Guest

Cisco 5500 Series Wireless Controllers

FlexConnect Feature Matrix

Hierarchical Navigation

Document ID: 112042

Updated: Dec 18, 2013

Contributed by Nicolas Darchis, Cisco TAC Engineer.

   Download PDF
   Print

Introduction

This document describes the feature matrix for the FlexConnect feature on the Wireless LAN Controller (WLC). This feature matrix applies to Cisco Unified Wireless Network (CUWN) Releases 7.5 and earlier.

Note: New features are added to FlexConnect with every new release. Please review the release notes here for the latest details.

Note: Prior to 7.2, FlexConnect was called Hybrid REAP (HREAP).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Control and Provisioning of Wireless Access Points (CAPWAP) protocol
  • Configuration of lightweight Access Points (APs) and Cisco WLCs

Components Used

The information in this document is based on CUWN Releases 7.0.98.0 and later.

Background Information 

FlexConnect

FlexConnect is a wireless solution for branch office and remote office deployments. It enables you to configure and control APs in a branch or remote office from the corporate office through a WAN link without the deployment of a controller in each office. The FlexConnect APs can switch client data traffic locally and perform client authentication locally. When they are connected to the controller, they can also send traffic back to the controller. FlexConnect is only supported on these components:

  • 1130AG, 1140, 1240AG, 1250, AP801, 1600, 2600, 3500I, 3500E, 3600, 1040, 1520, 1550, and 1260 APs
  • Cisco Flex 8500 and 7500, Cisco 5500, 4400, and 2500 Series Controllers
  • Catalyst 3750G Integrated WLC Switch
  • Cisco WiSM and WiSM2
  • Controller Network Module for Integrated Services Routers

FlexConnect local authentication is useful where you cannot maintain a remote office setup with a minimum bandwidth of 128 kb/s and a round-trip latency of no greater than 100 ms. The maximum tolerated latency for FlexConnect is 300 ms, regardless of the features that are used.

FlexConnect Feature Matrix

This section outlines the legacy and new features in FlexConnect Releases 7.0.116.0 and later.

Security - Client

Security support on the FlexConnect varies with different modes and states. This table summarizes the security features that are supported:

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Up (Local Switching, Local Authorization)WAN Down (Standalone)
Open/Static WEPYesYesYesYes
WPA-PSKYesYesYesYes
802.1x (WPA/WPA2)YesYesYesYes
MAC filter AuthenticationYesYesNoNo
CCKM Fast RoamingYesYesYesYes, for connected clients. No, for new clients.

Security - Infrastructure

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Down (Standalone)
Data DTLS EncryptionYesN/AN/A
Local EAP (7.0 to 7.4)Yes (LEAP/EAP-FAST)Yes (LEAP/EAP-FAST)Yes (LEAP/EAP-FAST)
LocaL EAP (7.5 and above)Yes (LEAP/EAP-FAST/PEAP/EAP-TLS)Yes (LEAP/EAP-FAST/PEAP/EAP-TLS)Yes (LEAP/EAP-FAST/PEAP/EAP-TLS)
Backup RadiusYes (7.0.116)Yes (7.0.116)Yes

Security

Security support on the FlexConnect varies with different modes and states. This table summarizes the legacy and new security features supported with WLC Versions 7.0.116.0 and later:

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Up (Local Switching, Local Authorization)WAN Down (Standalone)
Wireless Intrusion Prevention (WIPS)YesYesYesNo
Rogue, Intrusion Detection (IDS)YesYesYesNo
Management Frame Protection (MFP) (Client, Infrastructure)YesYesYesNo
802.11w "MFP"Yes (7.5)Yes (7.5)Yes (7.5)Yes (7.5)
802.11r Fast TransitionYesYesYesNo
Self-Signed Certificate (SSC)YesYesYesNo
Rogue Location Discovery Protocol (RLDP)Might work depending on hops, WAN speedMight work depending on hops, WAN speedMight work depending on hops, WAN speedNo
Opportunistic Key Caching (OKC) Fast RoamYesYesYesNo(1)
FlexConnect Local AuthN/AYesYesYes

AAA Override

YesYes

Yes

Yes

static ACL

Yes

Yes(2)

No

Yes(2)

No

Yes(2)

No

per-user radius ACLYes (7.5)Yes (7.5)Yes (7.5)No
L2 ACLYes (7.5)Yes (7.5)Yes (7.5)Yes (7.5)
P2P BlockingYesYesYesYes
Bring Your Own Device (BYOD)YesYes (7.2.110.0)

No

No
PCI Compliance for Neighbor PktsYesYesYesNo
Russia DTLS SupportYesN/ANoNo
wIPS Enhanced Local Mode (ELM)YesYesYesNo
Limit Clients per WLANYesYes(3)YesNo
Limit Clients per RadioYesYesYesYes
Client Exclusion PolicyYesYes(3)YesNo
Radius NACYesYesNoNo
TrustSec SXPNoNoNoNo

(1) Yes for clients that have association at Connected mode.
(2) FlexConnect Access Control Lists (ACLs) should be used.
(3) Limits/exclusion done by WLC so client will be deauthorized after a successful Association Response.

