Tuesday, December 2, 2025

LWAPP (Lightweight Access Point Protocol)

 LWAPP was Cisco’s original tunneling + control protocol used between lightweight APs and a Wireless LAN Controller (WLC) before CAPWAP became the standard.

Think of LWAPP as:

  • Cisco-proprietary

  • Older

  • Superseded by CAPWAP

  • Functionally similar, but less secure + less standardized


LWAPP Purpose

LWAPP allowed Cisco to convert “fat APs” (autonomous) into “thin APs” (controller-based).

It provided:

  1. Control channel

    • AP → WLC for configs, RF, join process

  2. Data channel

    • AP → WLC for client frames

  3. Central management

    • APs received configs from controller

  4. Split MAC architecture

    • WLC handled most MAC functions

    • AP handled real-time RF stuff


Why Cisco Replaced LWAPP

Cisco eventually moved to CAPWAP (Control and Provisioning of Wireless Access Points) because:

LWAPP | CAPWAP
--- | ---
Cisco-proprietary | IETF standard
Encryption optional | DTLS encryption mandatory for control
Limited interoperability | Multi-vendor capable
Early design | Modern RF features supported

CAPWAP fully replaced LWAPP on modern CCNA-tested controllers.


Ports

LWAPP used:

  • UDP 12222 (data)

  • UDP 12223 (control)

CAPWAP uses:

  • UDP 5246 (control)

  • UDP 5247 (data)


Exam Tip for CCNA

  • CAPWAP is on the exam.

  • LWAPP is NOT except as a historical reference.

  • You only need to know:
    🔹 “LWAPP was Cisco’s older proprietary tunneling protocol replaced by CAPWAP.”

Split MAC Architecture

In wireless networks, “MAC” does NOT mean MAC address — it means the Media Access Control sublayer of Layer 2.

Remember:
OSI Layer 2 = LLC + MAC

  • LLC = Logical Link Control

  • MAC = Media Access Control (sublayer responsible for frame handling & channel access)

In wireless LANs, the MAC sublayer performs many functions beyond wired Ethernet.
These functions include:

  • Frame acknowledgement (ACK)

  • RTS/CTS (collision avoidance)

  • Fragmentation & reassembly

  • Beaconing

  • Probe requests/responses

  • Authentication/Association frames

  • Load balancing decisions

  • Power-save (PS) buffering and delivery

  • Encryption/decryption


Split MAC Architecture Defined

Split MAC architecture means that the MAC sublayer operations are divided between the AP and the WLC.

The division looks like this:


MAC Functions Done on the AP

(Real-time, timing-critical operations)

The AP handles the MAC duties that require microsecond precision — tasks that cannot tolerate delay over a WAN tunnel.

AP handles:

  • Sending & responding to ACKs

  • RTS/CTS handshake

  • Beacons

  • Probe responses

  • Power Save mode buffering / delivery (TIM/DTIM)

  • Encryption/Decryption (in most modern deployments except some CAPWAP DTLS scenarios)

  • Retransmissions

  • Frame fragmentation/reassembly

  • Local RF calculations (RSSI/SNR)

Think of these as the radio-timing functions.


MAC Functions Done on the WLC

(Control, policy, and higher-level management tasks)

The WLC performs the MAC duties that are management/policy driven, not time-sensitive.

WLC handles:

  • 802.1X authentication

  • Client association authorization

  • Key management (WPA/WPA2 handshake mgmt)

  • Mobility/roaming decisions

  • Load balancing & band steering

  • QoS policy decisions

  • Captive portal & ACL enforcement

  • VLAN mapping

  • Client state tables

  • Forwarding decisions (in central switching mode)

Think of these as the brains while the AP handles the muscle.


Why It’s Split

Because wireless needs extremely tight timing — tighter than a WAN or even LAN round-trip could support.

So:

  • AP does timing-critical MAC functions

  • WLC does control/management MAC functions

This is what makes lightweight APs “lightweight” — they offload higher-order MAC logic to the controller.


CCNA-Level Exam Definition

Here is the exact short version Cisco expects:

Split MAC architecture divides MAC layer functions between the AP and the WLC, where the AP handles real-time 802.11 operations (ACKs, RTS/CTS, beacons) and the WLC handles non–real-time tasks (authentication, association, key management, policy).

BUILDING A WIRELESS LAN

CHAPTER 29 — BUILDING A WIRELESS LAN (FULL MASTER SUMMARY)

Aligned to CCNA 200-301 v1.1

Wendell Odom Literal + Inferred Mastery Required

WLANs have three major architectural eras:

1. Autonomous APs (Legacy)

  • Each AP is a full stand-alone device.

  • Configuration done individually on each AP.

  • No controller.

  • Rare on the exam except as a comparison point.

2. Controller-Based Wireless (CAPWAP-based): CCNA CORE

  • APs are “lightweight” (LAPs).

  • All control, authentication, and policy handled by WLC.

  • APs forward CAPWAP tunnels back to the controller.

CAPWAP Key Points

  • Ports: UDP 5246 (control), UDP 5247 (data)

  • Encrypts control traffic; data optional.

  • Replaces LWAPP.

3. Cloud-Based Wireless

  • APs managed from the cloud (like Meraki).

  • Still uses control-plane tunneling but cloud-managed.

4. Distributed / Local Mode Hybrid (FlexConnect)

  • AP can locally switch traffic at the remote site.

  • Still uses WLC for control/auth.

  • Great for WAN-constrained branch offices.


SECTION 2 — WLC BUILDING BLOCKS

1. WLC Interfaces (Exam Mandatory)

The WLC uses virtual interfaces to segment functions:

Interface | Purpose
--- | ---
Management | Web GUI, SSH, Telnet, SNMP, CAPWAP control
AP-Manager | AP CAPWAP data tunnels (in older WLCs; in modern controllers it’s integrated into mgmt)
Service-Port | Out-of-band mgmt (physical port)
Dynamic | Mapped to VLANs for WLANs (like an SVI on switches)
Virtual | Used for DHCP/NAT ARPs, client web auth (1.1.1.1 always)

2. WLAN Components on WLC

A WLAN in WLC =
SSID + Security + Interface mapping + Policy

CLI:

wlan <id> <profile-name> <ssid>
wlan <id> shutdown
wlan <id> no shutdown




SECTION 3 — AP JOIN PROCESS


AP Join Sequence — MUST KNOW FOR EXAM

  1. Discovery Phase

    • AP uses:

      • DHCP option 43

      • DNS: CISCO-CAPWAP-CONTROLLER.localdomain

      • Broadcast/multicast

      • Preconfigured controller IP

  2. DTLS Control-Tunnel Setup

  3. Image Download (if needed)

  4. Config Download

  5. Join (Run state)



Show commands:

show ap summary
show ap config general <APNAME>

AP operational modes:

Mode | Purpose
--- | ---
Local | Default CAPWAP mode
FlexConnect | Local switching & local auth at branch
Monitor | IDS/IPS, scanning
Sniffer | Packet capture
Rogue Detector | Rogue AP detection
Bridge/Mesh | Mesh APs
SE-Connect | Spectrum Analysis

SECTION 4 — RF FUNDAMENTALS (CCNA-LEVEL)

1. Frequencies

  • 2.4 GHz → long range, more interference

  • 5 GHz → cleaner, shorter range

  • 6 GHz (Wi-Fi 6E) → not on CCNA exam

2. Channel Widths

  • 20 MHz (primary)

  • 40 MHz

  • 80 MHz (DFS issues possible)

3. Channel Planning

  • 2.4 GHz: Channels 1, 6, 11

  • 5 GHz: DFS and non-DFS

4. Antenna Basics

  • Omnidirectional vs directional

  • dBi gain increases range but narrows beamwidth

SECTION 5 — SSID → WLAN → INTERFACE (THE WLC PIPELINE)

Exam Concept:
The WLC ties the SSID → Dynamic Interface → VLAN ID on upstream switch.

Pipeline

  1. Create WLAN

  2. Apply security

  3. Map to dynamic interface

  4. Dynamic interface maps to VLAN

  5. Switchport is trunked to carry that VLAN

CLI:

wlan 20 Students STUDENTS_SSID
 security wpa wpa2 enable
 security wpa akm psk set-key ascii <password>
 interface STUDENTS
 no shutdown

SECTION 6 — SECURITY (HEAVILY TESTED)

1. Open System Auth with PSK

  • WPA2 or WPA3

  • PSK stored locally or in external database

2. 802.1X

  • EAP-TLS, PEAP

  • Requires RADIUS (ISE or NPS)

3. AAA Config on WLC

config radius auth add <server-ip> <key>

4. Encryption Stacks

  • WEP (dead)

  • TKIP (deprecated)

  • AES-CCMP (standard)

  • GCMP (Wi-Fi 6, not heavily tested on CCNA)


SECTION 7 — ROAMING & MOBILITY





1. Layer 2 Roaming

  • Same subnet

  • Original controller maintains anchor state

2. Layer 3 Roaming

  • Client IP stays the same

  • Mobility tunneling between controllers

3. Mobility Groups

  • WLCs must share mobility group name

  • Needed for fast roaming

SECTION 8 — QoS ON WIRELESS (EXAM-MANDATORY)

1. WMM (Wireless Multimedia)

Maps wired CoS → wireless traffic categories:

WMM Access Category | Priority
--- | ---
Voice (AC-VO) | highest
Video (AC-VI) | high
Best Effort (AC-BE) | normal
Background (AC-BK) | low

SECTION 9 — WLC HIGH AVAILABILITY (CCNA LEVEL)

1. N+1 Redundancy

  • Multiple controllers, any one may fail.

2. SSO (Stateful SwitchOver) — More advanced

  • Redundant HA pair shares config and AP state.

3. AP Failover Behavior

  • AP has primary/secondary/tertiary WLC settings.

  • If primary fails, AP joins next available controller.

CLI:

ap name <APNAME> primary <WLCNAME> <IP>

SECTION 10 — WLAN LIFECYCLE BUILD — ODOM’S 8-STEP PLAN

Step 1 – Configure WLC Interfaces

Management, dynamic interfaces, etc.

Step 2 – Configure DHCP

WLC relays or external scope.

Step 3 – Configure AP Join Parameters

Step 4 – Create WLAN

SSID + profile name + WLAN ID.

Step 5 – Apply Security Parameters

Step 6 – Map WLAN to Dynamic Interface

Step 7 – Enable WLAN

GUI or CLI (no shutdown).

Step 8 – Verify

show wlan summary
show client summary
show ap summary

SECTION 11 — WLC CLI COMMAND SET (CCNA MUST KNOW)

Create/Modify WLAN

wlan <id> <profile> <ssid>
wlan <id> shutdown
no wlan <id>

Enable WLAN

wlan <id> no shutdown

Security (PSK example)

wlan <id>
 security wpa akm psk set-key ascii <key>
 security wpa wpa2 enable

Interface Mapping

wlan <id> interface <interface-name>

AP Join & Basic Setup

ap name <AP> ip address <ip> <mask> <gw>
ap name <AP> wlan <id> <ssid>
ap name <AP> mode flexconnect

SECTION 12 — SWITCH CONFIG REQUIRED FOR WLC DEPLOYMENTS




WLC uplinks use 802.1Q trunks:

interface gig0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30

AP access ports:

interface gig0/10
 switchport mode access
 switchport access vlan 30   ← AP mgmt VLAN
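The trunk above and the SSID → dynamic interface → VLAN pipeline of Section 5 have to agree, and "wrong VLAN / dynamic interface" is the first item in the troubleshooting list below. The following Python script is an added example, not part of the page or of Odom's book: it expands an IOS allowed-VLAN list (including ranges such as 20-25), reads it out of a switch interface block, and reports every WLAN whose VLAN the WLC uplink trunk does not carry, whose dynamic interface is missing, or which is shut down. All interface names, VLAN IDs, SSIDs and config lines are constructed for the illustration; only the plain `switchport trunk allowed vlan <list>` form is parsed, and the add/remove/except/none variants are rejected rather than guessed at.

```python
# Added example (not from the page): cross-check the WLC pipeline
# SSID -> WLAN -> dynamic interface -> VLAN against the VLAN list that the
# switch trunk facing the WLC actually carries (Sections 5 and 12 above).
# Every name, VLAN ID and config line below is constructed for this example.
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class DynamicInterface:
    name: str
    vlan: int

@dataclass(frozen=True)
class Wlan:
    wlan_id: int
    ssid: str
    interface: str          # dynamic interface the WLAN is mapped to
    enabled: bool = True

def parse_allowed_vlans(spec: str) -> set:
    """Expand an IOS 'switchport trunk allowed vlan' list such as
    '10,20-25,30' into a set of VLAN IDs; 'all' means 1-4094."""
    if spec.strip().lower() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad VLAN list element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans

def trunk_allowed_from_config(config: str) -> set:
    """Read the allowed-VLAN set from a switch interface block. With no
    'allowed vlan' line IOS carries every VLAN; only the plain list form is
    handled here, the add/remove/except/none variants are rejected."""
    for line in config.splitlines():
        m = re.match(r"\s*switchport trunk allowed vlan\s+(.+?)\s*$", line)
        if not m:
            continue
        spec = m.group(1)
        if spec.split()[0].lower() in ("add", "remove", "except", "none"):
            raise NotImplementedError(f"unsupported allowed-vlan form: {spec!r}")
        return parse_allowed_vlans(spec)
    return set(range(1, 4095))

def check_wlan_pipeline(wlans: list, dyn_ifaces: list, allowed_vlans: set) -> list:
    """One finding per WLAN whose client traffic cannot reach the wired side:
    WLAN shut down, dynamic interface missing, or its VLAN pruned from the trunk."""
    by_name = {d.name: d for d in dyn_ifaces}
    findings = []
    for w in wlans:
        tag = f"WLAN {w.wlan_id} ({w.ssid})"
        d = by_name.get(w.interface)
        if not w.enabled:
            findings.append(f"{tag}: WLAN is shutdown, SSID not broadcast")
        elif d is None:
            findings.append(f"{tag}: dynamic interface {w.interface!r} does not exist")
        elif d.vlan not in allowed_vlans:
            findings.append(f"{tag}: VLAN {d.vlan} is not allowed on the WLC uplink trunk")
    return findings

# Constructed sample: an uplink trunk in the page's style, three dynamic
# interfaces and four WLANs. GUEST maps to VLAN 40, which the trunk does not
# carry, and IOT is administratively down.
SWITCH_UPLINK = """\
interface gig0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20-21,30
"""
DYN_IFACES = [DynamicInterface("STUDENTS", 20), DynamicInterface("STAFF", 21),
              DynamicInterface("GUEST", 40)]
WLANS = [Wlan(20, "STUDENTS_SSID", "STUDENTS"), Wlan(21, "STAFF_SSID", "STAFF"),
         Wlan(22, "GUEST_SSID", "GUEST"), Wlan(23, "IOT_SSID", "IOT", enabled=False)]

def run_check() -> list:
    return check_wlan_pipeline(WLANS, DYN_IFACES, trunk_allowed_from_config(SWITCH_UPLINK))

if __name__ == "__main__":
    for finding in run_check():
        print(finding)
```

Running it prints two findings: the GUEST WLAN's VLAN 40 is pruned from the trunk, and the IOT WLAN is shut down. A trunk with no `allowed vlan` line is treated as carrying all 4094 VLANs, which is the IOS default and the reason a missing line never shows up as a finding.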

SECTION 13 — TROUBLESHOOTING WORKFLOWS

1. Client not getting IP

  • Wrong VLAN / dynamic interface

  • AP in wrong mode

  • DHCP helper missing on switch

2. AP won’t join

  • CAPWAP ports blocked

  • Wrong controller IP

  • Option 43 misconfigured

  • Certificate mismatch

3. SSID not broadcasting

  • WLAN is shutdown

  • Country code mismatch

  • RF profile disabled

SECTION 14 — CCNA EXAM PREDICTED TOPICS (HIGH-PROBABILITY)

  • CAPWAP control vs data ports
  • AP join process steps
  • WLC interface types
  • SSID → WLAN → Dynamic Interface → VLAN mapping
  • AP modes (Local, FlexConnect)
  • WPA2-PSK vs 802.1X/EAP
  • WMM categories
  • Roaming (L2 vs L3)
  • Basic CLI: wlan, security, shutdown/no shutdown
  • Trunk requirements between AP/WLC

ACLs, Standard, Extended, Named

 

⭐ ACLs — The Complete CCNA Review

(Covers concepts, logic, placement rules, and every command you need to know cold.)

1) What ACLs Do

ACL = ordered list of permit/deny statements.

ACLs are used for:

  • Packet filtering (L2-L4)

  • Controlling access to networks

  • NAT qualification (interesting traffic)

  • QoS classification

  • Route filtering (BGP/OSPF distribute-list)

Cisco IOS processes ACLs:

  1. Top → Bottom

  2. First match wins

  3. If no match → implicit deny all


2) Standard ACLs

What they filter:
Only source IP address
(No destination, no ports — nothing else)

Best placement:
Closest to the destination (minimize accidentally blocking legitimate traffic)

Number ranges:

  • 1–99 (legacy)

  • 1300–1999 (expanded)

Named ACL: yes, supported.


Standard ACL Syntax

Create:

access-list <1-99> permit <source> <wildcard>
access-list <1-99> deny <source> <wildcard>

Named variant:

ip access-list standard NAME
 permit <source> <wildcard>
 deny <source> <wildcard>

Apply to interface:

interface g0/0
 ip access-group <ACL-NUMBER or NAME> {in|out}

Examples

Permit only LAN 10.1.1.0/24

access-list 10 permit 10.1.1.0 0.0.0.255

Deny one host

access-list 10 deny host 10.1.1.50

Named version

ip access-list standard USERS
 deny 10.1.1.50
 permit 10.1.1.0 0.0.0.255

3) Extended ACLs

What they filter:
Everything Standard can filter PLUS

  • Source IP

  • Destination IP

  • L4 protocol (TCP, UDP, ICMP)

  • Ports (eq/gt/lt/range)

  • Flags (established)

  • ICMP types

  • TCP handshake matching

Best placement:
Closest to the source (filter early)

Number ranges:

  • 100–199 (legacy)

  • 2000–2699 (expanded)


Extended ACL Syntax

Single-line:

access-list <100-199> permit tcp <source> <src-wc> <dest> <dst-wc> eq <port>

Named:

ip access-list extended NAME
 permit tcp <src> <wc> <dst> <wc> eq 80
 deny udp any any eq 53

Apply:

interface g0/1
 ip access-group FIREWALL-IN in

4) Wildcard Masks Refresher

0 = “must match”
255 = “don’t care”

Examples:

  • /24 → 0.0.0.255

  • /16 → 0.0.255.255

  • Single host → 0.0.0.0 or use host

Reverse of subnet mask.


5) Extended ACL Port Keywords (must know)

Keyword | Meaning
--- | ---
eq | equal to
gt | greater than
lt | less than
neq | not equal
range | port range

Examples:

eq 80
range 1000 2000

6) Extended ACL Examples (Exam Level)

Permit HTTP from 10.1.1.0/24 to server 172.16.0.10

access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 172.16.0.10 eq 80

Block DNS from anywhere to 8.8.8.8

access-list 101 deny udp any host 8.8.8.8 eq 53

Permit ICMP ping only

access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply

Allow established TCP (“return traffic”)

access-list 101 permit tcp any any established
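To see the rules of Sections 1, 4, 5 and 6 interact (top-down evaluation, first match wins, wildcard masks, port operators, `established`, and the implicit deny that also leaves the hit counters untouched), here is an added Python model of ACL evaluation. It is not from the page or from Cisco; it parses the `access-list` lines shown above (and the `<seq> permit|deny` form used inside named ACLs) and walks them the way IOS does. The `Packet` fields, the `ack` flag standing in for the TCP ACK/RST bits that `established` matches, the numeric-ports-only restriction and the sample traffic are assumptions made for the illustration.

```python
# Added example (not from the page): a small model of how IOS walks an ACL,
# top to bottom, first match wins, implicit deny at the end. It lets the
# standard and extended syntax, wildcard masks and 'established' be tried
# on constructed packets. Packet fields and the sample traffic are assumptions.
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")
def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard (inverted subnet mask): 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass
class Packet:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: "int | None" = None
    icmp_type: "str | None" = None
    ack: bool = False               # TCP ACK/RST set -> counts as 'established'

@dataclass
class Ace:
    action: str
    proto: str                      # "ip" for a standard ACL
    src: tuple
    dst: tuple
    port: "tuple | None" = None     # ("eq", 80) or ("range", 1000, 2000)
    icmp_type: "str | None" = None
    established: bool = False
    hits: int = 0
    def matches(self, p: Packet) -> bool:
        ok = (self.proto in ("ip", p.proto)
              and wildcard_match(p.src, *self.src) and wildcard_match(p.dst, *self.dst)
              and (not self.established or (p.proto == "tcp" and p.ack))
              and (not self.icmp_type or p.icmp_type == self.icmp_type))
        if not ok or self.port is None:
            return ok
        if p.dport is None:
            return False
        op, a = self.port[0], self.port[1]
        return {"range": a <= p.dport <= self.port[-1], "eq": p.dport == a,
                "neq": p.dport != a, "gt": p.dport > a, "lt": p.dport < a}[op]

def _take_addr(t: list, i: int) -> tuple:   # 'any' | 'host A' | 'A WILDCARD' | bare 'A'
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].count(".") == 3:
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1          # standard ACL without a wildcard

def parse_ace(line: str) -> Ace:
    """Accept 'access-list N ...' or a named-mode line '[seq] permit|deny ...'."""
    t = line.split()
    t = t[2:] if t[0] == "access-list" else t[1:] if t[0].isdigit() else t
    if t[1] in ("ip", "tcp", "udp", "icmp"):             # extended: proto src dst [...]
        src, i = _take_addr(t, 2)
        dst, i = _take_addr(t, i)
        ace = Ace(t[0], t[1], src, dst)
    else:                                                 # standard: source only
        src, i = _take_addr(t, 1)
        ace = Ace(t[0], "ip", src, ANY)
    while i < len(t):                                     # numeric ports only here
        if t[i] in ("eq", "gt", "lt", "neq"):
            ace.port, i = (t[i], int(t[i + 1])), i + 2
        elif t[i] == "range":
            ace.port, i = ("range", int(t[i + 1]), int(t[i + 2])), i + 3
        elif t[i] == "established":
            ace.established, i = True, i + 1
        elif ace.proto == "icmp":
            ace.icmp_type, i = t[i], i + 1
        else:
            raise ValueError(f"unsupported keyword {t[i]!r} in {line!r}")
    return ace

def evaluate(entries: list, p: Packet) -> str:
    for ace in entries:                 # top to bottom, first match wins
        if ace.matches(p):
            ace.hits += 1               # only the matching line bumps its counter
            return ace.action
    return "deny"                       # implicit deny: nothing matched

ACL_101 = [parse_ace(l) for l in (      # the page's ACL 101 lines (Section 6)
    "access-list 101 permit tcp 10.1.1.0 0.0.0.255 host 172.16.0.10 eq 80",
    "access-list 101 deny udp any host 8.8.8.8 eq 53",
    "access-list 101 permit icmp any any echo",
    "access-list 101 permit icmp any any echo-reply",
    "access-list 101 permit tcp any any established")]
SAMPLE = [                              # constructed packets
    Packet("tcp", "10.1.1.20", "172.16.0.10", dport=80),            # line 1: permit
    Packet("tcp", "10.1.1.20", "172.16.0.10", dport=443),           # nothing matches: deny
    Packet("udp", "10.1.1.20", "8.8.8.8", dport=53),                # line 2: deny
    Packet("icmp", "10.1.1.20", "172.16.0.10", icmp_type="echo"),   # line 3: permit
    Packet("tcp", "203.0.113.5", "10.1.1.20", dport=51000, ack=True),  # line 5: permit
    Packet("tcp", "203.0.113.5", "10.1.1.20", dport=22)]            # no ACK bit: deny

def run_samples() -> list:
    return [evaluate(ACL_101, p) for p in SAMPLE]
```

`run_samples()` returns permit, deny, deny, permit, permit, deny for the six packets, and afterwards the hit counters read 1, 1, 1, 0, 1: the two implicitly denied packets touched no line at all, which is exactly why `show access-lists` counters only tell you about traffic that matched something. The HTTPS packet to the server is dropped because the first line matches on `eq 80` only, and the inbound SYN to port 22 is dropped because `established` needs the ACK/RST bit that only a reply carries.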

7) Applying ACLs (Interface Direction Rules)

Direction is from perspective of interface.

  • in = packets entering router on that interface

  • out = packets leaving router on that interface

Example:

int g0/0
 ip access-group 101 in

8) Placement Rules (big test topic)

Standard ACLs → near destination
Why? They only classify by source, so near source could block too broadly.

Extended ACLs → near source
Why? You have granular control with source/destination + ports → filter early.

Never apply ACLs:

  • to the VLAN 1 SVI used for management (bad practice)

  • in the wrong direction (causes lock-out)


9) ACL Verification Commands

View all ACLs

show access-lists

View specific ACL

show access-lists 101

View interface ACL binding

show ip interface g0/0

View packet counters

show access-lists 101

(Counters increment only when matched → exam trick.)


10) Implicit Deny — Must Know

If no permit is matched → deny all automatically.

To allow all at end:

permit ip any any

11) Named ACL Editing

This is why named ACLs are preferred.

ip access-list extended BLOCK-HTTP
 10 deny tcp any any eq 80
 20 permit ip any any

Editing:

ip access-list extended BLOCK-HTTP
 no 10
 10 deny tcp any host 8.8.8.8 eq 80

You cannot “edit” numbered ACLs — only recreate them.


12) ACL Use Cases (CCNA-Level)

Traffic filtering

Block web access:

access-list 110 deny tcp any any eq 80

NAT “interesting traffic”

access-list 1 permit 10.1.0.0 0.0.255.255
ip nat inside source list 1 interface g0/0 overload

VTY (SSH/Telnet) restrictions

access-list 50 permit 10.30.0.0 0.0.0.255
line vty 0 4
 access-class 50 in

13) ACLs on SVIs (Layer 3 Switches)

Same syntax — applied to SVIs like router interfaces:

interface vlan 30
 ip access-group VLAN30-IN in

14) Exam Traps You Must Defend Against

  • Standard ACL placed near source = blocks too much

  • Using subnet mask instead of wildcard mask

  • Wrong direction (in vs out)

  • Implicit deny killing all traffic

  • Forgetting permit ip any any for “allow rest”

  • Placing “established” ACL incorrectly

  • Using hosts in wrong position (source vs destination)

Named ACLs — Concepts, Syntax, and Configuration

(Complete CCNA-level mastery)

1) What Makes Named ACLs Different?

Named ACLs were added to solve the biggest problem with numbered ACLs:

🔥 Numbered ACLs cannot be edited in place.

— You must delete and recreate them if you need to change one line.

Named ACLs fix that:

Named ACLs allow:

  • Line-by-line editing

  • Sequence numbers

  • Insert / reorder new entries

  • Remove specific lines

  • Better readability

  • Standard or Extended ACLs under one naming scheme


2) Types of Named ACLs

You must specify type when creating a named ACL:

ip access-list standard NAME
ip access-list extended NAME

The “ip access-list” keyword is what activates Named ACL mode.


3) Core Syntax Difference

Numbered ACL (old method)

access-list 10 permit 10.1.1.0 0.0.0.255
access-list 10 deny any

Flat list → no editing → must recreate.


Named ACL (new method)

You enter a sub-configuration mode:

ip access-list standard USERS
 permit 10.1.1.0 0.0.0.255
 deny any

Or for extended:

ip access-list extended FIREWALL-IN
 permit tcp any any eq 80
 deny ip any any

Key difference:

  • You see prompts:
    (config-std-nacl)# or (config-ext-nacl)#

  • Sequence numbers added automatically (10,20,30…)


4) Named ACL Configuration (Standard)

✔ Create:

ip access-list standard USERS
 permit 10.1.1.0 0.0.0.255
 deny any

✔ Add a new line:

ip access-list standard USERS
 5 deny host 10.1.1.50

✔ Delete a single entry:

ip access-list standard USERS
 no 20

✔ Show:

show access-lists USERS

5) Named ACL Configuration (Extended)

✔ Create:

ip access-list extended BLOCK-WEB
 deny tcp any any eq 80
 permit ip any any

✔ Add new line at top:

ip access-list extended BLOCK-WEB
 5 deny tcp any host 8.8.8.8 eq 80

✔ Delete only one line:

ip access-list extended BLOCK-WEB
 no 10

✔ Reorder (sequence numbering):

ip access-list resequence BLOCK-WEB 10 10

This renumbers: 10,20,30,…
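The editing rules of Sections 4 and 5 (automatic 10/20/30 numbering, insert by explicit sequence number, `no <seq>` removing one line, resequencing) are easy to model, and the model also shows why line order matters under first-match-wins. The Python below is an added example, not from the page or from Cisco IOS; it keeps a named ACL as entries sorted by sequence number and replays the BLOCK-WEB walkthrough above. The class and method names and the catch-all strings it recognises are assumptions for the illustration.

```python
# Added example (not from the page): a model of the named-ACL editing rules
# above. Entries live in sequence-number order, a bare permit/deny appends at
# the next multiple of 10, an explicit number inserts in place, 'no <seq>'
# removes one line, and resequence renumbers. Names and entries are constructed.
class NamedAcl:
    STEP = 10

    def __init__(self, name: str, kind: str):
        assert kind in ("standard", "extended")   # 'ip access-list standard|extended NAME'
        self.name, self.kind = name, kind
        self.entries: dict = {}                    # seq -> ACE text, kept sorted by seq

    def add(self, text: str, seq: "int | None" = None) -> int:
        """No seq: IOS appends at (highest seq + 10). Explicit seq: insert at
        that position; a seq already in use is rejected rather than overwritten."""
        if seq is None:
            seq = (max(self.entries) if self.entries else 0) + self.STEP
        if seq in self.entries:
            raise ValueError(f"sequence {seq} already used in {self.name}")
        self.entries[seq] = text
        self.entries = dict(sorted(self.entries.items()))
        return seq

    def remove(self, seq: int) -> None:
        """'no <seq>' deletes exactly one line; the others keep their numbers."""
        del self.entries[seq]

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """'ip access-list resequence NAME start step'."""
        self.entries = {start + n * step: text
                        for n, text in enumerate(self.entries.values())}

    def lines(self) -> list:
        return [f"{seq} {text}" for seq, text in self.entries.items()]

    def unreachable(self) -> list:
        """Sequence numbers after a catch-all line: first match wins, so they never fire."""
        catch_all = {"permit ip any any", "deny ip any any", "permit any", "deny any"}
        out, shadowed = [], False
        for seq, text in self.entries.items():
            if shadowed:
                out.append(seq)
            shadowed = shadowed or text in catch_all
        return out

    def running_config(self) -> list:
        return [f"ip access-list {self.kind} {self.name}"] + [" " + l for l in self.lines()]


def demo() -> tuple:
    """Replay Section 5 above: create BLOCK-WEB, insert at 5, 'no 10', resequence."""
    acl = NamedAcl("BLOCK-WEB", "extended")
    acl.add("deny tcp any any eq 80")                    # -> 10
    acl.add("permit ip any any")                         # -> 20
    acl.add("deny tcp any host 8.8.8.8 eq 80", seq=5)    # inserted at the top
    acl.remove(10)                                       # 'no 10'
    before = acl.lines()
    acl.resequence(10, 10)                               # 'ip access-list resequence BLOCK-WEB 10 10'
    return before, acl.lines()


if __name__ == "__main__":
    before, after = demo()
    print("\n".join(before), "--- after resequence ---", "\n".join(after), sep="\n")
```

Before resequencing the list reads `5 deny tcp any host 8.8.8.8 eq 80` then `20 permit ip any any`; afterwards the same two lines carry 10 and 20. `unreachable()` is the check worth keeping in mind when appending without a sequence number: anything added after a `permit ip any any` lands below it and can never match.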


6) Applying Named ACLs to Interfaces

Identical to numbered ACLs:

interface g0/0 ip access-group USERS in

Or:

interface g0/1 ip access-group BLOCK-WEB out

The ACL name replaces the number.


7) Why Named ACLs Are Preferred (Cisco Exam Logic)

1. Easy editing

— Add/remove one line without deleting the entire ACL.

2. Human-readable

— “BLOCK-TELNET-IN” tells you exactly what it does.

3. Resequencing possible

— This is an exam trick.
You can renumber (you cannot on numbered ACLs).

4. All modern deployments use named ACLs

— Especially on Catalyst L3 switches, routers, firewalls.


8) Named ACLs — FULL Syntax List (Exam Fast Sheet)

Create:

ip access-list standard <NAME>
ip access-list extended <NAME>

Inside mode:

permit <…>
deny <…>
remark <text>

Edit:

no <seq-number>
<new-seq> <permit/deny…>

Resequence:

ip access-list resequence <NAME> 10 10

Apply to interface:

ip access-group <NAME> in
ip access-group <NAME> out

9) Full Named ACL Example — Standard (Exam Style)

Create ACL:

ip access-list standard MGMT-ACCESS
 10 permit 10.30.0.0 0.0.0.255
 20 deny any

Apply to VTY:

line vty 0 4
 access-class MGMT-ACCESS in

10) Full Named ACL Example — Extended (Exam Style)

Create:

ip access-list extended BLOCK-SOCIAL
 10 deny tcp any any eq 443
 20 permit ip any any

Apply:

int g0/1
 ip access-group BLOCK-SOCIAL out

11) Exam Traps About Named ACLs

❌ Trap: Forgetting to specify “standard” or “extended”

Correct:

ip access-list extended NAME

❌ Trap: Trying to edit numbered ACLs

Not allowed.

❌ Trap: Forgetting sequence numbers

IOS adds them automatically, but you must remove them by number:

no 10

❌ Trap: Adding entries without going into ACL mode

This is:

access-list 101 ...

— that’s numbered, not named.
