Enterprise Wireless on a Budget - Cisco WLC 2504 and Aironet 3600 in a Homelab

Christian Lehnert, 2026-02-02, ~6 min read

When you are building something from scratch, every franc you do not spend on infrastructure is a franc that goes toward what actually matters. One of the easiest places to overspend is wireless networking. A managed enterprise wireless deployment from a reseller, including controller licensing, access points, and setup fees, can run into five figures before you have connected a single device.

The alternative is to buy the hardware yourself, learn to operate it, and run it. This requires time and willingness to read documentation written for network engineers. But if you have the background, the savings are real and the capability exceeds anything a consumer or prosumer wireless solution offers.

This post documents a Cisco WLC 2504 and Aironet 3600 setup running a home office and lab network, including the parts the official documentation glosses over.

The Hardware

The Cisco Wireless LAN Controller 2504 is a physical appliance that manages lightweight access points using the CAPWAP protocol. Access points in lightweight mode do not make forwarding decisions independently — they tunnel all traffic back to the controller, which applies policies, VLAN mappings, and QoS centrally. This is the correct model for any deployment where you want consistent policy across multiple APs without configuring each one individually.

The Aironet 3600 is a dual-band 802.11n access point with support for the optional 802.11ac module. Enterprise customers were paying over a thousand francs per unit new. On the secondary market, post end-of-life, you find them for under fifty. The hardware did not get worse when Cisco stopped selling it.

The WLC 2504 supports up to 50 access points on the base license. For a home office and lab, two APs is the relevant number.

Why Lightweight Mode Matters

Consumer access points are autonomous — each one runs its own firmware, has its own web interface, and makes its own forwarding decisions. Managing multiple autonomous APs means logging into each one individually, keeping firmware in sync manually, and applying policy changes N times.

Lightweight APs managed by a controller have one management plane. You configure SSIDs, VLAN mappings, RF settings, and security policies once on the controller. Every AP inherits the configuration. Adding a third AP takes minutes, not an afternoon.

For a segmented network this matters because the wireless network needs to map onto the VLAN structure of the wired network. A primary SSID for personal devices, a separate SSID for IoT, a lab SSID for infrastructure access — each maps to a different VLAN with its own firewall policy. On a consumer AP you fight the firmware to get VLAN tagging working. On the WLC this is the default operating model.

Initial Setup

The WLC 2504 ships expecting to be configured through a setup wizard on its service port. Connect a laptop directly to the service port with a static IP in the 192.168.1.0/24 range and navigate to the web interface.

The wizard asks for a management IP, the AP manager IP, the virtual gateway IP, and the mobility group name. The management IP goes on your management VLAN. The AP manager IP is what access points use to register with the controller — it needs to be reachable from wherever your APs sit on the network.

One point the wizard does not make obvious: the virtual gateway IP is used for web authentication redirect pages. It does not need to be a real routable address. Use something in the 192.0.2.0/24 documentation range that will never appear on your actual network.

After the wizard completes, access points can register. Connect an Aironet 3600 to a switchport that carries your management VLAN untagged. The AP boots, gets a DHCP address, discovers the controller via DNS (cisco-capwap-controller.yourdomain.local) or DHCP option 43, and registers. The whole process takes under five minutes once DHCP and DNS are configured correctly.
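For the DHCP option 43 path, Cisco lightweight APs expect a fixed layout: sub-option type 0xf1, a length byte of 4 per controller, then the controller IPv4 addresses in order. The following is an added example, not part of the original post, that builds that value and validates one read back from a DHCP scope; the address 10.0.10.5 is a constructed placeholder.

```python
import ipaddress

CAPWAP_SUBOPTION = 0xF1  # sub-option type Cisco lightweight APs look for in option 43


def encode_option43(controllers):
    """Return the option 43 payload as a hex string for a list of WLC IPv4 addresses."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    addrs = [ipaddress.IPv4Address(c) for c in controllers]  # rejects malformed input
    length = 4 * len(addrs)
    if length > 255:
        raise ValueError("too many controllers for a one-byte length field")
    payload = bytes([CAPWAP_SUBOPTION, length]) + b"".join(a.packed for a in addrs)
    return payload.hex()


def decode_option43(hex_payload):
    """Parse an option 43 hex string and return the controller addresses it carries."""
    # Accept the dotted or colon-separated hex notation some DHCP servers display.
    raw = bytes.fromhex(hex_payload.replace(".", "").replace(":", ""))
    if len(raw) < 2:
        raise ValueError("payload shorter than the type/length header")
    sub_type, length = raw[0], raw[1]
    if sub_type != CAPWAP_SUBOPTION:
        raise ValueError(f"sub-option type is 0x{sub_type:02x}, expected 0xf1")
    if length == 0 or length % 4 != 0:
        raise ValueError("length must be a non-zero multiple of 4 (one IPv4 per controller)")
    if len(raw) - 2 != length:
        raise ValueError("length field does not match the number of value bytes")
    value = raw[2:]
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


if __name__ == "__main__":
    # Constructed controller address; substitute the real one.
    print(encode_option43(["10.0.10.5"]))
    print(decode_option43("f104.0a00.0a05"))
```

Running decode_option43 against the value the DHCP server actually hands out confirms that APs on that scope are pointed at your controller and nothing else.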

SSID and VLAN Mapping

Each SSID on the WLC maps to a WLAN profile, and each WLAN profile maps to an interface, and each interface maps to a VLAN. The chain is explicit and auditable.

For this setup, three WLANs are active:

Primary SSID — WPA3-Personal, maps to the main client VLAN. Personal devices, phones, laptops that are not part of lab infrastructure.

IoT SSID — same VLAN but with client isolation enabled. IoT devices and anything that should not be able to talk to other clients on the same network. Client isolation prevents lateral movement between devices on the same SSID without any firewall rules required.

Lab SSID — maps to the server VLAN with 802.1X authentication via RADIUS. Lab devices authenticate with certificates before getting network access.

The switchports connecting the APs to the downstream switches are configured as trunks carrying all three VLANs. The controller handles the tagging. The AP itself is just a radio and a CAPWAP tunnel endpoint.
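Because the SSID to interface to VLAN chain is explicit, it can be checked mechanically. The following is an added example, not part of the original post, that audits a constructed inventory of the three WLANs above; the interface names, VLAN IDs and the "untrusted" flag are placeholders chosen for illustration.

```python
# Constructed inventory mirroring the three WLANs above; interface names and
# VLAN IDs are placeholders, not values from the original setup.
INTERFACES = {"clients": 20, "servers": 30}   # controller interface -> VLAN ID
TRUNK_VLANS = {10, 20, 30}                     # VLANs allowed on the trunk
REQUIRED_AUTH = {"servers": "802.1x"}          # interface -> mandatory auth method
WLANS = [
    {"ssid": "primary", "interface": "clients", "auth": "psk",
     "isolation": False, "untrusted": False},
    {"ssid": "iot", "interface": "clients", "auth": "psk",
     "isolation": True, "untrusted": True},
    {"ssid": "lab", "interface": "servers", "auth": "802.1x",
     "isolation": False, "untrusted": False},
]


def audit(wlans, interfaces, trunk_vlans, required_auth):
    """Walk SSID -> interface -> VLAN and return findings; an empty list is clean."""
    findings = []
    by_vlan = {}
    for w in wlans:
        vlan = interfaces.get(w["interface"])
        if vlan is None:
            findings.append(f"{w['ssid']}: interface {w['interface']!r} is undefined")
            continue
        by_vlan.setdefault(vlan, []).append(w["ssid"])
        if vlan not in trunk_vlans:
            findings.append(f"{w['ssid']}: VLAN {vlan} is missing from the trunk")
        need = required_auth.get(w["interface"])
        if need and w["auth"] != need:
            findings.append(f"{w['ssid']}: auth is {w['auth']}, {need} required")
    for w in wlans:
        vlan = interfaces.get(w["interface"])
        shared = len(by_vlan.get(vlan, [])) > 1
        # The IoT SSID relies on client isolation rather than firewall rules,
        # so an untrusted WLAN on a shared VLAN must keep isolation on.
        if w["untrusted"] and shared and not w["isolation"]:
            findings.append(f"{w['ssid']}: shares VLAN {vlan} with isolation off")
    return findings


if __name__ == "__main__":
    print(audit(WLANS, INTERFACES, TRUNK_VLANS, REQUIRED_AUTH) or "chain is consistent")
```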

RF Configuration

The 3600 supports both 2.4GHz and 5GHz simultaneously. Radio Resource Management on the controller handles channel and power assignment automatically. RRM monitors the RF environment, detects interference, and adjusts channel assignments across APs to minimize overlap.

For a two-AP deployment the automatic settings work well. Disable 802.11b rates on the 2.4GHz radio — any device manufactured in the last fifteen years supports 802.11g at minimum, and keeping legacy rates enabled slows down the entire cell. On the WLC this is a global setting under Wireless > 802.11b/g/n > Network.

Enable band steering to push dual-band capable clients to 5GHz. The 2.4GHz band in a residential building is congested by default. Any client that can use 5GHz should.

What This Cost

Two Aironet 3600 access points: under 100 CHF total from a German IT recycler.

One WLC 2504: under 150 CHF, secondary market.

Total wireless infrastructure cost: under 300 CHF. A Cisco Meraki MR46 — the current mainstream enterprise AP — costs over 800 CHF per unit new, plus a mandatory cloud management subscription.

The WLC 2504 and Aironet 3600 are end of life. Cisco will not sell you support contracts for them. For a homelab where the operator is the support contract, end of life hardware at secondary market prices is the rational choice. The hardware works. The software works. The feature set covers everything a small enterprise deployment needs.

The Operational Reality

Running enterprise wireless yourself means you are the one who fixes it when something breaks. The WLC had one unplanned reboot in several months of operation, caused by a firmware issue resolved by downgrading one minor version. Diagnosing that required reading Cisco TAC documentation and forum threads from network engineers who hit the same issue years ago on production deployments. It took an afternoon.

That afternoon is the cost of not paying a managed service provider. For someone who can absorb it, it is a good trade.

Enterprise networking knowledge is a compressible skill. You learn it once, you operate the hardware yourself indefinitely, and the infrastructure cost approaches zero. Every organisation that outsources this because nobody on the team knows how to run it pays a recurring tax that compounds. Learning to operate your own infrastructure is one of the highest-ROI investments a technical person can make.
