Cisco Wireless

Cisco proprietary wireless architecture and implementations

Wireless Architecture Types

  • Autonomous AP Architecture - Each AP operates independently with full wireless functionality built-in
    • APs make their own decisions about RF management, security, and client associations
    • Configuration must be done individually on each AP (time-intensive for large deployments)
    • Best suited for small networks with 5-10 APs maximum
    • Example: Cisco Aironet 1815i in autonomous mode
  • Controller-Based Architecture - Centralized Wireless LAN Controller (WLC) manages multiple lightweight APs
    • APs handle only RF transmission/reception while the WLC manages all intelligence
    • Uses the Control and Provisioning of Wireless Access Points (CAPWAP) protocol for AP-to-WLC communication
    • All client data traffic flows through the WLC (centralized data forwarding)
    • Scalable to hundreds or thousands of APs from a single management point
  • Cloud-Based Architecture - APs managed through a cloud controller (Cisco Meraki)
    • Combines ease of cloud management with local data forwarding
    • APs can operate independently if cloud connectivity is lost (local survivability)
    • Zero-touch provisioning when APs connect to the internet

AP Operating Modes

Mode           | Description                            | Use Case                            | Data Path
Autonomous     | Full WLAN functionality in AP          | Small deployments                   | Direct to wired network
Lightweight    | Requires WLC for operation             | Enterprise deployments              | Through WLC (centralized)
FlexConnect    | Lightweight AP with local switching    | Branch offices with WAN links       | Local switching when WLC unreachable
Monitor        | RF monitoring only, no client service  | Security monitoring/rogue detection | N/A - monitoring only
Rogue Detector | Wired-side rogue AP detection          | Security enhancement                | N/A - detection only
Sniffer        | Packet capture for troubleshooting     | Network analysis                    | N/A - capture only

CAPWAP Protocol Details

  • Control and Provisioning of Wireless Access Points - Standard protocol (RFC 5415) for AP-WLC communication
  • Uses two separate tunnels between AP and WLC:
    • Control tunnel - UDP port 5246 (AP configuration, statistics, keep-alives)
    • Data tunnel - UDP port 5247 (encrypted client data traffic)
  • CAPWAP tunnels use DTLS encryption for secure communication
  • APs discover WLC through DHCP option 43, DNS resolution, or static configuration
  • Heartbeat interval of 30 seconds (AP sends keep-alive to WLC)
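
The DHCP option 43 discovery method listed above, as an added example that is not part of the original notes: it encodes and decodes the Cisco-format option 43 value a DHCP scope hands to lightweight APs, and checks the advertised controllers against an approved list, since an AP will attempt to join whatever WLC addresses it receives here. The sub-option layout (type 0xf1, one length byte, then IPv4 addresses) is Cisco's documented format; the addresses and the approved set are constructed sample values.

```python
# Encode/decode the Cisco-format DHCP option 43 value used for WLC discovery.
# Layout: sub-option type 0xf1 (241), length byte = 4 * number of controllers,
# then each controller IPv4 address as 4 raw bytes.
import ipaddress
from typing import List, Set

CISCO_WLC_SUBOPTION = 0xF1  # sub-option type Cisco lightweight APs look for


def encode_option43(controllers: List[str]) -> str:
    """Return the option 43 hex string advertising the given WLC IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    body = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    return bytes([CISCO_WLC_SUBOPTION, len(body)]).hex() + body.hex()


def decode_option43(hexstr: str) -> List[str]:
    """Parse an option 43 hex string and return the WLC addresses it advertises.

    Raises ValueError on malformed data so a bad DHCP scope is noticed
    instead of silently pointing APs at the wrong controller.
    """
    raw = bytes.fromhex(hexstr.replace(" ", "").replace(":", ""))
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC discovery sub-option (expected type 0xf1)")
    length = raw[1]
    payload = raw[2:2 + length]
    if len(payload) != length or length % 4 != 0:
        raise ValueError("length byte does not cover a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(0, length, 4)]


def unapproved_controllers(hexstr: str, approved: Set[str]) -> List[str]:
    """Return advertised WLC addresses that are not in the approved controller set."""
    return [c for c in decode_option43(hexstr) if c not in approved]


if __name__ == "__main__":
    # Constructed sample: a scope advertising two controllers, one of them unexpected.
    scope_value = encode_option43(["192.168.10.10", "10.0.0.1"])
    print("option 43 hex:", scope_value)
    print("advertised WLCs:", decode_option43(scope_value))
    print("not approved:", unapproved_controllers(scope_value, {"192.168.10.10"}))
```

A quick audit of every DHCP scope serving AP VLANs with `unapproved_controllers` catches an option 43 value that has drifted from the sanctioned WLC list.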

FlexConnect Deep Dive

  • Local Switching - Client traffic is switched locally at the AP site instead of being tunneled to the WLC
    • Reduces WAN bandwidth usage (critical for branch offices)
    • Maintains performance when the WLC connection is poor/intermittent
    • Connected mode - WLC reachable, centralized policies applied
    • Standalone mode - WLC unreachable, AP uses cached configuration
  • FlexConnect Groups - Logical grouping of FlexConnect APs for policy consistency
    • Enables backup RADIUS server configuration
    • Allows VLAN-to-WLAN mapping synchronization across the group
    • Used for local authentication when the WLC/primary RADIUS server is unavailable

Vocabulary

  • CAPWAP - Control and Provisioning of Wireless Access Points protocol
  • WLC - Wireless LAN Controller, centralized management device
  • LAP - Lightweight Access Point, requires controller for operation
  • FlexConnect - Hybrid mode allowing local switching with controller management
  • DTLS - Datagram Transport Layer Security, encryption for CAPWAP tunnels
  • Rogue AP - Unauthorized access point that could compromise network security

Architecture Comparison

Architecture     | Management           | Scalability      | Data Forwarding | Best For
Autonomous       | Per-AP configuration | Low (5-10 APs)   | Local at AP     | Small offices
Controller-Based | Centralized WLC      | High (1000+ APs) | Through WLC     | Enterprise campus
Cloud-Based      | Cloud dashboard      | Medium-High      | Local at AP     | Distributed locations

Notes

  • Controller-based architecture creates single point of failure - implement WLC redundancy for mission-critical networks
  • FlexConnect APs require local DHCP server in standalone mode (WLC cannot provide DHCP when unreachable)
  • CAPWAP uses IPv4/IPv6 but cannot traverse NAT without additional configuration (NAT breaks tunnel establishment)
  • When planning controller capacity, remember each WLC has maximum AP and concurrent client limits (varies by model)
  • Rogue Detector mode requires wired connection to same network segment as potential rogue APs (cannot detect wireless-only rogues)
  • Cloud-based APs typically phone home every few minutes - firewall rules must allow outbound HTTPS (TCP 443)
  • For exam purposes, remember that lightweight APs are completely non-functional without WLC connectivity (except FlexConnect in standalone mode)