2.6 Wireless Architectures and AP Modes
Key Takeaways
- Autonomous APs are standalone and configured individually — best for very small deployments.
- Lightweight APs (LAPs) are managed by a Wireless LAN Controller (WLC) using CAPWAP.
- Cloud-managed APs (like Cisco Meraki) are managed through a cloud-based dashboard.
- CAPWAP uses UDP 5246 (control) and UDP 5247 (data) to communicate between APs and WLC.
- The WLC handles roaming, RF management, security policies, and centralized configuration.
Wireless Architectures and AP Modes
The CCNA exam tests your understanding of different wireless deployment architectures and when to use each one.
Wireless Architecture Comparison
Autonomous AP Architecture
| Feature | Detail |
|---|---|
| Management | Each AP configured individually |
| Control plane | On the AP |
| Data plane | On the AP |
| Scalability | Poor (managing 50+ APs individually is impractical) |
| Best for | Very small deployments (1-5 APs) |
| Roaming | Limited (no central coordination) |
Controller-Based Architecture (WLC + Lightweight APs)
| Feature | Detail |
|---|---|
| Management | Centralized via Wireless LAN Controller (WLC) |
| Control plane | On the WLC |
| Data plane | Split (some on WLC, some on AP, depending on mode) |
| Scalability | Excellent (one WLC manages hundreds of APs) |
| Best for | Medium to large enterprise deployments |
| Roaming | Seamless (WLC coordinates handoffs) |
CAPWAP (Control and Provisioning of Wireless Access Points):
- Protocol used between lightweight APs and the WLC
- Control channel: UDP 5246 (encrypted with DTLS)
- Data channel: UDP 5247 (optionally encrypted)
- APs download their configuration from the WLC on boot
Cloud-Managed Architecture
| Feature | Detail |
|---|---|
| Management | Cloud dashboard (e.g., Cisco Meraki, DNA Spaces) |
| Control plane | In the cloud |
| Data plane | On the AP (data doesn't go through the cloud) |
| Scalability | Excellent (manage globally from one dashboard) |
| Best for | Distributed sites, MSPs, organizations wanting simplicity |
| Licensing | Subscription-based |
On the Exam: Know that in cloud-managed architectures, the management/control traffic goes to the cloud, but user data traffic is switched locally at the AP. Data does NOT route through the cloud.
AP Modes (Controller-Based)
Lightweight APs connected to a WLC can operate in several modes:
| Mode | Function |
|---|---|
| Local | Default mode. Serves clients and scans channels between data transmissions |
| FlexConnect | Can switch traffic locally even if the WLC connection is lost (for branch offices) |
| Monitor | Does not serve clients. Dedicated to monitoring RF and detecting rogue APs |
| Sniffer | Captures wireless frames and sends them to a packet analyzer |
| Rogue Detector | Monitors for unauthorized APs on the wired network |
| Bridge | Creates point-to-point or point-to-multipoint wireless bridges between buildings |
| SE-Connect | Spectrum analysis mode for RF interference troubleshooting |
WLAN Configuration via GUI (WLC)
The CCNA exam expects you to configure basic WLANs using the WLC web GUI:
Steps to create a WLAN:
- Log into the WLC web interface
- Navigate to WLANs → Create New
- Configure WLAN settings:
  - SSID (network name)
  - WLAN ID
  - Interface/VLAN mapping
- Configure Security:
  - Layer 2 security: WPA2 (most common for enterprise)
  - Authentication: PSK or 802.1X/EAP
- Configure QoS profile:
  - Platinum (voice), Gold (video), Silver (best effort), Bronze (background)
- Enable the WLAN
Network Device Management Access
For managing network devices, multiple access methods exist:
| Method | Port | Security | Use Case |
|---|---|---|---|
| Console | Physical console port | Local, physical access | Initial setup, recovery |
| Telnet | TCP 23 | Unencrypted (avoid) | Legacy management |
| SSH | TCP 22 | Encrypted | Remote management (recommended) |
| HTTP | TCP 80 | Unencrypted | Web GUI management |
| HTTPS | TCP 443 | Encrypted | Secure web GUI management |
| TACACS+ | TCP 49 | Encrypted | Centralized AAA |
| RADIUS | UDP 1812/1813 | Only the password attribute is encrypted | Centralized AAA |
On the Exam: SSH is always preferred over Telnet for remote management because Telnet sends all data (including passwords) in plain text. HTTPS is preferred over HTTP for the same reason.
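To turn the port numbers from the CAPWAP list and the management-access table into something a defender can check, here is an added example (not part of this study guide): it parses constructed, simplified flow-log records, maps each to the service the tables name, and reports every flow whose transport is not fully encrypted. The record format `proto src dst dport` and the sample addresses are assumptions made up for the example.

```python
# Added example (not from the study guide): classify constructed flow records by the
# port numbers this section lists, and report the flows whose transport is not encrypted.

# (transport, destination port) -> (service, encryption status), from the tables above.
SERVICES = {
    ("udp", 5246): ("CAPWAP control", "encrypted"),  # DTLS-protected AP<->WLC control channel
    ("udp", 5247): ("CAPWAP data", "optional"),      # DTLS only if enabled on the WLC
    ("tcp", 23):   ("Telnet", "cleartext"),
    ("tcp", 22):   ("SSH", "encrypted"),
    ("tcp", 80):   ("HTTP", "cleartext"),
    ("tcp", 443):  ("HTTPS", "encrypted"),
    ("tcp", 49):   ("TACACS+", "encrypted"),
    ("udp", 1812): ("RADIUS auth", "partial"),       # only the password attribute is hidden
    ("udp", 1813): ("RADIUS acct", "partial"),
}

def parse_flow(line):
    """Parse one constructed 'proto src dst dport' record into (proto, src, dst, dport)."""
    proto, src, dst, dport = line.split()
    return proto.lower(), src, dst, int(dport)

def classify(flow):
    """Return (service, status) for a known CAPWAP or management port, else None."""
    proto, _, _, dport = flow
    return SERVICES.get((proto, dport))

def audit(lines):
    """Return (service, status, src, dst) for every recognised flow not fully encrypted."""
    findings = []
    for line in lines:
        proto, src, dst, dport = flow = parse_flow(line)
        hit = classify(flow)
        if hit is not None and hit[1] != "encrypted":
            findings.append((hit[0], hit[1], src, dst))
    return findings

SAMPLE = [  # constructed records, not captured traffic
    "udp 10.1.1.10 10.1.1.1 5246",  # AP joining the WLC
    "udp 10.1.1.10 10.1.1.1 5247",  # client data tunnelled to the WLC
    "tcp 10.9.9.5 10.1.1.1 23",     # Telnet to the WLC: credentials in the clear
    "tcp 10.9.9.5 10.1.1.1 22",
    "tcp 10.9.9.5 10.1.1.1 80",
    "udp 10.1.1.1 10.2.2.2 1812",   # WLC -> RADIUS server
]

if __name__ == "__main__":
    for service, status, src, dst in audit(SAMPLE):
        print(f"{service:14} {status:10} {src} -> {dst}")
```

A "partial" or "optional" finding is not an outright failure; it marks a place to confirm that DTLS data encryption is enabled on the WLC, or that RADIUS traffic runs over a protected network segment.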
Which protocol do lightweight access points use to communicate with a Wireless LAN Controller (WLC)?
In a cloud-managed wireless architecture (e.g., Cisco Meraki), where is user data traffic switched?
Which WLC AP mode allows the access point to continue serving clients even if the connection to the WLC is lost?