2.6 Wireless Architectures and AP Modes

Three Wireless Deployment Models

The CCNA tests you on three ways to deploy enterprise Wi-Fi, each trading off scale against simplicity:

An autonomous access point is a full standalone device — it holds its own SSID, security, and RF config. Managing 200 of them individually is unworkable, so enterprises use a controller.

Controller-Based Architecture and Split-MAC

A Wireless LAN Controller (WLC) centralizes the brains; the APs become lightweight access points (LAPs) that handle only real-time radio functions. This division is the split-MAC model. The WLC handles roaming, RF management (auto channel/power), security policies, client authentication, and centralized configuration; the LAP handles beaconing, transmitting/receiving frames, and encryption at the radio. A new LAP with no config can be plugged in anywhere, find the WLC, download its configuration, and join the network.

CAPWAP — the AP-to-WLC Tunnel

Lightweight APs and the WLC communicate through CAPWAP (Control And Provisioning of Wireless Access Points), defined in RFC 5415. CAPWAP forms two logical tunnels, and the exam wants the exact UDP ports:

DTLS (Datagram Transport Layer Security) always protects the control channel; data-channel encryption is optional. CAPWAP succeeded the older LWAPP, which is obsolete on current equipment. A key benefit: because client traffic is tunneled to the WLC, an AP can be on any subnet and still extend a given VLAN/SSID — the tunnel carries it back to the controller. CAPWAP also lets the WLC push a single firmware image and config to every AP at once.

AP Operating Modes

A lightweight AP can run in several modes on the WLC; two matter most for CCNA:

• Local mode is the default. The AP tunnels all client data back to the WLC (centralized switching) and serves clients on its channel while periodically scanning others.
• FlexConnect mode lets the AP switch client traffic locally at the branch even when the WAN link to the WLC is down. This is the right answer for a remote branch with an unreliable connection to the central WLC — clients keep working during a WAN outage.

Other modes you may see listed: Monitor (no client service; dedicated to scanning/IPS and location), Sniffer (captures and forwards 802.11 frames to an analyzer), and Bridge/Mesh (links sites wirelessly). On the exam, the distinguishing question is almost always Local versus FlexConnect: if the requirement mentions surviving a WLC/WAN outage at a branch, choose FlexConnect; if it mentions centralized policy and switching with the WLC always reachable, choose Local.

How a Lightweight AP Joins the WLC

The CCNA expects a high-level grasp of the AP join process because it explains many "AP won't come online" troubleshooting questions. A new lightweight AP boots, gets an IP via DHCP, then must discover a WLC. It learns the controller's management IP through one of several methods: a DHCP Option 43 entry, a DNS lookup of CISCO-CAPWAP-CONTROLLER, a previously remembered controller, or a Layer 3 broadcast on the local subnet. The AP then sends a CAPWAP discovery request, the WLC replies, and the two build the DTLS-secured CAPWAP control tunnel on UDP 5246.

The AP downloads its configuration and, if its software differs, the matching image from the WLC before serving clients.

Because of this sequence, a stuck AP usually points to one of a short list of causes: no DHCP/IP, a firewall blocking UDP 5246/5247, a missing Option 43 or DNS record so the AP cannot find the controller, a software-version mismatch forcing a slow upgrade, or a time/certificate problem breaking DTLS. Knowing the join order lets you diagnose in the right sequence.

Choosing an Architecture

Use this decision guide, which mirrors how exam scenarios are worded:

Key distinctions the exam rewards: autonomous APs do not scale because each is configured by hand; controller-based designs centralize the management/control plane via split-MAC while the AP keeps real-time radio work; cloud-managed designs put the dashboard in the cloud yet still switch user data locally at the AP, so a cloud outage does not stop client traffic. Tie every answer back to where management lives and where data is switched, and the wireless questions become straightforward.