JT
JT Exams
Log inStart Free Trial
NetworkingCCNA

CCNA Wireless Architecture: Autonomous APs, Lightweight APs & WLC

Wireless LAN architecture is a significant topic area on CCNA 200-301 exam. You need to understand the two main AP deployment models — autonomous and lightweight — as well as the Wireless LAN Controller (WLC), the CAPWAP protocol, and the various AP operational modes. This guide covers how each architecture works, their trade-offs, and the specific details that appear on the exam.

8 min
4 sections · 6 exam key points
5 practice questions

Autonomous APs: self-contained wireless

An autonomous access point is a fully independent unit — it handles all wireless functions itself: beacon transmission, client authentication, client association, encryption, and forwarding. Each AP is configured individually via CLI or web GUI. This is manageable for one or two APs but becomes operationally painful with dozens or hundreds of devices.

Autonomous APs connect to the wired network as an access port (single VLAN) or with a trunk port for multiple SSIDs mapped to different VLANs. There is no central controller — each AP makes its own forwarding decisions. Roaming between autonomous APs requires the client to re-associate and potentially re-authenticate, which can cause noticeable connectivity gaps.

Autonomous APs are still used in small deployments where cost and simplicity matter more than centralized management. A SOHO router with built-in Wi-Fi is essentially an autonomous AP.

Lightweight APs and the split-MAC architecture

Lightweight APs (LAPs) split the wireless functions between the AP and a Wireless LAN Controller (WLC). This split-MAC architecture assigns time-sensitive functions (sending and receiving frames, encryption, beaconing) to the AP and management functions (authentication, association, roaming decisions, configuration) to the WLC.

This design enables centralized management: you configure SSIDs, security policies, QoS profiles, and RF settings once on the WLC, and it pushes those settings to all associated APs. Adding a new AP means it contacts the WLC, downloads its configuration, and starts serving clients — no individual AP configuration required.

Lightweight APs use the CAPWAP (Control and Provisioning of Wireless Access Points) protocol to communicate with the WLC. CAPWAP runs over UDP and creates two tunnels: a control tunnel (management traffic, encrypted with DTLS) and a data tunnel (client data frames forwarded to the WLC). In some deployments, the data tunnel is bypassed and the AP forwards client traffic locally (FlexConnect local switching).

WLC functions and AP discovery

The WLC is the central management point for the wireless network. It handles: AP configuration distribution, client authentication (802.1X/RADIUS integration), roaming between APs, RF management (transmit power, channel selection), QoS policy application, and WLAN security enforcement.

When a lightweight AP boots, it must discover and join a WLC. The discovery process uses several methods in order: (1) previously learned WLC IP in NVRAM, (2) local subnet broadcast, (3) DNS lookup for CISCO-CAPWAP-CONTROLLER, (4) DHCP option 43 (WLC IP delivered via DHCP), (5) OTAP (Over-the-Air Provisioning, deprecated). In production, DHCP option 43 or DNS are the most reliable methods.

Once the AP discovers the WLC, it forms the CAPWAP control tunnel, exchanges certificates for mutual authentication, receives its configuration, and starts serving clients. The AP registers to the WLC and appears in the WLC's AP inventory.

AP operational modes

Lightweight APs support multiple operational modes configurable from the WLC: Local mode is the default — the AP serves clients on its configured channels while also scanning other channels between beacon intervals for rogue AP detection. Monitor mode dedicates the AP to RF monitoring only — it scans all channels continuously for rogues, interference, and security threats, but serves no clients.

Sniffer mode configures the AP to capture all 802.11 frames on a channel and forward them to a packet capture tool (like Wireshark). FlexConnect (formerly Hybrid REAP) allows the AP to switch client traffic locally when the WLC connection is lost — important for branch offices over WAN links. Bridge mode connects two wired networks wirelessly (point-to-point or mesh). SE-Connect mode is used with Cisco CleanAir for spectrum analysis.

Autonomous vs Lightweight AP comparison

AspectAutonomous APLightweight AP
ConfigurationPer-AP (CLI or web GUI)Centralized on WLC
Control planeIn the APSplit: AP handles real-time, WLC handles management
WLC requiredNoYes
Protocol to WLCN/ACAPWAP over UDP
RoamingClient re-authenticatesSeamless (WLC manages handoff)
ScalabilityLow (manual config per AP)High (hundreds of APs per WLC)
FlexConnectN/ASupported (local switching when WLC unreachable)

Key exam facts — CCNA

  • Lightweight APs use CAPWAP (UDP) to communicate with WLC — two tunnels: control (DTLS encrypted) and data
  • AP discovery order: NVRAM → broadcast → DNS → DHCP option 43 → OTAP
  • Local mode (default): serves clients + passive scanning. Monitor mode: RF scanning only, no clients
  • FlexConnect: AP switches client traffic locally if WLC connection is lost
  • Roaming: WLC manages handoff between APs transparently — client stays associated without re-authenticating
  • Split-MAC: real-time functions at AP; authentication, association, config at WLC

Common exam traps

A lightweight AP can work without a WLC if the WLC goes down

In standard local mode, a lightweight AP stops serving clients if it loses CAPWAP connectivity to the WLC. FlexConnect mode is the exception — it's specifically designed to allow local switching when the WLC is unreachable.

