Lesson 7 of 7

Fabric Wireless Integration

Objective

Integrate wireless controllers and access points into an SD-Access fabric so wireless clients are fabric-enabled and receive the same segmentation, VXLAN encapsulation, and policy enforcement as wired endpoints. In production, fabric-enabled wireless provides consistent policy, L2 mobility, and seamless client roaming across buildings and data centers. Example real-world scenario: a hospital campus where wireless medical devices must keep the same security group tag (SGT) and routed domain while roaming between floors and between campus and data center.

Topology

ASCII topology (new wireless devices added). Interfaces and IPs used in this lesson are shown.

                            +----------------------+
                            |  Control Plane       |
                            |  Map-Server (LISP)   |
                            |  CP-Node: 10.10.0.10 |
                            +----------------------+
                                        |
                                  10.10.0.0/24
                                        |
        +------------------+   +------------------+
        |  Fabric Border   |---|  Fabric Edge     |
        |  Core (rtr)      |   |  Switch (Dist)   |
        |  10.10.0.1       |   |  10.10.0.2       |
        +------------------+   +------------------+
                                        |
                        +---------------+---------------+
                        |                               |
                 VLAN 10 (Mgmt)                VLAN 100 (Wireless)
               10.1.10.1/24 (SVI)                 10.1.100.0/24
                        |                               |
             +--------------------+        +-------------------------+
             |  WLC-Primary       |        |  AP (Join)              |
             |  mgmt 10.1.10.10   |        |  static IP 10.1.100.50  |
             +--------------------+        +-------------------------+
             |  WLC-Secondary     |
             |  mgmt 10.1.10.11   |
             +--------------------+

Device Table

Device          Role                                          Management IP
--------------  --------------------------------------------  --------------
CP-Node         Control Plane (LISP Map-Server)               10.10.0.10
Fabric Border   Border / Core router                          10.10.0.1
Fabric Edge     Distribution switch (fabric-enabled)          10.10.0.2
WLC-Primary     Wireless LAN Controller (primary)             10.1.10.10
WLC-Secondary   Wireless LAN Controller (secondary)           10.1.10.11
AP-01           Access Point (joins WLC, wireless clients)    10.1.100.50

Tip: For management GUI access to devices, use the domain lab.nhprep.com and the password Lab@123 wherever the examples call for a username/password prompt.

Quick Recap

This lesson continues from the Lab 45 topology. No additional fabric nodes are added. New devices for this lesson:

  • WLC-Primary: 10.1.10.10 (management on VLAN 10)
  • WLC-Secondary: 10.1.10.11 (management on VLAN 10)
  • AP-01: 10.1.100.50 (joins WLC and will be fabric-enabled via the fabric edge)

We assume the fabric underlay (IP reachability between control plane nodes and fabric nodes) is already functional from earlier lessons.

Key Concepts

Before touching CLI, understand these core principles:

  • CAPWAP control vs data: CAPWAP establishes a control channel and optionally a data channel between AP and WLC. In production, when the primary WLC fails, APs re-establish CAPWAP to the secondary WLC to preserve connectivity.
    • Packet flow: APs send CAPWAP discovery to controller management IP; once joined, control messages (join, config) flow over the CAPWAP control channel; client user plane may be tunneled or locally switched depending on WLC and fabric integration.
  • WLC redundancy modes: Active/Standby (APs re-join the secondary controller after a failure) and SSO (stateful switchover, a hot standby); SSO preserves client sessions during failover where the platform supports it. For embedded wireless on Catalyst 9000, hardware stacking or redundant supervisors provide SSO.
  • Fabric wireless integration: WLCs and APs must be reachable in the SD-Access fabric management plane (VLAN/SVI), and the fabric edge must provide AP-manager/CAPWAP reachability plus VXLAN encapsulation so that wireless user traffic maps into the fabric VNs.
  • LISP for endpoint reachability: The LISP control plane maps endpoint locators (RLOCs) to EIDs. Wireless fabric-enabled endpoints are registered in the control plane similarly to wired endpoints, enabling campus-to-cloud and multisite mobility using LISP/VXLAN.
  • MTU considerations: VXLAN adds overhead; in multisite transit environments ensure WAN and transit devices support higher MTU. If not, configure TCP MSS adjustments.
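The MTU point above is easiest to reason about with the numbers written out. The following is an added example (not part of the lesson): it totals the per-layer VXLAN overhead for an IPv4 underlay, derives the transit MTU a fabric needs for a 1500-byte inner packet, and computes the TCP MSS to clamp when a transit hop cannot be raised. The hop names and MTU values in the sample path are constructed.

```python
"""Worked VXLAN MTU / TCP MSS check for a fabric transit path.

Added example, not part of the lesson. Header sizes are the standard
IPv4/UDP/VXLAN sizes; the sample transit path at the bottom is constructed.
"""

# Bytes VXLAN adds in front of the original (inner) Ethernet frame on an IPv4 underlay.
OUTER_IPV4 = 20       # outer IPv4 header, no options
OUTER_UDP = 8         # UDP header (VXLAN destination port 4789)
VXLAN_HEADER = 8      # VXLAN header carrying the VNI (VXLAN-GPO used by SD-Access is the same size)
INNER_ETHERNET = 14   # inner MAC header carried inside the tunnel

IPV4_TCP_HEADERS = 20 + 20  # minimal inner IPv4 + TCP headers, needed for the MSS clamp


def vxlan_ip_overhead() -> int:
    """Bytes added to an inner IP packet to form the outer IP packet.
    The outer Ethernet header is not counted because MTU is an IP-layer limit."""
    return OUTER_IPV4 + OUTER_UDP + VXLAN_HEADER + INNER_ETHERNET  # 50


def required_underlay_mtu(inner_mtu: int = 1500) -> int:
    """Smallest IP MTU every underlay/transit hop needs so that a full-size
    inner packet of `inner_mtu` bytes is tunneled without fragmentation."""
    return inner_mtu + vxlan_ip_overhead()  # 1550 for a 1500-byte inner MTU


def tcp_mss_for_path(path_mtu: int) -> int:
    """TCP MSS to clamp on the fabric edge so a full-size segment still fits
    into one VXLAN-encapsulated packet of `path_mtu` bytes."""
    return path_mtu - vxlan_ip_overhead() - IPV4_TCP_HEADERS


def check_transit_path(hop_mtus: dict, inner_mtu: int = 1500) -> dict:
    """Flag every hop whose MTU cannot carry the encapsulated packet and, if any
    exists, report the MSS clamp that would work on the worst hop."""
    if not hop_mtus:
        raise ValueError("no hops given")
    needed = required_underlay_mtu(inner_mtu)
    too_small = {hop: mtu for hop, mtu in hop_mtus.items() if mtu < needed}
    worst = min(hop_mtus.values())
    return {
        "required_mtu": needed,
        "path_mtu": worst,
        "fragmentation_risk": bool(too_small),
        "undersized_hops": too_small,
        "mss_clamp": tcp_mss_for_path(worst) if too_small else None,
    }


if __name__ == "__main__":
    # Constructed sample: a multisite transit where only the WAN link was left at 1500.
    sample_path = {
        "fabric-edge": 9100,
        "fabric-border": 9100,
        "wan-transit": 1500,
        "remote-border": 9100,
    }
    print(check_transit_path(sample_path))
```

The result for the sample path flags the WAN hop and suggests an MSS of 1410, the value that keeps a 1500-byte inner IPv4/TCP packet inside a 1500-byte transit MTU once the 50 bytes of VXLAN overhead are added.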

Step-by-step configuration

Each step includes commands, explanation, and verification.

Step 1: Prepare Fabric Edge for Wireless (SVI + AP manager)

What we are doing: Create the management SVI for the WLCs and an AP-manager SVI (the interface APs use for CAPWAP and the data plane) on the fabric edge switch. This gives WLCs and APs IP reachability into the fabric management network.

! Enter configuration mode on Fabric Edge switch
configure terminal
! Create VLAN 10 for WLC management and VLAN 100 for wireless
vlan 10
 name WLC-MGMT
vlan 100
 name WIRELESS
! Create SVIs for management and wireless AP-manager
interface Vlan10
 description WLC-Management-SVI
 ip address 10.1.10.1 255.255.255.0
 no shutdown
interface Vlan100
 description AP-Manager-SVI
 ip address 10.1.100.1 255.255.255.0
 no shutdown
! Ensure trunk ports to APs/access switches carry these VLANs (example)
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,100
end
write memory

What just happened: VLANs were created and SVIs assigned for WLC management and AP-manager segments. The switch now routes and provides gateway functionality for 10.1.10.0/24 and 10.1.100.0/24 networks. Trunking lets AP ports carry management and AP traffic. Without these SVIs, WLCs or APs would lack L3 reachability to the fabric control plane.

Real-world note: In production the AP-manager SVI is often isolated and ACL-protected to limit CAPWAP discovery and protect APs.

Verify:

show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.1.10.1       YES manual up                    up
Vlan100                10.1.100.1      YES manual up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up

Step 2: Configure WLC Management and Redundancy

What we are doing: Configure management interfaces on both the primary and secondary WLCs so they are reachable via 10.1.10.0/24, and enable redundancy so that APs know both controllers. This matters because APs need at least a primary and a secondary controller to join and to fail over.

! On WLC-Primary (via CLI)
config interface address management 10.1.10.10 255.255.255.0 10.1.10.1
config redundancy mode full
config redundancy mgmt-ip add 10.1.10.11
save config

! On WLC-Secondary (via CLI)
config interface address management 10.1.10.11 255.255.255.0 10.1.10.1
config redundancy mode standby
config redundancy mgmt-ip add 10.1.10.10
save config

What just happened: Each WLC was assigned a management IP and a default gateway pointing at the fabric edge SVI (10.1.10.1). The redundancy configuration makes WLC-Primary and WLC-Secondary aware of each other so APs can rejoin the secondary if needed. The redundancy mode chosen determines how state is preserved; here "full" and "standby" indicate active/standby behavior.

Real-world note: For embedded WLCs on Catalyst 9300/9400, redundancy may be implemented via supervisor redundancy or switch stacking for SSO. Verify platform docs before choosing redundancy mode.

Verify:

! On WLC-Primary
show interface management
Management Interface
IP Address: 10.1.10.10
Netmask: 255.255.255.0
Gateway: 10.1.10.1

show redundancy summary
Redundancy Mode: full
Peer Management IPs: 10.1.10.11

Step 3: Configure AP Join VLAN and CAPWAP Reachability

What we are doing: Ensure APs are in the correct VLAN and can reach the WLC management IPs. For the static AP IP example, place the AP in VLAN 100 and point its gateway at the SVI. This step ensures CAPWAP discovery packets reach the WLC.

! Example: configure an AP with a static IP from the AP's local CLI
! (CAPWAP AP command syntax as on Cisco IOS-based lightweight APs; newer AP images
!  use a similar "capwap ap ip" form, so check the platform guide for your AP)
capwap ap ip address 10.1.100.50 255.255.255.0
capwap ap ip default-gateway 10.1.100.1
capwap ap primary-base WLC-Primary 10.1.10.10
capwap ap secondary-base WLC-Secondary 10.1.10.11
! On the switch ensure port connects AP to VLAN100 (access mode)
interface GigabitEthernet1/0/10
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
end
write memory

What just happened: The AP was given an IP in VLAN100 and pointed to primary/secondary WLCs. The switch port was configured to place the AP into VLAN100 so the AP uses 10.1.100.1 as a gateway and can send CAPWAP discovery to the WLCs. Without correct VLAN placement, APs fail to discover controllers.

Real-world note: In DHCP-based deployments you commonly use DHCP Option 43 or DNS to direct APs to controllers. Static configuration is useful in a lab or for troubleshooting.

Verify:

! On AP-01
show ip
IP Address : 10.1.100.50
Subnet Mask: 255.255.255.0
Gateway    : 10.1.100.1
Primary Controller: 10.1.10.10
Secondary Controller: 10.1.10.11

! On WLC-Primary
show ap join stats
Ap Name          IP Address     State
AP-01            10.1.100.50    Joined

Step 4: Confirm CAPWAP Tunnel and Fabric Enrollment

What we are doing: Verify the CAPWAP control channel, confirm the WLC has registered the AP, and confirm that wireless clients are mapped into the fabric VN (VXLAN) and the LISP control plane. This confirms APs are fully fabric-enabled.

! On WLC-Primary
show capwap client summary
Controller IP : 10.1.10.10
AP Name    IP Address     CAPWAP State    Joined Clients
AP-01      10.1.100.50    CAPWAP Up       2

! On Fabric Edge (to verify mapping / LISP registration visibility)
show lisp registrations
EID Prefix      RLOCs
10.1.100.50/32  10.10.0.2

What just happened: The WLC shows AP-01 has an active CAPWAP session and has client associations. On the fabric edge, LISP registrations for wireless EIDs show the mapping between endpoint (AP/client EID) and RLOCs, enabling the control plane to route VXLAN-encapsulated traffic across fabric sites. This is how the fabric knows where wireless endpoints are located.

Real-world note: LISP registrations let control plane nodes build global reachability for endpoints. Ensure control plane nodes are reachable (10.10.0.10 in topology).

Verify:

! On WLC-Primary
show capwap tunnel summary
AP Name    Tunnel State   Control State
AP-01      Up             Established

! On CP-Node (show map-cache)
show lisp map-cache
Prefix            Locator(s)
10.1.100.0/24     10.10.0.2
10.1.100.50/32    10.10.0.2

Step 5: Test Failover Behavior (Primary -> Secondary)

What we are doing: Simulate a primary WLC failure to confirm that APs and clients re-establish CAPWAP to the secondary and that the fabric updates its registrations. This validates redundancy and ensures minimal client disruption in production.

! On WLC-Primary simulate failure (shutdown management interface)
! (If available: admin CLI to disable interface)
config interface disable Management

! Wait 30-60 seconds, then verify AP rejoin on secondary
! On WLC-Secondary
show ap join stats
Ap Name          IP Address     State
AP-01            10.1.100.50    Joined

! On Fabric Edge / CP node, verify LISP updates
show lisp registrations
EID Prefix      RLOCs
10.1.100.50/32  10.10.0.2

What just happened: After the primary management interface was disabled, APs re-attempted CAPWAP discovery and joined the secondary controller. The fabric control plane re-learned endpoint locators where necessary. In production, failover time depends on CAPWAP timers and the redundancy mode; SSO reduces disruption.

Real-world note: Simulated failovers are essential in maintenance windows to confirm failover behavior, especially for critical wireless services in healthcare or manufacturing.

Verify:

! On WLC-Primary (show interface status)
show interface management
Management Interface
IP Address: 10.1.10.10
Status: Admin Down

! On WLC-Secondary
show capwap client summary
AP Name    IP Address     CAPWAP State
AP-01      10.1.100.50    CAPWAP Up

Verification Checklist

  • Check 1: WLC management SVIs are reachable. Verify with show ip interface brief on fabric edge and show interface management on WLCs.
  • Check 2: APs have joined a controller. Verify with show ap join stats on the WLC and show capwap client summary.
  • Check 3: LISP registrations for wireless EIDs are present on control plane / fabric nodes. Verify with show lisp registrations or show lisp map-cache.
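The three checks above (and the verification outputs of Steps 1, 3 and 4) can be run as code instead of by eye. The following is an added example, not part of the lesson: it parses captured CLI output with regular expressions and evaluates the checklist against an expected state. The sample captures are constructed from the lesson's own expected outputs; column layouts on real platforms differ, so adjust the patterns to your captures, and feed it the failover output of Step 5 to confirm the AP re-joined.

```python
"""Automated run of this lesson's verification checklist over captured CLI output.

Added example, not part of the lesson. The captures below are constructed to
mirror the lesson's expected outputs; the parsers are pattern-based and must be
adapted to the exact column layout of the platform you capture from.
"""
import re

# Constructed captures (fabric edge, WLC, and LISP output from the lesson).
SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
Vlan10                 10.1.10.1       YES manual up                    up
Vlan100                10.1.100.1      YES manual up                    up
GigabitEthernet1/0/1   unassigned      YES unset  up                    up
"""

SHOW_AP_JOIN_STATS = """\
Ap Name          IP Address     State
AP-01            10.1.100.50    Joined
"""

SHOW_LISP_REGISTRATIONS = """\
EID Prefix      RLOCs
10.1.100.50/32  10.10.0.2
"""

# One regex per output; header rows do not match and are therefore skipped.
SVI_RE = re.compile(r"^(Vlan\d+)\s+(\S+)\s+YES\s+\S+\s+(up|down|administratively down)\s+(up|down)\s*$")
AP_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
LISP_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+(\d+\.\d+\.\d+\.\d+(?:,\s*\d+\.\d+\.\d+\.\d+)*)\s*$")


def parse_svis(output: str) -> dict:
    """Return {interface: {ip, status, protocol}} for every SVI line."""
    svis = {}
    for line in output.splitlines():
        m = SVI_RE.match(line)
        if m:
            svis[m.group(1)] = {"ip": m.group(2), "status": m.group(3), "protocol": m.group(4)}
    return svis


def parse_ap_join(output: str) -> dict:
    """Return {ap_name: {ip, state}} from 'show ap join stats' style output."""
    aps = {}
    for line in output.splitlines():
        m = AP_RE.match(line)
        if m:
            aps[m.group(1)] = {"ip": m.group(2), "state": m.group(3)}
    return aps


def parse_lisp_registrations(output: str) -> dict:
    """Return {eid_prefix: [rloc, ...]} from 'show lisp registrations' style output."""
    regs = {}
    for line in output.splitlines():
        m = LISP_RE.match(line)
        if m:
            regs[m.group(1)] = [r.strip() for r in m.group(2).split(",")]
    return regs


def run_checklist(svi_out: str, ap_out: str, lisp_out: str, expected: dict) -> dict:
    """Evaluate the lesson's three checks. Returns {check: (passed, offending items)}."""
    svis = parse_svis(svi_out)
    aps = parse_ap_join(ap_out)
    regs = parse_lisp_registrations(lisp_out)

    # Check 1: every expected SVI exists and its line protocol is up.
    svis_down = [i for i in expected["svis"] if svis.get(i, {}).get("protocol") != "up"]
    # Check 2: every expected AP reports the Joined state (not Discovery etc.).
    not_joined = [a for a in expected["aps"] if aps.get(a, {}).get("state") != "Joined"]
    # Check 3: every expected wireless EID is registered behind the expected RLOC.
    unregistered = [eid for eid, rloc in expected["eids"].items() if rloc not in regs.get(eid, [])]

    return {
        "check1_svis_up": (not svis_down, svis_down),
        "check2_aps_joined": (not not_joined, not_joined),
        "check3_lisp_registered": (not unregistered, unregistered),
    }


# Expected state for this lesson's topology.
EXPECTED = {
    "svis": ["Vlan10", "Vlan100"],
    "aps": ["AP-01"],
    "eids": {"10.1.100.50/32": "10.10.0.2"},
}

if __name__ == "__main__":
    for check, (passed, items) in run_checklist(
        SHOW_IP_INT_BRIEF, SHOW_AP_JOIN_STATS, SHOW_LISP_REGISTRATIONS, EXPECTED
    ).items():
        print(f"{check}: {'PASS' if passed else 'FAIL ' + str(items)}")
```

Each check returns the offending items rather than just a boolean, so a failed run points directly at the AP still in discovery or the EID that never appeared in the control plane, which is the first thing the Common Mistakes table below asks you to confirm.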

Common Mistakes

  • Symptom: AP stays in "discovery" state and never joins
    Cause: AP cannot reach the WLC management IP (VLAN mismatch or SVI missing)
    Fix: Ensure the AP port VLAN and the SVI exist; verify with show ip interface brief and the switchport config
  • Symptom: AP joins Primary but clients get no fabric services
    Cause: WLC management network not in the fabric control plane, or VXLAN mapping missing
    Fix: Ensure the WLC lives in a fabric-managed management VLAN and LISP registrations appear; verify with show lisp registrations
  • Symptom: AP fails to join Secondary after a primary failure
    Cause: Redundancy IPs not configured, or CAPWAP timers too long
    Fix: Configure primary/secondary management IPs on the AP/WLC and test; adjust CAPWAP timers only if necessary and supported
  • Symptom: Clients lose connectivity during WLC failover
    Cause: Redundancy mode is active/standby without SSO support
    Fix: Consider SSO or embedded hardware redundancy on supported Catalyst platforms to preserve client sessions

Key Takeaways

  • Fabric-enabled wireless requires both proper L3 reachability for WLC/AP management and fabric control-plane registration (LISP) for wireless EIDs to participate in VXLAN/VN segmentation.
  • CAPWAP is the mechanism for AP/WLC control; APs must be able to reach primary and secondary WLC management IPs. In failure events APs will re-initiate CAPWAP to the secondary.
  • Redundancy mode matters: SSO or hardware redundancy reduces client disruption, while active/standby may require AP rejoin and client re-authentication.
  • Always validate MTU and transit path for VXLAN encapsulation in multisite designs; insufficient MTU can cause fragmented or dropped user traffic.

Warning: In production, perform controller failover tests during maintenance windows. Wireless is user-facing and failovers can impact critical services if not validated.
