Cisco Support Community

New Member

how AP + L2 + L3 + WLC switch communicates ?


I have some confusion; if someone can help me, it will be appreciated.

We have 50 APs (Cisco 1130AG), which connect to a Cisco 2900 series L2 switch. The L2 switch is connected to an L3 switch, and we have 30 VLANs. I have put all APs in a single VLAN named 11. On the WLC we have 3 WLANs created: 1. sales 2. accounts 3. CC. Sales has 254 IPs, accounts has 254 IPs, CC has 254 IPs. A client is authenticated and connected to the sales WLAN. When a client broadcasts, will it broadcast to the entire network where VLAN 11 is allowed on the trunk port of the L2 switch?



Cisco Employee

Re: how AP + L2 + L3 + WLC switch communicates ?

Hi AS,

Assuming that your APs are in the default mode, local, here's the general idea on packet flow.

When in local mode, the APs tunnel all of their traffic to and from the controller through a CAPWAP or LWAPP tunnel.

The key concept to remember is that while the APs are in local mode, the controller is the wireless clients' IP point of presence to the wired network.

Here's an example:

Controller's mgmt interface is on vlan 1, (configured as untagged)

An AP associated with the controller is also on vlan 1,

The controller has dynamic interfaces configured associated with vlan 2 and vlan 3:



The controller has these ssid's:

ssid2, mapped to vlan 2

ssid3, mapped to vlan 3

The controller's port is connected to a switch port, which is trunking for vlans 1, 2 and 3, with vlan 1 as the native vlan (untagged by Cisco switches)

The AP by default advertises both of these wlans (ssid's).

A wireless client authenticates to ssid2, and gets an IP address via dhcp,

From the wireless client, you are able to successfully ping the router on the other end of the controller's trunk, which is

So how does this work?

1) the client sends the packet wirelessly

2) the ap processes the packet, which is associated with ssid2

3) the ap encapsulates the packet in a lwapp or capwap header, and sends it to the controller

4) the controller gets the packet, notes that it is part of ssid2, which is mapped to vlan2

5) the controller strips off the lwapp/capwap header, adds an 802.1q tag for vlan 2, and sends it to the switch

As far as the switch knows, this packet may have come from a wired client.  At this point it's just another ethernet frame tagged for vlan2.

If the client wants to ping a wired host on vlan 3?  Same thing, except routing will occur.  Assuming that the wlan2 client got assigned the correct default gateway (keep in mind that this is the router, and not the controller's vlan2 interface), the process will be the same.

The router will get the packet being none the wiser where it came from.  He'll see the destination mac is for his interface, destination ip is off of vlan3, routes it.

Now, the other mode for APs is H-REAP.  This causes the APs to treat packets put onto the wire as if they were a Layer 2 switch.  No tunneling to the controller happens.  The AP's switch port should be configured as if the AP is a switch (usually trunking).

In the same scenario as above, when the AP gets the wlan2 packet, he takes care of tagging it for vlan 2 and putting it on the wire.
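
The local-mode steps in the reply above, traced in Python for one client broadcast. This is an added example, not part of the original post and not Cisco code. The tunnel header is a toy stand-in for LWAPP/CAPWAP (not the real wire format), and the MAC addresses and function names are constructed for illustration.

```python
import struct

SSID_TO_VLAN = {"ssid2": 2, "ssid3": 3}     # mapping from the reply's example
TOY_TUNNEL_ETHERTYPE = 0x88B5               # IEEE local-experimental EtherType (assumption)
BROADCAST = b"\xff" * 6
AP_MAC = bytes.fromhex("020000000001")      # constructed, locally administered
WLC_MAC = bytes.fromhex("020000000002")     # constructed
CLIENT_MAC = bytes.fromhex("020000000a01")  # constructed


def eth(dst, src, ethertype, payload):
    """Build an untagged Ethernet II frame."""
    return dst + src + struct.pack("!H", ethertype) + payload


def ap_encapsulate(ssid, client_frame):
    """Step 3: the AP wraps the client's frame and unicasts it to the controller."""
    name = ssid.encode()
    toy_header = bytes([len(name)]) + name  # toy header: SSID length + SSID
    return eth(WLC_MAC, AP_MAC, TOY_TUNNEL_ETHERTYPE, toy_header + client_frame)


def wlc_bridge(outer_frame):
    """Steps 4-5: strip the tunnel header, map SSID to VLAN, add the 802.1Q tag."""
    body = outer_frame[14:]                 # drop the outer Ethernet header
    n = body[0]
    ssid, inner = body[1:1 + n].decode(), body[1 + n:]
    if ssid not in SSID_TO_VLAN:
        raise ValueError(f"no interface mapped for SSID {ssid!r}")
    tag = struct.pack("!HH", 0x8100, SSID_TO_VLAN[ssid])  # TPID + TCI (PCP 0, VID)
    return inner[:12] + tag + inner[12:]    # tag goes after dst and src MAC


def describe(frame):
    """Return (destination MAC, VLAN ID or None) for a frame on the wire."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return frame[:6], (tci & 0x0FFF if tpid == 0x8100 else None)


def trace_broadcast(ssid):
    """Follow one client ARP broadcast from the AP uplink to the controller trunk."""
    arp = eth(BROADCAST, CLIENT_MAC, 0x0806, bytes(28))
    on_ap_vlan = ap_encapsulate(ssid, arp)
    on_trunk = wlc_bridge(on_ap_vlan)
    return describe(on_ap_vlan), describe(on_trunk)
```

On the AP's VLAN the frame is a unicast to the controller with no tag; the client's broadcast only becomes a broadcast on the wire after the controller tags it for the VLAN mapped to the SSID.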

New Member

Re: how AP + L2 + L3 + WLC switch communicates ?


Jeff, I appreciate the information.  Can you further your explanation by + Radius authentication?  and/or do you know of any pictorial representations that show the process flow for the original inquiry with authentication? (e.g. AP + L2 + L3 + WLC + Radius Server).