LWAPP Mechanics (Cisco Wireless LAN Controllers) Part 1

To be able to find where an LWAPP-based system is failing, it is critical to understand how the underlying protocol works, because this lets you reduce the scope of investigation when a complex problem is reported.

This section covers two main parts:

■ LWAPP control path: Covers AP discovery, join, maintenance, and states in detail.

■ LWAPP data path: Covers client traffic, because this is closely related to wireless client states.

The discussion of the control path uses the LWAPP state machine as seen on APs and WLCs, which is a simplified view of the one found in the LWAPP draft. Figure 3-4 illustrates the LWAPP state machine.


Figure 3-4 LWAPP State Machine

Discovery Process

The discovery process forms part of the "hunting" state. It covers several steps, and you might see variations depending on the AP model and software version.

The idea is that the AP will do the following:

Step 1. Make a list: Obtain a list of possible destinations (WLCs) to send a discovery request.

Step 2. Send discovery: On each of the possible available methods (described in the list that follows), the AP will send a discovery request.

Step 3. Wait for answers: Collect the potential answers from the different methods used.

The conclusion of the discovery process is a list of potential destinations that will be passed down to join, after selecting the best candidate.

Discovery can use the following methods:

■ Local Broadcast Layer 2: Used on 10×0 and 1510 APs that support the LWAPP Layer 2 protocol.

■ Local Broadcast Layer 3: Supported by all APs, this discovery method uses UDP with destination

■ Option 43: Sent via Dynamic Host Configuration Protocol (DHCP) offer, it has a potential list of candidates (controller management IP addresses).

■ DNS: Taking the Domain Name System (DNS) servers from a DHCP offer or statically configured, the AP can try to resolve the CISCO-LWAPP-CONTROLLER hostname to obtain a list of the potential management IP addresses as destinations for a discovery request. The AP must have the correct domain name to properly query a DNS server. When using DHCP, this is Option 15. Without the proper domain name, the AP incorrectly queries for the fully qualified domain name (FQDN) CISCO-LWAPP-CONTROLLER. For example, if your DNS domain was company.com, the AP needs to query DNS for CISCO-LWAPP-CONTROLLER.company.com.

■ Previously known: The AP can "remember" up to 24 previously learned controllers and send discoveries to them. The AP will learn about any controllers from the mobility group configuration of the controller it is presently registered with. A single mobility group can contain up to 24 controllers.

Note APs do have a good memory. From the WLC graphical user interface (GUI), if you select Clear All Config from the Wireless > AP page, the AP still remembers the previously known controllers.

One way of making the AP forget all previously known controllers is to use the debug lwapp console cli command and then issue the erase /all nvram: command. The default username and password to access the AP CLI are "cisco" and "Cisco", respectively.

■ Statically configured from WLC: Beginning with Release 4.2, you can configure an IP address for the primary/secondary/tertiary controllers. Using this "priming" method, you can configure a WLC outside the present mobility group as a secondary/tertiary controller for the AP. Starting in Release 5.0, you can also configure global primary and secondary WLCs.

■ Over the Air Provisioning (OTAP): APs put the radios in "listening" mode to try to hear neighbor exchanges between nearby APs, learning a potential WLC destination IP address.

■ Statically configured from AP CLI: Accessing the AP CLI via the console port, you can configure the following static parameters:


Be aware that the ability to enter these static commands from the AP CLI is disabled after the AP has joined a WLC. You have to clear the AP's configuration to re-enable them.

Some of the discovery steps have dependencies. For example, you must obtain an IP address to be able to use LWAPP Layer 3 discovery. In addition, an AP will not use DNS if no DNS information is received in a DHCP offer or statically configured, so the actual steps the AP performs might change depending on the network configuration.

In the discovery request from the AP, an element identifies the discovery mechanism that the AP used to locate the controller. The value of the IE 58 parameter indicates the discovery type:

■ 0: broadcast (L2/L3)

■ 1: configured

■ 2: OTAP

■ 3: DHCP server

■ 4: DNS

Example 3-1 shows the output of debug lwapp packet enable from the WLC CLI for an AP that is trying to register with a WLC.

Example 3-1 debug lwapp packet enable Command Output


The IE 58 parameter value in Example 3-1 is 1, indicating that the AP was configured with this particular WLC management IP address.

The following sections discuss the LWAPP discovery methods in more detail.

Layer 2/Layer 3 Broadcast Discovery

With Layer 2 LWAPP discovery, the important fact to remember is that this is hardly ever used anymore and is LWAPP only. It is mentioned here because it is part of the LWAPP discovery process and can be seen in traces and debugs. It occurs on the same subnet as the AP and uses encapsulated Ethernet frames containing MAC addresses for communications between the AP and the controller. Only Cisco 1000 Series LAPs support Layer 2 LWAPP mode. Also, Layer 2 LWAPP mode is not supported on Cisco 2100 Series WLCs or Wireless Integrated Service Modules (WiSM). These WLCs support only Layer 3 LWAPP mode.

This is the first method that a LAP uses to discover a WLC. The LAPs that support Layer 2 LWAPP mode broadcast an LWAPP discovery request message in a Layer 2 LWAPP frame, as you saw in Figure 3-2. If there is a WLC in the network configured for Layer 2 LWAPP mode, the controller responds with a discovery response. The LAP then moves to the join phase of the LWAPP state machine.

The debug lwapp events enable command output shown in Example 3-2 shows the sequence of events that occur when a LAP using Layer 2 LWAPP mode registers with the WLC.

Example 3-2 debug lwapp events enable L2 Discovery


The next discovery mechanism, Layer 3 LWAPP discovery, occurs on different subnets from the AP and uses IP addresses and UDP packets rather than the MAC addresses used by Layer 2 discovery. This is the more common method and should be referred to as the standard.

Example 3-3 shows the output of debug lwapp events enable during a Layer 3 discovery by an AP.

Example 3-3 debug lwapp events enable L3 Discovery


DHCP Options 43 and 60

Any DHCP server can pass this option to an AP, including Cisco switches and routers.

When an AP requests an IP address from a DHCP server, the DHCP discover from the AP contains a Vendor Class Identifier (VCI). If the DHCP server has Option 60 and 43 correctly configured, the DHCP offer includes one or more IP addresses for the management interface of one or more WLCs. Option 60 on the DHCP server is configured to correspond to the VCI string of the AP model that you are using. When the DHCP server receives a DHCP discover or request from an AP with the correct VCI string matching that of Option 60, it knows to return Option 43, which is the WLC management IP address, to the AP in the DHCP offer.

Although you can use pretty much any DHCP server for this discovery method, you will learn here how to set up Option 60 and Option 43 using a Cisco switch as the DHCP server. For more DHCP server configurations, please see Cisco Document ID 97066, "DHCP OPTION 43 for Lightweight Cisco Aironet Access Points Configuration Example" at Cisco.com.

The Cisco 1000 Series APs use a string format for DHCP Option 43, whereas the Aironet APs use the type, length, value (TLV) format for DHCP Option 43. DHCP servers must be programmed to return the option based on the AP DHCP VCI string (DHCP Option 60). Table 3-2 lists the VCI strings for Cisco APs that can operate in lightweight mode.

The format of the TLV block is as follows:

■ Type: 0xf1 (decimal 241).

■ Length: Number of controller IP addresses * 4 (number of octets).

■ Value: List of WLC management interfaces. Remember that this is the IP address of the management interface, not the AP-Manager IP address.

Example 3-4 shows how to configure DHCP Option 43 and 60 on a Cisco IOS switch for a 1240 series AP. Without configuring Option 60, the DHCP server would never pass Option 43 to the AP. Look at Option 60 as a condition. If the device requesting an IP address is this type of device, the DHCP offer will include the IP address in the Option 43 field.

Table 3-2 Cisco AP VCI Strings

| Access Point | Vendor Class Identifier | Option 43 Format |
|---|---|---|
| Cisco Aironet 1000 Series | | |
| Cisco Aironet 1100 Series | Cisco AP c1100 | |
| Cisco Aironet 1130 Series | Cisco AP c1130 | |
| Cisco Aironet 1200 Series | Cisco AP c1200 | |
| Cisco Aironet 1240 Series | Cisco AP c1240 | |
| Cisco Aironet 1250 Series | Cisco AP c1250 | |
| Cisco Aironet 1300 Series | Cisco AP c1300 | |
| Cisco Aironet 1500 Series | Cisco AP c1500 [1]; Cisco AP.OAP1500 [2]; Cisco AP.LAP1505 [3]; Cisco AP.LAP1510 [4]; Cisco AP c1520; Airespace.AP1200 [5] | ascii for 1500, hex for 1520 |
| Cisco 3201 Lightweight Access Point | Cisco AP C3201 WMIC [6] | |
| AP801 (embedded in 86x/88x series ISRs [7]) | Cisco AP 801 | |

[1] Any 1500 Series AP running 4.1 software
[2] 1500 OAP AP running 4.0 software
[3] 1505 Model AP running 4.0 software
[4] 1510 Model AP running 4.0 software
[5] Any 1500 Series AP running 3.2 software
[6] WMIC = Wireless Mobile Interface Card
[7] ISR = Integrated Services Router

Example 3-4 Cisco IOS Switch DHCP Option 60 and 43 Example


In this example, DHCP Option 60 is correctly using the VCI string for the 1240 series AP. The Option 43 line is the TLV. As you can see, the Type is F1, the Length indicates 1 WLC IP address (1 x 4 = 04), and Value is the WLC management IP converted to hex, c0a80605. The WLC IP is

Note The Cisco IOS DHCP servers allow only one Option 43 definition. This means you can have only one device type for each DHCP address pool, so only one AP type can be supported for each DHCP address pool.
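The TLV layout described above can be checked mechanically before a value goes into a DHCP pool. The following Python is an added example, not code from the original text or from Cisco: it builds and parses the Option 43 hex string and reports any decoded controller that is not on an approved list. The function names and the 192.0.2.x addresses are constructed for illustration.

```python
import ipaddress
import re

OPTION43_TYPE = 0xF1  # TLV type the page gives for Aironet APs (decimal 241)


def encode_option43(controllers):
    """Build the Option 43 TLV hex string for a list of WLC management IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    value = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(value) > 255:
        raise ValueError("length field is a single octet")
    return (bytes([OPTION43_TYPE, len(value)]) + value).hex()


def decode_option43(hex_string):
    """Parse an Option 43 hex string and return the controller addresses it carries."""
    # Accept separators (dots, colons, spaces) often used when hex is written out.
    cleaned = re.sub(r"[\s.:]", "", hex_string)
    try:
        raw = bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"not valid hex: {hex_string!r}") from exc
    if len(raw) < 2:
        raise ValueError("too short to hold type and length")
    tlv_type, length, value = raw[0], raw[1], raw[2:]
    if tlv_type != OPTION43_TYPE:
        raise ValueError(f"type is 0x{tlv_type:02x}, expected 0xf1")
    if length == 0 or length % 4:
        raise ValueError(f"length {length} is not a non-zero multiple of 4")
    if length != len(value):
        raise ValueError(f"length says {length} octets, value has {len(value)}")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def unexpected_controllers(hex_string, approved):
    """Hypothetical audit helper: decoded controllers missing from the approved set."""
    allowed = {str(ipaddress.IPv4Address(a)) for a in approved}
    return [ip for ip in decode_option43(hex_string) if ip not in allowed]


if __name__ == "__main__":
    print(decode_option43("f104c0a80605"))                 # TLV quoted on the page
    print(encode_option43(["192.0.2.10", "192.0.2.11"]))   # constructed addresses
```

Because Option 43 decides which controllers an AP sends discovery requests to, running the audit helper against each pool's configured value is a quick way to catch a mistyped or unapproved management address.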

You can configure DHCP servers to return WLC IP addresses in vendor-specific Option 43 in the DHCP offer to lightweight Cisco APs. When the AP gets an IP address through DHCP, the AP looks for WLC IP addresses in the Option 43 field in the DHCP offer. The AP sends a unicast LWAPP discovery message to each of the WLCs that are listed in DHCP Option 43. Each of the WLCs that receives the LWAPP discovery request message replies with a unicast LWAPP discovery response to the AP.

Figure 3-5 shows a DHCP request with Option 60 and the DHCP offer with Option 43.


Figure 3-5 DHCP with Option 60 and 43

In Figure 3-5, you can see both the DHCP discover (inset) from the AP and the DHCP offer from the switch. Notice the Option 60 VCI string in the DHCP discover packet.

Because the DHCP server received Option 60 from the AP, it returns Option 43 in hex. The AP converts this hex value to the IP address of
