Cisco WLAN Controller AP Modes – An Incomplete Guide

An Access Point, as defined by 802.11, can take a packet out of thin air and convert it to Ethernet and has the ability to do all the stuff it needs to do to make it all happen. That’s called an “Autonomous” or “Standalone” AP.

The standalone AP is great but it doesn’t scale very well. Then along came a way to scale better: the controller architecture (split-MAC, they called it) and the “lightweight” AP.

Important: It’s not dumb or thin, it’s lightweight, in the same way other protocols were written to a portion of the spec and called the “lightweight” variant of that protocol.
A lightweight AP only does the real-time stuff an “AP” is supposed to do and the controller does all the non-real-time stuff.

The glue that holds the AP to the controller is an IETF standard protocol called CAPWAP.

For this lightweight architecture, an AP grabs a packet out of thin air and then only does real-time stuff to it. Encryption/decryption is a good example of real-time stuff an AP does. It then takes that 802.11 packet, puts it into a CAPWAP envelope, and sends it to the controller.

The controller then converts the 802.11 packet to 802.3 (Ethernet), applies the correct policy, and puts it in the right VLAN.

This is the default operational mode of a lightweight AP and it’s called “Local Mode” which also can be called “Connected Mode”.

But what if you have a bunch of small branch offices with just a few AP’s each. You:

  1. don’t want the expense of controllers in each location (or the management burden) and you
  2. don’t want your print-job to go from your mobile device, all the way across your WAN, just to make a U-turn and come back across your WAN and print to a printer you’re physically 5 feet away from.


FlexConnect changes how packets are processed by allowing the AP to convert the 802.11 packet directly into Ethernet and place it on the VLAN that is trunked to the AP. This takes the controller out of the data path, even though the controller is responsible for firmware updates, configurations, RRM, and IPS. This default behavior of FlexConnect is called FlexConnect Local Switching.

Please keep in mind there are constraints you need to consider before using FlexConnect. See the Restrictions on FlexConnect section of the configuration guide.

Now for the “flex” in FlexConnect.

For some SSID’s you may want to change the data path.  For example maybe you want all your employee traffic to stay at a branch but you want your guest traffic to go back to the controller for inspection.

So for that SSID you can use FlexConnect Central Switching. For this SSID (WLAN), it will act like a Local Mode AP, but for other SSID’s (WLANs) it’s in Local Switching.

Data Path vs. Authenticators

The other thing to consider is where 802.1x RADIUS authentications will take place. By default FlexConnect uses central authentication; you can also select local authentication. These are FlexConnect options for how 802.1x authentication is done. Whether you select local or central switching, all 802.1x authentication is, by default, done by the controller.

So what if the controller goes away? Well then your 802.1x authenticator goes away. Unless you have local authentication configured.  If you select local authentication for your FlexConnect AP, then you need to configure your AP as a RADIUS authenticator, which includes telling your RADIUS server about that AP and setting up a RADIUS key.

For more information refer to the FlexConnect section of the Configuration Guide.  Here is the link if you’re using version 8.3 code.  To find the configuration guide for the code version you’re running, click here.

New FCC Rules for WiFi and AP Part Numbers

The FCC will begin enforcing order 14-30 that has a few requirements for WiFi systems sold after April 2016. This video describes how some Access Point part numbers will change, reflecting compliance with these new rules.

The 5 Major Features of @Cisco_Mobility HDX and How To Turn Them On

HDX is acronym speak for Cisco’s High Density Experience, which is marketing speak for a series of patented features that specifically address the challenges that stem from the ever growing number of WiFi clients and their need for more reliable, higher bandwidth network access.

The truth is in order to be WiFi Compliant, especially in the early days, certain things needed to happen by default. These default settings may have worked a few years ago but today, even though you’re using high-end AP’s and trusted code levels, you may be getting unacceptably poor performance. This is why I wrote up 3 Steps to Tuning a Cisco WLAN Controller From Default Settings. In just a few minutes of configuration time and a radio reset, you may experience exponential performance gains.

Tuning a WLAN controller only solves part of the problem.  This is especially true as your deployment begins to take on more clients, demanding more bandwidth. What kind of symptoms will you experience?

  • Clients are still in charge of deciding when and where to roam.
  • If you elect to use them, 802.11ac introduces larger channel widths meaning we’re more vulnerable to interference.
  • With WiFi only one client can talk at a time… it’s half duplex.  As clients get further from an AP they begin to talk slower to stay connected, leaving less time for fast clients to talk fast.
  • AP’s are getting closer together to accommodate more clients, and there are limited RF channels we can use.  Even with the newer FCC rule changes adding more available channels, it’s mostly good news for 11ac environments.

To solve these problems we need Optimized Roaming, CleanAir for 80 MHz Channels, ClientLink 3.0, Air Time Fairness, and Turbo Performance! Let’s dive in to what buttons to press, which options to check, and how to get it all working for us.

1. Optimized Roaming

What’s the problem: Client stickiness. The 802.11 standard says clients can roam. As such, it’s the client’s responsibility to decide when and where to roam… they just don’t do it very well. Normally the client will not even TRY to roam until it can no longer connect at the lowest mandatory data rate. This is why I recommend turning off the lower data rates, suited to your environment. We are preventing the client from being really bad, not promoting good behavior.

What it is: Optimized Roaming promotes good behavior. If the client’s data signal strength dips 6 dB the AP will send a disconnect message, prompting a roam. You can optionally set a minimum data rate. If the client tries to dip below the minimum, it’ll get a disconnect message, prompting another roam. Use caution here. If the client cannot connect at the minimum data rate, it won’t be able to connect at all.

How to turn it on:

  • Wireless > Advanced > Optimized Roaming
  • Check the Enable box in the 802.11a and 802.11b sections
  • Note you’ll get a warning: Modifying the default settings for the Optimized Roaming data rate and CHDM RSSI configurations could result in unintended client connectivity problems. Please be careful when making changes from the default settings
  • Reference from the 8.1 Configuration Guide

2. CleanAir for 80 MHz Channels

What’s the problem: It’s great that 802.11ac provides for greater bandwidth. It does that by using more spectrum: the channel is wider. More channel space means vulnerability to more interference. Interference is that invisible threat that decreases overall throughput, often presents during times of load, and is very difficult to troubleshoot.

What it is: CleanAir for 80 MHz Channels uses the built-in spectrum analysis of the Cisco AP to discover, identify, classify, and, most importantly, mitigate interference. Right away.

How to turn it on: CleanAir is OFF by default, so step one is Turn It On. It will automatically detect, identify, and classify. What we still need to turn on is 80 MHz channels and the Mitigate part of CleanAir. To do that, go to Wireless > 802.11a/n/ac > RRM > DCA. There, change the channel width to Best, and at the bottom make sure Event Driven RRM (ED-RRM) is Enabled. Note: By selecting the “Best” channel width, you are allowing the system to automatically back down the channel width if interference does not allow high performance at 80 MHz.

3. ClientLink 3.0

What’s the problem: As a client gets further from the AP, the signal strength from that AP gets weaker. As a result, because it’s not yet time to “roam,” it ends up lowering its data rate. It talks slower in order to stay connected. WiFi is a shared medium, meaning only one station (client or AP) can talk at a time. If a client is talking slow, there’s less time for the fast talkers to talk fast.

What it is: It’s fun with physics and it doesn’t need any client-side intelligence to work. So 802.11n introduced something called MIMO. It’s basically some fancy antenna technology that allows the AP to communicate with a client using multiple antennas at once. As seen in this 1 minute video called ClientLink at the Beach, when the transmissions from two or more antennas meet, they create a sweet spot of coverage. If your client is in that sweet spot, they’ll experience higher signal strength, and likely connect at a higher data rate. What it DOES is detect when the client is not in that sweet spot and start to manipulate the transmission timing on the multiple antennas, putting a sweet spot right on the client.

How to turn it on: It’s on by default and works with any WiFi client out there that supports 802.11 a/g/n/ac!

4. Air Time Fairness (ATF)

What’s the problem: Guest users can potentially take up their unfair share of bandwidth downloading app updates or movies, degrading your business related WiFi traffic. Per-user bandwidth contracts only go so far. Because clients connect at different speeds, simple rate limiting is not efficient for WiFi.

What it is: Cisco Air Time Fairness allows us to allocate an ability to consume bandwidth based on a defined group such as guests or smart phones. Regardless of a client’s connected data rate, it can only talk a certain percentage of the time.

How to turn it on: Since you need to identify your groups and allocations, it’s not on by default. It’s a good idea to run ATF in monitor mode to understand actual bandwidth usage by SSID, by AP, or by a group of AP’s. With that understanding, you can define and apply a policy.

  • Turn on ATF Monitor Mode

In the Wireless > ATF > Monitor Configuration menu select “Network.” Put a check next to 802.11a and 802.11b and click the enable button.

  • Configure ATF Policy

Here’s where a bit of planning helps. Remember that a policy is applied to an SSID, to an AP, or to an AP Group. First take a look at your actual Air Time allocation. Click on Wireless > ATF > ATF Statistics. Select an AP you want to see Air Time stats on. The top table shows you allocation over the last 3 minutes. The bottom table shows allocation as long as the radio has been up. Use this to determine the relative impact by enforcing “fairness.”

In the Wireless > ATF > Policy Configuration menu you will notice a policy ID 0 called “Default” with a weight of 10. This default cannot be changed, but don’t worry, you don’t need it to. Define all of the policy elements here. So if you want 75% employee allocation and 25% guest, you’d create 2 elements with appropriate weights. If you are building policies for multiple SSID’s or AP’s, just group them all together.

  • Apply the policy

Click on Wireless > ATF > Enforcement SSID Configuration. If you’ve followed the steps above, your radios will be in ATF Monitoring mode. Here is where you switch them to “Optimized” mode or “Strict” mode enforcement. As it sounds, Strict mode enforces hard limits. Optimized allows for spiking above the policy if possible.

In the Policy Enforcement section you specify an SSID and an ATF Policy ID to enforce.
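
A simplified model of the airtime arithmetic behind the steps above, added here as an illustration (it is not Cisco’s scheduler and not code from the original post). It shows why a per-user rate limit costs very different amounts of airtime at different data rates, and how a 75/25 weight split plays out under Strict and Optimized enforcement. The function names, the sample client rates, and the treatment of PHY rate as usable throughput are assumptions.

```python
# Simplified airtime model: an added illustration, not Cisco's ATF scheduler.
# PHY rate is treated as usable throughput (protocol overhead ignored).

def airtime_needed(offered_mbps, phy_rate_mbps):
    """Fraction of airtime needed to carry offered_mbps at a given PHY rate."""
    return offered_mbps / phy_rate_mbps

def weights_to_share(policies):
    """Convert ATF policy weights into fractional airtime shares."""
    total = sum(policies.values())
    return {name: weight / total for name, weight in policies.items()}

def allocate(policies, demand, mode="strict"):
    """Grant airtime per policy for one radio.

    strict:    a policy never exceeds its weighted share.
    optimized: airtime left unused by one policy is handed to policies
               that still have demand, in proportion to their weights.
    """
    share = weights_to_share(policies)
    grant = {p: min(demand[p], share[p]) for p in policies}
    if mode != "optimized":
        return grant
    hungry = {p for p in policies if demand[p] - grant[p] > 1e-9}
    spare = 1.0 - sum(grant.values())
    while spare > 1e-9 and hungry:
        wsum = sum(policies[p] for p in hungry)
        for p in hungry:
            grant[p] += min(spare * policies[p] / wsum, demand[p] - grant[p])
        hungry = {p for p in hungry if demand[p] - grant[p] > 1e-9}
        spare = 1.0 - sum(grant.values())
    return grant

# Constructed sample: the 75/25 employee/guest split from the text.
POLICIES = {"employee": 75, "guest": 25}
DEMAND = {
    # one employee moving 60 Mbps at a 300 Mbps PHY rate
    "employee": airtime_needed(60, 300),
    # two distant guests each pulling 4 Mbps at a 6 Mbps PHY rate
    "guest": 2 * airtime_needed(4, 6),
}

if __name__ == "__main__":
    # Same 2 Mbps rate limit, very different airtime cost:
    print("2 Mbps @ 6 Mbps PHY  :", round(airtime_needed(2, 6), 3))
    print("2 Mbps @ 300 Mbps PHY:", round(airtime_needed(2, 300), 3))
    for mode in ("strict", "optimized"):
        result = allocate(POLICIES, DEMAND, mode)
        print(mode, {p: round(g, 3) for p, g in result.items()})
```

In this constructed case the guests are held to 25% of airtime under Strict, and climb to 80% under Optimized only because the employee policy is using 20% of its 75% share.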

For a way more technical description check out the Cisco Air Time Fairness White Paper.

Cisco Air Time Fairness in the Configuration Guide

5. Turbo Performance

What’s the problem: As your network scales to many more devices with greater bandwidth needs, it won’t matter how fast we’re connected if we can’t process packets. With 802.11ac we’re processing nearly double the packets as with 802.11n! We could address this with a faster CPU but that’s an expensive upgrade.

What it is: Commodity hardware and chipsets need to have a central CPU to process packets. With Turbo Performance, Cisco dedicates CPU & RAM to each RADIO to perform packet processing at the edge. This is much more efficient than having a central processor do everything.

How to turn it on: You’re in luck! You have nothing to do to take advantage of this feature.

So this HDX… High Density Experience… is more than just marketing speak. It’s a set of patented technologies that show how hardware is just as important as software and something only Cisco can deliver.

  • Optimized Roaming
  • CleanAir for 80 MHz Channels
  • ClientLink 3.0
  • Air Time Fairness
  • Turbo Performance

For more information check out