Cisco WAP321 Wireless-N Selectable-Band Access Point with PoE Reviewed

Photo of author

Tim Higgins

Wireless-N Selectable-Band Access Point with PoE
At a glance
Product Cisco Wireless-N Selectable-Band Access Point with PoE (WAP321) [Website]
Summary Broadcom-based selectable dual-band 802.11abgn access point with Enterprise feature set and 802.3af PoE.
Pros • Extensive feature set
• HTTP/S, Telnet, SSH admin
• Captive web portal
• Lots o’ QoS options
• IPv6
Cons • Does not include power adapter
• Web admin requires a lot of scrolling


Access points (APs) are the wireless workhorses for businesses both large and small. They don’t share an internet connection (route), but can do all sorts of other tricks including separating traffic into VLANs, QoS, bridging and repeating and sometimes even more. The downside of APs is higher cost, which doesn’t usually buy higher performance.

Cisco’s Aironet APs have been around for a long time and are well-regarded, but beyond the reach of most very small businesses’ budgets. So in an effort to serve those with lighter wallets, Cisco recently introduced two APs—the single-band WAP121 and the dual-band WAP321 that I’m reviewing today.

The WAP321 is a selectable dual-band 802.11abgn AP with more features than I expected to find inside its unassuming softly-rounded beige plastic enclosure. Figure 1 shows the rear panel. There are three bi-colored lights on the top of the WAP—power, WLAN and LAN—that flash and change color to indicate status.

WAP321 rear view with callouts
Figure 1: WAP321 rear view with callouts

Instead of mounting screw slots, the bottom of the WAP321 has slots that fit a supplied plastic wall/ceiling mount bracket (Figure 2). The left side of the composite photo below shows the uninstalled bracket and the right side shows it installed.

WAP321 with mounting bracket
Figure 2: WAP321 with mounting bracket

While the AP itself has Kensington locking slots on its front and rear, the bracket itself doesn’t have any. Nor does it have any other features to lock the AP in place. The rear shroud covers the ports and power switch and has a knockout for cable routing and a hole for reset switch access.

The power switch is sort of an odd touch, since the WAP321 doesn’t come with a 12V/1.0A power supply and the power switch doesn’t work when the AP is PoE-powered. I used a power supply from one of the new Linksys EA series, which worked just fine.


The FCC photos weren’t clear enough for me to identify all the components. So after testing I opened up my sample for a look and found a view similar to the FCC photo in Figure 3.

WAP321 inside

Figure 3: WAP321 inside

Table 1 summarizes the key components, which show a design based on Broadom components. The FCC ID prefix indicates that the WAP321 is manufactured by Sercomm, a Taiwanese OEM I’ve encountered from time to time.

CPU Broadcom BCM4748 Intensi-fi XLR
2 x 2 IEEE 802.11n 2.4 GHz + 5 GHz SoC
Flash 16 MB
Ethernet Broadcom BCM54612E
Radio – BB / MAC / RF In BCM4748
– SiGe 2547A Dual Band 802.11a/b/g/n
Wireless LAN Front End (2X)
Table 1:Component summary

Note the three antennas while the SoC is 2×2. The third antenna is used to enhance receive gain. The antennas are all 2 dBi metal PIFA (Planar Inverted F Antenna) patch type.

Figure 4 shows an unobstructed although somewhat fuzzy view of the board. Note that the SiGe front-ends are not enclosed in an RF "can".

WAP321 board

Figure 4: WAP321 board

The heatsink shown in Figure 3 is actually secured via soldered pins. So I had to enable SSH access, log in and retrieve the processor info from /proc/cpuinfo.


