Introduction
The Cisco Catalyst 9800 Series Wireless LAN Controllers (WLCs) support various AP deployment modes, with FlexConnect Mode being useful for branch offices or remote sites.
Description
Local Switching: In FlexConnect mode, APs can locally switch client data traffic directly to the local network, bypassing the WLC. This reduces WAN bandwidth usage and latency for local traffic.
Centralized Management: While data traffic is switched locally, control and management traffic is still handled by the WLC, allowing centralized configuration and monitoring.
Resiliency: APs can continue to provide wireless services even if the connection to the WLC is lost. This is known as FlexConnect Standalone mode, which ensures continuous client connectivity and service availability during WAN outages.
Flexibility: FlexConnect mode supports both centrally switched and locally switched WLANs, offering flexibility to optimize traffic flow based on the specific requirements of each SSID.
Feature Support: FlexConnect supports many enterprise features such as 802.1X authentication, QoS, and security policies, ensuring robust and secure wireless connectivity.
AP Configuration: APs are configured to operate in FlexConnect mode, which allows them to determine whether to switch traffic locally or centrally.
WLAN Setup: WLANs can be configured for local or central switching based on the desired traffic handling policy.
Authentication and Policies: Authentication and security policies are managed centrally by the WLC, while data traffic is switched locally by the AP.
Resiliency Mechanisms: APs can store critical configuration information and maintain client sessions in the event of a WLC connectivity loss, ensuring uninterrupted service.
Deployment Scenarios
Branch Offices: Ideal for remote or branch offices where local traffic should not traverse the WAN to reach the central WLC.
Retail Stores: Suitable for retail environments where local switching can improve performance and reduce costs.
Remote Sites: Effective for remote sites with limited WAN bandwidth, ensuring efficient use of available resources.
FlexConnect Mode Benefits
Local Switching: FlexConnect mode allows access points (APs) to switch client data traffic locally rather than tunneling it back to the WLC. This reduces WAN bandwidth usage and minimizes latency for local traffic.
Centralized Management: Even though data traffic is switched locally, control and management traffic is handled by the WLC. This enables centralized configuration, monitoring, and policy enforcement.
Resiliency: APs in FlexConnect mode can continue to operate and provide wireless services even if the connection to the WLC is lost. This ensures continuous client connectivity and service availability during WAN outages.
Flexibility: FlexConnect supports both centrally switched and locally switched WLANs, offering flexibility to optimize traffic flow based on the specific requirements of each SSID.
Cost Efficiency: By reducing the dependency on WAN bandwidth for local traffic, FlexConnect can lower operational costs, especially in remote or branch office environments.
Improved Performance: Local switching reduces the latency associated with sending traffic to a central WLC, improving the overall performance and responsiveness of the wireless network.
Enhanced Security and Compliance: FlexConnect supports enterprise security features like 802.1X authentication, ensuring that security policies are consistently applied across all APs, even in remote locations.
Simplified Deployment: FlexConnect simplifies the deployment of APs in remote locations by allowing them to be managed centrally while handling traffic locally, reducing the need for extensive local configuration.
The CLI output below represents the WLC default configuration.
show interface status
Port Name Status Vlan Duplex Speed Type
Te0/0/0 notconnect 1 full auto unknown media type
Te0/0/1 notconnect 1 full auto unknown media type
Te0/0/2 notconnect 1 full auto unknown media type
Te0/0/3 notconnect 1 full auto unknown media type
show running-config
Building configuration...
Current configuration : 9809 bytes
!
! Last configuration change at 12:03:10 UTC Tue May 28 2024
!
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
!
hostname WLC
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
no aaa new-model
vtp mode off
vtp version 1
!
!
!
!
!
!
!
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
diagnostic bootup level minimal
!
!
!
redundancy
mode sso
!
!
!
!
!
vlan internal allocation policy ascending
!
!
!
class-map match-any AVC-Reanchor-Class
match protocol cisco-jabber-audio
match protocol cisco-jabber-video
match protocol webex-media
match protocol webex-app-sharing
match protocol webex-control
match protocol webex-meeting
match protocol wifi-calling
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface TenGigabitEthernet0/0/0
no negotiation auto
!
interface TenGigabitEthernet0/0/1
no negotiation auto
!
interface TenGigabitEthernet0/0/2
no negotiation auto
!
interface TenGigabitEthernet0/0/3
no negotiation auto
!
interface GigabitEthernet0
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip http server
ip http authentication local
ip http secure-server
ip forward-protocol nd
!
ip tftp source-interface GigabitEthernet0
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
line vty 0 4
login
transport input ssh
line vty 5 15
login
transport input ssh
!
!
!
!
!
!
wireless aaa policy default-aaa-policy
wireless cts-sxp profile default-sxp-profile
wireless profile airtime-fairness default-atf-policy 0
wireless profile flex default-flex-profile
description "default flex profile"
wireless profile mesh default-mesh-profile
description "default mesh profile"
wireless profile multi-bssid default-multi-bssid-profile
description "Default multi bssid profile"
wireless profile radio default-radio-profile
description "Preconfigured default radio profile"
wireless profile policy default-policy-profile
description "default policy profile"
wireless tag site default-site-tag
description "default site tag"
wireless tag policy default-policy-tag
description "default policy-tag"
wireless tag rf default-rf-tag
description "default RF tag"
wireless fabric control-plane default-control-plane
ap dot11 24ghz rf-profile Low_Client_Density_rf_24gh
coverage data rssi threshold -90
coverage level 2
coverage voice rssi threshold -90
description "pre configured Low Client Density rfprofile for 2.4gh radio"
high-density rx-sop threshold low
rate RATE_12M supported
rate RATE_24M supported
rate RATE_6M supported
tx-power v1 threshold -65
no shutdown
ap dot11 24ghz rf-profile High_Client_Density_rf_24gh
description "pre configured High Client Density rfprofile for 2.4gh radio"
high-density rx-sop threshold medium
rate RATE_11M disable
rate RATE_12M mandatory
rate RATE_1M disable
rate RATE_24M supported
rate RATE_2M disable
rate RATE_5_5M disable
rate RATE_6M disable
tx-power min 7
no shutdown
ap dot11 24ghz rf-profile Typical_Client_Density_rf_24gh
description "pre configured Typical Client Density rfprofile for 2.4gh radio"
rate RATE_11M disable
rate RATE_12M mandatory
rate RATE_1M disable
rate RATE_24M supported
rate RATE_2M disable
rate RATE_5_5M disable
rate RATE_6M disable
no shutdown
ap dot11 24ghz rate RATE_12M supported
ap dot11 24ghz rate RATE_24M supported
ap dot11 24ghz rate RATE_6M supported
ap dot11 6ghz rf-profile default-rf-profile-6ghz
description "default rfprofile for 6GHz radio"
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M mandatory
no shutdown
ap dot11 5ghz rf-profile Low_Client_Density_rf_5gh
coverage data rssi threshold -90
coverage level 2
coverage voice rssi threshold -90
description "pre configured Low Client Density rfprofile for 5gh radio"
high-density rx-sop threshold low
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M mandatory
tx-power v1 threshold -60
no shutdown
ap dot11 5ghz rf-profile High_Client_Density_rf_5gh
description "pre configured High Client Density rfprofile for 5gh radio"
high-density rx-sop threshold medium
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M disable
rate RATE_9M disable
tx-power min 7
tx-power v1 threshold -65
no shutdown
ap dot11 5ghz rf-profile Typical_Client_Density_rf_5gh
description "pre configured Typical Density rfprofile for 5gh radio"
rate RATE_12M mandatory
rate RATE_24M mandatory
rate RATE_6M mandatory
no shutdown
ap dot11 5ghz rate RATE_12M mandatory
ap dot11 5ghz rate RATE_24M mandatory
ap dot11 5ghz rate RATE_6M mandatory
ap dot11 6ghz rrm monitor measurement 600
ap tag-source-priority 2 source filter
ap tag-source-priority 3 source ap
ap profile default-ap-profile
description "default ap profile"
trapflags ap crash
trapflags ap noradiocards
trapflags ap register
end
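An added example, not part of the original guide or of any Cisco tooling: a small Python check over the management-plane lines of the default configuration above. The excerpt is re-indented by hand the way an IOS-XE dump is, and the finding labels (HTTP-CLEARTEXT, HTTPS-OFF, AAA-OFF, VTY-TRANSPORT) are names made up for this example.

```python
# Constructed excerpt: management-plane lines copied from the default
# configuration above, with the indentation a real IOS-XE dump carries.
DEFAULT_CONFIG = """\
no aaa new-model
ip http server
ip http authentication local
ip http secure-server
line con 0
 stopbits 1
line vty 0 4
 login
 transport input ssh
line vty 5 15
 login
 transport input ssh
"""

def blocks(config):
    """Group an IOS config into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and current is not None:
            out[current].append(raw.strip())
        else:
            current = raw.strip()
            out[current] = []
    return out

def audit(config):
    """Return findings for the management plane of a WLC configuration."""
    cfg, findings = blocks(config), []
    if "ip http server" in cfg:
        findings.append("HTTP-CLEARTEXT: 'ip http server' serves the web UI over plain HTTP")
    if "ip http secure-server" not in cfg:
        findings.append("HTTPS-OFF: 'ip http secure-server' is missing")
    if "aaa new-model" not in cfg:
        findings.append("AAA-OFF: 'aaa new-model' is not enabled")
    for head, body in cfg.items():
        if not head.startswith("line vty"):
            continue
        transports = [l for l in body if l.startswith("transport input")]
        if transports != ["transport input ssh"]:
            findings.append(f"VTY-TRANSPORT: '{head}' does not restrict input to ssh")
    return findings
```

On the default configuration it reports the plain-HTTP web server and the disabled AAA model; the vty lines pass because they already accept SSH only.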
Topology
The following topology is used for this guide. Two Layer 3 switches represent two different sites; they route between all subnets and switch the Layer 2 traffic. The WLC is connected at the first site, and the AP is connected at the second site.
The following configurations have been used on the routing devices.
R1
hostname R1
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
!
interface GigabitEthernet0
switchport mode trunk
no ip address
!
interface Vlan1
ip address 172.16.1.254 255.0.0.0
ip nat inside
ip virtual-reassembly in
!
ip nat inside source list 10 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
dialer-list 1 protocol ip permit
access-list 10 permit 172.0.0.0 0.255.255.255
!
end
LABSW01
hostname LABSW01
!
ip routing
!
ip domain name configure-networks.com
ip dhcp excluded-address 172.16.5.1 172.16.5.11
ip dhcp excluded-address 172.16.4.1 172.16.4.11
ip dhcp excluded-address 172.16.3.1 172.16.3.11
!
ip dhcp pool CLIENTS10
network 172.16.4.0 255.255.255.0
default-router 172.16.4.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENTS20
network 172.16.5.0 255.255.255.0
default-router 172.16.5.1
dns-server 8.8.8.8
!
ip dhcp pool WLAN-MGMT
network 172.16.3.0 255.255.255.0
default-router 172.16.3.1
dns-server 8.8.8.8
!
vtp mode transparent
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 1-5 priority 4096
!
vlan 2
name NWMGMT
!
vlan 3
name WLAN-MGMT
!
vlan 4
name CLIENTS1
!
vlan 5
name CLIENTS2
!
interface Port-channel1
description LABWLC-UPLINK
switchport trunk allowed vlan 3
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/1
description TO-INTERNET
switchport trunk allowed vlan 1
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
!
interface GigabitEthernet1/0/2
description CLIENTS10
switchport access vlan 4
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
description CLIENTS20
switchport access vlan 5
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/1/1
description TO-LABSW02
switchport trunk allowed vlan 1
switchport mode trunk
switchport nonegotiate
!
interface TenGigabitEthernet1/1/3
description LABWLC-UPLINK
switchport trunk allowed vlan 3
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
interface TenGigabitEthernet1/1/4
description LABWLC-UPLINK
switchport trunk allowed vlan 3
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
!
!
interface Vlan1
description TO-INTERNET
ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
description NWMGMT
ip address 172.16.2.1 255.255.255.0
!
interface Vlan3
description WLAN-MGMT
ip address 172.16.3.1 255.255.255.0
!
interface Vlan4
description CLIENTS10
ip address 172.16.4.1 255.255.255.0
!
interface Vlan5
description CLIENTS20
ip address 172.16.5.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 172.17.0.0 255.255.0.0 172.16.1.2
!
end
LABSW02
hostname LABSW02
!
ip routing
!
ip domain name configure-networks.com
ip dhcp excluded-address 172.17.5.1 172.17.5.11
ip dhcp excluded-address 172.17.4.1 172.17.4.11
ip dhcp excluded-address 172.17.3.1 172.17.3.11
!
ip dhcp pool CLIENTS10
network 172.17.4.0 255.255.255.0
default-router 172.17.4.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENTS20
network 172.17.5.0 255.255.255.0
default-router 172.17.5.1
dns-server 8.8.8.8
!
ip dhcp pool WLAN-MGMT
network 172.17.3.0 255.255.255.0
default-router 172.17.3.1
dns-server 8.8.8.8
!
vtp mode transparent
!
spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default
spanning-tree extend system-id
spanning-tree vlan 10-20 priority 4096
!
vlan 12
name NWMGMT
!
vlan 13
name WLAN-MGMT
!
vlan 14
name CLIENTS10
!
vlan 15
name CLIENTS20
!
interface GigabitEthernet1/0/1
description ACCESS-POINT
switchport trunk native vlan 13
switchport trunk allowed vlan 13-15
switchport mode trunk
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
description CLIENTS10
switchport access vlan 14
switchport mode access
switchport nonegotiate
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
description CLIENTS20
switchport access vlan 15
switchport mode access
switchport nonegotiate
device-tracking
spanning-tree portfast
spanning-tree bpduguard enable
!
interface GigabitEthernet1/1/1
switchport trunk allowed vlan 1
switchport mode trunk
switchport nonegotiate
!
!
interface Vlan1
description TO-LABSW01
ip address 172.16.1.2 255.255.255.0
!
interface Vlan12
description NWMGMT
ip address 172.17.2.1 255.255.255.0
!
interface Vlan13
description WLAN-MGMT
ip address 172.17.3.1 255.255.255.0
!
interface Vlan14
description CLIENTS10
ip address 172.17.4.1 255.255.255.0
!
interface Vlan15
description CLIENTS20
ip address 172.17.5.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 172.16.1.254
ip route 172.16.0.0 255.255.0.0 172.16.1.1
!
end
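An added example, not part of the original guide: a Python check of the switchport a FlexConnect AP is plugged into, run against a hand-indented excerpt of the LABSW02 configuration above. It assumes the AP takes its management address on the trunk's native VLAN and that VLANs 14 and 15 are the ones switched locally at this site; `LOCAL_VLANS` and the function names are made up for this example.

```python
# Constructed excerpt of the LABSW02 configuration above, re-indented the
# way a real IOS dump is. LOCAL_VLANS is an assumption: the client VLANs
# the FlexConnect AP switches locally at this site.
LABSW02 = """\
interface GigabitEthernet1/0/1
 description ACCESS-POINT
 switchport trunk native vlan 13
 switchport trunk allowed vlan 13-15
 switchport mode trunk
interface GigabitEthernet1/0/2
 description CLIENTS10
 switchport access vlan 14
 switchport mode access
"""
LOCAL_VLANS = {14, 15}

def expand(vlan_list):
    """Expand an IOS VLAN list such as '13-15,20' into a set of ints."""
    vlans = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def check_ap_trunk(config, port, local_vlans):
    """Return problems with the trunk port a FlexConnect AP connects to."""
    native, allowed, inside, found = 1, None, False, False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level line opens a new block
            inside = line == f"interface {port}"
            found = found or inside
        elif inside and line.startswith("switchport trunk native vlan "):
            native = int(line.split()[-1])
        elif inside and line.startswith("switchport trunk allowed vlan "):
            allowed = expand(line.split()[-1])
    if not found:
        return [f"interface {port} not found"]
    if allowed is None:
        return ["trunk is unpruned: every VLAN on the switch reaches the AP port"]
    problems = []
    if native not in allowed:
        problems.append(f"native VLAN {native} (AP management) is not allowed")
    for v in sorted(local_vlans - allowed):
        problems.append(f"locally switched VLAN {v} is not allowed on the trunk")
    extra = allowed - local_vlans - {native}
    if extra:
        problems.append(f"VLANs {sorted(extra)} are allowed but not used by the AP")
    return problems
```

The AP port in this guide passes: the trunk carries only the management VLAN and the two client VLANs, so a locally switched SSID cannot reach any other VLAN on the site switch.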