The Cisco Wireless LAN Controllers

Author: Herbert Haas
herbert AT perihel DOT at
Revision: 0.5
Date: 2007-10-29
Copyright: Copyright (c) 2007 Herbert Haas.


This document summarizes important facts about Cisco's WLAN Controllers (WLCs). It is not a WLAN tutorial. Note that Cisco-related explanations or recommendations are provided as is, without any warranty - please consult for more detailed information. The reader should already be familiar with WLAN fundamentals (see e. g. my WLAN lecture notes). If you find any mistakes please send me an E-Mail, thanks!


1   WLC

1.1   General Facts

  • CDP version 2 is supported on 2X00 and 440X series (not in integrated WLCs such as WiSM, WLCM etc)

  • Virtual Interface used by layer 3 security, DHCP relay, and Mobility Managers

  • up to 17 Radius Servers per WLAN.

  • RFID timeout on WLC should be 8-10 times the tag beacon rate.

  • Max 512 VLANs

  • ESM - 1 for 4402, 2 for 4404, 1 Gbit and 1000 clients per ESM.

  • Can control up to 16 WLANs for each 10X0 series AP and 8 WLANs for the 1130/1200/1230 and 1240 series AP

  • Radius server index -> priority

  • Up to 3 rogues can be concurrently contained by a single AP with a maximum of 4 APs one rouge can be contained

  • All Multicast packets are send at the lowest QoS level.

  • AP Power level settings:

    • 1= Max
    • 2= 50%
    • 3= 25%
    • 4= 6.25% to 12.5%
    • 5= 0.195% to 6.25%
  • The WLC keeps up to 5 controller crash files.

  • An Access List (ACL) can be applied either on a VLAN interface or on a specific WLAN:

    config wlan acl [<Wlan id>] [<ACL name> | none]

    The same is true with MAC filters.

  • Maximum 256 message logs are stored locally (FIFO). Use external syslog server!

1.2   Etherchannel - Link Aggregation

When a WLC (4404 or WiSM) LAG port is connected to a Catalyst 6500 channel group (or Cat 3750G) then note the following rules:

  • Without LAG, each WLC port only supports 48 LAPs. With LAG enabled the total LAP capacity is available to all interfaces! That is if on a 4404 e. g. three interfaces fail the remaining can handle up to 100 LAPs. With LAG only one functional physical port is needed to maintain connectivity!

  • LAG requires the Etherchannel to be configured for the "on" mode on both the WLC and the switch. There is not negotiation protocol supported on the WLC.

  • Therefore it does not matter if the switch is configured with either Link Aggregation Control Protocol (LACP) or the Cisco Port Aggregation Protocol (PAgP). Both LACP and PAgP are not supported on the controllers.

  • On the switch a load-balancing method must be chosen that terminates all IP datagram fragments on a single WLC port pair. On the 4404 there is one Network Processing Unit (NPU) for fragment reassembly for ports 1+2 and another NPU for ports 3+4. (On the 4402 there is only a single NPU for ports 1+2 so there is no problem with load balancing.)

    • The recommended load-balancing method for Catalyst switches is port-channel load-balance src-dest-ip.
  • All WLC ports must belong to the same LAG group! Only one LAG group is supported, therefore the WLC can only be attached to one switch (otherwise disable LAG mode). However it is recommended to terminate the links on different modules on a modular switch. Terminating on two different modules within a single Catalyst 6500 switch provides redundancy and ensures that connectivity between the switch and the controller is maintained when one module fails.

  • HSRP is NOT supported!

  • Any change to the LAG configuration requires a controller reboot.

  • When enabling LAG:

    1. Mgmt and AP-Mgr interfaces move to the LAG port
    2. All dynamic AP-Mgr interfaces are deleted
    3. VLAN interfaces are moved to LAG port
    4. WLANs are disabled and mapped to the Mgmt interface - you need to reassign them to the VLANs!
    5. You can only create interfaces on the LAG logical port 29.

    All packets are transmitted over that physical ports where the packets were received.

  • When disabling LAG:

    1. Mgmt and AP-Mgr interfaces as well as VLAN interfaces move to port 1
    2. You should define secondary ports for all interfaces (for backup)
    3. You must assign AP-Mgr interfaces to each port

    Packets can be forwarded over any port no matter where it originally came in.

