Cisco Lightweight Access Point and WLC Pairing

A Cisco Lightweight Access Point must be paired with a Wireless LAN Controller (WLC). Lightweight APs can be connected to the wired network without any configuration. However, the switch port where the AP connects must be configured with the right VLAN, access mode, and inline power settings.


Cisco Lightweight Access Point States

Cisco Lightweight Access Points enter various phases, from powering on to providing a Basic Service Set (BSS). It enters the following states in a precise sequence called a state machine:

  1. AP Boots – When an AP is powered on, it boots on a small IOS image, allowing it to progress through the remaining states. The AP obtains an IP address from a DHCP server or via static IP address configuration.
  2. WLC Discovery – The AP uses several processes to locate one or more wireless LAN controllers.
  3. CAPWAP Tunnel – AP tries to form a CAPWAP tunnel with the WLCs. The CAPWAP tunnel provides a secure Datagram Transport Layer Security (DTLS) channel for successive AP-WLC control messages. The AP and WLC authenticate one another by exchanging digital certificates.
  4. WLC Join – AP chooses a WLC from a list of possible options and sends it a CAPWAP Join Request message. The WLC sends back a CAPWAP Join Response message.
  5. Download Image – WLC notifies the AP of its software release. If the AP’s software release differs, it downloads a compatible image from the WLC. It then reboots to deploy the new image and returns to Step 1.
  6. Download Config – AP retrieves configuration parameters from the WLC. The existing values can be updated with those received from the WLC.
  7. Run State – WLC puts the AP into the run state after it has been properly initialized. Then, they will start offering a BSS and accept wireless clients.
  8. Reset – When a WLC resets an AP, it destroys all current client connections and CAPWAP tunnels to WLCs. The AP then reboots and repeats the state machine process.

Cisco Lightweight Access Point


Discovering Wireless LAN Controller

The AP sends a unicast CAPWAP Discovery Request to a controller’s IP address over UDP port 5246 or a broadcast to the local subnet to find a WLC. The available WLC sends back a CAPWAP Discovery Response. The discovery process involves the following:

  1. On its local wired subnet, the AP broadcasts a CAPWAP Discovery Request. The controllers on the subnet respond with a CAPWAP Discovery Response.
  2. An AP can be primed with three controllers, primary, secondary, and tertiary WLCs, stored in nonvolatile memory so the AP can remember them even after a reboot. If an AP has been associated with a WLC, it must have retained up to 8 WLC addresses from the previous controller’s list of 32 WLC addresses. The AP contacts numerous controllers to create a WLC candidates list.
  3. The DHCP server can also provide DHCP option 43 to recommend a list of controller IP addresses to the AP.
  4. The AP tries to resolve the name ‘CISCO-CAPWAP-CONTROLLER.domain-name’ with a DNS request. If the name resolves to an IP address, the AP tries to communicate with a WLC at that address.
  5. If not successful, the AP resets itself and restarts the discovery process.


Selecting Wireless LAN Controller

After the discovery, the AP initiates a separate process to choose and join one WLC. The AP sends a CAPWAP Join Request, and the WLC sends a CAPWAP Join Response. They will establish a DTLS tunnel to secure their CAPWAP messages. The WLC selection comprises the following:

  1. If the AP has formerly joined a controller and has been configured or primed with a primary, secondary, and tertiary WLC, it will attempt to connect with those in order.
  2. If the AP is unaware of any candidate controllers, it will attempt to find one. A master controller can reply to the AP’s request.
  3. To load balance APs, it will try to join the least-loaded WLC. During the discovery phase, every controller indicates its ratio of connected APs to its total AP capacity. The WLC with the lowest ratio is the least loaded.

The WLC platform or license indicates the maximum number of supported APs. If the WLC reaches the maximum, it will reject additional APs. The AP priority can be low, medium, high, or critical. The WLC attempts to accommodate high-priority APs. But once overloaded, it rejects the lowest-priority AP to accommodate higher-priority APs.


Maintaining WLC Availability

When an AP joins a Cisco wireless LAN controller, it must remain connected. The APs will fail if the controller fails, affecting the wireless network. A Cisco wireless Access Point can discover multiple controllers. If the connected WLC fails, the AP can join the next least-loaded controller. A wireless client doesn’t have connectivity during this period, so the AP’s primary, secondary, and tertiary controller fields are leveraged in this situation.

When an AP joins a WLC, it sends keepalive messages at regular intervals through the wired network. Keepalives are transmitted every 30 seconds by default. The controller responds to each keepalive as proof that it’s working. If there’s no response, the AP sends four additional keepalives at 3-second intervals. If there’s still no response, the AP assumes the controller has failed and will immediately discover and join another WLC.

By default, an AP may detect a controller failure within 35 seconds. The keepalive timer can be configured between 1-30 seconds. A failure can be recognized after 6 seconds using minimal settings.


WLC High Availability with SSO Redundancy

WLCs support High Availability (HA) with Stateful Switchover (SSO) redundancy. SSO puts controllers into HA pairs, with one controller as an active controller and the other in hot standby mode.

Each AP discovers the HA pair and creates a CAPWAP tunnel to the active controller. The hot standby WLC synchronizes with the active WLC’s CAPWAP tunnels, AP and client states, configurations, and image files.  If the active controller fails, the standby controller will have the latest AP and client status information, keeping the failover process transparent.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: