Wireless LAN FlexConnect Configuration Example


Tue, 07/14/2015 - 06:05
Apr 27th, 2012


 

Introduction

 

FlexConnect is a wireless solution for branch office and remote office deployments. Prior to WLC Release 7.2, FlexConnect was referred to as Hybrid REAP (HREAP). Now it is called FlexConnect.

The FlexConnect feature enables customers to configure and control access points through a wide area network (WAN) link without deploying a controller in each branch office. The FlexConnect access points can switch client data traffic and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller. In the connected mode, the FlexConnect access point can also perform local authentication.

FlexConnect is supported on the Cisco Aironet 1130AG, 1140, 1240, 1250, 1260, AP801, AP802, AP3550, and Cisco Aironet 600 Series OfficeExtend Access Points on the Cisco WiSM, Cisco 5500, 4400, 2100, 2500, and Flex 7500 Series Controllers; the Catalyst 3750G Integrated Wireless LAN Controller Switch; and the Controller Network Module for Integrated Services Routers.

Information About FlexConnect

FlexConnect (previously known as Hybrid Remote Edge Access Point or H-REAP) is a wireless solution for branch office and remote office deployments. It enables customers to configure and control access points in a branch or remote office from the corporate office through a wide area network (WAN) link without deploying a controller in each office. The FlexConnect access points can switch client data traffic locally and perform client authentication locally when their connection to the controller is lost. When they are connected to the controller, they can also send traffic back to the controller. In the connected mode, the FlexConnect access point can also perform local authentication.

Figure shows a typical FlexConnect deployment.

 

 

Configuring the Wireless LAN Controller for FlexConnect (GUI)

  1. Choose WLANs from the controller web interface to open the WLANs page.
  2. From the drop-down list, select the Create New option and click Go to open the WLANs > New page.
  3. From the Type drop-down list, choose WLANS.
  4. In the Profile Name text box, enter a unique profile name for the WLAN. In this example, the Profile Name is Flexcon.
  5. In the WLAN SSID text box, enter a name for the WLAN. In this example, the SSID is FlexWIFI.
  6. From the WLAN ID drop-down list, choose the ID number for this WLAN. Here the WLAN ID is 4.
  7. Click Apply to save your changes.
  8. Once the changes are applied, the Edit page appears. The controller can be configured for FlexConnect in both centrally switched and locally switched WLANs. In this example, let's configure the controller for FlexConnect in a locally switched WLAN.
  9. In the General tab, select the Status check box to enable the WLAN.
  10. In the Security > Layer 2 tab, select WPA+WPA2 from the Layer 2 Security drop-down list and then set the WPA+WPA2 parameters as required.
  11. In the Advanced tab, select the FlexConnect Local Switching check box to enable local switching for the WLAN. Click Apply to save your changes. Click Save Configuration to save your changes.
  12. Verify the FlexConnect configuration in the WLANs tab.

 

Configuring an Access Point for FlexConnect (GUI)

 

  1. Select Wireless to open the All APs page, and click the name of the desired access point. In this example, click AP_3500E. The All APs > Details page appears.
  2. Select FlexConnect from the AP Mode drop-down list to enable FlexConnect for the AP_3500E access point.
  3. Click Apply to save your changes. The AP will reboot.
  4. After the reboot, the AP has a FlexConnect tab. Click the FlexConnect tab to open the All APs > Details for (FlexConnect) page. Note: If the access point belongs to a FlexConnect group, the name of the group appears in the FlexConnect Name text box.
  5. Select the VLAN Support check box and enter the number of the native VLAN on the remote network (such as 100) in the Native VLAN ID text box.
  6. Click Apply to save the changes. The access point temporarily loses its connection to the controller while its Ethernet port is reset.
  7. Click the name of the same access point and then select the FlexConnect tab.
  8. Click VLAN Mappings to open the All APs > Access Point Name > VLAN Mappings page.
  9. Enter the number of the VLAN from which the clients will get an IP address when doing local switching (VLAN 61, in this example) in the VLAN ID text box.
  10. Click Apply to commit your changes.
  11. Click Save Configuration to save your changes.
     

Verifying the client connectivity

Choose MONITOR > Clients or MONITOR > Summary to verify whether the clients are associating with the FlexConnect AP.

More Information

Cisco Wireless LAN Controller Configuration Guide - Configuring FlexConnect

Cisco WLC Configuration Guide, Release 7.5 - Configuring FlexConnect

stephen.marshall Tue, 05/15/2012 - 20:44

Hi there - just a point of confusion for myself that I would like clarified. Please can you confirm whether or not the Aironet 1040 series APs support HREAP?

Many thanks

Stephen Marshall

Vinayaka Raman Wed, 05/23/2012 - 03:54

Remote office AP registered to corporate office WLC in flex connect mode.

I wanted to ensure they receive IP address from the local WLC, not the WLC configured on controller.

How can I achieve this?

mvoegtlin Sun, 09/02/2012 - 06:55

Hi

I configured flexconnect as described. But my clients don't have connectivity to the local network.

I used vlan 2334 for clients and vlan 186 as native vlan.

I'm running code 7.2.110.0 on 5500 controller and 1242bg Access Points

mvoegtlin Sun, 09/02/2012 - 08:40

I've got some additional information on my problem:

I checked the MAC addresses on the switch interface. There is no MAC address entry on the client vlan.

The switch configuration is correct. I don't use any authentication on the wireless LAN.

Has someone an idea why my setup is not working?

I also tried a vlan number 310 (standard vlan instead of extended vlans) for clients -> no difference

Thanks for your support.

Scott Fella Sun, 09/02/2012 - 09:22

Your switchport is a trunk port, correct, and it's allowing the native vlan of the ap and vlan 310? Can you post your ap switchport config? Is spanning-tree forwarding vlan 310 on that port?

mvoegtlin Sun, 09/02/2012 - 12:07

Hi Scott

Thanks for your help.

Here is the switch config. The AP is working fine. I have access to the AP, but client traffic is obviously not bridged to vlan 2335. I set the AP mode flex connect and the native vlan to 310. In the vlan mapping section on the AP, I set the SSID to vlan 2335.

interface GigabitEthernet3/18
 switchport access vlan 310
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 310
 switchport trunk allowed vlan 310,331,2335
 switchport mode trunk
 switchport port-security
 switchport port-security violation restrict
 no snmp trap link-status
 spanning-tree portfast trunk
 spanning-tree bpduguard enable

switch#sh spann int gig 3/18

Vlan                Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
VLAN0310            Desg FWD 19        128.146  P2p Edge
VLAN0331            Desg FWD 19        128.146  P2p Edge
VLAN2335            Desg FWD 19        128.146  P2p Edge

Scott Fella Sun, 09/02/2012 - 13:25

I would test with a vlan that has a lower id. I never used vlans above 999 to be honest. This will just prove if it's the high vlan id or not. I would also remove the port security on the trunk port.

mvoegtlin Sun, 09/02/2012 - 14:14

Hi Scott

I already checked with vlan id 331. But the port-security is a good hint.

I just checked the switch and saw that Security-Violation counters are at a high level on that port. I'm pretty sure that port-security is the problem. I'm sorry, just wasn't aware of this configuration. I will test it tomorrow and give feedback.

mvoegtlin Sun, 09/09/2012 - 22:51

Hi Scott

Yes, you were right. Port security on the LAN switch was the problem. Thanks once again, and sorry for my silly question. Should have seen it myself.
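
The switchport problem resolved in the thread above, as an added example (not code from the document or from any poster): a small audit of the AP-facing trunk stanza against the AP's native VLAN and mapped client VLANs, which also reports port-security. The helper names and the embedded sample are constructed; it assumes a single interface stanza with an explicit allowed-VLAN list and relies on the IOS defaults of native VLAN 1 and one secure MAC address.

```python
import re

# Constructed sample: the AP-facing trunk stanza as posted in the thread above.
SAMPLE_CONFIG = """\
interface GigabitEthernet3/18
 switchport access vlan 310
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 310
 switchport trunk allowed vlan 310,331,2335
 switchport mode trunk
 switchport port-security
 switchport port-security violation restrict
 spanning-tree portfast trunk
 spanning-tree bpduguard enable
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '310,331,2000-2002' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def setting(config, pattern, default):
    """Return the captured value of an interface sub-command, or a default."""
    m = re.search(r"^\s*" + pattern + r"\s*$", config, re.M)
    return m.group(1) if m else default

def audit_ap_trunk(config, ap_native_vlan, client_vlans):
    """Findings for one switchport stanza feeding a FlexConnect AP (hypothetical helper)."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    if "switchport mode trunk" not in lines:
        findings.append("port is not a trunk, so mapped client VLANs cannot be tagged")
    sw_native = int(setting(config, r"switchport trunk native vlan (\d+)", "1"))
    if sw_native != ap_native_vlan:
        findings.append(f"native VLAN is {sw_native} on the switch but {ap_native_vlan} on the AP")
    allowed = expand_vlans(setting(config, r"switchport trunk allowed vlan ([\d,-]+)", "1-4094"))
    for vlan in sorted(set(client_vlans) - allowed):
        findings.append(f"client VLAN {vlan} is not allowed on the trunk")
    if "switchport port-security" in lines:
        limit = setting(config, r"switchport port-security maximum (\d+)", "1")
        findings.append(f"port-security allows {limit} MAC address(es); every locally "
                        "switched client adds a MAC on this port")
    return findings

if __name__ == "__main__":
    for finding in audit_ap_trunk(SAMPLE_CONFIG, ap_native_vlan=310, client_vlans=[2335]):
        print(finding)
```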

rasyadanr Wed, 12/05/2012 - 19:51

Hi Markus/Scott,

Where did the configuration of the switch take place? On the access switch that connects directly to the AP or on the core/distribution switch? I have 40 APs at a remote site, and the controller resides at HQ. The connection between APs and controller seems ok. The APs got the dynamic IP address and joined the controller. Sadly, the clients at the remote site do not get an IP address after connecting to the SSID. The WAN connection between the HQ & remote site is using access port via MetroE network.

Please help me to rectify this problem. Thank you in advance.

shamax_1983 Wed, 12/05/2012 - 20:02

Do your remote users reside in a separate VLAN to the one the Access Points are in?

If so, for the customers to get an IP from their specific VLAN, you should either have a dhcp ip-helper address defined on the local router (remote router) or have a DHCP server available locally.

mvoegtlin Wed, 12/05/2012 - 22:04

Hi Rasyadan

On the access switch you have to configure the access VLAN (L2).

On the next hop (L3) you have to configure the IP-Helper for the dhcp server.

The configuration is similar to “normal” wired switched environment.

Using flex connect, IP-Helper addresses configured on the controller have no effect.

junajunction Fri, 09/19/2014 - 14:36

Hi guys, I have an issue on flexconnect with a remote site. We are extending our SSIDs to remote offices.

The int used while making the SSID flexconnect was the management int, which is in vlan 116. In the remote office we need to make vlan mappings for guest. In the remote site our native vlan is 1, and after completing the vlan mapping for guest and the SSID network for employees with native vlan 1, the users are unable to obtain an IP address from the DHCP server through wireless.

The local LAN vlan is in vlan 1 and the APs also have management addresses from the same vlan.

Thanks

iskoy.istem Wed, 04/24/2013 - 19:04

Hi,

Can I have a locally switched VLAN gateway to a local internet connection in a branch?

JEFF SPRADLING Fri, 09/06/2013 - 13:38

Any way to set the AP flexconnect parameters for all the AP's, or do you have to hit each one individually?

Mohammad Ali Fri, 03/07/2014 - 13:44

Great document, I do have a question about this part:

Select the VLAN Support check box and enter the number of the native VLAN on the remote network (such as 100) in the Native VLAN ID text box.

This Native VLAN that I define here on the 5508 WLC at the corporate site, this would be the native VLAN of the remote site, not the corporate site, correct?

FlexConnect group, what is that for exactly?

Also 5508 supports 100 AP groups and 25 APs per group, so that equates to 2500 APs; however, max AP support on 5508 is 500 APs. Can someone confirm what is the exact number?

IngGerardo013 Mon, 05/12/2014 - 10:36

Hi there,

The configuration does not seem so complicated. I am going to implement it next Wednesday at the remote office; at the central office they have a virtual WLC with the latest release 7.6.100. Reading this document, I have a few doubts:

1.- If the AP is at the remote office, how can I tell the AP to look for the virtual WLC that is at the central office to get registered, if the AP looks for the VWLC locally (making broadcasts that do not pass over the WAN link)?

2.- How will the virtual WLC know that the native vlan specified (for the AP) in this configuration example is across the WAN link?

3.- What considerations do we need to take with regard to routing (on the core switch of the remote office, RADIUS servers and certificates)?

4.- Do we need to create interfaces on the virtual WLC?...

Thanks a lot for your inputs. I will appreciate it so much.


abhisar patil Sat, 11/01/2014 - 04:15

Dear,

Thank you for the same. I just want to know whether we can do guest authentication (time-based access) for the users on an AP at the remote site, and after authentication internet access should go via the local gateway?

Please share any guide.


Thank You,

Abhisar

ejlbarcelon Tue, 07/14/2015 - 06:05

It is not working in my case. When I do a show client detail it still gets VLAN 36 instead of VLAN 100.

Session Timeout.................................. 1800
Client CCX version............................... 4  
Client E2E version............................... 1  
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
WMM Support...................................... Enabled
  APSD ACs.......................................  BK(T/D)  BE(T/D)  VI(T/D)  VO(T/D)
Power Save....................................... ON
Current Rate..................................... m7
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
    ............................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes

--More-- or (q)uit
Audit Session ID................................. 0a0501040000000455a56de3
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
Client Type...................................... SimpleIP
mDNS Status...................................... Disabled
mDNS Profile Name................................ none
No. of mDNS Services Advertised.................. 0
Policy Type...................................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
FlexConnect Data Switching....................... Local
FlexConnect Dhcp Status.......................... Local
FlexConnect Vlan Based Central Switching......... No
FlexConnect Authentication....................... Central

--More-- or (q)uit
FlexConnect Central Association.................. No
Quarantine VLAN.................................. 0
Access VLAN...................................... 36
Local Bridging VLAN.............................. 36
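
A check for the symptom in the post above, as an added example (not the poster's code and not a Cisco tool): it parses show client detail text, including the dotted continuation lines and pager prompts, and reports a client whose bridging VLAN differs from the VLAN mapped on the AP. The function names, the embedded excerpt and the expected VLAN are constructed for illustration.

```python
import re

# Constructed excerpt in the format of the `show client detail` output above.
SAMPLE_OUTPUT = """\
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
    ............................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Encryption Cipher................................ None
Protected Management Frame ...................... No
FlexConnect Data Switching....................... Local

--More-- or (q)uit
Access VLAN...................................... 36
Local Bridging VLAN.............................. 36
"""

# "Key.......... value"; a continuation line has an empty key before the dots.
FIELD = re.compile(r"^(.*?)\s*\.{3,}\s*(.*)$")

def parse_client_detail(text):
    """Turn the dotted key/value listing into a dict, joining continuation lines."""
    fields, last_key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # blank lines and "--More--" pager prompts
        key, value = m.group(1).strip(), m.group(2).strip()
        if key:
            fields[key], last_key = value, key
        elif last_key:
            fields[last_key] += value
    return fields

def check_client(fields, expected_vlan):
    """Compare a parsed client record with the VLAN mapped on the AP (hypothetical check)."""
    findings = []
    if fields.get("FlexConnect Data Switching") != "Local":
        findings.append("client is not locally switched")
    for key in ("Access VLAN", "Local Bridging VLAN"):
        if fields.get(key) != str(expected_vlan):
            findings.append(f"{key} is {fields.get(key)}, expected {expected_vlan}")
    if fields.get("Encryption Cipher") == "None":
        findings.append("no encryption cipher negotiated for this client")
    return findings

if __name__ == "__main__":
    for finding in check_client(parse_client_detail(SAMPLE_OUTPUT), expected_vlan=100):
        print(finding)
```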