Since the WAP321 is priced over twice what you’d pay for a selectable dual-band N consumer router, you should expect more features for the money, and the WAP321 delivers! Here is a feature summary culled from various Cisco docs:

  • AP/WDS Bridge/WDS Repeater modes
  • Client bridge mode (no WDS required)
  • Eight SSIDs
  • SSID broadcast control
  • 1 management VLAN plus 8 VLANs for SSID
  • SSID to VLAN mapping
  • Auto-channel selection
  • Transmit power adjust
  • Multicast and Legacy Rate setting
  • MCS setting
  • Rogue AP detection
  • WAP and Station Enhanced Distributed Channel Access (EDCA) QoS (802.11e)
  • TSPEC support
  • Bandwidth utilization (% of AP bandwidth used before AP stops allowing associations)
  • Diffserv based client QoS
  • Client limit (32 maximum, 20 active recommended)
  • 802.11i preauthentication for fast roaming
  • IPv6 Host, RADIUS,syslog, NTP support
  • Wireless enable/disable scheduling per SSID
  • WiFi Protected Setup (no physical pushbutton)
  • WEP, WPA/WPA2 Personal and Enterprise security
  • MAC address filtering
  • Management access control
  • IPv4, IPv6, MAC Deny/Permit ACL
  • HTTP/HTTPS/Telnet/SSH/Bonjour/SNMP v3 administration
  • Internal and syslog log support
  • LAN and WLAN traffic statistics
  • Packet capture
  • 802.1d Spanning Tree support

Figure 5 is a shot of the web admin interface so you can get an idea of the approach. As it has with its Linksys consumer routers, Cisco has adopted the same look-and-feel across its small business line. So the approach is similar to what we’ve seen in the recent RV router reviews.

The look is nice and clean, but requires a wide format screen and therefore isn’t tablet and notebook friendly. You’ll find yourself doing a lot of horizontal scrolling, especially in the status screens.

WAP321 landing page

Figure 5: WAP321 landing page

Unfortunately, Cisco doesn’t have an online emulator so that you can take the WAP321 for a test drive. There are a lot of features and nuances, so you might want to download the admin guide. I’m going to touch on some of the highlights and have included a mess of screenshots in the gallery for other features.

Both HTTP and HTTPs connections are supported to the web admin interface and HTTPS is enabled by default. But if you just hit the AP’s IP address, you don’t get auto-forwarded to the secure interface; you need to specify https://.

One of the things you should get with a more expensive AP is more knobs to twiddle. Figure 6 shows the radio settings that you can play with. Supported modes are 802.11a, 802.11b/g, 802.11a/n, 802.11b/g/n (default), 5 GHz 802.11n and 2.4 GHz 802.11n. Transmit power can be cranked down (only) to 50, 25 and 12%.

WAP321 radio settings

Figure 6: WAP321 radio settings

You get control over advertised Legacy and Multicast rates and can pick and choose the 802.11n MCS settings, too. Basically, this means you get fine control over the link rates that clients can use.

All those TSPEC settings are mainly there to support Voip and Voice Over Wireless LAN (VoWLAN) devices that support 802.11e. You also get priority-based EDCA (Enhanced Distributed Channel Access) AP and Client controls, which also require devices to support 802.11e.

One bandwidth control feature that doesn’t require 802.11e is Bandwidth Utilization. You simply set a percentage (the default is 0) of radio bandwidth that can be used before the AP stops allowing new client associations. This is a simple way to prevent individual APs in multi-AP installations from becoming overloaded.

The WAP321 supports two wireless bridging methods. WDS bridge supports up to four associations with static WEP or WPA2/AES encryption. WDS bridge partners automatically also function as repeaters; there is no way to create a closed bridge (block client association) other than to not provide the encryption key to users.

Work Group Bridge mode doesn’t use WDS, so will work with any access point or router. The Access Point Interface controls in Figure 7 are used when you want to set this flavor of bridge up as a repeater. Note that you can use either WDS or Work Group Bridge mode, not both at once.

WAP321 Work Group Bridge settings

Figure 7: WAP321 Work Group Bridge settings

Features – more

Every wireless router and AP has MAC address filtering. But the WAP321 goes a step beyond with Access Control Lists (Figure 8). Up to 50 rules can be created to allow or deny access to clients based on IPv4 (shown), IPv6 or MAC address parameters. (There are no user based controls.)

