FlexConnect

Information About FlexConnect

FlexConnect (previously known as Hybrid Remote Edge Access Point or H-REAP) is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points (AP) in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. The FlexConnect access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller. In the connected mode, the FlexConnect access point can also perform local authentication.

Figure 1. FlexConnect Deployment


The embedded wireless controller software has a more robust fault tolerance methodology for FlexConnect access points. In previous releases, whenever a FlexConnect access point disassociated from the embedded wireless controller, it moved to standalone mode and continued to serve locally switched clients; when it rejoined the embedded wireless controller (or a standby controller), all clients were disconnected and had to authenticate again. This behavior has been enhanced: the connection between the clients and the FlexConnect access point is kept intact and the clients experience seamless connectivity, provided that the access point and the embedded wireless controller have the same configuration.

After the client connection is established, the embedded wireless controller does not restore the original attributes of the client. The client username, current rate and supported rates, and listen interval values are reset to the default values only after the session timer expires.

There is no deployment restriction on the number of FlexConnect access points per location. Multiple FlexConnect groups can be defined in a single location.

The embedded wireless controller can send multicast packets in the form of unicast or multicast packets to an access point. In FlexConnect mode, an access point can receive multicast packets only in unicast form.

FlexConnect access points support a 1-1 network address translation (NAT) configuration. They also support port address translation (PAT) for all features except true multicast. Multicast is supported across NAT boundaries when configured using the Unicast option. FlexConnect access points also support a many-to-one NAT or PAT boundary, except when you want true multicast to operate for all centrally switched WLANs.


Note

Although NAT and PAT are supported for FlexConnect access points, they are not supported on the corresponding controller. Cisco does not support configurations in which the controller is behind a NAT/PAT boundary.


VPN and Point-to-Point Tunneling Protocol (PPTP) are supported for locally switched traffic if these security types are accessible locally at the access point.

FlexConnect access points support multiple SSIDs.

Workgroup bridges and Universal Workgroup bridges are supported on FlexConnect access points for locally switched clients.

An access point does not have to reboot when moving from local mode to FlexConnect mode.

FlexConnect Authentication Process

When an access point boots up, it looks for an embedded wireless controller. If it finds one, it joins the embedded wireless controller, downloads the latest software image and configuration from the embedded wireless controller, and initializes the radio. It saves the downloaded configuration in nonvolatile memory for use in standalone mode.


Note

Once the access point is rebooted after downloading the latest embedded wireless controller software, it must be converted to the FlexConnect mode.

Note

802.1X is not supported on the AUX port for Cisco 2700 series APs.


A FlexConnect access point can learn the embedded wireless controller IP address in one of these ways:

  • If the access point has been assigned an IP address from a DHCP server, it can discover an embedded wireless controller through the regular CAPWAP or LWAPP discovery process.


    Note

    OTAP is not supported.
  • If the access point has been assigned a static IP address, it can discover an embedded wireless controller through any of the discovery process methods except DHCP option 43. If the access point cannot discover an embedded controller through Layer 3 broadcast, we recommend DNS resolution. With DNS, any access point with a static IP address that knows of a DNS server can find at least one embedded wireless controller.

  • If you want the access point to discover an embedded wireless controller from a remote network where CAPWAP or LWAPP discovery mechanisms are not available, you can use priming. This method enables you to specify (through the access point CLI) the embedded wireless controller to which the access point is to connect.

When a FlexConnect access point can reach the embedded wireless controller (referred to as the connected mode), the embedded wireless controller assists in client authentication.


Note

The LEDs on the access point change as the device enters different FlexConnect modes. See the hardware installation guide for your access point for information on LED patterns.

When a client associates to a FlexConnect access point, the access point sends all authentication messages to the embedded wireless controller and either switches the client data packets locally (locally switched) or sends them to the controller (centrally switched), depending on the WLAN configuration. With respect to client authentication (open, shared, EAP, web authentication, and NAC) and data packets, the WLAN can be in any one of the following states depending on the configuration and state of controller connectivity:

  • central authentication, local switching—In this state, the embedded wireless controller handles client authentication, and the FlexConnect access point switches data packets locally. After the client authenticates successfully, the controller sends a configuration command with a new payload to instruct the FlexConnect access point to start switching data packets locally. This message is sent per client. This state is applicable only in connected mode.


    Note

    For the FlexConnect local switching, central authentication deployments, if there is a passive client with a static IP address, it is recommended to disable the Learn Client IP Address feature under the WLAN > Advanced tab.
  • authentication down, switching down—In this state, the WLAN disassociates existing clients and stops sending beacons and probe responses. This state is valid in both standalone mode and connected mode.

  • authentication down, local switching—In this state, the WLAN rejects any new clients trying to authenticate, but it continues sending beacons and probe responses to keep existing clients alive. This state is valid only in standalone mode.

When a FlexConnect access point enters standalone mode, WLANs that are configured for open, shared, WPA-PSK, or WPA2-PSK authentication enter the “local authentication, local switching” state and continue new client authentications. This configuration is also correct for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these authentication types require that an external RADIUS server be configured. You can also configure a local RADIUS server on a FlexConnect access point to support 802.1X in a standalone mode or with local authentication.

Other WLANs enter either the “authentication down, switching down” state (if the WLAN was configured for central switching) or the “authentication down, local switching” state (if the WLAN was configured for local switching).

When FlexConnect access points are connected to the embedded controller (rather than in standalone mode), the controller uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication Servers page or in the config radius auth add CLI command (unless the server order is overridden for a particular WLAN). However, to support 802.1X EAP authentication, FlexConnect access points in standalone mode need to have their own backup RADIUS server to authenticate clients.


Note

The backup RADIUS server is used by the FlexConnect access point itself, in local authentication mode; the controller does not use it.

You can configure a backup RADIUS server for individual FlexConnect access points in standalone mode by using the embedded wireless controller CLI, or for groups of FlexConnect access points in standalone mode by using either the GUI or the CLI. A backup server configured for an individual access point overrides the backup RADIUS server configured for its FlexConnect group.

When web authentication is used on FlexConnect access points at a remote site, the clients get their IP address from the remote local subnet. To resolve the initial URL request, DNS is reached through the subnet's default gateway. For the embedded wireless controller to intercept and redirect the DNS reply packets, these packets must reach the embedded wireless controller at the data center through the CAPWAP connection. During the web authentication process, the FlexConnect access points allow only DNS and DHCP messages from the client and forward the DNS reply messages to the embedded wireless controller until web authentication for the client is complete. After web authentication for the client is complete, all the traffic is switched locally.

When a FlexConnect access point enters standalone mode, the following occurs:

  • The access point checks whether it can reach the default gateway via ARP. If it can, it keeps trying to reach the embedded wireless controller.

If the ARP request to the default gateway fails, the following occurs:

  • The access point attempts controller discovery five times. If it still cannot find the embedded wireless controller, it renews DHCP on the Ethernet interface to obtain a new IP address.

  • The access point retries discovery another five times; if that also fails, it renews the IP address of the interface again. This cycle is repeated for three attempts.

  • If all three attempts fail and the access point is configured with a static IP address, it falls back to the static IP address and reboots.

  • The reboot is done to remove the possibility of an unknown error in the access point configuration.

Once the access point reestablishes a connection with the embedded wireless controller, it disassociates all clients, applies new configuration information from the embedded wireless controller, and allows client connectivity again. If the configuration is unchanged, locally switched clients that are in the RUN state are retained instead (see Restrictions for FlexConnect).

Restrictions for FlexConnect

  • You can deploy a FlexConnect access point with either a static IP address or a DHCP address. In the context of DHCP, a DHCP server must be available locally and must be able to provide the IP address for the access point at bootup.

  • FlexConnect supports up to 4 fragmented packets, or a minimum 576-byte maximum transmission unit (MTU) WAN link.

  • Round-trip latency must not exceed 300 milliseconds (ms) between the access point and the embedded wireless controller, and CAPWAP control packets must be prioritized over all other traffic. In scenarios where you cannot achieve the 300-ms round-trip latency, configure the access point to perform local authentication.

  • Client connections are restored only for locally switched clients that are in the RUN state when the access point moves from standalone mode to connected mode. After the access point moves, the access point’s radio is also reset.

  • The configuration on the embedded wireless controller must be the same between the time the access point went into standalone mode and the time the access point came back to connected mode. Similarly, if the access point is falling back to a secondary or backup embedded wireless controller, the configuration between the primary and the secondary or backup embedded wireless controller must be the same.

  • A newly connected access point cannot be booted in FlexConnect mode.

  • The primary and secondary embedded wireless controllers for a FlexConnect access point must have the same configuration. Otherwise, the access point might lose its configuration, and certain features, such as WLAN overrides, VLANs, static channel number, and so on, might not operate correctly. In addition, make sure you duplicate the SSID of the FlexConnect access point and its index number on both embedded wireless controllers.

  • If a syslog server is configured on a FlexConnect access point and the native VLAN is other than 1, a few syslog packets sent by the access point during initialization after a reload are tagged with VLAN ID 1.

  • MAC filtering is not supported on FlexConnect access points in standalone mode. However, MAC filtering is supported on FlexConnect access points in connected mode with local switching and central authentication. Also, Open SSID, MAC Filtering, and RADIUS NAC for a locally switched WLAN with FlexConnect access points is a valid configuration, where MAC is checked by Cisco ISE.

  • FlexConnect does not support IPv6 ACLs, neighbor discovery caching, and DHCPv6 snooping of IPv6 NDP packets.

  • FlexConnect does not display any IPv6 client addresses in the Client Detail window.

  • FlexConnect access points with locally switched WLANs cannot perform IP source guard or prevent ARP spoofing. For centrally switched WLANs, the embedded wireless controller performs IP source guard and ARP spoofing prevention.

  • To prevent ARP spoofing attacks in FlexConnect APs with local switching, we recommend that you use ARP inspection.

  • When you enable local switching on a WLAN for FlexConnect APs, the APs perform local switching. For APs in local mode, however, central switching is performed.

    Roaming between a FlexConnect mode AP and a local mode AP is not supported: because the two switching paths map to different VLANs, a client that moves between them may not get the correct IP address. Neither L2 nor L3 roaming between FlexConnect mode APs and local mode APs is supported.

  • For Wi-Fi Protected Access Version 2 (WPA2) in FlexConnect standalone mode or local authentication in connected mode or CCKM fast roaming in connected mode, only Advanced Encryption Standard (AES) is supported.

  • For Wi-Fi Protected Access (WPA) in FlexConnect standalone mode or local-auth in connected mode or CCKM fast-roaming in connected mode, only Temporal Key Integrity Protocol (TKIP) is supported.

  • WPA2 with TKIP and WPA with AES is not supported in standalone mode, local-auth in connected mode, and CCKM fast-roaming in connected mode.

  • Only open and WPA (PSK and 802.1x) authentication is supported on the Cisco Aironet 1830 Series and 1850 Series APs.

  • Only 802.11r fast-transition roaming is supported on the Cisco Aironet 1830 Series and 1850 Series APs.

  • AVC on locally switched WLANs is supported on second-generation APs.

  • Local authentication fallback is not supported when a user is not available in the external RADIUS server.

  • For WLANs configured for FlexConnect APs in local switching and local authentication, synchronization of dot11 client information is supported.

  • DNS override is not supported on the Cisco Aironet 1830 Series and 1850 Series APs.

  • The Cisco Aironet 1830 Series and 1850 Series APs do not support IPv6. However, a wireless client can pass IPv6 traffic across these APs.

  • VLAN group is not supported in Flex mode under flex-profile.

  • Configuring maximum number of allowed media streams on individual client or radio is not supported in FlexConnect mode.

  • The WLAN client association limit will not work when the AP is in FlexConnect mode (connected or standalone) and is performing local switching and local authentication.

  • A locally switched client in FlexConnect mode does not get an IP address for an RLAN profile on the Cisco Aironet 1810 Series AP.

  • IPv6 RADIUS Server is not configurable for FlexConnect APs. Only IPv4 configuration is supported.

  • Central switching is not supported in a Cisco Embedded Wireless Controller on Catalyst Access Points deployment.

  • Local authentication is not supported in a Cisco Embedded Wireless Controller on Catalyst Access Points deployment.

Configuring a Site Tag

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless tag site site-name

Example:

Device(config)# wireless tag site default-site-tag 

Configures site tag and enters site tag configuration mode.

Step 3

flex-profile flex-profile-name

Example:

Device(config-site-tag)# flex-profile rr-xyz-flex-profile

Maps a flex profile to a site tag.

Step 4

ap-profile ap-profile

Example:

Device(config-site-tag)# ap-profile xyz-ap-profile

Assigns an AP profile to the wireless site.

Step 5

description site-tag-name

Example:

Device(config-site-tag)# description "default site tag"

Adds a description for the site tag.

Step 6

no local-site

Example:

Device(config-site-tag)# no local-site

Moves the access point to FlexConnect mode.

Step 7

end

Example:

Device(config-site-tag)# end

Saves the configuration, exits the configuration mode, and returns to privileged EXEC mode.

Step 8

show wireless tag site summary

Example:

Device# show wireless tag site summary  

(Optional) Displays the summary of site tags.

Configuring a Policy Tag (CLI)

Follow the procedure given below to configure a policy tag:

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless tag policy policy-tag-name

Example:

Device(config)# wireless tag policy default-policy-tag

Configures policy tag and enters policy tag configuration mode.

Step 3

wlan wlan-name policy profile-policy-name

Example:

Device(config-policy-tag)# wlan rr-xyz-wlan-aa policy rr-xyz-policy-1

Maps a policy profile to a WLAN profile.

Step 4

end

Example:

Device(config-policy-tag)# end

Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 5

show wireless tag policy summary

Example:

Device# show wireless tag policy summary

(Optional) Displays the configured policy tags.

Note 

To view detailed information about a policy tag, use the show wireless tag policy detailed policy-tag-name command.

Attaching a Policy Tag and a Site Tag to an AP (GUI)

Procedure


Step 1

Choose Configuration > Wireless > Access Points.

The All Access Points section displays details of all the APs in your network.

Step 2

To edit the configuration details of an AP, select the row for that AP.

The Edit AP window is displayed.

Step 3

In the General tab and Tags section, specify the appropriate policy, site, and RF tags that you created on the Configuration > Tags & Profiles > Tags page.

Step 4

Click Update & Apply to Device.


Attaching Policy Tag and Site Tag to an AP (CLI)

Follow the procedure given below to attach a policy tag and a site tag to an AP:

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

ap mac-address

Example:

Device(config)# ap F866.F267.7DFB 

Configures a Cisco AP and enters AP profile configuration mode.

Note 

The MAC address must be the wired (Ethernet) MAC address of the AP.

Step 3

policy-tag policy-tag-name

Example:

Device(config-ap-tag)# policy-tag rr-xyz-policy-tag

Maps a policy tag to the AP.

Step 4

site-tag site-tag-name

Example:

Device(config-ap-tag)# site-tag rr-xyz-site

Maps a site tag to the AP.

Step 5

rf-tag rf-tag-name

Example:

Associates the RF tag.

Step 6

end

Example:

Device(config-ap-tag)# end

Saves the configuration, exits configuration mode, and returns to privileged EXEC mode.

Step 7

show ap tag summary

Example:

Device# show ap tag summary  

(Optional) Displays AP details and the tags associated to it.

Step 8

show ap name <ap-name> tag info

Example:

Device# show ap name ap-name tag info  

(Optional) Displays the AP name with tag information.

Step 9

show ap name <ap-name> tag detail

Example:

Device# show ap name ap-name tag detail  

(Optional) Displays the AP name with tag details.

Applying ACLs on FlexConnect

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile flex flex-profile-name

Example:

Device(config)# wireless profile flex Flex-profile-1

Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3

acl-policy acl-policy-name

Example:

Device(config-wireless-flex-profile)# acl-policy ACL1

Configures an ACL policy.

Step 4

exit

Example:

Device(config-wireless-flex-profile-acl)# exit

Returns to wireless flex profile configuration mode.

Step 5

native-vlan-id vlan-id

Example:

Device(config-wireless-flex-profile)# native-vlan-id 25

Configures native vlan-id information.

Step 6

vlan-name vlan-name

Example:

Device(config-wireless-flex-profile)# vlan-name VLAN0169

Configures a VLAN.

Step 7

acl acl-name

Example:

Device(config-wireless-flex-profile-vlan)# acl ACL1

Configures an ACL for the interface.

Step 8

vlan-id vlan-id

Example:

Device(config-wireless-flex-profile-vlan)# vlan-id 169

Configures VLAN information.
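The restrictions above require the primary and secondary embedded wireless controllers to carry the same configuration, and the site tag, policy tag, and flex profile blocks built in the procedures above are exactly the blocks that must agree for a standalone access point to rejoin (or fail over) without losing its configuration. The following Python script is an added example, not part of this guide or of Cisco's software: it parses those blocks out of two constructed `show running-config` captures, reports every line that drifts between them, and flags a site tag that maps a flex profile without `no local-site`, which would leave its APs in local mode. All profile, tag, VLAN and ACL names are assumed to match the examples on this page, and the running-config layout is assumed to be the one the CLI commands above produce (one-space indentation, `!` separators).

```python
"""Drift check for the FlexConnect blocks of two IOS-XE running configs.
Added example, not Cisco's code; all names below are constructed."""
from typing import Dict, List

# Top-level blocks that decide how a FlexConnect AP behaves; others are ignored.
TRACKED_PREFIXES = ("wireless profile flex ", "wireless profile policy ",
                    "wireless tag site ", "wireless tag policy ", "wlan ")

# Constructed sample: the primary controller, as the procedures above leave it.
PRIMARY_CONFIG = """\
wireless profile flex rr-xyz-flex-profile
 acl-policy ACL1
 native-vlan-id 25
 vlan-name VLAN0169
  acl ACL1
  vlan-id 169
!
wireless profile policy rr-xyz-policy-1
 no central switching
!
wireless tag site rr-xyz-site
 flex-profile rr-xyz-flex-profile
 ap-profile xyz-ap-profile
 no local-site
!
"""

# Constructed sample: a secondary controller that has drifted in three places.
SECONDARY_CONFIG = """\
wireless profile flex rr-xyz-flex-profile
 acl-policy ACL1
 native-vlan-id 25
 vlan-name VLAN0169
  acl ACL1
  vlan-id 170
!
wireless profile policy rr-xyz-policy-1
!
wireless tag site rr-xyz-site
 flex-profile rr-xyz-flex-profile
 ap-profile xyz-ap-profile
!
"""


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each tracked column-0 header to its indented child lines.
    A block ends at the next column-0 line or a '!' separator. Indentation is
    kept, so a nested '  vlan-id 169' stays distinct from a one-space child."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line == "!" or not line.startswith((" ", "\t")):
            current = line if line.startswith(TRACKED_PREFIXES) else None
            if current is not None:
                sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def diff_sections(primary: str, secondary: str) -> List[str]:
    """One finding per block or line that differs. An empty list means the two
    controllers agree on these blocks, which the restrictions above require."""
    p, s = parse_sections(primary), parse_sections(secondary)
    findings: List[str] = []
    for header in sorted(p.keys() - s.keys()):
        findings.append(f"{header}: block missing on secondary")
    for header in sorted(s.keys() - p.keys()):
        findings.append(f"{header}: block missing on primary")
    for header in sorted(p.keys() & s.keys()):
        for line in p[header]:
            if line not in s[header]:
                findings.append(f"{header}: only on primary: {line.strip()}")
        for line in s[header]:
            if line not in p[header]:
                findings.append(f"{header}: only on secondary: {line.strip()}")
    return findings


def site_tags_not_in_flex_mode(config: str) -> List[str]:
    """Site tags that map a flex profile but keep the default local-site, so
    their APs stay in local mode and the flex profile is never applied."""
    stuck = []
    for header, body in parse_sections(config).items():
        if header.startswith("wireless tag site "):
            lines = {line.strip() for line in body}
            has_flex = any(line.startswith("flex-profile ") for line in lines)
            if has_flex and "no local-site" not in lines:
                stuck.append(header.split(" ", 3)[3])
    return stuck


if __name__ == "__main__":
    for finding in diff_sections(PRIMARY_CONFIG, SECONDARY_CONFIG):
        print(finding)
    for tag in site_tags_not_in_flex_mode(SECONDARY_CONFIG):
        print(f"{tag}: maps a flex profile but its APs stay in local mode")
```

Run against the two constructed captures, the script reports the VLAN ID mismatch (169 versus 170), the policy profile that is centrally switched on the secondary only, and the site tag that never leaves local mode on the secondary. Feed it real `show running-config` output from both controllers before relying on failover; the comparison is by line within each block, so it does not report cosmetic reordering but does catch a mapping that moved between VLAN names.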

Configuring FlexConnect


Note

The configuration tasks must be performed in the order in which they are listed here.


Configuring a Switch at a Remote Site

Procedure


Step 1

Attach the access point, which will be enabled for FlexConnect, to a trunk or access port on the switch.

Note 

The sample configuration in this procedure shows the FlexConnect access point connected to a trunk port on the switch.

Step 2

The following example configuration shows you how to configure a switch to support a FlexConnect access point.

In this sample configuration, the FlexConnect access point is connected to the trunk interface FastEthernet 1/0/2 with native VLAN 100. The access point needs IP connectivity on the native VLAN. The remote site has local servers or resources on VLAN 101. A DHCP pool is created in the local switch for both the VLANs in the switch. The first DHCP pool (NATIVE) is used by the FlexConnect access point, and the second DHCP pool (LOCAL-SWITCH) is used by the clients when they associate to a WLAN that is locally switched.


.
.
.
ip dhcp pool NATIVE
   network 209.165.200.224 255.255.255.224
   default-router 209.165.200.225
   dns-server 192.168.100.167
!
ip dhcp pool LOCAL-SWITCH
   network 209.165.201.224 255.255.255.224
   default-router 209.165.201.225
   dns-server 192.168.100.167
!
interface FastEthernet1/0/1
 description Uplink port
 no switchport
 ip address 209.165.202.225 255.255.255.224
!
interface FastEthernet1/0/2
 description the Access Point port
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 100
 ! the native VLAN must be in the allowed list, or the AP has no path to the controller
 switchport trunk allowed vlan 100,101
 switchport mode trunk
!
interface Vlan100
 ip address 209.165.200.225 255.255.255.224
!
interface Vlan101
 ip address 209.165.201.225 255.255.255.224
!
end
.
.
.

Configuring the Controller for FlexConnect

You can configure the controller for FlexConnect in two environments:

  • Centrally switched WLAN

  • Locally switched WLAN

The controller configuration for FlexConnect consists of creating centrally switched and locally switched WLANs. This table shows three WLAN scenarios.

Table 1. WLAN Scenarios

WLAN                 Security            Authentication  Switching  Interface Mapping (VLAN)
Employee             WPA1+WPA2           Central         Central    Management (centrally switched VLAN)
Employee-local       WPA1+WPA2 (PSK)     Local           Local      101 (locally switched VLAN)
Guest-central        Web authentication  Central         Central    Management (centrally switched VLAN)
Employee-local-auth  WPA1+WPA2           Local           Local      101 (locally switched VLAN)

Configuring Local Switching in FlexConnect Mode (GUI)

Procedure

Step 1

Choose Configuration > Tags & Profiles > Policy.

Step 2

On the Policy Profile page, click the name of a policy profile to edit it or click Add to create a new one.

Step 3

In the Add/Edit Policy Profile window that is displayed, uncheck the Central Switching check box.

Step 4

Click Update & Apply to Device.


Configuring Local Switching in FlexConnect Mode (CLI)

Procedure
  Command or Action Purpose
Step 1

configure terminal

Example:
Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile policy profile-policy

Example:
Device(config)# wireless profile policy rr-xyz-policy-1

Configures WLAN policy profile and enters the wireless policy configuration mode.

Step 3

no central switching

Example:
Device(config-wireless-policy)# no central switching

Configures the WLAN for local switching.

Step 4

end

Example:
Device(config-wireless-policy)# end

Returns to privileged EXEC mode. Alternatively, you can also press Ctrl-Z to exit global configuration mode.

Connecting Client Devices to WLANs

Follow the instructions for your client device to create profiles to connect to the WLANs you created, as specified in the Configuring the Controller for FlexConnect .

In the example scenarios (see Configuring the Controller for FlexConnect), there are three profiles on the client:

  1. To connect to the employee WLAN, create a client profile that uses WPA or WPA2 with PEAP-MSCHAPV2 authentication. After the client is authenticated, the client is allotted an IP address by the management VLAN of the embedded controller.

  2. To connect to the local-employee WLAN, create a client profile that uses WPA or WPA2 authentication. After the client is authenticated, the client is allotted an IP address by VLAN 101 on the local switch.

  3. To connect to the guest-central WLAN, create a client profile that uses open authentication. After the client is authenticated, the client is allocated an IP address by VLAN 101 on the network local to the access point. After the client connects, a local user can enter any HTTP address in the web browser. The user is automatically directed to the controller to complete the web authentication process. When the web login window appears, the user should enter the username and password.

Configuring FlexConnect Ethernet Fallback

Information About FlexConnect Ethernet Fallback

You can configure an AP to shut down its radio when the Ethernet link is not operational. When the Ethernet link comes back to operational state, you can configure the AP to set its radio back to operational state. This feature is independent of the AP being in connected or standalone mode. When the radios are shut down, the AP does not broadcast the WLANs, and therefore, the clients cannot connect to the AP, either through first association or through roaming.

Configuring FlexConnect Ethernet Fallback

Before you begin

This feature is not applicable to APs with multiple ports.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile flex flex-profile-name

Example:

Device(config)# wireless profile flex test  

Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3

fallback-radio-shut

Example:

Device(config-wireless-flex-profile)# fallback-radio-shut  

Enables radio interface shutdown.

Step 4

end

Example:

Device(config-wireless-flex-profile)# end  

Exits configuration mode and returns to privileged EXEC mode.

Step 5

show wireless profile flex detailed flex-profile-name

Example:

Device# show wireless profile flex detailed test  

(Optional) Displays detailed information about the selected profile.

Proxy ARP

Proxy ARP, the most common method for learning about other routes, enables an Ethernet host with no routing information to communicate with hosts on other networks or subnets. The host assumes that all hosts are on the same local Ethernet and that it can use ARP to learn their MAC addresses. If a device receives an ARP request for a host that is not on the same network as the sender, the device evaluates whether it has the best route to that host. If it does, it sends an ARP reply with its own Ethernet MAC address, and the host that sent the request sends the packet to the device, which forwards it to the intended host. Proxy ARP treats all networks as if they are local, and answers ARP requests for every IP address.

Enabling Proxy ARP for FlexConnect APs

Follow the procedure given below to configure proxy ARP for FlexConnect APs.

Procedure

  Command or Action Purpose
Step 1

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 2

wireless profile flex flex-profile-name

Example:

Device(config)# wireless profile flex flex-test

Configures a wireless flex profile and enters wireless flex profile configuration mode.

Step 3

arp-caching

Example:

Device(config-wireless-flex-profile)# arp-caching

Enables ARP caching.

Note 

Use the no arp-caching command to disable ARP caching.

Step 4

end

Example:

Device(config-wireless-flex-profile)# end

Returns to privileged EXEC mode.

Step 5

show running-config | section wireless profile flex

Example:

Device# show running-config | section wireless profile flex

Displays the flex profile section of the running configuration, including the ARP caching setting.

Step 6

show wireless profile flex detailed flex-profile-name

Example:

Device# show wireless profile flex detailed flex-test

(Optional) Displays detailed information of the flex profile.

Step 7

show arp summary

Example:

Device# show arp summary

(Optional) Displays ARP summary.