Cisco Wireless Network Architectures

Hello Valerio

You can add bpduguard and port security on the same port where you have connected an access point, however, you must keep the following in mind.

If the AP is operating in Layer 2 mode (that is, it is not performing routing) then the port-security mac-address sticky command may not be very useful. This is because every wireless client’s MAC address will appear on that interface, and thus you must have enough sticky MAC addresses configured to accommodate the estimated number of users connecting. If the AP is performing routing, then only the MAC address of the AP will appear on the interface, thus the “sticky” command is useful.

As for the bpduguard, it’s always a good idea to enable it on such ports as you should never receive BPDUs on such a port.

For more info, take a look at these related lessons:

I hope this has been helpful!


Hello, thank you for the great explanation, i will read the lessons.

1 Like


This lession mention the WLC must trunk all vlans, but i don’t understand why if the CAPWAP tunnel only needs L3/L4 reachabilty.

For example, in a large company, you could have many branches and the HQ. In the HQ you place the WLC connected to a Core node, so between the WLC and the Core Router you could only use a /30 subnet, and also configure a loopback on the WLC (i don’t know if you could do configure logical interfaces in the WLC). So, a /30 or /31 between WLC <-> Core router, and using vlan 10 , and then the Core router could propagate via an IGP this subnet or loopback address to the other branches.
The LWAP could reach the IP of the WLC via its default gateway (Core branch router).

So why in this lesson says the WLC must trunk all vlans ?

1 Like

Hello Juan

I believe that the WLC by design requires a trunk port to all of the VLANs where access points are connected. This is the case when using LWAP in the Unified WLC deployment.

If however, you use FlexConnect, then it is possible to use an access port and layer 3 connectivity to the APs. If user traffic comes back to the WLC via a CAPWAP tunnel, trunks must be used.

More info can be found at the below Cisco Community forum post.

I understand that the logic of the CAPWAP states that you only need L3 connectivity to make the tunnel work. However, the WLC by design needs those trunks for it to function correctly.

I hope this has been helpful!


1 Like


Can someone please help me understand this?:
“Real-time functions: Transmission of 802.11 frames”

The online course I worked through said that “802.11 to 802.3 communication” is handled by the WLC, and Wendell Odom’s CCNA book also implies the same:
“Or consider roaming for a moment. If at one instant a packet arrives for your phone, and you are associated with AP1, and when the next packet arrives over the wired network you are now connected to AP4, how could that packet be delivered through the network? Well, it always goes to the WLC, and because the WLC keeps in contact with the APs and knows that your phone just roamed to another AP, the WLC knows where to forward the packet.” (This is at the very end of “Appendix K: Analyzing Ethernet LAN Designs.”)

On page 638 of his book, Wendell Odom lists these Real-Time Functions:
• RF Transmit/Receive
• MAC Management
• Encryption

So the “Transmission of 802.11 frames” means taking care of the Physical/L1 side of things, right?

Do I understand it correctly that with lightweight APs, the user traffic goes to the lightweight AP, then through the switches to the WLC, and from the WLC back through the switches to the lightweight AP, and finally the lightweight AP transmits the user traffic to the original user? I assume the function of the CAPWAP Data tunnel is to accomplish communication between the Ethernet (802.11) and wireless (802.3) network.


Hello Attila

Real-time functions, including the transmission of 802.11 frames, refer to the tasks performed by the AP to handle wireless communication. These tasks take place on both the user plane and the control plane and include things like dealing with RF signals, MAC management, and encryption/decryption. These tasks are indeed related to Layers 1 and 2 of the OSI model.

Now specifically with lightweight APs, the user traffic goes through the following steps:

  1. User traffic is sent to the lightweight AP (over the wireless 802.11 network).
  2. The lightweight AP encapsulates the user traffic inside a CAPWAP tunnel and forwards it through the wired Ethernet network (802.3) to the WLC.
  3. The WLC processes the traffic, makes decisions (e.g., access control, quality of service), and forwards the traffic as necessary, either back to the same AP or another AP (in case of roaming).
  4. The receiving AP decapsulates the CAPWAP-encapsulated traffic and transmits it to the user over the wireless 802.11 network.

You are correct in understanding that the CAPWAP data tunnel is used for communication between the Ethernet (802.3) and wireless (802.11) networks. The WLC plays a crucial role in managing lightweight APs, user traffic, and overall network performance. Does that make sense?

I hope this has been helpful!


1 Like

Comparing Auntomous design VS Split-MAC design (CAPWAP Tunnel) :

It’s pretty clear for me Autonomous design requires VLAN implementation everywhere (besides other configs such as mgmt, tx power, ch assignation, etc etc that you do per Autonomous AP basis). in Access Layer (between Access switches and APs) , trunks between Access switches and Distribution Switches and then on trunks between Distribution and Core.

In the other design, Split-MAC is also clear for me because of this CAPWAP tunnel we move the mgmt functions to the WLC and the real time remains in the AP.

But its not 100% clear for me, the switched tunnel vs routed tunnel. For me switched means no L3 involved, if we say a switched tunnel we dont need an IP add configured on both AP and WLC ? how the tunnel is established in a switched tunnel ? lets say we use VLAN 10 for Mgmt , so we configure it in the LWAP , and also in the WLC, but if guess in this case we would need to configure VLAN 10 all across the network such as an autonomous design…

The routed tunnel is more clear for me because im acostumed to other kind of tunnels such as GRE , while you reach the ip add of the other side its ready to go then the tunnel is established.

Hello Juan

When talking about CAPWAP tunnels, there is really no distinction concerning routed or switched tunnels. CAPWAP tunnels are created between an AP and its WLC over an underlay network that can traverse routers, switches, multiple subnets etc, just as long as the AP can reach the WLC. The CAPWAP tunnel is specially created to carry the multiple VLANs that correspond to the SSIDs that an AP may be serving.

Rene states in the lesson that “Tunneled traffic can be switched or routed” and this phrase may be the source of your question. The idea here is that the underlay network that carries the CAPWAP tunnel can be either routed or switched. Rene goes on to say that this:

…means the lightweight APs and WLC don’t have to be in the same VLAN. This is useful since APs are typically on the access layer, and the WLC is in a central location (core layer or data center attached to the core).

So it’s not referring to the tunnel as a Layer 2 or Layer 3 entity, but in the way the tunnel is encapsulated and transmitted over the underlying (layer 2 or layer 3) infrastructure. Does that make sense?

I hope this has been helpful!


Thanks @lagapidis

But why is necessary to tag all vlans between WLC and Core ? for establishing the capwap lwap uses the mgmt ip add to reach the wlc , you only need to tag the mgmt vlans for each lwap, but the ssid vlan why ? its because the vlan must be present at both ends of the tunnel for encapsulation/dencapsulation purpose ?

lets say SSID “my-wifi” VLAN 100 configured on LWAP 1 , CAPWAP is already established, so LWAP 1 wants to forward traffic to VLAN 200 configured on LWAP 2 (this lwap also has established capwap) LWAP 1 encapsulates VLAN 100 traffic into the CAPWAP tunnel using udp 5247, 2 WLC receives the CAPWAP pckt and deencapsutale it, it see that is destined for VLAN 200 (LWAP 2) 3. WLC encapsulates it traffic VLAN 200 into a new CAPWAP pckt and forward it to LWAP 2, 4. LWAP 2 deencapsulte it and forward it to the client ?

Hello Juan

To establish the tunnel between LWAP and WLC, all you need is the IP address because the CAPWAP tunnel is created over the underlay network infrastructure that exists between the WLC and LWAP. As long as those two can reach each other, the CAPWAP tunnel can be established.

Why do we need all VLANs between WLC and the core? Well, it depends upon where you are performing your routing. If the routing takes place at the core network, then this must be done in order for the clients connected to each SSID to reach the default gateway of each VLAN. The default gateway will actually exist within the core itself. However, you can change that topology and make the WLC itself the default route for every VLAN/SSID. In that case, you wouldn’t need a trunk between the WLC and the core network. The scenario you described in your post assumes routing takes place in the WLC.

The question is, what is considered best practice in this? Well, typically we don’t want to overburden the WLC with routing, especially in a large network where it would have to act as router to all wireless clients. If the WLC has to handle, say, 50 or 60 clients, then you should be OK with routing at the WLC. However, if you have a network with thousands of wireless clients, it is best to leave routing to a different device, and this is why you need the trunk. That way the WLC will only be burdened with the management of the LWAPs and not routing as well.

Creating a trunk and performing routing on the core network is considered best practice, even in smaller networks. Does that make sense?

I hope this has been helpful!


1 Like

Thanks @lagapidis

Taking the following diagram in mind :

The only purpose for vlan 11 in AP1 is for associating a subnet such as 192.168.11.x ? that has allocated the ip host used to establish CAPWAP with WLC ?

In this case the link Core ↔ WLC is a trunk with all vlans passing through it including the vlan used for 192.168.10.x (i guess it could be and interface vlan X lets say, so AP1 can reach through the Core , DG an the core itself resolves the routing because it also has the directly connected network… therefore AP1 can establish CAPWAP and encapsulates mgmt traffic UDP 5246 and data traffic UDP 5247 (i guess both ends, LWAP and WLC encapsulate when they want to send to the other end , and dencapsulte when they receive from the other end).

The last one, this excerpt from this lesson, the one in bold , i think CAPWAP is routed, this phrase was generic regarding any tunnel or CAPWAP ?

Tunneled traffic can be switched or routed

Thanks for your patience (i dont have any WLAN experience because the environment i work on daily basis does not require this knowledge but im interested in it).

Hello Juan

Yes that is correct, and I believe your subsequent explanation is correct as well. Routing between the AP and the WLC is achieved within the core network, while the CAPWAP tunnel uses that routing to terminate on the WLC and the AP. The core network is the underlay network which can be routed/switched, while the CAPWAP tunnel is the overlay network.

As I mentioned in my previous post, the idea here is that the underlay network that carries the CAPWAP tunnel can be either routed or switched. Also, the CAPWAP tunnel may terminate on the WLC and be routed there, or (ideally), it should be switched to the core network to be routed within the core.

No problem at all, that’s what we’re here for, to help people learn new things!! I hope this discussion has been helpful and if you have any further clarification questions, feel free to ask them!

I hope this has been helpful!


1 Like

@lagapidis I hope you doing well.

About this :

Management functions:
    Client authentication
    Security management
    Association and reassociation (roaming)
    Quality of Service (QoS)

Real-time functions:
    Transmission of 802.11 frames
    MAC management

Im trying to order and meaningful to the above.

Client auth, Sec Mgm and Encryption … Client Auth could be 802.1x ? What is Sec Mgm ?

What is MAC Management ?

Thanks in advance

Hello Juan

I have created a NetworkLessons note that expands upon the idea of the management and real-time functions. Take a look at it, and if you have further questions, let us know!

I hope this has been helpful!


i need some help in vlan based bandwidth restriction. Could you please explain how to create policy to restrict bandwidth on vlan. we have cisco 4500X,3750 & 3850

Hello Mohammed

There are several options that you can apply depending upon what you actually want to achieve. Your options, depending upon your ultimate goal include making some of the following choices:

First, you must decide if you want to apply shaping or policing. Shaping will limit bandwidth while attempting not to drop any packets by implementing buffering. Policing will drop any packets that surpass the bandwidth restriction you have set.

Next, you must decide where do you want to apply these policies? At the SVI which serves as a default gateway for VLAN? At each interface of a particular VLAN? On the VLAN as a whole? What you answer will affect the complexity of the configuration.

Finally, what kind of clients will be using these VLANs? Since you’re writing this in a Wireless Network Architectures thread, I assume you may have wireless clients. You may want to consider applying bandwidth restriction at the client itself, something that is much simpler than on a per VLAN basis for example.

If you want to take a look at some of the configs involved with shaping and policing, take a look at the following lessons:

If you want to take a look at QoS features that function solely at Layer 2, take a look at this lesson:

This information should be enough to get you started. Let us know how you get along and if you have any more specific questions.

I hope this has been helpful!