N10-009 | Chapter 68 of 163 | Objective 2.2

Wireless LAN Controller Deployment

This chapter covers Wireless LAN Controller (WLC) deployment, a core topic in Network Implementation for the CompTIA Network+ N10-009 exam. Understanding WLC architectures, deployment modes, and roaming mechanisms is essential for designing and troubleshooting enterprise wireless networks. Approximately 5-8% of exam questions touch on wireless controllers, focusing on controller-based vs. standalone APs, split-MAC architecture, and roaming types. Mastering this material will help you answer scenario-based questions about WLC placement, high availability, and client mobility.

25 min read
Intermediate
Updated May 31, 2026

WLC as Airport Air Traffic Control

Imagine a large airport with multiple runways, gates, and hundreds of flights arriving and departing daily. Without a central air traffic control (ATC) tower, each pilot would have to coordinate with every other pilot, leading to chaos, collisions, and inefficiency. The ATC tower manages all communications, assigns runways and gates, monitors flight paths, and ensures safe and efficient operations. In a wireless LAN, the Wireless LAN Controller (WLC) acts like the ATC tower. Access points (APs) are like the runways and gates—they handle the actual radio transmissions, but they are dumb without the controller. The WLC manages AP configurations, handles client authentication and roaming, monitors RF interference, and enforces security policies. When a client moves from one AP to another (roaming), the WLC coordinates the handoff, similar to how ATC guides a plane from one airspace sector to the next. Without a WLC, each AP would need to be configured individually, and roaming would be slow or break entirely. The WLC centralizes management, making the network scalable, secure, and efficient, just as ATC makes a busy airport safe and orderly.

How It Actually Works

What is a Wireless LAN Controller and Why Does It Exist?

A Wireless LAN Controller (WLC) is a centralized network device that manages multiple lightweight access points (APs) in a wireless network. In the early days of Wi-Fi, each AP operated independently (autonomous or 'fat' APs), requiring individual configuration and lacking coordination. As enterprises scaled, this became unmanageable. The WLC model emerged to centralize control, simplify management, and enable advanced features like seamless roaming, RF management, and security enforcement.

The exam objective (2.2) focuses on understanding the difference between controller-based and standalone AP deployments, the split-MAC architecture, and the various deployment modes (local, FlexConnect, monitor, etc.). You must know how the WLC and APs communicate (CAPWAP protocol) and how clients roam between APs.

Split-MAC Architecture

In a controller-based WLAN, the WLC and APs split the functions of a traditional autonomous AP. The WLC handles the non-real-time but network-critical functions (often called the 'control plane' or 'management plane'), while the APs handle the real-time radio functions. The standard split is defined by LWAPP (Lightweight Access Point Protocol) and its successor CAPWAP (Control and Provisioning of Wireless Access Points, RFC 5415).

Functions typically performed by the WLC:
- Client authentication (802.1X, PSK, etc.)
- Association and reassociation management
- Roaming coordination
- Security key management
- Quality of Service (QoS) enforcement
- RF management (channel assignment, power control)
- Firmware updates and configuration management
- Encryption/decryption (if using WPA2-Enterprise or WPA3)

Functions typically performed by the AP:
- Beacon transmission
- Probe response
- Frame forwarding (data plane)
- Real-time encryption/decryption (if using WPA2-PSK or WPA3-PSK)
- Fragmentation and reassembly
- ACK generation

This split allows the APs to be 'thin' or 'lightweight'—they only need enough processing power to handle real-time wireless frames. The WLC handles the complex logic.

CAPWAP Protocol

CAPWAP (Control and Provisioning of Wireless Access Points) is the IETF standard (RFC 5415) for communication between WLCs and lightweight APs. It supersedes the proprietary LWAPP. CAPWAP operates over UDP, using:
- Control channel: Port 5246 (UDP), encrypted with DTLS (Datagram Transport Layer Security) by default.
- Data channel: Port 5247 (UDP), optionally encrypted.

The AP must discover and join a WLC. Discovery methods include:
- DHCP option 43: The DHCP server provides the WLC's IP address in a custom option.
- DNS lookup: The AP queries a predefined DNS name (e.g., CISCO-CAPWAP-CONTROLLER.localdomain).
- Broadcast: The AP sends a broadcast on the local subnet.
- Over-the-air provisioning (OTAP): The AP learns the WLC IP from another AP already joined to the WLC (Cisco proprietary, disabled by default for security).
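DHCP option 43 is the discovery method this chapter and its troubleshooting notes return to most often, so here is an added example (my code, not the study guide's or Cisco's) that builds the option 43 payload Cisco lightweight APs expect and validates a payload the way you would when an AP is stuck in discovery. It relies on Cisco's published format (sub-option 0xf1, a length byte equal to 4 times the number of controllers, then each controller IPv4 address as four raw bytes); the controller addresses 10.1.1.10 and 10.1.1.11 are constructed for the demo.

```python
"""Build and validate the DHCP option 43 payload used by Cisco lightweight APs
to learn their WLC addresses. Added example; not part of the study guide.

Format (Cisco vendor-specific TLV): sub-option 0xF1, one length byte equal to
4 * (number of controllers), then each controller IPv4 address as 4 bytes.
The WLC addresses used below are constructed sample values.
"""
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1


def build_option43(wlc_ips):
    """Return the option 43 payload (bytes) for one or more WLC management IPs."""
    if not wlc_ips:
        raise ValueError("at least one WLC address is required")
    addrs = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(addrs) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return bytes([CISCO_WLC_SUBOPTION, len(addrs)]) + addrs


def option43_hex(wlc_ips):
    """Hex string form of the payload, as typed into most DHCP server option editors."""
    return build_option43(wlc_ips).hex()


def parse_option43(payload):
    """Decode a Cisco-style option 43 payload into a list of controller IPs.

    Raises ValueError with a diagnostic for the malformations that typically
    leave an AP looping in discovery: wrong sub-option, a length byte that
    does not match the data, or a length that is not a multiple of 4.
    """
    if len(payload) < 2:
        raise ValueError("payload too short to hold sub-option and length bytes")
    subopt, length = payload[0], payload[1]
    if subopt != CISCO_WLC_SUBOPTION:
        raise ValueError(f"sub-option 0x{subopt:02x} is not 0xf1; the AP will ignore it")
    data = payload[2:]
    if len(data) != length:
        raise ValueError(f"length byte says {length} but {len(data)} bytes follow")
    if length == 0 or length % 4:
        raise ValueError(f"length {length} is not a non-zero multiple of 4")
    return [str(ipaddress.IPv4Address(data[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    wlcs = ["10.1.1.10", "10.1.1.11"]          # constructed sample controllers
    print("option 43 hex:", option43_hex(wlcs))  # f1080a01010a0a01010b
    print("decoded:", parse_option43(build_option43(wlcs)))
    # Typical misconfiguration: a second WLC appended but the length byte left at 04
    try:
        parse_option43(bytes.fromhex("f1040a01010a0a01010b"))
    except ValueError as err:
        print("bad option 43:", err)
```

Run it against the hex string actually configured on the DHCP server to confirm the AP will see every controller you intended.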

Once discovered, the AP and WLC perform a DTLS handshake to establish a secure control channel. The AP then downloads its configuration and firmware from the WLC.

WLC Deployment Modes

The N10-009 exam expects you to differentiate the following modes:

1. Local Mode (Default):
   - AP tunnels all client traffic back to the WLC via CAPWAP.
   - The WLC performs encryption/decryption (if using central switching).
   - Used for maximum control and security.
   - Client data is encapsulated and sent to the WLC, which forwards it to the wired network.
   - Supports all advanced features (roaming, QoS, RF management).

2. FlexConnect (formerly Hybrid Remote Edge Access Point or H-REAP):
   - Designed for branch offices where a WLC is at a central site.
   - AP can switch client traffic locally (at the branch) or tunnel to the WLC.
   - If the WAN link fails, the AP can operate in standalone mode (connected locally).
   - Reduces latency and WAN bandwidth usage.
   - Two sub-modes:
     - FlexConnect Local Switching: Client data is bridged locally at the AP.
     - FlexConnect Central Switching: Client data is tunneled to the WLC.
   - The AP still uses the WLC for authentication and management.

3. Monitor Mode:
   - AP is used only for monitoring and security scanning (no client traffic).
   - It listens on all channels for rogue APs, interference, and intrusion detection.
   - No SSIDs are broadcast.

4. Sniffer Mode:
   - AP acts as a dedicated packet sniffer on a specific channel.
   - Captures 802.11 frames for analysis using tools like Wireshark.

5. Rogue Detector Mode:
   - AP monitors the wired network for rogue APs by listening to traffic.
   - Works in conjunction with monitor mode APs.

6. SE-Connect (Spectrum Expert Connect):
   - AP captures spectrum analysis data for interference detection.
   - Used with Cisco Spectrum Expert software.

7. Bridge Mode (Mesh):
   - AP acts as a wireless bridge for point-to-point or point-to-multipoint connections.
   - Used for outdoor or mesh deployments.

Roaming Types

Roaming is the process of a client moving from one AP to another without losing connectivity. The exam tests three types:

Layer 2 Roaming:
- The client moves between APs on the same VLAN/subnet.
- The client's IP address remains unchanged.
- Fast and seamless; the WLC updates its client database.
- No need for a new DHCP lease.

Layer 3 Roaming:
- The client moves between APs on different VLANs/subnets.
- The client must obtain a new IP address via DHCP (unless a mobility anchor is used).
- More complex; the WLC must coordinate with other WLCs (if multiple controllers).
- Can cause brief interruption.

Mobility (Inter-Controller Roaming):
- The client roams between APs connected to different WLCs.
- Requires a mobility group (a set of WLCs that share client information).
- Uses mobility tunnels (CAPWAP or proprietary) to forward client traffic to the original WLC (anchor).
- The anchor WLC maintains the client's IP address and forwards traffic to the foreign WLC.

High Availability and Redundancy

WLCs can be deployed in redundancy pairs or groups:
- Primary/Secondary/Tertiary: APs are configured with a list of WLCs. If the primary fails, the AP joins the secondary.
- N+1 Redundancy: One backup WLC serves multiple primary WLCs.
- Mobility Groups: Up to 24 WLCs can be grouped for seamless roaming and load balancing.
- Stateful Switchover (SSO): In Cisco WLCs, two controllers operate in an active/standby pair with synchronized state (client sessions, configurations).

Configuration Basics

While the exam doesn't require CLI configuration, you should understand the general steps and commands. A typical WLC setup involves:

1. Initial setup via console:

   System Name: WLC-1
   Management IP: 10.1.1.10/24
   Gateway: 10.1.1.1
   Service Interface IP: 192.168.1.10/24
2. Creating a WLAN (SSID):

   (Cisco Controller) >config wlan create 1 Corporate
   (Cisco Controller) >config wlan security wpa akm 802.1x disable 1
   (Cisco Controller) >config wlan security wpa akm psk enable 1
   (Cisco Controller) >config wlan security wpa akm psk set-key ascii MySecurePassphrase 1
   (Cisco Controller) >config wlan enable 1

   A newly created WLAN stays disabled until the final command, which is why its security settings can be changed in between; set-key takes the key format (ascii or hex), the passphrase, and then the WLAN ID.

3. Assigning APs to the WLC:
   - APs automatically join via DHCP option 43 or DNS.
   - Verify with:

   (Cisco Controller) >show ap summary

4. Configuring interfaces:
   - Management interface: for AP and WLC management traffic.
   - Service port: out-of-band management.
   - Dynamic interfaces: VLANs for client data.

Interaction with Related Technologies

DHCP: APs obtain IP addresses from DHCP; clients may use DHCP from the WLC or external server.

DNS: Used for AP discovery.

RADIUS: WLC forwards authentication requests to a RADIUS server (e.g., for 802.1X).

SNMP: For monitoring WLC and AP status.

QoS: WLC can mark DSCP values for voice/video traffic.

Exam-Relevant Numbers and Defaults

CAPWAP control port: UDP 5246; data port: UDP 5247.

Maximum APs per WLC: varies by model (e.g., Cisco 5520 supports up to 1500 APs).

Maximum clients per WLC: up to 20,000 for high-end models.

Mobility group: up to 24 WLCs.

FlexConnect APs can support up to 16 VLANs locally.

Default DTLS encryption: enabled for control channel.

Common Exam Traps

Confusing CAPWAP ports: Candidates often swap control and data ports or think they are TCP. They are UDP.

Thinking FlexConnect APs always tunnel traffic: They can switch locally.

Believing all WLCs perform encryption: In some split-MAC implementations, encryption is done at the AP (e.g., WPA2-PSK).

Assuming Layer 3 roaming always requires a new IP: With mobility anchors, the original IP can be preserved.

Mixing up LWAPP and CAPWAP: CAPWAP is the standard; LWAPP is Cisco's older proprietary protocol.

Walk-Through

1. AP Discovery of WLC

When a lightweight AP powers up, it must find a WLC to join. The AP sends discovery requests using methods like DHCP option 43 (the DHCP server provides the WLC IP), DNS resolution (the AP looks up a predefined hostname), or a local subnet broadcast. The AP sends a CAPWAP Discovery Request message to the WLC's IP address (UDP 5246). The WLC responds with a Discovery Response containing its capabilities and load. The AP then selects a WLC (based on priority, load, or configured order) and sends a Join Request. The WLC authenticates the AP (via MAC address or certificate) and sends a Join Response, establishing a secure DTLS tunnel.

2. AP Downloads Config and Firmware

After joining, the AP checks its firmware version against the WLC's image. If outdated, the AP downloads the new firmware from the WLC via TFTP or CAPWAP. The AP then reboots and rejoins. Next, the AP downloads its configuration, including SSIDs, security settings, and RF parameters. The WLC pushes the configuration to the AP. The AP then starts broadcasting beacons and probe responses. During this step, the AP also calibrates its radios based on the WLC's RF management settings (e.g., channel assignment, power levels).

3. Client Association and Authentication

A wireless client sends a Probe Request; the AP responds with a Probe Response containing supported SSIDs and capabilities. The client selects an SSID and sends an Authentication request. For open networks, this is a simple exchange. For secured networks (e.g., WPA2-Enterprise), the AP forwards the authentication to the WLC, which communicates with a RADIUS server. The WLC handles the 802.1X/EAP handshake. Upon successful authentication, the WLC derives encryption keys and sends them to the AP. The client then associates and completes the 4-way handshake to obtain session keys.

4. Client Data Forwarding

Once associated, client data frames are handled according to the switching mode. In local mode, the AP encapsulates all client traffic in CAPWAP data packets (UDP 5247) and sends them to the WLC. The WLC decapsulates, applies policies (ACLs, QoS), and forwards the traffic to the wired network. In FlexConnect local switching mode, the AP bridges client traffic directly to the local VLAN without tunneling. The WLC still handles authentication and management. The WLC also maintains a client database with MAC address, IP, VLAN, and session state.

5. Client Roaming Between APs

When a client moves and detects a stronger signal from another AP, it sends a Reassociation Request to the new AP. The new AP informs the WLC (or the WLC detects the reassociation). For Layer 2 roaming (same VLAN), the WLC updates its client entry and optionally sends a multicast to update switch CAM tables. For Layer 3 roaming (different VLAN), the WLC may need to anchor the client's traffic to the original WLC if using mobility. The process involves the new AP and WLC exchanging mobility messages. The goal is to minimize packet loss; typical handoff time is under 50 ms for voice traffic.

What This Looks Like on the Job

Enterprise Scenario 1: Large Office Campus with Centralized Control

A financial company with 5000 employees across a 10-building campus deploys 500 APs managed by two Cisco 5520 WLCs in a mobility group. The WLCs are in a redundant pair at the data center. All APs operate in local mode, tunneling all traffic to the WLCs. This centralizes security enforcement—the WLCs apply ACLs, perform 802.1X authentication against a RADIUS server, and enforce QoS for VoIP traffic. The network team uses the WLC's RF management to automatically adjust channels and power levels to avoid interference. The WLCs handle inter-AP roaming seamlessly. A common issue is that if the WAN link to a remote building fails, APs in that building lose connectivity to the WLC, causing a complete outage. To mitigate this, the company uses FlexConnect for remote buildings, allowing APs to switch traffic locally during WAN failure.

Enterprise Scenario 2: Retail Chain with Branch Offices

A national retailer with 200 stores uses a WLC cluster at headquarters and FlexConnect APs at each store. Each store has 4 APs. The WLC manages authentication and pushes configuration, but client traffic is switched locally at the store to avoid tunneling over the WAN. This reduces latency and bandwidth usage. The APs can operate independently if the WAN goes down. A misconfiguration pitfall: setting FlexConnect APs to central switching when the WAN has high latency causes poor performance for time-sensitive applications like credit card processing. The network engineer must choose local switching for those applications. Also, if the WLC is unreachable, new clients cannot authenticate unless the AP has cached credentials (FlexConnect local authentication).

Enterprise Scenario 3: University with High-Density Wireless

A university with 30,000 students deploys 1500 APs across dormitories, lecture halls, and outdoor areas. They use multiple WLCs (e.g., Cisco 8540) in a mobility group. In high-density areas like lecture halls, the WLC is configured for client load balancing and band steering (pushing dual-band clients to 5 GHz). The WLC also monitors for rogue APs. A common problem: during large events, the WLC's CPU spikes due to excessive client association requests. The solution is to use APs with local mode but enable client limit per AP and aggressive load balancing. The network team must also ensure that the mobility group is properly configured so that students roaming between buildings maintain their IP addresses (Layer 3 roaming with anchor controllers).

How N10-009 Actually Tests This

What N10-009 Tests on This Topic

Objective 2.2: 'Given a scenario, deploy the appropriate wireless LAN controller (WLC) solution.' The exam expects you to:

Compare controller-based vs. standalone AP deployment.

Identify the split-MAC functions (what the WLC does vs. what the AP does).

Understand CAPWAP ports and discovery methods.

Differentiate WLC deployment modes (local, FlexConnect, monitor, etc.).

Recognize roaming types (Layer 2, Layer 3, inter-controller).

Know high availability options (primary/secondary, mobility groups).

Most Common Wrong Answers and Why

1. 'CAPWAP uses TCP ports 5246 and 5247.' Candidates often assume TCP because many management protocols use TCP. But CAPWAP uses UDP for low-latency control and data. The exam explicitly tests UDP vs. TCP.

2. 'FlexConnect APs always tunnel traffic to the WLC.' They can be configured for local switching. The exam presents scenarios where a branch office has a WAN link; the correct answer is often FlexConnect with local switching to save bandwidth.

3. 'The WLC always performs encryption/decryption.' In many deployments, encryption is done at the AP (especially for PSK). The split-MAC model can vary; the exam tests that the WLC handles authentication and key management, but the AP may do real-time encryption.

4. 'Layer 3 roaming always requires a new IP address.' With mobility anchors, the client can keep its IP even across subnets. The exam may ask about 'anchor' vs. 'foreign' controllers.

Specific Numbers and Terms

CAPWAP control port: 5246 UDP; data port: 5247 UDP.

DTLS is used for control channel encryption.

DHCP option 43 is a common discovery method.

Maximum mobility group size: 24 WLCs.

FlexConnect local switching supports up to 16 VLANs per AP.

The default WLC mode is 'local'.

Edge Cases and Exam Favorites

Rogue AP detection: Monitor mode APs are used to detect rogues, not local mode.

Mesh networks: Bridge mode is for mesh; not to be confused with FlexConnect.

AP fails to join: Often due to missing DHCP option 43 or DNS misconfiguration.

Client roaming delay: Layer 3 roaming without mobility anchor causes DHCP renewal, which is slower.

How to Eliminate Wrong Answers

If the question mentions 'centralized control' and 'tunneling', think local mode.

If the scenario is a branch with limited WAN bandwidth, think FlexConnect local switching.

If the question asks about AP discovery, look for DHCP option 43 or DNS.

If the question mentions 'seamless roaming across subnets', consider mobility groups and anchor controllers.

If the question involves 'security scanning' or 'rogue detection', the AP mode is monitor, not local.

Key Takeaways

CAPWAP uses UDP ports 5246 (control) and 5247 (data); DTLS encrypts the control channel.

Split-MAC architecture: WLC handles management/control; AP handles real-time frame processing.

AP discovery methods: DHCP option 43, DNS, broadcast, OTAP (Cisco proprietary).

WLC deployment modes: local (tunnel all), FlexConnect (local or central switching), monitor (rogue detection), sniffer, bridge.

Layer 2 roaming: same subnet, no IP change. Layer 3 roaming: different subnet, may need DHCP or mobility anchor.

Mobility groups allow up to 24 WLCs to share client context for seamless roaming.

FlexConnect local switching supports up to 16 VLANs per AP.

High availability: primary/secondary/tertiary WLC list, N+1 redundancy, SSO (stateful switchover).

The default WLC mode is local; FlexConnect is for branch offices.

Monitor mode APs do not serve clients; they scan for rogues and interference.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Local Mode

All client traffic is tunneled to the WLC via CAPWAP.

WLC performs encryption/decryption (central switching).

Requires low-latency link between AP and WLC.

Best for maximum security and control.

AP cannot operate if WLC is unreachable.

FlexConnect Mode

Client traffic can be switched locally at the AP.

AP can perform local encryption (for PSK).

Tolerates higher latency and WAN failures.

Reduces bandwidth usage on WAN links.

AP can continue serving clients if WLC is unreachable (standalone mode).

Watch Out for These

Mistake: CAPWAP uses TCP for reliable delivery.

Correct: CAPWAP uses UDP (control: port 5246, data: port 5247). Reliability is handled by the protocol itself (e.g., sequence numbers and retransmissions for control messages).

Mistake: All client traffic in a controller-based WLAN must go through the WLC.

Correct: In FlexConnect local switching mode, client traffic is bridged directly at the AP without going through the WLC. Only management and control traffic go to the WLC.

Mistake: The WLC always performs encryption and decryption of client data.

Correct: In split-MAC architecture, encryption/decryption can be done at the AP (e.g., for WPA2-PSK). The WLC handles authentication and key management, but the actual data encryption may be offloaded to the AP.

Mistake: Layer 3 roaming always requires the client to obtain a new IP address.

Correct: With mobility groups and anchor controllers, the client can retain its original IP address even when roaming to a different subnet. The anchor WLC tunnels traffic to the foreign WLC.

Mistake: A WLC can only manage APs on the same subnet.

Correct: APs can be on different subnets or even across WAN links. Discovery methods like DHCP option 43 and DNS allow APs to find a WLC anywhere on the network.


Frequently Asked Questions

What ports does CAPWAP use?

CAPWAP uses UDP port 5246 for control messages and UDP port 5247 for data traffic. The control channel is encrypted with DTLS by default. The exam often tests that these are UDP, not TCP. Some older proprietary implementations (LWAPP) used different ports, but CAPWAP is the IETF standard (RFC 5415).

How does a lightweight AP discover a WLC?

An AP discovers a WLC using one of several methods: (1) DHCP option 43, where the DHCP server provides the WLC's IP address; (2) DNS lookup of a predefined hostname (e.g., CISCO-CAPWAP-CONTROLLER.localdomain); (3) local subnet broadcast; (4) over-the-air provisioning (OTAP), where the AP learns from another AP (Cisco proprietary, disabled by default).

What is the difference between local mode and FlexConnect mode?

In local mode, all client traffic is tunneled to the WLC for processing and forwarding, providing centralized control but requiring a reliable low-latency link. In FlexConnect mode, the AP can switch client traffic locally at the branch office, reducing WAN bandwidth usage and allowing operation even if the WLC is unreachable. FlexConnect is ideal for remote sites.

What is split-MAC architecture?

Split-MAC architecture divides the functions of a traditional autonomous AP between the WLC and the lightweight AP. The WLC handles the non-real-time functions like authentication, roaming, and RF management (control plane). The AP handles real-time frame exchanges like beacons, probes, and encryption/decryption (data plane). This allows simpler APs and centralized management.

How does Layer 3 roaming work with WLCs?

Layer 3 roaming occurs when a client moves between APs on different subnets. Without a mobility anchor, the client must obtain a new IP address via DHCP, causing a brief interruption. With a mobility group, the client can retain its original IP by anchoring traffic to the original WLC, which tunnels data to the new WLC. This provides seamless roaming across subnets.

What is a mobility group?

A mobility group is a set of up to 24 WLCs that share client session information, enabling seamless Layer 2 and Layer 3 roaming. When a client roams between APs managed by different WLCs in the same mobility group, the controllers exchange mobility messages to forward client traffic and maintain the client's IP address. Mobility groups are configured with a common mobility group name and security key.

Can a FlexConnect AP operate without a WLC?

Yes, a FlexConnect AP can operate in standalone mode if the WLC becomes unreachable. It will continue to serve existing clients and allow new authentications if local authentication is configured (cached credentials). However, the AP will not receive configuration updates or participate in RF management. Once the WLC is reachable again, the AP rejoins.
