Category: CCNA

The Cisco Catalyst 9800 Series Wireless Controllers run on IOS-XE, offering improved scalability, security, and programmability. This guide covers the basic setup and configuration of a Cisco 9800 WLC using both CLI and GUI.

---

1. Initial Setup of Cisco 9800 WLC

Before starting, ensure:
✔ You have console or SSH access to the WLC.
✔ The WLC is powered on and connected to the network.
✔ APs can communicate with the WLC via CAPWAP.

Step 1: Access the WLC

You can access the Cisco 9800 WLC through:

• Console Connection: Using a serial cable and a terminal emulator like PuTTY.
• Web GUI: Open a web browser and go to https://<WLC-Mgmt-IP>.
• SSH: If enabled, use ssh admin@<WLC-Mgmt-IP>.

---

2. Basic WLC Configuration Using CLI

Step 2: Set Up Management Interface

configure terminal
interface GigabitEthernet1
 ip address 192.168.1.100 255.255.255.0
 no shutdown
exit

🔹 Assigns an IP to the management interface and brings it up.

Step 3: Configure Hostname and Domain

configure terminal
hostname WLC-9800
ip domain-name example.com
exit

Step 4: Set Up Time and NTP

configure terminal
clock timezone IST 5 30
ntp server 192.168.1.1
exit

🔹 Ensures accurate time synchronization.

Step 5: Create a VLAN Interface

configure terminal
interface Vlan10
 description Wireless VLAN
 ip address 192.168.10.1 255.255.255.0
exit

🔹 Assigns VLAN 10 for wireless clients.

---

3. Configure WLAN and Security

Step 6: Create an SSID (WLAN)

configure terminal
wlan MyWiFi 1 MyWiFi
 no shutdown
exit

🔹 Creates an SSID named “MyWiFi”.

Step 7: Assign VLAN to the WLAN

configure terminal
wlan MyWiFi 1 MyWiFi
 client vlan 10
exit

🔹 Maps WLAN to VLAN 10.

Step 8: Configure WPA2-PSK Security

configure terminal
wlan MyWiFi 1 MyWiFi
 security wpa akm psk
 security wpa psk set-key ascii MySecurePassword
exit

🔹 Enables WPA2-PSK authentication with a secure key.

---

4. Configure APs to Join the WLC

Step 9: Enable CAPWAP and AP Join Settings

configure terminal
ap profile default-ap-profile
 capwap preferred-mode ipv4
exit

🔹 Ensures APs use CAPWAP for communication.

Step 10: Verify APs

show ap summary

🔹 Displays a list of connected APs.

---

5. Enable DHCP for Wireless Clients

Step 11: Configure DHCP on WLC

configure terminal
ip dhcp pool WirelessClients
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8
exit

🔹 Assigns IPs dynamically to wireless clients.

---

6. Save and Verify Configuration

Step 12: Save Configuration

write memory

🔹 Saves the configuration permanently.

Step 13: Verify WLAN and AP Status

show wlan summary
show ap summary
show wireless client summary

🔹 Displays configured WLANs, connected APs, and wireless clients.

---

7. Configuring WLC Using Web GUI

Login to Web GUI:

Open a web browser and go to https://<WLC-Mgmt-IP>.

Login with admin credentials.

Basic Setup Wizard:

Navigate to Configuration > Setup > Start and follow the wizard.

Create an SSID (WLAN):

Go to Configuration > Tags & Profiles > WLANs

Click Add, enter SSID Name, and choose Security Type (WPA2-PSK).

Assign VLAN & Interface:

Go to Configuration > Interface

Create VLAN 10 and assign it to the SSID.

Enable APs:

Go to Configuration > Wireless > Access Points

Verify APs are registered.

---

8. Troubleshooting Common Issues

Issue	Solution
APs not joining WLC	Check CAPWAP settings, ensure APs can reach WLC.
Clients not getting IPs	Verify DHCP settings and VLAN assignments.
Weak Wi-Fi signal	Adjust AP placement, power levels, and channel settings.
WLC GUI not accessible	Ensure HTTP/HTTPS access is enabled.

