Flexconnect over redundant IPSEC VPN

patrashov88
Level 1

Hello!

I'm looking for the best design solution.

What I have:

- Data Center with two 5520 WLCs.

- Some branches with access points.

- Two routers in the DC and two in the branch, two ISPs and redundant IPsec tunnels.

- All wireless traffic from branches should pass to the DC.

 

I think FlexConnect will be the best choice in my case, but I have some questions.

 

1) What is the fundamental difference between a Local mode AP and an AP in FlexConnect Central Switching mode?

 

2) Based on the first question, for example, I have one WAN link: will a wireless client disassociate on a Central Switching mode WLAN (WPA2-PSK) when the WAN link fails?

 

In the Wireless controller config guide 8.8 I read the following:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/8-8/config-guide/b_cg88/flexconnect.html

The controller software has a more robust fault tolerance methodology to FlexConnect access points. In previous releases, whenever a FlexConnect access point disassociates from a controller, it moves to the standalone mode. The clients that are centrally switched are disassociated. However, the FlexConnect access point continues to serve locally switched clients. When the FlexConnect access point rejoins the controller (or a standby controller), all clients are disconnected and are authenticated again. This functionality has been enhanced and the connection between the clients and the FlexConnect access points are maintained intact and the clients experience seamless connectivity. When both the access point and the controller have the same configuration, the connection between the clients and APs is maintained.

 

So, based on this information, in central switching mode the client would not be disassociated.

But in the next chapter:

"authentication down, switch down—In this state, the WLAN disassociates existing clients and stops sending beacon and probe requests."

 

 

3) Maybe a local mode AP is the better choice in my scenario? I'll have a good 100 Mbit/s WAN link between the DC and the branch. But in this case, I don't know the behaviour of the CAPWAP tunnel over IPsec when the primary link fails and the redundant IPsec tunnel begins to pass traffic. I could not find any CAPWAP timers in the datasheet.

 

4) Will a FlexConnect AP with a central switching WLAN go into standalone mode in case of an IPsec switchover?

I read that a FlexConnect AP has heartbeats (every 30 sec) and CAPWAP echo (no information about the period). And I think everything will be good and the AP will not go into standalone mode in case of an IPsec switchover, but unfortunately I have no WLC to test in my lab and I'm not sure.

 

Thank you for all your ideas.

3 Replies

1) What is the fundamental difference between a Local mode AP and an AP in FlexConnect Central Switching mode?

In Local Mode the wireless traffic is tunneled from the AP to the WLC as CAPWAP and the client traffic is dropped out the back of the controller.

In FlexConnect mode (local switching) the traffic is dropped out the back of the AP as if the client was connected directly to the switch.

In both modes AP management traffic is routed to the controller.

 

2) Based on the first question, for example, I have one WAN link: will a wireless client disassociate on a Central Switching mode WLAN (WPA2-PSK) when the WAN link fails?

If the APs are in Local mode then if connectivity to the controller is lost they will start the controller discovery/ join process and all client traffic will stop until it re-joins the controller.

 

3) Maybe a local mode AP is the better choice in my scenario? I'll have a good 100 Mbit/s WAN link between the DC and the branch. But in this case, I don't know the behaviour of the CAPWAP tunnel over IPsec when the primary link fails and the redundant IPsec tunnel begins to pass traffic. I could not find any CAPWAP timers in the datasheet.

 

You have large pipes, so you could consider local mode. There are a few questions you should ask:

Does the site need to keep wireless working when the WAN is down? If yes, then you have to use FlexConnect mode, as the controller is not local.

Where is the client traffic needing to go most? In local mode the wireless traffic goes to the controller, so if you're printing to a wired printer in the office, the traffic goes across the WAN to the WLC and then back across the WAN to the printer.

 

4) Will a FlexConnect AP with a central switching WLAN go into standalone mode in case of an IPsec switchover?

This comes down to how fast the IPsec switchover is, and where the heartbeats really are in the process. I've seen WAN failovers between primary and secondary with no issues, and then I've seen ones where all the APs go into standalone mode.

 

I could be wrong, but I believe the max latency between the AP and the WLC for local mode is 300 ms.

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***
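The reply above says the outcome "comes down to how fast the IPsec switchover is, and where the heartbeats really are in the process". The following is an added example, not code from the thread or from Cisco: it models the AP's CAPWAP echo/retransmit loop against a tunnel outage and sweeps the moment the outage starts across one heartbeat cycle, so you can see which outage lengths can never, sometimes, or always push the AP into standalone mode. The 30 s heartbeat is the figure quoted in the question; the retransmit interval and retry count (`RETRY_INTERVAL`, `MAX_RETRIES`) and the names of all functions are assumptions for illustration, not verified WLC defaults.

```python
"""Added example (not from the original thread): does an IPsec/WAN failover
push a FlexConnect AP into standalone mode?

Model: the AP sends a CAPWAP echo every HEARTBEAT_INTERVAL seconds. When an
echo goes unanswered it retransmits every RETRY_INTERVAL seconds; after
MAX_RETRIES unanswered retransmits it declares the controller lost and goes
standalone. Whether a given outage trips that depends on where in the
heartbeat cycle the outage begins, so we sweep that phase.

All timer values are assumptions (the thread only mentions a 30 s heartbeat);
compare them with the CAPWAP timers actually configured on your WLC.
"""

from dataclasses import dataclass
from typing import Optional

HEARTBEAT_INTERVAL = 30.0  # s between CAPWAP echoes (figure quoted in the thread)
RETRY_INTERVAL = 3.0       # s between retransmits of an unanswered echo (assumed)
MAX_RETRIES = 5            # unanswered retransmits before the AP gives up (assumed)


@dataclass
class Outcome:
    standalone: bool
    echoes_lost: int               # echoes (initial + retransmits) left unanswered
    detect_after: Optional[float]  # s after outage start when the AP gave up


def simulate(outage_start: float, outage_len: float,
             interval: float = HEARTBEAT_INTERVAL,
             retry_interval: float = RETRY_INTERVAL,
             max_retries: int = MAX_RETRIES,
             horizon: float = 600.0) -> Outcome:
    """Run the AP's echo/retransmit loop against one tunnel outage.

    An echo sent at time t is answered iff the tunnel is up at t; the outage
    covers [outage_start, outage_start + outage_len). Time 0 is an echo.
    """
    outage_end = outage_start + outage_len

    def answered(t: float) -> bool:
        return not (outage_start <= t < outage_end)

    t = 0.0
    while t < horizon:
        if answered(t):
            t += interval           # normal cadence, nothing lost
            continue
        lost = 1                    # first unanswered echo: start retransmitting
        for _ in range(max_retries):
            t += retry_interval
            if answered(t):
                break               # a reply got through, back to normal cadence
            lost += 1
        else:
            # every retransmit failed: controller declared lost -> standalone
            return Outcome(True, lost, t - outage_start)
        t += interval
    return Outcome(False, 0, None)


def standalone_fraction(outage_len: float, step: float = 1.0, **timers) -> float:
    """Fraction of outage-start phases within one heartbeat cycle that end in
    standalone mode. 0.0 means 'never', 1.0 means 'always' for that length."""
    interval = timers.get("interval", HEARTBEAT_INTERVAL)
    phases = [i * step for i in range(int(interval / step))]
    hits = sum(simulate(p, outage_len, **timers).standalone for p in phases)
    return hits / len(phases)


def max_safe_outage(retry_interval: float = RETRY_INTERVAL,
                    max_retries: int = MAX_RETRIES) -> float:
    """Longest outage that can never trigger standalone: even when the outage
    starts exactly on an echo, the last retransmit is sent after it ends."""
    return retry_interval * max_retries


def always_standalone_outage(interval: float = HEARTBEAT_INTERVAL,
                             retry_interval: float = RETRY_INTERVAL,
                             max_retries: int = MAX_RETRIES) -> float:
    """Shortest outage that triggers standalone regardless of phase: it must
    contain a full heartbeat gap plus the whole retransmit window."""
    return interval + retry_interval * max_retries


if __name__ == "__main__":
    print(f"never standalone if outage <= {max_safe_outage():.0f} s; "
          f"always standalone if outage >= {always_standalone_outage():.0f} s")
    for length in (5.0, 20.0, 35.0, 50.0):
        print(f"outage {length:4.0f} s -> standalone in "
              f"{standalone_fraction(length):.0%} of start phases")
    print(simulate(0.0, 20.0))
```

Read the output against your measured IPsec failover time (dead-peer detection plus rekey or route convergence on the backup tunnel): a failover that completes inside `max_safe_outage()` keeps centrally switched clients up, one longer than `always_standalone_outage()` drops them every time, and anything in between is a coin toss that depends on where the heartbeat cycle happens to be, which is exactly the inconsistent behaviour the reply describes.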

Thank you for your answers!
But I'm interested in the exact difference between AP local mode and FlexConnect Central mode.
The second question was about FlexConnect Central Switching. I'm not sure about client behavior in FlexConnect Central Switching when the WAN link fails.
All wireless traffic should go to the DC, so I choose from two types of connection: Local mode and FlexConnect Central Switching. And I'm trying to figure out the advantages and disadvantages of the first and the second.

If you're running APs in FlexConnect mode but with central switching, it is effectively the same as being in local mode: all traffic is routed to the WLC. If the WAN goes down, that WLAN goes down.

 

  • Central authentication, central switching (what you're referring to)—In this state, the controller handles client authentication, and all client data is tunneled back to the controller. This state is valid only in connected mode.
  • Central authentication, local switching—In this state, the controller handles client authentication, and the FlexConnect access point switches data packets locally. After the client authenticates successfully, the controller sends a configuration command with a new payload to instruct the FlexConnect access point to start switching data packets locally. This message is sent per client. This state is applicable only in connected mode.
  • Local authentication, local switching—In this state, the FlexConnect access point handles client authentication and switches client data packets locally. This state is valid in standalone mode and connected mode.

Reference: https://www.cisco.com/c/en/us/td/docs/wireless/controller/7-2/configuration/guide/cg/cg_flexconnect.html#84768

 

For Fail scenarios: https://wlanlessonslearned.wordpress.com/tag/flexconnect/

 

  • Authentication-Central/Switch-Central: This state represents a WLAN that uses a centralized authentication method such as 802.1X, VPN, or web. User traffic is sent to the WLC via CAPWAP (Central switching). This state is supported only when FlexConnect is in connected mode.
  • Authentication Down/Switching Down: Central switched WLANs no longer beacon or respond to probe requests when the FlexConnect AP is in standalone mode. Existing clients are disassociated.
  • Authentication-Central/Switch-Local: This state represents a WLAN that uses centralized authentication, but user traffic is switched locally. This state is supported only when the FlexConnect AP is in connected mode.
  • Authentication-Down/Switch-Local: A WLAN that requires central authentication rejects new users. Existing authenticated users continue to be switched locally until session time-out if configured. The WLAN continues to beacon and respond to probes until there are no more existing users associated to the WLAN. This state occurs as a result of the AP going into standalone mode.
  • Authentication-local/switch-local: This state represents a WLAN that uses open, static WEP, shared, or WPA2 PSK security methods. User traffic is switched locally. These are the only security methods supported locally if a Flex Connect goes into standalone mode. The WLAN continues to beacon and respond to probes. Existing users remain connected and new user associations are accepted. If the AP is in connected mode, authentication information for these security types is forwarded to the WLC.

 

From this, unless you also have WLANs that are being locally switched, you get no real difference between FlexConnect mode and Local mode if you're doing centrally switched WLANs.

 

If you're never going to look at local switching then it's really a preference for you. I would probably go FlexConnect to help out if there are future changes where they want local drop-off WLANs, so I don't have to reboot APs to change modes.

Keep in mind that if the site has more than 100 APs, then FlexConnect isn't the best design.

 

The Flexconnect deployment guide also has some advantages and disadvantages:

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/Flex_7500_DG.html#pgfId-154683

 
