Home Drag and Drop

Drag and Drop

Here you will find answers to Drag and Drop Questions

Question 1

Match the interface description on the left with the appropriate interface on the right.



+ AP Manager: Used for Layer 3 communications between the Cisco WLC and the lightweight access points

+ Dynamic: Designed to be analogous to VLANs for wireless LAN client device

+ Management: This interface is the only consistently “pingable” in-band interface IP address on the Cisco WLC

+ Service Port: The only port that is active when the controller is in boot mode

+ Virtual: Used to support mobility management, DHCP relay and guest web authentication


A WLC has one or more AP Manager Interfaces that are used for all Layer 3 communications between the WLC and the lightweight access points after the access point discovers the controller. The AP Manager IP address is used as the tunnel source for LWAPP packets from the WLC to the access point, and as the destination for LWAPP packets from the access point to the WLC. The AP Manager must have a unique IP address. Usually this is configured on the same subnet as the Management interface, but this is not necessarily a requirement. An AP Manager IP address is not pingable from outside the WLC. The use of multiple AP Manager Interfaces is discussed in the Advanced Deployment Concepts Section.

Dynamic Interfaces are created by users and are designed to be analogous to VLANs for wireless LAN client device. The WLC will support up to 512 Dynamic Interface instances. Dynamic Interfaces must be configured on a unique (to the WLC) IP network and VLAN. Each Dynamic Interface acts as a DHCP relay for wireless clients associated to wireless LANs mapped to the interface.

The Management interface is the default interface for in-band management of the WLC and connectivity to enterprise services such as AAA servers. If the service port is in use, the management interface must be on a different subnet from the service port. The management interface is also used for layer 2 communications between the WLC and access points. The Management interface is the only consistently “pingable” in-band interface IP address on the WLC.

The Service-port Interface is statically mapped by the system only to the physical service port. The service port interface must have an IP address on a different subnet from the Management, AP Manager, and any dynamic interfaces. The service port can get an IP address via DHCP or it can be assigned a static IP address, but a default-gateway cannot be assigned to the Service-port interface. Static routes can be defined in the WLC for remote network access to the Service-port. The Service-port is typically reserved for out-of-band management in the event of a network failure. It is also the only port that is active when the controller is in boot mode. The physical service port is a copper 10/100 Ethernet port and is not capable of carrying 802.1Q tags so it must be connected to an access port on the neighbor switch.

The Virtual Interface is used to support mobility management, DHCP relay, and embedded layer 3 security like guest web authentication and VPN termination. The Virtual Interface must be configured with an unassigned and unused gateway IP address. A typical virtual interface is “”. The Virtual Interface address will not be pingable and should not exist in any routing table in your network. If multiple WLCs are configured in a mobility group, the Virtual Interface IP address must be the same on all WLC devices to allow seamless roaming.

(Reference: http://www.cisco.com/en/US/docs/wireless/technology/controller/deployment/guide/dep.html)

Question 2 (notice: we haven’t had enough information about this question yet, but it is something like this)



+ PEAP: Need Certificate on Authentication Server only

+ LEAP: Out of date

+ EAP-FAST: Need client credential

+ EAP-MD5: Need strong password

+ EAP-TLS: Need Certificate on both Server and Client


* EAP-MD5: MD5-Challenge requires username/password, and is equivalent to the PPP CHAP protocol [RFC1994]. This method does not provide dictionary attack resistance, mutual authentication, or key derivation, and has therefore little use in a wireless authentication enviroment.

* Lightweight EAP (LEAP): A username/password combination is sent to a Authentication Server (RADIUS) for authentication. Leap is a proprietary protocol developed by Cisco, and is not considered secure. Cisco is phasing out LEAP in favor of PEAP.

* EAP-TLS: Creates a TLS session within EAP, between the Supplicant and the Authentication Server. Both the server and the client(s) need a valid (x509) certificate, and therefore a PKI. This method provides authentication both ways.

*EAP-FAST: Provides a way to ensure the same level of security as EAP-TLS, but without the need to manage certificates on the client or server side. To achieve this, the same AAA server on which the authentication will occur generates the client credential, called the Protected Access Credential (PAC).

* Protected EAP (PEAP): Uses, as EAP-TTLS, an encrypted TLS-tunnel. Supplicant certificates for both EAP-TTLS and EAP-PEAP are optional, but server (AS) certificates are required. Developed by Microsoft, Cisco, and RSA Security, and is currently an IETF draft.