---

9. Summary

✅ Basic WLC setup: Management IP, VLANs, DHCP.
✅ Configure SSID & Security: WPA2-PSK authentication.
✅ Ensure APs join WLC: CAPWAP enabled, VLANs mapped.
✅ Save and verify configuration.

This guide covers the essential steps to configure a Cisco Wireless LAN Controller (WLC) for basic wireless connectivity.

---

1. Initial Setup of Cisco WLC

Before configuring the WLC, ensure:
✔ You have console access via CLI (Command Line Interface) or GUI (Graphical User Interface).
✔ The WLC is powered on and connected to the network.
✔ The APs can communicate with the WLC via CAPWAP.

Step 1: Connect to the WLC

You can access the WLC using:

• Console Connection: Using a serial connection and tools like PuTTY or Tera Term.
• Web GUI: Open a web browser and go to https://<WLC-IP-Address>
• SSH: If enabled, use ssh admin@<WLC-IP-Address>

Step 2: Configure Basic Settings (Using CLI)

Use the setup wizard or enter the following manually:

config time ntp server 192.168.1.1  # Set NTP server
config time timezone IST -5 30      # Set timezone
config country IN                   # Set country code
config mgmt ip 192.168.1.100 255.255.255.0 192.168.1.1  # Assign management IP
config save                          # Save configuration

---

2. Configuring Basic Wireless Settings

Now, configure the WLAN (SSID) and associate it with an interface.

Step 3: Create a VLAN & Interface

config interface create VLAN10 10
config interface address VLAN10 192.168.10.1 255.255.255.0 192.168.10.254
config interface vlan VLAN10 10
config interface port VLAN10 1
config interface dhcp VLAN10 primary 192.168.10.2
config save

Step 4: Create a Wireless SSID

config wlan create 1 MyWiFi VLAN10
config wlan security wpa2 enable 1
config wlan security wpa2 aes enable 1
config wlan security wpa2 psk set-key 1 MySecurePassword
config wlan enable 1
config save

---

3. Configure APs to Join the WLC

Ensure APs are set to CAPWAP mode and can discover the WLC.

Step 5: Enable AP Management

config ap mgmt-vlan enable
config ap primary-base WLC-Name 192.168.1.100 AP-MAC
config save

Step 6: Verify AP Connection

show ap summary

---

4. Enabling DHCP for Wireless Clients

The WLC can use an external DHCP server or its own DHCP service.

Step 7: Enable DHCP on WLC

config dhcp create-pool MyPool
config dhcp address range 192.168.10.50 192.168.10.100 MyPool
config dhcp dns-servers 8.8.8.8 MyPool
config dhcp enable MyPool
config save

---

5. Save and Verify Configuration

Step 8: Save Configuration

config save

Step 9: Verify Settings

show wlan summary
show interface summary
show ap summary

---

6. Access WLC GUI for Management

Open a web browser and go to:
https://<WLC-IP-Address>

Log in using admin credentials.

Navigate to WLANs > Create a New WLAN to manage SSIDs.

Configure Security Settings (WPA2/WPA3, 802.1X).

Save and apply the settings.

---

7. Troubleshooting Common Issues

Issue	Solution
APs not joining WLC	Ensure APs have correct CAPWAP settings and IP connectivity.
Clients not getting IPs	Check DHCP configuration on WLC or external DHCP server.
Weak signal or coverage issues	Adjust AP placement, power levels, and channel settings.
WLC unreachable via GUI	Ensure HTTP/HTTPS access is enabled on the WLC.

---

8. Summary

✅ Basic WLC setup: IP, timezone, country, VLANs.
✅ Create SSID & Security: WPA2/WPA3 authentication.
✅ Configure APs: Ensure APs join the WLC correctly.
✅ Enable DHCP: Assign IPs dynamically to wireless clients.
✅ Save and verify the configuration.

Cisco Access Points (APs) operate in different modes based on deployment needs. These modes define how the AP interacts with the Wireless LAN Controller (WLC) and how traffic is handled.

