• Single pane of monitoring and troubleshooting.

• Ease of management.

• Secured and seamless mobile access to Data Center resources.

• Reduction in branch footprint.

• Increase in operational savings.

• No operational downtime (survivability) against complete WAN link failures or controller unavailability.

• Mobility resiliency within branch during WAN link failures.

• Increase in branch scalability. Supports branch size that can scale up to 100 APs and 250,000 square feet (5000 sq. feet per AP).

The Cisco FlexConnect solution also supports Central Client Data Traffic, the table below defines the supported layer 2 and layer 3 security types only for central switched and local switched users.

FlexConnect APs are deployed at the Branch site and managed from the Data Center over a WAN link. The maximum transmission unit (MTU) must be at least 500 bytes.

Note	It is highly recommended that the minimum bandwidth restriction remains 12.8 Kbps per AP with the round trip latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments.

Refer the flexconnect matrix document on the below link to validate the list of supported feature.

• Branch size that can scale up to 100 APs and 250,000 square feet (5000 sq. feet per AP)

• Central management and troubleshooting

• No operational downtime

• Client-based traffic segmentation

• Seamless and secured wireless connectivity to corporate resources

• PCI compliant

• Support for guests

Branch customers find it increasingly difficult and expensive to deliver full-featured scalable and secure network services across geographic locations. In order to support customers, Cisco is addressing these challenges by introducing the FlexConnect deployment mode.

The FlexConnect solution virtualizes the complex security, management, configuration, and troubleshooting operations within the data center and then transparently extends those services to each branch. Deployments using FlexConnect are easier for IT to set up, manage and, most importantly, scale.

• Increase scalability with 6000 AP support.

• Increased resiliency using FlexConnect Fault Tolerance

• Increase segmentation of traffic using FlexConnect (Central and Local Switching).

• Ease of management by replicating store designs using different policy profiles and site tags per store while maintaining the same WLAN profile as seen in figure below:

The rest of the sections in the guide captures feature usage and recommendations to realize the typical branch network design.

Profiles represent a set of attributes that are applied to the clients associated to the APs .Profiles are reusable entities which can be used across tags. Profiles (used by Tags) define the properties of the AP or associated clients.

There are different kinds of profiles depending on the characteristic of the entities they define. These profiles are in turn part of a larger construct called a Tag.

A Tag’s property is defined by the property of the profiles associated to it. This property is in turn inherited by an associated client/AP. There are various type of tags, each associated to different profiles.

No two types of Tags include profiles having common properties. This helps eliminate the precedence amongst the configuration entities to a large extent. Every Tag has a default that is created when the system boots up.

• AAA VLAN override is supported on WLANs configured for local switching in central and local authentication mode.

• AAA override should be enabled on the policy profile mapped to the WLAN.

• The FlexConnect AP should have VLAN pre-created from WLC, this is done in the flex profile mapped to the site tag.

• If VLANs returned by AAA override are not present on AP, client will be excluded and not allowed access to the network.

• Multicast traffic on a AAA overridden VLAN is not supported

Traffic flow on WLANs configured for Local Switching when Flex APs are in Connected Mode.

• If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the Flex AP database, traffic will switch centrally and the client will be assigned this VLAN/Interface returned from the AAA server provided that the VLAN exists on the WLC.

• If the VLAN is returned as one of the AAA attributes and that VLAN is not present in the Flex AP database, traffic will switch centrally. If that VLAN is also not present on the WLC, the client will be excluded with the reason VLAN failure.

• If the VLAN is returned as one of the AAA attributes and that VLAN is present in the Flex Connect AP database, traffic will switch locally.

• If the VLAN is not returned from the AAA server, the client will be assigned a VLAN mapped on the policy profile that is attached to the policy tag on that FlexConnect AP and traffic will switch locally.

• If the VLAN returned as part of the AAA attribute is present on both the AP and WLC, the client will be locally switched. The vlan on the AP takes precedence over the one on the WLC.

