Can an access point running LWAPP join a controller running CAPWAP?

Yes. An access point running LWAPP can join a controller running CAPWAP; the controller then downloads the CAPWAP image to the access point, which uses CAPWAP from then on.

Give an example of an access point model that can join only with CAPWAP, and one that can join with either LWAPP or CAPWAP.

Cisco Aironet 1140 supports only CAPWAP.

Cisco Aironet 1130 supports both LWAPP and CAPWAP.

When an access point starts up, how does it behave with regard to LWAPP and CAPWAP?

After 60 seconds of trying to join a controller with CAPWAP, the access point falls back to using LWAPP. If it cannot find a controller using LWAPP within 60 seconds, it tries again to join a controller using CAPWAP. The access point repeats this cycle of switching from CAPWAP to LWAPP and back again every 60 seconds until it joins a controller.

Once the access point downloads the CAPWAP image from the controller, it uses only CAPWAP to communicate with the controller.

What are the basic guidelines for implementing CAPWAP?

If your firewall is currently configured to allow traffic only from access points that use LWAPP, you must change the firewall rules to also allow traffic from access points that use CAPWAP.

Make sure that the CAPWAP UDP ports 5246 (control) and 5247 (data), which correspond to the LWAPP UDP ports 12222 (data) and 12223 (control), are enabled and are not blocked by an intermediate device that could prevent an access point from joining the controller.

If access control lists (ACLs) are in the control path between the controller and its access points, you need to open the new protocol ports to prevent access points from being stranded. Access points that are still running the LWAPP image fall back to LWAPP during the join cycle, so leave the LWAPP ports open until they have been converted to CAPWAP.
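The firewall and ACL guidelines above are easy to get wrong in the direction that strands access points: a rule base written for LWAPP silently drops CAPWAP. The following is an added example (not code from the original page or from Cisco) that evaluates a constructed, vendor-neutral first-match rule base for the four UDP flows an access point needs toward the controller. The rule format, the access point subnet 10.10.0.0/16 and the controller management address 10.1.1.5 are assumptions for the example.

```python
"""Audit firewall rules on the AP-to-controller path for CAPWAP/LWAPP reachability.

Added example; the Rule format is a constructed representation (assumption),
not a real firewall export. A first-match rule base with implicit deny is assumed.
"""
import ipaddress
from dataclasses import dataclass

# Ports named in the guidelines: CAPWAP control/data and the legacy LWAPP data/control ports.
CAPWAP_PORTS = {"control": 5246, "data": 5247}
LWAPP_PORTS = {"data": 12222, "control": 12223}


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "udp", "tcp" or "ip" (any protocol)
    src: str            # source CIDR
    dst: str            # destination CIDR
    dports: tuple = ()  # (low, high) destination port range; () matches any port

    def matches(self, proto, src_ip, dst_ip, dport):
        if self.proto not in ("ip", proto):
            return False
        if src_ip not in ipaddress.ip_network(self.src, strict=False):
            return False
        if dst_ip not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.dports and not (self.dports[0] <= dport <= self.dports[1]):
            return False
        return True


def verdict(rules, proto, src_ip, dst_ip, dport):
    """First-match evaluation; anything that matches no rule is denied."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.matches(proto, src_ip, dst_ip, dport):
            return rule.action
    return "deny"


def audit_ap_path(rules, ap_subnet, wlc_mgmt_ip):
    """Return the CAPWAP/LWAPP flows from the AP subnet to the controller that are blocked.

    The first host of the AP subnet stands in for any access point on it.
    """
    src = str(next(ipaddress.ip_network(ap_subnet, strict=False).hosts()))
    blocked = []
    for proto_name, ports in (("CAPWAP", CAPWAP_PORTS), ("LWAPP", LWAPP_PORTS)):
        for channel, port in ports.items():
            if verdict(rules, "udp", src, wlc_mgmt_ip, port) != "permit":
                blocked.append(f"{proto_name} {channel} udp/{port}")
    return blocked


# Constructed rule base that still permits only the legacy LWAPP ports (assumed addresses).
LEGACY_RULES = [
    Rule("permit", "udp", "10.10.0.0/16", "10.1.1.5/32", (12222, 12223)),
    Rule("deny", "ip", "0.0.0.0/0", "0.0.0.0/0"),
]

# The same rule base after adding CAPWAP, scoped to the controller's management address only.
FIXED_RULES = [
    Rule("permit", "udp", "10.10.0.0/16", "10.1.1.5/32", (5246, 5247)),
] + LEGACY_RULES


if __name__ == "__main__":
    print("legacy rules block:", audit_ap_path(LEGACY_RULES, "10.10.0.0/16", "10.1.1.5"))
    print("fixed rules block: ", audit_ap_path(FIXED_RULES, "10.10.0.0/16", "10.1.1.5"))
```

The corrected rule permits the two CAPWAP ports only toward the controller's management address rather than to any destination, which is the least-privilege form of the guideline; the LWAPP rule is kept for access points that have not yet received the CAPWAP image.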

How do I use the USB console port on the Cisco 5500 series wireless LAN controller?

The USB console port on the 5500 series controllers connects directly to the USB connector of a PC using a USB Type A to 5-pin mini Type B cable.

Note: The 4-pin mini Type B connector is easily confused with the 5-pin mini Type B connector. They are not compatible. Only the 5-pin mini Type B connector can be used.

What is the function of the service port on a WLC?

In order to configure the basic settings on a 4400 controller using the GUI configuration wizard, you must connect to the service port of the controller. Next, configure your PC to use the same subnet as the controller service port (the service port has a factory default IP address when the WLC is configured for the first time). Start Internet Explorer 6.0 SP1 (or later) or Firefox on your PC and browse to the service port address. The GUI Configuration wizard appears.

How does the WLC forward packets? What is the mechanism?

All client (802.11) packets are encapsulated in an LWAPP packet by the LAP and sent to the WLC. The WLC decapsulates the LWAPP packet and acts based on the destination IP address in the 802.11 packet. If the destination is one of the wireless clients associated to the WLC, it encapsulates the packet again with LWAPP and sends it to the LAP of that client, where it is decapsulated and sent to the wireless client. If the destination is on the wired side of the network, the WLC removes the 802.11 header, adds an Ethernet header, and forwards the packet to the connected switch, from where it is sent to the wired client. When a packet comes from the wired side, the WLC removes the Ethernet header, adds the 802.11 header, encapsulates it with LWAPP, and sends it to the LAP, where it is decapsulated and the 802.11 packet is delivered to the wireless client.
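The three forwarding paths described above, as an added example that is not code from the original page or from Cisco. The frame and tunnel headers are simplified constructed dataclasses (an assumption; no real LWAPP or 802.11 byte layouts are parsed), and the client addresses and LAP names in demo() are made up for the example.

```python
"""Model of the WLC's forwarding decision for LWAPP-encapsulated 802.11 frames.

Added example: the headers below are simplifications that keep only the fields
the decision in the text depends on (assumption).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Dot11Frame:
    """Simplified 802.11 data frame."""
    src_mac: str
    dst_mac: str
    dst_ip: str
    payload: bytes


@dataclass(frozen=True)
class LwappPacket:
    """LWAPP tunnel header wrapped around an 802.11 frame; ap_id is the tunnelling LAP."""
    ap_id: str
    inner: Dot11Frame


@dataclass(frozen=True)
class EthernetFrame:
    """What the WLC hands to the connected switch on the wired side."""
    src_mac: str
    dst_mac: str
    dst_ip: str
    payload: bytes


class WLC:
    def __init__(self):
        # client IP -> (client MAC, LAP the client is associated to)
        self.clients = {}

    def associate(self, client_ip, client_mac, ap_id):
        self.clients[client_ip] = (client_mac, ap_id)

    def from_wireless(self, pkt):
        """Decapsulate LWAPP and forward on the destination IP of the 802.11 frame."""
        frame = pkt.inner
        if frame.dst_ip in self.clients:
            # Wireless-to-wireless: re-encapsulate the same 802.11 frame and tunnel it
            # to the LAP of the destination client; it never reaches the wired switch.
            _, dst_ap = self.clients[frame.dst_ip]
            return LwappPacket(dst_ap, frame)
        # Wireless-to-wired: strip the 802.11 header, add an Ethernet header, hand to the switch.
        return EthernetFrame(frame.src_mac, frame.dst_mac, frame.dst_ip, frame.payload)

    def from_wired(self, eth):
        """Wired-to-wireless: swap the Ethernet header for 802.11 and tunnel to the client's LAP."""
        if eth.dst_ip not in self.clients:
            return None  # no associated client with that address: nothing to deliver
        dst_mac, dst_ap = self.clients[eth.dst_ip]
        return LwappPacket(dst_ap, Dot11Frame(eth.src_mac, dst_mac, eth.dst_ip, eth.payload))


def demo():
    """Constructed topology: two clients on two LAPs and one wired host (assumed addresses)."""
    wlc = WLC()
    wlc.associate("10.0.0.10", "aa:aa:aa:00:00:10", "LAP-1")
    wlc.associate("10.0.0.20", "aa:aa:aa:00:00:20", "LAP-2")
    gateway_mac = "00:00:5e:00:01:01"
    wireless_to_wireless = wlc.from_wireless(
        LwappPacket("LAP-1", Dot11Frame("aa:aa:aa:00:00:10", "aa:aa:aa:00:00:20", "10.0.0.20", b"hello")))
    wireless_to_wired = wlc.from_wireless(
        LwappPacket("LAP-1", Dot11Frame("aa:aa:aa:00:00:10", gateway_mac, "192.168.1.50", b"get")))
    wired_to_wireless = wlc.from_wired(
        EthernetFrame(gateway_mac, "aa:aa:aa:00:00:10", "10.0.0.10", b"reply"))
    return wireless_to_wireless, wireless_to_wired, wired_to_wireless


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the model makes visible is that the destination lookup happens on the controller, so traffic between two wireless clients is switched inside the WLC and the wired network never sees it.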

What is master controller mode on a WLC?

When a master controller is enabled, all newly added access points with no primary, secondary, or tertiary controllers assigned associate with the master controller on the same subnet. This allows the operator to verify the access point configuration and assign primary, secondary, and tertiary controllers to the access point using the All APs > Details page.

The master controller is normally used only when adding new access points to the Cisco wireless LAN solution. When no more access points are being added to the network, Cisco recommends that you disable the master controller.

What is the function of a WLAN on a WLC?

A WLAN on the WLC is the equivalent of an SSID on an autonomous access point. It is required for a client to associate with the wireless network. In order to configure a WLAN on a WLC, refer to the sample configuration in the document Guest WLAN and Internal WLAN using WLCs Configuration.

How does DHCP work with the WLC?

The WLC is designed to act as a DHCP relay agent toward the external DHCP server and to look like a DHCP server to the client. This is the sequence of events that occurs:

Generally, a WLAN is tied to an interface on which a DHCP server is configured. When the WLC receives a DHCP request from a client on that WLAN, it relays the request to the DHCP server using its management IP address.

The WLC presents its virtual IP address, which must be a non-routable address, to the client as the DHCP server.
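The two rewrites in that sequence, shown on real DHCP bytes as an added example (not code from the original page or from Cisco): the relay toward the server sets the giaddr field to the controller's management address, and the reply toward the client carries the controller's virtual address as the DHCP server identifier (option 54) instead of the real server's. The packet builder is a minimal RFC 2131 header plus options, written for this example; the management address 10.1.1.5, the virtual address 192.0.2.1 and the real server 10.200.0.2 are assumed placeholders.

```python
"""WLC DHCP relay behaviour on constructed DHCP packets (added example).

Builds a minimal DHCP message (RFC 2131 fixed header, magic cookie, options) so
the giaddr and server-identifier rewrites can be shown byte for byte.
"""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 53, 54, 255
HOPS_OFFSET = 3       # op, htype, hlen, hops
GIADDR_OFFSET = 24    # ... xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4) siaddr(4) -> giaddr at 24
OPTIONS_OFFSET = 240  # 236-byte fixed header + 4-byte magic cookie

MGMT_IP = "10.1.1.5"       # assumed: WLC management interface address used for relaying
VIRTUAL_IP = "192.0.2.1"   # assumed placeholder for the controller's non-routable virtual address


def build_dhcp(op, msg_type, xid, yiaddr="0.0.0.0", giaddr="0.0.0.0", server_id=None, chaddr=bytes(6)):
    """Constructed DHCP message with only the fields this example needs."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        op, 1, 6, 0, xid, 0, 0,
        bytes(4), ipaddress.ip_address(yiaddr).packed, bytes(4),
        ipaddress.ip_address(giaddr).packed,
        chaddr.ljust(16, b"\0"), bytes(64), bytes(128),
    )
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        options += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_id).packed
    return header + MAGIC_COOKIE + options + bytes([OPT_END])


def parse_options(pkt):
    """Return {code: value} for the TLV options after the magic cookie (pad/end handled)."""
    if pkt[OPTIONS_OFFSET - 4:OPTIONS_OFFSET] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, OPTIONS_OFFSET
    while i < len(pkt):
        code = pkt[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == OPT_END:
            break
        length = pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return options


def set_option(pkt, code, value):
    """Rebuild the option field with `code` replaced (or appended) by `value`."""
    options = parse_options(pkt)
    options[code] = value
    body = b"".join(bytes([c, len(v)]) + v for c, v in options.items())
    return pkt[:OPTIONS_OFFSET] + body + bytes([OPT_END])


def relay_to_server(request_from_client):
    """Step 1: relay the client's request with giaddr = management address and hops + 1."""
    pkt = bytearray(request_from_client)
    pkt[HOPS_OFFSET] += 1
    pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4] = ipaddress.ip_address(MGMT_IP).packed
    return bytes(pkt)


def relay_to_client(reply_from_server):
    """Step 2: deliver the server's reply with the virtual address as the server identifier."""
    return set_option(reply_from_server, OPT_SERVER_ID, ipaddress.ip_address(VIRTUAL_IP).packed)


def giaddr(pkt):
    return str(ipaddress.ip_address(pkt[GIADDR_OFFSET:GIADDR_OFFSET + 4]))


def server_id(pkt):
    return str(ipaddress.ip_address(parse_options(pkt)[OPT_SERVER_ID]))


if __name__ == "__main__":
    discover = build_dhcp(1, 1, 0x1234, chaddr=bytes.fromhex("aabbccddeeff"))
    print("relayed giaddr:", giaddr(relay_to_server(discover)))
    offer = build_dhcp(2, 2, 0x1234, yiaddr="10.20.0.50", giaddr=MGMT_IP, server_id="10.200.0.2")
    print("server seen by client:", server_id(relay_to_client(offer)))
```

The effect of the second rewrite is that clients never learn the real DHCP server's address: every client sees the same virtual address as its server, which is why that address has to be one that is not reachable anywhere else on the network.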

How do I change the power and channel settings for a LAP?

Once a LAP registers to a WLC, all configuration for the LAP is done on the WLC. The WLC has a built-in feature called Radio Resource Management (RRM), in which the WLC internally runs an algorithm that automatically adjusts the channel and power settings according to the deployment of LAPs. RRM is turned on by default on the WLC. You do not need to change the channel and power settings for a LAP, but you can override RRM and statically assign power and channel settings for a LAP.

What happens to the wireless network when I perform a software upgrade? Do all the access points (APs) registered to a WLC go down until they are upgraded, or are they upgraded one at a time so that the wireless network can remain up?

Once the WLC is upgraded, it must be rebooted for the changes to take effect. During this time, connectivity to the WLC is lost. LAPs registered to the WLC lose their association to the WLC, so service to the wireless clients is interrupted. When you upgrade the controller's software, the software on the controller's associated access points is also automatically upgraded.

Up to 10 access points can be concurrently upgraded from the controller. Do not power down the controller or any access point during this process; otherwise, you might corrupt the software image.

Can a Cisco IOS Software-based access point (AP) that has been converted to lightweight mode register with Cisco 4100 Series WLCs?

No, Cisco IOS Software-based APs that are converted to lightweight mode cannot register with the Cisco 40xx, 41xx, or 3500 WLCs. These lightweight APs (LAPs) can register only with the Cisco 4400 and 2000 series WLCs.

Is it possible to go back and make corrections in the WLC configuration wizard at the time of the initial configuration?

Yes. Use the - (hyphen) key to go back and re-enter the previous parameter value.

With the "Management via Wireless" feature enabled on the WLCs in a mobility group, I can access only one WLC from that mobility group, not all of them. Why?

This is expected behavior. When enabled, the Management via Wireless feature allows a wireless client to reach or manage only the WLC to which its associated access point is registered. The client cannot manage other WLCs, even though they are in the same mobility group. This is implemented for security and was tightened to just the one WLC in order to limit exposure.

Is it possible to put the integrated controller of a Catalyst 3750 switch and a 4400 wireless LAN controller in the same mobility group?

Yes, it is possible to create a mobility group between a Catalyst 3750 switch with an integrated controller and a 4400 WLC.

Are there any basic requirements to maintain when I use the mobility anchor feature in order to configure wireless LAN controllers (WLCs) for guest access?

These are the two basic requirements that must be maintained when you use a mobility anchor to configure WLCs for guest access:

The mobility anchor of the local WLC must point to the anchor WLC, and the mobility anchor of the anchor WLC must point only to itself.

Note: You can configure redundant anchor WLCs. The local WLC uses them in the order in which they are configured.

Make sure you configure the same security policy for the service set identifier (SSID) on both the local and anchor WLCs. For example, if the SSID is "guest" and you turn on web authentication on the local WLC, make sure the same SSID and security policy are also configured on the anchor WLC.

If the WLCs in the same mobility group are separated by Network Address Translation (NAT) boundaries, can they exchange mobility messages with each other?

In controller software releases earlier than 4.2, mobility between controllers in the same mobility group does not work if one of the controllers is behind a network address translation (NAT) device.

Mobility message payloads carry the IP address of the source controller. This address is validated against the source IP address in the IP header. This poses a problem when a NAT device is introduced in the network, because the NAT device changes the source IP address in the IP header and the validation fails.

In controller software release 4.2 and later, the mobility group lookup is changed to use the MAC address of the source controller. Because the source IP address is changed by the mapping in the NAT device, the mobility group database is searched by the MAC address of the requesting controller before a reply is sent, in order to obtain the IP address at which that controller should be reached.

Can we place the lightweight access point (LAP) behind Network Address Translation (NAT)? Does LWAPP from the access point (AP) to the WLC work across NAT boundaries?

Yes, you can place the LAP behind NAT. On the AP side, you can have any type of NAT configured, but on the WLC side you can have only 1:1 (static) NAT configured. PAT cannot be used on the WLC side because the LAPs cannot respond to the WLC if its ports are translated to ports other than 12222 and 12223, which are reserved for LWAPP data and control messages respectively.

Can I place the lightweight access point (LAP) behind Network Address Translation (NAT)? Does CAPWAP from the access point (AP) to the WLC work across NAT boundaries?

Yes, you can place the LAP behind NAT. On the AP side, you can have any type of NAT configured, but on the WLC side you can have only 1:1 (static) NAT configured.

PAT cannot be used on the WLC side because the LAPs cannot respond to the WLC if its ports are translated to ports other than 5246 and 5247, which are reserved for CAPWAP control and data messages respectively.

Select the Enable NAT Address check box and enter the external NAT IP address if you want to deploy your Cisco 5500 Series Controller behind a router or other gateway device that is using one-to-one network address translation (NAT).

Can I upgrade the WLC from one major version to another directly?

You can upgrade or downgrade the WLC software directly only between releases that are at most two releases apart. In order to upgrade or downgrade beyond two releases, you must first install an intermediate release.

We have finished our initial deployment of LAPs. When our clients move from one end of the building to the other, they stay associated with the AP to which they were closest. The clients do not appear to be handed off to the next-closest AP until the signal from the initial AP is completely gone. Why?

The coverage area of an AP is controlled by the WLC: the WLC communicates with its APs and manages their transmit power on the basis of how each AP hears the other APs. The decision to move from one AP to another, however, is made entirely by the client. The radio in the client determines when it roams from one AP to another.

No setting on the WLC, the AP, or the rest of your network controls the client's decision to roam to a different AP.

How do I prevent loops on the WLC?

You can enable STP on the WLC to prevent loops. From the WLC GUI, click Controller, then open the Advanced submenu on the left side of the page. Click the Spanning Tree option and choose Enable for Spanning Tree Algorithm on the right side of the page.

STP is disabled by default; in a typical deployment you do not need to enable it to prevent loops.

Is there any way to recover my password for the WLC?

There is no option to recover an existing password.

If you forget your password in WLC version 5.1 and later, you can use the CLI from the controller's serial console to configure a new username and password. Complete these steps:

  1. After the controller boots up, enter Restore-Password at the User prompt.
     Note: For security reasons, the text that you enter does not appear on the controller console.
  2. At the Enter User Name prompt, enter a new username.
  3. At the Enter Password prompt, enter a new password.
  4. At the Re-enter Password prompt, re-enter the new password. The controller validates and stores your entries in the database.
  5. When the User prompt reappears, enter your new username.
  6. When the Password prompt appears, enter your new password. The controller logs you in with your new username and password.

Because anyone with access to the serial console can perform this procedure, physical access to the controller's console port must be restricted.

I have set up a guest wireless LAN and the WLC is physically separated from my internal LAN. I decided to use the internal DHCP feature of this WLC, but my wireless clients do not get IP addresses from the WLC. How do wireless guest users get IP addresses from the WLC when they are connected on a physically separate network?

Check that the DHCP scope is enabled on the WLC. In order to check this, click the Controller menu and then click Internal DHCP Server on the left-hand side.

Generally, the DHCP server is specified on the interface that maps to the WLAN. Make sure that the management interface address of the WLC is specified as the DHCP server on the interface that maps to the guest WLAN. Alternatively, you can enable the DHCP Server Override option on the WLANs > Edit page and specify the management interface address of the WLC in the DHCP Server IP Addr field.

I have a 4400 series WLC with LAPs registered to it. I have configured WLANs on the WLC for the clients to connect to. The problem is that the WLC does not broadcast the SSIDs that I configured for the WLANs. Why?

The Admin Status and Broadcast SSID parameters are disabled by default. Complete these steps in order to enable Admin Status and Broadcast SSID:

  1. Go to the WLC GUI and choose WLANs. The WLANs page appears and lists the WLANs that are configured.
  2. Select the WLAN for which you want to enable broadcasting of the SSID and click Edit.
  3. In the WLANs > Edit page, check Admin Status in order to enable the WLAN. Also check Broadcast SSID in order to ensure that the SSID is broadcast in the beacon frames sent by the AP.

Wireless LAN clients associated with the lightweight access points are not able to get IP addresses from the DHCP server. How do I proceed?

The DHCP server for a client is usually specified on the interface that maps to the WLAN to which the client is associated. Check that this interface is configured correctly.

My 1131 lightweight access point (LAP) does not register with my 4402 wireless LAN controller (WLC). What can be the possible reason for this?

One common reason is the Lightweight Access Point Protocol (LWAPP) Transport Mode configured on the WLC. A 4402 WLC can operate in both Layer 2 and Layer 3 LWAPP mode, whereas an 1131 LAP can operate only in Layer 3 mode; Layer 2 mode is not supported on the 1131 LAP. So if the WLC is configured with an LWAPP Transport Mode of Layer 2, the LAP does not join the WLC. In order to overcome this problem, change the LWAPP Transport Mode of the WLC from Layer 2 to Layer 3. To change it using the GUI, open the Controller page of the WLC GUI, locate the LWAPP Transport Mode field, change it to Layer 3, and reboot the WLC. The LAP is then able to register with the WLC.

Why are access points (APs) that are registered to other WLCs in the same RF group shown as rogues?

This can be due to Cisco bug ID CSCse87066. LWAPP APs in the same RF group are seen as rogue APs by another WLC for one of these reasons:

The AP sees more than 24 neighbors. The neighbor list size is 24, so the 25th AP is reported as a rogue.

AP1 can hear the client that communicates with AP2, but AP2 itself cannot be heard, so it cannot be validated as a neighbor.

The workaround is to manually set the APs to Known Internal on the WLC and/or WCS. Complete these steps on the WLC in order to manually set the APs to Known Internal:

  1. Go to the WLC GUI and choose Wireless.
  2. Click Rogue APs in the left-side menu.
  3. From the Rogue AP list, choose the specific access point and click Edit.
  4. From the Update Status menu, choose Known Internal.
  5. Click Apply.

This bug is fixed in version

We have a couple of Access Control Servers (ACS) that authenticate the wireless clients associated to the wireless LAN controllers (WLCs). One ACS acts as the primary authentication server and the other as a failover server. If the primary server fails, the WLC falls back to the secondary for authenticating the wireless clients. Once the primary server comes back up, the WLC does not fall back to the primary server. Why?

This is expected behavior. These steps occur when a client is authenticated through the WLC in a multiple-ACS deployment:

Upon boot up, the WLC determines the active ACS. When this active ACS does not respond to the RADIUS request from the WLC, the WLC fails over to the secondary ACS.

Even when the primary ACS comes back up, the WLC does not fall back to it until the ACS to which the WLC is currently authenticating fails.

In such cases, reboot the WLC in order for the WLC to identify the primary ACS again and fall back to it. This fallback does not occur immediately after the reboot; it might take some time.



  1. If all the APs are getting IPs from the DHCP server and, once the lease has expired, a new IP is assigned to the devices, then when the tool polls with the old IP it gets a ping-failed error.
    So how do we bind static IPs on all the APs? Could you tell me the procedure?


    1. Sahil,
      As per my understanding,
      you want to assign a static IP to the access point instead of getting an IP from the DHCP server.
      1. Log in to the access point.
      2. In the left-hand menu, click the Express Set-Up option.
      3. On this page, in the "Configuration Server Protocol" option, select the Static IP option.
      Below are the options to fill in IP, Subnet Mask, Default Gateway.
      Reference Link

      Let me know if you are looking for something else.