---

1. Overview of Cisco AP Modes

AP Mode	Description	Use Case
Local Mode	Default mode; APs tunnel all traffic to the WLC using CAPWAP.	Campus networks, centralized deployments.
FlexConnect Mode	APs can locally switch traffic without tunneling to WLC, useful for remote sites.	Branch offices, sites with limited WAN bandwidth.
Monitor Mode	AP does not serve clients; instead, it scans the RF environment for rogue APs and security threats.	Wireless intrusion detection (WIDS/WIPS).
Sniffer Mode	AP captures and forwards packets to a protocol analyzer (e.g., Wireshark) for analysis.	Troubleshooting and performance monitoring.
Bridge Mode	AP acts as a point-to-point or point-to-multipoint bridge, extending network coverage.	Outdoor wireless links, building-to-building connections.
Flex+Bridge Mode	Combines FlexConnect and Bridge Mode for remote sites requiring local switching.	Remote sites with specific network needs.
SE-Connect Mode	AP functions as a spectrum analyzer, providing detailed RF analysis.	RF troubleshooting, interference detection.
OfficeExtend (OEAP) Mode	Securely extends corporate Wi-Fi to remote users over the internet.	Teleworkers, work-from-home employees.
Mesh Mode	APs form a wireless mesh network, extending connectivity without a wired backbone.	Smart cities, outdoor networks, large campuses.

---

2. Detailed Explanation of Each Mode

a. Local Mode (Default)

• APs tunnel all client traffic to the WLC using CAPWAP (Control and Provisioning of Wireless Access Points).
• Centralized traffic control and security enforcement.
• WLC handles all authentication, policy enforcement, and QoS.
• Best for: Enterprise/campus networks with strong WAN connectivity.

b. FlexConnect Mode (Formerly HREAP)

• APs locally switch traffic when connected to a WAN but can revert to centralized WLC control when needed.
• If the WAN link to the WLC goes down, APs continue to function and authenticate clients.
• Reduces WAN bandwidth usage by keeping local traffic within the branch site.
• Best for: Branch offices, remote sites with limited WAN connectivity.

c. Monitor Mode

• AP does not serve clients but scans the RF environment for rogue APs, interference, and security threats.
• Detects unauthorized devices and helps enforce wireless security policies.
• Works as part of Cisco Wireless Intrusion Prevention System (WIPS).
• Best for: Security monitoring in high-risk environments.

d. Sniffer Mode

• AP captures all wireless traffic and forwards it to a packet analyzer like Wireshark.
• Useful for troubleshooting and monitoring network performance.
• Requires a wired connection to a device running packet analysis software.
• Best for: Wireless network debugging, performance tuning, and security analysis.

e. Bridge Mode

• AP acts as a wireless bridge, connecting two wired networks over a wireless link.
• Supports Point-to-Point (P2P) and Point-to-Multipoint (P2MP) configurations.
• Often used in outdoor environments to connect separate buildings.
• Best for: Campus networks, industrial sites, outdoor connectivity.

f. Flex+Bridge Mode

• Hybrid of FlexConnect and Bridge Mode, allowing APs to function in both local switching and bridging roles.
• Useful for remote locations where both functionalities are needed.
• Best for: Remote industrial sites, hybrid network setups.

g. Spectrum Expert Connect (SE-Connect) Mode

• AP functions as a dedicated spectrum analyzer, providing real-time RF analysis.
• Identifies interference sources like microwaves, Bluetooth devices, or rogue APs.
• Works with Cisco tools like Cisco Spectrum Expert or CleanAir.
• Best for: RF troubleshooting, interference detection.

h. OfficeExtend (OEAP) Mode

• Designed for remote workers to securely extend corporate Wi-Fi to their homes.
• AP connects over VPN (DTLS encryption) to a central WLC.
• Maintains corporate SSIDs, policies, and authentication.
• Best for: Work-from-home users, teleworkers.

i. Mesh Mode

• APs form a self-healing, self-optimizing wireless mesh network.
• Eliminates the need for Ethernet backhaul, allowing APs to connect wirelessly.
• Used in outdoor deployments, smart cities, and large campus environments.
• Best for: Large-scale wireless deployments without a wired infrastructure.

