I'm new to Cisco wireless and have a question about Flexconnect.
Is it possible to configure Cisco APs so that when the controller is reachable they centrally authenticate and switch traffic (at the controller), and only when the controller is unreachable they go to locally switched?
I have been testing, and from what I can tell it's an either-or option. When I turn on locally switched, that is what the AP does even if it can see the controller.
The reason I would like this "best of both worlds" is because I understand debug/troubleshooting/visibility is easier when traffic is centrally switched (I've had to debug client roaming in the past and I couldn't get much info on locally switched APs). But I would like to know that if the controller/WAN is down, APs can go to local auth/switching.
First of all, welcome to the wireless world :).
Here are the scenarios for the AP modes:
1) Local mode APs: are always switching traffic locally, even if the WLAN is configured as FlexConnect local switching. If the WAN link between the WLC and the local AP goes down, the AP will not authenticate new clients, and it will disassociate already connected clients; it will actually reboot and its radios will go down.
2) FlexConnect APs: FlexConnect APs have multiple scenarios:
+ If the WLAN is configured as central switching and central auth:
the AP will always authenticate and switch the traffic centrally on the WLC, but when the WAN is down the AP keeps the connected clients and starts switching their traffic locally, and authenticates new clients locally as well.
+ If the WLAN is configured as local switching and local auth:
the AP will always locally authenticate and switch the client traffic, whether the WLC is reachable or not.
+ Local switching, central auth:
the AP will always switch the traffic locally even if the WLC is reachable, while authenticating clients centrally as long as the WLC is reachable; when it's down it will authenticate clients locally.
+ Central switching with local auth is not supported.
Thanks, ali aqrabawi.
I'm aware of the auth issues if the WAN is down, so for this particular SSID we are using PSK. The security of this is another issue that does not need to be addressed here.
So if I understand you correctly, I should leave my WLAN as centrally switched (don't select the "flexconnect local switching" option), but if the controller goes offline the AP will locally switch?
One thing I'm a bit confused about: some of my sites don't have matching VLANs, so I would like to configure FlexConnect groups and configure VLAN maps for particular groups. But when I disable "flexconnect local switching" it tells me I can't have VLAN maps.
Do you know the answer to this?
Yes, correct. Keep the WLAN as it is, without checking local switching. If each site has its own specific WLAN-VLAN/interface mapping, then you need to configure an AP group, not a FlexConnect group.
On each AP group you can have the desired WLAN-VLAN/interface mapping.
The big question here is what security is the WLAN using? If you're doing RADIUS and your RADIUS is somewhere other than local, if the WAN or WLC goes down existing clients will stay on till they reauth. New clients will not be able to reauth because they can't reach RADIUS.
It's a much bigger question in design.
You are right, but if you add the FlexConnect APs to a FlexConnect group and configure RADIUS server IPs on that group, the AP will authenticate clients against those RADIUS servers configured on the FlexConnect group only if the WAN link is down.
You're assuming the local site has RADIUS servers. :) If the WAN goes down, it won't matter how many flex groups you have, because the AP won't reach it.
Almost all designs have central RADIUS servers. The cost of local RADIUS is expensive and difficult for many to manage.
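To make the two pieces of advice in this thread concrete (a centrally switched WLAN on FlexConnect APs with a per-site interface mapping done via an AP group, and a FlexConnect group carrying the RADIUS servers the AP falls back to when the WAN is down), here is an added AireOS CLI walkthrough. It is not from any poster or from Cisco documentation; the AP name, MAC address, WLAN ID, interface, group names and RADIUS index are made up for illustration, and the exact command syntax should be checked against the release notes of your WLC software version.

```text
! Assumed names: AP-BRANCH-01, WLAN 5, interface branch-a-vlan20 on VLAN 20,
! AP group branch-site-a, FlexConnect group branch-a-flex, RADIUS index 1.

! 1. Put the branch AP in FlexConnect mode (the AP reboots when its mode changes).
config ap mode flexconnect AP-BRANCH-01

! 2. Leave WLAN 5 centrally switched and centrally authenticated.
!    Do NOT enable local switching; this is the "fallback only" behaviour asked for.
!    Many config wlan changes require the WLAN to be disabled first.
config wlan disable 5
config wlan flexconnect local-switching 5 disable
config wlan enable 5

! 3. Site-specific WLAN-to-interface mapping goes in an AP group, not a FlexConnect group.
config interface create branch-a-vlan20 20
config wlan apgroup add branch-site-a "Branch A"
config wlan apgroup interface-mapping add branch-site-a 5 branch-a-vlan20
config ap group-name branch-site-a AP-BRANCH-01

! 4. FlexConnect group with the RADIUS servers used only when the WLC is unreachable.
!    Index 1 must point at a RADIUS server the branch LAN can reach with the WAN down,
!    otherwise (as the thread notes) new 802.1X clients still cannot authenticate.
config flexconnect group branch-a-flex add
config flexconnect group branch-a-flex ap add 00:11:22:33:44:55
config flexconnect group branch-a-flex radius server add primary 1

! 5. Verify.
show wlan 5
show wlan apgroups
show flexconnect group detail branch-a-flex
```

For a PSK-only WLAN such as the one the original poster describes, step 4 is not needed for the fallback to work, since no RADIUS exchange is required for new clients; it only matters for 802.1X WLANs, and then only if the listed server is locally reachable.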