  • LAG is enabled per default and cannot be disabled on the WiSM and on the integrated WLC inside the Catalyst 3750G.

PAgP switchover takes at least 30 seconds, which is too slow to maintain certain traffic (for example, TCP) when switching from port to the other. There is no workaround for this limitation.

LAG configuration on the switch:

interface GigabitEthernet1/0/18
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on !!! specifying a channel group number forces LAG without PAgP or LACP
interface GigabitEthernet1/0/20
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 30 mode on !!! specifying a channel group number forces LAG without PAgP or LACP

1.3   LWAPP Protocol Issues

  • Destination ports:

    • Data: 12222
    • Control: 12223

    For each tunnel the AP is the client and uses a random source port.

    That means a firewall must permit:

    • UDP traffic with destination port 12223 for the Ḿanagement interface
    • UDP traffic with destination port 12223 and 12223 for the AP Manager interface
    • And of course TCP 443 and TCP 22 on the Management port
  • Observed (FYI):

    • From SP=12221 (AP) to DP=12222 (WLC-Data)
    • From SP=12223 (WLC-Control) to DP=52799
  • Inter-controller messages

    • 16666 to 16666 and 16667 to 166667 (mobility traffic)
    • WLCs must not be separated by NAT because the WLC's IP address is also carried inside the (encrypted) packets and compared with the header source address. See Controller Hunt Algorithm for further details.
  • LWAPP discovery response contains:

    • controller name
    • controller type
    • current number of APs (load)
    • AP capacity
    • AP Manager ip address
    • Master Controller status
  • L2 LWAPP uses Ethertype 0xbbbb

1.4   DHCP Issues

1.4.1   LAP Deployment via DHCP

Using DHCP option 43 a DHCP server can announce the IP addresses of WLCs to LAPs. The native LWAPP-APs expect option 43 to be a simple ASCII string while converted APs need a hexadeximal TLV.

It is possible to mix both AP types because every LAP appends DHCP option 60 (the Vendor Class Identifier, VCI) to its DHCP request. A typical DHCP configuration on a Cisco router would therefore look like this:

ip dhcp pool POOL-1000er
  network /24
  option 60 ascii "Airespace.AP1200" ! identifies 1000 series
  option 43 ascii ","
ip dhcp pool POOL-1200er
  network /24
  option 60 ascii "Cisco AP c1200"
  option 43 hex f108ac1a0c59c0a80a09

Note that there must be a dedicated DHCP section for each AP type. The first pool identifies all 1000 series LAPs and assigns the primary WLC IP address and as secondary WLC address. The second pool matches all 1200 series LAPs (such as the 1231 but not the 1240!) and assigns a strange TLV which consists of:

  • Type = f1 (must always be this value!)
  • Length = 08 which announces 8 bytes of value following (2 IP addreses)
  • Value = ac1a0c59 and c0a80a09 which corresponds to the IP addresses and respectively

The VCI strings for all current Cisco APs are listed in the table below. Please note the odd VCI numbering and the dot in some fields. (The strings are really correct, I verified them twice ;-))

Access Point Vendor Class Identifier
1000 Airespace.AP1200
1100 Cisco AP c1100
1130 Cisco AP c1130
1200 Cisco AP c1200
1240 Cisco AP c1240
1300 Cisco AP c1300
1500 Cisco AP.LAP1510

1.4.2   WLC as DHCP Relay

The WLC acts as a DHCP relay device through the virtual interface. The virtual IP is used downstream to the client and the Management-IP is used upstream to the DHCP server!

Debugging: debug dhcp packet enable

1.4.3   Internal DHCP Server

The internal DHCP server is primarily used for WLAN clients; on the VLAN interface you MUST specify the Management interface IP address.

Before WLC software version 4.0 the internal DHCP server could only assign IP addresses to clients and not to LAPs. (Now it is possible but the LAPs should be directly connected to the WLC. Also, you cannot share a DHCP scope between two or more WLCs.)

