Sunday, December 29, 2013

Lightweight AP operation

Boots up

Discovery
Find as many controllers as possible.

L2 broadcast - the AP's default mode of discovery, but L2 LWAPP transport is no longer supported on controllers.

OTAP - over-the-air provisioning. APs that are already joined transmit neighbor packets that include the IP of the controller. The listening AP can provision by listening to this.  Not secure / not really used!?

AP Priming - join the AP to the controller before deployment via the command line.

DHCP VID - a DHCP option that responds to certain vendor classes and contains a controller IP address (or a list of them).

DNS - the AP looks up the CISCO-LWAPP-CONTROLLER (or now CISCO-CAPWAP-CONTROLLER) A record.

The AP polls all of these and compiles a list of controller IP addresses.  The AP then joins the master controller (if configured for the mobility domain) or the least loaded controller (joined APs / total APs, i.e. 10/25 will lose to 50/250 because 50/250 is a lower percentage of usage).  Primed controllers can also be programmed with Primary, Secondary, and Tertiary controller IP addresses, taking the guesswork out of it.
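The selection step described above, modelled as an added example (not code from the original post or from Cisco). The class and function names are hypothetical, the addresses are constructed, and the order primed entries, then master, then least loaded is an assumption about how the three rules combine.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class Controller:            # hypothetical model of one discovery response
    ip: str
    joined_aps: int
    total_aps: int
    is_master: bool = False

    @property
    def load(self) -> Fraction:
        # joined APs / total APs, kept exact so 10/25 and 50/250 compare cleanly
        return Fraction(self.joined_aps, self.total_aps)

def compile_candidates(responses):
    """Merge per-method discovery results into one table keyed by controller IP."""
    merged = {}
    for method, controllers in responses.items():
        for c in controllers:
            entry = merged.setdefault(c.ip, {"controller": c, "methods": []})
            entry["methods"].append(method)
    return merged

def select_controller(merged, primed=()):
    """Return (Controller, reason) for the controller the AP would join."""
    if not merged:
        raise ValueError("no controller answered discovery")
    # 1. Primed primary/secondary/tertiary, in order, if that controller answered.
    for rank, ip in zip(("primary", "secondary", "tertiary"), primed):
        if ip in merged:
            return merged[ip]["controller"], rank
    candidates = [e["controller"] for e in merged.values()]
    # 2. A controller flagged as master for the mobility domain.
    for c in candidates:
        if c.is_master:
            return c, "master"
    # 3. Lowest joined/total ratio; ties broken by IP string (assumption).
    return min(candidates, key=lambda c: (c.load, c.ip)), "least-loaded"

# Constructed sample data (192.0.2.0/24 is a documentation range).
WLC_A = Controller("192.0.2.10", joined_aps=10, total_aps=25)
WLC_B = Controller("192.0.2.20", joined_aps=50, total_aps=250)
SAMPLE = compile_candidates({"dhcp": [WLC_A], "dns": [WLC_A, WLC_B]})

if __name__ == "__main__":
    for primed in ((), ("192.0.2.99", "192.0.2.10")):
        chosen, reason = select_controller(SAMPLE, primed)
        print(primed, "->", chosen.ip, reason, chosen.load)
```

The `methods` list kept for each controller records which discovery methods reported it, which helps when tracing why an AP learned of a controller nobody expected.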

Join
The AP sends a join request to the controller IP. It includes the controller type and MAC address, the AP hardware and software version, name, and the number and type of radios, along with the AP's certificate, which is used to initiate a secure tunnel.  The AP sends a jumbo frame version (1,596) and then a 1500 byte frame to see if the network will support jumbo frames.  The controller then sends a join reply that includes Success/Failure and a status message, the controller's certificate, and a test payload to check for jumbo frames.

Download
The code version on the AP has to match the code version on the controller.  The AP TFTPs the code version that matches the controller and reboots into that new version.  The AP then downloads its configuration from the controller and applies it.