Cisco Wireless LAN Controller and FlexConnect at Branch Office's

I just recently setup a Cisco 2504 WLC with 36 Controller based cisco WAP's at a companies corporate office.  Now that this project is complete, they what to get their two branch offices on board with wireless.  I definitely can't get each branch office their own WLC, but was reading I could use FlexConnect on the WAP's at the branch office, and they could still be controlled from the WLC at the corporate office.  I have a site-to-site VPN between the corporate office and the branch office.  

Corporate office  -
Branch Office -

What my question really boils down to is how does the WAP at the remote office find the controller at the corporate office since they are on two different subnets?  Again I do have a site to site vpn between sites.  What happens if the branch office loses connectivity to the controller.  Any assistance would be greatly appreciated.  Thanks.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

To get an AP to register to a controller across subnets, you have a few choices. You could hard code the controller address on the AP, you can use a special DNS entry, or you can use DHCP Option 43 to send the controller address to the AP.
I would go against the static entry if possible. DNS is the easiest, and DHCP is the most flexible. In your situation, it might be easiest to go with DNS.


If the office loses connectivity, the AP's will continue serving up wireless, however there are some gotchas to that. Depending on the type of authentication used, during an outage clients might not be able to roam or create a new association and only those that were connected prior to the outage will continue to work. I believe pre-shared keys allow full use of wireless, but certificate based authentication will have issues unless the cert server is at the local site.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Craig BeckCommented:
rauenpc has pretty-much said everything that needs to be said there!

If you only have one WLC, use the DNS method as long as you don't mind clients being able to resolve CISCO-CAPWAP-CONTROLLER to its respective IP address.  It's easier to implement this than the DHCP method (depending on the DHCP server).

You can use FlexConnect, but you don't have to.  If you want clients to be able to continue to use the wireless if the WLC fails or the WAN link or VPN goes down, FlexConnect will let your clients continue to work if they are already using the Wifi, however unless you have an authentication server at the local site new clients won't be able to connect.  Even if clients are using 802.1x authentication they will still continue to work until the reauthentication timer ends their current session.  Also, you can have an AP in FlexConnect mode without actually using FlexConnect.  If you do use FlexConnect you have to set the WLAN to be in FlexConnect mode also, or it will still need to take traffic back to the WLC instead of dropping it onto the local switch.

When you use FlexConnect mode you should configure the switchports where your APs connect as trunks instead of access ports like you do when you use Local mode on the AP.
denver218Author Commented:
So if the corporate office loses internet or the WLC goes down, I do wish for users to continue to work on the wireless at the branch offices.  I am not using user authentication, just a WPA2 password.  So to accomplish this, do I need to use FlexConnect?  FlexConnect is a feature in a controller based AP right?

Last question is another scenario I am trying to wrap my head around this morning.  If I put another controller at one of the two branch offices for redundancy purposes, if the controller at the corporate office when down, would all the WAP's at the corporate office move to the controller at the branch office?  How would this work?
Redefine Your Security with AI & Machine Learning

The implications of AI and machine learning in cyber security are massive and constantly growing, creating both efficiencies and new challenges across the board. Check out our on-demand webinar to learn more about how AI can help your organization!

Craig BeckCommented:
Ok let's go with the second question first...

If you use a second WLC at a different site as a failover you need to to three things as a minimum:

1] Configure it exactly the same as the HQ WLC (apart from VLANs and IP addressing).
2] Configure mobility between the two WLCs.
3] Configure high-availability on the APs via the WLC.

Unfortunately though this means you also MUST configure FlexConnect for the branch WLANs.  It just won't work if your VLANs and subnets are different at each site due to routing, etc.

Back to the first question...

Yes, if you only have a central WLC you will need FlexConnect to enable the users at the branches to carry on working.  FlexConnect enables site-local switching, so no traffic has to go back to the WLC.  In a standard deployment ALL client traffic goes back to the WLC, then the WLC puts the traffic on the correct VLAN.
denver218Author Commented:
Do I need a special license to use another WLC for failover at another site?

So if I did go with the WLC failover solution, I'm a little unsure what you mean about the branch office that doesn't have a WLC.  Can't the branch office be on the same WLAN as the corporate office?  Or are you saying since I have to configure flexconnect on the branch site without a controller I have to have a separate WLAN.
Craig BeckCommented:
You don't need a special license for failover.

The branch office can be on the same WLAN as the corporate office, but if you want both the branch and corporate users to be on the same VLAN (subnet) you'll not be using FlexConnect.

If you want to use the same SSID (WLAN) at each site, but with FlexConnect at the branches, you can do that.  You'll need to group the APs into their respective sites and configure only the branch APs in FlexConnect mode.  Then you can configure the WLANs in their correct VLANs at the branches.  I know it sounds really complicated but it's really not.

If you don't have a failover WLC it's a lot easier to configure, but it's not that complicated to implement the failover once you get your head around what does what.
denver218Author Commented:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Wireless Networking

From novice to tech pro — start learning today.