Cisco Wireless is designed to provide 802.11 wireless networking solutions for enterprises and service providers. Cisco Wireless simplifies deploying and managing large-scale wireless LANs and enables a unique best-in-class security infrastructure. The operating system manages all data client, communications, and system administration functions, performs radio resource management (RRM) functions, manages system-wide mobility policies using the operating system security solution, and coordinates all security functions using the operating system
The Cisco Wireless solution consists of Cisco wireless LAN controllers and their associated lightweight access points controlled by the operating system, all concurrently managed by any or all of the operating system user interfaces:
An HTTP and/or HTTPS full-featured Web User Interface hosted by Cisco wireless LAN controllers can be used to configure and monitor individual controllers.
A full-featured command-line interface (CLI) can be used to configure and monitor individual Cisco wireless
An industry-standard SNMP V1, V2c, and V3 interface can be used with any SNMP-compliant third-party network
The Cisco Wireless solution supports client data services, client monitoring and control, and all rogue access point detection, monitoring, and containment functions. It uses lightweight access points, Cisco wireless LAN controllers, and the optional Cisco Prime Infrastructure to provide wireless services to enterprises and
Unless otherwise noted in this publication, all of the Cisco wireless LAN controllers are referred to as controllers, and all of the Cisco lightweight access points are referred to as
A standalone controller can support lightweight access points across multiple floors and buildings simultaneously and support the following features:
Autodetecting and autoconfiguring lightweight access points as they are added to the network.
Full control of lightweight access points.
Lightweight access points connect to controllers through the network. The network equipment may or may not provide Power over Ethernet (PoE) to the access points.
Some controllers use redundant Gigabit Ethernet connections to bypass single network failures.
Some controllers can connect through multiple physical ports to multiple subnets in the network. This feature can be helpful when you want to confine multiple VLANs to separate subnets.
Figure 1. Single-Controller Deployment. This figure shows a typical single-controller deployment.
Each controller can support lightweight access points across multiple floors and buildings simultaneously. However, full functionality of the Cisco wireless LAN solution occurs when it includes multiple controllers. A multiple-controller system has the following additional features:
Autodetecting and autoconfiguring RF parameters as the controllers are added to the network.
Same-subnet (Layer 2) roaming and inter-subnet (Layer 3) roaming.
Automatic access point failover to any redundant controller with a reduced access point load.
Figure 2. Typical Multiple-Controller Deployment.
The following figure shows a typical multiple-controller deployment. The figure also shows an optional dedicated management network and the three physical connection types between the network and the controllers.
Operating System Software
The operating system software controls controllers and lightweight access points. It includes full operating system security and radio resource management (RRM) features.
Operating System Security
Operating system security bundles Layer 1, Layer 2, and Layer 3 security components into a simple, Cisco WLAN solution-wide policy manager that creates independent security policies for each of up to 16 wireless LANs.
The 802.11 Static WEP weaknesses can be overcome using the following robust industry-standard security solutions:
802.1X dynamic keys with extensible authentication protocol (EAP).
WEP keys, with or without a preshared key passphrase
RSN with or without a preshared key
Optional MAC filtering
The WEP problem can be further solved using the following industry-standard Layer 3 security solutions:
Local and RADIUS MAC address filtering
Local and RADIUS user/password authentication
Manual and automated disabling to block access to network services. In manual disabling, you block access using client MAC addresses. In automated disabling, which is always active, the operating system software automatically blocks access to network services for a user-defined period of time when a client fails to authenticate for a fixed number of consecutive attempts. This feature can be used to deter brute-force login attacks.
These and other security features use industry-standard authorization and authentication methods to ensure the highest possible security for your business-critical wireless LAN traffic.
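The automated disabling described above is, in effect, a per-client lockout counter. The following is an added example, not Cisco controller code: it models a client MAC that is excluded for a user-defined period after a fixed number of consecutive authentication failures, alongside a manual block list, and replays a few constructed authentication-log lines through it. The threshold (5 failures), the exclusion period (60 s), the log-line format and the MAC addresses are all constructed for the illustration and are not controller defaults.

```python
"""Automated client exclusion, simulated.

This is an added example, not Cisco controller code.  It models the
behaviour the page describes: a client MAC that fails authentication a
fixed number of consecutive times is blocked from network services for a
user-defined period, and an operator can also block a MAC manually.
The threshold (5 failures), exclusion period (60 s) and the log-line
format are constructed for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ExclusionPolicy:
    max_failures: int = 5   # consecutive failures before exclusion (assumed)
    timeout_s: int = 60     # exclusion period in seconds (assumed)


@dataclass
class ClientState:
    failures: int = 0            # consecutive failures since the last success
    excluded_until: float = 0.0  # timestamp; 0 means not excluded


class ExclusionTracker:
    def __init__(self, policy: ExclusionPolicy) -> None:
        self.policy = policy
        self.clients: Dict[str, ClientState] = {}
        self.manual: Set[str] = set()   # MACs disabled by an operator

    def disable(self, mac: str) -> None:
        self.manual.add(mac.lower())

    def enable(self, mac: str) -> None:
        self.manual.discard(mac.lower())

    def is_blocked(self, mac: str, now: float) -> bool:
        mac = mac.lower()
        if mac in self.manual:
            return True
        st = self.clients.get(mac)
        return st is not None and st.excluded_until > now

    def record(self, mac: str, success: bool, now: float) -> str:
        """Apply one authentication result and return what happened."""
        mac = mac.lower()
        if self.is_blocked(mac, now):
            return "blocked"          # attempt rejected during exclusion
        st = self.clients.setdefault(mac, ClientState())
        if success:
            st.failures = 0           # a success breaks the consecutive run
            return "allowed"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.excluded_until = now + self.policy.timeout_s
            st.failures = 0
            return "excluded"         # threshold reached: start the timeout
        return "failed"


LINE_RE = re.compile(r"t=(\d+) mac=([0-9a-f:]{17}) result=(ok|fail)")

# Constructed sample: one client hammering authentication, one normal client.
SAMPLE_LOG = """\
t=0 mac=00:11:22:33:44:55 result=fail
t=1 mac=00:11:22:33:44:55 result=fail
t=2 mac=66:77:88:99:aa:bb result=ok
t=2 mac=00:11:22:33:44:55 result=fail
t=3 mac=00:11:22:33:44:55 result=fail
t=4 mac=00:11:22:33:44:55 result=fail
t=5 mac=00:11:22:33:44:55 result=fail
t=70 mac=00:11:22:33:44:55 result=ok
"""


def replay(log: str, policy: ExclusionPolicy) -> Tuple[List[str], ExclusionTracker]:
    """Feed each log line through the tracker; return outcomes and final state."""
    tracker = ExclusionTracker(policy)
    outcomes: List[str] = []
    for line in log.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue   # ignore lines that do not match the constructed format
        t, mac, ok = int(m.group(1)), m.group(2), m.group(3) == "ok"
        outcomes.append(tracker.record(mac, ok, t))
    return outcomes, tracker


if __name__ == "__main__":
    results, _ = replay(SAMPLE_LOG, ExclusionPolicy())
    for line, outcome in zip(SAMPLE_LOG.splitlines(), results):
        print(f"{line:45s} -> {outcome}")
```

In the sample, the fifth consecutive failure at t=4 triggers a 60-second exclusion, the attempt at t=5 is rejected outright, and the attempt at t=70 succeeds because the exclusion has expired. Note that a success resets the counter, which is what "consecutive" implies; a tracker that counted total failures would lock out legitimate users who mistype a password occasionally.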
Layer 2 and Layer 3 Operation
Lightweight Access Point Protocol (LWAPP) communications between the controller and lightweight access points can be conducted at Layer 2 or Layer 3. Control and Provisioning of Wireless Access Points protocol (CAPWAP) communications between the controller and lightweight access points are conducted at Layer 3. Layer 2 mode does not support CAPWAP.
The IPv4 network layer protocol is supported for transport through a CAPWAP or LWAPP controller system. IPv6 (for clients only) and AppleTalk are also supported but only on Cisco 5500 Series Controllers and the Cisco WiSM2. Other Layer 3 protocols (such as IPX, DECnet Phase IV, OSI CLNP, and so on) and Layer 2 (bridged) protocols (such as LAT and NetBeui) are not supported.
The requirement for Layer 3 LWAPP communications is that the controller and lightweight access points can be connected through Layer 2 devices on the same subnet or connected through Layer 3 devices across subnets. Another requirement is that the IP addresses of access points should be either statically assigned or dynamically assigned through an external DHCP server.
The requirement for Layer 3 CAPWAP communications is that the controller and lightweight access points can be connected through Layer 2 devices on the same subnet or connected through Layer 3 devices across subnets.
When you are operating the Cisco wireless LAN solution in Layer 2 mode, you must configure a management interface to control your Layer 2 communications.
When you are operating the Cisco wireless LAN solution in Layer 3 mode, you must configure an AP-manager interface to control lightweight access points and a management interface as configured for Layer 2 mode.
Cisco Wireless LAN Controllers
When you are adding lightweight access points to a multiple-controller deployment network, it is convenient to have all lightweight access points associate with one master controller on the same subnet. That way, you do not have to log into multiple controllers to find out with which controller newly added lightweight access points have associated.
One controller in each subnet can be assigned as the master controller while adding lightweight access points. As long as a master controller is active on the same subnet, all new access points without a primary, secondary, and tertiary controller assigned automatically attempt to associate with the master controller. This process is described in Cisco Wireless LAN Controller Failover Protection.
You can monitor the master controller using the Cisco Prime Infrastructure Web User Interface and watch as access points associate with the master controller. You can then verify the access point configuration and assign a primary, secondary, and tertiary controller to the access point, and reboot the access point so it reassociates with its primary, secondary, or tertiary controller.
Lightweight access points without a primary, secondary, and tertiary controller assigned always search for a master controller first upon reboot. After adding lightweight access points through the master controller, you should assign primary, secondary, and tertiary controllers to each access point. We recommend that you disable the master setting on all controllers after initial configuration.
When you use Cisco Prime Infrastructure in your Cisco wireless LAN solution, controllers periodically determine the locations of clients, rogue access points, rogue access point clients, and radio frequency ID (RFID) tags and store the locations in the Cisco Prime Infrastructure database.
enterprise-class high-performance wireless switching platforms that support 802.11a/n and 802.11b/g/n protocols. They operate under control of the operating system, which includes the radio resource management (RRM), creating a Cisco UWN solution that can automatically adjust to real-time changes in the 802.11 RF environment. Controllers are built around high-performance network and security hardware, resulting in highly reliable 802.11 enterprise networks with unparalleled
The Cisco 2500 Series Wireless Controller works in conjunction with Cisco lightweight access points and the Cisco Prime Infrastructure to provide system-wide wireless LAN functions. The Cisco 2500 Series controller provides real-time communication between wireless access points and other devices to deliver centralized security policies, guest access, wireless intrusion prevention system (wIPS), context-aware (location), RF management, quality of service for mobility services such as voice and video, and OEAP support for the teleworker solution.
The Cisco 5500 Series Wireless LAN Controller is currently available in one model: 5508. The Cisco 5500 Series Wireless Controller is a highly scalable and flexible platform that enables systemwide services for mission-critical wireless networking in medium-sized to large enterprises and campus environments.
The Cisco 5500 Series Controller can be equipped with one or two power supplies. When the controller is equipped with two power supplies, the power supplies are redundant, and either power supply can continue to power the controller if the other power
The Cisco Flex 7500 Series Controller enables you to deploy full-featured, scalable, and secure FlexConnect network services across geographic locations. Cisco Flex 7500 Series Controller virtualizes the complex security, management, configuration and troubleshooting operations within the data center and then transparently extends those services to each store. Deployments using Cisco Flex 7500 Series Controller are easier for IT to set up, manage and scale.
The Cisco Flex 7500 Series Controller is designed to meet the scaling requirements to deploy the FlexConnect solution in branch networks. Cisco Wireless supports two major deployment models: FlexConnect and monitor mode. FlexConnect is designed to support wireless branch networks by allowing the data to be switched locally while the access points are being controlled and managed by a centralized controller. It aims at delivering a cost-effective FlexConnect solution on a
For a FlexConnect only deployment, the following restrictions apply:
Multicast-unicast is the only available default mode.
and IGMP snooping are not supported.
IPv6 and Generic Attribute Registration Protocol (GARP) are supported but not multicast data.
Cisco 8500 Series Controllers were introduced in the 7.3 release with support for local mode, FlexConnect, and mesh modes. The Cisco 8500 Series Controller is a highly scalable and flexible platform that enables mission-critical wireless networking in large-scale service provider and large-campus deployments.
The DC powered 8510 controller is not available with any of the country-specific power cords. Therefore, we recommend that you use a 12 gauge wire and connect to the DC
Local mode only deployment—Multicast-multicast is the default mode.
FlexConnect mode deployment:
If you require IPv6 on FlexConnect mode APs, disable global multicast and change to multicast-unicast mode. IPv6 and Generic Attribute Registration Protocol (GARP) work, but multicast data and video streaming are not supported across the
If you do not require IPv6 and GARP on FlexConnect APs, change the mode to multicast-multicast and enable global multicast and IGMP/MLD snooping. IPv6, GARP, multicast data, and VideoStream are supported on FlexConnect APs.
The virtual wireless LAN controller is software that can run on hardware that is compliant with an industry standard virtualization infrastructure. Virtual Wireless LAN controllers provide flexibility for users to select the hardware based on their
When you take a snapshot of the virtual wireless LAN controller, VMware suspends activities for about 15 seconds. During this time, the APs are disconnected from the virtual wireless LAN controller.
The Cisco Wireless Services Module 2 (WiSM2) provides medium-sized to large single-site WLAN deployments with exceptional performance, security, and scalability to support mission-critical wireless business communications. It helps to lower hardware costs and offers flexible configuration options that can reduce the total cost of operations and ownership for wireless networks.
Controller on Cisco Services-Ready Engine (SRE)
The Cisco wireless controller application on the Cisco Services-Ready Engine (SRE) enables systemwide wireless functions in small to medium-sized enterprises and branch offices. Delivering 802.11n performance and scalability, the Cisco wireless controller on the SRE is an entry-level controller that provides low total cost of ownership and investment protection by integrating seamlessly with the existing network. The Cisco SRE modules are router blades for the Cisco Integrated Services Routers Generation 2 (ISR G2), which allows you to provision the Cisco Wireless Controller applications on the module remotely at any time. This can help your organization to quickly deploy wireless on-demand, reduce operating costs, and consolidate the branch office infrastructure.
provides real-time communication between Cisco Aironet access points, the Cisco Prime Infrastructure, and the Cisco Mobility Services Engine (MSE) to deliver centralized security policies, wireless intrusion prevention system (wIPS) capabilities, award-winning RF management, context-aware capabilities for location tracking, and quality of service (QoS) for voice and video.
The Cisco UWN solution can control up to 512 WLANs for lightweight access points. Each WLAN has a separate WLAN ID (1 through 512), a separate profile name, and a WLAN SSID and can be assigned with unique security policies. The lightweight access points broadcast all active Cisco UWN solution WLAN SSIDs and enforce the policies defined for each WLAN.
We recommend that you assign one set of VLANs for WLANs and a different set of VLANs for management interfaces to ensure that controllers operate with optimum performance and ease of management.
If management over wireless is enabled across the Cisco UWN solution, you can manage the system across the enabled WLAN using CLI and Telnet, HTTP/HTTPS, and SNMP.
You can upload and download operating system code, configuration, and certificate files to and from the controller using the GUI, CLI, or .
Power over Ethernet
Lightweight access points can receive power through their Ethernet cables from 802.3af-compatible Power over Ethernet (PoE) devices, which can reduce the cost of discrete power supplies, additional wiring, conduits, outlets, and installation time. PoE frees you from having to mount lightweight access points or other powered equipment near AC outlets, which provides greater flexibility in positioning the access points for maximum coverage.
When you are using PoE, you run a single CAT-5 cable from each lightweight access point to PoE-equipped network elements, such as a PoE power hub or a Cisco WLAN solution single-line PoE injector. When the PoE equipment determines that the lightweight access point is PoE-enabled, it sends 48 VDC over the unused pairs in the Ethernet cable to power the access point.
The PoE cable length is limited by the 100BASE-T or 10BASE-T specification to 100 m or 200 m, respectively.
Cisco Wireless LAN Controller Memory
The controller contains two kinds of memory: volatile RAM, which holds the current, active controller configuration, and NVRAM (nonvolatile RAM), which holds the reboot configuration. When you are configuring the operating system in the controller, you are modifying volatile RAM; you must save the configuration from the volatile RAM to the NVRAM to ensure that the controller reboots in the current configuration.
Knowing which memory you are modifying is important when you are doing the following tasks:
Using the configuration wizard
Clearing the controller configuration
Resetting the controller
Logging out of the CLI
Cisco Wireless LAN Controller Failover Protection
During installation, we recommend that you connect all lightweight access points to a dedicated controller, and configure each lightweight access point for final operation. This step configures each lightweight access point for a primary, secondary, and tertiary controller and allows it to store the configured mobility group information.
During the failover recovery, the following tasks are performed:
The configured access point attempts to contact the primary, secondary, and tertiary controllers, and then attempts to contact the IP addresses of the other controllers in the mobility
DNS is resolved with the controller IP address.
DHCP servers get the controller IP addresses (vendor-specific option 43 in DHCP offer).
deployments, if one controller fails, the access points perform the following
If the lightweight access point has a primary, secondary, and tertiary controller assigned, it attempts to associate with that controller.
If the access point has no primary, secondary, or tertiary controllers assigned or if its primary, secondary, or tertiary controllers are unavailable, it attempts to associate with a master controller.
If the access point finds no master controller, it attempts to contact stored mobility group members by the
If the mobility group members are available, and if the lightweight access point has no primary, secondary, and tertiary controllers assigned and there is no master controller active, it attempts to associate with the least-loaded controller to respond to its
When controllers are deployed, if one controller fails,
active access point client sessions are momentarily dropped while the dropped
access point associates with another controller, allowing the client device to
immediately reassociate and reauthenticate.
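The failover sequence above is an ordered search: configured controllers first, then a master, then whatever was learned from the stored mobility group, DNS and DHCP option 43, with the least-loaded responder winning at the end. The following is an added example, not Cisco code, that walks that order over a small constructed set of controllers and also decodes the option 43 payload a DHCP offer would carry. The controller names, addresses and AP loads are constructed; the option 43 layout used by decode_option43 (sub-option 0xf1 followed by 4*N bytes of controller IPv4 addresses) follows Cisco's published DHCP guidance for lightweight APs and is treated as an assumption here, and the same-subnet condition for the master controller is omitted for brevity.

```python
"""Controller selection during AP failover, simulated.

Added example, not Cisco code.  It walks the discovery order this page
describes: configured primary/secondary/tertiary controllers first, then
a master controller, then controllers learned from the stored mobility
group, DNS and DHCP option 43, choosing the least-loaded one.  Controller
names, addresses and loads are constructed.  The option 43 layout used by
decode_option43 (sub-option 0xf1 followed by 4*N bytes of controller IPv4
addresses) is taken from Cisco's published DHCP guidance and is an
assumption here; the same-subnet check for the master controller is omitted.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Iterable, List, Optional, Tuple


@dataclass
class Controller:
    name: str
    ip: str
    up: bool = True          # reachable and answering discovery
    master: bool = False     # configured as the master controller
    ap_count: int = 0        # APs currently joined
    ap_capacity: int = 100   # licensed AP capacity (constructed)

    @property
    def load(self) -> float:
        return self.ap_count / self.ap_capacity


@dataclass
class AccessPoint:
    name: str
    primary: Optional[str] = None
    secondary: Optional[str] = None
    tertiary: Optional[str] = None
    mobility_group_ips: List[str] = field(default_factory=list)  # stored at last join


def decode_option43(raw: bytes) -> List[str]:
    """Return controller IPv4 addresses carried in a DHCP option 43 payload."""
    ips: List[str] = []
    i = 0
    while i + 2 <= len(raw):
        code, length = raw[i], raw[i + 1]
        body = raw[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("truncated option 43 sub-option")
        if code == 0xF1:
            if length % 4:
                raise ValueError("sub-option 0xf1 length is not a multiple of 4")
            ips.extend(str(IPv4Address(body[j:j + 4])) for j in range(0, length, 4))
        i += 2 + length
    return ips


def select_controller(ap: AccessPoint, controllers: Iterable[Controller],
                      dns_ips: Iterable[str] = (), option43: bytes = b""
                      ) -> Tuple[Optional[Controller], str]:
    """Pick the controller the AP joins and report which rule chose it."""
    controllers = list(controllers)
    by_name = {c.name: c for c in controllers}
    by_ip = {c.ip: c for c in controllers}

    # 1. Configured primary, secondary, tertiary, in that order.
    for name in (ap.primary, ap.secondary, ap.tertiary):
        c = by_name.get(name) if name else None
        if c and c.up:
            return c, "configured"

    # 2. No usable configured controller: look for a master controller.
    masters = [c for c in controllers if c.up and c.master]
    if masters:
        return masters[0], "master"

    # 3. Otherwise use learned candidates and take the least-loaded responder.
    candidates: List[Controller] = []
    for ip in [*ap.mobility_group_ips, *dns_ips, *decode_option43(option43)]:
        c = by_ip.get(ip)
        if c and c.up and c not in candidates:
            candidates.append(c)
    if not candidates:
        return None, "none"
    return min(candidates, key=lambda c: c.load), "least-loaded"


def build_lab() -> List[Controller]:
    """Constructed controllers: the primary is down, one master, two others."""
    return [
        Controller("wlc-a", "192.168.10.2", up=False),
        Controller("wlc-b", "192.168.10.3", master=True, ap_count=80),
        Controller("wlc-c", "192.168.10.5", ap_count=30),
        Controller("wlc-d", "192.168.10.6", ap_count=10),
    ]


if __name__ == "__main__":
    lab = build_lab()
    print(select_controller(AccessPoint("ap-1", primary="wlc-a", secondary="wlc-c"), lab))
    print(select_controller(AccessPoint("ap-2"), lab))
    for c in lab:
        c.master = False   # operator disabled the master setting after rollout
    print(select_controller(AccessPoint("ap-2"), lab,
                            option43=bytes.fromhex("f108c0a80a05c0a80a06")))
```

Two things the walk-through makes visible: an AP whose primary is down but whose secondary is up never touches the master or the discovery fallbacks, and once the master setting is disabled on all controllers (as the page recommends after initial configuration), an unconfigured AP can only join a controller it can learn about, so the option 43 and DNS records become the controls that decide where it lands.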