3 Steps to Tuning a Cisco WLAN Controller From Default Settings

When I asked a few Cisco Wireless Consulting Systems Engineers if they’d ever trust a controller’s default config for any type of AP deployment beyond 1 or 2 AP’s, the typical answer (when they stopped laughing) was <expletive> NO.

Of course I anticipated that answer and was prepared with a follow up: Okay what would you change? Now the answers to that were harder to get. Most said “well there’s too many variables,” or “every deployment is different.”

I was ready for that response, too. What’s the same with ALL deployments? Here’s a brief transcript:

Them: Are there VoIP clients?
Me: Let’s assume no, for now.

Them: What about 802.11b?
Me: No support.

Them: What about legacy devices?
Me: Nope. No legacy devices.

Them: What deployment style?
Me: Let’s use the 80/20 rule. 80% of deployments will be pervasive wireless network in common open environments where AP’s are deployed approximately 60ft-80ft or coverage areas of 3000-5000 sq/ft per AP. Let’s not focus on the interesting things that come with warehouses or outdoor environments.

Then I got answers. Here’s a consolidation of their suggestions. It’s 3 simple steps.


  • Your radios will be brought down during this procedure!
  • Know before you go:  If you aren’t sure what something will do, it may be better to not do it until you do!

NOTE: Most of these screenshots were taken from AireOS controller code 7.2 or 7.4. All of these suggestions are applicable for 7.5 and 7.6.

Step 1: Tune Each SSID

  • Click on the WLANs tab at the top of the page. This will show your SSID’s.
  • You select an SSID by clicking on the blue WLAN ID number to the left of the Profile Name.

  • Now click on Security.
  • Make sure that WPA2 with AES encryption is selected. (TKIP does not support 11n data rates. Only AES!)
  • If you must support WPA (like, something doesn’t work that needs to when it’s disabled) make sure you use WPA + TKIP and WPA2 + AES. Do NOT just select everything.
  • Now click on Advanced

  • Turn on BandSelect; it is off by default. It is not necessary for WLANs with latency-sensitive clients such as VoIP clients.
  • Some notes on this tab:
    • AAA Override will allow ISE (or another RADIUS server that supports it) to change VLAN or QoS queue based on authentication.
    • Client Exclusion is a nice security feature to protect against duplicate IP’s or brute force attacks. Sometimes you may need to turn this off for troubleshooting. 60 seconds is a good Timeout Value to set.

Step 2: Tune the RF settings

  • First, in 2.4 GHz (802.11b/g/n)
  • Click the WIRELESS top tab
  • Click the BOLD 802.11b/g/n Network Left Hand Tab

  • Disable Network Status
  • Disable 1, 2, 5.5, 6, 9 and 11. This way no 11b data rates are supported.
  • Change 12 to mandatory.
  • Everything else change to supported.

A note about mandatory data rates: management frames are sent out at the lowest mandatory rate, and multicast/broadcast frames are sent out at the highest mandatory rate. A client must at least have the ability to do the mandatory data rates.

It is the client device’s responsibility to determine WHEN to roam and which AP to roam TO. A client will NEVER even try to roam until it reaches the LOWEST mandatory data rate!

  • Within 802.11b/g/n click on RRM > Dynamic Channel Assignment (DCA)

  • Check Avoid Persistent Non-WiFi Interference
  • Check EDRRM
  • Within 802.11b/g/n click on CleanAir

  • Enable CleanAir (this MAY already be checked)
  • Re-Enable the 802.11b/g/n radio under the 802.11b/g/n > Network left hand tab
  • Now for the RF settings in 5 GHz (802.11a/n/ac)

  • Up top click on Wireless, next on the left click on the Bold 802.11a/n/ac, then select Network.
    • Uncheck 802.11a Network Status to disable it, as we will be making changes that require it to be turned off
    • Disable 6 Mbps
    • Disable 9 Mbps
    • Ensure 12 Mbps is Mandatory
    • Ensure 24 Mbps is Mandatory
    • Other data rates are Supported
  • Within 802.11a/n/ac click on RRM > Tx Power Control (TPC)
    • You have two options for RRM (Remote Radio Management).
      • Interference Optimal Mode (TPCv2) will optimize the radio to adjust power levels to detect and overcome external interference the AP discovers.
      • Coverage Optimal Mode (TPCv1) will optimize the radio to adjust its transmit power level based on the neighboring AP’s it discovers.
      • You can only have one mode selected. TPCv1 is the recommended mode to select. TPCv2 is discouraged unless you have an advanced understanding of networking.
      • If you are interested in using TPCv2, here is a link to a helpful document and the WLC Configuration Analyzer tool: https://supportforums.cisco.com/docs/DOC-1373
    • If the signal strength isn’t good enough across the entire network you can manually bump up the Power Threshold to -67 or more a little at a time, until RRM is properly tuned.
  • Within 802.11a/n/ac click on RRM > Dynamic Channel Assignment (DCA) and Event Driven RRM (EDRRM)

  • Check Avoid Persistent Non-WiFi Interference
  • Set Channel Width to 40 MHz
  • If you have the 802.11ac module you can set Channel Width to 80 MHz. This will also auto tune the 802.11n radios to 40 MHz.
  • Enable Event Driven RRM
  • Within 802.11a/n/ac click on CleanAir

  • Under the 802.11a/n/ac tab click on CleanAir
  • Top checkbox, Enable CleanAir
  • On Interferers to Detect add all
  • On Trap on these types under For Security Alarms add Jammer, WiFi Inverted, WiFi Invalid Channel
  • Re-Enable the 802.11a/n/ac radio under the 802.11a/n/ac > Network left hand tab
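
The data-rate baseline from Step 2, as an added example that is not part of the original post: a Python check that parses a rate listing, flags every rate whose state differs from the 2.4 GHz and 5 GHz settings above, and reports which mandatory rates management and multicast/broadcast frames will use. The sample listing is constructed and its line layout is an assumption; adjust the regular expression to your controller's actual output.

```python
import re

# Step 2 baseline from the post: (disabled, mandatory) rates in Mbps per band;
# every other rate is "supported".
BASELINE = {"2.4": ({1, 2, 5.5, 6, 9, 11}, {12}), "5": ({6, 9}, {12, 24})}

# Constructed sample (not captured from a device); the line layout is an
# assumption. 11 Mbps is still mandatory and 6 Mbps is still supported.
SAMPLE_24GHZ = """\
802.11b/g 1M Rate............................ Disabled
802.11b/g 2M Rate............................ Disabled
802.11b/g 5.5M Rate.......................... Disabled
802.11b/g 11M Rate........................... Mandatory
802.11g 6M Rate.............................. Supported
802.11g 9M Rate.............................. Disabled
802.11g 12M Rate............................. Mandatory
802.11g 18M Rate............................. Supported
802.11g 24M Rate............................. Supported
802.11g 36M Rate............................. Supported
802.11g 48M Rate............................. Supported
802.11g 54M Rate............................. Supported
"""

RATE_LINE = re.compile(r"(\d+(?:\.\d+)?)M Rate\.*\s*(Disabled|Supported|Mandatory)")

def parse_rates(text):
    """Return {rate_mbps: state} from lines such as '12M Rate.... Mandatory'."""
    return {float(m[1]): m[2].lower() for m in RATE_LINE.finditer(text)}

def expected_state(band, rate):
    disabled, mandatory = BASELINE[band]
    if rate in disabled:
        return "disabled"
    return "mandatory" if rate in mandatory else "supported"

def audit(band, rates):
    """Compare parsed rates with the baseline and report the frame rates."""
    findings = [f"{r:g} Mbps is {s}, baseline says {expected_state(band, r)}"
                for r, s in sorted(rates.items()) if s != expected_state(band, r)]
    mandatory = sorted(r for r, s in rates.items() if s == "mandatory")
    return {
        "findings": findings,
        # Per the post: management frames go out at the lowest mandatory rate,
        # multicast/broadcast frames at the highest.
        "mgmt_rate": mandatory[0] if mandatory else None,
        "mcast_rate": mandatory[-1] if mandatory else None,
    }

if __name__ == "__main__":
    print(audit("2.4", parse_rates(SAMPLE_24GHZ)))
```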

Step 3: Tune QoS

  • Click on the Wireless top tab, then QoS Left Hand Tab
  • For each QoS Profile, under Wired QoS Protocol, set Protocol Type to 802.1p. The default tag number is typically preferred.

And that’s it! While this is not an exhaustive tuning guide, it serves as a starting point for just about any deployment style. For an exhaustive list, web on over to Wireless LAN Controller (WLC) Configuration Best Practices.

Here’s a few other resources that may help.

26 Replies to “3 Steps to Tuning a Cisco WLAN Controller From Default Settings”

  1. Great post! Is there a reason why you have “Avoid foreign AP interference” unchecked within your DCA configuration?

  2. Great question Chuck! “Checked” is the default value for Avoid foreign AP interference. I wouldn’t recommend changing that unless an RF engineer or TAC suggests otherwise.

    1. Ok, thanks for the confirmation. Just wanted to make sure the default value (or school of thought) didn’t change in a later revision of code than what I’m running (7.4MR2).


  3. You actually want to modify the Platinum and Gold 802.1p values to platinum of 6 and gold of 5. These markings as far as my studies and tests have shown are in relation to the max WMM UP values that should be tagged at platinum and gold. The controller will auto mark the platinum at a COS value of 5 and gold at a COS value of 4.

  4. Jason, I just took a look and it appears that they have fixed the defaults. So by default they are now tagged at gold – 5 and platinum – 6. I am not sure what code revision they corrected this, must have been post 7.3. Anyways nevermind your guide is correct.

    1. Hey Paul great question. I love the IOS XE controller software. As you know it’s designed to support the Converged Access deployment model. Although the examples I give are on the AireOS controllers, the tuning suggestions are the same:

      1) Tune the SSID’s (security, features, best practices),
      2) Tune the Radios (disable low data rates, enable CleanAir and tune RRM)
      3) Tune QoS (and enable AVC)

  5. Hey. Thanks for the post. I’m managing a big campus with 6k users every day. They are always complaining about the performance of network, even with Cisco 1700 and 2700 AP’s deployed at 1Gbps.

    Although they use a lot Dropbox, Spotify, Youtube and other streaming app’s all the time. Is there any way to limit the throughput for these kind of services?!


    1. Hi there Bruno,

      Something often overlooked is even though the radios are capable of 1 Gbps connect speeds, the actual client throughput is determined by SNR (mix of signal strength vs interference), client capabilities, adjacent clients, apps in use, and a number of other factors, including design and configuration.

      Understanding that, yes, there is a way to limit throughput of certain applications. Using the AVC (Application Visibility and Control) features on the WLC you are able to identify certain applications in order to limit throughput, however that may cause more harm than good. The data is still there to send; decreasing their available bandwidth will just make them transmit for a longer period of time.

      Perhaps a better strategy is use AVC to identify critical applications and increase their priority.

  6. Hi Jason. Thank you so much for your help. I have a question and I will really appreciate if you can help me out. In the controller web interface within Wireless->802.11b/g/n(802.11a/n/ac)->Network there is a field called “RSSI Threshold (-60 to -90 dBm)”. What’s the difference between this and the field Power Threshold (-80 to -50 dBm) within Wireless->802.11b/g/n(802.11a/n/ac)->Network->TPC? Is the first one referring to the minimum value that the spectrum can have and the second one about the minimum power value an AP can detect another neighbor device? I’m a little confused.

    Thank you in advance.

    1. The two items you reference are very different. In the Network page the “RSSI Threshold” refers to the option above called RSSI Low Check. Basically if a client attempts to associate to an AP but its RSSI is lower than the RSSI Low Check Threshold, the AP will respond back with “bad conditions” and not allow it. I don’t commonly use this feature but it definitely has value for some installations.

      In Transmit Power Control (TPC) the Power Threshold is the dBm that neighboring AP’s want to hear an AP at. When an AP joins a controller it starts at power level 1. The power level is slowly lowered until its closest neighbors can hear it at whatever the threshold is set to.

  7. When tuning the WLC, what is the benefit to “24 Mbps is Mandatory”?

    From my understanding, you’re forcing a client to talk at a speed that isn’t critical. Wouldn’t it be better to make the lowest data rate mandatory and then all the rest optional?

    1. Regardless of the data rate a client is currently on, the data rate at which broadcasts, multicasts, and management frames go out depends on the highest and lowest data rates. As well, clients often don’t even consider roaming until they can no longer connect at the lowest mandatory data rate. By keeping it high, your clients will be better wi-fi citizens.

  8. Thanks for your quick response! OK, that confirms my understanding. The environment is designed for Hyperlocation in my opinion, and I want roaming to be optimal. Would it make sense to increase the RSSI low check around -78 to -75? I’m thinking this will encourage roaming, since it’s not possible to make a client roam.

  9. Hi Jason. Thank you so much for this thread. I have a question, I’m currently having a problem with a wireless LAN. They’re using a WLC 2504 with 24 Aironet 2700 series APs mapped to port 1 and as of now, the clients are having difficulty roaming from 1 access point to another. Specifically, when they are registered to one access point and decides to roam, they get locked out on that AP even though there are others “nearer”. We’ve monitored on how the APs behave on one client, and noticed that the APs detected have fluctuating RSSIs. On top of that, clients experience sudden drop on data rates. What could be the cause of this? We’ve noticed a few red flags but they’re currently just a hunch:
    1. We noticed a lot of rogue APs and clients; 324 and 16, respectively.
    2. There are too many APs mapped to port 1

    1. Hi Ramil,

      You can check the port your 2504 is plugged in to but I don’t think the roaming issue is related to too many AP’s mapped to a single port. I have seen this behavior as the result of either AP’s being too far from one another, excessive interference (depending on how big your deployment, that could be a LOT of rogue AP’s), or as the result of a bug. Client drivers make a big difference, too. I recommend making sure your client drivers are up to date and there are no roaming bugs filed against the code you’re running. You can always open a case with TAC.

      Good luck!


  10. Hi Jason ,

    This is still very relevant. However is there an updated version of this , or a version with regards to the newer versions of code (i.e 8.3 and or later) ?


  11. Great post, I have 8540 and a couple of 5520 controllers, and my avoid persistent Non-Wifi interference is unchecked. I just read in your post that it should be on by default, however all have the avoid non 802.11 a & b enabled. Should I go ahead and enable the avoid persistent non wifi even though I haven’t had any issues?
