9800 FlexConnect - Central Association Pros and Cons

Arne Bier
VIP

Hello

I was reading the Cisco document Understanding FlexConnect on 9800 and Cisco seems to indicate that WLAN Policy for Flex WLANs should have Central Association disabled.

I have it enabled currently, and the WCAE (Config analyser) recommends disabling Central Association. What would be the difference if I disabled it? Would the WLC no longer log the Association requests? Would I lose the ability to do troubleshooting, etc.? What is the technical benefit/drawback or the reason I would disable Central Association?

I can understand Central Switching/DHCP needs to be disabled (obvious), and Central Authentication too - that is, the APs could be RADIUS clients to my ISE if I wanted - but I don't see the problem with having all the Auth go via the WLC first. But it would be an interesting option to have the APs do their own auth too.


4 Replies 4

Scott Fella
Hall of Fame
I run FlexConnect with this feature disabled. I think the issue is, if you are running locally switched, why would you want added traffic coming back to the controller?
Search in this doc for central association:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKEWN-3013.pdf

This might not answer all your concerns, but it might be something you try and see. If the BU suggests disabling “something”, it probably breaks something when it’s enabled. As always, test, but if you have it enabled and there are no issues, then leave it enabled.
-Scott
*** Please rate helpful posts ***

Arne Bier
VIP

Thanks Scott - I have Nicolas Darchis's session on my radar for this year's CiscoLive. Lots of wisdom in that slide deck - thanks.

It would be nice though to get a definition of what Central Association Enabled actually means/does vs. when it's Disabled. You'd think something that is user configurable would be properly documented (for humans to understand).

The documents I have found have literally instructed to set it either Enabled or Disabled depending on use case - but never offer any explanation of what this does.

Well, through the years, with AireOS as an example, there are settings you would never enable, or specific settings when in local mode vs FlexConnect and/or local switching vs central switching. What I can tell you is that with that feature enabled, all the associations from clients must go back to the controller. This would include roaming, as another example. In FlexConnect local switching, you really want the AP to handle that, not the controller. If the AP loses the controller, as an example, well, the AP is told to send association requests to the controller, but the controller is not reachable. So certain local switching SSIDs would start failing for users. That feature, like others for “central”, is used for local mode or central switching SSIDs.
-Scott
*** Please rate helpful posts ***
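The check discussed in this thread (a locally switched policy profile that still has central association enabled) can be run offline against a saved running-config. The following is an added example, not code from the thread, from Cisco or from WCAE. It assumes the running-config lists a disabled setting as `no central <feature>` under `wireless profile policy <name>` and omits the line when the setting is enabled; the profile names and sample config are constructed.

```python
import re

# Constructed sample running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
wireless profile policy branch-flex
 no central dhcp
 no central switching
 vlan 20
 no shutdown
wireless profile policy branch-flex-survivable
 no central association
 no central dhcp
 no central switching
 vlan 30
 no shutdown
!
wireless profile policy campus-local
 vlan 10
 no shutdown
"""

CENTRAL_FEATURES = ("association", "authentication", "dhcp", "switching")


def parse_policy_profiles(config_text):
    """Return {profile: {feature: enabled}} for each wireless policy profile.

    Assumption: a feature is enabled unless a 'no central <feature>' line
    appears inside the profile block.
    """
    profiles, current = {}, None
    for line in config_text.splitlines():
        header = re.match(r"^wireless profile policy (\S+)", line)
        if header:
            current = profiles.setdefault(
                header.group(1), {f: True for f in CENTRAL_FEATURES})
        elif not line.startswith(" "):
            current = None  # left the indented profile block
        elif current is not None:
            m = re.match(r"^\s+(no )?central (\w+)\s*$", line)
            if m and m.group(2) in current:
                current[m.group(2)] = m.group(1) is None
    return profiles


def flag_central_association(config_text):
    """Names of locally switched profiles that still use central association."""
    return sorted(name for name, feat in parse_policy_profiles(config_text).items()
                  if not feat["switching"] and feat["association"])
```
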

This is actually quite an interesting topic.

In the original documentation for Flex on 9800 it says to have central association enabled (or the picture shows it).

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213921-flexconnect-configuration-with-central-a.html

Then in what I suppose is later documentation, central association is disabled.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213945-understand-flexconnect-on-9800-wireless.html

I get that if you run FlexConnect for "survivability" you would need to have central association disabled.

But I seem to recall some bug where if you had a "local" mode SSID on the same AP as the "flex" SSID, and you did central association on the "local" one, and non-central association on the "flex" one, there could be an overlap of "association ID" and that would be bad.

If this is true, is the recommendation then to always have central association disabled whenever an AP runs any "flex" SSID, even on the "local" SSID on the same AP?
