Scene Introduction
In a bright, well-equipped office at the university’s engineering department, Professor Network, a seasoned and wise network engineer in his sixties, is preparing for a mentoring session. His desk is cluttered with books, network diagrams, and a laptop open to a presentation on wireless networking technologies.
Sophie the Intern, a 25-year-old aspiring network engineer, enters the room with a notebook in hand, eager to learn. She has been interning under Professor Network and is keen on understanding the complexities of network engineering. Today, they are scheduled to discuss FlexConnect, a concept Sophie has been curious about.
FlexConnect Introduction
Good morning, Sophie! Today, we’ll delve into the world of FlexConnect, a crucial aspect of wireless networking. Are you ready?
Absolutely, Professor! I’ve heard about FlexConnect, but I’m not clear on its specifics. How does it differ from Local Mode?
Excellent question! Let’s start with the basics. When the Access Points, or APs for short, are configured in Local Mode, all types of traffic, both Control and Data Plane, are tunneled from the APs, via the Control And Provisioning of Wireless Access Points (CAPWAP) protocol, to the Wireless LAN Controller, or WLC. This means the controller handles all the data traffic, making decisions and applying policies.
So, in Local Mode, the controller is like the central brain for all operations?
Precisely! Now, FlexConnect is different. It’s designed for sites that have limited connectivity to the main corporate network. In FlexConnect, some of the control is shifted to the access points, allowing them to handle data traffic locally.
Interesting! So, FlexConnect allows access points to make certain decisions? What kind of decisions can they make?
FlexConnect access points can switch client data traffic locally, sending it directly to the switch, and apply security policies. This is particularly useful in remote branch offices where WAN connectivity is limited or expensive. So, instead of tunneling the data traffic via CAPWAP to the controller, the AP sends the data directly to the local switch. Take a look at the board to see how FlexConnect Mode differs from Local Mode. On the left you see Local Mode or FlexConnect with Central Switching, while on the right you can see FlexConnect with Local Switching.
Wait. Local Mode and FlexConnect Central Switching are the same thing?
Well, yes and no. Local Mode and FlexConnect Central Switching behave the same when it comes to forwarding data traffic, meaning that all traffic will be tunneled to the controller. But an AP in Local Mode can only switch traffic centrally, through the controller, for all SSIDs, while an AP in FlexConnect mode can be configured to switch traffic locally for some SSIDs, while for other SSIDs it can be configured to switch traffic centrally, through the controller, the same as in Local Mode.
Professor! Can you provide a use case and explain why we would want to mix SSIDs with Local and Central Switching on a FlexConnect AP?
Excellent question, Sophie! Consider the following scenario: in a remote branch office, we have two SSIDs. One is called Guest-SSID and the other one is called Corporate-SSID. We do not really care about the guest traffic using Guest-SSID, so we can offload this traffic locally and not tunnel it to the WLC in the Central Office, so as not to waste bandwidth. But for the Corporate-SSID, we may want the traffic of the users on this SSID to be sent to the WLC in the Central Office and from there to the internet, but not before it passes a firewall where security policies may be implemented.
OK, clear now. That sounds efficient. But now, can you explain how FlexConnect APs handle the communication with the controller?
FlexConnect maintains a connection to the controller for centralized control and management. However, it allows the local switching of data traffic, in Local Switching mode as discussed earlier. This hybrid approach offers flexibility and scalability, especially for distributed networks. CAPWAP, or Control and Provisioning of Wireless Access Points, is a standard protocol that enables access points to communicate with the wireless LAN controller. Let’s break down how it works in the context of FlexConnect.
In FlexConnect, even though data traffic can be switched locally at the access point, CAPWAP is still used for administrative and control traffic between the access point and the controller. This includes configurations, firmware updates, and other management functions. The access point establishes a CAPWAP tunnel to the controller over the network. This tunnel is used to send and receive control messages. Even if the access point is operating in FlexConnect mode and handling data locally, it still uses this CAPWAP tunnel for all control operations. We will talk about CAPWAP in detail a little bit later.
I see. Are there any specific requirements or limitations for using FlexConnect?
Yes, there are. FlexConnect is best suited for branch offices or remote locations with limited WAN bandwidth. The access points must be capable of FlexConnect mode, and the network design should consider factors like the number of clients, types of applications, and QoS requirements.
Got it. So, the choice between FlexConnect and Local Mode depends on the specific network environment and requirements?
Exactly! Understanding the environment and requirements is key to choosing the right deployment model. Each has its advantages and is suited for different scenarios.
This is really enlightening, Professor. I think I have a much clearer understanding of FlexConnect now. Thank you!