Voice & Video

This table lists the legacy and new Voice & Video services supported with WLC Versions 7.0.116.0 and later with FlexConnect:

 WAN Up (Central Switching) 100 ms RTTWAN Up (Local Switching) 100 ms RTTWAN Down (Standalone)
VoiceYes with RTT 100 msYes with RTT 100 msYes with RTT 100 ms
Yes with RTT 900 ms (with CCKM and OKC)Yes with RTT 900 ms (with CCKM and OKC)
QoS Markings(1)YesYesYes
QoS Per-User Bandwidth Contract Yes (7.4) Yes (7.5) No
UAPSDYesYesYes
Voice DiagnosticsYesYesNo
Voice MetricsYesYesNo
TSPEC /Call Admission Control (CAC) Yes - non CCX Yes - non CCX No
Yes - CCX(2) Yes - CCX(2)

(1) Includes both DSCP/dot1p markings.
(2) CAC on WLC, deauthorization on roaming failure.

Services

This table lists the legacy and new services supported with WLC Version 7.0.116.0 with FlexConnect:

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Up (Local Switching, Local Authorization )Wan Down (Standalone)
Internal WebauthYesYesNoNo
External WebauthYes (7.2.110.0)Yes (7.2.110.0)NoNo
CleanAir (SI on 3500)YesYesYes No
Multicast-Unicast (Videostream)Yes (except on 7500, 8500 and vWLC)N/AN/A N/A
LocationYes with BW/Scale limitationYes with BW /Scale limitationYes with BW /Scale limitation N/A
Radio Ressource ManagementYesYesYes No
NG RRM ? RF Static GroupingYes(1)Yes(1)Yes No
SE Connect (Cleanair Update)YesYesYes No(2)
S60 EnhancementYesYesYes No
ProfilingYesYesYesNo

(1) Any RRM-specific requirements apply (at least 4 APs for TPC).
(2) Yes for standalone after disconnecting from WLC, but no for reboot.

Infrastructure

 WAN Up (Central Switching)WAN Up (Local Switching)WAN Down (Standalone)
Passive ClientsNoNoNo
SyslogYesYesYes
CDPYesYesYes
Client LinkYesYesNo
Load BalancingYes (7.4)Yes (7.5)Yes (7.5)
Band SelectYesYesNo
AP Image PreDownloadYesYesNo
FlexConnect Smart AP Image UpgradeYesYesYes(1)
AP Regularity Domain Updates (Chile)YesYesYes
VLAN Pooling/Mcast Optim.YesN/AN/A
Mesh ? 24 backhaulN/AN/AN/A
Cisco WGB Support (2)YesYes (7.3)No
3rd party WGB SupportYesYesYes
Web Auth ProxyYesYesNo
FlexConnect AP Group IncreaseYesYesYes
Client fault toleranceN/AYesN/A
DHCP Option 60YesYesYes
DFS/802.11hYesYesYes
AP Group VLANsYesN/AN/A

(1) Provided if the Master AP is already upgraded and Slave APs are updated with their Master AP.
(2) Third-party WGB works, but any client behind the 3rd party WGB does not receive an IP address unless you configure it to be static.

Mobility / Roaming Scenarios

WLAN ConfigurationLocal SwitchingCentral Switching
CCKMPMK (OKC)OthersCCKMPMK (OKC)Others
Mobility Between Same Flex GroupFast Roam(1)Fast Roam(1)Full Auth(1)Fast RoamFast RoamFull Auth
Mobility Between Different Flex GroupFull Auth(1)Fast Roam(1)Full Auth(1)Full AuthFast RoamFull Auth
Inter Controller MobilityN/AN/AN/AFull AuthFast RoamFull Auth

(1) Provided WLAN is mapped to the same VLAN (same subnet).


Note: In order to support centralized access control through a centralized Authentication, Authorization, and Accounting (AAA) server, such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis with the use of AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller, and the WLAN must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the Airespace-ACL-Name attribute used in order to provision an IPv4-based ACL. The AAA attribute-returned contents should be a string that is equal to the name of the IPv6 ACL, as configured on the controller.

Updated: Dec 18, 2013
Document ID: 112042