---

3. Choosing the Right AP Mode

Scenario	Recommended AP Mode
Large enterprise/campus network	Local Mode
Branch office with limited WAN	FlexConnect Mode
Security monitoring	Monitor Mode
Wireless troubleshooting	Sniffer Mode / SE-Connect Mode
Building-to-building connectivity	Bridge Mode
Work-from-home employees	OfficeExtend Mode
Outdoor deployments / Smart cities	Mesh Mode

---

4. Summary

• Local Mode: Best for centralized enterprise networks.
• FlexConnect: Ideal for branch offices with limited WAN.
• Monitor & Sniffer Modes: Used for security and troubleshooting.
• Bridge Mode: Connects remote wired networks over Wi-Fi.
• OfficeExtend: Secure Wi-Fi for remote employees.
• Mesh Mode: Extends wireless coverage without Ethernet cabling.

1. Introduction to Cisco Wireless Network Architecture

Cisco offers a scalable, secure, and flexible wireless architecture that integrates wired and wireless networks using centralized management, intelligent access points, and robust security features.

Cisco’s wireless architecture is built around the Wireless LAN Controller (WLC) and Access Points (APs) that operate in different modes. The architecture ensures efficient management, security, and scalability in enterprise networks.

---

2. Cisco Wireless LAN Controller (WLC) Deployment Models

Cisco provides different WLC deployment models based on network size, scalability, and management requirements.

a. Centralized WLC Deployment (Unified Model)

• Best for: Enterprises, large organizations, campuses.
• Architecture:
  • A centralized WLC manages multiple lightweight APs.
  • All wireless traffic is tunneled back to the WLC via CAPWAP (Control and Provisioning of Wireless Access Points) protocol.
  • Centralized policy enforcement and security control.
• Pros:
  • Simplified management.
  • Strong security policies.
  • Easy firmware updates and monitoring.
• Cons:
  • Requires higher bandwidth between APs and WLC.
  • Can be a single point of failure (unless HA is configured).

b. Distributed (FlexConnect) Deployment

• Best for: Branch offices, remote sites with limited WAN bandwidth.
• Architecture:
  • Uses FlexConnect APs (formerly HREAP – Hybrid Remote Edge AP).
  • APs can locally switch traffic instead of tunneling everything to the WLC.
  • Can function even if WLC connectivity is lost (local authentication and switching).
• Pros:
  • Reduces WAN dependency.
  • Efficient for remote sites.
• Cons:
  • Requires additional configurations for security and QoS.

c. Cloud-Based WLC Deployment (Cisco Meraki)

• Best for: Organizations needing cloud-managed wireless networking.
• Architecture:
  • WLC functionality is hosted in the Cisco Meraki Cloud.
  • APs are managed via a cloud dashboard.
• Pros:
  • Easy remote management.
  • Scalable and requires minimal on-prem hardware.
• Cons:
  • Requires internet connectivity for management.
  • Subscription-based model.

d. Embedded Wireless Controller (EWC) on Catalyst Switches/APs

• Best for: Small to medium businesses (SMBs).
• Architecture:
  • WLC functionality is embedded in a Catalyst 9000 switch or a high-end AP (like Catalyst 9800).
  • Eliminates the need for a separate WLC appliance.
• Pros:
  • Cost-effective for SMBs.
  • Simplifies network architecture.
• Cons:
  • Limited scalability compared to standalone WLCs.

---

3. Cisco Access Point (AP) Modes in Wireless Architectures

Cisco APs can operate in different modes depending on deployment needs:

AP Mode	Description	Use Case
Local Mode	Default mode; tunnels traffic to the WLC.	Enterprise networks with centralized control.
FlexConnect Mode	Allows local switching at the AP level.	Branch offices with limited WAN bandwidth.
Monitor Mode	Scans for rogue APs and security threats.	Wireless intrusion detection.
Sniffer Mode	Captures packets for analysis.	Troubleshooting and performance monitoring.
Bridge Mode	Enables AP-to-AP bridging.	Outdoor point-to-point or point-to-multipoint links.
Flex+Bridge Mode	Hybrid of FlexConnect and Bridge mode.	Remote sites with specific network needs.

