This page builds on Wireless Networks. Review there if things aren’t making sense here.

There are three main wireless AP deployment methods:

Autonomous APs

Autonomous APs are self-contained and don’t rely on a Wireless LAN Controller (WLC).

They must be configured individually, either locally by console cable (CLI) or remotely with Telnet or SSH, or via an HTTP/HTTPS web GUI.

  • An IP address must be configured for remote management.
  • Several of the particular RF parameters, e.g. transmission power, channels, etc., must be manually configured.
  • Security & QoS configurations are also handled individually on each AP.

There is no central monitoring or management of Autonomous APs. Each AP operates entirely on its own.

Every Autonomous AP should have its own connection to the DS (Distribution System, i.e. the wired network) through a trunk link. Even if all the traffic to and from its connected stations is in the same VLAN, the management traffic (SSH, Telnet, etc.) should be in its own VLAN. This means there will always be at least two VLANs on an AP, necessitating a trunk connection.

In a network of Autonomous APs, data has a fairly direct path to the wired network, or to other wireless clients associated with the same AP.

Generally, VLANs in Autonomous APs must span the entire network of APs (or else things get weird when roaming between APs). This is bad as it creates large broadcast domains, makes configuring the VLANs labor-intensive, and causes the network to be heavily reliant on STP disabling links. ^[Modern network design focuses a lot on reducing the amount of STP that is used in a network, as by disabling links with STP you reduce the overall bandwidth of the network.]

Autonomous APs can be used in small networks, but they are not viable in medium-to-large networks.


Remember that Autonomous APs can function in the additional AP operation modes i.e. repeater, workgroup bridge, & outdoor bridge.

Lightweight APs

Some of the functions of an AP can be split off to a Wireless LAN Controller (WLC).

The AP, in this circumstance known as a ‘Lightweight AP’, handles real-time operations like transmitting/receiving RF traffic, encryption/decryption, sending out beacon & probe messages, etc.

Other functions are handled by the WLC, e.g. RF management, Security/QoS management, client authentication, client association, roaming management, etc.

This is called split-MAC architecture. ^[Split Media Access Control Architecture, in full.] The WLC is also used to centrally configure the lightweight APs.

The WLC can be located in the same subnet & VLAN as the lightweight APs it manages, or it can be in a different subnet & VLAN.

The WLC and the lightweight APs authenticate each other using digital certificates installed on each device (X.509 standard certificates), ensuring that only authorized APs can join the network.


A WLC will communicate with its lightweight APs using a protocol called CAPWAP. This is based on an older protocol called LWAPP. [1]

Two tunnels [2] are created between each AP and the WLC:

  • Control Tunnel UDP port 5246: Used to configure APs and manage operations. All traffic in this tunnel is encrypted by default.
  • Data Tunnel UDP port 5247: All traffic from wireless clients is sent through this tunnel to the WLC. It does not go directly to the wired network. [3]
    • Traffic in this tunnel is not encrypted by default, though it can be configured to be encrypted with DTLS. [4]

Because all traffic from wireless clients is tunneled to the WLC with CAPWAP, lightweight APs are connected to the wired network with access ports, not trunks.
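
To check which tunnels in a packet capture are actually DTLS-protected, the following added example (not part of the original notes) classifies UDP payloads on the two CAPWAP ports and lists AP/WLC pairs whose data tunnel is in cleartext. The preamble layout (high nibble version 0, low nibble type 0 = plain CAPWAP header, 1 = DTLS header) is taken from RFC 5415 rather than from this page; the `Datagram` type, function names, addresses and payload bytes are assumptions constructed for the example.

```python
from typing import NamedTuple, Optional

PORTS = {5246: "control", 5247: "data"}  # CAPWAP UDP ports named on the page

class Datagram(NamedTuple):  # one captured UDP datagram (fields are this example's own)
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def classify(d: Datagram) -> Optional[tuple]:
    """Return (tunnel, protection, ap_ip, wlc_ip), or None if not CAPWAP."""
    if d.dport in PORTS:            # AP -> WLC
        tunnel, ap, wlc = PORTS[d.dport], d.src, d.dst
    elif d.sport in PORTS:          # WLC -> AP
        tunnel, ap, wlc = PORTS[d.sport], d.dst, d.src
    else:
        return None
    if not d.payload:
        return None
    # RFC 5415 preamble: high nibble = version (0), low nibble = type.
    version, ptype = d.payload[0] >> 4, d.payload[0] & 0x0F
    if version != 0 or ptype not in (0, 1):
        return None
    # Type 0: CAPWAP header in the clear; type 1: CAPWAP DTLS header.
    return tunnel, ("dtls" if ptype == 1 else "cleartext"), ap, wlc

def cleartext_data_flows(datagrams) -> list:
    """(AP, WLC) pairs whose data tunnel carries client frames without DTLS."""
    hits = set()
    for d in datagrams:
        c = classify(d)
        if c and c[:2] == ("data", "cleartext"):
            hits.add(c[2:])
    return sorted(hits)

# Constructed sample capture (addresses and payload bytes are made up).
DTLS = bytes([0x01, 0, 0, 0]) + bytes.fromhex("17fefd0001000000000001")
PLAIN = bytes([0x00, 0x10, 0x02, 0x00]) + b"\x00" * 4 + b"client frame"
SAMPLE = [
    Datagram("10.0.10.21", 5264, "10.0.50.5", 5246, DTLS),
    Datagram("10.0.10.21", 5264, "10.0.50.5", 5247, PLAIN),
    Datagram("10.0.50.5", 5247, "10.0.10.21", 5264, PLAIN),
    Datagram("10.0.10.22", 5270, "10.0.50.5", 5247, DTLS),
    Datagram("10.0.10.21", 40000, "10.0.50.9", 53, b"\x12\x34"),
]

if __name__ == "__main__":
    for ap, wlc in cleartext_data_flows(SAMPLE):
        print(f"data tunnel {ap} -> {wlc} is not DTLS-protected")
```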

Benefits of Lightweight APs

  • Scalability: With a WLC (or multiple in very large networks) it’s much simpler to build and manage a network with hundreds or thousands of APs.
  • Dynamic channel assignment: WLCs can automatically select which channel each AP should use.
  • Transmit power optimization: The WLC can automatically set the appropriate transmit power for each AP.
  • ’Self-healing’ wireless coverage: If an AP stops functioning, the WLC can increase the transmission power of nearby APs to fill the gap in coverage.
  • Seamless roaming: Clients can roam between APs with no noticeable delay or drop in connection.
  • Client load balancing: If a client is in range of two APs, the WLC can associate the client with the least-used AP, to balance the load among APs.
  • Consistent Security/QoS Management: Centralized management means network-wide consistency.

Operational Modes

  • Local: This is the default mode where the AP offers one or more BSSs for clients to associate with.
  • FlexConnect: Similar to Local mode, however the AP can locally switch traffic between the wired and wireless networks if the tunnels to the WLC go down, i.e. if the WLC can’t be reached the AP will start behaving like an autonomous AP.
  • Sniffer: The AP does not offer a BSS, but instead listens and captures 802.11 frames and sends them to a device running analysis software like Wireshark.
  • Monitor: The AP does not offer a BSS. It receives 802.11 frames to detect ‘rogue’ devices. If a client is found to be a rogue device, de-authentication messages can be sent to disassociate it from the AP.
  • Rogue Detector: The AP doesn’t even use its radio(s). It listens to traffic on the wired network only, but it receives a list of suspected rogue clients and AP MAC addresses from the WLC. By correlating this information to ARP messages it receives on the wired network it can detect rogue devices.
  • SE-Connect (Spectrum Expert Connect): The AP does not offer a BSS. It analyzes RF signals on all channels. The data it gathers can be used in analysis software, such as Cisco Spectrum Expert, for various purposes such as identifying sources of interference.
  • Bridge/Mesh: Similar to an Autonomous AP’s outdoor bridge mode. The lightweight AP can be a dedicated bridge between sites, even at long distances. A mesh can be formed between the access points.
  • Flex plus Bridge: Adds FlexConnect functionality to the Bridge/Mesh mode. APs can locally forward traffic even if the connection to the WLC is lost.
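
The correlation step described for Rogue Detector mode can be illustrated as follows. This is an added example, not part of the original notes and not Cisco's implementation: it parses ARP frames seen on the wire (optionally with one 802.1Q tag, a generalization beyond the text) and reports which suspect MAC addresses appear as ARP senders. The function names, MAC addresses, IP addresses and frames are constructed for the example.

```python
import struct

def arp_sender(frame: bytes):
    """Return (sender_mac, sender_ip) of an Ethernet ARP frame, else None."""
    off = 12                                   # EtherType follows dst+src MAC
    if len(frame) < off + 2:
        return None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == 0x8100:                        # skip one 802.1Q VLAN tag
        off += 4
        if len(frame) < off + 2:
            return None
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype != 0x0806 or len(frame) < off + 30:   # 2 + 28-byte ARP body
        return None
    htype, ptype, hlen, plen, _op = struct.unpack_from("!HHBBH", frame, off + 2)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                            # not IPv4-over-Ethernet ARP
    mac = frame[off + 10:off + 16].hex(":")
    ip = ".".join(str(b) for b in frame[off + 16:off + 20])
    return mac, ip

def rogues_on_wire(suspect_macs, frames):
    """Map each suspect MAC seen as an ARP sender to the IPs it claimed."""
    suspects = {m.lower() for m in suspect_macs}
    seen = {}
    for frame in frames:
        sender = arp_sender(frame)
        if sender and sender[0] in suspects:
            seen.setdefault(sender[0], set()).add(sender[1])
    return {mac: sorted(ips) for mac, ips in seen.items()}

def make_arp(mac: str, ip: str, vlan=None) -> bytes:
    """Build a constructed ARP request frame for the sample below."""
    sha = bytes.fromhex(mac.replace(":", ""))
    spa = bytes(int(o) for o in ip.split("."))
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    arp = struct.pack("!HHHBBH", 0x0806, 1, 0x0800, 6, 4, 1)
    return b"\xff" * 6 + sha + tag + arp + sha + spa + b"\x00" * 6 + spa

# Constructed data: suspect list as the WLC would supply it, and wired frames.
SUSPECTS = ["DE:AD:BE:EF:00:01", "de:ad:be:ef:00:02"]
FRAMES = [
    make_arp("00:11:22:33:44:55", "10.0.20.15"),           # known wired host
    make_arp("de:ad:be:ef:00:01", "10.0.20.77", vlan=20),  # suspect, tagged
    b"\xff" * 12 + b"\x08\x00" + b"\x00" * 40,              # IPv4, not ARP
]

if __name__ == "__main__":
    print(rogues_on_wire(SUSPECTS, FRAMES))
```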

WLC Deployments

In a split-MAC architecture, there are four main WLC deployment models:

  • Unified: The WLC is a hardware appliance in a central location of the network.
  • Cloud-based: The WLC is a VM running on a server, usually in a private cloud (i.e. in a data center somewhere). This is not the same as the cloud-based AP architecture discussed previously.
  • Embedded: The WLC is integrated within a network switch.
  • Mobility Express: The WLC is integrated within an AP.


In a unified deployment, the WLC is a discrete, physical device on the network, deployed in a central location. A unified WLC can support up to about 6000 APs. If a network needs more than 6000 APs you can add additional WLCs to the network.


In a cloud-based deployment, the WLC is a VM running on a server, typically in a private cloud in an off-site data center. These can typically support about 3000 APs, and more WLC VMs can be deployed for greater capacity.

To reiterate, these are not the same as cloud-based AP architectures. This is only referring to where the WLC is in a lightweight AP architecture.


In an embedded deployment, the WLC is embedded within a switch. An embedded WLC can support up to about 200 APs. You can add more switches with embedded WLCs if you need more capacity.

Cisco Mobility Express

In this case the WLC is embedded within an AP. Mobility Express WLCs can support up to about 100 APs. You can add more Mobility Express embedded APs as needed.

Cloud-based APs

Cloud-based AP architecture is somewhere in between autonomous and split-MAC architecture. Fundamentally, it consists of autonomous APs which are centrally managed in the cloud.


Cisco Meraki is a popular cloud-based Wi-Fi solution, so it’s probably the best one to study while preparing for a Cisco exam. This website, being focused on the CCNA, will focus on Meraki where specific examples are called for.

The Cisco Meraki dashboard can be used to configure APs, monitor the network, generate performance reports, etc. It can also control what channels APs use, their transmission power, and more.

However, data traffic is not sent to the cloud. It is forwarded directly to the wired network, like when using autonomous APs.


  1. CAPWAP: Control And Provisioning of Wireless Access Points, LWAPP: Lightweight Access Point Protocol.

  2. Similar to VPN tunnels.

  3. Well, it sort of does. The tunnel itself is on the wired network, but the data can’t be forwarded anywhere but the WLC.

  4. DTLS: Datagram Transport Layer Security. Similar to TLS, except DTLS uses UDP where TLS uses TCP.