Lesson 5 of 5

Wireless Infrastructure WLC and RF Design

Introduction

Wireless networking is a critical pillar of the CCNP ENCOR exam and modern enterprise design. Understanding how wireless LAN controllers operate, how access points connect to the network fabric, and how RF design principles affect roaming and client experience will separate a competent engineer from someone who simply passes the test.

In this lesson you will learn how CAPWAP ties access points to a controller, the difference between non-fabric and fabric wireless deployments, how VXLAN with BGP EVPN builds the overlay that carries wireless traffic at scale, and why seamless roaming matters so much to end-user applications. By the end you will be able to explain WLC architecture choices, describe the role of every node in an EVPN fabric, and predict what happens to a client session when it roams across VLANs.

Key Concepts

CAPWAP and AP Connectivity

CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol that connects access points back to a wireless LAN controller. In a traditional, non-fabric deployment CAPWAP is used exclusively for the control plane — the WLC pushes configuration, policy, and management instructions to each AP over this tunnel. The data plane, however, is locally switched, which means wireless client traffic is bridged directly onto the local wired VLAN at the AP rather than being tunneled back to the controller. Because the data plane is local, wireless traffic is treated exactly like wired traffic from the perspective of the upstream switches.

FlexConnect mode follows the same model: a CAPWAP control-plane tunnel exists between the AP and the WLC, but client data is switched locally at the AP site. This is the architecture you will encounter whenever APs sit at a branch or remote location and the WLC is centralized.

VXLAN with BGP EVPN Fabric Roles

When wireless is integrated into an SD-Access or campus EVPN fabric, several new node roles come into play. The table below summarizes each role drawn from the EVPN architecture.

Fabric Role            Function
Leaf Node (VTEP)       Origination and termination point of the VXLAN-enabled overlay network. Hosts and APs attach here.
Spine Node             BGP EVPN route reflector that reflects L2/L3 VPN prefixes, providing hierarchical neighbor peering, learning, and distribution.
Intermediate Node      A Layer 2 or Layer 3 (IP/MPLS) underlay network system that provides basic transport and forwarding.
Border Node            Gateway between the EVPN fabric and an external network domain.
Border Gateway Node    Gateway between two or more BGP EVPN administrative domain boundaries.

The control plane is standards-based, defined by RFC 8365 and RFC 7432, and relies on Multiprotocol BGP (MP-BGP) to distribute reachability information. The data plane can use several encapsulations — VXLAN (EVPN overlay), MPLS, or Provider Backbone Bridging (PBB) — but in campus wireless designs VXLAN is the dominant choice.

Key use cases enabled by BGP EVPN include Integrated Routing and Bridging (IRB), MAC Mobility, and Multi-Tenancy (VPN).

Seamless Roaming

Seamless roaming means keeping information consistent — specifically the client's IP address and policy — as the client moves between access points. A secure roam should complete in only a few tens of milliseconds with no need to re-authenticate against the AAA server at every transition.

To achieve this you need some form of key caching protocol, most commonly 802.11r (Fast BSS Transition). Optimized roaming is further supported by 802.11k (neighbor reports) and 802.11v (BSS transition management).

How It Works

VXLAN BGP EVPN Host Learning and MAC Mobility

Understanding how the fabric learns about wireless (and wired) hosts is essential for troubleshooting roaming and duplicate-address issues.

Consider a fabric with two leaf switches acting as VTEPs. The spine nodes sit above them as BGP EVPN route reflectors.

Step 1 — Initial Host Detection. A host with MAC address MAC1 and IP address IP1 appears behind VTEP-1. VTEP-1 detects the host and advertises an EVPN route. The BGP NLRI (Network Layer Reachability Information) carried in the update contains:

  • Host MAC1 and IP1
  • The NVE (Network Virtualization Endpoint) IP of VTEP-1
  • VNI 5000 (the VXLAN Network Identifier for this segment)
  • Next-Hop set to VTEP-1
  • Extended Community attributes: Encapsulation type VXLAN, Sequence number 0

Every other leaf node in the fabric receives this update (reflected by the spine) and installs an entry in its L2VPN table pointing MAC1/IP1 toward VTEP-1.

Step 2 — Host Moves. The same host now moves behind VTEP-5 (for example, a wireless client roaming to an AP on a different leaf switch). VTEP-5 detects the host locally and advertises a new EVPN route for MAC1/IP1 with Sequence number 1.

Step 3 — Sequence Comparison. All receiving leaf nodes compare sequence numbers. Because Sequence 1 from VTEP-5 is more recent than Sequence 0 from VTEP-1, they update their L2VPN tables to point at VTEP-5.

Step 4 — Old Route Withdrawal. VTEP-1 also sees the more recent advertisement and withdraws its own route for MAC1/IP1.

This mechanism handles all mobility scenarios: local-to-local, local-to-remote, remote-to-local, and remote-to-remote MAC or MAC/IP moves. Duplicate detection timers can be adjusted to control how aggressively the fabric flags a host that bounces repeatedly between VTEPs.

A simplified view of the L2VPN tables on the two leaf nodes during initial attachment looks like this:

Leaf Node          MAC    IP    VNI    Next-Hop   Encap   Seq
VTEP-1 (local)     MAC1   IP1   5000   VTEP-1     VXLAN   0
VTEP-5 (remote)    MAC1   IP1   5000   VTEP-1     VXLAN   0

After the host moves behind VTEP-5, both tables converge to point at VTEP-5 with Sequence 1.
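The four steps above can be traced with a small model of the leaf L2VPN tables. This is an added teaching example, not controller or switch code: the names EvpnRoute, Leaf and Fabric are hypothetical, the spine route reflectors are modelled simply as "deliver the update to every other leaf", and the duplicate-detection defaults of 5 moves within 180 seconds follow RFC 7432 section 15. MAC1/IP1, VTEP-1, VTEP-5 and VNI 5000 are the lesson's values; the timestamps are constructed inputs.

```python
"""Model of BGP EVPN MAC mobility (sequence-number comparison and withdrawal)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Key = Tuple[str, int]  # (MAC, VNI) identifies one L2VPN table entry


@dataclass(frozen=True)
class EvpnRoute:
    """MAC/IP advertisement carried in the BGP NLRI plus its extended communities."""
    mac: str
    ip: str
    vni: int
    next_hop: str          # NVE IP of the advertising VTEP (a name here, not an address)
    encap: str = "VXLAN"   # Encapsulation extended community
    seq: int = 0           # MAC Mobility extended community sequence number


class Leaf:
    """A leaf node (VTEP) and its L2VPN table."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.l2vpn: Dict[Key, EvpnRoute] = {}
        self.advertised: Dict[Key, EvpnRoute] = {}   # routes this leaf originated

    def receive(self, route: EvpnRoute) -> bool:
        """Step 3: install a reflected route only when its sequence number is higher."""
        key = (route.mac, route.vni)
        current = self.l2vpn.get(key)
        if current is not None and current.seq >= route.seq:
            return False                         # older or equal sequence loses
        self.l2vpn[key] = route
        # Step 4: a leaf that originated an older route for this host withdraws it.
        old = self.advertised.get(key)
        if old is not None and old.seq < route.seq:
            del self.advertised[key]
        return True


class Fabric:
    def __init__(self, leaves: List[Leaf], dup_moves: int = 5, dup_window: int = 180) -> None:
        self.leaves = {leaf.name: leaf for leaf in leaves}
        self.dup_moves, self.dup_window = dup_moves, dup_window
        self.moves: Dict[Key, List[int]] = {}    # timestamps of recent moves per host
        self.duplicates: Set[Key] = set()        # hosts frozen by duplicate detection

    def host_appears(self, leaf_name: str, mac: str, ip: str, vni: int, now: int = 0) -> Optional[EvpnRoute]:
        """Steps 1-2: a leaf detects a host locally and advertises it. Returns the route sent, or None."""
        leaf = self.leaves[leaf_name]
        key = (mac, vni)
        if key in self.duplicates:
            return None                          # duplicate MAC: no further advertisements
        existing = leaf.l2vpn.get(key)
        if existing is not None and existing.next_hop == leaf_name:
            return existing                      # already local, nothing new to advertise
        seq = 0 if existing is None else existing.seq + 1
        if existing is not None:                 # a move: count it for duplicate detection
            recent = [t for t in self.moves.get(key, []) if now - t <= self.dup_window] + [now]
            self.moves[key] = recent
            if len(recent) >= self.dup_moves:
                self.duplicates.add(key)
                return None
        route = EvpnRoute(mac, ip, vni, leaf_name, seq=seq)
        leaf.l2vpn[key] = route
        leaf.advertised[key] = route
        for other in self.leaves.values():       # the spine reflects to every other leaf
            if other is not leaf:
                other.receive(route)
        return route

    def table(self, mac: str, vni: int) -> List[Tuple[str, str, int]]:
        """Rows of (leaf, next-hop, seq), the same view as the lesson's L2VPN table."""
        rows = []
        for name, leaf in self.leaves.items():
            route = leaf.l2vpn.get((mac, vni))
            if route is not None:
                rows.append((name, route.next_hop, route.seq))
        return rows


def lesson_scenario() -> Fabric:
    """Step 1 (host behind VTEP-1) followed by Step 2 (host moves behind VTEP-5)."""
    fab = Fabric([Leaf("VTEP-1"), Leaf("VTEP-5")])
    fab.host_appears("VTEP-1", "MAC1", "IP1", 5000, now=0)
    fab.host_appears("VTEP-5", "MAC1", "IP1", 5000, now=10)
    return fab


if __name__ == "__main__":
    for row in lesson_scenario().table("MAC1", 5000):
        print(row)
```

Running the scenario shows both leaves converging on VTEP-5 with sequence 1 and VTEP-1 dropping its own advertisement; bouncing the host between the two leaves five times inside the window freezes it as a duplicate, which is the behaviour the duplicate-detection timers control.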

What Happens When a Client Roams Across VLANs

Seamless Layer 2 roaming works smoothly as long as the client stays within the same VLAN and broadcast domain. If a client roams to an AP on a different VLAN, the session breaks. How severely it breaks depends on the client operating system:

  • Even with a full re-authentication on roaming, some client operating systems may consider the network to be the same subnet and will not check DHCP at all.
  • Windows performs a DHCP Inform and gateway detection but does not go through the entire DHCP discovery process.
  • Other client operating systems do nothing, and DHCP simply times out after approximately 30 seconds, causing a prolonged session break.
  • If roaming fails entirely and the client receives a de-authentication frame, it will perform a full DHCP discovery, which still takes roughly four to five seconds.

Beyond IP addressing, engineers must consider the broader impact of a VLAN-change roam:

  • Application recovery — will the application layer handle a brief disconnection gracefully?
  • VPN tunnels — will the tunnel need to be re-established after the IP address changes?
  • DHCP server pressure — in a mass-roam event (for example, a lecture hall emptying between classes), the DHCP server may be flooded with simultaneous requests.

The takeaway is clear: for seamless roaming you need the same VLAN and Layer 2 broadcast domain available at every AP the client might reach. This is one of the primary reasons enterprises extend VLANs across access-layer switches or, better yet, use an overlay fabric like VXLAN BGP EVPN to stretch Layer 2 segments without the risks of traditional spanning tree.

Configuration Example

Viewing Client Scan Reports on the WLC

Client analytics on the WLC can be accessed through scan reports. To view detailed client information and the most recent scan report, use the following commands.

Display full client details including the scan report timestamp:

show wireless client mac-address H.H.H detail

Expected output includes a section similar to:

Client Scan Report Time : Timer not running
Client Scan Reports
  Last Report @: 12/17/2024 17:48:01
  BSSID : 345d.a80c.de22
  Time  : 12/17/2024 17:48:01

To request an on-demand scan report for a specific client:

wireless client mac-address H.H.H scan-report

Replace H.H.H with the actual MAC address of the wireless client in dotted-hexadecimal format. These scan reports show which BSSID the client last reported against and the timestamp of that report, which is invaluable when troubleshooting roaming issues or verifying that a client is connecting to the expected AP.

Best Practice: Use client scan reports proactively when investigating roaming complaints. The BSSID and timestamp tell you exactly which AP the client was associated with and when, letting you correlate RF events with user-reported problems.
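When correlating a roaming complaint with scan reports, the useful work is normalizing the client MAC into the H.H.H form the commands expect, pulling the BSSID/timestamp pairs out of the detail output, and finding the report nearest the time the user reported trouble. The following helpers are an added example, not Cisco code: the function names are hypothetical, the sample output is constructed from the lesson's excerpt with a second report added, and the BSSIDs and timestamps in it are made-up values.

```python
"""Helpers for the WLC client scan report workflow shown in the lesson."""
import re
from datetime import datetime
from typing import Dict, List, Optional

DOTTED_MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"   # timestamp format used in the report lines

# Constructed sample output: the lesson shows one report, a second is added here.
SAMPLE_DETAIL = """\
Client Scan Report Time : Timer not running
Client Scan Reports
  Last Report @: 12/17/2024 17:48:01
  BSSID : 345d.a80c.de22
  Time  : 12/17/2024 17:48:01
  BSSID : 345d.a80c.de3e
  Time  : 12/17/2024 17:41:20
"""


def to_dotted(mac: str) -> str:
    """Normalize 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff' to H.H.H form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def detail_command(mac: str) -> str:
    """The 'show' command from the lesson with the MAC filled in."""
    return f"show wireless client mac-address {to_dotted(mac)} detail"


def scan_report_command(mac: str) -> str:
    """The on-demand scan report command from the lesson with the MAC filled in."""
    return f"wireless client mac-address {to_dotted(mac)} scan-report"


def parse_scan_reports(output: str) -> List[Dict[str, object]]:
    """Return [{'bssid': str, 'time': datetime}, ...] from the 'Client Scan Reports' block."""
    reports: List[Dict[str, object]] = []
    in_block = False
    pending: Optional[str] = None
    for line in output.splitlines():
        stripped = line.strip()
        if stripped == "Client Scan Reports":
            in_block = True
            continue
        if in_block and stripped and not line.startswith(" "):
            break                                  # next top-level section starts
        if not in_block:
            continue
        if stripped.startswith("BSSID"):
            pending = stripped.split(":", 1)[1].strip()
            if not DOTTED_MAC.match(pending):
                raise ValueError(f"unexpected BSSID format: {pending}")
        elif stripped.startswith("Time") and pending is not None:
            when = datetime.strptime(stripped.split(":", 1)[1].strip(), TIME_FMT)
            reports.append({"bssid": pending, "time": when})
            pending = None
    return reports


def report_nearest(reports: List[Dict[str, object]], when: str) -> Optional[Dict[str, object]]:
    """The report closest in time to a user-reported event (same timestamp format)."""
    target = datetime.strptime(when, TIME_FMT)
    return min(reports, key=lambda r: abs((r["time"] - target).total_seconds()), default=None)


if __name__ == "__main__":
    print(detail_command("34:5d:a8:0c:de:22"))
    for report in parse_scan_reports(SAMPLE_DETAIL):
        print(report["bssid"], report["time"].strftime(TIME_FMT))
    print(report_nearest(parse_scan_reports(SAMPLE_DETAIL), "12/17/2024 17:43:00"))
```

The parser stops at the first unindented line after the block so that BSSID or Time fields in later sections of the detail output are not mistaken for scan reports; the BSSID check rejects anything that is not in dotted-hexadecimal form rather than silently recording a malformed value.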

Real-World Application

Choosing the Right Wireless Architecture

In production networks the choice between non-fabric (FlexConnect/local mode) and fabric-integrated wireless depends on scale, segmentation needs, and existing infrastructure.

Non-fabric deployments are simpler. The CAPWAP control plane manages the AP, and data is switched locally. This works well for smaller campuses or branch offices where overlay complexity is not justified. Because wireless traffic is locally switched, it behaves identically to wired traffic — the same VLANs, the same access-layer switch policies, the same troubleshooting tools.

VXLAN BGP EVPN fabric deployments are the choice for large campuses that need multi-tenancy, host mobility across leaf switches, and integrated routing and bridging. The sequence-number-based MAC mobility mechanism ensures that a wireless client roaming from one VTEP to another is tracked cleanly at the control plane without flooding. Border nodes and border gateway nodes give you well-defined exit points to external domains or to other EVPN administrative regions.

Roaming Design Considerations

When designing for seamless roaming, keep these principles in mind:

  • Extend the same VLAN to every AP location where clients are expected to roam. In a fabric, the VXLAN overlay makes this straightforward without stretching Layer 2 across the physical underlay.
  • Enable 802.11r (Fast BSS Transition) along with 802.11k/v to minimize roam times and eliminate full re-authentication against AAA.
  • Plan for mass-roam events. Size DHCP scopes and server capacity for the worst case — hundreds of clients roaming simultaneously.
  • Test application behavior. Even a sub-second roam can disrupt poorly written applications or tear down VPN tunnels, so validate end-to-end before declaring the design complete.

Cloud-Managed Scaling

For cloud-managed wireless platforms, a single organizational entity can support up to approximately 35,000 nodes, though dashboard performance is the practical constraint. A network — a logical grouping of devices, configurations, and statistics — is recommended to stay at or below 5,000 nodes for responsive management. For wireless specifically, the network defines the scope of SSIDs and policies, including RF profiles. If you need more scale, configure multiple organizations and use a multi-org view to manage them together.

Summary

  • CAPWAP provides control-plane connectivity between APs and the WLC; in non-fabric and FlexConnect deployments the data plane is locally switched, making wireless traffic behave like wired traffic.
  • VXLAN BGP EVPN fabrics use leaf nodes (VTEPs), spine nodes (route reflectors), border nodes, and border gateway nodes to build a scalable overlay governed by RFC 8365 and RFC 7432 with Multiprotocol BGP.
  • MAC mobility in EVPN is handled through BGP sequence numbers — a higher sequence number wins, and the old VTEP withdraws its route, supporting all move scenarios including wireless roaming.
  • Seamless roaming requires the same VLAN and Layer 2 broadcast domain at every AP; a VLAN change during roaming causes session disruption whose severity varies by client OS, from a brief DHCP Inform to a 30-second timeout.
  • 802.11r, 802.11k, and 802.11v are the key standards for fast, secure, optimized roaming with minimal re-authentication delay.

Next, continue your study by exploring SD-Access fabric wireless integration and how Catalyst Center automates VXLAN BGP EVPN provisioning for wireless deployments.