WAP321 Client ACL

Figure 8: WAP321 Client ACL

If your devices don’t support 802.11e, don’t despair. The WAP321 has a complete set of diffserv based controls. I’m always at a loss to even get started at configuring diffserv.

But the WAP321’s implementation is clear enough that I think even I could get some useful diffserv-based QoS working! That said, it would certainly help if the Admin Guide had some examples, in addition to its complete description of each control. Check the gallery for all the screens.

The last, but not least, feature that will probably sell a lot of WAP321s is the Captive Portal. This would be used for hotspot or other applications where you want to put a level of authentication, or even just an advertisement between your user and general Internet access or redirect them to a "walled garden" website.

You can create two CPs, each with its own verification methods. Each instance has a very complete set of parameters (Figure 9). Note that you can even limit up and down bandwidth and authenticate as a guest, to a user/password database stored on the WAP321 or a RADIUS server.

WAP321 Captive Portal parameters

Figure 9: WAP321 Captive Portal parameters

CPs can be assigned to any or all of the 8 virtual APs (SSIDs) and you can upload your own portal page, or modify the built-in one (Figure 10).

WAP321 Default Captive Portal screen

Figure 10: WAP321 Default Captive Portal screen

The built-in user database supports three groups and 128 total users. Each user has a password, away timeout (0 – 1440 mins), and max/min bandwidth (0-300 Mbps). Report screens are also provided for current users and failed authentications.

I tried a simple user-authenticated portal and got it to work on the first try!

I should note that the online help is generally excellent, containing helpful explanations and definitions as well as control descriptions. Check the gallery for more screenshots of key admin pages and further commentary.


The setup wizard automatically launches on first access.

System summary

While interesting, a more comprehensive overview of AP status would be more useful.

Traffic Statistics

Sorry, but no fancy graphs for traffic stats.


Log entries with the default Level 7 – Debug set

User Account

You can add more admins, but with read-only access.

Rogue AP

You can scan for other in-range networks on the currently-selected band.


You can create 16 schedules to control AP access times.

Sched Assoc

Schedules can be applied to the eight SSIDs individually or all at once.


Up to four WDS partners can be connected

Work Group Bridge

This mode lets you form a wireless bridge with APs and routers that don’t support WDS.


These fancy controls require clients to support 802.11e tagging.

WPS Setup

You need to get into the nitty-gritty of WPS to set it up

WPS Process

This is where you can initiate a WPS pushbutton or PIN session.


Both RADIUS IPv4 and IPv6 servers are supported


802.1x supplicant controls


Good security requires strong passwords. You can enforce strength rules for administration password and for WPA-PSK passwords on a similar screen (no aging controls there).

Client ACL

You can set permit/deny access rules based on IPv4, IPv6 or MAC address parameters.

QoS Class Map

In addition to 802.11e QoS, diffserv QoS is also implemented. You first define class maps that use many fields in a packet to establish its class.

QoS Policy Map

You define up to 50 Policy maps, each of which can contain 10 Class Maps. The Policy map determines how packets in a class map are handled.

Client QoS

Think of this as client QoS for dummies. It provides simple up/down bandwidth limits for all or certain classes of traffic.

Client QoS Status

You check QoS status here. A table format would be more helpful for busy APs.

Captive Portal Params

There are many authentication methods available for the Captive Portal feature.

Captive Portal web

You can modify a built-in portal page, or upload your own.

Captive Portal Screen

This is what the default captive portal authentication screen looks like.

Wireless Performance

The WAP321 is Wi-Fi Certified and defaults to the 2.4 GHz band in 20 MHz bandwidth mode on power-up. Even though Wi-Fi Protected Setup (WPS) is supported, it is disabled by default. As noted earlier, WPS configuration is more complicated that on consumer routers. But even though I followed all the configuration rules, I could not get it to enable.

