Cisco Wireless Network Architecture

1. Introduction to Cisco Wireless Network Architecture

Cisco wireless networks provide flexibility, scalability, and performance for modern IT environments.

Depending on the deployment size and management needs, Cisco offers three main architectures:

  • Autonomous AP Architecture : Each AP operates independently, making it suitable for small networks with minimal management.
  • Split-MAC Architecture : Lightweight APs (LAPs) offload management tasks to a Wireless LAN Controller (WLC), enhancing scalability and performance.
  • Cloud-Based AP Architecture : APs connect to a cloud controller, reducing on-site infrastructure while enabling centralized remote management.

This course explores each architecture’s benefits, traffic flow, and best use cases to help you choose the optimal wireless solution!

2. Autonomous AP Architecture

The Autonomous AP Architecture is a network setup where each AP operates independently. These Autonomous Access Points (APs) provide wireless connectivity to clients and connect directly to the wired network. This type of architecture is also referred to as “Local MAC architecture.”

Figure: Cisco wireless network showing an autonomous AP architecture with standalone access points connected through the core, distribution, and access layers

Let me guide you step by step to help you understand how this architecture works.

🔹 Configure Each AP Individually

To set up autonomous APs, you need to configure them one at a time. This is done by accessing each AP individually. Here’s how you can do that:

Figure: Cisco wireless network showing individual management of autonomous access points through direct console or remote access

  • Use a console connection (local access).
  • Access the AP remotely via SSH, Telnet, or a Web Interface (HTTP/HTTPS).

⚠️ Remember: The AP must have a management IP address to enable remote access.

Scenario Example

Imagine you’re setting up two SSIDs on your network:

  • One for your employees (VLAN 10).
  • One for your guests (VLAN 20).

Figure: Cisco wireless network with autonomous access points broadcasting two SSIDs mapped to VLAN 10 for employees and VLAN 20 for guest Wi-Fi access

To configure this, you’ll need to:

  • Create the VLANs for your wireless networks.
  • Set up the SSIDs (the names of your wireless networks).
  • Adjust the RF settings, such as the channel and transmit power.
  • Define security policies, like access control lists (ACLs) and QoS rules.

🔹 Connecting the AP to the Wired Network

Once your APs are configured, you’ll need to connect them to the wired network. Since autonomous APs tag wireless traffic with VLANs, the switch port must be set to trunk mode to allow multiple VLANs to pass through.

Figure: Cisco wireless network with trunk links allowing VLANs 10, 20, and 100, supporting employee and guest SSIDs through autonomous access points connected to the wired infrastructure

For example:

  • VLAN 10 will handle employee traffic.
  • VLAN 20 will handle guest traffic.
  • VLAN 100 will manage administrative access and monitoring.

Ensuring Roaming

In a wireless network, users often move around and connect to different APs. This is called roaming. To make sure users can move seamlessly across the network, you need to ensure that traffic for VLANs 10, 20, and 100 can flow across all switches.

Figure: Cisco wireless network illustrating client roaming between autonomous access points, with VLANs 10, 20, and 100 allowed on trunk links across all switches

🔹 Here’s what you need to do:

  • Create VLANs (10, 20, and 100) on every switch that connects to an AP.
  • Configure trunk links between switches so that these VLANs can be carried throughout the network.
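Here is what the switch side of this autonomous-AP setup looks like in Cisco IOS, as an added example that is not part of the original course. Interface names, the choice of VLAN 100 as the native (untagged) VLAN on the AP link, and the uplink port are assumptions.

```cisco
! --- Added example (not from the original course): switch config for autonomous APs ---
! Step 1: define the three VLANs on EVERY switch that connects to an AP,
! otherwise roaming clients lose their VLAN when they move.
vlan 10
 name EMPLOYEES
vlan 20
 name GUESTS
vlan 100
 name MGMT
!
! Step 2: the port facing the autonomous AP must be a trunk, because the AP
! tags each SSID's traffic with its VLAN. Limit the trunk to the VLANs the AP
! actually uses and disable DTP so the link cannot negotiate anything else.
! (On older platforms that still offer ISL, add
!  "switchport trunk encapsulation dot1q" before "switchport mode trunk".)
interface GigabitEthernet1/0/1
 description Autonomous AP - SSID VLANs 10/20 + management VLAN 100
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
 switchport trunk native vlan 100
 switchport nonegotiate
 spanning-tree portfast trunk
!
! Step 3: inter-switch trunk so VLANs 10, 20 and 100 are carried across the
! whole switched network (same pruned allowed-list, no DTP).
interface GigabitEthernet1/0/24
 description Uplink to distribution switch
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
 switchport nonegotiate
!
! Verification:
!  show vlan brief
!  show interfaces trunk
```

The native VLAN is set to the management VLAN on the assumption that the AP's own management interface is untagged; if your AP tags management traffic instead, drop the native-vlan line and keep VLAN 100 in the allowed list.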

Traffic Flow in Autonomous Architecture

Let’s take a closer look at how traffic moves in this architecture.

Case 1: Wireless to Outside Network

When a wireless client connects to the AP and sends traffic to the internet:

  1. The traffic is sent to the AP, which tags it with the correct VLAN.
  2. The AP forwards the traffic to the default gateway.
  3. The gateway routes the traffic to the internet.

Figure: Cisco wireless network showing traffic flow from wireless clients on VLAN 10 and VLAN 20 through an autonomous access point to the internet via trunk links and default gateway

Case 2: Wireless to Wireless Communication

When one wireless device sends traffic to another wireless device:

  1. The traffic is first sent to the AP.
  2. The AP forwards the traffic directly to the other device within the same VLAN.

Figure: Cisco wireless network showing wireless-to-wireless communication between clients on an autonomous access point using SSIDs mapped to VLAN 10 and VLAN 20 through trunk links

⚠️ Limitations of Autonomous APs

Autonomous APs can be a great choice for small networks, but they come with some challenges:

  • Manual Configuration: Each AP must be set up individually, which takes time.
  • Roaming Complexity: You’ll need to maintain consistent SSID and VLAN configurations across all APs and switches.
  • VLAN Propagation: VLANs must be configured across the entire wired network.
  • Manual RF Tuning: You’ll need to manually adjust the channels and transmit power for each AP.
  • Lack of Centralized Management: There’s no central system to control traffic, QoS policies, or security monitoring.

Autonomous APs are a good option for small networks where simplicity is key. However, as your network grows, you’ll find it harder to manage because everything has to be configured manually. That’s when other solutions, like Cloud-Based APs or Split-MAC APs, become much more efficient.

3. Split-MAC Architecture

Unlike autonomous APs that operate independently, the Split-MAC Architecture divides tasks between the Access Point (AP) and the Wireless LAN Controller (WLC).

In this model, the Access Point becomes a Lightweight Access Point (LAP) because its workload is shared with the WLC.

Why is it called “Split-MAC”?

Let’s start with the name. The “Split-MAC” architecture separates responsibilities between the LAP and the WLC.

The LAP handles real-time tasks while the WLC takes care of management tasks. This division simplifies the management of your wireless network and allows centralized control over all the APs.

This concept is crucial for your CCNA, so make sure you clearly understand how responsibilities are divided between the LAP and WLC.

Figure: Cisco wireless network showing Split-MAC architecture where the Lightweight AP handles real-time tasks and the Wireless LAN Controller manages centralized control and configuration

Roles of the LAP and WLC

Let’s break down the specific responsibilities of each:

Real-Time Tasks (LAP responsibilities):

  • Sending beacons and responding to probes.
  • Transmitting 802.11 frames.
  • Performing packet acknowledgments and retransmissions.
  • Encrypting and decrypting wireless traffic.

Management Tasks (WLC responsibilities):

  • Authenticating and associating clients.
  • Enforcing security policies, such as access control and QoS.
  • Managing client reassociation to enable seamless roaming.
  • Optimizing RF settings, like power levels and channel assignments.

By separating these roles, the WLC takes care of the heavy lifting in managing your wireless network, while the LAP focuses on fast, real-time operations.

CAPWAP Protocol

The CAPWAP (Control And Provisioning of Wireless Access Points) protocol allows the LAP and WLC to communicate. It’s the backbone of this architecture and ensures that both devices work together efficiently. CAPWAP replaced the older LWAPP protocol by introducing stronger security features.

Figure: Cisco wireless network showing CAPWAP protocol operation between Lightweight AP and Wireless LAN Controller, with control traffic secured on UDP port 5246 and client data on UDP port 5247

Here’s how CAPWAP operates:

  • Control Tunnel (UDP Port 5246):
    • This tunnel manages and configures LAPs. The control traffic is encrypted with DTLS to ensure security.
  • Data Tunnel (UDP Port 5247):
    • This tunnel carries client data. By default, it’s unencrypted, but you can enable encryption if needed.

💡 If you’re curious to dive deeper, CAPWAP is defined in multiple RFCs (5415-5418).

Split-MAC Architecture Example

To help you visualize, look at the example below:

Figure: Cisco wireless network example showing centralized management through a Wireless LAN Controller using CAPWAP tunnels to configure multiple Lightweight Access Points in a Split-MAC architecture

Imagine you have several lightweight APs, each connected to a WLC. Instead of configuring each AP individually, you only need to configure the WLC. The WLC will then use the CAPWAP control tunnel to automatically manage and configure the LAPs.

This centralized approach saves you a lot of time, especially in large networks.

💡 Remember that the WLC manages Lightweight APs, and the LAP sends traffic first to the WLC before forwarding it to the destination.

Configuration Example

🔹 LAP establishes a CAPWAP tunnel with the WLC to receive its configuration.

In this setup, the LAP broadcasts two SSIDs:

  • An Employee Wireless Network on VLAN 10.
  • A Guest Wireless Network on VLAN 20.

Port Configuration

🔹 LAP Port:

  • Configure it as an access port on VLAN 100 (Management).
  • This ensures the LAP can communicate with the WLC for management traffic.

🔹 WLC Port:

  • Configure it as a trunk port allowing VLANs 10, 20, and 100.
  • On this link, set up an EtherChannel. This is essential because all wireless traffic flows through the WLC before being sent to the wired network, and the EtherChannel helps handle the high volume of data efficiently.

In summary: The WLC trunk port requires access to all VLANs, while the LAP only needs connectivity to the management VLAN (VLAN 100).
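The LAP and WLC port configuration described above, written out in Cisco IOS as an added example that is not part of the original course. Interface numbers are assumptions, and the EtherChannel is shown in the form an AireOS-style WLC LAG expects (no LACP/PAgP negotiation), which is also an assumption about the controller.

```cisco
! --- Added example (not from the original course): LAP and WLC switch ports ---
!
! LAP port: a plain access port in the management VLAN. The LAP only has to
! reach the WLC; SSID VLANs 10 and 20 travel inside the CAPWAP data tunnel,
! so they are deliberately NOT configured on this port.
interface GigabitEthernet1/0/5
 description Lightweight AP - management VLAN only
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! WLC ports: two physical links bundled into an EtherChannel. Because every
! wireless frame is decapsulated here and dropped into VLAN 10 or 20, this
! trunk must carry the SSID VLANs as well as management VLAN 100.
! Assumption: the WLC uses a static LAG, so the bundle is "mode on" (no
! LACP/PAgP) and the Port-channel carries the same trunk settings.
interface range GigabitEthernet1/0/23 - 24
 description WLC LAG members
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
 switchport nonegotiate
 channel-group 1 mode on
!
interface Port-channel1
 description WLC LAG
 switchport mode trunk
 switchport trunk allowed vlan 10,20,100
 switchport nonegotiate
!
! Verification:
!  show etherchannel 1 summary
!  show interfaces Port-channel1 trunk
```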

How the LAP Finds the WLC

You might wonder: How does the LAP find the WLC when I connect it to the network?

Figure: Cisco wireless network showing how a Lightweight Access Point locates the Wireless LAN Controller using DHCP Option 43, DNS resolution of cisco-capwap-controller, or a local broadcast request

When the LAP boots, it searches for the WLC using the following methods:

  1. DHCP: The DHCP server provides the WLC’s IP address via Option 43.
  2. DNS: The LAP resolves the hostname cisco-capwap-controller to find the WLC’s IP address.
  3. Broadcast: The LAP sends a local subnet broadcast to discover the WLC.

⚠️ To prevent unauthorized APs from joining, X.509 certificates are used to authenticate connections between the LAP and the WLC.
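As an added example that is not part of the original course, here is an IOS DHCP scope for the AP management VLAN that hands the WLC address to the LAP via Option 43 (method 1 above). All addresses are constructed from the 192.0.2.0/24 documentation range, and the pool name and domain are assumptions.

```cisco
! --- Added example (not from the original course): DHCP scope for LAP discovery ---
! Cisco LAPs read Option 43 as a TLV: type 0xf1, length = 4 x (number of
! WLC addresses), then each WLC management IP as four hex bytes.
! Constructed WLC address 192.0.2.10 -> c0 00 02 0a, so the value is
!   f1 04 c0 00 02 0a
ip dhcp excluded-address 192.0.2.1 192.0.2.20
!
ip dhcp pool AP-MGMT-VLAN100
 network 192.0.2.0 255.255.255.0
 default-router 192.0.2.1
 dns-server 192.0.2.5
 domain-name example.com
 option 43 hex f104c000020a
!
! With two WLCs (192.0.2.10 and 192.0.2.11) the length field becomes 0x08:
!   option 43 hex f108c000020ac000020b
!
! Method 2 (DNS) fallback: the LAP looks up cisco-capwap-controller in the
! domain it received above, so the matching record lives on the DNS server
! (not in IOS):
!   cisco-capwap-controller.example.com.  A  192.0.2.10
!
! Verification on the switch/router acting as DHCP server:
!  show ip dhcp binding
!  show ip dhcp pool AP-MGMT-VLAN100
```

Whatever discovery method succeeds, the join itself is still gated by the X.509 certificate exchange, so a wrong or spoofed Option 43 value points the LAP at a controller it will refuse to join rather than at one it trusts.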

Traffic Flow in Split-MAC Architecture

To recap, we’ve split the responsibilities between the Lightweight Access Point (LAP) and the Wireless LAN Controller (WLC). The LAP handles real-time tasks, while the WLC manages configuration and other management tasks. The CAPWAP protocol ensures communication between them through two tunnels:

  • Control Tunnel: Handles management and control data.
  • Data Tunnel: Transports wireless client traffic.

A properly configured switched network is essential for this setup. Specifically:

  • Trunk ports should be used for the interface connecting to the WLC to support multiple VLANs.
  • Access ports should be used for interfaces connecting to Lightweight APs.

How does wireless client traffic flow through the network?

Case 1: Traffic from Wireless Devices to the Outside Network

Figure: Cisco wireless network diagram showing traffic flow from wireless clients connected to a Lightweight AP, routed through a CAPWAP tunnel to the Wireless LAN Controller, then forwarded to the internet via the access layer on VLAN 100

Steps:

  1. Wireless devices connected to the Lightweight AP generate traffic destined for devices outside the local network.
  2. The LAP encapsulates this traffic and forwards it to the WLC through the CAPWAP data tunnel.
  3. The WLC decapsulates the traffic, tags it with the appropriate VLAN based on its configuration, and sends it out toward its destination.

Case 2: Traffic Between Wireless Devices

Figure: Cisco wireless network showing wireless-to-wireless communication where traffic between clients on a Lightweight AP is tunneled through the CAPWAP data tunnel to the WLC, even within the same VLAN (VLAN 10 or 20)

Steps:

  1. Wireless devices within the same network need to communicate: the traffic is encapsulated by the LAP and sent to the WLC through the CAPWAP data tunnel.
  2. The WLC decapsulates the traffic, tags it with the correct VLAN, and sends it back out to the appropriate LAP so it reaches the destination wireless device.

⚠️ Even when wireless devices communicate within the network, their traffic is routed through the WLC first for VLAN tagging and forwarding.

Advantages of Split-MAC Architecture

The Split-MAC architecture provides several advantages:

  • Centralized Management: The WLC handles the configuration and monitoring of all LAPs, reducing manual configuration.
  • Seamless Roaming: Wireless clients can move between APs without noticeable delays.
  • RF Optimization: The WLC automatically adjusts RF settings such as power and channel assignments.
  • Self-Healing: If an AP fails, the WLC increases the power of surrounding APs to eliminate coverage gaps.

4. Cloud-Based AP Architecture

When you need the simplicity of autonomous APs combined with centralized management, but without an on-site Wireless LAN Controller (WLC), the Cloud-Based AP Architecture is an ideal solution!

In this setup, Access Points (APs) connect to a cloud platform for configuration and monitoring. One popular example is Cisco Meraki Cloud, a platform that simplifies the deployment and management of wireless networks by offering an intuitive web-based dashboard.

Figure: Cisco wireless network using cloud-based architecture where Cisco Meraki Cloud handles management tasks while on-site access points perform real-time wireless operations across the local infrastructure

This architecture shifts the controller functionality to the cloud, eliminating the need for a physical WLC at the site. As a result, deploying and managing multiple APs is streamlined through a centralized web dashboard.

The cloud platform oversees tasks such as:

  • Assigning channels to each AP.
  • Configuring transmit power.
  • Fully managing AP settings for seamless operation.

⚠️ Wireless client traffic does not traverse the cloud. Instead, client data is sent directly to its destination, much like with autonomous APs.

💡 For instance, communication between two devices, such as PCs, remains local and does not need to pass through the cloud.


This architecture offers a balance between the simplicity of autonomous APs and the centralized control of Lightweight APs.

5. Conclusion

Wireless architectures are essential to meet the diverse needs of modern networks, each offering specific advantages depending on the size and complexity of the deployment.

  • Autonomous AP Architecture is well-suited for small networks due to its simplicity, but its lack of centralized management can quickly become a limitation in larger environments.
  • Split-MAC Architecture, with its centralized approach and lightweight APs, is ideal for enterprise networks requiring simplified management, automatic RF optimization, and seamless roaming.
  • Cloud-Based AP Architecture combines the best of both worlds, offering centralized cloud management while maintaining a simplified on-site infrastructure, making it an excellent choice for organizations seeking a modern, flexible, and scalable solution.

To choose the best architecture, it’s important to consider the size of the network, management requirements, budget, and future scalability.