CAPWAP is only used for configuration — client data goes directly to the switch

In local mode, CAPWAP tunnels both control AND data traffic to the WLC. The WLC forwards client data to the wired network. Only in FlexConnect local switching does client data bypass the CAPWAP tunnel.

Monitor mode APs can serve clients while also monitoring the RF environment

Monitor mode dedicates the AP entirely to RF scanning. It does not serve any wireless clients. Local mode performs passive scanning between beacon intervals while still serving clients.

Practice questions — Wireless Architecture

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1.Which protocol do lightweight APs use to communicate with a Wireless LAN Controller?

A.CDP
B.CAPWAP
C.LWAPP
D.LLDP

Explanation: CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol lightweight APs use to communicate with WLCs. It runs over UDP and creates separate control (DTLS-encrypted) and data tunnels. LWAPP was the predecessor, replaced by CAPWAP.

Q2.An AP is configured in Monitor mode. What is the primary function of this AP?

A.Serve clients on the primary channel only
B.Provide local switching when the WLC is unreachable
C.Scan all wireless channels for rogue APs and interference without serving clients
D.Capture frames and forward them to a packet analyzer

Explanation: Monitor mode dedicates the AP to continuous RF scanning on all channels for rogue AP detection, interference, and security threats. The AP does not serve any clients in this mode.

Q3.What is the purpose of FlexConnect AP mode?

A.To allow APs to function as WLCs
B.To enable local client data switching when the WLC connection is lost
C.To provide point-to-point wireless bridging between buildings
D.To enable spectrum analysis for RF troubleshooting

Explanation: FlexConnect (formerly Hybrid REAP) allows an AP to switch client traffic locally on the LAN even if the CAPWAP connection to the WLC is lost. This is critical for branch office APs connected to the WLC over a WAN link.

Q4.When a lightweight AP boots and has no WLC IP in NVRAM, what is the next AP discovery method?

A.DNS lookup for CISCO-CAPWAP-CONTROLLER
B.Local subnet broadcast
C.DHCP option 43
D.OTAP

Explanation: The AP discovery order is: NVRAM (previously learned WLC IP) → local subnet broadcast → DNS → DHCP option 43 → OTAP. After checking NVRAM and finding nothing, the AP sends a local broadcast.

Q5.In a split-MAC architecture, which function is handled by the lightweight AP (not the WLC)?

A.Client authentication
B.SSID configuration
C.Transmitting and receiving 802.11 frames
D.Roaming decisions

Explanation: In split-MAC, time-sensitive real-time functions (transmitting beacons, receiving frames, encryption) stay at the AP. Management functions (client authentication, association management, configuration, roaming decisions) are handled by the WLC.

Frequently asked questions — Wireless Architecture

What is the difference between autonomous and lightweight APs?

Autonomous APs are fully self-contained and configured individually — no WLC needed. Lightweight APs use split-MAC architecture, offloading management functions to a WLC and receiving configuration centrally via CAPWAP. Lightweight APs enable seamless roaming, central policy management, and scalability across hundreds of APs.

How does CAPWAP work between a lightweight AP and WLC?

CAPWAP creates two UDP tunnels between the AP and WLC: a control tunnel (encrypted with DTLS) for management messages and configuration, and a data tunnel for client data frames. In local mode, all client traffic is forwarded through the CAPWAP data tunnel to the WLC, which forwards it to the wired network.

What happens to wireless clients when a lightweight AP loses connectivity to the WLC?

In standard local mode, the AP stops serving clients — it cannot operate without the WLC connection. In FlexConnect mode, the AP continues local switching and keeps clients connected. For branch offices with WAN links to the WLC, FlexConnect is essential to maintain wireless service during WAN outages.

How does seamless roaming work with lightweight APs?

When a client moves from one AP to another within the same WLC domain, the WLC manages the roaming handoff. The WLC updates its client database, redistributes the client's association to the new AP, and maintains the client session — the client stays connected without re-authenticating. This is L2 roaming; L3 roaming (across IP subnets) requires additional protocols.

What is DHCP option 43 and why is it used for AP discovery?

DHCP option 43 is a vendor-specific DHCP option that can contain the IP address of the WLC. When a lightweight AP boots and sends a DHCP request, the DHCP server includes the WLC IP in option 43. The AP uses this IP to contact the WLC. This is the most reliable AP discovery method in production networks and eliminates the need for DNS configuration.

Practice this topic

CCNApractice questions

Test yourself on Wireless Architecture

JT Exams routes you to questions in your exact weak areas — automatically, after every session.

Free practice testStart 7-Day Free Trial

No credit card · Cancel anytime

Related certification topics

WLAN Configuration

CCNA

Wireless Security (WPA)

CCNA

Network Components

CCNA

VLAN Types

CCNA