This file shows some example configurations for a basic wireless network which includes two APs and a WLC connected to a switch.

There are three VLANs in the network:

  • VLAN 10: Management,
  • VLAN 100: Internal,
  • VLAN 200: Guest,

Switch Configuration

Configuration for the switch that connects the APs and the WLC. Configured via CLI.

First, we create and name the VLANs

  • (config)#vlan 10
  • (config-vlan)#name Management
  • (config-vlan)#vlan 100
  • (config-vlan)#name Internal
  • (config-vlan)#vlan 200
  • (config-vlan)#name Guest

Next, we configure the interfaces connected to APs as access ports. In this example, ports F0/7 & F0/8 are the AP ports, but we will also configure an additional port, F0/6, as access. We can use this extra port to connect to the WLC’s GUI with a laptop/PC.

  • (config)#int range f0/6 - 8
  • (config-if-range)#switchport mode access
  • (config-if-range)#switchport access vlan 10
  • (config-if-range)#spanning-tree portfast

Now we configure the interfaces connected to the WLC — there are multiple. We must configure them as a static LAG (Link Aggregation Group), i.e. we will form an EtherChannel between the switch and the WLC. It must be static LAG, no PAgP or LACP.

In this example the WLC is connected on interfaces F0/1 & F0/2.

  • (config-if-range)#int range f0/1 - 2
  • (config-if-range)#channel-group 1 mode on

Then configure the port-channel (EtherChannel) interface as a trunk:

  • config-if-range)#interface port-channel 1
  • (config-if)#switchport mode trunk
  • (config-if)#switchport trunk allowed vlan 10,100,200

Next, we configure the SVI for each VLAN, these will serve as the default gateway for each VLAN:

  • (config)#int vlan 10
  • (config-if)#ip address
  • (config-if)#int vlan 100
  • (config-if)#ip address
  • (config-if)#int vlan 200
  • (config-if)#ip address

Then we need a DHCP pool for each VLAN. Note that each the default router for each is set to the SVI IP address for that VLAN. Also not the option 43 ... command; this is used to tell the APs the IP address of their WLC. In this case, because the APs and WLC are in the same subnet, it isn’t actually necessary. Even without this the APs will broadcast CAPWAP discovery messages to find the WLC.

  • (config)#ip dhcp pool VLAN10

  • (dhcp-config)#network

  • (dhcp-config)#default-router

  • (dhcp-config)#option 43 ip

  • (config)#ip dhcp pool VLAN100

  • (dhcp-config)#network

  • (dhcp-config)#default-router

  • (config)#ip dhcp pool VLAN10

  • (dhcp-config)#network

  • (dhcp-config)#default-router

Last for the switch configuration, we’ll set it up as an NTP server.

  • (config)#ntp master

WLC Configuration

While most WLC configuration is typically performed via GUI, there is some preliminary configuration that must be done in the CLI.

Much of this is performed in a configuration ‘wizard’. You won’t be running CLI commands, rather you’ll just need to respond to questions the WLC prompts you with.

First, the WLC may ask if you want to “terminate autoinstall?” Autoinstall can be used to automatically download WLC configurations from a TFTP server. This can be handy, but we’re not using it here, so enter ‘yes’ and press enter, or just press enter; yes is the default option here.

Then you will be prompted to configure a ‘System Name’ (hostname) and a username and password.

Next you will be asked if you want to enable Link Aggregation (LAG). Since that’s what we did on the switch, we’d better enable it here too. Be careful, the default option is no, so you need to type ‘yes’ and press enter.

Next you’ll enter the following information for the WLC’s virtual management interface. Note that we will be using a pre-shared key (PSK) so we don’t need a RADIUS server. If there is no input for a prompt then the default option (the capitalized option) was selected.

Management Interface IP Address:
Management Interface Netmask:
Management Interface Default Router:
Management Interface VLAN Identifier (0 = untagged): 10
Management Interface DHCP Server IP Address:

Virtual Gateway IP Address:
Multicast IP Address:
Mobility/RF Group Name: BRi
Network Name (SSID): Internal

Configure DHCP Bridging Mode [yes][NO]: no
Allow Static IP Addresses [YES][no]: yes
Configura a RADIUS Server now? [YES][no]: no
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.

Enter Country Code list (enter 'help' for a list of countries) [US]: {see note}

Enable 802.11b Netowrk [YES][no]:
Enable 802.11a Netowrk [YES][no]:
Enable 802.11g Netowrk [YES][no]:
Enable Auto-RF [YES][no]:

Configure a NTP server now? [YES][no]: yes
Enter the NTP server's IP address:
Enter a polling interface between 3600 adn 604800 secs: 3600

Configuration correct? If yes, system will save it and reset [yes][NO]: yes
Configuration saved!
Resetting system with new configuration...


Enter Country Code ...: The country you input here must be of a nation within the regulatory domain of the device you are using. If you’re running into problems here, look online for Cisco’s documentation on wireless compliance. Usually, using the country code for the nation you purchased the device in should work, but this may be a bigger issue if you are configuring second-hand devices.

Configuring in the GUI

Now that VLAN 10 is configured as a management VLAN, we can configure the WLC with a GUI from a PC connected to the extra access port we configured on the switch (F0/6), instead of a direct connection to the WLC’s console port.

To do this, simply connect to the WLC’s IP address (, in this example) with a web browser.

