Cisco CCNA 200-301 – Wireless Networking Fundamentals Part 2
4. Wireless LAN Controllers and CAPWAP
In this lecture, you’ll learn about wireless LAN controllers and the CAPWAP protocol. In a large campus, configuring a large number of wireless access points individually quickly becomes unmanageable. You can see in the example campus here, I’ve got my first wireless AP, which is configured with the corporate WLAN and its settings, and then I’ve set up the same configuration on the second wireless AP. Now, that would be fine and easy to manage if I only had a couple of access points, but what if I had 200 different access points? Configuring them all separately would be unmanageable. So that is where a WLC comes in. A WLC, the wireless LAN controller, can be used as a central point of management, and you can manage all of your access points from there. This is what some of our wireless LAN controllers look like.
So over on the left here, you can see a couple of dedicated hardware WLCs. Different models are available: the bigger, more powerful models support a larger number of access points, so the smaller one down here at the bottom could be used in a smaller office. You can also get wireless LAN controller blades that fit into your switches or routers. So here’s an example of a blade that goes into a switch, and below there is a blade that fits into a router. A virtual wireless controller is also available, which runs in software. Redundancy is supported, so you’re going to want to double up on your wireless LAN controllers for redundancy. Standalone access points are known as autonomous access points. So if you don’t have a wireless LAN controller controlling the AP, it’s a standalone or autonomous AP. Access points which do have a WLC are known as lightweight access points, and the installed software image determines whether an access point is autonomous or lightweight. So you can get an access point from Cisco, the exact same model, and it can operate in either autonomous mode or in lightweight mode. The way you determine that is by putting the correct software image onto that AP: use either the autonomous image or the lightweight image. Okay, let’s have a look at the first big way that using a wireless LAN controller makes it easier to manage a large number of access points, and that is ZTP, zero touch provisioning.
With zero touch provisioning, your access points discover the wireless LAN controller and then download their configuration from there. The first way that they can discover where the wireless LAN controller is, is via DHCP. With this, you plug your access point into the wired network. It sends out a DHCP request to get its IP address, subnet mask and default gateway, and it will also get option 43, which gives it the IP address of the wireless LAN controller. So in DHCP, you’ve got your various options that you can configure in there, like IP address, subnet mask and default gateway. Option 43 is used to tell an access point the IP address of its wireless LAN controller. Another option you can use is DNS to tell the AP where its wireless LAN controller is. Cisco APs are set up from the factory so that when they boot up, they will look for a DNS record for CISCO-CAPWAP-CONTROLLER.
So if they do get their IP address, subnet mask, default gateway and their DNS server, but they have not received option 43 from the DHCP server telling them the IP address of the wireless LAN controller, they will send out a DNS request asking for the IP address of CISCO-CAPWAP-CONTROLLER. So if you’ve configured an address record on your DNS server for that name which includes the IP address of the wireless LAN controller, your APs can find it from there. And the other way that this will work is with a local subnet broadcast. So if your wireless LAN controller is on the same IP subnet and VLAN as the wireless access point, the wireless access point can find it by doing a broadcast. Obviously, if the wireless LAN controller is on a different subnet, that wouldn’t work, so you need to use DHCP or DNS, and it’s typically DHCP that is going to be used for this.
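As an added example, not part of the course, here is a short Python script showing what the DHCP option 43 value that points a Cisco lightweight AP at its controller actually contains. Cisco APs read it as a vendor sub-option: type 241 (0xf1), a one-byte length, then the WLC management IPv4 addresses packed back to back, which is why the value in an IOS DHCP pool is written as a hex string such as `option 43 hex f104c0a80a05`. The controller addresses below are constructed, and the decoder shows the length check an AP-side parser needs before it trusts the address list.

```python
import ipaddress

# Cisco lightweight APs read their controller list from DHCP option 43 as a
# vendor sub-option: type 241 (0xf1), one length byte, then one or more IPv4
# addresses packed back to back. The controller addresses used below are constructed.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Build the raw option 43 payload for a list of WLC management IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    body = b"".join(a.packed for a in addrs)
    if len(body) > 255:
        raise ValueError("too many controllers for one sub-option length byte")
    return bytes([CISCO_WLC_SUBOPTION, len(body)]) + body


def decode_option43(data):
    """Parse an option 43 payload back into controller addresses, rejecting
    malformed input instead of silently reading a truncated or oversized list."""
    if len(data) < 2:
        raise ValueError("option 43 payload too short")
    sub_option, length = data[0], data[1]
    if sub_option != CISCO_WLC_SUBOPTION:
        raise ValueError(f"unexpected sub-option {sub_option:#x}")
    body = data[2:]
    if len(body) != length or length == 0 or length % 4 != 0:
        raise ValueError("length byte does not match a list of IPv4 addresses")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def ios_dhcp_pool_line(controllers):
    """The line that goes inside an IOS 'ip dhcp pool' for the AP subnet."""
    return "option 43 hex " + encode_option43(controllers).hex()


if __name__ == "__main__":
    wlcs = ["192.168.10.5", "192.168.10.6"]  # constructed primary and backup WLC
    print(ios_dhcp_pool_line(wlcs))
    print(decode_option43(encode_option43(wlcs)))
```

Listing two controllers gives the AP a backup to try, which matches the redundancy point above; a single length byte caps the list at 63 addresses, so the encoder refuses anything longer rather than emitting a value the AP would misread.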
So the lightweight access point will discover the IP address of the wireless LAN controller through one of those methods. It will then connect to the wireless LAN controller and download its configuration from there. That includes which WLANs the access point should support and their settings, and all the other settings for that access point. The wireless LAN controller also monitors the wireless quality and controls the channels and power of the access points. So because it’s managing all of the different access points, it can set them up so they’re using non-interfering channels. It will also set the power levels on the APs to make sure that they don’t interfere with each other. It can also detect rogue APs as well. A rogue AP would be if a hacker has added an access point to the campus which is broadcasting a legitimate SSID, trying to get people to connect to it, and then they’ll be able to do bad things to those clients. Or maybe it’s not a hacker, maybe it’s just something that’s happened by accident, maybe an old AP that is not managed by the WLC.
But you don’t want that to be in your building; you want all of the APs to be managed. The wireless LAN controller will be able to detect rogue APs and report them to you so that you can correct that. We covered roaming in the last lecture, and this is possible with autonomous APs. So with roaming, your wireless stations can roam across wireless APs supporting the same WLANs. So in our example here, we have got the laptop here, and then you walk through the building, you get closer to the other AP and your laptop will then associate wirelessly to the new AP.
Now, you can do that with autonomous APs, but if you’re using authentication, which you definitely should be, then because the authentication is handled separately on the two different APs, you’re going to have a break in service when the client roams to the new AP. So if you’re on your phone, connected over wireless and making a phone call while you’re walking around the building, that’s going to cause a problem because you’re going to have drops as you roam. If you’re using a wireless LAN controller, the authentication is offloaded from the APs to the wireless LAN controller, so you can get seamless roaming with a WLC with no breaks in service. The protocol that is used for the communications between the wireless LAN controller and the access points is CAPWAP.
That stands for Control and Provisioning of Wireless Access Points. It’s an open standard protocol that enables your wireless LAN controller to manage the APs. With CAPWAP, the communications are encrypted inside a DTLS CAPWAP tunnel and it uses UDP ports 5246 and 5247. So if you’ve got a firewall between your wireless LAN controller and an AP, make sure that those ports are open on the firewall. With a wireless LAN controller, some of the work is moved from the APs to the wireless LAN controller.
That’s why they’re now called lightweight APs: they’re not doing the same workload that they’d be doing if they were autonomous APs. Real-time traffic is still handled by the AP in order to provide suitable performance. If that real-time traffic was going to the wireless LAN controller and back again, that would add some additional delay, which would drop the performance level. So the real-time traffic, which can’t really tolerate any delay, is still going to be handled by the AP, and the rest of the traffic and responsibilities are going to be handled by the wireless LAN controller. This functionality is known as split-MAC.
So the operations that will be handled by the AP are the client handshake when it’s connecting, the beacons where the AP announces information about its WLANs and their SSIDs, and performance monitoring. So the AP will do the actual performance monitoring, checking the quality in its coverage area. That information will, however, be sent to the WLC, and the WLC is going to be taking action based on that information.
Encryption and decryption are also handled by the AP, and for any clients that are in power save mode, most communications to them will also be handled by the AP. Okay, next up, let’s look at the operations which will be handled by the wireless LAN controller. Authentication: when you are going on to the wireless network and you enter in your password or your username and password, that authentication will be controlled by the wireless LAN controller. Roaming control is also handled by the WLC, as is 802.11 to 802.3 communication. So all traffic that is going from the wireless to the wired LAN is going to be passing through the wireless LAN controller. You’ll see some more information about this later, because it is important. Also the radio frequency management, making sure that neighboring APs are not communicating on the same channel and causing interference; the WLC will handle that, and also the security management and the QoS management. Okay, so let’s look at those traffic flows.
So first off, looking at the traffic flow with an autonomous AP, where we’re not using a wireless LAN controller, you can see here we’ve got a wireless client and it is communicating with the wired network. So the traffic goes to the AP, which will then tag it with the correct VLAN and send it on to the upstream switch. It’s different when we’re using a wireless LAN controller. Now, what happens is the client sends its packet up to the access point, then the access point will send it to the wireless LAN controller. Then the wireless LAN controller sends it back to the switch again and then it goes to the final destination. So you saw with an autonomous AP, it goes from the AP to the switch and then directly to the final destination.
But when we are using a wireless LAN controller, it goes through the CAPWAP tunnel to the WLC and then it gets hairpinned back out onto the network. Again, you can see all the traffic is passing through the wireless LAN controller. As well as that production traffic between your different endpoints, the management traffic where the wireless LAN controller is controlling the APs also passes through the CAPWAP tunnel. So you can see from here there’s going to be a lot of traffic that is going through the wireless LAN controller. If you’ve got 100 APs and they’re all communicating with devices on the wired network, rather than it going through the most direct path to get there, it’s all going through the wireless LAN controller.
So because of this, you want that wireless LAN controller to have enough bandwidth to support the throughput that’s going through it. So typically you’re not going to have just a single physical connection from a wireless LAN controller onto the switch it’s connected to. You’re going to want to have multiple physical connections there to give you enough bandwidth, and you’re going to bundle them together into an EtherChannel. The terminology in 802.11 and from Cisco is that this is called a LAG, link aggregation. It’s just the same as an EtherChannel. Okay, last thing to tell you about is FlexConnect. So again, as we were just talking about on that last slide, all of the traffic between the devices on your wireless network and the wired network is going through the wireless LAN controller. This is not a problem if they’re all in the same campus and you do have enough bandwidth on that connection between the wireless LAN controller and the switch.
But if the access point was in, say, a small remote office and your wireless LAN controller was in the main office, that would cause a problem. Because if we had a wireless client here and it was communicating with that other wireless client, we don’t want that traffic to go all the way over the WAN link to New York and then all the way back again. That’s going to add quite a significant delay. So what we can use there is FlexConnect. With FlexConnect, traffic is forwarded locally, so you can see that the packet does not go over the CAPWAP tunnel all the way to New York and back again; we are just going to forward that locally. So it’s useful for small branch offices which aren’t big enough to justify the expense of putting a wireless LAN controller in there.
You don’t want them to be autonomous APs because you still want to have the central management. Well, in that case, you can use FlexConnect. Okay, that was everything I needed to tell you here. See you in the next lecture.
5. Switch Configuration for Wireless Networks
In this lecture you’ll learn how to configure your switches to support your wireless network. I’ll start off first with the configuration for autonomous standalone APs, where we’re not using a wireless LAN controller, and then I’ll show you the config when we are using a wireless LAN controller. Okay, so before I show you the configuration, there is a difference depending on whether it is an autonomous or a lightweight AP. So let’s review the traffic flow again so you can understand why we do have that difference. And I’ll start off with the autonomous AP.
So you can see in our example here I’ve got a couple of wireless LANs, the guest WLAN and the corporate WLAN, and we’ve got a wireless AP with a couple of clients connected, and it’s connected into the wired network. First off, let’s say that a wireless client which is in the corporate WLAN sends a frame to the wireless AP, so it comes in on the corporate WLAN with the corporate SSID. The wireless AP is aware of that. It then sends it to the upstream switch which it is connected to, and when it does that it is going to tag it with the associated VLAN. So it’s going to be tagged for the corporate VLAN.
That will then be sent on to the final destination by the switch just as if it was any other normal packet. Then let’s say that the laptop which is connected to the guest WLAN sends a frame to the wireless AP. In that case the wireless AP knows it’s coming in on the guest WLAN, which is associated with the guest VLAN, so it will tag it with the guest VLAN and send it on to the upstream switch. And again the upstream switch will forward that as it would any other packet. So you can see when we’re using an autonomous AP, the AP is going to be tagging the frames and sending them on to the switch. And because there can be traffic for different VLANs there, we’re going to need to have a trunk configured between the AP and the switch to support those different VLANs. So let’s look and see how we would configure it.
Again, it’s the same example. We’ve got two wireless LANs: the corporate WLAN with VLAN 21 and the guest WLAN which is mapped to VLAN 22. So we will create our VLANs first. At global config on the switch I have said vlan 21, name Corporate, and then vlan 22, name Guest. Then I need to configure the port on the switch which is connected to the AP. In our example it’s interface GigabitEthernet 1/0/1, and I need to configure it as a trunk. So I say switchport trunk encapsulation dot1q. Now, depending on the model of switch you might not need to put in this command. Some of the newer switches only support 802.1Q anyway; they don’t support ISL. So if only 802.1Q is supported, it will give you an error message when you put in this command because that is all it supports.
But if it is a switch which supports both 802.1Q and ISL, you need to specify that it’s 802.1Q you’re using, so you say switchport trunk encapsulation dot1q, then switchport mode trunk, and switchport trunk allowed vlan 21,22 for the VLANs that are coming in from the AP. Okay, so that is our switch configuration where we’re using standalone autonomous APs. Next up, let’s look at what we do when we do have a wireless LAN controller, and there’s a different traffic flow now. So here we’ll go through the same example again. The laptop, which is in the corporate WLAN, sends a frame to the wireless AP. Now, the wireless AP does not tag it with the corporate VLAN and send it on to the attached switch to forward to its final destination. No, the wireless AP is going to send it to the wireless LAN controller through the CAPWAP tunnel. So at this point, the wireless AP is not tagging the traffic. The frame gets sent through to the wireless LAN controller.
The wireless LAN controller then sees that it is for the corporate WLAN, because that information was included when it was sent from the AP. And it is the wireless LAN controller which will tag it with the corporate VLAN, send it back to the switch again, and the switch will then send it on to its final destination as it would any normal packet. So, when we are using a wireless LAN controller, it’s the wireless LAN controller which is going to be tagging the frame. So the link between the switch and the wireless LAN controller needs to be configured as a trunk. But the link between the AP and the switch is not configured as a trunk; it is configured as an access port. So we’re going to configure a management VLAN for traffic coming from the AP to the wireless LAN controller. All frames are going to go through there with the same VLAN.
So we’re not differentiating between the corporate and the guest VLANs on this link from the wireless AP to the switch; all traffic is going to get sent up on the management VLAN. It’s then going to go to the wireless LAN controller, and when it gets hairpinned back out, that’s when the VLAN tag is put on. So when we’re using a wireless LAN controller, the link from the switch to the wireless LAN controller is configured as a trunk port, but the link from the switch to the AP is configured as an access port. So let’s look at our configuration. In our example, we’ve got the same two VLANs again, so we need to create the VLANs. On the switch, at global config, we say vlan 21, name Corporate, and then vlan 22, name Guest. Then, because we are using a wireless LAN controller, we also need to configure a VLAN for management as well. So I’ve said vlan 10, name WLC Management, and vlan 11, name AP Management.
Now in my example, VLAN 10, WLC Management, is for the administrator to manage the wireless LAN controller. You’re going to need to go on to the admin GUI for the wireless LAN controller to configure it, so you’re going to need connectivity to it, and we’ve got a VLAN set up for that. In this example, we’re using VLAN 10. We also have traffic between the access points and the wireless LAN controller, that is the CAPWAP traffic, and in this example we have configured a different VLAN for that. I’ve said vlan 11, name AP Management. So the traffic that is coming from the AP to the wireless LAN controller which has come from the clients is going to be in the AP Management VLAN. Also the management traffic coming from the wireless LAN controller when it’s managing the APs is going to be in the AP Management VLAN. In this example, I used two different VLANs.
I used one for when you, the administrator, are managing the wireless LAN controller, and I used a different VLAN for traffic between the wireless LAN controller and the APs. They would both have their own separate IP subnets as well. So you can do that, you can separate them out into two different VLANs and IP subnets, or you could just use one VLAN for both. So I could have just configured vlan 10, name Management, and used that one VLAN and one IP subnet both for managing the wireless LAN controller as the administrator and also for traffic between the wireless LAN controller and the APs. It’s optional, you can do it either way. Okay, so I’ve got all of my VLANs configured now, and I’m ready to configure my ports which are connected to the AP and the wireless LAN controller. I’ll do the wireless LAN controller first. So again, when the traffic gets hairpinned back out through the wireless LAN controller, back to the switch again, the wireless LAN controller is going to be tagging that traffic. So to be able to support the different VLANs, that port needs to be configured as a trunk port. So I’ve got interface GigabitEthernet 1/0/2, switchport trunk encapsulation dot1q, switchport mode trunk and then switchport trunk allowed vlan 10,11,21,22. So that is the corporate and the guest VLANs and also the management VLANs as well.
They’re all allowed on that link between the switch and the wireless LAN controller. Then lastly I need to do my configuration for the switch port which is connected to the AP. The configuration there, I say interface GigabitEthernet 1/0/1, switchport mode access and then switchport access vlan 11, which was the AP Management VLAN. So now all traffic coming from the attached wireless clients, no matter what wireless LAN they’re in, is going to be sent up to the switch in that one VLAN, and it will then go to the wireless LAN controller.
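To make the two port roles concrete, here is an added Python script, not from the course, that audits a switch configuration against the rules from this lecture: with a lightweight AP the AP-facing port is an access port in the AP management VLAN and the WLC-facing port is a trunk carrying the management, corporate and guest VLANs; with an autonomous AP the AP-facing port is itself the trunk. The running-config excerpt, the interface names (GigabitEthernet1/0/1 and 1/0/2) and the VLAN numbers are constructed to match the example above, and the WLC trunk in the sample deliberately leaves out VLAN 22 so the audit has something to find.

```python
import re

# Constructed sample running-config excerpt (not from the lecture); interface names
# and VLAN numbers are assumptions. The WLC trunk deliberately omits VLAN 22.
SAMPLE_CONFIG = """\
vlan 10
 name WLC-Management
vlan 11
 name AP-Management
vlan 21
 name Corporate
vlan 22
 name Guest
!
interface GigabitEthernet1/0/1
 description To lightweight AP
 switchport mode access
 switchport access vlan 11
!
interface GigabitEthernet1/0/2
 description To WLC
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,11,21
!
"""


def parse_interfaces(config):
    """Return {interface name: [stripped sub-commands]} for each interface block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return interfaces


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,11,21-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            low, high = (int(x) for x in part.split("-"))
            vlans.update(range(low, high + 1))
        else:
            vlans.add(int(part))
    return vlans


def allowed_vlans(lines):
    """VLANs permitted on a trunk, or None when no list is set (IOS default: all)."""
    for line in lines:
        match = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line)
        if match:
            return expand_vlan_list(match.group(1))
    return None


def audit_ap_port(lines, mode, ap_mgmt_vlan, wlan_vlans):
    """Autonomous APs tag frames themselves (trunk); lightweight APs send everything
    untagged towards the WLC (access port in the AP management VLAN)."""
    findings = []
    if mode == "lightweight":
        if "switchport mode access" not in lines:
            findings.append("lightweight AP port must be an access port")
        if f"switchport access vlan {ap_mgmt_vlan}" not in lines:
            findings.append(f"lightweight AP port must be in VLAN {ap_mgmt_vlan}")
    elif mode == "autonomous":
        if "switchport mode trunk" not in lines:
            findings.append("autonomous AP port must be a trunk")
        allowed = allowed_vlans(lines)
        if allowed is not None and not wlan_vlans <= allowed:
            findings.append(f"autonomous AP trunk is missing VLANs {sorted(wlan_vlans - allowed)}")
    else:
        raise ValueError(f"unknown AP mode {mode!r}")
    return findings


def audit_wlc_port(lines, required):
    """The WLC hairpins tagged frames back out, so its port must trunk every VLAN it tags."""
    findings = []
    if "switchport mode trunk" not in lines:
        findings.append("WLC port is not a trunk")
    allowed = allowed_vlans(lines)
    if allowed is not None and not required <= allowed:
        findings.append(f"WLC trunk is missing VLANs {sorted(required - allowed)}")
    return findings


def audit(config, ap_port, wlc_port, mode, mgmt_vlan=10, ap_mgmt_vlan=11,
          wlan_vlans=frozenset({21, 22})):
    """Return a list of findings; an empty list means the ports match the design."""
    interfaces = parse_interfaces(config)
    findings = audit_ap_port(interfaces.get(ap_port, []), mode, ap_mgmt_vlan, wlan_vlans)
    if mode == "lightweight":  # only the WLC design has a controller-facing trunk
        required = {mgmt_vlan, ap_mgmt_vlan} | set(wlan_vlans)
        findings += audit_wlc_port(interfaces.get(wlc_port, []), required)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "GigabitEthernet1/0/1", "GigabitEthernet1/0/2", "lightweight"):
        print("FINDING:", finding)
```

Run against the sample it reports only that the WLC trunk is missing VLAN 22, which in practice would show up as guest clients that can associate but get no connectivity once the controller tags their frames. Switching the mode argument to "autonomous" flags the same AP port for not being a trunk, which is the other half of the lecture: the same physical link is configured differently depending on which device does the tagging.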
From there, when the traffic is sent up to the wireless LAN controller, it does include information about what wireless LAN it is in. So because of that, the wireless LAN controller, when it sends the traffic back to the switch again, knows what VLAN to tag it with. And this traffic is going up to the wireless LAN controller in that CAPWAP tunnel. Okay, that was everything I needed to show you about the switch configuration. See you in the next lecture.