1.5   Controller Hunt Algorithm

When a LAP boots up it performs three steps:

  1. Get an IP address (DHCP)

  2. Create a List of reachable WLCs. The reachability is verified via an LWAPP discovery request/response mechanism. In order to find valid WLC IP addresses, the LAP does the following:

    1. The LAP sends a L3-LWAPP discovery message to (if L2-LWAPP is configured then only a L2 broadcast is used)
    2. The LAP checks whether IP addresses of any previously joined WLCs are stored in its flash
    3. The LAP asks other LAPs using its radio interface and the Over the Air Provisioning (OTAP) protocol
    4. The LAP checks whether a DHCP server sent WLC addresses via DHCP option 43
    5. The LAP tries a DNS name resolution for the name CISCO-LWAPP-CONTROLLER@local-domain
  3. Select one WLC based on a priority scheme:

    1. Prefer WLCs that are already stored in the flash. (The primary is tried first, the tertiary last.)
    2. Prefer the WLC with the Master Controller Flag set. This flag is included in the header of a discovery response.
    3. Prefer the least loaded WLC. Every WLC announces the number of already connected LAPs via the discovery response.

Note that the Master Controller Mode is disabled after reboot or SW upgrade.

  • On the WLC's AP pages enter the names of the primary, secondary, and tertiary WLC. Do NOT enter their IP addresses! Use the same names as can be seen on the monitor general page.

    When a LAP associates to the primary WLC, this WLC will automatically send the IP addresses of the secondary and tertiary WLCs to the LAP.

  • After a LAP joins a WLC, the LAP learns the IP addresses of other WLCs in that mobility group from its joined WLC.

  • Subsequently, the AP sends LWAPP primary discovery requests to each of the WLCs in the mobility group.

  • The WLCs respond with a primary discovery response to the LAP. This message includes information about the WLC type, the total capacity, and current AP load.

  • As long as the WLC has the AP Fallback parameter enabled, the AP can decide to change over to a less-loaded WLC.

1.5.1   MTU Detection (Jumbograms)

  1. The LAP will send the LWAPP join request as a padded jumbo frame (1596 bytes).
  2. If the join response to the jumbo frame is not received, the LAP sends an LWAPP Join Request as a standard (1500 bytes) frame.
  3. The LAP cycles between jumbo and regular LWAPP join messages until an LWAPP Join Response is received or both sizes have been retransmitted three times. If no LWAPP Join response is received, the LAP abandons the WLC and searches for a new one.

1.6   LAP Failover

  • Place WLCs in the same Mobility Group, then the LAP failover is "seamless" (typically 30-80 seconds switchover delay to the other WLC).

  • What happens when you power down the primary WLC:

    1. Each associated LAP waits for the heartbeat timeout (30 seconds)
    2. Then each LAP sends 7 heartbeats (one per second) to the WLC
    3. Then each LAP searches another WLC using the default process
  • Optionally the heartbeat can be reduced down to 1 second

1.7   REAP

Note: max WAN RTT is 100 ms, the minimum datarate is 128 kbit/s.

Between the access point and the controller, a minimum of a 500 byte MTU is supported.

1.7.1   Legacy REAP Mode

The 1030 REAP can only reside on a single subnet because it cannot perform IEEE 802.1Q VLAN tagging. However, wireless traffic can still be segmented into different SSIDs but on the wired side all traffic is placed into the same VLAN.

When the WLC is not reachable only WLAN 1 is supported by the REAP. You should use a non-AAA based security policy for WLAN 1 such as WPA-PSK.

1.7.2   Hybrid REAP (H-REAP)

The H-REAP mode is supported by the lightweight 1130AG and 1240AG access points. The H-REAP may send data traffic back to the WLC but can also perform local switching.

The main differences to the legacy REAP mode are that H-REAP supports:

  • 802.1Q tagging -- even when the WLC is unreachable up to eight standalone VLANs are supported
  • Layer-3 authentication methods
  • QoS
  • LWAPP fragmentation with more than two fragments
  • NAC
  • Radio Management


  • On the WLC you must configure both centrally switched and locally switched WLANs.

  • For the locally switched WLAN choose WPA-PSK and under the WLAN/Advanced tab check the H-REAP Local Switching check box.

