Cisco Wireless
Scope
This file covers Cisco enterprise wireless LAN architecture including Catalyst 9800 wireless LAN controllers (9800-40, 9800-80, 9800-L, 9800-CL cloud controller), Catalyst and Aironet access points (Wi-Fi 6/6E/7 -- Catalyst 9100 series), RF design (channel planning, power levels, co-channel interference), FlexConnect for branch/remote site deployments, CleanAir technology for RF interference detection and mitigation, DNA Spaces (now Cisco Spaces) for location analytics, 802.1X and guest wireless authentication, wireless controller high availability (SSO, N+1), and integration with Cisco Catalyst Center (formerly DNA Center) and ISE for policy enforcement.
Checklist
- [Critical] Is the wireless LAN controller platform selected appropriately -- Catalyst 9800-CL (virtual, on ESXi/KVM/cloud, up to 6000 APs), 9800-40 (hardware, up to 2000 APs), 9800-80 (hardware, up to 6000 APs), 9800-L (compact hardware, up to 250 APs for small sites) -- with controller capacity sized for total AP count plus 20% growth, and client density per AP validated against expected concurrent devices?
- [Critical] Is the controller high availability design defined -- Stateful Switchover (SSO) with active/standby pair (sub-second failover, both controllers must be same model and software version) for mission-critical environments, or N+1 redundancy (AP fallback to backup controller, 30-60 second re-join) for cost-sensitive deployments with tolerance for brief wireless outage?
- [Critical] Is the RF design completed with a professional site survey -- predictive survey (simulation-based using floor plans and material attenuation) for new construction, active survey (on-site with test APs) for existing buildings, with channel plan (non-overlapping channels: 1/6/11 for 2.4GHz, 8 or more channels for 5GHz with DFS, all channels for 6GHz), AP density targets (one AP per 2500-3500 sq ft for office, one per 500-1000 sq ft for high-density), and minimum signal strength (-67 dBm for voice, -72 dBm for data)?
- [Critical] Is the WLAN security design defined -- WPA3-Enterprise (802.1X with EAP-TLS or PEAP) for corporate devices, WPA3-Personal (SAE) or WPA2-Personal for IoT/BYOD where 802.1X is not feasible, guest portal (CWA or LWA via ISE or WLC internal) with guest account lifecycle, and PMF (Protected Management Frames, mandatory with WPA3) to prevent deauthentication attacks?
- [Critical] Is the SSID strategy designed -- minimum number of SSIDs (3-4 maximum per radio to minimize beacon overhead, each SSID consumes ~2-5% of airtime), with clear purpose per SSID (corporate 802.1X, guest, IoT/OT, optional voice-specific), and VLAN assignment per SSID or dynamic VLAN assignment via RADIUS for user-group segmentation?
- [Recommended] Is FlexConnect configured for branch/remote sites -- local switching mode (traffic breaks out locally, continues during WAN outage) vs central switching (traffic tunneled to controller, provides centralized policy but WAN-dependent), with FlexConnect groups for consistent VLAN/ACL policy across remote APs?
- [Recommended] Is Radio Resource Management (RRM) tuned appropriately -- Transmit Power Control (TPC) set to reduce power for high-density (avoid max power which causes co-channel interference), Dynamic Channel Assignment (DCA) enabled with appropriate channel width (20MHz for high-density 2.4GHz/5GHz, 40MHz for moderate density 5GHz, 80MHz only for low-density environments or 6GHz), and coverage hole detection sensitivity adjusted?
- [Recommended] Is CleanAir enabled on all capable APs to detect and report non-Wi-Fi interference sources (microwave ovens, Bluetooth, cordless phones, video bridges, radar) with Event Driven RRM (ED-RRM) configured to trigger channel changes when persistent interference is detected on an AP's serving channel?
- [Recommended] Is Catalyst Center (DNA Center) integrated for wireless assurance -- Client 360 for per-client health scoring, AP health monitoring, RF analytics, rogue AP detection and containment, and software image management (SWIM) for consistent AP firmware across the enterprise?
- [Recommended] Is ISE (Identity Services Engine) integrated for wireless authentication and policy -- RADIUS for 802.1X, profiling for device type identification (IoT devices, printers, medical equipment), posture assessment for corporate devices, and dynamic VLAN/ACL/SGT assignment based on user role and device compliance?
- [Recommended] Is the wireless QoS policy configured -- WMM (Wi-Fi Multimedia) enabled with proper queue mapping, Platinum/Gold/Silver/Bronze traffic classes for voice/video/best-effort/background, EDCA parameters tuned for the dominant traffic type, and AVC (Application Visibility and Control) on the WLC for application-level traffic shaping?
- [Optional] Is Wi-Fi 6E (6GHz) or Wi-Fi 7 deployment evaluated -- 6GHz provides 59 additional non-overlapping 20MHz channels (1200MHz of spectrum), eliminates legacy client interference, and supports 160MHz channels for maximum throughput, but requires 6E/7-capable client devices and has shorter range requiring higher AP density?
- [Optional] Is Cisco Spaces (formerly DNA Spaces) deployed for location analytics -- BLE-based or Wi-Fi-based location tracking for asset management, occupancy analytics, wayfinding, and engagement (push notifications), with privacy considerations documented for employee tracking environments?
- [Optional] Is the outdoor wireless design addressed -- outdoor AP model selection (Catalyst 9124/9136 for outdoor, IP67 rated), antenna selection (omnidirectional for general coverage, directional/sector for point-to-area), lightning protection and grounding, and mesh networking for areas where wired backhaul is not feasible?
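Several checklist items above carry numeric thresholds that can be checked mechanically. The following added example (not part of the original checklist or any Cisco tooling) lints a design record against the controller AP limits, the 20% growth margin, the SSID count, mandatory PMF with WPA3, and the 5GHz channel-width guidance; the record's field names and the sample design are assumptions constructed for illustration.

```python
# Added example: lint a WLAN design record against thresholds from the checklist.
# Field names and the SAMPLE_DESIGN record are constructed for illustration.
WLC_MAX_APS = {"9800-L": 250, "9800-40": 2000, "9800-80": 6000, "9800-CL": 6000}
MAX_SSIDS_PER_RADIO = 4                      # checklist: 3-4 maximum per radio
MAX_5GHZ_WIDTH_MHZ = {"high": 20, "moderate": 40, "low": 80}
GROWTH_PERCENT = 20                          # checklist: size for AP count plus 20%

def review_design(design):
    """Return a list of (code, message) findings; an empty list means no issues."""
    findings = []
    # Integer ceiling of ap_count * 1.2 avoids float rounding at the boundary.
    needed = (design["ap_count"] * (100 + GROWTH_PERCENT) + 99) // 100
    limit = WLC_MAX_APS[design["controller"]]
    if needed > limit:
        findings.append(("CAPACITY", f"{design['controller']} supports {limit} APs, "
                         f"design needs {needed} with growth"))
    if len(design["ssids"]) > MAX_SSIDS_PER_RADIO:
        findings.append(("SSID_COUNT", f"{len(design['ssids'])} SSIDs exceeds "
                         f"{MAX_SSIDS_PER_RADIO} per radio"))
    for ssid in design["ssids"]:
        # PMF is mandatory with WPA3; optional or disabled PMF is a finding.
        if ssid["security"].startswith("WPA3") and ssid["pmf"] != "mandatory":
            findings.append(("PMF", f"{ssid['name']}: WPA3 without mandatory PMF"))
        if ssid["purpose"] == "corporate" and ssid["security"] != "WPA3-Enterprise":
            findings.append(("CORP_AUTH", f"{ssid['name']}: corporate SSID is not "
                             "WPA3-Enterprise"))
    widest = MAX_5GHZ_WIDTH_MHZ[design["density"]]
    if design["width_5ghz_mhz"] > widest:
        findings.append(("CHANNEL_WIDTH", f"{design['width_5ghz_mhz']} MHz is too wide "
                         f"for {design['density']}-density 5 GHz (max {widest} MHz)"))
    return findings

SAMPLE_DESIGN = {  # constructed input
    "controller": "9800-40", "ap_count": 1800, "density": "high", "width_5ghz_mhz": 40,
    "ssids": [
        {"name": "corp", "purpose": "corporate", "security": "WPA3-Enterprise", "pmf": "mandatory"},
        {"name": "guest", "purpose": "guest", "security": "open", "pmf": "disabled"},
        {"name": "iot", "purpose": "iot", "security": "WPA3-Personal", "pmf": "optional"},
        {"name": "voice", "purpose": "voice", "security": "WPA3-Enterprise", "pmf": "mandatory"},
        {"name": "lab", "purpose": "corporate", "security": "WPA2-Personal", "pmf": "optional"},
    ],
}

if __name__ == "__main__":
    for code, message in review_design(SAMPLE_DESIGN):
        print(f"[{code}] {message}")
```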
Why This Matters
Wireless is the primary network access method for most enterprise users, and poor wireless performance directly impacts productivity, collaboration, and user satisfaction in ways that are immediately visible to the business. RF design is not optional -- deploying APs without a site survey results in co-channel interference (too many APs on the same channel), coverage gaps, and inconsistent performance that cannot be fixed with configuration changes alone. The Catalyst 9800 controller architecture (IOS-XE based) is a significant departure from the legacy AireOS controllers, with different HA behavior, configuration model (YANG/NETCONF), and troubleshooting workflow -- organizations migrating from AireOS must plan for operational retraining. CleanAir is uniquely valuable because non-Wi-Fi interference (particularly microwave ovens in break rooms and Bluetooth in high-density areas) causes performance degradation that is invisible to standard Wi-Fi diagnostics. SSID count is one of the most commonly violated best practices -- each SSID broadcasts management frames on every AP, and environments with 8+ SSIDs waste significant airtime on beacons alone. Wi-Fi 6E fundamentally changes wireless design by providing clean spectrum without legacy 802.11a/b/g/n client overhead, but the 6GHz band has higher free-space path loss requiring closer AP spacing.
Common Decisions (ADR Triggers)
- Catalyst 9800 hardware vs virtual (9800-CL) -- Hardware controllers (9800-40, 9800-80) provide dedicated appliance performance with no hypervisor dependency, appropriate for large campuses. Virtual 9800-CL runs on ESXi, KVM, or cloud (AWS/Azure) with flexible scaling, lower upfront cost, and simplified DR. Choose hardware for large campus deployments (1000+ APs) or environments without virtualization; virtual for cloud-first organizations, multi-site with centralized management, or smaller deployments.
- SSO (active/standby) vs N+1 controller HA -- SSO provides sub-second failover with zero client impact (clients maintain session, no re-authentication) but requires two identical controllers and licenses. N+1 provides AP-level fallback (30-60 second re-join, clients re-authenticate) with one backup controller serving multiple primaries. Choose SSO for voice-over-Wi-Fi, healthcare, and environments where any wireless disruption is unacceptable; N+1 for cost-sensitive deployments where brief re-association is tolerable.
- FlexConnect local switching vs central switching -- Local switching keeps data traffic at the branch (better performance, survives WAN outage) but distributes policy enforcement. Central switching tunnels all traffic to the controller (centralized security, consistent policy) but depends on WAN bandwidth and availability. Choose local switching for branch offices with local services and unreliable WAN; central switching for environments requiring centralized inspection or where branch security cannot be trusted.
- 20MHz vs 40MHz vs 80MHz channel width -- 20MHz provides the most non-overlapping channels (fewest co-channel interference issues), best for high-density environments. 40MHz doubles throughput per channel but halves available channels, appropriate for moderate density. 80MHz provides maximum throughput but only 2-4 non-overlapping channels in 5GHz, suitable only for low-density or 6GHz deployments. Choose 20MHz for conference rooms, auditoriums, and high-density office; 40MHz for standard office; 80MHz+ for 6GHz-only or dedicated high-throughput applications.
- Cisco enterprise wireless vs Meraki wireless -- Catalyst 9800 + Catalyst APs provide full RF control, advanced features (CleanAir spectrum intelligence, DNA Spaces, Catalyst Center assurance), and complex deployment options (FlexConnect, mesh, controller HA). Meraki MR provides cloud simplicity with limited advanced RF tuning but dramatically faster deployment and simpler management. Choose Catalyst for large campus, healthcare, education, and environments needing granular RF control; Meraki for distributed retail, small offices, and environments prioritizing operational simplicity.
- Wi-Fi 6E adoption vs Wi-Fi 6 only -- Wi-Fi 6E requires 6GHz-capable APs (higher cost) and 6E-capable client devices (limited adoption as of 2025, growing rapidly). Wi-Fi 6 (5GHz/2.4GHz) works with all modern clients. Choose Wi-Fi 6E for greenfield deployments, high-density environments, or future-proofing; Wi-Fi 6 for environments where client refresh has not yet reached 6E capability.
Reference Links
- Catalyst 9800 wireless controller configuration guide -- 9800 controller deployment, WLAN configuration, HA, and FlexConnect
- Cisco wireless design guide -- Cisco Validated Design for campus wireless including RF design, controller placement, and AP deployment
- CleanAir technology -- CleanAir spectrum intelligence configuration and interference classification
- Catalyst Center wireless assurance -- Wireless health, client 360, and RF analytics through Catalyst Center
- Cisco wireless AP comparison -- Catalyst 9100 series AP specifications, Wi-Fi 6/6E/7 models
- ISE wireless integration -- ISE RADIUS, profiling, and posture for wireless policy enforcement
See Also
- general/networking.md -- general networking architecture patterns
- providers/cisco/switching.md -- Cisco campus switching (wired infrastructure for AP connectivity)
- providers/cisco/meraki.md -- Cisco Meraki cloud-managed wireless (alternative to Catalyst wireless)