Traffic flow on WLANs configured for Local Switching when Flex APs are in Standalone Mode:

• If the VLAN returned by an AAA server is not present in the Flex AP database, the client will be put to default VLAN (that is the VLAN mapped on the policy profile which is linked to the WLAN). When the AP connects back, this client will be de-authenticated and will switch traffic centrally.

• If the VLAN returned by an AAA server is present in the Flex AP database, the client will be put into a returned VLAN and traffic will switch locally.

• If the VLAN is not returned from an AAA server, the client will be assigned a WLAN mapped VLAN on that FlexConnect AP and traffic will switch locally.

• The use of local authentication in branch enables resiliency at the branch location by providing wireless access in scenarios where the WAN connectivity is lost with the Data center. The AP moves to standalone mode and provides wireless access with authentication for dot1x directed to a radius server available at the branch side.

• The AP can act as a radius server and this feature is only supported on the Wave1 AP’s.

• This feature can be used with central authentication or local authentication .In Central authentication case the WLC will authenticate the wireless clients as long as the AP is in connected mode.

• Once the AP loses connectivity with the WLC the AP will move to standalone and authenticate the client locally.

• This feature can be used with local authentication and local switching, in cases where there is a local radius server at the branch, the AP can forward the radius request to the radius server at the branch thereby avoiding the latency variation caused by the WAN links.

• EAP-LEAP is the only method supported for AP as radius Server.

FlexConnect AP can be configured as a RADIUS server for LEAP client authentication. In standalone mode and also when local authentication feature is enabled on the WLANs, FlexConnect AP will do dot1x authentication on the AP itself using the local radius facility.

• The AP in standalone mode can support a maximum of two radius servers, the first server added in the server group acts as the primary. The second radius server acts as a backup for the primary.

• The AP as radius server is supported only on Wave 1 AP‘s . On 16.10 the EAP method supported for AP as radius server is EAP-LEAP.

• Fast roaming is not supported with default site-tag, if the AP’s are mapped to a default site tag then the master key for caching is not shared among those APs.

The ACL implementation for branch deployments can be done through the following methods:

• WLAN ACL - The ACL applied on the WLAN dot11 interface and is enforced to all the client connecting on that SSID

• WLAN ACL - The ACL applied on the WLAN dot11 interface and is enforced to all the client connecting on that SSID

• Client ACL- The ACL returned as part of the AAA attribute and is enforced for the specific client

The ACL for the enforcement needs to be created on the WLC and also needs to be pushed to the Flex AP, the way to push the ACL to the flex AP is using the flex profiles. An administrator can create policy ACL on the flex profile to push the ACL on the AP or use a dummy VLAN to ACL mapping on the flex profile. When a wireless client joins an SSID and an ACL is enforced either through WLAN/VLAN or AAA, the WLC checks if the ACL is also pushed to the AP .If the ACL is not present on the AP the client is moved to exclusion list .

• This feature allows application of Per-Client ACL for locally switching WLANs.

• Client ACL is returned from the AAA server on successful Client authentication.

• The AP needs to be provisioned with the ACL by using the policy ACL or dummy vlan acl mapping on the flex profile.

• The ACL will be pushed to all the AP’s that has the same site tag and policy tag mapped.

• In the case of central authentication, when the controller receives the ACL from the AAA server, it will send the ACL name to the AP for the client. For locally authenticated clients, the ACL name will be sent from the AP to the controller as part of CCKM/PMK cache, which will then be distributed to all APs belonging to the same site tag and policy tag.

• Ease of software management

• Schedule per branch updates: NCS or Cisco Prime is needed to accomplish this.

• Reduces downtime

The Controller needs to be install mode for the AP pre-image to work, if a controller works in bundle mode it needs to be converted to install mode. Please refer cisco.com for the conversion for bundle mode to install mode.