  • On the Wireless/Details page select the H-REAP role.

    • On the same page (right) a H-REAP Configuration section appears: Check VLAN Support and enter the number of the native VLAN. All other VLANs will be configured automatically and correspond to the VLAN interface settings of the WLC.
    • Below, click VLAN Mappings and enter the VLAN number from which the clients will get an IP address when doing local switching.

1.8   RF-Groups and Auto-RF

  • If APs on different WLCs hear validated (same RF group name) neighbors at -80 dBm or stronger they form dynamically an RF group
  • RRM algorithms run at 600 seconds interval by default
  • WLAN status message every 15 seconds 3x is dead timer
  • Up to 20 WLCs can be member of one RF group.
  • Up to 1000 LAPs may be used in total.
  • You need at least 4 LAPs so that Auto-RF (Radio Resource Management, RRM) can work.
  • Every 10 minutes one WLC (the Group Leader) decides if a channel/power adjustment is necessary.

The Group Leader is dynamically elected and cannot be chosen by an administrator. The RF group leader analyzes the real-time radio data collected by the group and calculates a master power and channel plan with -65 dBm on the cell borders.

1.8.1   Configurable RF Parameters

Auto-RF uses fixed and some configurable parameters. The following parameters can be configured:

Parameter Default Value Description
Interference 10% Specifies the maximum percentage of interference every LAP may detect.
Clients 12 Specifies the maximum number of clients that may be associated on every LAP. Range: 1-75
Noise -70 dBm Specifies the maximum noise power level on every LAP. Range: −127 to 0 dBm
Coverage 12 dB @ 2.4 GHz, 16 dB @ 5 GHz Specifies the lowest allowable SNR on every LAP. If the measured SNR drops below this coverage parameter then a coverage hole exists and the transmit power of the surrounding LAPs will be increased. Range: 3 to 50 dB
Utilization 80% Specifies the percentage of time a LAP may consume for transmissions.
Coverage Exception 25% Specifies the percentage of clients per LAP that experience a SNR below the coverage level but cannot roam to another LAP.
Data Rate 1000 Kbit/s Specifies the lowest allowable data rate a LAP can use for sending or receiving data. Range: 1 to 1000 Kbit/s
Client Min Exception Level 3 Specifies the maximum number of clients on a LAP that may experience a lower SNR as specified by the Coverage parameter. That is, the Client Min Exception Level indicates the number of clients necessary to trigger a Coverage Alarm if the Coverage Exception is also violated at the same time. A coverage alarm causes an SNMP trap. Range: 1 to 75

Additionally, an administrator can configure a (country-specific) channel list, as well as some monitor intervals. The table below shows the default monitor values:

Measurement Interval
Noise 180 s
Traffic Load 60 s
Receive Signal Power 60 s
Coverage (SNR) 180 s

Note that Noise=180s means that every AP must perform a noise scan through all channels within 180 seconds then send a report to the WLC (when LAP in local mode).

Country Code
WLC software version 4.0 only allows to configure one country code per WLC. Since version 4.1 one WLC can be configured for up to 20 county codes (to control LAPs in various different regulatory domains).

1.8.2   Unconfigurable RF Parameters

The following parameters are set by the manufacturer or created dynamically and cannot be changed:

Power Threshold and Neighbor Count
The WLC reduces the transmit power of the LAPs such that at maximum Neighbor Count LAPs can detect other LAPs at a receive power greater than Power Threshold.
Power Update Contribution
This setting specifies which quantity should trigger a recalculation of the power settings. These quantities are: load (L), signal (S), noise (N), and interference (I).
Power Assignment Leader
This variable tells which WLC is the actual RF Group Leader. The MAC address of the RF Group Leader is determined.
Last Power Level Assignment
This value indicates the last time a power level assignment had been performed.