You’re welcome, Sophie! Remember, network engineering is all about adapting to the needs of the environment. Always keep learning and exploring. So, now that we have a basic understanding of FlexConnect, let’s dive into more advanced topics related to FlexConnect.
Deployment Options for Remote Branches
That was a great explanation of FlexConnect, Professor. So, when we are talking about remote branches, do we always need to use FlexConnect?
Not really, Sophie. Let’s explore other deployment options, each with its unique advantages. First, there’s the option of having a local controller at the branch.
What’s the advantage of a local controller in the branch?
A local controller provides full wireless LAN capabilities at the branch level. It’s ideal for larger branches with a high density of wireless clients, offering high resilience and local processing.
And what’s the disadvantage of a local controller in the branch?
Consider a large company with thousands of remote locations. Keeping the software up to date on each controller in each branch would be a lot of work. A controller in a remote branch makes sense only if the number of APs and connected clients is high enough to justify the deployment of a local controller.
I see. And how about FlexConnect with a central controller?
FlexConnect with a central controller, as we discussed, is suited for branches with limited WAN bandwidth. It offers centralized control but allows local data switching, balancing control and efficiency. Also, if traffic from a particular SSID needs to pass security policies before being sent out to the internet, then that SSID can be configured in FlexConnect Central Switching mode.
That’s clear. What about Mobility Express?
Mobility Express is designed for small to medium-sized deployments. It doesn’t require a physical controller. One of the access points takes the role of a virtual controller, managing the others. It’s cost-effective and easy to deploy. It is similar to a dedicated controller, and all the access points create CAPWAP tunnels to this Mobility Express AP.
Interesting! And the embedded wireless controller?
The Embedded Wireless Controller, or EWC, is also integrated into certain access points, but instead of running on AireOS, it runs IOS XE software. It provides controller functionality without the need for a separate hardware controller. It’s scalable, flexible, and ideal for small to midsize networks. Also, some Cisco Catalyst 9xxx switch models, like the 9300L, 9300, 9400 and 9500, support the Embedded Wireless Controller feature.
So it’s like Mobility Express but for larger networks?
Exactly. While Mobility Express can support up to 100 APs and 2000 clients, EWC can support up to 200 APs and 4000 clients, depending on the device model on which it is deployed.
Lastly, there’s Office Extend. It’s unique because it’s designed for remote workers. Office Extend access points extend the corporate network to remote locations, providing secure, reliable access just like in the office.
That sounds perfect for work-from-home scenarios. How do they ensure security?
Office Extend APs maintain a secure VPN tunnel with strong encryption back to the controller in the corporate network. It ensures that remote workers have the same security and experience as if they were in the office.
This is a lot to take in, but it’s fascinating how many options there are. Each caters to different needs.
Indeed, Sophie. Now let’s summarize the factors to consider when extending wireless services to remote and branch offices. It’s a multifaceted decision involving several critical aspects.
First, we need to assess the reliability and latency of communication between branches and the corporate network. This influences the choice of deployment model significantly.
Next, consider the application needs of branch users. Do they require real-time applications like voice and video, or are their needs confined to data-only communications? This will dictate the necessary network capabilities.
The size of the IT team is also a factor. A lean IT team might prefer solutions that require less hands-on management.
Then, the number of branches and the scale of each branch are crucial. How many employees are at each branch, and how many access points are required?
Additionally, we must look at how branch offices connect to the Internet. Do they have local Internet access, or are they connected to the core network in a hub-and-spoke model via technologies such as MPLS?
Scalability is a key consideration. For instance, Mobility Express supports up to 50 or 100 access points, depending on the AP type. FlexConnect can support up to 100 APs per group, with the possibility of multiple groups. However, if a branch exceeds these numbers, a local controller or multiple independent groups may be necessary. But remember, deploying multiple groups can limit certain functions like Radio Resource Management (RRM) and seamless roaming between access points. More on this later.
As for choosing between FlexConnect and Mobility Express/Embedded Wireless Controller (ME/EWC), it boils down to WAN reliability and requirements. FlexConnect is suitable when WAN connectivity is reliable for controlling APs. ME/EWC, on the other hand, is used when WAN is unreliable, the latency is high, or bandwidth is too constrained for FlexConnect APs. ME/EWC provides a complete set of controller capabilities local to the branch, running directly on an access point, eliminating the need for a standalone controller. However, this could mean managing more controllers and potentially requiring more IT support.
Thanks, Professor. Understanding these options really broadens my perspective on network deployment for remote branches!
You’re doing great, Sophie. Remember, technology is always evolving, so keep updating your knowledge and skills!
Modes of Operation
After a couple of hours, Sophie comes back with more questions for Professor Network.
Professor, I’m trying to get a grasp on FlexConnect APs and their modes of operation. Can you help me understand them better?