• Master and Slave APs are selected for each AP Model per site tag

• Master downloads image from WLC

• Slave downloads image from Master AP using tftp

• Reduces downtime and saves WAN bandwidth

• The master is choosen by the system , the AP with the lowest mac among the same type and model is to become a master

The system decides on the election of a master AP and the decision on who the master is decided when the smart AP image download process is initiated. Once the decision is made any AP that joins after and which has a lower mac will not alter or change the master AP already elected.

Pre-auth ACL refers to a state when a wireless client would require access to resources prior to getting authenticated. In case of the LWA/CWA or BYOD the client might require access to resources before getting full access into the network. The URL filtering for flex is supported only on the Wave 2 platforms. The url filtering follows a whitelist and black list model of working, the administrator can specify up to 20 URLS within a URL filter. The URL filter supports wild card matching to support sub URL matching.

For e.g.:

The URL filtering ACL works along with a regular ACL, to have the URL ACL pushed to a flex AP it needs to be linked with a regular ACL in the flex profile .The URL ACL works by snooping the DNS transaction between the DNS client and a DNS server, for flex deployment the DNS snooping is performed on the AP for each client. With snooping in place, AP learns the IP address of the resolved domain name in the DNS response. If the domain name matches the configured URL, then the DNS response is parsed for the IP address, and the IP address is mapped in the ACL for locally switched traffic. The rules created from DNS parsing has a permit or deny based on the URL filtering rules which is either white listing or blacklisting. When a packet from or to a client traverses through the AP, the DNS rules are processed first before proceeding with the regular ACL processing. The URL filtering is optional configuration on the LWA and CWA flow.

• The URL filter is only supported on wave2 AP‘s and is not supported on wave 1 APs.

• Post Auth support for URL filter is not supported for local switched clients.

• FlexConnect will not disconnect clients when the AP is connecting back to the same controller provided there is no change in configuration on the controller.

• FlexConnect will not disconnect clients when connecting to the backup controller provided there is no change in configuration and the backup controller is identical to the primary controller.

• FlexConnect will not reset its radios on connecting back to the primary controller provided there is no change in configuration on the controller.

• Supported on both Wave1 and Wave 2 AP’s.

• Supported only for FlexConnect with Central/Local Authentication with Local Switching.

• Centrally authenticated clients require full re-authentication if the client session timer expires before the FlexConnect AP switches from Standalone to Connected mode.

• FlexConnect primary and backup controllers must be in the same mobility domain.

This feature enables the wireless architecture to deploy multicast video streaming across the branches, just like it is currently possible for enterprise deployments. This feature recompenses the drawbacks that degrade the video delivery as the video streams and clients scale in a branch network. VideoStream makes video multicast to wireless clients more reliable and facilitates better usage of wireless bandwidth in the branch.

On a traditional WLAN networks multicast and broadcast is send out over the wireless medium at the lowest data rate with no acknowledgement and the packet delivery for such streams are on a best effort basis .This makes the usage of multicast unreliable on a WLAN network . The usage of multicast for delivering critical application has become a demand and need of the hour. There is also a need to differentiate multiple streams and assign priority and weightage based on the applications supported. With the adoption of 802.11ac and the data rates supported it is possible to deliver multicast streams using the data rates available on 11ac with reliability and priority built in.

• VideoStream provides efficient bandwidth utilization by removing the need to broadcast multicast packets to all WLANs on the AP

• Supported on Wave 1 and Wave 2 AP’s

• Supported for flexconnect local switching and Central authentication

• With video stream in flex connect local switching the multicast to unicast conversion happens on the AP

• The branch infrastructure should have multicast enabled

• Admission control is currently not supported

• IPv6 support for media stream is not supported

The section below details the procedure for configuring media stream from the controller.It is expected the branch network is enabled for multicast. Please refer the cisco.com on enabling multicast on the switching platforms.

Please ensure the following multicast features are enabled on the network.

• Multicast routing protocol – PIM sparse/dense mode

• IGMP version 2 or 3

• IGMP snooping

This section doesn’t cover enabling multicast on the infrastructure rather on the wireless controller.