---

4. Best Practices for Cisco Wireless Deployment

• Choose the right WLC deployment model based on scalability and network design.
• Use AP modes effectively (e.g., FlexConnect for branches, Local Mode for campus).
• Ensure strong security using WPA3, 802.1X authentication, and rogue AP detection.
• Optimize channel planning and power levels for better performance.
• Use Cisco Prime Infrastructure or Cisco DNA Center for advanced monitoring and automation.

1. Introduction to Wireless Security

Wireless security is crucial to protect networks from unauthorized access, data theft, and cyber threats. Unlike wired networks, wireless networks use radio waves, making them more vulnerable to attacks such as eavesdropping, spoofing, and denial-of-service (DoS).

2. Common Wireless Security Threats

• Eavesdropping: Attackers intercept wireless signals to capture sensitive data.
• Rogue Access Points: Unauthorized APs used to steal data or launch attacks.
• Man-in-the-Middle (MITM) Attacks: Attackers intercept communication between devices.
• Denial-of-Service (DoS): Flooding a network with traffic to disrupt service.
• MAC Spoofing: An attacker changes their device’s MAC address to bypass security.

3. Wireless Authentication Methods

To prevent unauthorized access, wireless networks use different authentication methods:

a. Open System Authentication (OSA)

• No security mechanism; any device can connect.
• Used in public hotspots (e.g., cafes, airports).
• Highly insecure.

b. Pre-Shared Key (PSK) Authentication

• A shared password is used to authenticate devices.
• Common in home and small office networks.
• Used in WPA2-PSK and WPA3-SAE (Simultaneous Authentication of Equals).

c. IEEE 802.1X Authentication (Enterprise Mode)

• Uses a RADIUS (Remote Authentication Dial-In User Service) server.
• Requires usernames and passwords or digital certificates.
• Used in corporate and enterprise networks.
• Supports multiple Extensible Authentication Protocol (EAP) types, including:
  • EAP-TLS (Transport Layer Security): Uses digital certificates for strong security.
  • EAP-TTLS (Tunneled TLS): Secure tunnel for authentication credentials.
  • PEAP (Protected EAP): Uses TLS to encrypt authentication.

4. Wireless Security Protocols

To secure wireless communication, different encryption standards are used:

• WEP (Wired Equivalent Privacy): Weak encryption, easily hacked.
• WPA (Wi-Fi Protected Access): Improved security but outdated.
• WPA2 (Wi-Fi Protected Access 2): Strong encryption using AES, widely used.
• WPA3: Latest standard, provides better security with features like forward secrecy and protection against brute-force attacks.

Wireless LAN (WLAN) based on IEEE 802.11 standards uses different types of Service Sets to define how devices communicate within a wireless network. These service sets specify the architecture and functionality of the network. Below are the key types:

1. Basic Service Set (BSS)

• The fundamental building block of an 802.11 network.
• Consists of a single access point (AP) and multiple client devices (stations).
• Identified by a Basic Service Set Identifier (BSSID), which is typically the MAC address of the AP.
• Communication between clients must go through the AP.

2. Extended Service Set (ESS)

• A collection of multiple BSSs interconnected by a Distribution System (DS) (usually a wired network).
• Provides seamless roaming, allowing devices to move between APs without losing connectivity.
• Uses a common SSID (Service Set Identifier) to identify the network.

3. Independent Basic Service Set (IBSS) – Ad Hoc Mode

• A peer-to-peer wireless network without an access point.
• Devices communicate directly with each other.
• Used for temporary or small networks, such as file sharing between laptops.

4. Mesh Basic Service Set (MBSS)

• A wireless mesh network where APs (mesh nodes) communicate with each other to extend coverage.
• No centralized controller; devices dynamically route data through the network.
• Used in large-scale deployments like smart cities or campus-wide Wi-Fi.

5. Distribution System (DS)

• Connects multiple BSSs to form an ESS.
• Can be wired (Ethernet) or wireless (Mesh networks).