Mental model
In a controller-based Wi-Fi deployment (WLC + lightweight APs), every AP joins a wireless LAN controller and runs the mode you assigned. The mode determines:
- Where client data flows (tunneled to WLC vs switched locally).
- Whether the AP serves clients at all (or just listens / sniffs).
- What happens when the WAN to the WLC dies.
You’re not picking a model — you’re picking a behavior. The same physical AP can run any of these modes; you just change the mode in the controller.
The seven modes — what each does
1. Local mode (default)
Default for in-building corporate deployments.
- Data path: Client traffic tunneled over CAPWAP to the WLC, decapsulated, then routed/switched.
- Control: Centralized at the WLC.
- Use when: APs and WLC are on the same LAN — fast, low-latency tunnel.
- Downside: All client traffic crosses the WLC. A branch AP with the WLC at HQ means every Wi-Fi packet round-trips through HQ.
2. FlexConnect (formerly H-REAP)
Built for branch offices with the WLC at HQ over WAN.
- Data path: Client traffic is switched locally at the AP — never traverses the WAN to the WLC.
- Control: Still managed by the WLC, but the AP keeps a local copy of the auth/config so it can keep clients connected if the WAN dies (Standalone state).
- Use when: Branch with a local internet break-out, or branches where WAN failure must not kill Wi-Fi.
- Two sub-states:
  - Connected — talking to WLC normally.
  - Standalone — WAN down. AP authenticates clients itself using cached PSK/802.1X creds. Limited features (no new VLAN changes, no central RADIUS unless the AP can still reach it).
3. Bridge mode / Mesh
The AP becomes a wireless infrastructure node rather than serving clients directly.
- Data path: AP bridges Ethernet to a wireless backhaul radio. Used for outdoor mesh, point-to-point links between buildings, or extending coverage to areas without Ethernet drops.
- Roles:
  - Root AP (RAP) — has wired uplink, acts as the gateway for the mesh.
  - Mesh AP (MAP) — wireless-only backhaul to a RAP.
- Use when: Outdoor parking lots, warehouse high-bays, port/yard coverage, or temporary event Wi-Fi.
4. Monitor mode
AP serves no clients. Pure RF monitor.
- Behavior: Scans all channels across the 2.4/5/6 GHz bands. Detects rogue APs and interference, performs location services, runs CleanAir.
- Use when: High-density deployment that needs continuous monitoring without giving up client-serving APs.
- Downside: AP can’t serve clients while in this mode — it’s a dedicated sensor.
5. Sniffer mode
AP becomes a wireless packet sniffer, streaming 802.11 frames to Wireshark.
- Behavior: AP listens on one channel and forwards all 802.11 traffic to a remote sniffer host (Wireshark, OmniPeek) via Ethernet.
- Use when: Troubleshooting roaming, association, or auth issues — you need to see the actual wireless frames, which a normal NIC doesn’t capture.
- Downside: No client service. Single-channel only.
6. SE-Connect mode
Connects the AP’s CleanAir radio to Spectrum Expert for deep RF analysis.
- Behavior: AP becomes a spectrum-analyzer probe streaming raw RF data.
- Use when: Investigating non-Wi-Fi interference (microwaves, Bluetooth, jammers, faulty radios) — these don’t appear on regular Wi-Fi captures.
- Downside: No client service.
7. Rogue Detector
Connects via Ethernet to a trunk port; listens for unknown MACs that match wireless clients to detect rogue APs on the wired network.
- Behavior: Wired-side detection of devices originating wireless traffic.
- Use when: Compliance environments where you must guarantee no unauthorized AP is bridging wireless onto the wired LAN.
- Mostly legacy — modern WLCs do rogue detection from local-mode APs that scan briefly between client serving frames.
Quick comparison
| Mode | Serves clients? | Data path | WAN-tolerant? | Typical use |
|---|---|---|---|---|
| Local | Yes | Tunnel to WLC | No (LAN deployment) | HQ campus |
| FlexConnect | Yes | Switched at AP | Yes — Standalone state | Branch |
| Bridge / Mesh | RAP/MAP roles | Wireless backhaul | Within mesh | Outdoor, warehouse, P2P |
| Monitor | No | n/a | n/a | RF intel, rogue detection |
| Sniffer | No | Forward to Wireshark | n/a | Troubleshooting |
| SE-Connect | No | Spectrum data | n/a | Non-Wi-Fi interference hunt |
| Rogue Detector | No | Wired listen | n/a | Compliance / legacy |
Configuration — set the mode
From the WLC GUI (Catalyst 9800 example):
Configuration > Wireless > Access Points > [AP name] > General tab > AP Mode
CLI (Catalyst 9800):
WLC(config)# ap name AP-LOBBY mode flex-connect
WLC(config)# ap name AP-LOBBY mode monitor
WLC(config)# ap name AP-LOBBY mode sniffer
Mode change usually causes the AP to reboot or re-register.
FlexConnect deep dive — the most CCNA-relevant non-local mode
FlexConnect ACL / VLAN mapping is configured per-WLAN at the WLC:
WLAN: BRANCH-CORP
FlexConnect: Enable
FlexConnect Local Switching: Enable
VLAN Mapping: SSID → VLAN 20 at branch
When a client associates, the AP tags the traffic into VLAN 20 on the local trunk rather than encapsulating it to the WLC. Auth is still handled centrally in Connected state (live RADIUS via the WLC); in Standalone the AP falls back to cached creds.
States to know:
- Authentication Central / Switching Central — Local mode behavior over FlexConnect — rare.
- Authentication Central / Switching Local — Standard FlexConnect — auth at WLC, data switched at AP.
- Authentication Local / Switching Local — Standalone — WAN down, AP using cached creds.
Common mistakes
- Putting branch APs in Local mode. Every Wi-Fi packet hairpins to HQ. Saturates the WAN. Always FlexConnect for branches.
- Forgetting the trunk on a FlexConnect AP’s switch port. Local switching means the AP needs a trunk to deliver client traffic into the right VLAN. An access port on VLAN 1 → all clients land on VLAN 1.
- Using Monitor mode on every AP. You give up half your client-serving capacity. Modern WLCs scan opportunistically — dedicated monitor APs are only needed in critical environments.
- Confusing Sniffer mode with packet capture on a switch. Switch port mirroring captures wired frames. Sniffer mode captures over-the-air 802.11 frames including beacons, probes, retries — invisible at the switch.
- Mesh without good RF planning. A 3-hop mesh chain loses about half its throughput per hop. Always cable as many APs as you can; mesh is a last resort.
- Treating SE-Connect as a normal sniffer. SE-Connect is for non-Wi-Fi interference. For 802.11 packets, use Sniffer mode.
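The first three mistakes above can be checked mechanically against an AP inventory. The following is an added example, not part of the original page or any Cisco tooling: the CSV layout, the column names, the finding codes and the 25% sensor threshold are all assumptions, and every FlexConnect AP is assumed to have local switching enabled.

```python
import csv
import io
from collections import defaultdict

# Constructed inventory (hypothetical CSV export, not real WLC output).
# site_type: "hq" = same LAN as the WLC, "branch" = reaches the WLC over a WAN.
INVENTORY = """\
ap_name,site,site_type,ap_mode,port_mode,port_vlan,wlan_vlan
AP-HQ-1,HQ,hq,local,access,10,
AP-HQ-2,HQ,hq,local,access,10,
AP-HQ-3,HQ,hq,local,access,10,
AP-HQ-4,HQ,hq,monitor,access,10,
AP-BR1-1,BR1,branch,local,access,10,
AP-BR2-1,BR2,branch,flexconnect,access,1,20
AP-BR3-1,BR3,branch,flexconnect,trunk,,20
AP-BR3-2,BR3,branch,monitor,access,10,
AP-BR3-3,BR3,branch,monitor,access,10,
"""

# Modes the comparison table lists as not serving clients.
NON_SERVING = {"monitor", "sniffer", "se-connect", "rogue-detector"}


def audit(inventory_csv, max_sensor_share=0.25):
    """Return sorted (subject, code, detail) findings; the threshold is an assumed policy."""
    findings = []
    per_site = defaultdict(list)
    for ap in csv.DictReader(io.StringIO(inventory_csv)):
        per_site[ap["site"]].append(ap)
        # Mistake 1: Local mode at a branch tunnels all client data to HQ.
        if ap["site_type"] == "branch" and ap["ap_mode"] == "local":
            findings.append((ap["ap_name"], "LOCAL_AT_BRANCH",
                             "client data is tunneled to the WLC across the WAN"))
        # Mistake 2: locally switched traffic needs a trunk to reach its VLAN.
        if ap["ap_mode"] == "flexconnect" and ap["port_mode"] != "trunk":
            findings.append((ap["ap_name"], "FLEX_ON_ACCESS_PORT",
                             f"WLAN mapped to VLAN {ap['wlan_vlan']} but clients "
                             f"land on access VLAN {ap['port_vlan']}"))
    # Mistake 3: too large a share of a site's APs serve no clients.
    for site, aps in per_site.items():
        sensors = [a for a in aps if a["ap_mode"] in NON_SERVING]
        if len(sensors) / len(aps) > max_sensor_share:
            findings.append((site, "TOO_MANY_SENSORS",
                             f"{len(sensors)} of {len(aps)} APs serve no clients"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, code, detail in audit(INVENTORY):
        print(f"{subject:10} {code:20} {detail}")
```

The FLEX_ON_ACCESS_PORT finding is the one with a segmentation impact: clients intended for a dedicated VLAN end up in whatever VLAN the access port carries.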
Real-world deployments
- Bank HQ + 30 branches — HQ APs in Local, branch APs in FlexConnect so a leased-line failure doesn’t kill teller Wi-Fi.
- Warehouse — root AP cabled at the door, Mesh APs on poles inside the high-bay aisles.
- Hospital — most APs in Local, two per floor permanently in Monitor for rogue detection in HIPAA-sensitive areas.
- Trade-show venue — temporary deployment, every AP in FlexConnect because the controller is over a VPN.
- Engineer chasing a microwave — pick one AP, switch it to SE-Connect, point it at the suspect area, look for the 2.4 GHz noise spike.
Lab to try tonight
- In a Cisco Catalyst 9800 (or 9800-CL virtual on your laptop), join one AP.
- By default it’ll be Local. Verify: `show ap summary`.
- From the GUI, change the AP to FlexConnect. Wait for the reload.
- Verify it reassociates as FlexConnect: `show ap name AP-1 config general | include AP Mode`.
- Disconnect the WLC (`shut` its uplink). The AP should enter Standalone. A pre-associated client should keep working (try ping).
- Reconnect. AP returns to Connected. Verify.
- Bonus: switch the AP to Monitor mode. Verify it no longer broadcasts an SSID (`show wireless wlan summary` from client view).
- Bonus: switch to Sniffer, point it at your laptop running Wireshark on the same management VLAN. Capture an association exchange.
Cheat strip
| Mode | One-line purpose |
|---|---|
| Local | Default. Centralized control + data plane to WLC |
| FlexConnect | Switches data locally at AP. Survives WAN outage (Standalone state) |
| Bridge / Mesh | RAPs and MAPs — wireless backhaul instead of Ethernet |
| Monitor | RF sensor only — no client serving |
| Sniffer | Streams 802.11 frames to remote Wireshark |
| SE-Connect | Spectrum analyzer probe — find non-Wi-Fi interference |
| Rogue Detector | Wired-side rogue AP detection. Mostly legacy |
| Branch deployment | FlexConnect, always |
| Standalone state | FlexConnect AP authenticating clients itself when WAN to WLC is down |
| CAPWAP | Tunnel protocol between AP and WLC — UDP 5246 (control) / 5247 (data) |