Comments (22) Comments
  1. Anonymous
    June 11th, 2011

    Question 1 is wrong. The below information was taken straight from Cisco Configuration’s Guide

    Virtual Interface

    The virtual interface is used to support mobility management, Dynamic Host Configuration Protocol (DHCP) relay, and embedded Layer 3 security such as guest web authentication and VPN termination. It also maintains the DNS gateway host name used by Layer 3 security and mobility managers to verify the source of certificates when Layer 3 web authorization is enabled

    Management Interface

    The management interface is the default interface for in-band management of the controller and connectivity to enterprise services such as AAA servers. It is also used for communications between the controller and access points. The management interface has the only consistently “pingable” in-band interface IP address on the controller. You can access the controller’s GUI by entering the controller’s management interface IP address in Internet Explorer’s or Mozilla Firefox’s address field.

  2. Mark#13
    June 21st, 2011

    I agree with the previous comment. Q1, has been incorrectly answered.

  3. Mark#13
    July 14th, 2011

    Wirelesstut Administrator – Can you please update this web page accordingly or explain as to why the user suggestion is incorrect as it is taken directly from Cisco material.

  4. Optimistic
    July 16th, 2011

    This answer of this question is wrong. I agree with the first comment. For details please see
    Page 229

    Please update the web-page because it creates confusion. Thanks

  5. arina
    August 24th, 2011

    Hi looking for some one who did ccna wireless exam recently. and of great importance is for the administrator to clarify Q1.

  6. arina
    September 8th, 2011

    Ok why is the Q1 still un resolved despite several suggestions to either updated or explanation for decline. Administrator is of great impotance to listen and advice members where there is concerns.
    Thank you

  7. wirelesstut
    September 12th, 2011

    @all: I am very sorry for the late response. Q.1 has been updated with correct answers and explanation. Thanks to all!

  8. Sam
    September 20th, 2011

    Thanks for correction

  9. me
    September 25th, 2011

    Q2 is wrong, the “answer” section is correct where it shows “EAP-TLS Need Certificate on both Server and Client” .. but the “drag drop” illustration doesn’t show this option, it incorrectly shows “Need certificate on client only”

  10. wirelesstut
    September 28th, 2011

    @me: Yes, thanks for your detection. I updated it!

  11. rv
    December 21st, 2011

    what about the new drag and drop that some guys said:Cisco SPLIT MAC design?

  12. masterdooh
    March 1st, 2012

    The Cert dumps answers for this question seen to be wrong

  13. Lisa
    March 7th, 2012

    Here is the new question about SPLIT MAC design (Drag and drop to AP or Controller)
    – transmit beacons – AP
    – client authentication – WLC
    – Encryption/decryption – AP
    – RF management – WLC
    – transmission and buffering of frames – AP
    – 802.11 association and re-association – WLC

  14. Anonymous
    April 4th, 2012

    @Lisa: I think RF management would be for AP and not WLC

  15. RoOmi
    May 3rd, 2012

    @wirelesstut…..would you mind to share a new DD please….becasue having a look at the Lisa one…seems like…RF management can be done by RRM from WLC or according to the Guide ..RF monitoring is under AP in split MAC design…any one help me please…

  16. laltu
    May 7th, 2012

    is the q. 1 ans correct 100% ? anyone faced this DD in real exam ? In various dumps the answer is differing. Pls. confirm me as I am goin to attend the exam in next 2 days.

  17. lj
    August 21st, 2012

    yah neh,nice stuff

  18. hhh
    March 1st, 2013

    @Lisa association and re-association packets go from the client to the AP. so it should be AP.

  19. Royce
    May 1st, 2014

    I sat this exam today (just barely passed with 790/1000) and can honestly say that not one question from this site was in the exam. I had 75 multiple choice questions, zero labs. Zero drop and drag.
    I read the 640-722 quick reference guide twice and also watched the CBT nugget series on CCNA wireless. Going through these questions is a great way to identify your weaknesses and then study up, but if your planning to go into the exam using this as a dump your going to fail.

  20. Mudassir Azam
    July 14th, 2014

    Hi, my question to you Royce is that , how much is the passing score is for current CCNA Wireless exam 640-722 is ? Please reply me on my email mazam29@live.com also any sort of guidance will be appreciated alot.Thanks in advance.

  21. Roland
    December 10th, 2014

    @ Royce: where there many questions regarding the WCS, meaning what oprion to chose to do or see a certain configuration detail?

  22. rhce training
    January 6th, 2017

    Very informative , thanks

Reload Image