When to FlexConnect

This week I’m having talks with a client regarding wireless at his remote sites. They currently have autonomous access points on all these sites, are looking to change to controller-based access points, and are starting to ask questions like ‘Do I need a WLC on each site?’, ‘How many APs can I have on a remote site connecting back to a central WLC?’ and ‘What happens when the WAN link goes down?’. Hopefully the answers can be found in this post.


FlexConnect is a wireless solution for branch office and remote office deployments. From a central Wireless LAN Controller (WLC), hopefully in your Data Centre with a redundant WLC not too far away, you can configure, control and manage access points in a branch or remote office. No need for a WLC in each office.

Switching Modes 

There are two switching modes supported by FlexConnect APs:

Local Switched: Locally switched WLANs (the SSID you are connected to) map their wireless user traffic to a VLAN via 802.1Q trunking to a local switch adjacent to the access point. A branch user who is associated to a locally switched WLAN has their traffic forwarded by the on-site router. Traffic destined off-site (to the central site) is forwarded as standard IP packets by the branch router. All AP control/management-related traffic is sent to the centralized Wireless LAN Controller (WLC) via CAPWAP. The diagram below, from the Enterprise Mobility 7.3 Design Guide, shows that the locally switched VLAN terminates at the switch, and traffic can move from there to the branch servers or over the WAN as standard IP packets rather than through a CAPWAP-controlled tunnel.

[Figure: FlexConnect]

Central Switched: Centrally switched WLANs tunnel both the wireless user traffic and all control traffic via CAPWAP to the centralized WLC, where the user traffic is mapped to a dynamic interface/VLAN on the WLC. This is the normal CAPWAP mode of operation. The traffic of a branch user who is associated to a centrally switched WLAN is tunnelled directly to the centralized WLC. If that user needs to communicate with computing resources within the branch (where that client is associated), their data is forwarded as standard IP packets back across the WAN link to the branch location. Depending on the WAN link bandwidth, this might not be desirable behaviour.

Thus, if the branch client is connected to an SSID that needs local services (such as print services and internet breakout) as well as centralized services (such as e-mail and AD), I would suggest following local switching. I would only follow central switching when the only service the WLAN provides is central, such as secure guest services.

Design Considerations 

For me the main consideration is the WAN-link and here are some of the main considerations to take into account:

  • It is highly recommended that the minimum bandwidth restriction remains 12.8 kbps per AP.
  • The round trip latency should not be greater than 300 ms for data deployments and 100 ms for data + voice deployments.
  • The maximum transmission unit (MTU) must be at least 500 bytes.

| Deployment Type | WAN Bandwidth (Min) | WAN RTT Latency (Max) | APs per Branch (Max) | Clients per Branch (Max) |
|---|---|---|---|---|
| Data | 64 kbps | 300 ms | 5 | 25 |
| Data + Voice | 128 kbps | 100 ms | 5 | 25 |
| Monitor | 64 kbps | 2 sec | 5 | N/A |
| Data | 640 kbps | 300 ms | 50 | 1000 |
| Data + Voice | 1.44 Mbps | 100 ms | 50 | 1000 |
| Monitor | 640 kbps | 2 sec | 50 | N/A |
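The limits above can be turned into a repeatable check across many branch sites. The following is an added example, not code from the original post or from Cisco; the site names and measurements are constructed, and holding a branch to the smallest table row that covers its size is an assumption.

```python
# Rows from the post's table:
# (deployment, min WAN kbps, max RTT ms, max APs, max clients or None for N/A)
ROWS = [
    ("data",       64,   300,  5,  25),
    ("data+voice", 128,  100,  5,  25),
    ("monitor",    64,   2000, 5,  None),
    ("data",       640,  300,  50, 1000),
    ("data+voice", 1440, 100,  50, 1000),
    ("monitor",    640,  2000, 50, None),
]
MIN_MTU = 500  # bytes, from the post's bullet list

def check_branch(deployment, wan_kbps, rtt_ms, mtu, aps, clients=0):
    """Return a list of findings; an empty list means the link fits."""
    # Assumption: a branch is held to the smallest row that covers its size.
    fits = [r for r in ROWS if r[0] == deployment and aps <= r[3]
            and (r[4] is None or clients <= r[4])]
    if not fits:
        return [f"{aps} APs / {clients} clients exceeds every {deployment} row"]
    _, min_kbps, max_rtt, max_aps, _ = min(fits, key=lambda r: r[3])
    findings = []
    if wan_kbps < min_kbps:
        findings.append(f"WAN {wan_kbps} kbps below {min_kbps} kbps ({max_aps}-AP row)")
    if rtt_ms > max_rtt:
        findings.append(f"RTT {rtt_ms} ms above {max_rtt} ms")
    if mtu < MIN_MTU:
        findings.append(f"MTU {mtu} below {MIN_MTU} bytes")
    return findings

# Constructed sample sites (deployment, kbps, RTT ms, MTU, APs, clients).
SITES = {
    "small-office": ("data", 64, 250, 1500, 5, 20),
    "warehouse": ("data+voice", 1024, 120, 1400, 8, 60),
    "campus-annex": ("data", 2048, 80, 1500, 60, 400),
}

def audit(sites=SITES):
    """Run check_branch over every site and collect the findings."""
    return {name: check_branch(*args) for name, args in sites.items()}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else findings)
```
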

Other considerations you might want to look at are roaming capabilities and QoS, but from experience with both Cisco and Spectralink wireless phone solutions I had no problems getting them working over a FlexConnect local switching solution.

Operation Modes

There are two modes of operation for the FlexConnect AP.

  • Connected mode: The WLC is reachable. In this mode the FlexConnect AP has CAPWAP connectivity with its WLC.
  • Standalone mode: The WLC is unreachable. The FlexConnect AP has lost or failed to establish CAPWAP connectivity with its WLC. A WAN-link outage between a branch and its central site is an example of such a mode of operation.

FlexConnect States

A FlexConnect WLAN, depending on its configuration and network connectivity, is classified as being in one of the following defined states.

  • Authentication-Central/Switch-Central: This state represents a WLAN that uses a centralized authentication method such as 802.1X, VPN, or web. User traffic is sent to the WLC via CAPWAP (Central switching). This state is supported only when FlexConnect is in connected mode.
  • Authentication-Down/Switching-Down: Central switched WLANs no longer beacon or respond to probe requests when the FlexConnect AP is in standalone mode. Existing clients are disassociated.
  • Authentication-Central/Switch-Local: This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when the FlexConnect AP is in connected mode.
  • Authentication-Down/Switch-Local: A WLAN that requires central authentication rejects new users. Existing authenticated users continue to be switched locally until session time-out if configured. The WLAN continues to beacon and respond to probes until there are no more existing users associated to the WLAN. This state occurs as a result of the AP going into standalone mode.
  • Authentication-Local/Switch-Local: This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect AP goes into standalone mode. The WLAN continues to beacon and respond to probes. Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.
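To see what a WAN outage does to a specific branch, the states above can be applied to a WLAN inventory. The following is an added example, not code from the original post or from Cisco; the SSID names and client counts are constructed, and treating every centrally switched WLAN as centrally authenticated while connected is an assumption.

```python
from typing import NamedTuple

# Security methods the post lists as supported locally in standalone mode.
LOCAL_AUTH = {"open", "static-wep", "shared", "wpa2-psk"}

class Wlan(NamedTuple):
    ssid: str              # constructed sample name
    security: str          # "802.1x", "vpn", "web" or one of LOCAL_AUTH
    local_switching: bool
    clients: int = 0       # currently associated clients

class State(NamedTuple):
    name: str
    beacons: bool
    accepts_new: bool
    keeps_existing: bool

def flexconnect_state(wlan: Wlan, wlc_reachable: bool) -> State:
    if not wlan.local_switching:
        # User traffic rides the CAPWAP tunnel, so it dies with the tunnel.
        # Assumption: every central-switched WLAN counts as centrally
        # authenticated while the AP is connected.
        if wlc_reachable:
            return State("Authentication-Central/Switch-Central", True, True, True)
        return State("Authentication-Down/Switching-Down", False, False, False)
    if wlan.security in LOCAL_AUTH:
        # Same state in connected and standalone mode.
        return State("Authentication-Local/Switch-Local", True, True, True)
    if wlc_reachable:
        return State("Authentication-Central/Switch-Local", True, True, True)
    # Standalone: no new users; beacons only while existing users remain.
    return State("Authentication-Down/Switch-Local", wlan.clients > 0, False, True)

def outage_impact(wlans):
    """Map each SSID to its state after the AP drops to standalone mode."""
    return {w.ssid: flexconnect_state(w, wlc_reachable=False) for w in wlans}

# Constructed branch inventory, not taken from the post.
BRANCH = [
    Wlan("corp-dot1x", "802.1x", True, clients=12),
    Wlan("guest-web", "web", False, clients=4),
    Wlan("scanners-psk", "wpa2-psk", True, clients=7),
]

if __name__ == "__main__":
    for ssid, st in outage_impact(BRANCH).items():
        print(f"{ssid:13} {st.name:38} beacons={st.beacons} new={st.accepts_new}")
```
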

I hope this summarization will help in your decisions regarding FlexConnect.

Reference and other FlexConnect information:

http://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Mobility/emob73dg/emob73/ch7_HREA.html

http://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-product-00.html