You may get a warning the the ‘connection is not secure’. This is because your PC doesn’t trust the certificate on the WLC, but this isn’t really an issue. There should be a button to ignore the warning and proceed anyway. It may be buried past an ‘Advanced’ or similar option.

You’ll land on a login screen, where you can use the username and password you configured on the WLC earlier in this section.

Once logged in you’ll be greeted by a dashboard with some basic information about the WLC, including interfaces currently in use, temperatures, resource usage, joined APs, etc.


There are way too many options and controls in this GUI to cover them all here. We’ll take a look only at the ones we need for this example, but feel free to explore Cisco’s documentation if you are curious about other features/options.

Configuring Interfaces

Go to the ‘Controller’ tab at the top of the screen, then click on ‘Interfaces’ on the left. This will show you a list of the logical (i.e. not physical) interfaces on the WLC. For more info on WLC Ports & Interfaces, check the section below.

We need to create some new interfaces for the VLANs we’ve set up. We only need to set up the Internal and Guest interfaces, because we already configured the Management interface in the CLI.

  • First let’s make one for the Internal WLAN, and map it to VLAN 100
    1. In the ‘Interfaces’ menu, click the ‘New’ button in the top-right.
    2. In the next menu, enter the interface name (‘Internal’) and the corresponding VLAN ID (‘100’).
    3. Click ‘Apply’ to create the interface and move on to full configuration.
    4. Enter the IP address, netmask, default gateway, & DHCP server address. That’s all we need to configure in this example, but there are more options available for different networks.
    5. Click ‘Apply’ to finish configuring this interface.
  • Next, the Guest Interface:
    1. Like last time, click ‘New’
    2. Enter the Interface name (‘Guest’) and VLAN ID (‘200’)
    3. Click ‘Apply’
    4. Enter the IP address, netmask, default gateway, & DHCP server address
    5. Click ‘Apply’

Configuring the WLANs

Click the ‘WLANs’ tab at the top of the screen. There should already be a WLAN named ‘Internal’ in the list; we made that in the CLI. However, this WLAN needs to be edited before we can use it. Currently, it’s configured to use 802.1X for authentication, but this won’t work for PSK authentication.

If you click on the WLAN ID (i.e. the ‘1’ in the left most column) you should be able to edit the WLAN.

  • Currently, the WLAN is mapped to the Management interface. It needs to be mapped to the Internal interface, so go ahead and change it.
  • Next, in the ‘Security’ tab, under the ‘Authentication Key Management’ section of the ‘Layer 3’ tab, change the selection from 802.1X to PSK.
  • Now there will be a field to specify the passkey in, as well as a drop down to specify if the key is in ASCII or Hexadecimal. ASCII will allow for more human-readable passwords, so we’ll go with that. Type in a password at least eight characters long (it will give you an error if you try a shorter one) and click ‘Apply’.
  • In the ‘QoS’ tab we can change some QoS settings. Most importantly, we can select what QoS markings we want applied to WiFi traffic. The options given are Bronze (background), Silver (best-effort), Gold (video), & Platinum (voice). We’ll leave it at silver for now. 1
  • Click ‘Apply’ to finish editing.

Now we need to create the Guest WLAN. There should be a dropdown with ‘create new’ as the selected option; click the ‘Go’ button next to it to start making a new WLAN.

  • The type will be WLAN, the profile name and SSID should both be ‘Guest’, and the ID will be 2.
  • In the ‘General’ tab, set the status to enabled, and map the WLAN to the Guest interface.
  • Configure PSK as the authentication method, like in the Internal WLAN.
  • Click ‘Apply’ to save the WLAN.

WLC Ports & Interfaces

The terms ‘port’ and ‘interfaces’ are often used interchangeably, but in the context of WLCs they have more particular meanings:

  • WLC Ports are the physical ports that cables can be connected to.
  • WLC Interfaces are the logical interfaces within the WLC (i.e. SVIs on a switch).

WLCs have a few different kinds of ports:

  • Service Port: A dedicated management port. Used for out-of-band management. Must connect to a switch access port because it only supports one VLAN. This port can be used to connect to the device while it is booting, perform system recovery, etc.
  • Distribution System Ports: These are the standard network ports that connect to the ‘distribution system’ (wired network) and are used for data traffic. These ports usually connect to switch trunk ports, and if multiple distribution ports are used they can form a LAG.
  • Console Port: A standard console port. Can be either RJ45 or USB.
  • Redundancy Port: Used to connect to another WLC to form a high availability (HA) pair.

WLCs also have a few different kinds of interfaces:

  • Management Interface: used for management traffic such as Telnet, SSH, HTTP, HTTPS, RADIUS authentication, NTP, Syslog, etc. CAPWAP tunnels are also formed to/from the WLC’s management interface.
  • Redundancy Management Interface: When two WLCs are connected by their redundancy ports, one WLC is ‘active’ and the other is ‘standby’. This interface can be used to connect to and manage the ‘standby’ WLC.
  • Virtual Interface: This interface is used when communication with wireless clients to relay DHCP requests, perform client web authentication, etc.
  • Service Port Interface: If the service port is used, this interface is bound to it and used for out-of-band management.
  • Dynamic Interfaces: These are the interfaces used to map a WLAN to a VLAN. For example, traffic from the ‘Internal’ WLAN will be sent to the wired network from the WLC’s ‘Internal’ dynamic interface.


  1. This is both more intuitive and more confusing that normal QoS markings…