Cisco lightweight access points use the IETF standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) to communicate with the wireless controller and other lightweight access points on the network.
Control and Provisioning of Wireless Access Points Protocol (CAPWAP): The Internet Engineering Task Force (IETF) standard Control and Provisioning of Wireless Access Points Protocol (CAPWAP) is the underlying protocol used in the Cisco Centralized WLAN Architecture (functional architecture of the Cisco Unified Wireless Network solution). CAPWAP provides the configuration and management of APs and WLANs in addition to encapsulation and forwarding of WLAN client traffic between an AP and a WLAN controller (WLC). CAPWAP is based on the Lightweight Access Point Protocol (LWAPP) but adds additional security with Datagram Transport Layer Security (DTLS). CAPWAP uses the User Datagram Protocol (UDP) and can operate either over Internet Protocol version 4 (IPv4) or Internet Protocol version 6 (IPv6). CAPWAP encapsulates the data between LAP and WLC within new IP packets. The tunneled data is then switched or routed over a campus network.
CAPWAP control messages: CAPWAP carries exchanges that are used to configure the AP and manage its operation. The control messages are authenticated and encrypted, so the AP is securely controlled only by the appropriate WLC, and are then transported over the control tunnel. Only the CAPWAP (Control and Provisioning of Wireless Access Points) control tunnel is secured by default. Client data passes over the CAPWAP data tunnel, but is only optionally encrypted. DHCP requests are client data and are not encrypted by default. Finally, 802.11 beacons are sent over the air from an LAP, so they are neither encrypted nor transported by CAPWAP.
Because the network is built with a WLC and LAPs, CAPWAP tunnels are required. One CAPWAP tunnel connects each LAP to the WLC, for a total of 32 tunnels. CAPWAP encapsulates wireless traffic inside an additional IP header, so the tunnel packets are routable across a Layer 3 network. That means the LAPs and WLC can reside on any IP subnet as long as the subnets are reachable. There is no requirement that the LAPs and the WLC lie on the same Layer 2 VLAN or Layer 3 IP subnet. A lightweight AP in local mode needs only an access link with a single VLAN; everything else is carried over the CAPWAP tunnel to a WLC.
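To make the control-tunnel/data-tunnel distinction concrete, here is an added Python audit (not from the original page or from Cisco) that classifies constructed UDP flow records by CAPWAP port, counts the AP-to-WLC tunnels, and flags data tunnels that are not DTLS-encrypted as well as control tunnels to an unapproved WLC. It assumes CAPWAP's IANA-assigned UDP ports 5246 (control) and 5247 (data), plus an approved-WLC list and a per-WLC data-DTLS setting supplied by the operator.

```python
# Constructed sample flow records (not from the original page), one per line:
# "src_ip dst_ip proto dst_port". 10.10.x.x are APs, 10.0.0.x are WLCs.
SAMPLE_FLOWS = """\
10.10.1.11 10.0.0.5 udp 5246
10.10.1.11 10.0.0.5 udp 5247
10.10.2.22 10.0.0.5 udp 5246
10.10.2.22 10.0.0.5 udp 5247
10.10.3.33 10.0.0.9 udp 5246
10.10.3.33 10.0.0.9 udp 5247
10.10.4.44 192.0.2.77 udp 5246
10.10.5.55 10.0.0.5 udp 5247
10.10.1.11 10.0.0.5 udp 53
"""
# CAPWAP well-known UDP ports (IANA assignment; not stated on the page).
CAPWAP_CONTROL_PORT = 5246   # control tunnel, DTLS-protected by default
CAPWAP_DATA_PORT = 5247      # data tunnel, DTLS optional

def parse_flows(text):
    """Return (src, dst, proto, port) tuples, skipping blank/malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        src, dst, proto, port = parts
        flows.append((src, dst, proto.lower(), int(port)))
    return flows

def audit_capwap(flows, approved_wlcs, data_dtls_enabled):
    """Inventory CAPWAP tunnels; approved_wlcs is a set of WLC IPs and
    data_dtls_enabled maps WLC IP -> bool (assumed per-WLC setting)."""
    control, data = set(), set()   # (ap, wlc) pairs per tunnel type
    for src, dst, proto, port in flows:
        if proto != "udp":
            continue
        if port == CAPWAP_CONTROL_PORT:
            control.add((src, dst))
        elif port == CAPWAP_DATA_PORT:
            data.add((src, dst))
    findings = []
    for ap, wlc in sorted(control):
        if wlc not in approved_wlcs:
            findings.append(f"{ap}: control tunnel to unapproved WLC {wlc}")
    for ap, wlc in sorted(data):
        if (ap, wlc) not in control:
            findings.append(f"{ap}: data tunnel to {wlc} without a control tunnel")
        elif not data_dtls_enabled.get(wlc, False):
            findings.append(f"{ap}: client data (incl. DHCP) to {wlc} is not DTLS-encrypted")
    return {"tunnels": len(control), "findings": findings}
```

Run against real NetFlow or firewall exports, the same logic gives the tunnel count the text computes and a list of APs whose client data (including DHCP) still crosses the campus network in cleartext.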
Wireless Controller ports: Controller ports are the physical ports of the device, connecting it to the switched network infrastructure. The following are the most important physical ports on a controller.
Service Port (SP): Used for initial boot functions, system recovery and out-of-band management. To configure the controller through the GUI, you connect your computer to the service port.
Redundancy Port (RP): This port is used to connect another controller for redundant operations.
Distribution Ports: These ports carry all access point and management traffic. A Distribution Port connects to a switch port in trunk mode. 4400 series controllers have four distribution ports and 5500 series controllers have eight distribution ports.
Console port: Used for out-of-band management, system recovery and initial boot functions.
Link Aggregation Group (LAG): Controllers use a link aggregation group (LAG) to bundle ports together. It is a partial implementation of the 802.3ad port aggregation standard. It bundles all of the controller's distribution system ports into a single 802.3ad port channel, thereby reducing the number of IP addresses needed to configure the ports on your controller. A LAG multiplies the bandwidth, increases port flexibility, and provides link redundancy between two devices. Link Aggregation Control Protocol (LACP) is a part of the IEEE specification (802.3az) that can control the bundling of several physical ports together to form a single logical channel (LAG).
WLC Interfaces: Cisco wireless controllers provide the necessary connectivity through internal logical interfaces, which must be configured with an IP address, subnet mask, default gateway, and a Dynamic Host Configuration Protocol (DHCP) server. Each interface is then assigned to a physical port and a VLAN ID.