1.9   Mobility and Mobility Groups

  • Up to 24 WLCs can be member of one mobility group (or up to 12 WiSMs = 3600 LAPs).
  • Traffic to Client (roamed) via the Anchor system and via EoIP to Foreign
  • Traffic from Client via the Foreign System.
  • Uses ports 16666 and 16667
Normal Mobility Event (Roam)
'Client Announce', 'No handoff'
Mobility Anchor Event
'Anchor Export Request', 'Anchor Export Request ACK', 'Export Foreign', 'Export Anchor'

1.9.1   From Foreign Controller Perspective

Output of the show debug mobility enable shows:

  1. Send: Mobile Announce
  2. Send: Anchor Export Request
  3. Receive: Received Anchor Export Ack
  4. Role: Export Foreign
  5. Action: Plumbing duplex mobility tunnel to

Hint: Look for receipt of final message in tunnel sequence "Received Anchor Export Ack".

1.9.2   From Anchor Controller Perspective

Output of the show debug mobility enable shows:

  1. Receive: Mobile Announce
  2. Receive: Anchor Export Request
  3. Send: Anchor Export Ack
  4. Message: Export Anchor, Plumbing duplex mobility tunnel

1.9.3   Fast Secure Roaming

A EoIP tunnel is created for every roaming client!

1.9.4   Auto-Anchoring / Guest Tunneling

This feature allows to restrain client traffic to a specific subnetwork no matter about their physical location. For example the whole guest WLAN traffic can be tunneled to an Anchor WLC placed in a DMZ of a firewall. Obviously the firewall must permit LWAPP traffic.


  • A subset of the WLCs of the mobility group can be configured as anchors for a WLAN. Configure the same set of WLCs on all WLCs of the mobility group! Each WLC sends a controller status message every 15 seconds. After three missing status messages that WLC is considered inactive.

  • As soon as the first client for an auto-anchored WLAN associates to the initial contact WLC, this WLC sends an announcement message to all other WLCs in the mobility group. If this announcement remains unanswered the WLC chooses any (usually the first) Anchor WLC in the list (of configured Anchor WLCs) and establishes an EoIP tunnel to that anchor.

    Note: Each SSID requires a tunnel from the WLC to an Anchor WLC.

    The anchor WLCs may send a handoff message as announcement response to equally distribute the EoIP tunnels (usually on a round robin basis.)

  • Client traffic always travels a symmetric path.

  • Every WLC creates one EoIP tunnel for all associated clients (for that remotely anchored WLAN).

  • The mobility anchor of the local controller must point to the anchor controller, and the mobility anchor of the anchor controller must point to itself.

  • Each anchor controller supports up to 40 EoIP tunnels from various WLCs.

  • A 2000 series WLC cannot be configured as anchor.

  • Auto-anchored WLANs do not support IPsec and L2TP Layer 3 security policies. Web Authentication is supported and performed by the Anchor WLC.

1.10   WLAN Override

  • If not all SSIDs should be visible from every AP
  • Simply select all SSIDs that should be supported by one or more selected APs
  • Either from the WLC: Wireless > Radios 802.11b/g/n enable WLAN Override and selet the desired SSIDs from the list
  • Easier: From the WCS configure an appropriate AP Configuration Template

1.11   AP Groups

  • Idea: when you have multiple locations, want to support the same SSID everywhere, but map that SSID in different (typically location-specific) VLANs.

  • Configuration from the Controller:

    1. Controller > Interfaces - Add your desired VLAN interface for that location.
    2. WLANs - Select your WLAN and assign a default VLAN interface or a dummy VLAN interface which is not assigned in any switch's VLAN database (so it will not provide connectivity)
    3. WLANs > Advanced - Create a new AP Group and an associated SSID to VLAN mapping
    4. Wireless > All APs - Select your APs in that locations, and under the Advanced tab, add this AP to your AP Group.

1.12   Aggressive load balancing

  • Normally (without Aggressive Load Balancing) clients automatically prefer another AP when the current AP has already 12 clients associated. This leads to an automatic load balancing.
  • Aggressive Load Balancing tries to evenly distribute all clients of one WLC. By default the threshold is 3 clients per LAP.
  • Requires client to be 'heard' for at least 5 seconds
  • WLC monitors acceptable RSSI and SNR value
  • Controller will list up to 8 possible APs per client
  • Association response contains status code=17 to prevent the client to associate
  • A Window value can be used to configure a tolerance. A client is only denied from association if the desired AP has more clients associated than the best alternative AP has plus this window value. Default: 0.

