Cisco 5500 Series Wireless Controllers

FlexConnect Feature Matrix

Document ID: 112042

Updated: May 12, 2015

Contributed by Nicolas Darchis, Cisco TAC Engineer.



This document describes the feature matrix for the FlexConnect feature on the Wireless LAN Controller (WLC). This feature matrix applies to Cisco Unified Wireless Network (CUWN) Release 7.0.116 and later.

Note: New features are added to FlexConnect with every new release. Review the release notes for the latest details.

Note: In releases earlier than Release 7.2, FlexConnect was called Hybrid REAP (HREAP). It is now always referred as Flexconnect.



Cisco recommends that you have knowledge of these topics:

  • Control and Provisioning of Wireless Access Points (CAPWAP) protocol
  • Configuration of lightweight Access Points (APs) and Cisco WLCs

Components Used

The information in this document is based on CUWN Releases and later. This article has been updated with Release 8.1.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Background Information 


FlexConnect is a wireless solution for branch office and remote office deployments. It enables you to configure and control APs in a branch or remote office from the corporate office through a WAN link without the deployment of a controller in each office. The FlexConnect APs can switch client data traffic locally and perform client authentication locally. When they are connected to the controller, they can also send traffic back to the controller. FlexConnect is only supported on these components:

  • 700, 1130AG, 1140, 1240AG, 1250, AP801, 1600, 1700, 2600, 2700, 3500I, 3500E, 3600, 3700, 1040, 1520, 1550, and 1260 APs
  • Cisco Flex 8500 and 7500, Cisco 5500, 4400, and 2500 Series Controllers
  • Catalyst 3750G Integrated WLC Switch
  • Cisco WiSM and WiSM2
  • Controller Network Module for Integrated Services Routers

FlexConnect local authentication is useful where you cannot maintain a remote office setup with a minimum bandwidth of 128 kb/s and a round-trip latency of no greater than 100 ms. The maximum tolerated latency for FlexConnect is 300 ms, regardless of the features that are used.

The next section outlines the FlexConnect Feature Matrix.

Note: Pre-802, 11n APs, such as 1130 or 1240, are still supported by later code. However, these APs do not receive new features as of Release 7.3. Therefore, these APs do not support FlexConnect features that appear after Release 7.3. Similarly, first generation 802.11n APs will not have any of the Flexconnect features of the 8.1 feature set even if they are able to join such a WLC. Refer to the release notes for more information.

FlexConnect Feature Matrix - Legacy and New Features in Release 7.0.116 and Later

Security - Client

Security support on FlexConnect varies with different modes and states. This table summarizes the security features that are supported:

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Up (Local Switching, Local Authorization)WAN Down (Standalone)
Open/Static WEPYesYesYesYes
802.1x (WPA/WPA2)YesYesYesYes
MAC filter AuthenticationYesYesNoNo
CCKM Fast RoamingYesYesYesYes, for connected clients. No, for new clients.

Security - Infrastructure

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Down (Standalone)
Data DTLS EncryptionYesN/AN/A
Backup RadiusYes (7.0.116)Yes (7.0.116)Yes
MICYesYesNot applicable


Security support on FlexConnect varies with different modes and states. This table summarizes the legacy and new security features supported with WLC Release and later:

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Up (Local Switching, Local Authorization)WAN Down (Standalone)
Adaptive Wireless Intrusion Prevention (aWIPS)YesYesYesNo
Rogue, Intrusion Detection (IDS)YesYesYesNo
Management Frame Protection (MFP) (Client, Infrastructure)YesYesYesNo
802.11w "MFP"Yes (7.5)Yes (7.5)Yes (7.5)Yes (7.5)
802.11r Fast TransitionYesYesYesNo
Self-Signed Certificate (SSC)YesYesYesN/A
Rogue Location Discovery Protocol (RLDP)Might work, depends on hops, WAN speedMight work, depends on hops, WAN speedMight work, depends on hops, WAN speedNo
Opportunistic Key Caching (OKC) Fast RoamYesYesYesNo(1)
FlexConnect Local AuthN/AYesYesYes

AAA Override




AAA VLAN assignment per Flexgroup with VLAN name

Static ACLYesYes(2)
Per-user radius ACLYes (7.5)Yes (7.5)Yes (7.5)No
L2 ACLYes (7.5)Yes (7.5)Yes (7.5)Yes (7.5)
DNS ACLYes (7.6)Yes (7.6)NoNo
P2P BlockingYesYesYesYes
Bring Your Own Device /ISE(BYOD)YesYes (


PCI Compliance for Neighbor PktsYesYesYesNo
Russia DTLS SupportYesN/ANoNo
wIPS Enhanced Local Mode (ELM)YesYesYesNo
Limit Clients per WLANYesYes(3)YesNo
Limit Clients per RadioYesYesYesYes
Client Exclusion PolicyYesYes(3)YesNo
Radius NACYesYesNoNo
TrustSec SXPNoNoNoNo

(1) Yes for clients that have association at Connected mode.
(2) FlexConnect Access Control Lists (ACLs) should be used.
(3) Limits/exclusion done by WLC so client will be deauthorized after a successful Association Response.

