I need to configure flex connect to allow locally switched traffic for remote sites in a large metropolitan area. I have some questions about the configurations.
A) Do I have to create ACLs?
B) If I create a Flex Connect group, and enable "Flex Connect Local Switching" in the WLAN > Advanced tab, and place an AP into that Flex connect group, if the VLAN the WLAN is assigned to isn't on the Access Point's local uplink, how will the client work? Similarly, if the WLAN is assigned to the controller's management interface, how will clients work?
A) ACLs are not a requirement.
B) You don't really need to create Flex Connect groups. Those are used to help with key caching. What you need to do is go into the advanced tab of the SSID and enable it for Flex Connect Local Switching. Then put the AP in FlexConnect mode. On the AP's FlexConnect tab define the WLAN to VLAN mapping. (This setting overrides what is defined for the interface on the SSID).
Pardon the newbie questions, but when I enable VLAN mapping, and then assign a Native VLAN, won't that then make all clients require a local DHCP source from whatever VLAN I assign? Since at that point the VLAN/Interface defined in the WLAN settings is being superseded by the AP's local VLAN?
Yes, that's correct. You can't use the WLC for DHCP unless you're doing FC Central Switching. When doing FC Local Switching it's a lot like attaching the wireless client to a wired connection. They look for all of their services locally (DHCP, DNS, etc.). So in that case, you will need to either provide DHCP on their gateway switch or put an ip helper-address on the interface of their gateway to send the packet to another DHCP server.
There's no rule that a DHCP server has to be local to a site. If you use the ip helper-address it can be anywhere. You just can't use the DHCP service on the WLC with FC Local Switching.
I think I understand. For it to work, the AP's Flex Connect native vlan would have to be the AP's IP VLAN, then trunk all the WLAN VLANs onto the AP's uplink, layer-2 them back to the local router and add a helper to get the wireless clients back to their original DHCP.
That seems like a huge amount of work just to get APs to bridge local traffic. Is there an easier way?
Yes sir. I think you have it. Native VLANs need to match on both sides of the trunk that goes between the AP and the switch. It can be whatever you want as long as it's the same thing. The AP connects to the switch via a trunk port. Only the wireless VLANs are allowed. (These VLANs are just local to that site and can be whatever you want as long as they match what you put in the AP configuration on the WLC.) Your switchport config would look something like this.
interface GigabitEthernet1/0/1
 ! AP uplink: the AP itself sits untagged on the native VLAN (10),
 ! the locally switched WLAN VLANs (20, 30) are tagged on the trunk
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
Oh and there is not an easier way to do it. FlexConnect is kind of a pain, but if you need it then you gotta do it. It's a lot more configuration than normal Local Mode.
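The consistency rules spelled out in the replies above (native VLAN identical on the AP's FlexConnect tab and on the switchport, every mapped WLAN VLAN allowed on the trunk, a local gateway for each mapped VLAN, and an ip helper-address on that gateway whenever DHCP is not served on site) are easy to get wrong across hundreds of AP uplinks. The script below is an added example, not something posted in this thread or shipped by Cisco: it parses constructed IOS-style switchport and gateway stanzas plus a constructed WLAN-to-VLAN mapping and reports every rule that is violated. The interface names, VLAN ids and addresses are all made up.

```python
"""Added example: check one remote site's FlexConnect local-switching design.
All configuration text, VLAN ids, SSID names and addresses are constructed."""
import re

# Constructed WLAN-to-VLAN mapping as it would be entered on the AP's FlexConnect tab.
AP_FLEX_MAPPING = {"native_vlan": 10, "wlan_vlans": {"CORP": 20, "GUEST": 30}}

# Constructed switchport stanza for the AP uplink (same shape as the config above).
SWITCHPORT_CONFIG = """
interface GigabitEthernet1/0/1
 description uplink to FlexConnect AP
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
"""

# Constructed gateway stanzas: VLAN 20 relays DHCP to a central server, VLAN 30 does not.
GATEWAY_CONFIG = """
interface Vlan20
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 10.0.0.5
interface Vlan30
 ip address 10.30.0.1 255.255.255.0
"""


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,30' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_trunk(config):
    """Return mode, native VLAN and allowed VLAN set from a switchport stanza.
    An empty allowed set means IOS's default of 'all VLANs allowed'."""
    trunk = {"mode": None, "native": 1, "allowed": set()}
    for raw in config.splitlines():
        line = raw.strip()
        if line == "switchport mode trunk":
            trunk["mode"] = "trunk"
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            trunk["native"] = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            trunk["allowed"] = expand_vlan_list(m.group(1))
    return trunk


def parse_gateways(config):
    """Map VLAN id -> {'has_ip': bool, 'helpers': [...]} from 'interface VlanN' stanzas."""
    svis, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface Vlan(\d+)$", line, re.IGNORECASE)
        if m:
            current = int(m.group(1))
            svis[current] = {"has_ip": False, "helpers": []}
            continue
        if current is None:
            continue
        if line.startswith("ip address "):
            svis[current]["has_ip"] = True
        m = re.match(r"ip helper-address (\S+)$", line)
        if m:
            svis[current]["helpers"].append(m.group(1))
    return svis


def check_site(mapping, switch_cfg, gateway_cfg):
    """Return a list of (severity, message); an empty list means the design is consistent."""
    findings = []
    trunk = parse_trunk(switch_cfg)
    svis = parse_gateways(gateway_cfg)
    if trunk["mode"] != "trunk":
        findings.append(("error", "AP uplink is not a trunk; tagged WLAN VLANs will be dropped"))
    if trunk["native"] != mapping["native_vlan"]:
        findings.append(("error", f"native VLAN mismatch: AP {mapping['native_vlan']} vs switch {trunk['native']}"))
    if trunk["allowed"] and trunk["native"] not in trunk["allowed"]:
        findings.append(("error", f"native VLAN {trunk['native']} not in allowed list; AP loses its own uplink"))
    for wlan, vlan in mapping["wlan_vlans"].items():
        if trunk["allowed"] and vlan not in trunk["allowed"]:
            findings.append(("error", f"WLAN {wlan}: VLAN {vlan} not allowed on the AP uplink"))
        svi = svis.get(vlan)
        if svi is None or not svi["has_ip"]:
            findings.append(("error", f"WLAN {wlan}: no local gateway for VLAN {vlan}"))
        elif not svi["helpers"]:
            findings.append(("warning", f"WLAN {wlan}: VLAN {vlan} has no ip helper-address; DHCP must be served locally"))
    return findings


if __name__ == "__main__":
    for severity, message in check_site(AP_FLEX_MAPPING, SWITCHPORT_CONFIG, GATEWAY_CONFIG):
        print(f"[{severity}] {message}")
```

With the constructed input the only finding is a warning for VLAN 30, which has a gateway but no helper, so GUEST clients would need a DHCP server on that VLAN at the site; changing the switchport's native VLAN to 1 produces the native-mismatch error the reply above warns about. Run it per site against the actual AP mapping and the switch/router stanzas pulled from each device before cutting a site over.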
Wow. So, if someone asks me to help them get all their wireless client traffic bridged locally, and they have a thousand APs at 15 sites terminating on 2 controllers, all 1000 APs and their uplink ports will have to be reconfigured, plus all the local site router config changes, etc., etc.
That is a huge amount of effort. I'm not even sure why they want the client traffic bridged locally. WAN bandwidth savings? Some degree of WAN outage tolerance (though if the WAN link goes down and network resources aren't local, having SSIDs in the air won't help matters any)?
Yes, it will be a huge effort to go from centrally switched to locally switched. This is known, and that is why it depends on requirements and the end design. FlexConnect has some limitations when comparing it to local mode, so you need to consider that also. The info can be found in the FlexConnect deployment guides out there. If the limitations will not meet the customer's requirements, and if the customer wants traffic local to the site, that would mean a WLC at each location. Yes, that is more money, but it depends on the requirements of the solution you need to provide. I have migrated FlexConnect sites to local mode with a WLC at each site due to limitations on FlexConnect and the new requirements of the customer due to the growth in the wireless environment.
Correct. That would be a huge amount of work. FC Local Switching was really designed for situations in which the site is too small to justify the purchase of a controller. If they have roughly 66 APs per site, that should be plenty big to purchase a WLC for each location.
Depending on the WAN bandwidth and the importance of wireless, you can decide whether a 2nd local WLC is appropriate or to have the backup WLC be across the WAN and shared between several sites.