WLC Initial Setup
Lab Objectives
- Initialize a Wireless LAN Controller (WLC) basic system settings: hostname and admin account.
- Configure the Management and AP-Manager interfaces with IP addressing so the WLC and Lightweight APs can be managed and can join.
- Verify the configuration and understand why separate interfaces are used in production.
Lab Tasks (Try It Yourself First!)
Complete these tasks WITHOUT looking at the solution below. Use ? and show commands to figure it out.
Task 1: Set WLC system identity and admin account
Configure the WLC hostname to WLC1 and create an administrative user account named admin with password Lab@123 and full privilege. Set the organization name to NHPREP (used as a label in GUI/system pages).
Task 2: Configure the Management interface
Assign the WLC Management interface the IP address 192.168.3.10/24 with default gateway 192.168.3.1 on VLAN 30 (Management). This address is used for device management (GUI/SSH) and data-plane control traffic from the network.
Task 3: Configure the AP-Manager interface
Assign the AP-Manager interface the IP address 192.168.3.11/24 on VLAN 30. This address is used for AP discovery/joins and CAPWAP tunnels in many deployments.
Think About It: Why should AP-Manager often be a separate interface (or at least a separate IP) from the Management interface? How does separating these roles improve stability and security in a production wireless network?
Lab Solution
ASCII topology (use this EXACT BASE TOPOLOGY). All interface IPs shown are exact from the lab IP scheme.
[Internet]
203.0.113.1
|
R1 (Gateway)
Gi0/0: 10.10.10.1
Gi0/1: 10.10.20.1
Gi0/2: 10.10.30.1
/ | \
R2 R3 R4
Gi0/0: 10.10.10.2 | Gi0/0: 10.10.30.2
Gi0/1: 10.10.40.1 |
/ \ |
S1 S2 S3
/ \ | /
PC1 PC2 PC3 PC4 PC5
|
WLC1
(connected to S3; Management VLAN 30: 192.168.3.0/24)
IP SCHEME (repeated for clarity)
- 10.10.10.0/24 — R1-R2 link
- 10.10.20.0/24 — R1-R3 link
- 10.10.30.0/24 — R1-R4 link
- 10.10.40.0/24 — R2-S1 link
- 192.168.1.0/24 — VLAN 10 (Sales)
- 192.168.2.0/24 — VLAN 20 (Engineering)
- 192.168.3.0/24 — VLAN 30 (Management)
- 203.0.113.0/24 — Public/Internet simulation
Task 1 Solution: Set WLC system identity and admin account
What we are doing: Give the controller a recognizable hostname and create an administrative account. This allows secure access (SSH/GUI) and identification in monitoring. The account uses the strong predefined password Lab@123, per lab convention.
config system hostname WLC1
config mgmtuser add admin Lab@123 15
config system organization NHPREP
save config
What just happened:
- config system hostname WLC1 — sets the device system name to WLC1 so the hostname appears in prompts and GUIs. This matters because human operators and management systems identify devices by hostname.
- config mgmtuser add admin Lab@123 15 — creates the admin user with password Lab@123 and privilege level 15 (full admin). This is required to access the controller for configuration and troubleshooting.
- config system organization NHPREP — stores the organization label used by the controller GUI/system pages; useful for inventory and certificates.
- save config — writes the running configuration to persistent storage so settings survive reload.
Verify:
show sysinfo
Expected output (representative):
Hostname: WLC1
Organization: NHPREP
Mgmt User: admin (privilege 15)
Configuration saved: yes
Task 2 Solution: Configure the Management interface
What we are doing: Configure the WLC Management interface with a static IP in the Management VLAN (192.168.3.0/24). The Management IP is used for the GUI, SSH, SNMP and general control-plane traffic.
config interface address management 192.168.3.10 255.255.255.0 192.168.3.1
save config
What just happened:
- config interface address management 192.168.3.10 255.255.255.0 192.168.3.1 — assigns IP 192.168.3.10/24 to the WLC Management interface and sets the default gateway to 192.168.3.1. This gateway must be reachable on VLAN 30 and is used for out-of-subnet management access (e.g., from HQ).
- save config — ensures the setting persists after reboot.
Why this matters in production:
- The management IP must be routable and reachable by NMS, admins, and external servers (NTP, RADIUS). Using 192.168.3.x for management segregates control traffic from user SSIDs.
Verify:
show interface summary
Expected output (representative):
Interface Type IP Address Netmask Gateway
management management 192.168.3.10 255.255.255.0 192.168.3.1
ap-manager ap-manager unassigned 0.0.0.0 0.0.0.0
Also verify reachability from a network device (R1/S3) or PC in the same VLAN:
ping 192.168.3.10
Expected output (representative):
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.3.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Task 3 Solution: Configure the AP-Manager interface
What we are doing: Configure the AP-Manager interface used by APs for discovery and CAPWAP tunnels. Use IP 192.168.3.11/24 on the Management VLAN.
config interface address ap-manager 192.168.3.11 255.255.255.0
save config
What just happened:
- config interface address ap-manager 192.168.3.11 255.255.255.0 — sets the AP-Manager address which APs use as their CAPWAP endpoint during join and for control traffic when configured. Separating AP-Manager from the management interface can isolate CAPWAP/AP traffic from administrative access.
- save config — saves the configuration.
Verify:
show interface summary
Expected output (representative):
Interface Type IP Address Netmask Gateway
management management 192.168.3.10 255.255.255.0 192.168.3.1
ap-manager ap-manager 192.168.3.11 255.255.255.0 -
Also check AP-manager reachability from an AP or switch in the same VLAN (example ping from S3):
ping 192.168.3.11
Expected output:
!!!!!
Success rate is 100 percent (5/5)
Troubleshooting Scenario
Scenario: APs cannot join the WLC
Symptom: Lightweight APs power up, discover the WLC IP via DHCP option/Internet connectivity, but the APs never complete the join (they show CAPWAP discovery but not join), and the WLC shows no APs connected.
Your task: Find and fix the issue.
Hint: APs and the WLC's AP-Manager must be in the same L3 reachable network; check AP-Manager IP and VLAN gateway.
Solution:
- Check AP-Manager IP:
show interface summary
If AP-Manager IP is in a different subnet (e.g., 192.168.2.x) or missing, reconfigure it:
config interface address ap-manager 192.168.3.11 255.255.255.0
save config
- Ensure network path: verify switch ports and VLAN 30 are trunked/access correctly and the gateway (192.168.3.1) routes traffic. On the router (R1) ensure there is a route or SVI for 192.168.3.0/24. Fix switch VLAN membership or router SVI as needed.
Explanation: APs will try to reach the AP-manager IP; if it is unreachable due to wrong subnet, wrong VLAN, or missing gateway, CAPWAP join fails.
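An added example, not part of the original lab: a Python check that parses show interface summary output and flags the conditions this scenario describes (AP-Manager missing or in the wrong subnet, gateway off-link, both roles sharing one IP). It assumes the five-column representative layout shown above; the names parse_summary and audit and the sample text are constructed for illustration.

```python
import ipaddress

# Constructed sample in the five-column layout of the lab's representative
# "show interface summary" output; ap-manager is deliberately misaddressed.
SAMPLE = """\
Interface   Type        IP Address     Netmask         Gateway
management  management  192.168.3.10   255.255.255.0   192.168.3.1
ap-manager  ap-manager  192.168.2.11   255.255.255.0   -
"""

MGMT_NET = ipaddress.ip_network("192.168.3.0/24")  # VLAN 30 in the lab IP scheme
NO_GW = ("-", "0.0.0.0")


def parse_summary(text):
    """Return {interface: (ip, netmask, gateway)} from the summary table."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:  # the header splits into 6 tokens and is skipped
            rows[parts[0]] = tuple(parts[2:])
    return rows


def audit(text, net=MGMT_NET):
    """List findings that would break management access or CAPWAP joins."""
    rows, findings, seen = parse_summary(text), [], {}
    for name in ("management", "ap-manager"):
        if name not in rows:
            findings.append(f"{name}: interface missing from output")
            continue
        ip, mask, gw = rows[name]
        if ip in ("unassigned", "0.0.0.0"):
            findings.append(f"{name}: no IP address assigned")
            continue
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        if iface.network != net:
            findings.append(f"{name}: {iface.with_prefixlen} is outside {net}")
        if gw not in NO_GW and ipaddress.ip_address(gw) not in iface.network:
            findings.append(f"{name}: gateway {gw} is off-link for {iface.network}")
        if name == "management" and gw in NO_GW:
            findings.append("management: no default gateway set")
        if ip in seen:
            findings.append(f"{name}: shares {ip} with {seen[ip]}")
        seen[ip] = name
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Paste the controller's real output in place of SAMPLE; an empty list means both interfaces match the lab addressing.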
Verification Checklist
- WLC hostname set to WLC1
- Admin user admin exists with password Lab@123
- Management interface assigned 192.168.3.10/24 with gateway 192.168.3.1
- AP-Manager interface assigned 192.168.3.11/24
- show interface summary displays both interfaces with correct IPs
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| APs fail to join WLC | AP-Manager IP not configured or in different subnet | Configure AP-Manager to 192.168.3.11/24; verify VLAN and routing |
| Cannot SSH/GUI to WLC | Management IP missing or wrong gateway | Configure management IP 192.168.3.10/24 and gateway 192.168.3.1; verify reachability |
| Settings lost after reload | Did not save configuration | Run save config after changes |
| Admin login fails | Wrong password or user not created | Recreate admin user: config mgmtuser add admin Lab@123 15 |
Challenge Task
Configure the WLC so that Management uses DHCP to obtain an IP in VLAN 30, and verify the WLC receives the correct address and gateway. (Do this without step-by-step guidance — think how DHCP interacts with controller management and what network components must be present for DHCP to succeed.)
Tip: In production, using DHCP for management is generally discouraged unless accompanied by DHCP reservations and robust bootstrapping; static addresses provide predictable management access.
Important: In production networks, separating Management and AP-Manager addresses helps isolate administrative traffic from AP and CAPWAP control traffic. Think of the Management interface as the controller’s "front desk" for admins and monitoring, and the AP-Manager interface as its "back office" for AP coordination — separating them improves reliability and security.