Voice & Video

This table lists the legacy and new Voice & Video services supported with WLC Release and later with FlexConnect:

 WAN Up (Central Switching) 100 ms RTTWAN Up (Local Switching) 100 ms RTTWAN Down (Standalone)
VoiceYes with RTT 100 msYes with RTT 100 msYes with RTT 100 ms
Yes with RTT 900 ms (with CCKM and OKC)Yes with RTT 900 ms (with CCKM and OKC)
QoS Markings(1)YesYesYes
QoS Per-User Bandwidth ContractYes(7.4)Yes(7.5)No
Voice DiagnosticsYesYesNo
Voice MetricsYesYesNo
TSPEC /Call Admission Control (CAC)Yes - non CCXYes - non CCXNo
Yes - CCX(2)Yes - CCX(2)

(1) Includes both DSCP/dot1p markings.
(2) CAC on WLC, deauthorization on roaming failure.


This table lists the legacy and new services supported with WLC Release  and later with FlexConnect:

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Up (Local Switching, Local Authorization )WAN Down (Standalone)
Internal WebauthYesYesNoN/A
External WebauthYes ( (
CleanAir (SI on 3500)YesYesYes N/A
Multicast-Unicast (Videostream)Yes (except on 7500, 8500 and vWLC)Yes (8.0)Yes (8.0)Yes (8.0)
LocationYes with BW/Scale limitationYes with BW /Scale limitationYes with BW /Scale limitation N/A
Radio Ressource ManagementYesYesYesNo
NG RRM - RF Static GroupingYes(1)Yes(1)YesNo
SE Connect (Cleanair Update)YesYesYesNo(2)
S60 EnhancementYesYesYes No
AVCYes (7.4)Yes(8.1)Yes(8.1)No
Bonjour GatewayYesNoNoNo
Origin Based servicesYesNoNoNo
Priority MACYesNoNoNo
Bonjour BrowserYesNoNoNo
Flex+Bridge modeYes (8.0)Yes(8.0)Yes(8.0)Yes(8.0)

(1) Any RRM-specific requirements apply (at least 4 APs for TPC).
(2) Yes for standalone after disconnecting from WLC, but no for reboot.


 WAN Up (Central Switching)WAN Up (Local Switching)WAN Down (Standalone)
Passive ClientsNoNoNo
Proxy ARPYes (8.0)Yes (8.0)Yes (8.0)
Client LinkYesYesYes(2)
Load Balancing(3)Yes (7.4)Yes (7.4)No
Band SelectYesYesNo
AP Image PreDownloadYesYesNo
FlexConnect Smart AP Image UpgradeYesYesYes(1)
AP Regularity Domain Updates (Chile)YesYesYes
VLAN Pooling/Mcast Optim.YesN/AN/A
Mesh - 24 backhaulN/AN/AN/A
Cisco WGB Support YesYes (7.3)No
3rd party WGB SupportYesYesYes
Web Auth ProxyYesYesNo
FlexConnect AP Group IncreaseYesYesYes
Client fault toleranceN/AYesN/A
DHCP Option 60YesYesYes
Vlan mappings through FlexGroupsYesYesYes

(1) Provided if the Master AP is already upgraded and Slave APs are updated with their Master AP.

(2) Only on second generation 11n APs and later (1600, 2600, 3600, and so on).

(3) FlexConnect APs do not send (re)association responses with status 17 for load-balancing as do Local mode APs; instead, they first send (re)association responses with status 0 (success) and then deauth with reason 5. This occurs as the AP handles the association locally and load-balancing decisions are taken at the WLC.

Note: The passive client feature is not supported on Flex APs. However, the APs do not do proxy ARP by default on FlexConnect (and that is a part of the passive client feature). On the contrary, proxy ARP was added as a feature for FlexConnect APs with Release 8.0 and later.

Mobility / Roaming Scenarios

WLAN ConfigurationLocal SwitchingCentral Switching
Mobility Between Same Flex GroupFast Roam(1)Fast Roam(1)Full Auth(1)Fast RoamFast RoamFull Auth
Mobility Between Different Flex GroupFull AuthFull AuthFull AuthFull AuthFull AuthFull Auth
Inter Controller MobilityN/AN/AN/AFull AuthFast RoamFull Auth

(1) Provided WLAN is mapped to the same VLAN (same subnet).

Note: In order to support centralized access control through a centralized Authentication, Authorization, and Accounting (AAA) server, such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis with the use of AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller, and the WLAN must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the Airespace-ACL-Name attribute used in order to provision an IPv4-based ACL. The AAA attribute-returned contents should be a string that is equal to the name of the IPv6 ACL, as configured on the controller.

Related information

Updated: May 12, 2015
Document ID: 112042