Chapter 13 of 29
Wireless LAN Fundamentals and Basic WLAN Configuration
Cut the cord and see how wireless LANs integrate into the campus network, from RF basics to SSIDs, security settings, and controller-based deployments.
Where Wireless Fits in the Campus Network
Wireless in the Campus
A WLAN is not a separate magic network. It is another access method into the same Layer 2 and Layer 3 campus infrastructure you already know: VLANs, STP, and inter-VLAN routing.
Main Building Blocks
Three key pieces: wireless clients (stations), access points (APs) that bridge RF and Ethernet, and the wired distribution system of switches, routers, and controllers.
AP as a Bridge
An AP is like a Layer 2 bridge: on one side it speaks Wi‑Fi frames over radio; on the other side it carries Ethernet frames that still belong to VLANs.
VLAN Reminder
When a client joins a WLAN, it effectively joins a VLAN. That VLAN is then routed by your Layer 3 devices. Always ask: which VLAN does this SSID map to?
Central vs Local Switching
Local switching: the AP tags traffic into VLANs and sends it to the access switch. Centralized switching: the AP tunnels traffic to a WLAN controller, which drops it into the right VLAN.
RF Basics, Frequency Bands, Channels, and BSS
RF and Wi‑Fi Bands
WLANs use radio frequency to carry data. You mainly work with 2.4 GHz, 5 GHz, and increasingly 6 GHz bands in modern enterprise Wi‑Fi deployments.
2.4 GHz Traits
2.4 GHz offers longer range and wall penetration but only three practical non-overlapping channels (1, 6, 11) and more interference from other devices.
5 and 6 GHz Traits
5 GHz and 6 GHz provide more channels and capacity. 6 GHz (Wi‑Fi 6E/7) is newer and cleaner, ideal for high density and high throughput where regulators allow it.
Channels and Overlap
A channel is a slice of spectrum used by APs and clients. Overlapping channels interfere, so plan channel reuse carefully, especially in 2.4 GHz.
Basic Service Set (BSS)
A BSS is one AP’s coverage area plus its associated clients, identified by a BSSID (the radio MAC). Think of each BSS as a wireless cell on your floor plan.
SSIDs, WLANs, and How They Map to VLANs
What Is an SSID?
An SSID is the human-readable name of a Wi‑Fi network, like Campus-Student. APs advertise SSIDs in beacon frames so clients can see and join them.
What Is a WLAN on a Controller?
On Cisco controllers, a WLAN is a config object that includes the SSID, security settings, enable/disable state, and the interface/VLAN used on the wired side.
SSID to VLAN Mapping
You might map SSID Faculty-Secure to VLAN 10, Student-WiFi to VLAN 20, and Guest to VLAN 30, separating traffic into different broadcast domains.
Why It Matters
SSID is what users see, WLAN is how the controller implements it, and VLAN is the wired broadcast domain where the wireless client’s traffic ultimately lives.
Autonomous vs Controller-Based APs (WLC Concepts)
Autonomous APs
Autonomous APs are standalone: each AP is configured individually and handles RF, security, and VLAN bridging by itself. Fine for very small sites.
Controller-Based APs
Lightweight APs rely on a Wireless LAN Controller (WLC). They form CAPWAP tunnels, and the controller centralizes WLAN configs, security, and RF management.
Why Controllers Help
With a WLC, you define SSIDs and policies once and push them to many APs, gaining consistency, easier monitoring, and better scalability.
Key WLC Concepts
Remember CAPWAP, AP discovery/join, and AP groups or RF profiles. If you see these, you are dealing with controller-based (lightweight) APs, not autonomous.
Basic WLAN Configuration on a Cisco WLC (Conceptual Walkthrough)
Scenario Setup
Goal: create a secure Student-WiFi network on a WLC, with SSID Student-WiFi, VLAN 20, and WPA2-PSK security, then broadcast it from campus APs.
Step 1: Dynamic Interface
Create a dynamic interface Student_VLAN20 on the WLC, assign VLAN ID 20, an IP address, and a default gateway that points to the core switch SVI.
Step 2: Create the WLAN
Add a new WLAN: set profile name and SSID to Student-WiFi, choose a WLAN ID, and prepare to enable it once security is configured.
Step 3: Map to VLAN
In the WLAN settings, map Student-WiFi to the dynamic interface Student_VLAN20 so all its traffic is carried in VLAN 20 on the wired network.
Step 4–5: Security and APs
Configure WPA2-PSK with a strong passphrase, disable open access, then ensure the relevant AP group includes the Student-WiFi WLAN so APs broadcast it.
Wireless Security Fundamentals (Open, WPA2, WPA3, 802.1X)
Open Networks
Open WLANs use no Wi‑Fi layer encryption. Anyone can associate, and traffic over the air is unencrypted, even if a web captive portal is used.
WPA2-PSK (Personal)
WPA2-PSK uses a shared passphrase and AES-CCMP encryption. It is secure but hard to manage at scale because changing the key affects every client.
WPA2-Enterprise (802.1X)
WPA2-Enterprise uses 802.1X and a RADIUS server. Each user has their own credentials, enabling strong security and accountability in enterprise WLANs.
WPA3 Basics
WPA3-Personal uses SAE for better protection against password attacks; WPA3-Enterprise strengthens encryption and key management for corporate use.
Common Exam Cues
Open means no encryption; WPA2/AES is secure; 802.1X implies RADIUS. Hidden SSIDs and MAC filters provide only weak security and are mostly management tools.
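The cues in this section can be checked mechanically against a WLAN plan. The following Python function is an added example, not Cisco or course code: it audits SSID-to-VLAN mapping and security mode for each WLAN. The dictionary keys, the 16-character policy minimum, the RADIUS address and the passphrase are assumptions made for illustration; the VLANs and SSID names reuse this chapter's examples.

```python
import ipaddress

# Wired VLANs from this chapter's design exercise: VLAN ID -> (subnet, SVI gateway).
VLANS = {10: ("10.10.10.0/24", "10.10.10.1"),
         20: ("10.10.20.0/24", "10.10.20.1"),
         30: ("10.10.30.0/24", "10.10.30.1")}
MIN_PSK_LEN = 16  # assumed local policy; WPA2 itself only requires 8-63 characters

def audit_wlans(wlans, vlans=VLANS):
    """Return sorted (ssid, finding) pairs for a list of WLAN definitions."""
    findings, vlan_users = [], {}
    for w in wlans:
        ssid, mode = w["ssid"], w["security"]
        if w["vlan"] not in vlans:
            findings.append((ssid, "maps to undefined VLAN %d" % w["vlan"]))
        else:
            subnet, gw = vlans[w["vlan"]]
            if ipaddress.ip_address(gw) not in ipaddress.ip_network(subnet):
                findings.append((ssid, "gateway outside VLAN subnet"))
            vlan_users.setdefault(w["vlan"], []).append(ssid)
        if mode == "open":
            findings.append((ssid, "open: no Wi-Fi layer encryption"))
            if w.get("hidden") or w.get("mac_filter"):
                findings.append((ssid, "hidden SSID/MAC filter is not encryption"))
        elif mode == "wpa2-psk":
            psk = w.get("psk", "")
            if not 8 <= len(psk) <= 63:
                findings.append((ssid, "PSK length must be 8-63 characters"))
            elif len(psk) < MIN_PSK_LEN:
                findings.append((ssid, "PSK shorter than policy minimum"))
        elif mode == "wpa2-enterprise" and not w.get("radius"):
            findings.append((ssid, "802.1X selected but no RADIUS server set"))
    for vlan, ssids in vlan_users.items():
        if len(ssids) > 1:  # two SSIDs in one broadcast domain
            for ssid in ssids:
                findings.append((ssid, "shares VLAN %d with another SSID" % vlan))
    return sorted(findings)

# Constructed sample plan with deliberate mistakes (RADIUS address and PSK are made up).
PLAN = [
    {"ssid": "Faculty-Secure", "vlan": 10, "security": "wpa2-enterprise",
     "radius": "10.10.10.50"},
    {"ssid": "Student-WiFi", "vlan": 20, "security": "wpa2-psk", "psk": "campus2024"},
    {"ssid": "Guest", "vlan": 20, "security": "open", "hidden": True},
]

if __name__ == "__main__":
    for ssid, finding in audit_wlans(PLAN):
        print(f"{ssid}: {finding}")
```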
Roaming, Coverage, and Channel Planning
Coverage and Overlap
Each AP forms a wireless cell. Cells should overlap moderately so clients can move between APs without hitting dead zones or dropping connections.
Roaming Basics
Roaming is decided by the client, which measures signals from APs using the same SSID and security, then re-associates to a better AP as it moves.
Channel Planning
Reuse channels on APs that are far apart, and avoid placing neighboring APs on the same channel. In 2.4 GHz, channels 1, 6, and 11 are the standard non-overlapping set.
Power and RF Management
Excessive AP power increases interference and sticky clients. Controllers often auto-tune channels and power to balance coverage and performance.
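The channel-planning rule above, as an added example that is not part of the original course material: Python code that finds neighboring APs on overlapping 2.4 GHz channels and assigns channels 1, 6 and 11 so that no two neighbors overlap. The AP names, the neighbor map and the starting plan are constructed, and the neighbor map is assumed to be symmetric.

```python
CHANNELS = (1, 6, 11)  # the non-overlapping 2.4 GHz set

def overlaps(a, b):
    """2.4 GHz channel centers are 5 MHz apart and a channel is about 20 MHz
    wide, so two channels fewer than 5 numbers apart overlap."""
    return abs(a - b) < 5

def conflicts(plan, neighbors):
    """Return sorted pairs of neighboring APs whose channels overlap."""
    bad = set()
    for ap, near in neighbors.items():
        for other in near:
            if overlaps(plan[ap], plan[other]):
                bad.add(tuple(sorted((ap, other))))
    return sorted(bad)

def assign(neighbors, plan=None):
    """Backtracking assignment of 1/6/11; returns None if no valid plan exists."""
    plan = dict(plan or {})
    todo = [ap for ap in sorted(neighbors) if ap not in plan]
    if not todo:
        return plan
    ap = todo[0]
    for ch in CHANNELS:
        if all(n not in plan or not overlaps(ch, plan[n]) for n in neighbors[ap]):
            result = assign(neighbors, {**plan, ap: ch})
            if result is not None:
                return result
    return None

# Constructed floor: which APs can hear each other (symmetric by assumption).
FLOOR = {"AP1": ["AP2", "AP3"], "AP2": ["AP1", "AP3"],
         "AP3": ["AP1", "AP2", "AP4"], "AP4": ["AP3"]}
# Constructed starting plan with co-channel and adjacent-channel neighbors.
BAD_PLAN = {"AP1": 1, "AP2": 3, "AP3": 6, "AP4": 6}

if __name__ == "__main__":
    print("conflicts:", conflicts(BAD_PLAN, FLOOR))
    print("new plan:", assign(FLOOR))
```

`assign` returns `None` when more than three APs can all hear one another, which is the case where lowering transmit power or moving clients to 5 GHz is needed rather than another 2.4 GHz channel.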
Thought Exercise: Map This Wireless Design
Work through this mental design exercise to connect WLAN concepts back to VLANs and routing.
Scenario
You are designing wireless for a small campus building with three user groups:
- Staff
- Students
- Guests
Your wired network already has:
- VLAN 10: Staff (10.10.10.0/24)
- VLAN 20: Students (10.10.20.0/24)
- VLAN 30: Guests (10.10.30.0/24)
A core Layer 3 switch provides SVIs and routing:
- VLAN 10 SVI: 10.10.10.1 (staff default gateway)
- VLAN 20 SVI: 10.10.20.1 (student default gateway)
- VLAN 30 SVI: 10.10.30.1 (guest default gateway)
You have a Cisco WLC with several lightweight APs.
Your task
Without writing commands, answer these questions in your own words (say them out loud or jot them down):
- SSID design
  - What SSIDs would you create for each group? Would you combine any, or keep them separate? Why?
- SSID-to-VLAN mapping
  - For each SSID, which VLAN on the wired network should it map to? How will you configure this on the WLC conceptually?
- Security choices
  - Which security type would you use for:
    - Staff (most sensitive)
    - Students (many users, still internal)
    - Guests (untrusted)
  - Briefly justify each choice.
- Routing and default gateway
  - When a wireless guest connects, where is their default gateway? How does their traffic reach the internet?
- Roaming and RF
  - How will you ensure that a staff member can walk across the floor on a voice call without dropping it? Mention cell overlap and channel planning.
After you reason through your answers, compare them mentally against the principles you learned: SSID/VLAN mapping, WPA2/WPA3 choices, and roaming behavior.
Quiz 1: Core WLAN Concepts
Answer this question to check your understanding of basic wireless concepts.
Which statement best describes the relationship between an SSID, a WLAN, and a VLAN on a Cisco wireless LAN controller?
- A) The SSID and VLAN are the same thing, and the WLAN is only used for security settings.
- B) An SSID is a name users see; a WLAN is the controller configuration that defines that SSID and its policies; the WLAN is then mapped to a VLAN on the wired network.
- C) A VLAN is only used on wired networks, so wireless SSIDs never map to VLANs.
- D) The WLAN is the radio channel, the SSID is the encryption method, and the VLAN is the IP subnet.
Answer: B) An SSID is a name users see; a WLAN is the controller configuration that defines that SSID and its policies; the WLAN is then mapped to a VLAN on the wired network.
On a Cisco WLC, the SSID is the user-visible network name. The WLAN is the configuration object on the controller that defines the SSID, security, and other policies. That WLAN is mapped to a dynamic interface that tags traffic into a specific VLAN on the wired network.
Quiz 2: AP Deployment and Security
Check your understanding of controller-based APs and security options.
You are reviewing a campus WLAN design. All APs form CAPWAP tunnels to a central controller. The 'CorpSecure' SSID uses WPA2 with 802.1X authentication against a RADIUS server. Which of the following is TRUE?
- A) The APs are autonomous, and CorpSecure is using open authentication.
- B) The APs are lightweight, and CorpSecure is using WPA2-Enterprise security.
- C) The APs are autonomous, and CorpSecure is using WPA2-PSK security.
- D) The APs are lightweight, and CorpSecure is using WEP with MAC filtering.
Answer: B) The APs are lightweight, and CorpSecure is using WPA2-Enterprise security.
CAPWAP tunnels indicate a controller-based (lightweight) deployment. WPA2 with 802.1X and a RADIUS server is WPA2-Enterprise, providing per-user authentication. Autonomous APs would not use CAPWAP, and WEP/open/MAC filter options do not match the description.
Key Wireless Terms Review
Flip through these flashcards to reinforce key WLAN terminology for the CCNA exam.
- SSID (Service Set Identifier)
  - The human-readable name of a wireless network, advertised by APs in beacon frames and selected by clients when joining a WLAN.
- Basic Service Set (BSS)
  - One AP’s wireless coverage area plus the clients associated to it, identified by a unique BSSID (the AP radio’s MAC address).
- BSSID
  - The MAC address of an AP’s radio interface that uniquely identifies a Basic Service Set (BSS).
- Lightweight AP
  - An access point that relies on a Wireless LAN Controller, using CAPWAP to offload configuration, control, and often data forwarding.
- Autonomous AP
  - A standalone access point that is configured individually and performs RF, security, and VLAN bridging functions locally without a central controller.
- CAPWAP
  - Control and Provisioning of Wireless Access Points, a UDP-based protocol used between lightweight APs and a wireless LAN controller for control and often data tunneling.
- WLAN (on a Cisco controller)
  - A configuration object that defines an SSID, its security settings, enable/disable state, and the interface/VLAN used on the wired side.
- WPA2-PSK (Personal)
  - A Wi‑Fi security mode where all clients share a pre-shared key and use AES-CCMP encryption to protect traffic.
- WPA2-Enterprise
  - A Wi‑Fi security mode that uses 802.1X and a RADIUS server to provide per-user authentication and strong encryption, common in enterprise WLANs.
- Roaming
  - The process by which a wireless client moves its association from one AP to another while maintaining network connectivity, typically driven by the client’s signal assessments.
Key Terms
- SSID
  - Service Set Identifier; the human-readable name of a wireless network that clients see and select.
- WPA3
  - The successor to WPA2, improving password security and encryption; available in Personal (SAE) and Enterprise variants.
- BSSID
  - The MAC address that uniquely identifies an AP radio and its Basic Service Set.
- CAPWAP
  - Control and Provisioning of Wireless Access Points; a tunneling and control protocol between lightweight APs and a WLC.
- Channel
  - A specific frequency range within a Wi‑Fi band used by APs and clients to communicate.
- Roaming
  - A client’s transition from one AP to another while maintaining its network session.
- WPA2-PSK
  - Wi‑Fi Protected Access 2 using a pre-shared key for all clients, with AES-CCMP encryption.
- 5 GHz band
  - Wi‑Fi frequency range around 5 GHz with more channels and higher capacity than 2.4 GHz.
- 6 GHz band
  - Newer Wi‑Fi frequency range used by Wi‑Fi 6E and 7, offering many clean, wide channels where regulators permit its use.
- 2.4 GHz band
  - Wi‑Fi frequency range around 2.4 GHz with limited non-overlapping channels and longer range.
- Autonomous AP
  - A standalone access point that is configured individually and performs all wireless and bridging functions locally.
- Lightweight AP
  - An access point that depends on a wireless LAN controller and uses CAPWAP for control and often data tunneling.
- WPA2-Enterprise
  - Wi‑Fi Protected Access 2 using 802.1X authentication and a RADIUS server, with per-user credentials and strong encryption.
- Basic Service Set (BSS)
  - One AP’s wireless coverage area plus its associated clients, identified by a unique BSSID (radio MAC address).
- WLAN (controller context)
  - A configuration object on a WLC that defines an SSID, its security, and its mapping to a wired interface/VLAN.
- Wireless LAN Controller (WLC)
  - A device that centralizes configuration, security, RF management, and client control for multiple lightweight access points.