Chapter 7: FlexConnect

FlexConnect (previously known as Hybrid Remote Edge Access Point or H-REAP) is a wireless solution for branch office and remote office deployments. It enables you to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. FlexConnect access points (APs) can switch client data traffic locally and perform client authentication locally. When they are connected to the controller, they can also send traffic back to the controller.

Figure 7-1 FlexConnect Architecture

Note: To view the FlexConnect feature matrix, see the Cisco tech note at ...oducts tech note09186a0080b3690b.shtml#matrix (link truncated in the source).

Enterprise Mobility 8.1 Design Guide, page 7-1

Supported Platforms

FlexConnect is only supported on these components:

• Cisco AP-1130, AP-1240, AP-1040, AP-1140, AP-1260, AP-1250, AP-3500, AP-1600, AP-2600, AP-3600, AP-3700, AP-1700, AP-2700, AP 700, AP-1520, AP-1530, AP-1550, and AP-1570 access points
• Cisco 5520, 8540, Flex 7500, Cisco 8500, 4400, 5500, and 2500 series controllers
• Cisco WiSM-2
• Cisco virtual controller (vWLC)

FlexConnect Terminology

For clarity, this section provides a summary of the FlexConnect terminology and definitions used throughout this chapter.

Switching Modes

FlexConnect APs are capable of supporting the following switching modes concurrently, on a per-WLAN basis.

Local Switched

Locally switched WLANs map wireless user traffic to discrete VLANs via 802.1Q trunking, either to an adjacent router or switch. If so desired, one or more WLANs can be mapped to the same local 802.1Q VLAN.

A branch user who is associated to a locally switched WLAN has their traffic forwarded by the on-site router. Traffic destined off-site (to the central site) is forwarded as standard IP packets by the branch router. All AP control/management-related traffic is sent to the centralized Wireless LAN Controller (WLC) separately via the Control and Provisioning of Wireless Access Points protocol (CAPWAP).

Central Switched

Central switched WLANs tunnel both the wireless user traffic and all control traffic via CAPWAP to the centralized WLC, where the user traffic is mapped to a dynamic interface/VLAN on the WLC. This is the normal CAPWAP mode of operation.

The traffic of a branch user who is associated to a central switched WLAN is tunneled directly to the centralized WLC. If that user needs to communicate with computing resources within the branch (where that client is associated), their data is forwarded as standard IP packets back across the WAN link to the branch location. Depending on the WAN link bandwidth, this might not be desirable behavior.

Operation Modes

There are two modes of operation for the FlexConnect AP.

Connected mode—The WLC is reachable. In this mode the FlexConnect AP has CAPWAP connectivity with its WLC.

Standalone mode—The WLC is unreachable. The FlexConnect AP has lost or failed to establish CAPWAP connectivity with its WLC: for example, when there is a WAN link outage between a branch and its central site.

FlexConnect States

A FlexConnect WLAN, depending on its configuration and network connectivity, is classified as being in one of the following defined states.

Authentication-Central/Switch-Central

This state represents a WLAN that uses a centralized authentication method such as 802.1X, VPN, or web. User traffic is sent to the WLC via CAPWAP. This state is supported only when FlexConnect is in connected mode (Figure 7-2); 802.1X is used in the example, but other mechanisms are equally applicable.

Figure 7-2 Authentication-Central/Switch-Central WLAN

Authentication-Down/Switching-Down

Central switched WLANs (above) no longer beacon or respond to probe requests when the FlexConnect AP is in standalone mode. Existing clients are disassociated.

Authentication-Central/Switch-Local

This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when the FlexConnect AP is in connected mode (Figure 7-3); 802.1X is used in the Figure 7-3 example, but other mechanisms are equally applicable.

Figure 7-3 Authentication-Central/Switch-Local WLAN (diagram labels: Corporate Central, Branch, Centralized WLAN Controller, Cisco Prime Infrastructure, AAA, Branch Servers, FlexConnect, CAPWAP Control, 802.1x, CAPWAP dot1q, User Data, Local Switched User Data)

Authentication-Down/Switch-Local

A WLAN that requires central authentication (as explained above) rejects new users. Existing authenticated users continue to be switched locally until session time-out (if configured). The WLAN continues to beacon and respond to probes until there are no more (existing) users associated to the WLAN. This state occurs as a result of the AP going into standalone mode (Figure 7-4).

Figure 7-4 Authentication-Down/Local Switch (diagram labels: New User, Existing User, Corporate Central, Branch, Branch Servers, AAA, Cisco Prime Infrastructure, FlexConnect, Centralized WLAN Controller, User Data, Local Switched User Data, CAPWAP Control, 802.1x, CAPWAP dot1q)

Authentication-Local/Switch-Local

This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect AP goes into standalone mode. The WLAN continues to beacon and respond to probes (Figure 7-5). Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

Figure 7-5 Authentication-Local/Switch-Local WLAN (diagram labels: New User, Existing User, Corporate Central, Branch, Branch Servers, WEP, Shared, WPA/2-PSK, Cisco Prime Infrastructure, Centralized WLAN Controller, Local Auth, User Data, Local Switched User Data, CAPWAP Control, CAPWAP dot1q)

Note: All 802.11 authentication and association processing occurs regardless of which operational mode the AP is in. When in connected mode, the FlexConnect AP forwards all association/authentication information to the WLC. When in standalone mode, the AP cannot notify the WLC of such events, which is why WLANs that make use of central authentication/switching methods are unavailable.

Applications

The FlexConnect AP offers greater flexibility in how it can be deployed, such as:

• Branch wireless connectivity
• Branch guest access
• Public WLAN hotspot
• Wireless BYOD in branch sites

Branch Wireless Connectivity

FlexConnect addresses the wireless connectivity needs in branch locations by permitting wireless user traffic to terminate locally rather than being tunneled across the WAN to a central WLC. With FlexConnect, branch locations can more effectively implement segmentation, access control, and QoS policies on a per-WLAN basis, as shown in Figure 7-6.
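The state classification given under FlexConnect States above, worked as an added example (Python written for this page, not code from the design guide or from Cisco): it maps a WLAN's security method, switching mode and WLC reachability to the chapter's five states and the behaviour each implies, so a branch WLAN plan can be checked for what survives a WAN outage. The method name strings, and the rule that a locally authenticated WLAN is locally switched, are assumptions of this model.

```python
from dataclasses import dataclass
from enum import Enum

class Switching(Enum):
    CENTRAL = "central"   # user traffic tunneled to the WLC over CAPWAP
    LOCAL = "local"       # user traffic mapped to a local 802.1Q VLAN

# Security methods named in the chapter, grouped by where authentication happens.
CENTRAL_AUTH = {"802.1x", "vpn", "web"}                    # need the WLC: connected mode only
LOCAL_AUTH = {"open", "static-wep", "shared", "wpa2-psk"}   # the only methods usable in standalone mode

@dataclass(frozen=True)
class WlanState:
    name: str                    # state name as the chapter labels it
    beacons: bool                # AP still beacons and answers probes
    accepts_new_clients: bool
    keeps_existing_clients: bool

def wlan_state(security_method: str, switching: Switching, wlc_reachable: bool) -> WlanState:
    """Map one WLAN to the chapter's state; wlc_reachable=False means standalone mode."""
    method = security_method.lower()
    if method in LOCAL_AUTH:
        if switching is not Switching.LOCAL:
            raise ValueError("the chapter only defines locally authenticated WLANs as locally switched")
        # Works in both modes; in connected mode the auth information is still forwarded to the WLC.
        return WlanState("Authentication-Local/Switch-Local", True, True, True)
    if method not in CENTRAL_AUTH:
        raise ValueError(f"unknown security method: {security_method}")
    if wlc_reachable:
        name = ("Authentication-Central/Switch-Central" if switching is Switching.CENTRAL
                else "Authentication-Central/Switch-Local")
        return WlanState(name, True, True, True)
    if switching is Switching.CENTRAL:
        # Standalone: the central switched WLAN stops beaconing and existing clients are disassociated.
        return WlanState("Authentication-Down/Switching-Down", False, False, False)
    # Standalone: new users are rejected, existing locally switched users stay until session time-out.
    return WlanState("Authentication-Down/Switch-Local", True, False, True)

def outage_impact(wlans) -> dict:
    """For (ssid, security_method, switching) tuples, name each WLAN's state while the WLC is unreachable."""
    return {ssid: wlan_state(method, sw, wlc_reachable=False).name for ssid, method, sw in wlans}

if __name__ == "__main__":
    # Constructed branch WLAN set, not taken from the guide.
    branch = [("corp", "802.1x", Switching.LOCAL),
              ("guest", "web", Switching.CENTRAL),
              ("iot", "wpa2-psk", Switching.LOCAL)]
    for ssid, state in outage_impact(branch).items():
        print(f"{ssid}: {state}")
```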

Branch Guest Access

The centralized WLC itself, as shown in Figure 7-6, can perform web authentication for guest access WLANs. The guest user's traffic is segmented (isolated) from other branch office traffic. For more detailed information on guest access, refer to Chapter 10, "Cisco Unified Wireless Network Guest Access Services."

Figure 7-6 FlexConnect Topology (diagram labels: Cisco Prime Infrastructure, Corporate Servers, Branch Servers, Centralized WLAN Controller, Branch, Corporate Central, VLAN Local Access WLAN 1, VLAN Local Access WLAN 2, Management VLAN, CAPWAP Control, WLAN 2)

Public WLAN Hotspot

Many public hotspot service providers are beginning to implement multiple SSIDs/WLANs. One reason for this is that an operator might want to offer an open authentication WLAN for web-based access and another WLAN that uses 802.1x/EAP for more secure public access.

The FlexConnect AP, with its ability to map WLANs to separate VLANs, is an alternative to a standalone AP for small venue hotspot deployments where only one, or possibly two, APs are needed. Figure 7-7 provides an example of a hotspot topology using a FlexConnect AP.

Figure 7-7 Hotspot Access using FlexConnect Local Switching (diagram labels: Service Provider, Hotspot, AAA, Web Server, Cisco Prime Infrastructure, Mobile Worker, Centralized WLAN Controller, Cisco SSG)

Wireless BYOD in Branch Sites

Release supports these ISE functionalities for FlexConnect APs for locally switched and centrally authenticated clients. Also, release integrated with ISE 1.1.1 provides (but is not limited to) these BYOD solution features for wireless:

• Device profiling and posture
• Device registration and supplicant provisioning
• Onboarding of personal devices (provisioning iOS or Android devices)

Deployment Considerations

The following section covers the various implementation and operational caveats associated with deploying FlexConnect APs.

WAN Link

For the FlexConnect AP to function predictably, keep in mind the following with respect to WAN link characteristics:

• Latency—A given WAN link should not impose latencies greater than 100 ms. The AP sends heartbeat messages to the WLC once every thirty seconds. If a heartbeat response is missed, the AP sends five successive heartbeats (one per second) to determine whether connectivity still exists. If connectivity is lost, the FlexConnect AP switches to standalone mode.
  Similarly, the AP and WLC exchange CAPWAP echo packets to check connectivity. If a CAPWAP echo response is missed, the AP sends five successive CAPWAP echo packets (every three seconds) to determine whether connectivity still exists. If connectivity is lost, the FlexConnect AP switches to standalone mode (see Operation Modes, page 7-3, for operation mode definitions). The AP itself is relatively delay tolerant. However, at the client, timers associated with authentication are sensitive to link delay, and thus a constraint of 100 ms is required. Otherwise, the client can time out waiting to authenticate, which can cause other unpredictable behaviors, such as looping.
• Bandwidth—WAN links should be at least 128 kbps for deployments where up to eight APs are deployed at a given location. If more than eight APs are deployed, proportionally more bandwidth should be provisioned for the WAN link.
• Path MTU—An MTU no smaller than 500 bytes is required.

Roaming

When a FlexConnect AP is in connected mode, all client probes, association requests, 802.1x authentication requests, and corresponding response messages are exchanged between the AP and the WLC via the CAPWAP control plane.
This is true for open, static WEP, and WPA PSK-based WLANs even though CAPWAP connectivity is not required to use these authentication methods when the AP is in standalone mode.

• Dynamic WEP/WPA—A client that roams between FlexConnect APs using one of these key management methods performs full authentication each time it roams. After successful authentication, new keys are passed back to the AP and client. This behavior is no different than a standard centralized WLAN deployment, except that in a FlexConnect topology there can be link delay variations across the WAN, which can in turn impact total roam time. Depending on the WAN characteristics, RF design, back-end authentication network, and authentication protocols being used, roam times may vary.
• WPA2—To improve client roam times, WPA2 introduced key caching capabilities, based on the IEEE 802.11i specification. Cisco created an extension to this specification called Proactive Key Caching (PKC). PKC today is supported only by the Microsoft Zero Config Wireless supplicant and the Funk (Juniper) Odyssey client. Cisco CCKM is also compatible with WPA2.

Remote branch locations requiring predictable, fast roaming behavior in support of applications such as wireless IP telephony should consider deploying a local WLC (Virtual Controller on a UCS blade or a 2500 WLC).
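The WAN Link constraints from the Deployment Considerations section above, as an added example (Python written for this page, not from the guide): a checker for the latency, bandwidth and path MTU limits, plus the heartbeat-driven time at which an AP enters standalone mode. Linear bandwidth scaling in blocks of eight APs and a heartbeat schedule starting at t = 30 s are assumptions made here; the CAPWAP echo path is not modelled because the chapter does not give its base interval.

```python
import math

# Thresholds from the WAN Link section of this chapter.
MAX_LATENCY_MS = 100            # above this, client authentication timers may expire
BANDWIDTH_PER_BLOCK_KBPS = 128  # 128 kbps covers up to eight APs at one site
APS_PER_BLOCK = 8
MIN_PATH_MTU = 500
HEARTBEAT_INTERVAL_S = 30       # AP-to-WLC heartbeat period
HEARTBEAT_RETRIES = 5           # successive one-per-second heartbeats after a missed response

def required_bandwidth_kbps(ap_count: int) -> int:
    """Bandwidth to provision for a site with ap_count FlexConnect APs.

    The chapter gives 128 kbps for up to eight APs and 'proportionally more'
    beyond that; scaling linearly in blocks of eight is an assumption made here."""
    if ap_count < 1:
        raise ValueError("ap_count must be at least 1")
    return math.ceil(ap_count / APS_PER_BLOCK) * BANDWIDTH_PER_BLOCK_KBPS

def standalone_entry_time_s(link_loss_at_s: float) -> float:
    """Time (s) at which the AP switches to standalone mode via the heartbeat path.

    Assumes heartbeats are sent at t = 30, 60, 90, ... (constructed schedule).
    The first heartbeat at or after the link loss gets no response, the AP then
    sends five heartbeats one second apart, and standalone mode follows."""
    if link_loss_at_s <= 0:
        raise ValueError("link loss time must be positive")
    first_missed = HEARTBEAT_INTERVAL_S * math.ceil(link_loss_at_s / HEARTBEAT_INTERVAL_S)
    return first_missed + HEARTBEAT_RETRIES

def check_wan_link(latency_ms: float, bandwidth_kbps: float, path_mtu: int, ap_count: int) -> list:
    """Return the chapter's WAN constraints that this link violates (empty list means OK)."""
    findings = []
    if latency_ms > MAX_LATENCY_MS:
        findings.append(f"latency {latency_ms} ms exceeds {MAX_LATENCY_MS} ms: clients may time out authenticating")
    need = required_bandwidth_kbps(ap_count)
    if bandwidth_kbps < need:
        findings.append(f"bandwidth {bandwidth_kbps} kbps is below the {need} kbps needed for {ap_count} APs")
    if path_mtu < MIN_PATH_MTU:
        findings.append(f"path MTU {path_mtu} bytes is below the {MIN_PATH_MTU} byte minimum")
    return findings

if __name__ == "__main__":
    # Constructed branch link figures, not from the guide.
    for finding in check_wan_link(latency_ms=140, bandwidth_kbps=128, path_mtu=400, ap_count=12):
        print(finding)
    print("standalone at t =", standalone_entry_time_s(31), "s for a link lost at t = 31 s")
```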

Note:

• Cisco Centralized Key Management (CCKM)—CCKM is a Cisco-developed protocol in which the WLC caches the security credentials of CCKM-capable clients and forwards those credentials to other APs within a mobility group. When a client roams and associates with another AP, their credentials are forwarded to that AP, which allows the client to re-associate and authenticate in a two-step process. This eliminates the need for full authentication back to the AAA server. CCKM-capable clients undergo full 802.1x authentication each time they roam from one FlexConnect AP to another.
• FlexConnect Groups are required for CCKM/OKC fast roaming to work with FlexConnect access points. Fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a simple and secure key exchange can occur when a wireless client roams to a different access point. This feature prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to another. The FlexConnect access points need to obtain the CCKM/OKC cache information for all the clients that might associate so they can process it quickly instead of sending it back to the controller. If, for example, you have a controller with 300 access points and 100 clients that might associate, sending the CCKM/OKC cache for all 100 clients is not practical. If you create a FlexConnect Group comprising a limited number of access points (for example, you create a group for four access points in a remote office), the clients roam only among those four access points, and the CCKM/OKC cache is distributed among those four access points only when the clients associate to one of them.
• Layer 2 switch CA
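The FlexConnect Group cache behaviour described in the Note above, as an added model (Python written for this page, not Cisco code): a full EAP authentication populates a per-group cache, a roam to another AP in the same group completes as a fast key exchange, and a roam to an AP outside the group forces a full authentication; the last function reproduces the 300-AP versus four-AP distribution arithmetic the Note gives. Group names, AP names and the key-derivative strings are constructed stand-ins, not real key material.

```python
class FlexConnectGroup:
    """Models the CCKM/OKC cache shared by the APs of one FlexConnect group.

    A full EAP authentication yields a derivative of the master key; the group
    holds it so any member AP can complete a fast key exchange on a roam."""

    def __init__(self, name: str, aps):
        self.name = name
        self.aps = frozenset(aps)
        self._cache = {}  # client -> key derivative (constructed stand-in, not real key material)

    def learn(self, client: str) -> None:
        self._cache[client] = f"key-derivative({client}@{self.name})"

    def can_fast_roam(self, client: str) -> bool:
        return client in self._cache

    def cache_entries(self) -> int:
        """Entries held across the group: one per cached client, on every member AP."""
        return len(self._cache) * len(self.aps)

class Site:
    """All FlexConnect groups a client could roam across."""

    def __init__(self, groups):
        self._ap_to_group = {ap: g for g in groups for ap in g.aps}

    def associate(self, client: str, ap: str) -> str:
        group = self._ap_to_group.get(ap)
        if group is None:
            raise KeyError(f"{ap} is not a member of any FlexConnect group")
        if group.can_fast_roam(client):
            return "fast-roam"        # cached key exchange, no RADIUS EAP round trip over the WAN
        group.learn(client)           # full 802.1X/EAP authentication, then cached for this group
        return "full-authentication"

def cache_entries_to_distribute(ap_count: int, client_count: int) -> int:
    """Entries to push if every one of ap_count APs must hold every client's cache."""
    return ap_count * client_count

if __name__ == "__main__":
    # Constructed topology: a four-AP remote office group and a single-AP group elsewhere.
    office = FlexConnectGroup("remote-office", ["ap1", "ap2", "ap3", "ap4"])
    other = FlexConnectGroup("other-site", ["ap9"])
    site = Site([office, other])
    for ap in ["ap1", "ap2", "ap9", "ap3"]:
        print(ap, site.associate("laptop", ap))
    print(cache_entries_to_distribute(300, 100), "entries without groups vs", cache_entries_to_distribute(4, 100), "for a group of four")
```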