-
FlexConnect mode can support only 16 VLANs per AP.
-
You can deploy a FlexConnect access point with either a static IP address or a DHCP address. In the context of DHCP, a DHCP
server must be available locally and must be able to provide the IP address for the access point at bootup.
-
FlexConnect supports up to 4 fragmented packets, or a minimum 576-byte maximum transmission unit (MTU) WAN link.
-
Round-trip latency must not exceed 300 milliseconds (ms) between the access point and the controller, and CAPWAP control packets must be prioritized over all other traffic. In scenarios where you cannot achieve the 300-ms
round-trip latency, configure the access point to perform local authentication.
-
Client connections are restored only for locally switched clients that are in the RUN state when the access point moves from
standalone mode to connected mode. After the access point moves, the access point’s radio is also reset.
-
When multiple APs move from standalone mode to connected mode on FlexConnect, all the APs send the client entry in the hybrid-REAP
payload to the controller. In this scenario, the controller sends disassociation messages to the WLAN client. However, the
WLAN client reconnects successfully and joins the controller.
-
When APs are in standalone mode, if a client roams to another AP, the source AP cannot determine whether the client has roamed
or is just idle. Therefore, the client entry at the source AP is not deleted until the idle timeout expires.
-
The configuration on the controller must be the same between the time the access point went into standalone mode and the time the access point came back to connected
mode. Similarly, if the access point is falling back to a secondary or backup controller, the configuration between the primary and the secondary or backup controller must be the same.
-
A newly connected access point cannot be booted in FlexConnect mode.
-
In FlexConnect mode, the client must send traffic before its IPv6 address is learned. In local mode, by contrast, the controller
learns the client's IPv6 address by snooping the packets exchanged during Neighbor Discovery.
-
802.11r fast transition roaming is not supported on APs operating in local authentication.
-
The primary and secondary controllers for a FlexConnect access point must have the same configuration. Otherwise, the access point might lose its configuration,
and certain features, such as WLAN overrides, VLANs, static channel number, and so on, might not operate correctly. In addition,
make sure you duplicate the SSID of the FlexConnect access point and its index number on both controllers.
-
If a syslog server is configured on a FlexConnect access point and the native VLAN is not VLAN 1, a few syslog packets sent
by the access point during initialization after a reload are tagged with VLAN ID 1.
-
MAC filtering is not supported on FlexConnect access points in standalone mode. However, MAC filtering is supported on FlexConnect
access points in connected mode with local switching and central authentication. Also, Open SSID, MAC Filtering, and RADIUS
NAC for a locally switched WLAN with FlexConnect access points is a valid configuration, in which the MAC address is checked by Cisco ISE.
-
FlexConnect does not display any IPv6 client addresses in the Client Detail window.
-
FlexConnect access points with locally switched WLANs cannot perform IP source guard or prevent ARP spoofing. For centrally
switched WLANs, the wireless controller performs IP source guard and prevents ARP spoofing.
-
To prevent ARP spoofing attacks in FlexConnect APs with local switching, we recommend that you use ARP inspection.
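The check that ARP inspection adds for a locally switched VLAN, as an added example that is not part of this guide or of Cisco's implementation: an ARP packet from an untrusted port is forwarded only if its sender IP/MAC pair matches a DHCP-snooping binding table. The binding table, port names and packets below are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ArpPacket:
    """ARP fields that inspection looks at (constructed model, not a real parser)."""
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str
    ingress: str     # port/interface the packet arrived on

# Constructed DHCP-snooping binding table for the locally switched VLAN:
# IP address -> MAC address the DHCP server leased it to (gateway is static).
BINDINGS = {
    "10.1.1.1": "00:aa:bb:cc:dd:01",
    "10.1.1.10": "00:11:22:33:44:10",
    "10.1.1.11": "00:11:22:33:44:11",
}
# Ports whose ARP traffic is not validated (the wired uplink toward the gateway).
TRUSTED = {"uplink"}

def inspect_arp(pkt, bindings=BINDINGS, trusted=TRUSTED):
    """Return (allowed, reason). An ARP packet from an untrusted port is forwarded
    only if its sender IP/MAC pair matches the binding table, which is the check
    a locally switched FlexConnect WLAN does not get from the controller."""
    if pkt.ingress in trusted:
        return True, "trusted port, not inspected"
    bound_mac = bindings.get(pkt.sender_ip)
    if bound_mac is None:
        return False, f"no binding for sender IP {pkt.sender_ip}"
    if bound_mac.lower() != pkt.sender_mac.lower():
        return False, (f"sender IP {pkt.sender_ip} is bound to {bound_mac}, "
                       f"packet claims {pkt.sender_mac}")
    return True, "sender binding matches"

def filter_arp(packets, bindings=BINDINGS, trusted=TRUSTED):
    """Run inspection over a packet sequence; return (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok, reason = inspect_arp(pkt, bindings, trusted)
        (forwarded if ok else dropped).append((pkt, reason))
    return forwarded, dropped

# Constructed sample: a legitimate client reply, a reply that claims the gateway
# IP with a client MAC (spoofed), and the real gateway replying on the uplink.
SAMPLE = [
    ArpPacket("reply", "00:11:22:33:44:10", "10.1.1.10", "10.1.1.1", "wlan-client"),
    ArpPacket("reply", "00:11:22:33:44:11", "10.1.1.1", "10.1.1.10", "wlan-client"),
    ArpPacket("reply", "00:aa:bb:cc:dd:01", "10.1.1.1", "10.1.1.10", "uplink"),
]
```

Running `filter_arp(SAMPLE)` forwards the first and third packets and drops the second with the reason string naming the mismatched binding.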
-
Proxy ARP for VM clients (with any wireless host) does not work because the client presents many IP addresses for the same MAC address.
To avoid this issue, disable the ARP-caching option in the Flex profile.
-
When you enable local switching on the policy profile for FlexConnect APs, the APs perform local switching. However, for APs
in local mode, central switching is performed.
Roaming of a client between a FlexConnect mode AP and a local mode AP is not supported; after such a move, the client may
not get the correct IP address because of the VLAN difference. Neither L2 nor L3 roaming between a FlexConnect mode AP
and a local mode AP is supported.
FlexConnect local switching is not supported on Cisco Aironet 1810T and 1815T (Teleworker) Access Points.
-
Cisco Centralized Key Management (CCKM) is not supported in FlexConnect standalone mode. Hence, a CCKM-enabled client cannot
connect when the AP is in FlexConnect standalone mode.
-
For Wi-Fi Protected Access Version 2 (WPA2) in FlexConnect standalone mode or local authentication in connected mode or Cisco
Centralized Key Management fast roaming in connected mode, only Advanced Encryption Standard (AES) is supported.
-
For Wi-Fi Protected Access (WPA) in FlexConnect standalone mode or local-auth in connected mode or Cisco Centralized Key
Management fast-roaming in connected mode, only Temporal Key Integrity Protocol (TKIP) is supported.
-
WPA2 with TKIP and WPA with AES are not supported in standalone mode, local-auth in connected mode, and Cisco Centralized
Key Management fast-roaming in connected mode.
-
WPA with TKIP is supported in non-FIPS mode.
-
Only open, WPA (PSK and 802.1x), and WPA2 (AES) authentication is supported on the Cisco Aironet 1830 Series and 1850 Series
APs.
-
Only 802.11r fast-transition roaming is supported on the Cisco Aironet 1830 Series and 1850 Series APs.
-
AVC on locally switched WLANs is supported on second-generation APs.
-
Local authentication fallback is not supported when a user is not available in the external RADIUS server.
-
For WLANs configured for FlexConnect APs in local switching and local authentication, synchronization of dot11 client information
is supported.
-
DNS override is not supported on the Cisco Aironet 1830 Series and 1850 Series APs.
-
The Cisco Aironet 1830 Series and 1850 Series APs do not support IPv6. However, a wireless client can pass IPv6 traffic across
these APs.
-
VLAN group is not supported in Flex mode under flex-profile.
-
Configuring the maximum number of allowed media streams on an individual client or radio is not supported in FlexConnect mode.
-
The WLAN client association limit will not work when the AP is in FlexConnect mode (connected or standalone) and is performing
local switching and local authentication.
-
A local switching client in FlexConnect mode does not get an IP address for an RLAN profile on the Cisco Aironet 1810 Series AP.
-
Standard ACL is not supported on FlexConnect AP mode.
-
IPv6 RADIUS Server is not configurable for FlexConnect APs. Only IPv4 configuration is supported.
-
In Flex mode, IPv4 ACLs configured on a WLAN are pushed to the AP, but IPv6 ACLs are not.
-
The client delete reason counters, which are part of the show wireless stats client delete reasons command output, are incremented only when the client record entry persists for the join.
For example, when an AP in FlexConnect mode performs local authentication with an ACL mismatch, the AP deletes the client,
and the controller does not create any client record.
-
Cisco Centralized Key Management (CCKM) is supported in wave 1 APs in FlexConnect when you use local association.
-
If the client roams from one AP to another and the roaming is successful, the following occurs:
-
The client does not send any traffic to the new AP.
-
The client’s state is IP LEARN pending.
-
The client is deauthenticated after 180 seconds, if there is no traffic for the entire duration. In case the DHCP Required
flag is set, the deauthentication occurs after 60 seconds.
-
Using custom VLANs under the policy profile of the FlexConnect locally switched WLANs stops the SSID broadcast. In such scenarios,
run the shut and no shut commands on the policy profile to start the SSID broadcast.
SSIDs are broadcasted when you:
-
Perform VLAN name to ID mapping under the FlexConnect profile and map the custom VLAN name under the policy profile.
-
Use a VLAN ID or a standard VLAN name, for example, VLANxxxx.
-
In the FlexConnect mode, the group temporal key (GTK) timer is set to 3600 seconds by default on Cisco Wave 2 AP, and this
value cannot be reconfigured.
-
When a FlexConnect AP sends CAPWAP discovery requests and gets no response after 18 CAPWAP discovery
requests, the AP performs a DHCP renew.
Note: The clients must not disconnect when the AP performs a DHCP renew.
-
For Flex mode deployments, local association configured policy profiles are not supported at a given time on the WLAN. Only
the local association command must be enabled.
-
From Cisco IOS XE Amsterdam 17.1.1 release onwards, the police rate per client in FlexConnect APs is represented in the controller
as rate_out for Ingress (input) and rate_in for Egress (output). To verify the police rate on a Flex AP, use the show rate-limit client command.
-
FlexConnect APs do not forward the DHCP packets after Change of Authorization (CoA) and change of VLANs using 802.1X encryption.
You must disconnect the client from the WLAN and reconnect the client to enable the client to get an IP address in the second
VLAN.
-
Cisco Wave 2 and Catalyst Wi-Fi6 APs in FlexConnect local switching mode do not support Layer 2 (PSK, 802.1X) + Layer 3 (LWA,
CWA, redirection-based posturing) + Dynamic AAA override + NAC.
-
In Cisco Catalyst 9136I APs, in FlexConnect local authentication, the ongoing session timeout for a client gets reset after
every roam.
-
Network access control (NAC) is not supported in FlexConnect local authentication.
-
Multicast traffic on an AAA overridden VLAN is not supported. Using this configuration may result in potential traffic leaks
between VLANs.