Configure Dynamic Interface on WLC

A dynamic interface is simply an interface that maps a WLAN to a wired VLAN or subnet.

Dynamic interfaces are used to control and secure the traffic on the WLAN, just as we use VLANs and subnets on the LAN for that purpose.

Maximum number of VLANs supported on Cisco Wireless Controllers

Wireless LAN Controllers

Max. VLAN Supported

Virtual WLC


WLC Module for ISR G2


WLC 2500 Series


WLC 5500 Series


WLC 6500 Series WISM2


WLC Flex 7500 Series


WLC 8500 Series


  • We must use a tagged VLAN for dynamic interfaces.

Configuring a dynamic interface is an easy task via either the GUI or the CLI. Here is the procedure:


The GUI is the easiest way to configure multiple dynamic interfaces on a Cisco Wireless Controller. Here are the screenshots:

Choose Controller > Interfaces > New to open the Interfaces page.

New Interface

Click Apply. The Interface > Edit page will then appear; enter the details.

After entering all the details, click Apply. That's it.

Here are the basic commands to create a dynamic interface via the CLI on a Cisco Wireless LAN Controller:

(WLAN1)  >config interface create testinterface 84
(WLAN1)  >config interface address dynamic-interface testinterface <ip-address> <netmask> <gateway>
(WLAN1)  >config interface port testinterface 1
(WLAN1)  >config interface dhcp dynamic-interface testinterface primary <primary-dhcp-server> secondary <secondary-dhcp-server>

In the same way, I created one more dynamic interface, “bde”:

(WLAN1)  >config interface create bde 85
(WLAN1)  >config interface address dynamic-interface bde <ip-address> <netmask> <gateway>
(WLAN1)  >config interface port bde 1
(WLAN1)  >config interface dhcp dynamic-interface bde primary <primary-dhcp-server> secondary <secondary-dhcp-server>

Both methods are easy and not very time-consuming. Which one to use is up to you.

For me:

By the GUI method it takes 2-3 minutes. By the CLI method it takes 3-4 minutes (I can’t remember all the commands; that’s the reason it takes longer).

Points to remember when creating a dynamic interface:

  • Create a dynamic interface and define a name and SSID.
  • Assign an IP address, subnet mask and gateway.
  • Assign a physical port number.
  • Finally, configure the DHCP servers (primary or secondary; at least one is necessary).

Configure Interface Groups on Cisco WLC

In this post we will learn how to create an interface group and assign multiple interfaces to it.

Interface groups are logical groups of interfaces. An interface can be part of multiple interface groups. To use one, we first create an interface group and then assign dynamic interfaces to it.

When many APs support the same WLAN, all users of that WLAN, on all APs connected to the same controller, are sent to the same dynamic interface. One way to reduce this broadcast domain is to break up the WLAN into multiple segments. You can do so by associating the WLAN with an interface group rather than a single dynamic interface. To do this, create a new interface group, choose the already created dynamic interfaces that the group should contain, and then map WLANs to the group.

Via GUI:

Choose Controller > Interface Groups, then click Add Group on the right side of the main page.

Interface Group

*Here I created the interface group “test-bde”.

Click Add.

Interface Group des

Click on the interface group “test-bde”.

Int Grp add Int

Here you can click Add Interface to assign an interface to the interface group.

Via CLI:

From the command line, we can use these commands to configure an interface group and assign interfaces to it:

(WLAN1)  >config interface group create test-bde
(WLAN1)  >config interface group description test-bde "Just for learning"
(WLAN1)  >config interface group interface add test-bde testinterface
(WLAN1)  >config interface group interface add test-bde bde

Assign Interface Group to a WLAN

After creating the dynamic interfaces / interface group, we have to assign these interfaces / interface groups to a WLAN.

First create a WLAN, then map these interfaces to it.

Here is the procedure:

Via GUI:

Step 1: Create a WLAN

Log in to the GUI of the WLC, click on WLAN, select Create New and click on Go.

Create WLAN

Step 2: Enter the details as shown in the screenshot

WLAN ssid profile

Step 3: Click on Apply; the WLAN > Edit “test-bde” page will appear.

Enable the WLAN, select the interface or interface group, and select Broadcast SSID (if you want to).

WLAN Status

Step 4: Click on Apply

Via CLI:

From the command line it’s very easy, but it takes more and more practice to remember these commands.

In this example:

Mapped interface “bde” to the WLAN:

(WLAN1)  >config wlan create 7 testbde testbde
(WLAN1)  >config wlan interface 7 bde
(WLAN1)  >config wlan broadcast-ssid enable 7
(WLAN1)  >config wlan enable 7

Or we can map the interface group “test-bde” to the WLAN:

(WLAN1)  >config wlan create 7 testbde testbde
(WLAN1)  >config wlan interface 7 test-bde
(WLAN1)  >config wlan broadcast-ssid enable 7
(WLAN1)  >config wlan enable 7
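
As a check on the procedure above (create the interface with a tagged VLAN, give it an address, port and DHCP server, then map the WLAN to an interface or interface group that exists), the following added example audits a pasted list of `config` commands. It is not part of the original posts; the sample input is constructed, the addresses are documentation-range placeholders, and treating VLAN ID 0 as "untagged" is an assumption about the controller.

```python
import shlex
# Constructed input: the page's interface, group and WLAN names, plus an untagged
# interface ("guest") and a WLAN mapped to a name that was never created ("lab").
SAMPLE = """
(WLAN1) >config interface create testinterface 84
(WLAN1) >config interface address dynamic-interface testinterface 192.0.2.10 255.255.255.0 192.0.2.1
(WLAN1) >config interface port testinterface 1
(WLAN1) >config interface dhcp dynamic-interface testinterface primary 192.0.2.5
(WLAN1) >config interface create bde 85
(WLAN1) >config interface port bde 1
(WLAN1) >config interface create guest 0
(WLAN1) >config interface group create test-bde
(WLAN1) >config interface group interface add test-bde testinterface
(WLAN1) >config interface group interface add test-bde bde
(WLAN1) >config wlan interface 7 test-bde
(WLAN1) >config wlan interface 8 lab
"""
STEPS = ("address", "port", "dhcp")  # what the page says must follow "create"

def audit(text):
    vlan, done, groups, wlans, out = {}, {}, {}, {}, []
    for line in text.splitlines():
        t = shlex.split(line.split(">", 1)[-1])  # strip the "(WLAN1) >" prompt
        if t[:3] == ["config", "interface", "create"]:
            vlan[t[3]] = int(t[4])
        elif t[:4] == ["config", "interface", "group", "create"]:
            groups.setdefault(t[4], [])
        elif t[:5] == ["config", "interface", "group", "interface", "add"]:
            groups.setdefault(t[5], []).append(t[6])
        elif t[:2] == ["config", "interface"] and len(t) > 4 and t[2] in STEPS:
            name = t[4] if t[3] == "dynamic-interface" else t[3]
            done.setdefault(name, set()).add(t[2])
        elif t[:3] == ["config", "wlan", "interface"]:
            wlans[t[3]] = t[4]
    for name, vid in vlan.items():
        if vid == 0:  # assumption: VLAN ID 0 means untagged on the controller
            out.append(f"{name}: untagged VLAN")
        missing = [s for s in STEPS if s not in done.get(name, ())]
        if missing:
            out.append(f"{name}: missing {', '.join(missing)}")
    for grp, members in groups.items():
        out += [f"{grp}: unknown member {m}" for m in members if m not in vlan]
    for wid, target in wlans.items():
        if target not in vlan and target not in groups:
            out.append(f"wlan {wid}: mapped to undefined {target}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
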

Roaming / Mobility Basics

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. In this post I will try to elaborate how mobility works when controllers are included in a wireless network.


In wireless networking, roaming means the ability to move from one AP coverage area to another without interruption in service or loss of connectivity. This is a key component of a wireless network deployment.

Mobility Groups:

A mobility group is a set of Wireless LAN Controllers, identified by the same mobility group name, that defines the realm of seamless roaming for wireless clients. By creating a mobility group, we can enable multiple WLCs in a network to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers in the same mobility group can share the context and state of client devices as well as their list of access points so that they do not consider each other’s access points as rogue devices. With this information, the network can support inter-controller wireless LAN roaming and controller redundancy.

Roaming is the action of a wireless client moving from one AP to another AP while actively transmitting data without any interruption.

For voice WLAN: it is very common to have roaming.

For data WLAN: a data deployment can be nomadic; the user may get a slight interruption while moving from one coverage area to another without impacting the user experience.

When a wireless client connects and authenticates to an AP, the AP’s controller (the one the AP is connected to) puts an entry for that client in its database. The entry contains client information such as the MAC address, the IP address, the WLAN it is associated with, the AP the client is connected to, etc.

In controller-based deployments, roaming can be of three types:

  1. Intra (all APs on the same controller)
  2. Inter or layer 2 (different controllers with the same network, meaning the same subnet)
  3. Layer 3 (different controllers with totally different subnets)


 Intra Controller Roaming:

Intra Controller Roaming

  • Intra controller roaming is roaming between LAPs managed by the same WLC, obviously in the same IP subnet.
  • It is necessarily about the subnets that the clients are using that are serviced by the APs. So, let’s say we have 2 APs, both of which are servicing a specific IP subnet. When a client roams from one AP to the other, that is layer 2 roaming. The client still maintains its IP address.
  • Wireless clients move from one AP to another AP on the same controller.
  • When a client moves its association from one access point to another, the controller simply updates the client database with the newly associated access point.
  • This entry includes the client’s MAC and IP addresses, security context and associations, quality of service (QoS) contexts, the WLAN, and the associated AP.
  • Sometimes it also establishes a new security context: if a client’s session timeout or key change occurs during roaming, this information must be passed to the WLC. With open authentication, the WLC doesn’t need to establish or update the security context.

AP: Encryption and Decryption

WLC: Mobility, QoS and Security Management

  • This roaming process takes less than 10 ms (it is almost seamless).

Lab results and logs will follow soon.

Layer 2 – Inter Controller Roaming:

 L2 - Inter Controller Roaming

Now when we do a layer 2 roam and multiple controllers are involved, both controllers need to service the same subnet. This would mean that we have a dynamic interface in subnet x configured on WLC1 and another interface that is also configured in subnet x on WLC2. This would be inter-controller roaming (layer 2).

  • The wireless user moves from one AP to another AP connected to another controller in the same subnet (as the first controller).
  • It means that the client is roaming between two different controllers, but these controllers can be part of the same mobility group and the same subnet.
  • When the client tries to join the new AP, both controllers exchange the client details (database entry and credentials).
  • The new WLC exchanges mobility messages with the original WLC and the client entry is moved to the new WLC. This entry includes the client’s MAC and IP addresses, security context and associations, quality of service (QoS) contexts, the WLAN, and the associated AP.
  • The client database entry is updated for the new access point. This process takes less than 20 ms and remains transparent to the user.

Lab results and logs will follow soon.

Layer 3 – Inter Controller Roaming:

 L3 - Inter Controller Roaming

The wireless user moves from one AP to another AP connected to another controller in a different subnet. In other words, if a client roams between APs registered to different controllers and the client WLAN on the two controllers is on different subnets, it is called an inter-controller L3 roam.

  • It’s similar to inter-subnet roaming.
  • Controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database.
  • The database entry is copied to the new controller’s client database and marked with a “Foreign” entry in the new controller.
  • The main advantage is that the client maintains its original IP address even after changing controllers.
  • The process takes less than 30 ms.
  • The roam remains transparent to the wireless client.
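
The three roam types described in this post differ only in what happens to the client database entry: updated in place, moved, or copied with Anchor/Foreign marks. The following added example models that decision. It is not Cisco's implementation or part of the original post; the `Controller` class, the "Local" label, the controller and AP names, and all addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

MAC = "00:00:5e:00:53:01"  # constructed client MAC (documentation range)

@dataclass
class Controller:
    name: str
    subnets: set   # subnets served by this controller's dynamic interfaces
    aps: set       # APs joined to this controller
    clients: dict = field(default_factory=dict)  # MAC -> client database entry

def associate(wlc, mac, ip, subnet, ap):
    # "Local" is this model's label for a client that has not roamed at layer 3.
    wlc.clients[mac] = {"ip": ip, "subnet": subnet, "ap": ap, "role": "Local"}

def roam(mac, old, new, new_ap):
    """Re-associate `mac` to `new_ap` on `new` and return the roam type."""
    if new_ap not in new.aps:
        raise ValueError(f"{new_ap} is not joined to {new.name}")
    entry = old.clients[mac]
    if new is old:                        # same controller: only the AP changes
        entry["ap"] = new_ap
        return "intra-controller"
    if entry["subnet"] in new.subnets:    # same subnet: the entry is moved
        new.clients[mac] = dict(old.clients.pop(mac), ap=new_ap)
        return "inter-controller L2"
    entry["role"] = "Anchor"              # different subnet: the entry is copied
    new.clients[mac] = dict(entry, ap=new_ap, role="Foreign")
    return "inter-controller L3"

def demo():
    wlc1 = Controller("WLC1", {"192.0.2.0/25"}, {"AP1", "AP2"})
    wlc2 = Controller("WLC2", {"192.0.2.0/25"}, {"AP3"})
    wlc3 = Controller("WLC3", {"198.51.100.0/24"}, {"AP4"})
    associate(wlc1, MAC, "192.0.2.20", "192.0.2.0/25", "AP1")
    kinds = [roam(MAC, wlc1, wlc1, "AP2"),   # AP1 -> AP2, both on WLC1
             roam(MAC, wlc1, wlc2, "AP3"),   # WLC2 serves the same subnet
             roam(MAC, wlc2, wlc3, "AP4")]   # WLC3 serves a different subnet
    return kinds, wlc1, wlc2, wlc3

if __name__ == "__main__":
    kinds, *wlcs = demo()
    print(kinds)
    for w in wlcs:
        print(w.name, w.clients)
```

After the last roam the client keeps its original IP address on both the Anchor and the Foreign entry, which is the advantage listed above.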

Lab results and logs will follow soon.