Of course, Sophie. FlexConnect Access Points (APs) primarily operate in two modes: Connected Mode and Standalone Mode. In Connected Mode, the Wireless LAN Controller (WLC) is accessible to the AP, allowing regular communication and control through the CAPWAP protocol.
So, Connected Mode is like the standard mode where everything functions normally?
Exactly. The AP maintains a CAPWAP tunnel with the controller, ensuring smooth operation. In contrast, Standalone Mode occurs when the AP can’t reach the WLC, possibly due to a WAN-link failure. The AP then operates independently, though with some limitations.
What happens to the network services in Standalone Mode?
While basic connectivity remains, certain advanced services like Radio Resource Management (RRM), client web authentication, and IPv6 mobility are unavailable. The AP continues to switch packets locally, ensuring that existing users remain connected.
Professor, you mentioned that in Standalone Mode, the AP operates independently but with some limitations. Can you elaborate on these limitations?
Certainly, Sophie. In Standalone Mode, where the FlexConnect AP loses connectivity with the Wireless LAN Controller (WLC), several high-end features become unavailable. These limitations include:
- Client Web Authentication: This feature, used for authenticating clients through a web portal, isn’t available in Standalone Mode.
- Centrally Switched SSIDs: Any SSIDs (Service Set Identifiers) that are centrally switched can’t be supported. The AP will no longer be able to tunnel user data to the central controller for these SSIDs.
- Radio Resource Management (RRM): Essential for optimizing radio frequencies and channels, RRM is not functional in this mode, affecting the AP’s ability to automatically select optimal channels and power settings.
- IPv6 Mobility: Support for IPv6 client mobility is lost, limiting the network’s capacity to handle IPv6 traffic efficiently.
- Native Profiling: The ability to profile devices natively on the network is compromised.
- Policy Classification: The AP’s capability to classify and enforce policies based on different criteria is reduced.
- Service Discovery Gateway: This feature, crucial for discovering and utilizing network services, is unavailable.
- Configuration Updates: The AP can’t receive real-time configuration updates from the controller.
- Wireless Intrusion Prevention System (WIPS): The system’s ability to detect and prevent wireless threats is limited.
Each of these features requires active communication with the WLC, which is why they’re unavailable when the AP is in Standalone Mode. However, the AP still maintains basic network connectivity and local switching, ensuring users stay connected.
I see. You also mentioned FlexConnect Central and Local Switching earlier. Can we please discuss this?
Of course Sophie! FlexConnect APs can handle two switching modes concurrently on a per-WLAN basis: Local Switched and Central Switched. In Local Switched mode, user traffic is mapped to VLANs and handled locally, ideal for branch users accessing on-site resources.
I recall you said that it reduces the load on the WAN link, right?
Precisely. It’s efficient for traffic destined within the branch. Meanwhile, Central Switched mode tunnels both user and control traffic to the central controller. This is typical for operations needing centralized control, but it can be bandwidth-intensive, especially for traffic that needs to return to the branch.
So the choice between Local and Central Switching depends on the traffic’s destination and WAN bandwidth?
Correct. Each mode has its advantages, depending on the network setup and requirements. FlexConnect offers the flexibility to adapt to different scenarios, whether it’s for a local office or a branch connected to a central site.
This really clarifies the operational dynamics of FlexConnect APs. It’s fascinating how they can adapt to different network conditions.
Indeed, Sophie. FlexConnect’s versatility is crucial for modern networks, especially those spanning multiple locations with varying connectivity challenges.
WAN Requirements
Sophie is thinking about the WAN bandwidth and requirements that Professor Network mentioned multiple times.
Earlier, Professor, you mentioned WAN connectivity requirements for FlexConnect APs. Can you shed more light on that?
Certainly, Sophie. For FlexConnect APs to operate effectively in connected mode, they must meet specific bandwidth and latency requirements, especially when handling different types of data. These requirements are essential for maintaining CAPWAP connectivity with the controller.
- Bandwidth Needs: The required bandwidth depends on the number of APs and clients at the branch. There’s a general linear relationship here: as the number of APs and clients increases, so does the minimal bandwidth requirement.
- Latency Thresholds: Latency requirements vary based on the type of wireless applications in use. For instance, data-only applications might have a different latency threshold compared to applications involving data and voice.
If these WAN requirements aren’t met, APs might revert to standalone mode, temporarily losing certain services until the network conditions improve and reach the necessary thresholds.
Take a look at the table below; you’ll see these requirements based on the number of APs and clients:
Perfect, I’ll try to remember the requirements. So, the network’s performance directly influences the mode in which FlexConnect APs operate?
Precisely. Maintaining optimal WAN conditions ensures that FlexConnect APs remain in connected mode, providing full functionality and centralized control.