FlexConnect

• Information About FlexConnect, page 1
• Restrictions on FlexConnect, page 7
• Configuring FlexConnect, page 8
• Configuring FlexConnect ACLs, page 20
• Configuring FlexConnect Groups, page 25
Information About FlexConnect
FlexConnect (previously known as Hybrid Remote Edge Access Point or H-REAP) is a wireless solution for
branch office and remote office deployments. It enables customers to configure and control access points (AP)
in a branch or remote office from the corporate office through a wide area network (WAN) link without
deploying a controller in each office. The FlexConnect access points can switch client data traffic locally and
perform client authentication locally when their connection to the controller is lost. When they are connected
to the controller, they can also send traffic back to the controller. In the connected mode, the FlexConnect
access point can also perform local authentication.
Cisco Wireless LAN Controller Configuration Guide, Release 7.3
OL-27510-01
1
The figure below shows a typical FlexConnect deployment.
Figure 1: FlexConnect Deployment
The controller software has a more robust fault tolerance methodology for FlexConnect access points. In
previous releases, whenever a FlexConnect access point disassociated from a controller, it moved to the
standalone mode. The clients that were centrally switched were disassociated, while the FlexConnect access
point continued to serve locally switched clients. When the FlexConnect access point rejoined the controller
(or a standby controller), all clients were disconnected and had to authenticate again. This functionality has been
enhanced: the connection between the clients and the FlexConnect access point is now maintained intact and
the clients experience seamless connectivity, provided that the access point and the controller have the same
configuration.
After the client connection has been established, the controller does not restore the original attributes of the
client. The client username, current rate and supported rates, and listen interval values are reset to the default
values only after the session timer expires.
There is no deployment restriction on the number of FlexConnect access points per location. Multiple
FlexConnect groups can be defined in a single location.
The controller can send multicast packets in the form of unicast or multicast packets to the access point. In
FlexConnect mode, the access point can receive multicast packets only in unicast form.
FlexConnect access points support a 1-1 network address translation (NAT) configuration. They also support
port address translation (PAT) for all features except true multicast. Multicast is supported across NAT
boundaries when configured using the Unicast option. FlexConnect access points also support a many-to-one
NAT/PAT boundary, except when you want true multicast to operate for all centrally switched WLANs.
Note
Although NAT and PAT are supported for FlexConnect access points, they are not supported on the
corresponding controller. Cisco does not support configurations in which the controller is behind a
NAT/PAT boundary.
VPN and PPTP are supported for locally switched traffic if these security types are accessible locally at the
access point.
FlexConnect access points support multiple SSIDs.
Workgroup bridges and Universal Workgroup bridges are supported on FlexConnect access points for locally
switched clients.
FlexConnect supports IPv6 clients by bridging the traffic to local VLAN, similar to IPv4 operation. FlexConnect
supports Client Mobility for a group of up to 100 access points.
In release 8.0, the access point no longer needs to reboot when moving from local to FlexConnect mode.
Note
For the Cisco Flex 7500 Series Wireless LAN Controller, auto convert mode is available on the CLI. The
auto convert mode triggers the change on all the connected APs. The change of mode from Local to
FlexConnect and the associated reboot work in conjunction with the auto convert mode for the Cisco Flex 7500
Series WLC.
Note
When an AP is changed from local to FlexConnect mode, it does not reboot. When it is changed from FlexConnect
to local mode, it reboots; the GUI displays the warning "Warning: Changing AP Mode will reboot the AP and will
rejoin the controller after a few minutes. Are you sure you want to continue?", while the CLI gives no such
prompt. Changes between the other AP modes also cause the AP to reboot.
FlexConnect Authentication Process
When an access point boots up, it looks for a controller. If it finds one, it joins the controller, downloads the
latest software image and configuration from the controller, and initializes the radio. It saves the downloaded
configuration in nonvolatile memory for use in standalone mode.
Note
Once the access point has rebooted after downloading the latest controller software, it must be converted
to FlexConnect mode. This can be done using the GUI or CLI.
A FlexConnect access point can learn the controller IP address in one of these ways:
• If the access point has been assigned an IP address from a DHCP server, it can discover a controller
through the regular CAPWAP or LWAPP discovery process.
Note
OTAP is no longer supported on the controllers with 6.0.196 code and above.
• If the access point has been assigned a static IP address, it can discover a controller through any of the
discovery process methods except DHCP option 43. If the access point cannot discover a controller
through Layer 3 broadcast, we recommend DNS resolution. With DNS, any access point with a static
IP address that knows of a DNS server can find at least one controller.
• If you want the access point to discover a controller from a remote network where CAPWAP or LWAPP
discovery mechanisms are not available, you can use priming. This method enables you to specify
(through the access point CLI) the controller to which the access point is to connect.
Note
For more information about how access points find controllers, see the controller deployment
guide at:
http://www.cisco.com/c/en/us/td/docs/wireless/technology/controller/deployment/guide/dep.html.
When a FlexConnect access point can reach the controller (referred to as the connected mode), the controller
assists in client authentication. When a FlexConnect access point cannot access the controller, the access point
enters the standalone mode and authenticates clients by itself.
Note
The LEDs on the access point change as the device enters different FlexConnect modes. See the hardware
installation guide for your access point for information on LED patterns.
When a client associates to a FlexConnect access point, the access point sends all authentication messages to
the controller and either switches the client data packets locally (locally switched) or sends them to the
controller (centrally switched), depending on the WLAN configuration. With respect to client authentication
(open, shared, EAP, web authentication, and NAC) and data packets, the WLAN can be in any one of the
following states depending on the configuration and state of controller connectivity:
• central authentication, central switching—In this state, the controller handles client authentication, and
all client data is tunneled back to the controller. This state is valid only in connected mode.
• central authentication, local switching—In this state, the controller handles client authentication, and
the FlexConnect access point switches data packets locally. After the client authenticates successfully,
the controller sends a configuration command with a new payload to instruct the FlexConnect access
point to start switching data packets locally. This message is sent per client. This state is applicable only
in connected mode.
Note
For the FlexConnect local switching, central authentication deployments, if there is a
passive client with a static IP address, it is recommended to disable the Learn Client IP
Address feature under the WLAN > Advanced tab.
• local authentication, local switching—In this state, the FlexConnect access point handles client
authentication and switches client data packets locally. This state is valid in standalone mode and
connected mode.
In connected mode, the access point provides minimal information about the locally authenticated client
to the controller. The following information is not available to the controller:
◦Policy type
◦Access VLAN
◦VLAN name
◦Supported rates
◦Encryption cipher
Local authentication is useful where you cannot maintain a remote office setup of a minimum
bandwidth of 128 kbps with the round-trip latency no greater than 100 ms and the maximum
transmission unit (MTU) no smaller than 576 bytes. In local authentication, the authentication
capabilities are present in the access point itself. Local authentication reduces the latency
requirements of the branch office.
Note
Local authentication can only be enabled on the WLAN of a FlexConnect access point
that is in local switching mode.
Notes about local authentication are as follows:
◦Guest authentication cannot be done on a FlexConnect local authentication-enabled WLAN.
◦Local RADIUS on the controller is not supported.
◦Once the client has been authenticated, roaming is only supported after the controller and the other
FlexConnect access points in the group are updated with the client information.
◦Local authentication in connected mode requires a WLAN configuration.
Note
When locally switched clients connected to a FlexConnect access point renew their IP addresses
after the access point rejoins the controller, the clients remain in the RUN state. These
clients are not reauthenticated by the controller.
• authentication down, switching down—In this state, the WLAN disassociates existing clients and stops
sending beacons and probe responses. This state is valid in both standalone mode and connected mode.
• authentication down, local switching—In this state, the WLAN rejects any new clients trying to
authenticate, but it continues sending beacon and probe responses to keep existing clients alive. This
state is valid only in standalone mode.
When a FlexConnect access point enters standalone mode, WLANs that are configured for open, shared,
WPA-PSK, or WPA2-PSK authentication enter the “local authentication, local switching” state and continue
new client authentications. In controller software release 4.2 or later releases, this configuration is also correct
for WLANs that are configured for 802.1X, WPA-802.1X, WPA2-802.1X, or CCKM, but these authentication
types require that an external RADIUS server be configured. You can also configure a local RADIUS server
on a FlexConnect access point to support 802.1X in a standalone mode or with local authentication.
Other WLANs enter either the “authentication down, switching down” state (if the WLAN was configured
for central switching) or the “authentication down, local switching” state (if the WLAN was configured for
local switching).
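The WLAN state rules above (connected versus standalone mode, and which security types keep authenticating when the controller is unreachable), written out as an added Python example. This is not code from the Cisco guide or from the controller. The Wlan fields, the security-type labels and the ap_radius flag (standing in for a backup or local RADIUS server that the access point can reach on its own) are this example's assumptions; the state strings are the names the guide uses.

```python
"""Which of the guide's WLAN states applies to a WLAN on a FlexConnect access
point, given the WLAN configuration and whether the access point can reach the
controller (connected mode) or not (standalone mode).

Added illustration of the rules in the text, not Cisco code. The Wlan fields
and security labels are assumptions of this example.
"""
from dataclasses import dataclass

# Security types the access point can authenticate by itself in standalone mode.
LOCAL_CAPABLE = {"open", "shared", "wpa-psk", "wpa2-psk"}
# 802.1X family: works in standalone mode only with a RADIUS server the AP can
# reach on its own (backup RADIUS server or a local RADIUS server on the AP).
DOT1X_FAMILY = {"802.1x", "wpa-802.1x", "wpa2-802.1x", "cckm"}
# Controller-dependent authentication: guest web authentication and NAC.
CONTROLLER_ONLY = {"web-auth", "nac"}


@dataclass(frozen=True)
class Wlan:
    name: str
    security: str
    local_switching: bool = False  # FlexConnect Local Switching enabled
    local_auth: bool = False       # FlexConnect Local Auth enabled
    ap_radius: bool = False        # RADIUS server reachable by the AP (assumed flag)


def validate(wlan: Wlan) -> None:
    """Reject combinations the guide says are not allowed."""
    if wlan.local_auth and not wlan.local_switching:
        raise ValueError(f"{wlan.name}: local auth is only allowed on a locally switched WLAN")
    if wlan.local_auth and wlan.security in CONTROLLER_ONLY:
        raise ValueError(f"{wlan.name}: guest/web authentication cannot be done locally")


def is_valid(wlan: Wlan) -> bool:
    try:
        validate(wlan)
    except ValueError:
        return False
    return True


def wlan_state(wlan: Wlan, connected: bool) -> str:
    validate(wlan)
    if connected:
        if wlan.local_auth:
            return "local authentication, local switching"
        if wlan.local_switching:
            return "central authentication, local switching"
        return "central authentication, central switching"

    # Standalone mode. A centrally switched WLAN cannot carry data without the
    # controller, so its clients are disassociated whatever the security type.
    if not wlan.local_switching:
        return "authentication down, switching down"
    if wlan.security in LOCAL_CAPABLE:
        return "local authentication, local switching"
    if wlan.security in DOT1X_FAMILY and wlan.ap_radius:
        return "local authentication, local switching"
    # Existing clients stay up, but no new authentications are accepted.
    return "authentication down, local switching"


def new_clients_accepted(wlan: Wlan, connected: bool) -> bool:
    """True when the WLAN keeps authenticating new clients in this situation."""
    return not wlan_state(wlan, connected).startswith("authentication down")


def report(wlans, connected: bool) -> dict:
    """Map each WLAN name to its state for the given controller reachability."""
    return {w.name: wlan_state(w, connected) for w in wlans}


if __name__ == "__main__":
    # Constructed sample mirroring the guide's example WLANs.
    sample = [
        Wlan("employee", "wpa2-802.1x"),
        Wlan("employee-local", "wpa2-psk", local_switching=True),
        Wlan("guest-central", "web-auth"),
        Wlan("employee-local-auth", "wpa2-802.1x", local_switching=True,
             local_auth=True, ap_radius=True),
    ]
    for mode in (True, False):
        print("connected" if mode else "standalone", report(sample, mode))
```

Running the block prints the state of each sample WLAN in connected and in standalone mode; the standalone column is the one to check before relying on a branch WLAN during a WAN outage.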
When FlexConnect access points are connected to the controller (rather than in standalone mode), the controller
uses its primary RADIUS servers and accesses them in the order specified on the RADIUS Authentication
Servers page or in the config radius auth add CLI command (unless the server order is overridden for a
particular WLAN). However, to support 802.1X EAP authentication, FlexConnect access points in standalone
mode need to have their own backup RADIUS server to authenticate clients.
Note
The controller itself does not use the backup RADIUS server. The backup RADIUS server is used only by the
FlexConnect access point in local authentication mode.
You can configure a backup RADIUS server for individual FlexConnect access points in standalone mode
by using the controller CLI, or for groups of FlexConnect access points in standalone mode by using either
the GUI or CLI. A backup server configured for an individual access point overrides the backup RADIUS
server configuration of its FlexConnect group.
When a FlexConnect access point enters standalone mode, it disassociates all clients that are on centrally
switched WLANs. For web-authentication WLANs, existing clients are not disassociated, but the FlexConnect
access point stops sending beacons when the number of associated clients reaches zero (0). It also sends
disassociation messages to new clients associating to web-authentication WLANs. Controller-dependent
activities, such as network access control (NAC) and web authentication (guest access), are disabled, and the
access point does not send any intrusion detection system (IDS) reports to the controller. Most radio resource
management (RRM) features (such as neighbor discovery; noise, interference, load, and coverage measurements;
use of the neighbor list; and rogue containment and detection) are disabled. However, a FlexConnect access
point supports dynamic frequency selection in standalone mode.
When web-authentication is used on FlexConnect access points at a remote site, the clients get the IP address
from the remote local subnet. To resolve the initial URL request, the DNS is accessible through the subnet's
default gateway. In order for the controller to intercept and redirect the DNS query return packets, these
packets must reach the controller at the data center through a CAPWAP connection. During the
web-authentication process, the FlexConnect access point allows only DNS and DHCP messages, and it
forwards the DNS reply messages to the controller until web authentication for the client is complete.
After web authentication for the client is complete, all of the client's traffic is switched locally.
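The pre-authentication traffic handling just described for a locally switched web-authentication WLAN, as an added Python example; this is not the access point's code. The Packet fields, the client state names and the decision strings are this example's own assumptions. The rules follow the text: before authentication only DHCP and DNS pass, DNS replies are handed to the controller over CAPWAP so it can intercept and redirect the client's first URL request, after authentication everything is switched locally, and in standalone mode a client that has not finished web authentication is disassociated.

```python
"""Per-packet handling for a client on a locally switched web-authentication
WLAN served by a FlexConnect access point, following the behaviour described
in the text.

Added illustration, not the access point's code. Packet fields, state names
and decision strings are assumptions of this example.
"""
from dataclasses import dataclass

DHCP_PORTS = {67, 68}
DNS_PORT = 53

# Client states used by this example.
WEBAUTH_REQD = "WEBAUTH_REQD"  # associated, web authentication not yet done
RUN = "RUN"                    # web authentication complete


@dataclass(frozen=True)
class Packet:
    proto: str        # "udp", "tcp", "icmp", ...
    sport: int
    dport: int
    to_client: bool   # True for wired-to-wireless (downstream), False for upstream


def is_dhcp(p: Packet) -> bool:
    return p.proto == "udp" and (p.sport in DHCP_PORTS or p.dport in DHCP_PORTS)


def is_dns_query(p: Packet) -> bool:
    return p.proto == "udp" and not p.to_client and p.dport == DNS_PORT


def is_dns_reply(p: Packet) -> bool:
    return p.proto == "udp" and p.to_client and p.sport == DNS_PORT


def handle_packet(client_state: str, connected: bool, p: Packet) -> str:
    """Return what the access point does with packet p for this client."""
    if client_state == RUN:
        # Authenticated: all traffic is switched locally, in either mode.
        return "switch-local"
    if not connected:
        # Standalone mode: web authentication needs the controller, so the AP
        # disassociates clients that have not completed it.
        return "disassociate"
    if is_dhcp(p):
        return "switch-local"    # address comes from the remote local subnet
    if is_dns_query(p):
        return "switch-local"    # resolved through the subnet's default gateway
    if is_dns_reply(p):
        return "forward-capwap"  # controller intercepts and redirects the client
    return "drop"                # everything else waits for web authentication


def handle_flow(client_state: str, connected: bool, packets) -> list:
    """Decisions for a sequence of packets belonging to one client."""
    return [handle_packet(client_state, connected, p) for p in packets]


if __name__ == "__main__":
    # Constructed sample flow: DHCP, a DNS lookup and its reply, then HTTP.
    flow = [
        Packet("udp", 68, 67, False),
        Packet("udp", 40000, 53, False),
        Packet("udp", 53, 40000, True),
        Packet("tcp", 40001, 80, False),
    ]
    print("before web auth:", handle_flow(WEBAUTH_REQD, True, flow))
    print("after web auth: ", handle_flow(RUN, True, flow))
```

The point to take from the example is that an unauthenticated client on such a WLAN can still send DNS and DHCP onto the local subnet before the controller has ever seen it; the preauthentication ACL mentioned later in this chapter is what narrows that further.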
Note
If your controller is configured for NAC, clients can associate only when the access point is in connected
mode. When NAC is enabled, you need to create an unhealthy (or quarantined) VLAN so that the data
traffic of any client that is assigned to this VLAN passes through the controller, even if the WLAN is
configured for local switching. After a client is assigned to a quarantined VLAN, all of its data packets
are centrally switched. See the Configuring Dynamic Interfaces section for information about creating
quarantined VLANs and the Configuring NAC Out-of-Band section for information about configuring
NAC out-of-band support.
When a FlexConnect access point enters standalone mode, the following occurs:
• The access point checks whether it can reach its default gateway via ARP. If so, it continues to try
to reach the controller.
If the access point cannot resolve the default gateway via ARP, the following occurs:
• The access point attempts controller discovery five times. If it still cannot find the controller, it
renews DHCP on its Ethernet interface to obtain a new IP address.
• The access point then retries discovery five more times. If that also fails, it renews the IP address of
the interface again; this cycle is repeated for three attempts.
• If all three attempts fail and the access point is configured with a static IP address, it falls back to
the static IP address and reboots.
• The reboot is done to clear any unknown error in the access point configuration.
Once the access point reestablishes a connection with the controller, it disassociates all clients, applies new
configuration information from the controller, and allows client connectivity again.
Restrictions on FlexConnect
• You can deploy a FlexConnect access point with either a static IP address or a DHCP address. In the
case of DHCP, a DHCP server must be available locally and must be able to provide the IP address for
the access point at bootup.
• FlexConnect supports up to four fragmented packets or a minimum 576-byte maximum transmission
unit (MTU) WAN link.
• Round-trip latency must not exceed 300 milliseconds (ms) between the access point and the controller,
and CAPWAP control packets must be prioritized over all other traffic. In cases where you cannot
achieve the 300 milliseconds round-trip latency, you can configure the access point to perform local
authentication.
• Client connections are restored only for locally switched clients that are in the RUN state when the
access point moves from standalone mode to connected mode. After the access point moves from the
standalone mode to the connected mode, the access point’s radio is also reset.
• The configuration on the controller must be the same between the time the access point went into
standalone mode and the time the access point came back to connected mode. Similarly, if the access
point is falling back to a secondary or backup controller, the configuration between the primary and
secondary or backup controller must be the same.
• A newly connected access point cannot be booted in FlexConnect mode.
• To use CCKM fast roaming with FlexConnect access points, you must configure FlexConnect Groups.
• NAC out-of-band integration is supported only on WLANs configured for FlexConnect central switching.
It is not supported for use on WLANs configured for FlexConnect local switching.
• The primary and secondary controllers for a FlexConnect access point must have the same configuration.
Otherwise, the access point might lose its configuration, and certain features (such as WLAN overrides,
VLANs, static channel number, and so on) might not operate correctly. In addition, make sure to duplicate
the SSID of the FlexConnect access point and its index number on both controllers.
• Do not connect access points in FlexConnect mode directly to a 2500 Series Controller.
• If a syslog server is configured on a FlexConnect access point and the native VLAN is not VLAN 1, a few
syslog packets sent by the access point during initialization after a reload are tagged with VLAN ID 1.
This is a known issue.
• MAC Filtering is not supported on FlexConnect access points in standalone mode. However, MAC
Filtering is supported on FlexConnect access points in connected mode with local switching and central
authentication. Also, Open SSID, MAC Filtering, and RADIUS NAC for a locally switched WLAN
with FlexConnect access points is a valid configuration where MAC is checked by ISE.
• FlexConnect does not support IPv6 ACLs, neighbor discovery caching, and DHCPv6 snooping of IPv6
NDP packets.
• FlexConnect does not display any IPv6 client addresses within the client detail page.
• FlexConnect access points with a locally switched WLAN cannot perform IP Source Guard or prevent
ARP spoofing. For a centrally switched WLAN, the wireless controller performs IP Source Guard and
ARP spoofing prevention.
• To prevent ARP spoofing attacks against FlexConnect APs with local switching, we recommend that you
use ARP Inspection on the local switch.
• When you enable local switching on WLAN for the Flexconnect APs, then APs perform local switching.
However, for the APs in local mode, central switching is performed.
• For Wi-Fi Protected Access version 2 (WPA2) in FlexConnect standalone mode or local-auth in connected
mode or CCKM fast-roaming in connected mode, only Advanced Encryption Standard (AES) is supported.
• For Wi-Fi Protected Access (WPA) in FlexConnect standalone mode or local-auth in connected mode
or CCKM fast-roaming in connected mode, only Temporal Key Integrity Protocol (TKIP) is supported.
• WPA2 with TKIP and WPA with AES is not supported in standalone mode, local-auth in connected
mode, and CCKM fast-roaming in connected mode.
• AVC is not supported on APs in FlexConnect local switched mode.
• Fallback to local authentication is not supported when the user is not found in the external RADIUS server.
• For a WLAN configured for FlexConnect local switching and local authentication, synchronization of
dot11 client information is supported.
• It is not possible for the Cisco WLC to detect whether an AP has disassociated and, with that, whether its radio
is in an operational or non-operational state.
When a FlexConnect AP disassociates from the Cisco WLC, the AP can still serve clients with its
radios operational; with all other AP modes, the radios go into the non-operational state.
• When you apply a configuration change to a locally switched WLAN, the access point resets the radio,
causing associated client devices to disassociate (including the clients that are not associated with the
modified WLAN). However, this behavior does not occur if the modified WLAN is centrally switched.
We recommend that you modify the configuration only during a maintenance window. This is also
applicable when a centrally switched WLAN is changed to a locally switched WLAN.
Configuring FlexConnect
Note
The configuration tasks must be performed in the order in which they are listed.
Configuring the Switch at a Remote Site
Step 1 Attach the access point that will be enabled for FlexConnect to a trunk or access port on the switch.
Note
The sample configuration in this procedure shows the FlexConnect access point connected to a trunk port on
the switch.
Step 2 See the sample configuration in this procedure to configure the switch to support the FlexConnect access point.
In this sample configuration, the FlexConnect access point is connected to trunk interface FastEthernet 1/0/2 with native
VLAN 100. The access point needs IP connectivity on the native VLAN. The remote site has local servers/resources on
VLAN 101. A DHCP pool is created in the local switch for both VLANs. The first DHCP pool (NATIVE)
is used by the FlexConnect access point, and the second DHCP pool (LOCAL-SWITCH) is used by the clients when
they associate to a WLAN that is locally switched. The DHCP pool and trunk port settings in the sample configuration
show these settings.
A sample local switch configuration is as follows (the "!" lines are comments; the native VLAN is
included in the trunk's allowed list because a Catalyst switch prunes untagged native-VLAN traffic from a
trunk whose allowed list omits it, which would leave the access point without IP connectivity):
! DHCP pool on the native VLAN, used by the FlexConnect access point itself
ip dhcp pool NATIVE
network 209.165.200.224 255.255.255.224
default-router 209.165.200.225
dns-server 192.168.100.167
!
! DHCP pool on VLAN 101, used by clients on locally switched WLANs
ip dhcp pool LOCAL-SWITCH
network 209.165.201.224 255.255.255.224
default-router 209.165.201.225
dns-server 192.168.100.167
!
interface FastEthernet1/0/1
description Uplink port
no switchport
ip address 209.165.202.225 255.255.255.224
!
interface FastEthernet1/0/2
description the Access Point port
switchport trunk encapsulation dot1q
switchport trunk native vlan 100
! native VLAN 100 carries the AP's CAPWAP traffic untagged; VLAN 101 is tagged client traffic
switchport trunk allowed vlan 100,101
switchport mode trunk
!
interface Vlan100
ip address 209.165.200.225 255.255.255.224
!
interface Vlan101
ip address 209.165.201.225 255.255.255.224
!
end
Configuring the Switch with Multicast Enabled Directly
In FlexConnect local switching, when Multicast to Unicast (MC2UC) is enabled, traffic follows the queues
described below:
Step 1 To send video or voice traffic into their respective queues, Unicast Video Redirect and CAC support (ACM) must be
disabled on the 802.11a or 802.11b radio on which the MC2UC clients join.
Step 2 When CAC is enabled or Unicast Video Redirect is enabled, MC2UC (video/voice) traffic is pushed to the Best Effort
queue.
Note
This behavior applies to FlexConnect local switching only.
Follow these steps to reproduce this behavior:
a) Have a 5500 WLC with a 2602 FlexConnect AP.
b) Enable Multicast Direct globally.
c) Create a multicast stream.
d) Enable Multicast Direct in the WLAN with Gold QoS.
e) Associate a client to this WLAN.
f) Start sending the multicast traffic from wired to wireless.
g) Check the queue in the AP.
Configuring the Controller for FlexConnect
You can configure the controller for FlexConnect in two environments:
• Centrally switched WLAN
• Locally switched WLAN
The controller configuration for FlexConnect consists of creating centrally switched and locally switched
WLANs. This table shows the example WLAN scenarios used in this section.
Table 1: WLANs Example
WLAN                  Security             Authentication   Switching   Interface Mapping (VLAN)
employee              WPA1+WPA2            Central          Central     management (centrally switched VLAN)
employee-local        WPA1+WPA2 (PSK)      Local            Local       101 (locally switched VLAN)
guest-central         Web authentication   Central          Central     management (centrally switched VLAN)
employee-local-auth   WPA1+WPA2            Local            Local       101 (locally switched VLAN)
Configuring the Controller for FlexConnect for a Centrally Switched WLAN Used for Guest Access
Before You Begin
You must have created guest user accounts. For more information about creating guest user accounts, see the
Cisco Wireless LAN Controller System Management Guide.
Step 1 Choose WLANs to open the WLANs page.
Step 2 From the drop-down list, choose Create New and click Go to open the WLANs > New page.
Step 3 From the Type drop-down list, choose WLAN.
Step 4 In the Profile Name text box, enter guest-central.
Step 5 In the WLAN SSID text box, enter guest-central.
Step 6 From the WLAN ID drop-down list, choose an ID for the WLAN.
Step 7 Click Apply. The WLANs > Edit page appears.
Step 8 In the General tab, select the Status check box to enable the WLAN.
Step 9 In the Security > Layer 2 tab, choose None from the Layer 2 Security drop-down list.
Step 10 In the Security > Layer 3 tab:
a) Choose None from the Layer 3 Security drop-down list.
b) Select the Web Policy check box.
c) Choose Authentication.
Note
If you are using an external web server, you must configure a preauthentication access control list (ACL) on the
WLAN for the server and then choose this ACL as the WLAN preauthentication ACL on the Layer 3 tab.
Step 11 Click Apply.
Step 12 Click Save Configuration.
Configuring the Controller for FlexConnect (GUI)
Step 1 Choose WLANs to open the WLANs page.
Step 2 From the drop-down list, choose Create New and click Go to open the WLANs > New page.
Step 3 From the Type drop-down list, choose WLAN.
Step 4 In the Profile Name text box, enter a unique profile name for the WLAN.
Step 5 In the WLAN SSID text box, enter a name for the WLAN.
Step 6 From the WLAN ID drop-down list, choose the ID number for this WLAN.
Step 7 Click Apply. The WLANs > Edit page is displayed.
Step 8 You can configure the controller for FlexConnect in both centrally switched and locally switched WLANs:
To configure the controller for FlexConnect in a centrally switched WLAN:
a) In the General tab, select the Status check box to enable the WLAN.
b) If you have enabled NAC and have created a quarantined VLAN and want to use it for this WLAN, select the interface
from the Interface/Interface Group(G) drop-down list in the General tab.
c) In the Security > Layer 2 tab, choose WPA+WPA2 from the Layer 2 Security drop-down list and then set the
WPA+WPA2 parameters as required.
To configure the controller for FlexConnect in a locally switched WLAN:
a) In the General tab, select the Status check box to enable the WLAN.
b) If you have enabled NAC and have created a quarantined VLAN and want to use it for this WLAN, select the interface
from the Interface/Interface Group(G) drop-down list in the General tab.
c) In the Security > Layer 2 tab, select WPA+WPA2 from the Layer 2 Security drop-down list and then set the
WPA+WPA2 parameters as required.
d) In the Advanced tab:
• Select or unselect the FlexConnect Local Switching check box to enable or disable local switching of client
data associated with the APs in FlexConnect mode.
Note
The guidelines and limitations for this feature are as follows:
• When you enable local switching, any FlexConnect access point that advertises this WLAN is
able to locally switch data packets (instead of tunneling them to the controller).
• When you enable FlexConnect local switching, the controller is enabled to learn the client’s IP
address by default. However, if the client is configured with Fortress Layer 2 encryption, the
controller cannot learn the client’s IP address, and the controller periodically drops the client.
Disable the client IP address learning feature so that the controller maintains the client connection
without waiting to learn the client’s IP address. The ability to disable this option is supported
only with FlexConnect local switching; it is not supported with FlexConnect central switching.
• For FlexConnect access points, the interface mapping at the controller for WLANs that is
configured for FlexConnect Local Switching is inherited at the access point as the default VLAN
tagging. This mapping can be changed per SSID and per FlexConnect access point.
Non-FlexConnect access points tunnel all traffic back to the controller, and VLAN tagging is
determined by each WLAN’s interface mapping.
• Select or unselect the FlexConnect Local Auth check box to enable or disable local authentication for the
WLAN.
• Select or unselect the Learn Client IP Address check box to enable or disable the IP address of the client to
be learned.
• Select or unselect the VLAN based Central Switching check box to enable or disable central switching on a
locally switched WLAN based on AAA overridden VLAN.
Note
These are the guidelines and limitations for this feature:
• Multicast on overridden interfaces is not supported.
• This feature is available only on a per-WLAN basis, where the WLAN is locally switched.
• IPv6 ACLs, CAC, NAC, and IPv6 are not supported.
• IPv4 ACLs are supported only with VLAN-based central switching enabled and applicable only
to central switching clients on the WLAN.
• This feature is applicable to APs in FlexConnect mode in locally switched WLANs.
• This feature is not applicable to APs in Local mode.
• This feature is not supported on APs in FlexConnect mode in centrally switched WLANs.
• This feature is supported on central authentication only.
• This feature is not supported on web authentication security clients.
• Layer 3 roaming for local switching clients is not supported.
• Select or unselect the Central DHCP Processing check box to enable or disable the feature. When you enable
this feature, the DHCP packets received from AP are centrally switched to the controller and then forwarded
to the corresponding VLAN based on the AP and the SSID.
• Select or unselect the Override DNS check box to enable or disable the overriding of the DNS server address
on the interface assigned to the locally switched WLAN. When you override DNS in centrally switched WLANs,
the clients get their DNS server IP address from the AP, not from the controller.
• Select or unselect the NAT-PAT check box to enable or disable Network Address Translation (NAT) and Port
Address Translation (PAT) on locally switched WLANs. You must enable Central DHCP Processing to enable
NAT and PAT.
Step 9 Click Apply.
Step 10 Click Save Configuration.
Configuring the Controller for FlexConnect (CLI)
• config wlan flexconnect local-switching wlan_id enable—Configures the WLAN for local switching.
Note
When you enable FlexConnect local switching, the controller waits to learn the client
IP address by default. However, if the client is configured with Fortress Layer 2
encryption, the controller cannot learn the client IP address, and the controller periodically
drops the client. Use the config wlan flexconnect learn-ipaddr wlan_id disable
command to disable the client IP address learning feature so that the controller maintains
the client connection without waiting to learn the client’s IP address. The ability to
disable this feature is supported only with FlexConnect local switching; it is not supported
with FlexConnect central switching. To enable this feature, enter the config wlan
flexconnect learn-ipaddr wlan_id enable command.
Note
When a WLAN is locally switched (LS), you must use the config wlan flexconnect
learn-ipaddr wlan-id {enable | disable} command. When the WLAN is centrally
switched (CS), you must use the config wlan learn-ipaddr-cswlan wlan-id {enable |
disable} command.
• config wlan flexconnect local-switching wlan_id {enable | disable}—Configures the WLAN for central
switching.
• config wlan flexconnect vlan-central-switching wlan_id {enable | disable}—Configures central
switching on a locally switched WLAN based on an AAA overridden VLAN.
The guidelines and limitations for this feature are as follows:
• Multicast on overridden interfaces is not supported.
• This feature is available only on a per-WLAN basis, where the WLAN is locally switched.
• IPv6 ACLs, CAC, NAC, and IPv6 are not supported.
• IPv4 ACLs are supported only with VLAN-based central switching enabled and applicable only
to central switching clients on the WLAN.
• This feature is applicable to APs in FlexConnect mode in locally switched WLANs.
• This feature is not applicable to APs in Local mode.
• This feature is not supported on APs in FlexConnect mode in centrally switched WLANs.
• This feature is supported on central authentication only.
• This feature is not supported on web authentication security clients.
• Layer 3 roaming for local switching clients is not supported.
Use these commands to get FlexConnect information:
• show ap config general Cisco_AP—Shows VLAN configurations.
• show wlan wlan_id—Shows whether the WLAN is locally or centrally switched.
• show client detail client_mac—Shows whether the client is locally or centrally switched.
Use these commands to obtain debug information:
• debug flexconnect aaa {event | error} {enable | disable}—Enables or disables debugging of
FlexConnect backup RADIUS server events or errors.
• debug flexconnect cckm {enable | disable}—Enables or disables debugging of FlexConnect CCKM.
• debug flexconnect {enable | disable}—Enables or disables debugging of FlexConnect Groups.
• debug pem state {enable | disable}—Enables or disables debugging of the policy manager state machine.
• debug pem events {enable | disable}—Enables or disables debugging of policy manager events.
Configuring an Access Point for FlexConnect
Configuring an Access Point for FlexConnect (GUI)
Before You Begin
Ensure that the access point has been physically added to your network.
Note
The AP will reboot when you change the AP behavior from FlexConnect to Local.
Step 1 Choose Wireless to open the All APs page.
Step 2 Click the name of the desired access point. The All APs > Details page appears.
Step 3 From the AP Mode drop-down list, choose FlexConnect to enable FlexConnect for this access point.
Note
The last parameter in the Inventory tab indicates whether the access point can be configured for FlexConnect.
Step 4 Click Apply to commit your changes and to cause the access point to reboot.
Step 5 Choose the FlexConnect tab to open the All APs > Details for (FlexConnect) page.
If the access point belongs to a FlexConnect group, the name of the group appears in the FlexConnect Name text box.
Step 6
Select the VLAN Support check box and enter the number of the native VLAN on the remote network (such as 100)
in the Native VLAN ID text box.
Note
By default, a VLAN is not enabled on the FlexConnect access point. After FlexConnect is enabled, the access
point inherits the VLAN ID associated to the WLAN. This configuration is saved in the access point and received
after the successful join response. By default, the native VLAN is 1. One native VLAN must be configured per
FlexConnect access point in a VLAN-enabled domain. Otherwise, the access point cannot send and receive
packets to and from the controller.
Note
If PMIPv6 MAG on FlexConnect AP is configured, VLAN Support can be checked or unchecked on the
FlexConnect AP. If you check the VLAN Support check box, enter the number of the native VLAN on the
remote network in the Native VLAN ID text box.
Note
To preserve the VLAN mappings in the access point after an upgrade or downgrade, it is necessary that the
access point join is restricted to the controller for which it is primed. That is, no other discoverable controller
with a different configuration should be available by other means. Similarly, at the time the access point joins,
if it moves across controllers that have different VLAN mappings, the VLAN mappings at the access point may
get mismatched.
Note
For the Cisco 1140 access point, when the native VLAN ID is set, the access point disconnects from and rejoins
the Cisco 8500 Series Wireless Controller. After the access point rejoins, its admin mode is disabled.
Step 7 Click Apply. The access point temporarily loses its connection to the controller while its Ethernet port is reset.
Step 8 Click the name of the same access point and then click the FlexConnect tab.
Step 9 Click VLAN Mappings to open the All APs > Access Point Name > VLAN Mappings page.
Step 10 Enter the number of the VLAN from which the clients will get an IP address when doing local switching (VLAN 101,
in this example) in the VLAN ID text box.
Step 11 To configure Web Authentication ACLs, do the following:
a) Click the External WebAuthentication ACLs link to open the ACL mappings page. The ACL Mappings page lists
details of WLAN ACL mappings and web policy ACLs.
b) In the WLAN Id box, enter the WLAN ID.
c) From the WebAuth ACL drop-down list, choose the FlexConnect ACL.
Note
To create a FlexConnect ACL, choose Wireless > FlexConnect Groups > FlexConnect ACLs, click New,
enter the FlexConnect ACL name, and click Apply.
d) Click Add.
e) Click Apply.
Step 12 To configure Local Split ACLs:
a) Click the Local Split ACLs link to open the ACL Mappings page.
b) In the WLAN Id box, enter the WLAN ID.
c) From the Local-Split ACL drop-down list, choose the FlexConnect ACL.
Note
To create a FlexConnect ACL, choose Wireless > FlexConnect Groups > FlexConnect ACLs, click New,
enter the FlexConnect ACL name, and click Apply.
Note
If a client that connects over a WAN link associated with a centrally switched WLAN has to send some traffic to a
device present in the local site, the client has to send traffic over CAPWAP to the controller and then get the same
traffic back to the local site either over CAPWAP or using some offband connectivity. This process unnecessarily
consumes WAN link bandwidth. To avoid this issue, you can use the split tunneling feature, which allows the traffic
sent by a client to be classified based on the packet contents. The matching packets are locally switched and the rest
of the traffic is centrally switched. The traffic that is sent by the client that matches the IP address of the device
present in the local site can be classified as locally switched traffic and the rest of the traffic as centrally switched.
To configure local split tunneling on an AP, ensure that you have enabled DHCP Required on the WLAN, which
ensures that the client associating with the split WLAN does DHCP.
Local split tunneling is not supported on Cisco 1500 Series, Cisco 1130, and Cisco 1240 access points, and
does not work for clients with a static IP address.
d) Click Add.
Step 13
To configure Central DHCP processing:
a) In the WLAN Id box, enter the WLAN ID with which you want to map Central DHCP.
b) Select or unselect the Central DHCP check box to enable or disable Central DHCP for the mapping.
c) Select or unselect the Override DNS check box to enable or disable overriding of DNS for the mapping.
d) Select or unselect the NAT-PAT check box to enable or disable network address translation and port address translation
for the mapping.
e) Click Add to add the Central DHCP - WLAN mapping.
Step 14
To map a locally switched WLAN with a WebAuth ACL, follow these steps:
a) In the WLAN Id box, enter the WLAN ID.
b) From the WebAuth ACL drop-down list, choose the FlexConnect ACL.
Note
To create a FlexConnect ACL, choose Wireless > FlexConnect Groups > FlexConnect ACLs, click New,
enter the FlexConnect ACL name, and click Apply.
c) Click Add.
Note
The FlexConnect ACLs that are specific to an AP have the highest priority. The FlexConnect ACLs that are
specific to WLANs have the lowest priority.
Step 15 From the WebPolicy ACL drop-down list, choose a FlexConnect ACL and then click Add to configure the FlexConnect
ACL as a web policy.
Note
You can configure up to 16 Web Policy ACLs that are specific to an access point.
Step 16 Click Apply.
Step 17 Click Save Configuration.
Note
Repeat this procedure for any additional access points that need to be configured for FlexConnect at the remote
site.
Configuring an Access Point for FlexConnect (CLI)
Note
The AP will reboot when you change the AP behavior from FlexConnect to Local.
• config ap mode flexconnect Cisco_AP—Enables FlexConnect for this access point.
• config ap flexconnect radius auth set {primary | secondary} ip_address auth_port secret
Cisco_AP—Configures a primary or secondary RADIUS server for a specific FlexConnect access point.
Note
Only the Session Timeout RADIUS attribute is supported in standalone mode. All other
attributes as well as RADIUS accounting are not supported.
Note
To delete a RADIUS server that is configured for a FlexConnect access point, enter the
config ap flexconnect radius auth delete {primary | secondary} Cisco_AP command.
• config ap flexconnect vlan wlan wlan_id vlan-id Cisco_AP—Enables you to assign a VLAN ID to this
FlexConnect access point. By default, the access point inherits the VLAN ID associated to the WLAN.
• config ap flexconnect vlan {enable | disable} Cisco_AP—Enables or disables VLAN tagging for this
FlexConnect access point. By default, VLAN tagging is not enabled. After VLAN tagging is enabled
on the FlexConnect access point, WLANs that are enabled for local switching inherit the VLAN assigned
at the controller.
• config ap flexconnect vlan native vlan-id Cisco_AP—Enables you to configure a native VLAN for
this FlexConnect access point. By default, no VLAN is set as the native VLAN. One native VLAN must
be configured per FlexConnect access point (when VLAN tagging is enabled). Make sure the switch
port to which the access point is connected has a corresponding native VLAN configured as well. If the
FlexConnect access point’s native VLAN setting and the upstream switch port native VLAN do not
match, the access point cannot transmit packets to and from the controller.
Note
To save the VLAN mappings in the access point after an upgrade or downgrade, you
should restrict the access point to join the controller for which it is primed. No other
discoverable controller with a different configuration should be available by other means.
Similarly, at the time the access point joins, if it moves across controllers that have
different VLAN mappings, the VLAN mappings at the access point might get
mismatched.
• Configure the mapping of a Web-Auth or a Web Passthrough ACL to a WLAN for an access point in
FlexConnect mode by entering this command:
config ap flexconnect web-auth wlan wlan_id cisco_ap acl_name {enable | disable}
Note
The FlexConnect ACLs that are specific to an AP have the highest priority. The
FlexConnect ACLs that are specific to WLANs have the lowest priority.
• Configure a Policy ACL on an AP in FlexConnect mode by entering this command:
config ap flexconnect acl {add | delete} acl_name cisco_ap
Note
You can configure up to 16 Policy ACLs that are specific to an access point.
• To configure local split tunneling on a per-AP basis, enter this command:
config ap local-split {enable | disable} wlan-id acl acl-name ap-name
• Configure central DHCP on the AP per WLAN by entering this command:
config ap flexconnect central-dhcp wlan-id ap-name {enable override dns | disable | delete}
Note
The gratuitous ARP for the gateway is sent by the access point to the client, which
obtained an IP address from the central site. This is performed to proxy the gateway by
the access point.
Use these commands on the FlexConnect access point to get status information:
• show capwap reap status—Shows the status of the FlexConnect access point (connected or standalone).
• show capwap reap association—Shows the list of clients associated with this access point and their
SSIDs.
Use these commands on the FlexConnect access point to get debug information:
• debug capwap reap—Shows general FlexConnect activities.
• debug capwap reap mgmt—Shows client authentication and association messages.
• debug capwap reap load—Shows payload activities, which are useful when the FlexConnect access
point boots up in standalone mode.
• debug dot11 mgmt interface—Shows 802.11 management interface events.
• debug dot11 mgmt msg—Shows 802.11 management messages.
• debug dot11 mgmt ssid—Shows SSID management events.
• debug dot11 mgmt state-machine—Shows the 802.11 state machine.
• debug dot11 mgmt station—Shows client events.
Configuring an Access Point for Local Authentication on a WLAN (GUI)
Step 1 Choose WLANs to open the WLANs page.
Step 2 Click the ID of the WLAN. The WLANs > Edit page appears.
Step 3 Click the Advanced tab to open the WLANs > Edit (WLAN Name) page.
Step 4 Select the FlexConnect Local Switching check box to enable FlexConnect local switching.
Step 5 Select the FlexConnect Local Auth check box to enable FlexConnect local authentication.
Caution
Do not connect access points in FlexConnect mode directly to 2500 Series Controllers.
Step 6
Click Apply to commit your changes.
Configuring an Access Point for Local Authentication on a WLAN (CLI)
Before You Begin
Before you begin, you must have enabled local switching on the WLAN where you want to enable local
authentication for an access point. For instructions on how to enable local switching on the WLAN, see the
Configuring the Controller for FlexConnect (CLI) section.
• config wlan flexconnect ap-auth wlan_id {enable | disable}—Configures the access point to enable
or disable local authentication on a WLAN.
Caution
Do not connect the access points in FlexConnect mode directly to Cisco 2500 Series Controllers.
• show wlan wlan-id —Displays the configuration for the WLAN. If local authentication is enabled, the
following information appears:
. . .
. . .
Web Based Authentication...................... Disabled
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
FlexConnect Local Switching........................ Enabled
FlexConnect Local Authentication................... Enabled
FlexConnect Learn IP Address....................... Enabled
Client MFP.................................... Optional
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
. . .
. . .
Connecting Client Devices to WLANs
Follow the instructions for your client device to create profiles to connect to the WLANs you created in the
Configuring the Controller for FlexConnect.
In the example scenarios (see Table 1: WLANs Example), there are three profiles on the client:
1 To connect to the “employee” WLAN, create a client profile that uses WPA/WPA2 with PEAP-MSCHAPV2
authentication. After the client becomes authenticated, the client gets an IP address from the management
VLAN of the controller.
2 To connect to the “local-employee” WLAN, create a client profile that uses WPA/WPA2 authentication.
After the client becomes authenticated, the client gets an IP address from VLAN 101 on the local switch.
3 To connect to the “guest-central” WLAN, create a client profile that uses open authentication. After the
client becomes authenticated, the client gets an IP address from VLAN 101 on the network local to the
access point. After the client connects, the local user can type any HTTP address in the web browser. The
user is automatically directed to the controller to complete the web-authentication process. When the web
login page appears, the user enters the username and password.
To determine if a client’s data traffic is being locally or centrally switched, choose Monitor > Clients on the
controller GUI, click the Detail link for the desired client, and look at the Data Switching parameter under
AP Properties.
Configuring FlexConnect ACLs
Information About Access Control Lists
An access control list (ACL) is a set of rules used to limit access to a particular interface (for example, if you
want to restrict a wireless client from pinging the management interface of the controller). ACLs enable access
control of network traffic. After ACLs are configured on the controller, you can apply them to the management
interface, the AP-Manager interface, any of the dynamic interfaces, or a WLAN. ACLs enable you to control
data traffic to and from wireless clients or to the controller CPU. You can configure ACLs on FlexConnect
access points to enable effective usage and access control of locally switched data traffic on an access point.
The FlexConnect ACLs can be applied to VLAN interfaces on access points in both the Ingress and Egress
mode.
Existing interfaces on an access point can be mapped to ACLs. The interfaces can be created by configuring
a WLAN-VLAN mapping on a FlexConnect access point.
The FlexConnect ACLs can be applied to an access point’s VLAN only if VLAN support is enabled on the
FlexConnect access point.
Restrictions for FlexConnect ACLs
• FlexConnect ACLs can be applied only to FlexConnect access points. The configurations applied are
per AP and per VLAN.
• FlexConnect ACLs are supported on the native VLAN.
• You can configure up to 512 ACLs on a controller.
• Non-FlexConnect ACLs that are configured on the controller cannot be applied to a FlexConnect AP.
• FlexConnect ACLs do not support direction per rule. Unlike normal ACLs, FlexConnect ACLs cannot
be configured with a direction. An ACL as a whole needs to be applied to an interface as ingress or
egress.
• You can define up to 512 FlexConnect ACLs, each with up to 64 rules (or filters). Each rule has
parameters that affect its action. When a packet matches all the parameters pertaining to a rule, the action
set pertaining to that rule is applied to the packet.
• ACLs in your network might have to be modified because Control and Provisioning of Wireless Access
Points (CAPWAP) use ports that are different from the ones used by the Lightweight Access Point
Protocol (LWAPP).
• All ACLs have an implicit deny all rule as the last rule. If a packet does not match any of the rules, it is
dropped by the corresponding access point.
• ACL mapping on the VLANs that are created on an AP using WLAN-VLAN mapping should be
performed on a per-AP basis only. VLANs can be created on a FlexConnect group for AAA override.
These VLANs will not have any mapping for a WLAN.
• ACLs for VLANs that are created on a FlexConnect group should be mapped only on the FlexConnect
group. If the same VLAN is present on the corresponding AP as well as the FlexConnect group, AP
VLAN will take priority. This means that if no ACL is mapped on the AP, the VLAN will not have any
ACL, even if the ACL is mapped to the VLAN on the FlexConnect group.
• Ensure the FlexConnect ACL and the regular ACL names are not the same while configuring a WLAN
for FlexConnect local switching.
Note
When a locally switched WLAN is configured and an ACL with a set of deny and permit rules is mapped to a
FlexConnect group, the ACL must include a permit rule for DHCP; otherwise a client that associates to the WLAN
cannot obtain an IP address.
Configuring FlexConnect ACLs
Configuring FlexConnect ACLs (GUI)
Step 1
Choose Security > Access Control Lists > FlexConnect Access Control Lists.
The FlexConnect ACL page is displayed.
This page lists all the FlexConnect ACLs configured on the controller. This page also shows the FlexConnect ACLs
created on the corresponding controller. To remove an ACL, hover your mouse over the blue drop-down arrow adjacent
to the corresponding ACL name and choose Remove.
Step 2
Add a new ACL by clicking New.
The Access Control Lists > New page is displayed.
Step 3 In the Access Control List Name text box, enter a name for the new ACL. You can enter up to 32 alphanumeric characters.
Step 4 Click Apply.
Step 5 When the Access Control Lists page reappears, click the name of the new ACL.
When the Access Control Lists > Edit page appears, click Add New Rule.
The Access Control Lists > Rules > New page is displayed.
Step 6
Configure a rule for this ACL as follows:
a) The controller supports up to 64 rules for each ACL. These rules are listed in order from 1 to 64. In the Sequence
text box, enter a value (between 1 and 64) to determine the order of this rule in relation to any other rules defined for
this ACL.
Note
If rules 1 through 4 are already defined and you add rule 29, it is added as rule 5. If you add or change a
sequence number of a rule, the sequence numbers of the other rules are automatically adjusted to maintain
a continuous sequence. For instance, if you change a rule’s sequence number from 7 to 5, the rules with
sequence numbers 5 and 6 are automatically reassigned as 6 and 7, respectively.
b) From the Source drop-down list, choose one of these options to specify the source of the packets to which this ACL
is applicable:
• Any—Any source (This is the default value.)
• IP Address—A specific source. If you choose this option, enter the IP address and netmask of the source in
the corresponding text boxes.
c) From the Destination drop-down list, choose one of these options to specify the destination of the packets to which
this ACL applies:
• Any—Any destination (This is the default value.)
• IP Address—A specific destination. If you choose this option, enter the IP address and netmask of the destination
in the text boxes.
d) From the Protocol drop-down list, choose the protocol ID of the IP packets to be used for this ACL. The protocol
options that you can use are the following:
• Any—Any protocol (This is the default value.)
• TCP
• UDP
• ICMP—Internet Control Message Protocol
• ESP—IP Encapsulating Security Payload
• AH—Authentication Header
• GRE—Generic Routing Encapsulation
• IP in IP—Permits or denies IP-in-IP packets
• Eth Over IP—Ethernet-over-Internet Protocol
• OSPF—Open Shortest Path First
• Other—Any other Internet-Assigned Numbers Authority (IANA) protocol
Note
If you choose Other, enter the number of the desired protocol in the Protocol text box. You can find
the list of available protocols on the IANA website.
The controller can permit or deny only the IP packets in an ACL. Other types of packets (such as Address Resolution
Protocol (ARP) packets) cannot be specified.
If you chose TCP or UDP, two additional parameters, Source Port and Destination Port, are displayed. These parameters
enable you to choose a specific source port and destination port or port range. The port options are used by applications
that send and receive data to and from the networking stack. Some ports are designated for certain applications, such
as Telnet, SSH, HTTP, and so on.
e) From the DSCP drop-down list, choose one of these options to specify the differentiated services code point (DSCP)
value of this ACL. DSCP is an IP header field that can be used to define the quality of service across the Internet.
• Any—Any DSCP (This is the default value.)
• Specific—A specific DSCP from 0 to 63, which you enter in the DSCP text box
f) From the Action drop-down list, choose Deny to cause this ACL to block packets, or Permit to cause this ACL to
allow packets. The default value is Deny.
g) Click Apply.
The Access Control Lists > Edit page is displayed on which the rules for this ACL are shown.
h) Repeat this procedure to add additional rules, if any, for this ACL.
Step 7
Click Save Configuration.
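The following Python model is an added illustration, not part of the Cisco guide. It implements the FlexConnect ACL rule semantics described above (first match in sequence order, implicit deny-all, no per-rule direction, 64-rule limit, and the sequence renumbering from the Note in Step 6) and the local split tunneling classification from Step 12 of Configuring an Access Point for FlexConnect (GUI), where permitted traffic is switched locally and everything else goes centrally over CAPWAP. The ACL names, the 10.20.0.0/16 branch subnet and the sample packets are constructed assumptions.

```python
"""FlexConnect ACL evaluation and local split tunneling, modelled after the guide.
Added illustration, not Cisco code: the first matching rule in sequence order
wins, an implicit deny-all ends the ACL, there is no per-rule direction (the
whole ACL is applied to a VLAN as ingress or egress), at most 64 rules apply,
and sequence numbers stay contiguous when rules are added or moved."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

MAX_RULES = 64          # per-ACL rule limit stated in the guide
PORT_ANY = (0, 65535)
TCP, UDP = 6, 17

@dataclass
class Rule:
    action: str                               # "permit" or "deny"
    source: Optional[IPv4Network] = None      # None means "any"
    destination: Optional[IPv4Network] = None
    protocol: Optional[int] = None            # IANA protocol number, None = any
    src_ports: Tuple[int, int] = PORT_ANY     # only checked for TCP/UDP
    dst_ports: Tuple[int, int] = PORT_ANY
    dscp: Optional[int] = None                # 0-63, None = any

@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0
    dscp: int = 0

class FlexConnectACL:
    def __init__(self, name: str):
        self.name = name
        self.rules: List[Rule] = []           # list index 0 is sequence 1

    def add_rule(self, sequence: int, rule: Rule) -> int:
        """Insert at the requested sequence and return the sequence actually
        used; gaps are not kept, so rule 29 added to a four-rule ACL becomes 5."""
        if len(self.rules) >= MAX_RULES:
            raise ValueError(f"an ACL supports at most {MAX_RULES} rules")
        if not 1 <= sequence <= MAX_RULES:
            raise ValueError("sequence must be between 1 and 64")
        pos = min(sequence - 1, len(self.rules))
        self.rules.insert(pos, rule)
        return pos + 1

    def change_sequence(self, old: int, new: int) -> None:
        """Move a rule; displaced rules shift so numbering stays contiguous."""
        rule = self.rules.pop(old - 1)
        self.rules.insert(min(new - 1, len(self.rules)), rule)

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        if rule.source is not None and IPv4Address(pkt.src) not in rule.source:
            return False
        if rule.destination is not None and IPv4Address(pkt.dst) not in rule.destination:
            return False
        if rule.protocol is not None and rule.protocol != pkt.protocol:
            return False
        if pkt.protocol in (TCP, UDP) and not (     # ports exist only for TCP/UDP
                rule.src_ports[0] <= pkt.sport <= rule.src_ports[1]
                and rule.dst_ports[0] <= pkt.dport <= rule.dst_ports[1]):
            return False
        return rule.dscp is None or rule.dscp == pkt.dscp

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """Return (action, matching sequence); the implicit deny has no sequence."""
        for seq, rule in enumerate(self.rules, 1):
            if self._matches(rule, pkt):
                return rule.action, seq
        return "deny", None

def split_tunnel_path(acl: FlexConnectACL, pkt: Packet) -> str:
    """Local-split ACL: permitted traffic is switched at the AP, everything else
    goes centrally over CAPWAP (not dropped, unlike a deny in a VLAN ACL)."""
    return "local" if acl.evaluate(pkt)[0] == "permit" else "central"

def build_branch_acl(permit_dhcp: bool = True) -> FlexConnectACL:
    """Constructed ACL: keep DHCP and traffic to the 10.20.0.0/16 branch LAN local.
    Without the DHCP permit, the implicit deny blocks address assignment."""
    acl = FlexConnectACL("branch-split")
    if permit_dhcp:
        acl.add_rule(1, Rule("permit", protocol=UDP, dst_ports=(67, 68)))
    acl.add_rule(2, Rule("permit", destination=IPv4Network("10.20.0.0/16")))
    return acl

def sequence_demo() -> Tuple[int, List[int]]:
    """Reproduce the guide's renumbering example; protocol is only a label here."""
    acl = FlexConnectACL("seq-demo")
    for i in (1, 2, 3, 4):
        acl.add_rule(i, Rule("deny", protocol=i))         # rules 1 to 4
    used = acl.add_rule(29, Rule("deny", protocol=5))     # requested 29, stored as 5
    acl.add_rule(6, Rule("deny", protocol=6))
    acl.add_rule(7, Rule("deny", protocol=7))
    acl.change_sequence(7, 5)                             # 5 and 6 become 6 and 7
    return used, [r.protocol for r in acl.rules]
```

Evaluating a constructed DHCP Discover, a packet to a branch printer and a packet to an Internet host against `build_branch_acl()` shows the first two staying local and the third going central, while `build_branch_acl(permit_dhcp=False)` drops the DHCP packet on the implicit deny.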
Configuring FlexConnect ACLs (CLI)
Use the following commands on the controller to configure FlexConnect ACLs:
• config flexconnect acl create name
Creates an ACL on a FlexConnect access point. The name must be an IPv4 ACL name of up to 32
characters.
• config flexconnect acl delete name
Deletes a FlexConnect ACL.
• config flexconnect acl rule action acl-name rule-index {permit | deny}
Sets the action of an ACL rule to permit or deny.
• config flexconnect acl rule add acl-name rule-index
Adds an ACL rule.
• config flexconnect acl rule change index acl-name old-index new-index
Changes the index value for an ACL rule.
• config flexconnect acl rule delete name
Deletes an ACL rule.
• config flexconnect acl rule dscp acl-name rule-index {0-63 | any}
Specifies the differentiated services code point (DSCP) value of the rule. DSCP is an IP header field
that can be used to define the quality of service across the Internet. Enter a value between 0 and 63 or
the value any. The default value is any.
• config flexconnect acl rule protocol acl-name rule-index {0-255 | any}
Specifies the IP protocol number of an ACL rule. Specify a value between 0 and 255 or ‘any’. The default is ‘any.’
• config flexconnect acl rule destination address acl-name rule-index ipv4-addr subnet-mask
Configures a rule's destination IP address and netmask.
• config flexconnect acl rule destination port range acl-name rule-index start-port end-port
Configures a rule’s destination port range.
• config flexconnect acl rule source address acl-name rule-index ipv4-addr subnet-mask
Configures a rule's source IP address and netmask.
• config flexconnect acl apply acl-name
Applies an ACL to the FlexConnect access point.
• config flexconnect acl rule swap acl-name index-1 index-2
Swaps the index values of two rules.
• config ap flexconnect vlan add acl vlan-id ingress-acl-name egress-acl-name ap-name
Adds a VLAN on a FlexConnect access point and maps an ingress ACL and an egress ACL to it.
• config flexconnect acl rule source port range acl-name rule-index start-port end-port
Configures a rule’s source port range.
Viewing and Debugging FlexConnect ACLs (CLI)
Use the following commands on the controller to view information related to FlexConnect ACLs:
• show flexconnect acl summary—Displays a summary of the ACLs.
• show client detail mac-address—Displays the FlexConnect ACL Applied Status and IPv4 ACL Applied
Status. The IPv4 ACL name field shows the ACL applied to the client based on local/central switching.
• show flexconnect acl detailed acl-name—Displays the detailed information about the ACL.
• debug flexconnect acl {enable | disable}—Enables or disables the debugging of FlexConnect ACL.
• debug capwap reap—Enables debugging of CAPWAP.
Configuring FlexConnect Groups
Information About FlexConnect Groups
To organize and manage your FlexConnect access points, you can create FlexConnect Groups and assign
specific access points to them.
All of the FlexConnect access points in a group share the same backup RADIUS server, CCKM, and local
authentication configuration information. This feature is helpful if you have multiple FlexConnect access
points in a remote office or on the floor of a building and you want to configure them all at once. For example,
you can configure a backup RADIUS server for a FlexConnect group rather than having to configure the same server
on each access point.
The following figure shows a typical FlexConnect deployment with a backup RADIUS server in the branch
office.
Figure 2: FlexConnect Group Deployment
FlexConnect Groups and Backup RADIUS Servers
You can configure the controller to allow a FlexConnect access point in standalone mode to perform full
802.1X authentication to a backup RADIUS server. You can configure a primary backup RADIUS server or
both a primary and secondary backup RADIUS server. These servers can be used when the FlexConnect
access point is in either of these two modes: standalone or connected.
FlexConnect Groups and CCKM
FlexConnect Groups are required for CCKM fast roaming to work with FlexConnect access points. CCKM
fast roaming is achieved by caching a derivative of the master key from a full EAP authentication so that a
simple and secure key exchange can occur when a wireless client roams to a different access point. This feature
prevents the need to perform a full RADIUS EAP authentication as the client roams from one access point to
another. The FlexConnect access points need to obtain the CCKM cache information for all the clients that
might associate so they can process it quickly instead of sending it back to the controller. If, for example, you
have a controller with 300 access points and 100 clients that might associate, sending the CCKM cache for
all 100 clients is not practical. If you create a FlexConnect group that includes a limited number of access points
(for example, you create a group for four access points in a remote office), the clients roam only among those
four access points, and the CCKM cache is distributed among those four access points only when the clients
associate to one of them.
Note
CCKM fast roaming among FlexConnect and non-FlexConnect access points is not supported.
FlexConnect Groups and Opportunistic Key Caching
Starting with the Cisco Wireless LAN Controller Release 7.0.116.0, FlexConnect groups accelerate
Opportunistic Key Caching (OKC) to enable fast roaming of clients. OKC facilitates fast roaming by using
PMK caching in access points that are in the same FlexConnect group.
OKC prevents the need to perform a full authentication as the client roams from one access point to another.
FlexConnect groups store the cached key on the APs of the same group, accelerating the process. However,
they are not required, as OKC will still happen between access points belonging to different FlexConnect
groups and will use the cached key present on the Cisco WLC, provided that Cisco WLC is reachable and
APs are in connected mode.
To see the PMK cache entries at the FlexConnect access point, use the show capwap reap pmk command.
This feature is supported on Cisco FlexConnect access points only. The PMK cache entries cannot be viewed
on Non-FlexConnect access points.
Note
The FlexConnect access point must be in connected mode when the PMK is derived during WPA2/802.1x
authentication.
When using FlexConnect groups for OKC or CCKM, the PMK-cache is shared only across the access points
that are part of the same FlexConnect group and are associated to the same controller. If the access points are
in the same FlexConnect group but are associated to different controllers that are part of the same mobility
group, the PMK cache is not updated and CCKM roaming will fail but OKC roaming will still work.
Note
For APs in FlexConnect mode, 802.11r fast roaming works only if the APs are in the same FlexConnect group.
FlexConnect Groups and Local Authentication
You can configure the controller to allow a FlexConnect access point in standalone mode to perform LEAP or
EAP-FAST authentication for up to 100 statically configured users. The controller sends the static list of
usernames and passwords to each FlexConnect access point when it joins the controller. Each access point in
the group authenticates only its own associated clients.
This feature is ideal for customers who are migrating from an autonomous access point network to a lightweight
FlexConnect access point network and are not interested in maintaining a large user database or adding another
hardware device to replace the RADIUS server functionality available in the autonomous access point.
Configuring FlexConnect Groups (GUI)
Note
This feature can be used with the FlexConnect backup RADIUS server feature. If a FlexConnect group is
configured with both a backup RADIUS server and local authentication, the FlexConnect access point
always attempts to authenticate clients using the primary backup RADIUS server first, followed by the
secondary backup RADIUS server (if the primary is not reachable), and finally the FlexConnect access
point itself (if the primary and secondary are not reachable).
For information about the number of FlexConnect groups and access point support for a Cisco WLC model,
see the data sheet of the respective Cisco WLC model.
Configuring FlexConnect Groups (GUI)
Step 1
Choose Wireless > FlexConnect Groups to open the FlexConnect Groups page.
This page lists any FlexConnect groups that have already been created.
If you want to delete an existing group, hover your cursor over the blue drop-down arrow for that group and
choose Remove.
Step 2
Click New to create a new FlexConnect Group.
Step 3
On the FlexConnect Groups > New page, enter the name of the new group in the Group Name text box. You can
enter up to 32 alphanumeric characters.
Step 4
Click Apply. The new group appears on the FlexConnect Groups page.
Step 5
To edit the properties of a group, click the name of the desired group. The FlexConnect Groups > Edit page appears.
Step 6
If you want to configure a primary RADIUS server for this group (for example, the access points are using 802.1X
authentication), choose the desired server from the Primary RADIUS Server drop-down list. Otherwise, leave the text
box set to the default value of None.
Note
IPv6 RADIUS Server is not configurable. Only IPv4 configuration is supported.
Step 7
If you want to configure a secondary RADIUS server for this group, choose the server from the Secondary RADIUS
Server drop-down list. Otherwise, leave the field set to the default value of None.
Step 8
To add an access point to the group, click Add AP. Additional fields appear on the page under Add AP.
Step 9
Perform one of the following tasks:
• To choose an access point that is connected to this controller, select the Select APs from Current Controller
check box and choose the name of the access point from the AP Name drop-down list.
Note
If you choose an access point on this controller, the MAC address of the access point is automatically
entered in the Ethernet MAC text box to prevent any mismatches from occurring.
• To choose an access point that is connected to a different controller, leave the Select APs from Current Controller
check box unselected and enter its MAC address in the Ethernet MAC text box.
Note
If the FlexConnect access points within a group are connected to different controllers, all of the controllers
must belong to the same mobility group.
Step 10
Click Add to add the access point to this FlexConnect group. The access point’s MAC address, name, and status appear
at the bottom of the page.
Note
If you want to delete an access point, hover your cursor over the blue drop-down arrow for that access point
and choose Remove.
Step 11
Click Apply.
Step 12
Enable local authentication for a FlexConnect Group as follows:
a) Ensure that the Primary RADIUS Server and Secondary RADIUS Server parameters are set to None.
b) Select the Enable AP Local Authentication check box to enable local authentication for this FlexConnect Group.
The default value is unselected.
c) Click Apply.
d) Choose the Local Authentication tab to open the FlexConnect > Edit (Local Authentication > Local Users)
page.
e) To add clients that you want to be able to authenticate using LEAP or EAP-FAST, perform one of the following:
f) Upload a comma-separated values (CSV) file by selecting the Upload CSV File check box, clicking the Browse
button to browse to a CSV file that contains usernames and passwords (each line of the file needs to be in the
following format: username, password), and clicking Add to upload the CSV file. The clients’ names appear on the
left side of the page under the “User Name” heading.
g) Add clients individually by entering the client’s username in the User Name text box and a password for the client
in the Password and Confirm Password text boxes, and clicking Add to add this client to the list of supported local
users. The client name appears on the left side of the page under the “User Name” heading.
Note
You can add up to 100 clients.
h) Click Apply.
i) Choose the Protocols tab to open the FlexConnect > Edit (Local Authentication > Protocols) page.
j) To allow a FlexConnect access point to authenticate clients using LEAP, select the Enable LEAP Authentication
check box.
k) To allow a FlexConnect access point to authenticate clients using EAP-FAST, select the Enable EAP-FAST
Authentication check box. The default value is unselected.
l) Perform one of the following, depending on how you want protected access credentials (PACs) to be provisioned:
• To use manual PAC provisioning, enter the server key used to encrypt and decrypt PACs in the Server Key and
Confirm Server Key text boxes. The key must be 32 hexadecimal characters.
• To allow PACs to be sent automatically to clients that do not have one during PAC provisioning, select the
Enable Auto Key Generation check box.
m) In the Authority ID text box, enter the authority identifier of the EAP-FAST server. The identifier must be 32
hexadecimal characters.
n) In the Authority Info text box, enter the authority identifier of the EAP-FAST server in text format. You can enter
up to 32 hexadecimal characters.
o) To specify a PAC timeout value, select the PAC Timeout check box and enter the number of seconds for the PAC
to remain viable in the text box. The default value is unselected, and the valid range is 2 to 4095 seconds when
enabled.
p) Click Apply.
Step 13
In the WLAN-ACL mapping tab, you can do the following:
a) Under Web Auth ACL Mapping, enter the WLAN ID, choose the WebAuth ACL, and click Add to map the web
authentication ACL and the WLAN.
b) Under Local Split ACL Mapping, enter the WLAN ID, and choose the Local Split ACL, and click Add to map the
Local Split ACL to the WLAN.
Note
You can configure up to 16 WLAN-ACL combinations for local split tunneling. Local split tunneling does
not work for clients with static IP address.
Step 14
In the Central DHCP tab, you can do the following:
a) In the WLAN Id box, enter the WLAN ID with which you want to map Central DHCP.
b) Select or unselect the Central DHCP check box to enable or disable Central DHCP for the mapping.
c) Select or unselect the Override DNS check box to enable or disable overriding of DNS for the mapping.
d) Select or unselect the NAT-PAT check box to enable or disable network address translation and port address translation
for the mapping.
e) Click Add to add the Central DHCP - WLAN mapping.
Note
When the overridden interface is enabled for the FlexConnect Group DHCP, the DHCP broadcast to unicast is
optional for locally switched clients.
Step 15
Click Save Configuration.
Step 16
Repeat this procedure if you want to add more FlexConnect groups.
Note
To see if an individual access point belongs to a FlexConnect Group, you can choose Wireless > Access Points
> All APs > the name of the desired access point in the FlexConnect tab. If the access point belongs to a
FlexConnect group, the name of the group appears in the FlexConnect Name text box.
Configuring FlexConnect Groups (CLI)
Step 1
Add or delete a FlexConnect Group by entering this command:
config flexconnect group group_name {add | delete}
Step 2
Configure a primary or secondary RADIUS server for the FlexConnect group by entering this command:
config flexconnect group group-name radius server auth {{add {primary | secondary} ip-addr auth-port secret} |
{delete {primary | secondary}}}
Step 3
Add an access point to the FlexConnect Group by entering this command:
config flexconnect group group_name ap {add | delete} ap_mac
Step 4
Configure local authentication for a FlexConnect group as follows:
a) Make sure that a primary and secondary RADIUS server are not configured for the FlexConnect Group.
b) To enable or disable local authentication for this FlexConnect group, enter this command:
config flexconnect group group_name radius ap {enable | disable}
c) Enter the username and password of a client that you want to be able to authenticate using LEAP or EAP-FAST by
entering this command:
config flexconnect group group_name radius ap user add username password password
Note
You can add up to 100 clients.
d) Allow a FlexConnect access point group to authenticate clients using LEAP or to disable this behavior by entering
this command:
config flexconnect group group_name radius ap leap {enable | disable}
e) Allow a FlexConnect access point group to authenticate clients using EAP-FAST or to disable this behavior by
entering this command:
config flexconnect group group_name radius ap eap-fast {enable | disable}
f) To download EAP Root and Device certificate to AP, enter this command:
config flexconnect group group_name radius ap eap-cert download
g) Allow a FlexConnect access point group to authenticate clients using EAP-TLS or to disable this behavior by entering
this command:
config flexconnect group group_name radius ap eap-tls {enable | disable}
h) Allow a FlexConnect access point group to authenticate clients using PEAP or to disable this behavior by entering
this command:
config flexconnect group group_name radius ap peap {enable | disable}
i) Enter one of the following commands, depending on how you want PACs to be provisioned:
• config flexconnect group group_name radius ap server-key key—Specifies the server key used to encrypt
and decrypt PACs. The key must be 32 hexadecimal characters.
• config flexconnect group group_name radius ap server-key auto—Allows PACs to be sent automatically to
clients that do not have one during PAC provisioning.
j) To specify the authority identifier of the EAP-FAST server, enter this command:
config flexconnect group group_name radius ap authority id id
where id is 32 hexadecimal characters.
k) To specify the authority identifier of the EAP-FAST server in text format, enter this command:
config flexconnect group group_name radius ap authority info info
where info is up to 32 hexadecimal characters.
l) To specify the number of seconds for the PAC to remain viable, enter this command:
config flexconnect group group_name radius ap pac-timeout timeout
where timeout is a value between 2 and 4095 seconds (inclusive) or 0. A value of 0, which is the default value,
disables the PAC timeout.
Step 5
Configure a Policy ACL on a FlexConnect group by entering this command:
config flexconnect group group-name acl {add | delete} acl-name
Step 6
Configure local split tunneling on a per-FlexConnect group basis by entering this command:
config flexconnect group group_name local-split wlan wlan-id acl acl-name flexconnect-group-name {enable |
disable}
Step 7
To set multicast/broadcast across L2 broadcast domain on overridden interface for locally switched clients, enter this
command:
config flexconnect group group_name multicast overridden-interface {enable | disable}
Step 8
Configure central DHCP per WLAN by entering this command:
config flexconnect group group-name central-dhcp wlan-id {enable override dns | disable | delete}
Step 9
Configure the DHCP overridden interface for the FlexConnect group by entering this command:
config flexconnect group group_name dhcp overridden-interface enable
Step 10
Configure policy acl on FlexConnect group by entering this command:
config flexconnect group group_name policy acl {add | delete} acl-name
Step 11
Configure web-auth acl on flexconnect group by entering this command:
config flexconnect group group_name web-auth wlan wlan-id acl acl-name {enable | disable}
Step 12
Configure wlan-vlan mapping on flexconnect group by entering this command:
config flexconnect group group_name wlan-vlan wlan wlan-id {add | delete} vlan vlan-id
Step 13
To set up the efficient (FlexConnect AP) upgrade for the group, enter one of these commands:
config flexconnect group group_name predownload {enable | disable}
config flexconnect group group_name predownload master ap-name
config flexconnect group group_name predownload slave ap-name ap-name
config flexconnect group group_name predownload slave retry-count max-retry-count
Step 14
Save your changes by entering this command:
save config
Step 15
See the current list of FlexConnect groups by entering this command:
show flexconnect group summary
Step 16
See the details for a specific FlexConnect group by entering this command:
show flexconnect group detail group_name
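The following Python script, added here as an example and not part of Cisco's documentation or software, builds the Step 4 command sequence from a CSV user list in the GUI upload format and rejects values that violate the limits stated in this procedure (100 users, 32-character alphanumeric group name, 32-hex-character keys, PAC timeout of 0 or 2 to 4095 seconds). The group name, usernames and passwords are constructed sample data.

```python
"""Build the Cisco WLC CLI command sequence that enables local
authentication (LEAP/EAP-FAST) on a FlexConnect group from a CSV user
list, checking the limits this guide states before anything is typed
into the controller. Added example, not Cisco's code: the command syntax
is from the CLI procedure above; the group name and CSV are constructed."""
import csv
import io
import re

MAX_LOCAL_USERS = 100                              # "You can add up to 100 clients."
GROUP_NAME = re.compile(r"^[A-Za-z0-9]{1,32}$")    # up to 32 alphanumeric characters
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")           # server key / authority id
PAC_TIMEOUT_RANGE = (2, 4095)                      # seconds; 0 disables the timeout


class FlexConfigError(ValueError):
    """A value violates a limit documented for the feature."""


def parse_user_csv(text):
    """Parse 'username, password' lines, the format the GUI upload expects."""
    users = []
    for row in csv.reader(io.StringIO(text)):
        if not any(field.strip() for field in row):
            continue                                   # blank line
        if len(row) != 2:
            raise FlexConfigError("expected 'username, password': %r" % (row,))
        name, password = row[0].strip(), row[1].strip()
        if not name or not password:
            raise FlexConfigError("empty username or password: %r" % (row,))
        users.append((name, password))
    if len(users) > MAX_LOCAL_USERS:
        raise FlexConfigError("%d users exceeds the %d-user limit"
                              % (len(users), MAX_LOCAL_USERS))
    return users


def local_auth_commands(group, users, leap=True, eap_fast=True,
                        server_key=None, authority_id=None, pac_timeout=0,
                        radius_server_configured=False):
    """Return the ordered CLI lines for Step 4 of the CLI procedure.

    server_key=None selects automatic PAC key generation ('server-key auto');
    otherwise the key must be 32 hex characters. pac_timeout is 0 or 2..4095.
    """
    if not GROUP_NAME.match(group):
        raise FlexConfigError("group name must be 1-32 alphanumeric characters")
    if radius_server_configured:
        # Step 4a: no primary/secondary RADIUS server may be set on the group
        raise FlexConfigError("remove the group's RADIUS servers first")
    if server_key is not None and not HEX32.match(server_key):
        raise FlexConfigError("server key must be 32 hexadecimal characters")
    if authority_id is not None and not HEX32.match(authority_id):
        raise FlexConfigError("authority id must be 32 hexadecimal characters")
    lo, hi = PAC_TIMEOUT_RANGE
    if pac_timeout != 0 and not lo <= pac_timeout <= hi:
        raise FlexConfigError("pac-timeout must be 0 or %d-%d seconds" % (lo, hi))

    base = "config flexconnect group %s radius ap" % group
    cmds = ["config flexconnect group %s add" % group, base + " enable"]
    cmds += ["%s user add %s password %s" % (base, name, pw) for name, pw in users]
    cmds.append("%s leap %s" % (base, "enable" if leap else "disable"))
    cmds.append("%s eap-fast %s" % (base, "enable" if eap_fast else "disable"))
    if eap_fast:
        cmds.append("%s server-key %s" % (base, server_key or "auto"))
        if authority_id:
            cmds.append("%s authority id %s" % (base, authority_id))
        cmds.append("%s pac-timeout %d" % (base, pac_timeout))
    cmds.append("save config")
    return cmds


# Constructed sample input (not real credentials); the WLC CLI takes the
# password in clear text on the command line, so the file must be protected.
SAMPLE_CSV = "alice, Wint3rBranch\nbob, R3mote0ffice\n\ncarol, Fl3xUser\n"

if __name__ == "__main__":
    for line in local_auth_commands("BranchA", parse_user_csv(SAMPLE_CSV),
                                    authority_id="0" * 32, pac_timeout=3600):
        print(line)
```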
Configuring VLAN-ACL Mapping on FlexConnect Groups (GUI)
Step 1
Choose Wireless > FlexConnect Groups.
The FlexConnect Groups page appears. This page lists the access points associated with the controller.
Step 2
Click the Group Name link of the FlexConnect Group for which you want to configure VLAN-ACL mapping.
Step 3
Click the VLAN-ACL Mapping tab.
The VLAN-ACL Mapping page for that FlexConnect group appears.
Step 4
Enter the Native VLAN ID in the VLAN ID text box.
Step 5
From the Ingress ACL drop-down list, choose the Ingress ACL.
Step 6
From the Egress ACL drop-down list, choose the Egress ACL.
Step 7
Click Add to add this mapping to the FlexConnect Group.
The VLAN ID is mapped with the required ACLs. To remove the mapping, hover your mouse over the blue drop-down
arrow and choose Remove.
Note
The Access Points inherit the VLAN-ACL mapping on the FlexConnect groups if the WLAN VLAN mapping
is also configured on the groups.
Configuring VLAN-ACL Mapping on FlexConnect Groups (CLI)
Add a VLAN to a FlexConnect group and map the ingress and egress ACLs by entering this command:
• config flexconnect group group-name vlan add vlan-id acl ingress-acl egress-acl
Viewing VLAN-ACL Mappings (CLI)
View FlexConnect group details by entering this command:
• show flexconnect group detail group-name
View VLAN-ACL mappings on the AP by entering this command:
• show ap config general ap-name
Configuring AAA Overrides for FlexConnect
Information About Authentication, Authorization, Accounting Overrides
The Allow Authentication, Authorization, Accounting (AAA) Override option of a WLAN enables you to
configure the WLAN for authentication. It enables you to apply VLAN tagging, QoS, and ACLs to individual
clients based on the RADIUS attributes returned from the AAA server.
AAA overrides for FlexConnect access points introduce a dynamic VLAN assignment for locally switched
clients. AAA overrides for FlexConnect also support fast roaming (Opportunistic Key Caching [OKC]/Cisco
Centralized Key Management [CCKM]) of overridden clients.
VLAN overrides for FlexConnect are applicable for both centrally and locally authenticated clients. VLANs
can be configured on FlexConnect groups.
If a VLAN on the AP is configured using the WLAN-VLAN, the AP configuration of the corresponding ACL
is applied. If the VLAN is configured using the FlexConnect group, the corresponding ACL configured on
the FlexConnect group is applied. If the same VLAN is configured on the FlexConnect group and also on the
AP, the AP configuration, with its ACL, takes precedence. If there is no slot for a new VLAN from the
WLAN-VLAN mapping, the latest configured FlexConnect group VLAN is replaced.
If the VLAN that was returned from the AAA is not present on the AP, the client falls back to the default
VLAN configured for the WLAN.
Before configuring an AAA override, the VLAN must be created on the access points. These VLANs can be
created by using the existing WLAN-VLAN mappings on the access points, or by using the FlexConnect
group VLAN-ACL mappings.
AAA Override for IPv6 ACLs
In order to support centralized access control through a centralized AAA server such as the Cisco Identity
Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override
attributes. In order to use this feature, the IPv6 ACL must be configured on the controller and the WLAN
must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is
Airespace-IPv6-ACL-Name similar to the Airespace-ACL-Name attribute used for provisioning an IPv4-based
ACL. The AAA attribute-returned contents should be a string that is equal to the name of the IPv6 ACL as
configured on the controller.
Restrictions for AAA Overrides for FlexConnect
• Before configuring an AAA override, VLANs must be created on the access points. These VLANs can
be created by using the existing WLAN-VLAN mappings on the access points, or by using the
FlexConnect group VLAN-ACL mappings.
• At any given point, an AP has a maximum of 16 VLANs. First, the VLANs are selected as per the AP
configuration (WLAN-VLAN), and then the remaining VLANs are pushed from the FlexConnect group
in the order that they are configured or displayed in the FlexConnect group. If the VLAN slots are full,
an error message is displayed.
• VLAN, ACL, QoS, Rate limiting are supported with local and central switching WLAN.
• Dynamic VLAN assignment is not supported for web authentication from a controller with Access
Control Server (ACS).
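To make the VLAN precedence and slot rules above concrete, the following Python model (an added example, not Cisco's code) fills an AP's 16 VLAN slots from the AP WLAN-VLAN mappings first and the FlexConnect group VLAN-ACL mappings second, then resolves the VLAN and ACLs a client receives for an AAA-returned VLAN, including the fallback to the WLAN default VLAN. The VLAN IDs and ACL names are constructed.

```python
"""Model of the VLAN slot table on a FlexConnect AP and of AAA VLAN
override resolution, following the rules in this section. Added example,
not Cisco's code; MAX_AP_VLANS and the precedence rules come from the
text above, the VLAN IDs and ACL names below are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_AP_VLANS = 16   # "At any given point, an AP has a maximum of 16 VLANs."


@dataclass(frozen=True)
class VlanEntry:
    vlan_id: int
    ingress_acl: Optional[str]
    egress_acl: Optional[str]
    source: str                 # "ap" (WLAN-VLAN mapping) or "group"


@dataclass
class ApVlanTable:
    entries: List[VlanEntry] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)

    def find(self, vlan_id):
        return next((e for e in self.entries if e.vlan_id == vlan_id), None)

    def add_ap_vlan(self, vlan_id, ingress=None, egress=None):
        """AP-level mapping: replaces a group entry for the same VLAN (the AP
        configuration and its ACL take precedence) and, when no slot is free,
        evicts the latest configured FlexConnect group VLAN."""
        existing = self.find(vlan_id)
        if existing is not None:
            self.entries.remove(existing)
        elif len(self.entries) >= MAX_AP_VLANS:
            group_entries = [e for e in self.entries if e.source == "group"]
            if not group_entries:
                self.errors.append("no slot for AP VLAN %d" % vlan_id)
                return False
            self.entries.remove(group_entries[-1])
        self.entries.append(VlanEntry(vlan_id, ingress, egress, "ap"))
        return True

    def add_group_vlan(self, vlan_id, ingress=None, egress=None):
        """Group mapping: never overrides a VLAN already on the AP and is
        rejected with an error message once the slots are full."""
        if self.find(vlan_id) is not None:
            return False
        if len(self.entries) >= MAX_AP_VLANS:
            self.errors.append("VLAN slots full; group VLAN %d not pushed" % vlan_id)
            return False
        self.entries.append(VlanEntry(vlan_id, ingress, egress, "group"))
        return True


def build_ap_vlan_table(ap_vlans, group_vlans):
    """AP WLAN-VLAN mappings are selected first, then the group's VLAN-ACL
    mappings in the order they are configured in the FlexConnect group."""
    table = ApVlanTable()
    for vlan_id, ingress, egress in ap_vlans:
        table.add_ap_vlan(vlan_id, ingress, egress)
    for vlan_id, ingress, egress in group_vlans:
        table.add_group_vlan(vlan_id, ingress, egress)
    return table


def resolve_client_vlan(table, wlan_default_vlan, aaa_vlan):
    """Apply the VLAN returned by AAA if it exists on the AP; otherwise the
    client falls back to the default VLAN configured for the WLAN.
    Returns (vlan_id, ingress_acl, egress_acl, source)."""
    entry = table.find(aaa_vlan) if aaa_vlan is not None else None
    if entry is not None:
        return (entry.vlan_id, entry.ingress_acl, entry.egress_acl, entry.source)
    default = table.find(wlan_default_vlan)
    if default is None:
        return (wlan_default_vlan, None, None, "wlan-default")
    return (default.vlan_id, default.ingress_acl, default.egress_acl, "wlan-default")


# Constructed sample configuration: two AP-level VLANs, sixteen group VLANs
AP_VLANS = [(10, "corp-in", "corp-out"), (20, None, None)]
GROUP_VLANS = [(20, "grp20-in", "grp20-out")] + \
    [(v, "guest-in", "guest-out") for v in range(30, 45)]

if __name__ == "__main__":
    table = build_ap_vlan_table(AP_VLANS, GROUP_VLANS)
    print(len(table.entries), "VLANs on the AP;", table.errors)
    for aaa in (20, 30, 99):
        print("AAA VLAN", aaa, "->", resolve_client_vlan(table, 10, aaa))
```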
Configuring AAA Overrides for FlexConnect on an Access Point (GUI)
Step 1
Choose Wireless > Access Points > All APs.
The All APs page is displayed. This page lists the access points associated with the controller.
Step 2
Click the corresponding AP name.
Step 3
Click the FlexConnect tab.
Step 4
Enter a value for Native VLAN ID.
Step 5
Click the VLAN Mappings button to configure the AP VLAN mappings.
The following parameters are displayed:
• AP Name—The access point name.
• Base Radio MAC—The base radio of the AP.
• WLAN-SSID-VLAN ID Mapping—For each WLAN configured on the controller, the corresponding SSID and
VLAN IDs are listed. Change a WLAN-VLAN ID mapping by editing the VLAN ID column for a WLAN.
• Centrally Switched WLANs—If centrally switched WLANs are configured, WLAN–VLAN mapping is listed.
• AP Level VLAN ACL Mapping—The following parameters are available:
◦ VLAN ID—The VLAN ID.
◦ Ingress ACL—The Ingress ACL corresponding to the VLAN.
◦ Egress ACL—The Egress ACL corresponding to the VLAN.
Change the ingress ACL and egress ACL mappings by selecting the mappings from the drop-down list for each
ACL type.
• Group Level VLAN ACL Mapping—The following group level VLAN ACL mapping parameters are available:
◦ VLAN ID—The VLAN ID.
◦ Ingress ACL—The ingress ACL for this VLAN.
◦ Egress ACL—The egress ACL for this VLAN.
Step 6
Click Apply.
Configuring VLAN Overrides for FlexConnect on an Access Point (CLI)
To configure VLAN overrides on a FlexConnect access point, use the following command:
config ap flexconnect vlan add vlan-id acl ingress-acl egress-acl ap_name
Configuring FlexConnect AP Upgrades for FlexConnect Access Points
Information About FlexConnect AP Upgrades
Normally, upgrading the image of an AP causes downtime because the access point cannot serve clients during
the upgrade. The pre-image download feature can be used to reduce the amount of time the AP is unavailable
to serve clients. However, in a branch office setup, the upgrade image is still downloaded to each access
point over the WAN link, which has a higher latency.
A more efficient way is to use the FlexConnect AP Upgrade feature. When this feature is enabled, one access
point of each model in the local network first downloads the upgrade image over the WAN link. It works
similarly to the master-slave or client-server model. This access point then becomes the master for the remaining
access points of the same model. The remaining access points then download the upgrade image from the
master access point using the pre-image download feature over the local network, which avoids the WAN
latency.
Restrictions for FlexConnect AP Upgrades for FlexConnect Access Points
• The primary and secondary controllers in the network must have the same set of primary and backup
images.
• If you configured a FlexConnect group, all access points in that group must be within the same subnet
or must be accessible through NAT.
• A FlexConnect group can have a maximum of 100 APs on Cisco 7510 WLC, and 25 APs on Cisco 5508
WLC.
• A FlexConnect group can have one master AP per AP model. If a master AP is not selected manually,
the AP that has the least MAC address value is automatically chosen as the master AP for that model.
• A maximum of 3 slave APs of the same model can download the image from their master AP (a maximum
of 3 TFTP connections can serve at a time). The rest of the slave APs use the random back-off timer to
retry for the master AP to download the image. The random back-off value is more than 100 seconds.
After a slave AP downloads the image, the AP informs the Cisco WLC about the completion of the
download. After random back-off, the waiting slave AP can occupy the empty TFTP slot at the master
AP.
If a slave AP fails to download the image from its master AP even after the slave retry count that you
have configured is exhausted, the slave AP reaches out to the Cisco WLC to fetch the new image.
• This feature works only with CAPWAP APs.
• This feature does not work if a master AP is connected over CAPWAP6.
• If you upgrade from a release that is prior to Release 7.5 directly to Release 7.6.X or a later release, the
predownload process on Cisco AP2600 and AP3600 fails. After the Cisco WLC is upgraded to Release
7.6.X or a later release, the new image is loaded on Cisco AP2600 and AP3600. After the upgrade to a
Release 7.6.X image, the predownload functionality works as expected. The predownload failure is only
a one-time failure.
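The master election rule above, as an added Python example that is not Cisco's code: one master per AP model, taken from a manual assignment when present and otherwise the AP with the lowest Ethernet MAC value, together with the per-group AP limit check for the 7510 and 5508 controllers and the slave retry count range from the GUI procedure. AP names, models and MAC addresses are constructed.

```python
"""Master AP election for a FlexConnect AP upgrade, following the
restrictions above. Added example, not Cisco's code; the APs below are
constructed and the limits are those stated in this section."""
import re

GROUP_AP_LIMITS = {"7510": 100, "5508": 25}   # max APs per FlexConnect group
SLAVE_RETRY_RANGE = (1, 63)                   # GUI Slave Maximum Retry Count
TFTP_SLOTS_PER_MASTER = 3                     # concurrent slave downloads


def mac_value(mac):
    """48-bit integer value of aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or
    aabb.ccdd.eeff, so that 'least MAC address value' is compared numerically
    rather than as text (case and separators would otherwise affect it)."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return int(digits, 16)


def elect_masters(aps, manual_masters=()):
    """aps: iterable of (ap_name, model, mac); manual_masters: names set with
    'predownload master'. Returns {model: master_ap_name}."""
    by_name = {name: (model, mac) for name, model, mac in aps}
    masters = {}
    for name in manual_masters:
        if name not in by_name:
            raise ValueError("unknown AP %r" % (name,))
        model = by_name[name][0]
        if model in masters:                  # only one master per AP model
            raise ValueError("two manual masters for model %s" % model)
        masters[model] = name
    for model in {model for model, _ in by_name.values()}:
        if model not in masters:
            candidates = [n for n, (m, _) in by_name.items() if m == model]
            masters[model] = min(candidates, key=lambda n: mac_value(by_name[n][1]))
    return masters


def slave_download_waves(aps, masters):
    """Group the slaves of each model into waves of TFTP_SLOTS_PER_MASTER; the
    real order within later waves depends on the random back-off timer."""
    waves = {}
    for name, model, _ in aps:
        if name != masters[model]:
            waves.setdefault(model, []).append(name)
    return {m: [s[i:i + TFTP_SLOTS_PER_MASTER] for i in range(0, len(s), TFTP_SLOTS_PER_MASTER)]
            for m, s in waves.items()}


def check_upgrade_group(aps, wlc_model, slave_retry_count=44):
    """Raise ValueError if the group exceeds the AP limit of the controller
    model or the retry count is outside the documented range."""
    if wlc_model not in GROUP_AP_LIMITS:
        raise ValueError("no documented limit for WLC model %s" % wlc_model)
    count = len(list(aps))
    if count > GROUP_AP_LIMITS[wlc_model]:
        raise ValueError("%d APs exceeds the %d-AP limit of the Cisco %s WLC"
                         % (count, GROUP_AP_LIMITS[wlc_model], wlc_model))
    lo, hi = SLAVE_RETRY_RANGE
    if not lo <= slave_retry_count <= hi:
        raise ValueError("slave retry count must be %d-%d" % (lo, hi))
    return True


# Constructed sample group: two AP3600s and one AP2600 in a branch office
SAMPLE_APS = [("branch-ap1", "AP3600", "00:1B:2C:AA:BB:CC"),
              ("branch-ap2", "AP3600", "00:1b:2c:0a:bb:cc"),
              ("branch-ap3", "AP2600", "001b.2cff.0001")]

if __name__ == "__main__":
    check_upgrade_group(SAMPLE_APS, "5508")
    masters = elect_masters(SAMPLE_APS)
    print("masters:", masters)
    print("download waves:", slave_download_waves(SAMPLE_APS, masters))
```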
Configuring FlexConnect AP Upgrades (GUI)
Step 1
Choose Wireless > FlexConnect Groups.
The FlexConnect Groups page appears. This page lists the FlexConnect Groups configured on the controller.
Step 2
Click the Group Name link on which you want to configure the image upgrade.
Step 3
Click the Image Upgrade tab.
Step 4
Check the FlexConnect AP Upgrade check box to enable a FlexConnect AP Upgrade.
Step 5
If you enabled the FlexConnect AP upgrade in the previous step, you must enable the following parameters:
• Slave Maximum Retry Count—The number of attempts the slave access point must try to connect to the master
access point for downloading the upgrade image. If the image download does not occur for the configured retry
attempts, the image is upgraded over the WAN. The default value is 44; the valid range is between 1 and 63.
• Upgrade Image—Select the upgrade image. The options are Primary, Backup, and Abort.
Step 6
From the AP Name drop-down list, click Add Master to add the master access point.
You can manually assign master access points in the FlexConnect group by selecting the access points.
Step 7
Click Apply.
Step 8
Click FlexConnect Upgrade to upgrade.
Configuring FlexConnect AP Upgrades (CLI)
• config flexconnect group group-name predownload {enable | disable}—Enables or disables the
FlexConnect AP upgrade.
• config flexconnect group group-name predownload master ap-name—Sets the AP as the master AP
for the model.
• config flexconnect group group-name predownload slave ap-name ap-name—Sets the AP as a slave
AP.
• config flexconnect group group-name predownload slave retry-count max-retry-count —Sets the
retry count for slave APs.
• config flexconnect group group-name predownload start {abort | primary | backup}—Initiates the
image (primary or backup) download on the access points in the FlexConnect group, or aborts an image
download process.
• show flexconnect group group-name—Displays the summary of the FlexConnect group configuration.
• show ap image all—Displays the details of the images on the access point.