12-2
Cisco IOS Software Configuration Guide for Cisco Aironet Access Points
OL-11350-01
Chapter12 Configuring WDS, Fast Secure Roaming, Radio Management, and Wi reless Intrusion Detection
Understanding WDS
Understanding WDS
When you configure Wireless Domain Services on your network, access points on your wireless LAN
use the WDS device (either an access point, an Integrated Services Router, or a switch configured as the
WDS device) to provide fast, secure roaming for client devices and to participate in radio management.
If you use a switch as the WDS device, the switch must be equipped with a Wireless LAN Services
Module (WLSM). An access point configured as the WDS device supports up to 60 participating access
points, an Integrated Services Router (ISR) configured as the WDS devices supports up to 100
participating access points, and a WLSM-equipped switch supports up to 600 participating access points
and up to 240 mobility groups.
Note A single access point supports up to 16 mobility groups.
Fast, secure roaming provides rapid reauthentication when a client device roams from one access point
to another, preventing delays in voice and other time-sensitive applications.
Access points participating in radio management forward information about the radio environment (such
as possible rogue access points and client associations and disassociations) to the WDS device. The
WDS device aggregates the information and forwards it to a wireless LAN solution engine (WLSE)
device on your network.

Role of the WDS Device

The WDS device performs several tasks on your wireless LAN:
Advertises its WDS capability and participates in electing the best WDS device for your wireless
LAN. When you configure your wireless LAN for WDS, you set up one device as the main WDS
candidate and one or more additional devices as backup WDS candidates. If the main WDS device
goes off line, one of the backup WDS devices takes its place.
Authenticates all access points in the subnet and establishes a secure communication channel with
each of them.
Collects radio data from access points in the subnet, aggregates the data, and forwards it to the
WLSE device on your network.
Acts as a pass-through for all 802.1x-authenticated client devices associated to participating access
points.
Registers all client devices in the subnet that use dynamic keying, establishes session keys for them,
and caches their security credentials. When a client roams to another access point, the WDS device
forwards the client’s security credentials to the new access point.
Table12-1 lists the number of participating access points supported by the platforms that can be
configured as a WDS device: an access point, an ISR, or a WLSM-equipped switch.
Table12-1 Participating Access Points Supported by WDS Devices
Unit Configured as WDS Device Participating Access Points Supported
Access point that also serves client devices 30
Access point with radio interfaces disabled 60