Note: The WLC only uses the user timeout and session timeout settings to terminate client sessions if aggressive load balancing is disabled.

1.13   Standard IDS Signatures on WLC

  • Bcast Deauth
  • NULL probe resp
  • Floods of Assoc, Reassoc, Probe, Disassoc, Deauth, EAPoL, Mgmt Frame
  • Res mgmt 6&7, D, E&F
  • Netstumbler 3.2.0, 3.2.3, 3.3.0, generic
  • Wellenreiter
  • FakeAP
  • AP impersonation
  • Spoofed deauth frame
  • FATA Jack
  • Honeypot AP
  • Monkey Jack
  • MITM
  • Broadcast deauth frame
  • Valid stations, invalid SSID
  • Invalid OUIs
  • WEP Weak IV detection

1.14   Web Authentication

  • The maximum number of local users in the local database:

    • Absolute maximum: 2048
    • Default-maximum: 512 [Security>General]

The configured datavase size is shared by local management users (including lobby ambassadors), net users (including guest users), MAC filter entries, and disabled clients.

1.15   Client exclusion policy, number of trials

Excessive 802.11 Association Failures
Clients are excluded on the sixth 802.11 association attempt, after five consecutive failures.
Excessive 802.11 Authentication Failures
Clients are excluded on the sixth 802.11 authentication attempt, after five consecutive failures.
Excessive 802.1X Authentication Failures
Clients are excluded on the fourth 802.1X authentication attempt, after three consecutive failures.
IP Theft or IP Reuse
Clients are excluded if the IP address is already assigned to another device.
Excessive Web Authentication Failures
Clients are excluded on the fourth web authentication attempt, after three consecutive failures.

1.16   Rogue AP/Client Containment

  • Up to 4 APs can be used for containment of a rogue
  • Using more AP for containment
  • Only up to 3 rogues to be concurrently contained by any single access point

1.17   Quality of Service (QoS)

1.17.1   Downstream (from WLC to client)

  1. The WLC receives a marked packet destined for a WLAN client. The WLC encapsulates this packet with an LWAPP header and copies the inner 802.1P and DSCP values to the outer (Ethernet and IP) headers. The downstream switched or routed network can act on these labels.
  2. A LAP does not mark any packets with a QoS label. (This is also true for autonomous APs.) But the LAP recognizes the DSCP label (actually the outer) in incoming packets and can perform some configured queuing methods (e. g. WMM or 802.11e) when it forwards these frames on the wireless port.

1.17.2   Upstream (from client to WLC)

  1. When a WMM or 802.11e capable client (e. g. a 7920) send traffic to the LAP it already marks every packet with a DSCP label.
  2. The LAP encapsulates the IP packet with LWAPP and maps the 802.11e priority to the outer DSCP field (in the tunnel IP header). Note that there is no 802.1P tag for the frames running upstream to the WLC.
  3. Eventually, the WLC decapsulates the packets and forwards them to the upstream network. For every packet the WLC maps the (inner) DSCP value to an 802.1P tag.

1.17.3   AVVID (Re-)Markings

  • The LWAPP Control packets are always marked with DSCP=56 and 802.1p=7.
  • The new marking recommendation for Voice Control us DSCP 24 (not 26).
Traffic Type Cisco AVVID IP DSCP Cisco AVVID 802.1p UP IEEE 802.11e UP
Network Control 56 7 7
Reserved 48 6 --
Voice 46 (EF) 5 6
Video 34 (AF41) 4 5
Voice Control 26 (AF 31) 3 4
Background Gold 18 AF21) 2 2
Background Silver 10 (AF11) 1 1
Best effort 0 (BE) 0 0,3

2   Addendum

2.1   Disable Mode Button

When autonomous APs are upgraded into lightweight mode the WLC can tell them to disable the Mode button:

config ap reset-button {enable | disable} {ap-name | all}

The reset button on converted APs is enabled by default.

2.2   Check Certificate Issues

Especially to troubleshoot upgraded APs (i. e. from autonomous to lightweight) sometimes the Discovery and Join handshake must be observed:

debug lwapp errors enable
debug pm pki enable           !!! This shows certificate problems in detail (also the signature!)

show auth-list