Cisco Wireless LAN Controller and FlexConnect at Branch Offices

Posted on 2013-09-27
Medium Priority
Last Modified: 2013-12-27
I just recently set up a Cisco 2504 WLC with 36 controller-based Cisco WAPs at a company's corporate office.  Now that this project is complete, they want to get their two branch offices on board with wireless.  I definitely can't get each branch office its own WLC, but I was reading that I could use FlexConnect on the WAPs at the branch office, and they could still be controlled from the WLC at the corporate office.  I have a site-to-site VPN between the corporate office and the branch office.

Corporate office  -
Branch Office -

What my question really boils down to is: how does the WAP at the remote office find the controller at the corporate office since they are on two different subnets?  Again, I do have a site-to-site VPN between sites.  What happens if the branch office loses connectivity to the controller?  Any assistance would be greatly appreciated.  Thanks.
Question by: denver218

Accepted Solution

rauenpc earned 1000 total points
ID: 39527571
To get an AP to register to a controller across subnets, you have a few choices. You could hard code the controller address on the AP, you can use a special DNS entry, or you can use DHCP Option 43 to send the controller address to the AP.
I would go against the static entry if possible. DNS is the easiest, and DHCP is the most flexible. In your situation, it might be easiest to go with DNS.


If the office loses connectivity, the APs will continue serving up wireless; however, there are some gotchas to that. Depending on the type of authentication used, during an outage clients might not be able to roam or create a new association, and only those that were connected prior to the outage will continue to work. I believe pre-shared keys allow full use of wireless, but certificate-based authentication will have issues unless the cert server is at the local site.
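The DHCP Option 43 route rauenpc mentions, as an added example that is not part of the answer above: Python that encodes WLC management addresses into Cisco's vendor-specific sub-option (type 0xF1, length 4 per controller, then the raw IPv4 bytes) and decodes a captured option value back, so a mistyped server entry can be checked before an AP is left unable to join. The controller address 10.10.10.5 is a constructed placeholder.

```python
# Added example (not from the Q&A above): build and parse the DHCP Option 43
# payload that a Cisco lightweight AP uses to learn its WLC management address.
# Cisco's documented format: sub-option type 0xF1 (241), length = 4 * number
# of controllers, followed by each controller IPv4 address as 4 raw bytes.
import ipaddress

CISCO_WLC_SUBOPTION = 0xF1  # vendor-specific sub-option carrying WLC addresses


def build_option43(controllers):
    """Return the raw Option 43 bytes for one or more WLC management IPs."""
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single sub-option")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def option43_hex(controllers):
    """Hex string in the form most DHCP servers accept, e.g. 'f104c0a8010a'."""
    return build_option43(controllers).hex()


def parse_option43(raw):
    """Walk the TLV sub-options and return the WLC addresses found (as str).

    Other vendor sub-options are skipped; a truncated or malformed TLV raises
    so a bad server configuration is noticed instead of silently ignored.
    """
    addrs, i = [], 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated sub-option header at offset %d" % i)
        typ, length = raw[i], raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option 0x%02x length exceeds data" % typ)
        if typ == CISCO_WLC_SUBOPTION:
            if length % 4:
                raise ValueError("WLC sub-option length must be a multiple of 4")
            addrs += [str(ipaddress.IPv4Address(value[j:j + 4]))
                      for j in range(0, length, 4)]
        i += 2 + length
    return addrs


if __name__ == "__main__":
    # Constructed sample: corporate WLC at 10.10.10.5 (placeholder address)
    opt = option43_hex(["10.10.10.5"])
    print("option 43 =", opt)  # f1040a0a0a05
    print("decodes to", parse_option43(bytes.fromhex(opt)))
```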

Expert Comment

by:Craig Beck
ID: 39527869
rauenpc has pretty much said everything that needs to be said there!

If you only have one WLC, use the DNS method as long as you don't mind clients being able to resolve CISCO-CAPWAP-CONTROLLER to its respective IP address.  It's easier to implement this than the DHCP method (depending on the DHCP server).

You can use FlexConnect, but you don't have to.  If you want clients to be able to continue to use the wireless if the WLC fails or the WAN link or VPN goes down, FlexConnect will let your clients continue to work if they are already using the Wi-Fi; however, unless you have an authentication server at the local site, new clients won't be able to connect.  Even if clients are using 802.1X authentication they will still continue to work until the reauthentication timer ends their current session.  Also, you can have an AP in FlexConnect mode without actually using FlexConnect.  If you do use FlexConnect you have to set the WLAN to be in FlexConnect mode also, or it will still need to take traffic back to the WLC instead of dropping it onto the local switch.

When you use FlexConnect mode you should configure the switchports where your APs connect as trunks instead of access ports like you do when you use Local mode on the AP.

Author Comment

ID: 39528034
So if the corporate office loses internet or the WLC goes down, I do wish for users to continue to work on the wireless at the branch offices.  I am not using user authentication, just a WPA2 password.  So to accomplish this, do I need to use FlexConnect?  FlexConnect is a feature in a controller based AP right?

Last question is another scenario I am trying to wrap my head around this morning.  If I put another controller at one of the two branch offices for redundancy purposes, and the controller at the corporate office went down, would all the WAPs at the corporate office move to the controller at the branch office?  How would this work?


Assisted Solution

by:Craig Beck
Craig Beck earned 1000 total points
ID: 39528079
Ok let's go with the second question first...

If you use a second WLC at a different site as a failover you need to do three things as a minimum:

1] Configure it exactly the same as the HQ WLC (apart from VLANs and IP addressing).
2] Configure mobility between the two WLCs.
3] Configure high-availability on the APs via the WLC.

Unfortunately though this means you also MUST configure FlexConnect for the branch WLANs.  It just won't work if your VLANs and subnets are different at each site due to routing, etc.

Back to the first question...

Yes, if you only have a central WLC you will need FlexConnect to enable the users at the branches to carry on working.  FlexConnect enables site-local switching, so no traffic has to go back to the WLC.  In a standard deployment ALL client traffic goes back to the WLC, then the WLC puts the traffic on the correct VLAN.

Author Comment

ID: 39528184
Do I need a special license to use another WLC for failover at another site?

So if I did go with the WLC failover solution, I'm a little unsure what you mean about the branch office that doesn't have a WLC.  Can't the branch office be on the same WLAN as the corporate office?  Or are you saying that since I have to configure FlexConnect on the branch site without a controller, I have to have a separate WLAN?

Expert Comment

by:Craig Beck
ID: 39528230
You don't need a special license for failover.

The branch office can be on the same WLAN as the corporate office, but if you want both the branch and corporate users to be on the same VLAN (subnet) you'll not be using FlexConnect.

If you want to use the same SSID (WLAN) at each site, but with FlexConnect at the branches, you can do that.  You'll need to group the APs into their respective sites and configure only the branch APs in FlexConnect mode.  Then you can configure the WLANs in their correct VLANs at the branches.  I know it sounds really complicated but it's really not.

If you don't have a failover WLC it's a lot easier to configure, but it's not that complicated to implement the failover once you get your head around what does what.

Author Closing Comment

ID: 39574239
