I was thinking applying that option, but my concerns are going about limitations of this architecture, regarding that we are going to move forward deploying Cisco ISE in few month. 

Hi, Sorry for my delay. Just 25 LAP.

Hello

Flexconnect - local switch is a good option if you don't want that all the user traffic pass the DC. In this scenario the CAPWAP traffic will go to the DC (WLC) and when the user wil be authenticated the traffic will be local.

If you have the DC locally on each office, you can point the DHCP / DNS locally if you want (depending of your infrastrcuture).

Here you can find teh limitation of the FLEX connect :

https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html

And the difference between Local Mode and FleXConnect Local Switching:

https://community.cisco.com/t5/wireless-and-mobility/difference-between-local-mode-and-flexconnect-central-switching/td-p/2325698

The solution depends of our envieroment and the traffic path that you have on your network.

Im currenlty runnign Flexconnect with local switch with a single WLC in a Datacenter with more than 70 AP and more than 2000 clients with no issues.

REgards

jmanzanera, thank you for your response. It is good to know you use Flexconnect in your environment.

My concerns are about that Flexconnect is recommended for remote offices and this solution will be deployed in our campus. After that we are going to implement Cisco ISE as a NAC solution and our idea is to use certificates on each PC. 

We also want to use the same DHCP server, NTP server, DNS servers and user VLANs that we use on wired networks.

I just want to make sure I'm correct:

Option 1: If I select Flexconnect - Local SW the traffic path would be:

     >>>> LAP[Phase 1: User Auth, Phase 2: Allows Data traffic] >  Access SW(L2) > Agg SW(L2) > Core SW(L2) > ISFW[Default-GW for User VLANs]. In this case DATA traffic path would be the same we have now. 

Option 2: if I select Central SW the traffic path would be:

    >>>> LAP[CAPWAP TUNNEL TO vWLC] > vWLC () > Core SW(L2) > ISFW[Default-GW for User VLANs]. In this case the user traffic will jump between the LAP and the vWLC, and then I need to allow the user vlans on the DC path to Core and then the ISFW.

#### Policies for User VLANs having access to our Business App would be applied in our ISFW #### 

THANKS IN ADVANCE,

I also want to use the same vlans I use for users on the wire network. In this case the configuration would be:

> link between LAP <> SW would be an Access port for Mgmt VLAN and the vWLC would be in the same VLAN: this would allow the communication between LAP <> WLC through CAPWAP.

> In this case I think I need to expand the user VLANs through the path between the vWLC and the Internal Segmentation  FW (creating dynamic interfaces in the vWLC and bind those with the User VLANs extending those VLANs through the path vWLC > Server Agg SWs > Core SW > Internal Segmentation FW). 

Am I ok? Are there other way to do it ?

thanks,

Hello

both solutions are ok, however you need to take in consideration the BW of your circuits. You need to ask yourself if your circuits are capable to support the maximum usage for all your users or not.

If you have no limitations for any multicast traffic I suggest to go to Flexconnect solution with a local backup (via AP) in case the WLC will fail. I think is the cheapper option for you and you are going to save some BW on the circuits aswell.

Regarding the concern you have for your VLANs double hceck taht post : https://community.cisco.com/t5/wireless-and-mobility/wlc-5500-multiple-ssid-and-vlans-on-lap/td-p/1858528, I think it will be usefull for you.