So I had to manually configure the AP with WPA2/AES security before running tests using our standard wireless test process, using Channel 1 for the 2.4 GHz band and Channel 36 for the 5 GHz band. As is now our standard, I used an Intel Centrino Ultimate-N 6300 in a Lenovo x220i notebook running Win 7 Home Premium as the test client. I left all other controls to their defaults, which included no QoS features enagaged.

Because the WAP321 is not a router, you’ll find it in the Wireless Charts, not the Router Charts. I don’t test that many non-routing wireless products, so I included both single and dual-band products in the comparison charts in Figures 11 and 12.

Most people are focused on downlink performance, so that’s what I charted. Figure 11 shows the WAP321 doing quite well for throughput averaged over all four test locations, taking the top spot for access point devices with 45 Mbps. Although not shown, the WAP321 didn’t do quite as well for 2.4 GHz, 20 MHz mode uplink, averaging only 30 Mbps, about 10 Mbps lower than the top-performer, D-Link’s DAP-2553.

Wireless performance comparison - 2.4 GHz, 20 MHz mode, downlink

Figure 11: Wireless performance comparison – 2.4 GHz, 20 MHz mode, downlink

Switching over to 5 GHz, the WAP321 again took the top spot with 58 Mbps of average throughput across only three test locations. Like most all other products I’ve tested, the WAP321 failed to even be detected when I moved to my most difficult test location F.

Wireless performance comparison - 5 GHz, 40 MHz mode, downlink

Figure 12: Wireless performance comparison – 5 GHz, 40 MHz mode, downlink

Note that I showed the 40 MHz bandwidth mode 5 GHz test, since that’s what people typically use in an attempt to get maximum bandwidth for video streaming. Switching to uplink in the same band and mode again produced significantly lower results of only 39 Mbps.

As noted earlier, I don’t have many access points to compare the WAP321 with and even fewer dual-band models. But I pulled the recently retested single band EnGenius EAP-300 into the Performance Table in Figure 13, since it was tested with the same Intel 6300 client and would provide the best apples-apples comparison.

Although this compares only 2.4 GHz band performance, you can see the WAP321’s stronger 20 MHz mode performance, both up and downlink. But the data summary also shows that the WAP321 doesn’t pick up a lot of bandwidth for single client tests when switching to 40 MHz bandwidth mode.

Wireless Performance Table

Figure 13: Wireless Performance Table

It seems you need to use multiple clients to get higher aggregate bandwidth. The simultaneous up/downlink tests for 2.4 GHz moved from 78 to 110 Mbps in 2.4 GHz and 64 to 96 Mbps in 5 GHz.

Throughput stability looked pretty good as shown in the IxChariot plot in Figure 14.

IxChariot plot - 2.4 GHz, 20 MHz, downlink

Figure 14: IxChariot plot – 2.4 GHz, 20 MHz, downlink

Curiously, the only plots that didn’t show the big dropouts were for the simultaneous up/downlink tests. These turned in total throughput of 56 Mbps for 20 MHz bandwidth mode and 87 Mbps for 40 MHz, with nary a dropout.

Here are links to the other 2.4 GHz plots for your reference:

Closing Thoughts

It looks like Cisco has come up with a fully-featured small-biz access point that they should sell a lot of, even priced around $225. About the only thing missing is a simple and inexpensive cloud-based management option, which I suspect Cisco’s OnPlus Service isn’t.

If you can live with single-band and want to save some $, you can check out the WAP121, which is about $100 cheaper. While you’ll gain a bundled 12V power supply, you’ll give up the Captive Portal feature and four SSID’s too, however.

Related posts

ASUSWRT-Merlin Reviewed

This alternative firmware for ASUS' RT-N66U and RT-AC66U routers has bug fixing as its top priority.

D-Link AirPlus Enhanced 2.4GHz Wireless Access Point Review

D-Link's DWL-900AP+ is the first consumer access point to offer wireless bridging, repeating and client modes.

ASUS RT-AC66U 802.11ac Dual-Band Wireless-AC1750 Gigabit Router Reviewed

ASUS' RT-AC66U is not the successor to the RT-N66U that you may be hoping for.