
AP Name...................................... AP-Office1
MAC Address.................................. aabb.ccdd.0011
Model....................................... AIR-CAP3702I-A-K9
Admin State.................................. Enabled
Operation State.............................. Up
AP Mode...................................... Local
Public IP Address............................ 203.0.113.1
Private IP Address........................... 192.168.10.10
Gateway IP Address........................... 192.168.10.1
CAPWAP Path MTU.............................. 1485
CAPWAP UDP Port.............................. 5246 (Control) / 5247 (Data)
DTLS Encryption.............................. Enabled
Primary Controller Name...................... WLC-1
Primary Controller IP Address............... 10.1.1.1
Secondary Controller Name.................... WLC-2
Secondary Controller IP Address............. 10.2.2.2
Statistics:
Number of Join Attempts.................... 1
Last Join Time............................. 2023-08-15 10:30:00
Number of Disconnect Attempts............. 0

On the AP itself (if you can SSH to it), use:
AP-Office1#show capwap state
CAPWAP State: Run
Discovery State: None
Join State: Joined
Image State: None
Configuration State: Downloading
...

AP-Office1#show capwap summary
AP IP Address: 192.168.10.10
Controller IP Address: 10.1.1.1
UDP Port (Control/Data): 5246/5247
Encryption: DTLS Enabled
Number of Clients: 15
Channel: 6 (2.4 GHz)
Power: 17 dBm

AP boots and obtains IP via DHCP
When a lightweight AP powers on, it first acts as a DHCP client to obtain an IP address, subnet mask, default gateway, and DNS server. The DHCP server can also provide the WLC IP address using DHCP option 43. The AP sends a DHCPDISCOVER, receives a DHCPOFFER, and then a DHCPACK. Without an IP, the AP cannot proceed. If option 43 is present, the AP extracts the WLC IP list. If not, it will try DNS or broadcast discovery. Ensure the DHCP server is configured to supply option 43 with the correct format (sub-option 1, type IP address, length 4 per address).
AP discovers WLC via DNS or broadcast
If DHCP option 43 is missing, the AP performs a DNS lookup for the hostname "CISCO-CAPWAP-CONTROLLER" (by default) in the domain returned by DHCP. For example, if the domain is "example.com", it queries for "CISCO-CAPWAP-CONTROLLER.example.com". If DNS fails, the AP sends a CAPWAP Discovery Request as a UDP broadcast to 255.255.255.255 on port 5246. Any WLC on the same subnet that receives this will respond with a Discovery Response. The AP may also try its configured primary/secondary/tertiary WLC list if previously joined.
AP sends CAPWAP Discovery Request
The AP sends a CAPWAP Discovery Request message to the WLC's IP address (or broadcast). This message includes the AP's hardware details, serial number, and supported capabilities. The WLC responds with a Discovery Response that includes its name, AP capacity, software version, and security information (e.g., certificate hash). The AP may receive multiple responses and selects the best WLC based on priority (configured primary/secondary/tertiary) or load. If no priority is set, it picks the first to respond.
AP joins the WLC with DTLS handshake
After selecting a WLC, the AP sends a Join Request. The WLC initiates a DTLS handshake over UDP 5246 to establish an encrypted control channel. The AP and WLC authenticate each other using X.509 certificates (by default) or a pre-shared key. Once DTLS is established, the WLC sends a Join Response with a session ID. The AP then enters the Configure state, where it downloads its full configuration from the WLC. The configuration includes SSIDs, security settings, RF parameters, and QoS policies.
AP enters Run state and serves clients
After configuration download, the AP transitions to the Run state. It begins transmitting beacons on the assigned channels, responding to probes, and accepting client associations. Client traffic is encapsulated in CAPWAP data packets and sent to the WLC. The WLC handles authentication, association, and forwarding. The AP periodically sends keepalive messages to the WLC. If the WLC becomes unreachable (e.g., after 30 seconds of no keepalives), the AP will attempt to reconnect to a backup WLC or enter standalone mode (if FlexConnect).
Verify AP status with show commands
Use the WLC CLI or GUI to verify the AP is registered and operational. Key commands: `show ap summary` lists all APs with their state (Registered, Disabled, etc.). `show ap config general <AP-name>` shows detailed configuration and CAPWAP status. `show ap join stats detailed <AP-name>` shows join history and any errors. On the AP, `show capwap state` shows the current CAPWAP state (Run, Join, etc.). If the AP is not joining, check for IP reachability, DTLS certificate issues, or mismatched controller names.
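As an added example (not the page's own code and not Cisco's), the following Python encodes and validates the DHCP option 43 WLC list from the first step and lays out the discovery order the steps above describe. The sub-option code 0xf1 (241) and the `option 43 hex` IOS DHCP-pool syntax are the values Cisco documents for this TLV; the addresses and domain are constructed.

```python
import ipaddress

# Cisco documents the vendor sub-option for the WLC list as type 0xf1 (241),
# length = 4 bytes per IPv4 address, value = the WLC management addresses.
WLC_LIST_SUBOPTION = 0xF1
CAPWAP_DNS_LABEL = "CISCO-CAPWAP-CONTROLLER"
BROADCAST_TARGET = "255.255.255.255:5246"


def encode_option43(wlc_ips):
    """Build the option 43 payload (one TLV) from a list of WLC IPv4 addresses."""
    packed = [ipaddress.IPv4Address(ip).packed for ip in wlc_ips]
    if not 1 <= len(packed) <= 63:  # single-byte length field caps this at 63
        raise ValueError("need between 1 and 63 WLC addresses")
    return bytes([WLC_LIST_SUBOPTION, 4 * len(packed)]) + b"".join(packed)


def option43_hex(wlc_ips):
    """Hex string as typed after 'option 43 hex' in a Cisco IOS DHCP pool."""
    return encode_option43(wlc_ips).hex()


def decode_option43(payload):
    """Walk the vendor-specific TLVs and extract the WLC list, rejecting the
    malformed encodings (wrong length, truncation) that leave APs undiscovered."""
    wlcs, i = [], 0
    while i < len(payload):
        if payload[i] == 0xFF:  # end-of-options marker
            break
        if i + 2 > len(payload):
            raise ValueError("truncated TLV header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code:#x}: length {length} overruns payload")
        if code == WLC_LIST_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("WLC list length must be a non-zero multiple of 4")
            wlcs += [str(ipaddress.IPv4Address(value[j:j + 4]))
                     for j in range(0, length, 4)]
        i += 2 + length
    return wlcs


def discovery_candidates(option43_wlcs, dhcp_domain=None, remembered=()):
    """Ordered (method, target) list an AP works through, as the steps above
    describe: option 43 addresses, then the DNS name in the DHCP-supplied domain
    (falling back to 'localdomain'), then subnet broadcast. Controllers remembered
    from an earlier join are appended; their position in the order is an assumption."""
    candidates = [("option43", ip) for ip in option43_wlcs]
    candidates.append(("dns", f"{CAPWAP_DNS_LABEL}.{dhcp_domain or 'localdomain'}"))
    candidates.append(("broadcast", BROADCAST_TARGET))
    candidates += [("remembered", ip) for ip in remembered]
    return candidates
```

Feeding a captured DHCPOFFER's option 43 bytes to `decode_option43` is a quick way to tell a formatting mistake on the DHCP server from a reachability or certificate problem.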
In a typical enterprise deployment, an organization such as a university with 500+ APs across multiple buildings uses a pair of WLCs for redundancy (active/standby, or active/active with the APs split between them). The APs are deployed in Local mode, tunneling all traffic back to the WLC, which sits in a central data center. This centralizes policy enforcement, simplifies guest access, and enables seamless roaming.

However, if the WAN link to a remote branch office is slow or unreliable, FlexConnect mode is used. For example, a bank with 50 branch offices, each with 2-3 APs, deploys FlexConnect APs that locally switch client traffic onto the branch LAN while still being managed from a central WLC. This avoids sending all traffic over the WAN. The FlexConnect AP can also operate in standalone mode if the WLC becomes unreachable, so branch users stay connected.

Another scenario is a large conference center that uses Monitor mode APs to detect rogue APs and perform location tracking of devices. The WLC aggregates all rogue reports and can trigger location alerts.

Misconfiguration is common: if DHCP option 43 is missing or incorrectly formatted, APs fail to discover the WLC. Likewise, if the WLC's AP certificate is not trusted (e.g., a self-signed certificate that was never imported), the DTLS handshake fails.

Performance considerations: each WLC has a maximum AP capacity (e.g., the 3504 supports up to 150 APs), and exceeding it causes join failures. CAPWAP data tunnel encryption also adds CPU overhead, so in high-throughput environments DTLS for data is often left disabled to save resources.
For CCNA 200-301, exam objective 2.9 (Describe the characteristics of WLC and lightweight APs) focuses on understanding the split-MAC architecture, the CAPWAP protocol, and the AP join process. The exam does not ask for exact configuration commands but expects you to know the sequence of events and the roles of each component.

Common wrong answers: (1) Thinking the AP makes forwarding decisions independently—it does not in Local mode; all traffic goes to the WLC. (2) Confusing CAPWAP control (UDP 5246) with data (UDP 5247)—many candidates swap the ports. (3) Believing that APs always need a WLC to function—FlexConnect APs can operate standalone if the WLC is unreachable. (4) Assuming DTLS is mandatory for data—it is optional and disabled by default.

Key values: CAPWAP control port 5246, data port 5247; AP discovery uses DHCP option 43 or the DNS name "CISCO-CAPWAP-CONTROLLER.localdomain"; AP join states: Discovery, Join, Configure, Run.

Decision rule for scenario questions: if the question involves a remote site with limited WAN bandwidth, think FlexConnect. If it is about central management and security, think Local mode. If the AP fails to join, check Layer 3 reachability, DHCP option 43, and DTLS certificate issues.
Lightweight APs rely on a WLC for management and control; they handle only real-time 802.11 functions.
CAPWAP uses two UDP tunnels: control (port 5246, encrypted with DTLS) and data (port 5247, optionally encrypted).
AP discovery methods: DHCP option 43, DNS lookup for CISCO-CAPWAP-CONTROLLER.localdomain, or broadcast.
AP join process: Discovery → Join (DTLS handshake) → Configure → Run.
AP modes include Local (default, all traffic tunneled), FlexConnect (local switching, standalone capable), Monitor (sensor only), and Sniffer (packet capture).
Default DTLS encryption is enabled for control traffic but disabled for data traffic.
Verify AP status with 'show ap summary' and 'show ap config general <AP-name>' on the WLC.
These come up on the exam all the time. Here's how to tell them apart.
| Autonomous AP | Lightweight AP (LWAP) |
| --- | --- |
| Runs full IOS with independent management | Runs minimal IOS; depends on WLC for control |
| No external controller required | Requires a WLC for management and configuration |
| All configuration done locally via CLI or web | Configuration is pushed from the WLC |
| Traffic is bridged or routed locally | Traffic is tunneled to WLC (except FlexConnect) |
| Harder to manage at scale | Centralized management, easier at scale |
Mistake: Lightweight APs can make autonomous forwarding decisions.
Correct: In Local mode, all client traffic is tunneled to the WLC; the AP does not forward frames locally. Only FlexConnect mode allows local switching.
Candidates confuse LWAPs with autonomous APs, which have full local intelligence.

Mistake: CAPWAP uses TCP for reliable delivery.
Correct: CAPWAP uses UDP (ports 5246 and 5247). Reliability is handled by CAPWAP itself (e.g., sequence numbers, retransmissions).
Many assume control protocols use TCP, but CAPWAP is designed for low-latency tunneling over UDP.

Mistake: An AP can only join a WLC via DHCP option 43.
Correct: APs can also discover a WLC via DNS (CISCO-CAPWAP-CONTROLLER.localdomain) or by sending a broadcast discovery request on the local subnet.
Candidates often memorize only one method and forget the alternatives.

Mistake: Data traffic in CAPWAP is always encrypted by default.
Correct: By default, DTLS encryption is enabled only for control traffic (port 5246). Data traffic (port 5247) is not encrypted unless explicitly configured.
The term 'secure tunnel' leads to the assumption that both tunnels are encrypted.
CAPWAP (Control and Provisioning of Wireless Access Points) is the IETF standard that evolved from Cisco's proprietary LWAPP (Lightweight Access Point Protocol). LWAPP was the original protocol used in older Cisco WLCs and APs. CAPWAP is more secure (DTLS) and supports IPv6. Cisco now uses CAPWAP for all LWAP communications. For the CCNA exam, you only need to know CAPWAP. LWAPP is legacy and not tested.
There are three methods: (1) DHCP option 43 – the DHCP server provides a list of WLC IP addresses. (2) DNS – the AP queries for 'CISCO-CAPWAP-CONTROLLER.<domain>'. (3) Broadcast – the AP sends a CAPWAP Discovery Request to 255.255.255.255 on UDP 5246. The AP tries these in order: first DHCP option 43, then DNS, then broadcast. If the AP has previously joined a WLC, it may also try its configured primary/secondary/tertiary WLC IPs.
FlexConnect (formerly H-REAP) is an AP mode that allows the AP to locally switch client traffic at the AP while still being managed by a WLC. It is ideal for remote or branch offices where the WAN link to the central WLC is slow or unreliable. In FlexConnect mode, the AP can operate in standalone mode if the WLC becomes unreachable, ensuring local users stay connected. The trade-off is that some features (like central authentication or guest access) may not be available.
In Local mode, no – the AP requires a WLC to function. If the WLC is unreachable, the AP will continuously try to reconnect and will not serve clients. However, in FlexConnect mode, the AP can operate in standalone mode (if configured) when the WLC is unreachable, continuing to serve clients with locally switched traffic. Also, some APs can be converted to autonomous mode with a different IOS image, but that is not typical.
DTLS (Datagram Transport Layer Security) provides encryption and authentication for the CAPWAP control tunnel (UDP 5246). It ensures that management and control messages between the AP and WLC are confidential and tamper-proof. By default, DTLS is enabled for control traffic but disabled for data traffic. You can enable DTLS for data as well, but it adds CPU overhead. DTLS uses X.509 certificates or pre-shared keys for mutual authentication.
On the WLC, use 'show ap summary' to list all APs and their state. Use 'show ap config general <AP-name>' to see the primary/secondary/tertiary controller names and IP addresses. On the AP (via SSH), use 'show capwap state' to see the current WLC IP and state. Also, 'show capwap summary' shows the controller IP and UDP ports. If the AP is connected to the wrong WLC, check the AP's configured controller priority or the DHCP option 43 list.
Cisco LWAPs support several modes: Local (default, tunnels all traffic), FlexConnect (local switching, standalone capable), Monitor (rogue detection only, no client access), Sniffer (captures frames to a remote PC), SE-Connect (spectrum analysis), Bridge (point-to-point/multipoint bridging), and Flex+Bridge (FlexConnect + bridging). The mode is configured on the WLC and pushed to the AP. Changing the mode requires the AP to reboot.