
Physical Infrastructure Connections of WLAN Components

Last Updated : 30 Nov, 2022

The IETF Control and Provisioning of Wireless Access Points Protocol (CAPWAP) standard is used by lightweight Cisco access points to communicate with wireless controllers and other lightweight access points on your network.


The functional design of the Cisco Unified Wireless Network solution, the Cisco Centralized WLAN Architecture, uses CAPWAP as its foundational protocol. CAPWAP manages and configures APs and WLANs, and it wraps and transmits WLAN client communications between APs and WLAN controllers (WLCs). CAPWAP is built on the Lightweight Access Point Protocol (LWAPP), with security improved by Datagram Transport Layer Security (DTLS). CAPWAP runs over the User Datagram Protocol (UDP) and is compatible with both Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6). CAPWAP encapsulates the data transferred between the LAP and the WLC in new IP packets. The tunneled traffic is then switched or routed across the campus network.

Control messages sent over CAPWAP are used to set up and monitor AP operations. They are sent over the control tunnel after authentication and encryption, which ensures that APs are securely managed only by the correct WLC. The CAPWAP (Control and Provisioning of Wireless Access Points) control tunnel is the only tunnel protected by default. Client data is sent over the CAPWAP data tunnel, where encryption is optional. DHCP queries travel as client data and are not encrypted by default. Finally, 802.11 beacons are sent wirelessly from the LAP, so they are neither encrypted nor carried over CAPWAP.
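The difference between the protected control tunnel and the optionally encrypted data tunnel is visible in the first byte of every CAPWAP packet. The following check is an added example, not part of the original article: it classifies UDP payloads seen on the WLC-side CAPWAP port. The UDP ports, the preamble layout and the discovery message types are taken from RFC 5415 rather than from this page, and the sample payloads are constructed.

```python
import struct

CONTROL_PORT, DATA_PORT = 5246, 5247  # CAPWAP UDP ports per RFC 5415 (not on the page)
DISCOVERY = {1, 2}  # Discovery Request/Response are sent before DTLS is established


def preamble_type(payload):
    """'dtls' or 'plain', from the low nibble of the one-byte CAPWAP preamble."""
    if not payload or payload[0] >> 4 != 0 or payload[0] & 0x0F > 1:
        raise ValueError("not a CAPWAP version 0 preamble")
    return "dtls" if payload[0] & 0x0F == 1 else "plain"


def control_message_type(payload):
    """Message Type that follows the CAPWAP header of a plaintext control packet."""
    if len(payload) < 12:
        raise ValueError("truncated CAPWAP control packet")
    hlen = (payload[1] >> 3) * 4  # HLEN: top 5 bits of byte 1, in 32-bit words
    if hlen < 8 or len(payload) < hlen + 4:
        raise ValueError("bad CAPWAP header length")
    return struct.unpack_from("!I", payload, hlen)[0]


def audit(wlc_port, payload):
    """Classify one UDP payload seen on the WLC-side CAPWAP port."""
    if wlc_port not in (CONTROL_PORT, DATA_PORT):
        return "ignored: not a CAPWAP port"
    if preamble_type(payload) == "dtls":
        return "ok: DTLS-protected"
    if wlc_port == DATA_PORT:
        return "finding: client data tunneled in cleartext"
    if control_message_type(payload) in DISCOVERY:
        return "ok: cleartext discovery"
    return "finding: control message outside DTLS"


# Constructed sample payloads (not captured traffic).
HDR = bytes([0x00, 0x10, 0, 0, 0, 0, 0, 0])       # plain preamble, HLEN=2 (8-byte header)
DTLS_PKT = bytes([0x01, 0, 0, 0]) + b"\x17\xfe\xfd"  # DTLS preamble + start of a record
PLAIN_DATA = HDR + b"client frame"
DISCOVERY_REQ = HDR + struct.pack("!IBHB", 1, 0, 0, 0)
PLAIN_CONTROL = HDR + struct.pack("!IBHB", 5, 0, 0, 0)  # any non-discovery type

if __name__ == "__main__":
    for port, pkt in [(DATA_PORT, DTLS_PKT), (DATA_PORT, PLAIN_DATA),
                      (CONTROL_PORT, DISCOVERY_REQ), (CONTROL_PORT, PLAIN_CONTROL)]:
        print(port, audit(port, pkt))
```

A cleartext finding on the data port means wireless client traffic, including DHCP, is readable on every wired hop between the LAP and the WLC.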

A CAPWAP tunnel is required because the network is built with WLCs and LAPs. Each LAP is connected to the WLC via one CAPWAP tunnel, for a total of 32 tunnels. CAPWAP encapsulates wireless communications in an additional IP header so that tunneled packets can be routed through a Layer 3 network. The LAPs and WLCs can therefore be on any IP subnet, as long as the subnets can reach each other. LAPs and WLCs are not restricted from sharing Layer 2 VLANs or Layer 3 IP subnets. A lightweight AP only requires one access link with a single VLAN when operating in local mode. All other data is sent to the WLC over the CAPWAP tunnel.

Wireless Controller Port:

The wireless controller ports provide the physical connection to the switched network infrastructure. The main physical controller ports are as follows:

  • Service Port (SP): Used for out-of-band management, initial boot, and system recovery. A computer must be connected to the service port when configuring the controller via the GUI. 
  • Redundant Port (RP): Additional controllers can be connected to this port to enable redundant operation.
  • Distribution Ports: Management and all access point traffic pass through these ports. The distribution port is connected when the switch port is in trunk mode. The 4400 and 5500 series controllers contain 4 and 8 distribution ports respectively.
  • Console Port: Used for out-of-band management, system recovery, and early boot operations.


Ports are aggregated by the controller through a Link Aggregation Group (LAG). The 802.3ad port aggregation standard is only partially implemented. All ports of the controller's distribution system are combined into a single 802.3ad port channel, reducing the number of IP addresses required to configure the controller's ports. LAG provides link redundancy between the two devices, doubling bandwidth and expanding port flexibility. A logical channel (LAG) can be created by combining a number of physical ports under the control of the Link Aggregation Control Protocol (LACP), part of the IEEE specification (802.3az).

WLC Interface:

The Cisco Wireless Controller provides the necessary connectivity through an internal logical interface. These interfaces must be configured with an IP address, subnet mask, default gateway, and Dynamic Host Configuration Protocol (DHCP) server. Each interface is then assigned a physical port and VLAN ID.

WLC PORTS (Physical Interfaces):

Some ports may or may not be present, depending on the WLC model. All WLCs have a console port and a distribution system port.

1. Redundancy Port: This port is used for deployment architectures that support High Availability (HA) when two WLCs are available. In this configuration, the Redundancy Port acts as a physical connection between the two WLCs via an Ethernet cable. Role negotiation between the primary and secondary controllers takes place over the redundancy ports, which are also used to synchronize configuration and operational data. The Redundancy Port checks peer availability by sending a UDP keepalive message from the hot standby WLC to the active WLC every 100 ms. Finally, the redundant port IP address is always, which is the first two bytes.

2. Service Port: In the event of a network failure, the service port is used for system recovery and maintenance and for out-of-band management of the controller. Note that service ports do not support VLAN trunking or VLAN tagging and should be connected to access ports on the switch. It is also not recommended to connect the service port to the same VLAN as the wired clients' network, because this may prevent the administrator from accessing the controller's management interface (more on this later).

3. SFP/Ethernet Distribution System Ports: The WLC's most important port is the distribution system port. It connects the internal logical interfaces (explained later) and wireless client traffic to the rest of the network. High-end WLCs, such as the WLC 5500 series mentioned earlier, are equipped with multiple SFP-based distribution system ports that allow an engineer to connect the WLC to the network backbone in a variety of ways. By using the right SFP, you can connect a fiber optic or Ethernet copper interface to the SFP port. Low-end WLCs such as the WLC2504 and the older WLC2100 series only offer Ethernet ports, as only a few access points are supported. For example, the WLC2125 has up to 8 FastEthernet ports and supports up to 25 access points, while the WLC2504 offers up to 4 Gigabit Ethernet ports and can support up to 75 access points.

WLC PORTS (Logical Interfaces):

Understanding the function of each logical interface is essential to successfully installing and operating a Cisco WLC-based wireless network. The WLC’s logical interfaces are used for various tasks such as managing controllers, access points, user data, and managing wireless SSIDs broadcast by access points.

1. Management Interface: The management interface is the default interface for controlling and using the WLC. Access points also communicate with the WLC through the management interface. The IP address of the management interface, which is the only pingable IP address, is used by the administrator to manage the WLC.

The administrator can access the WLC's configuration GUI by entering the management interface IP address in a web browser and logging into the system.

2. AP-Manager Interface: Once the lightweight access points have joined the controller, all Layer 3 communications take place through one or more AP-manager interfaces that the controller may have. The AP-manager IP address is used as the tunnel source when sending CAPWAP/LWAPP packets from the controller to the access point and as the destination IP address when sending packets from the access point to the controller. Although models like the WLC2504 and WLC5508 lack a standalone AP-manager interface, setting one up and utilizing it is optional. Certain models have a setting in the management interface settings called “enable dynamic AP management,” which enables simultaneous usage of the management interface as an AP-manager interface. According to the documentation published by Cisco, each AP-manager interface is capable of supporting up to 48 access points. This limit has reportedly been raised to 75, since the most recent firmware upgrade allows the smaller WLC model (2504) to support up to 75 access points with a dual management/AP-manager interface. A number of AP-manager interfaces should be set up if you install more access points.

3. Virtual Interface: Virtual interfaces provide DHCP relay functionality, guest web authentication, VPN termination, and other services used to manage and support wireless clients. The virtual interface performs two main functions:

  • Acts as a temporary DHCP server for wireless clients that obtain IP addresses from a DHCP server.
  • Used to direct the user to the web authentication login page (if configured).

Controllers and wireless clients are the only parties that can communicate using the IP address of the virtual interface. It does not appear on packets exiting the distribution port and traveling to the local network as a source or destination address. Finally, virtual interface IP addresses must be unique across the network. Therefore, is a commonly used IP address for virtual interfaces. For roaming between controllers to work properly without losing connectivity, each controller in the mobility group must be configured with the same virtual interface IP address.

4. Service Port Interface: The controller is managed out-of-band through the service port interface. If your management workstation is on a remote subnet, you may need to add IPv4 routes to manage the controller from the remote workstation. Note that the manager/AP-manager interface and service port IP addresses cannot be on the same subnet. WLC2124 and WLC2504 are small WLC devices without a service port interface.

5. Dynamic Interface: The easiest way to describe how dynamic interfaces work is to think of them as VLAN interfaces for your wireless networks (SSIDs). One dynamic interface is configured per WLAN/SSID. After a wireless network or SSID has been assigned to a dynamic interface, the dynamic interface is assigned to a specific VLAN network. As already mentioned, dynamic interfaces can be assigned to different physical distribution ports, allowing traffic from specific WLANs to be routed to the wired network through specific distribution ports. In this case, each distribution port carries only one VLAN on one access link. Another option is to map all dynamic interfaces to one distribution port and let it act as a trunk port carrying all WLANs and VLANs. This is a common configuration technique for small networks. The final requirement is that each dynamic interface must be on a different IP subnet or VLAN from all other interfaces. The WLC2504 controller can manage up to 16 SSIDs, thus supporting up to 16 VLANs and up to 16 dynamic interfaces.
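The addressing rules stated above for the logical interfaces can be checked before a configuration is pushed to a controller. The following audit is an added example, not part of the original article or of any Cisco tool: the plan layout, function names and all addresses are hypothetical and constructed for illustration. It flags a service port that shares a subnet with the management or AP-manager interface, dynamic interfaces that reuse a VLAN or overlap a subnet, and mobility group members whose virtual interface IP differs.

```python
from ipaddress import ip_interface
from itertools import combinations

FIXED = {"management", "ap-manager", "service-port"}


def audit_wlc(plan, max_dynamic=16):  # 16 is the WLC2504 figure quoted in the article
    """Return findings for one controller plan (hypothetical layout)."""
    ifs = {n: (ip_interface(c).network, v) for n, (c, v) in plan["interfaces"].items()}
    dynamic = sorted(n for n in ifs if n not in FIXED)
    findings = []

    # Out-of-band service port must not sit on the management/AP-manager subnet.
    if "service-port" in ifs:
        for peer in ("management", "ap-manager"):
            if peer in ifs and ifs["service-port"][0].overlaps(ifs[peer][0]):
                findings.append(f"service-port shares a subnet with {peer}")

    # Every dynamic interface needs its own subnet and VLAN.
    for a, b in combinations(sorted(ifs), 2):
        if a not in dynamic and b not in dynamic:
            continue
        (net_a, vlan_a), (net_b, vlan_b) = ifs[a], ifs[b]
        if net_a.overlaps(net_b):
            findings.append(f"{a} and {b} have overlapping subnets")
        if vlan_a is not None and vlan_a == vlan_b:
            findings.append(f"{a} and {b} share VLAN {vlan_a}")

    if len(dynamic) > max_dynamic:
        findings.append(f"{len(dynamic)} dynamic interfaces exceed the limit of {max_dynamic}")
    return findings


def audit_mobility_group(plans):
    """All controllers in a mobility group must use the same virtual interface IP."""
    vips = {p["name"]: p["virtual_ip"] for p in plans}
    return [] if len(set(vips.values())) <= 1 else [f"virtual interface IPs differ: {vips}"]


# Constructed sample plan: (CIDR, VLAN ID); the service port is untagged (None).
SAMPLE = {"name": "wlc-a", "virtual_ip": "192.0.2.10", "interfaces": {
    "management":   ("10.10.0.5/24", 10),
    "service-port": ("10.10.0.9/24", None),   # same subnet as management
    "staff":        ("10.20.0.1/24", 20),
    "guest":        ("10.20.0.129/25", 30),   # falls inside the staff subnet
}}
PEER = {"name": "wlc-b", "virtual_ip": "192.0.2.20", "interfaces": {}}

if __name__ == "__main__":
    print(audit_wlc(SAMPLE) + audit_mobility_group([SAMPLE, PEER]))
```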

Distribution Port – Link Aggregation:

The 802.3ad port standard allows you to combine the distribution ports of a WLC into one port. An administrator can do this to create a single aggregated connection between the local switch and the WLC. For example, the WLC2504 has 4 Gigabit Ethernet ports, which can be combined toward the adjacent switch to create a 4 Gigabit Ethernet connection with your wired network. To enable link aggregation, an EtherChannel must be set up on the local switch. The WLC does not support Link Aggregation Control Protocol (LACP) or Cisco's own Port Aggregation Protocol (PAgP), so it is important to set the switch to LAG. Only one LAG group is supported per controller.


The Cisco Wireless LAN Controller Interface was introduced in this article. We explored the functionality of all interfaces and ports on the WLC, including Ethernet distribution ports, service ports, redundancy ports, management interfaces, AP-manager interfaces, virtual interfaces, and dynamic interfaces.
