FlexConnect

Chapter 7 FlexConnect

Applications

Authentication-local/switch-local

This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a FlexConnect AP goes into standalone mode. The WLAN continues to beacon and respond to probes (Figure 7-5). Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

Figure 7-5 Authentication-Local/Switch-Local WLAN

[Figure placeholder. Diagram labels: Branch; Corporate Central; New User; Existing User; FlexConnect (Standalone Mode); Branch Servers; Centralized WLAN Controller; Cisco Prime Infrastructure; AAA; WEP, Shared, WPA/2 - PSK; 802.1x; Local Auth; Local Switched User Data; CAPWAP Control; dot1q.]

Note

All 802.11 authentication and association processing occurs regardless of which operational mode the AP is in. When in connected mode, the FlexConnect AP forwards all association/authentication information to the WLC. When in standalone mode, the AP cannot notify the WLC of such events, which is why WLANs that make use of central authentication/switching methods are unavailable.

Applications

The FlexConnect AP offers greater flexibility in how it can be deployed, such as:

Branch wireless connectivity

Branch guest access

Public WLAN hotspot

Branch Wireless Connectivity

FlexConnect addresses the wireless connectivity needs in branch locations by permitting wireless user traffic to terminate locally rather than being tunneled across the WAN to a central WLC. With FlexConnect, branch locations can more effectively implement segmentation, access control, and QoS policies on a per-WLAN basis, as shown in Figure 7-6.

OL-14435-01

Enterprise Mobility 7.3 Design Guide


Branch Guest Access

The centralized WLC itself, as shown in Figure 7-6, can perform web authentication for guest access WLANs. The guest user's traffic is segmented (isolated) from other branch office traffic. For more detailed information on guest access, refer to Chapter 10, “Cisco Unified Wireless Network Guest Access Services.”

Figure 7-6 FlexConnect Topology

[Figure placeholder. Diagram labels: Branch; Corporate Central; Branch Servers; Corporate Servers; Cisco Prime Infrastructure; FlexConnect; Centralized WLAN Controller; WLAN 1; WLAN 2; dot1q Trunk; CAPWAP; VLAN Local Access WLAN 1; VLAN Local Access WLAN 2; Management VLAN; CAPWAP Control.]

Public WLAN Hotspot

Many public hotspot service providers are beginning to implement multiple SSID/WLANs. One reason is that an operator might want to offer an open authentication WLAN for web-based access and another WLAN that uses 802.1x/EAP for more secure public access.

The FlexConnect AP, with its ability to map WLANs to separate VLANs, is an alternative to a standalone AP for small venue hotspot deployments where only one, or possibly two, APs are needed. Figure 7-7 provides an example of hotspot topology using a FlexConnect AP.
