Contents
advertisement
Contents Introduction Prerequisites Requirements Components Used Background Information FlexConnect FlexConnect Feature Matrix - Legacy and New Features in Release 7.0.116 and Later Security - Client Security - Infrastructure Security Voice & Video Services Infrastructure Mobility / Roaming Scenarios Related information Introduction This document describes the feature matrix for the FlexConnect feature on the Wireless LAN Controller (WLC). This feature matrix applies to Cisco Unified Wireless Network (CUWN) Release 7.0.116 and later. Note: New features are added to FlexConnect with every new release. Review the release notes for the latest details. Note: In releases earlier than Release 7.2, FlexConnect was called Hybrid REAP (HREAP). It is now always referred as FlexConnect. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: ● ● Control and Provisioning of Wireless Access Points (CAPWAP) protocol Configuration of lightweight Access Points (APs) and Cisco WLCs Components Used The information in this document is based on CUWN Releases 7.0.116.0 and later. This article has been updated with Release 8.2. The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Background Information FlexConnect FlexConnect is a wireless solution for branch office and remote office deployments. It enables you to configure and control APs in a branch or remote office from the corporate office through a WAN link without the deployment of a controller in each office. The FlexConnect APs can switch client data traffic locally and perform client authentication locally. When they are connected to the controller, they can also send traffic back to the controller. FlexConnect is only supported on these components: 700, 1130AG, 1140, 1240AG, 1250, 1700, AP801, 1600, 1700, 2600, 2700, 3500I, 3500E, 3600, 3700, 1040, 1520, 1530, 1550, 1570, and 1260 APs Cisco Flex 8500 and 7500, Cisco 5500, 4400, and 2500 Series Controllers Catalyst 3750G Integrated WLC Switch Cisco WiSM and WiSM2 Controller Network Module for Integrated Services Routers FlexConnect local authentication is useful where you cannot maintain a remote office setup with a minimum bandwidth of 128 kb/s and a round-trip latency of no greater than 100 ms. The maximum tolerated latency for FlexConnect is 300 ms, regardless of the features that are used. ● ● ● ● ● The next section outlines the FlexConnect Feature Matrix. Note: Pre-802, 11n APs, such as 1130 or 1240, are still supported by later code. However, these APs do not receive new features as of Release 7.3. Therefore, these APs do not support FlexConnect features that appear after Release 7.3. Similarly, first generation 802.11n APs will not have any of the FlexConnect features of the 8.1 feature set even if they are able to join such a WLC. Refer to the release notes for more information. FlexConnect Feature Matrix - Legacy and New Features in Release 7.0.116 and Later Security - Client Security support on FlexConnect varies with different modes and states. This table summarizes the security features that are supported: Open/Static WEP WPA-PSK 802.1x WAN Up (Central Switching) WAN Up (Local WAN Up (Local Switching, Switching) Local Authentication) WAN Down (Standal Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes (WPA/WPA2) MAC filter Yes Authentication CCKM Fast Yes Roaming Yes No No Yes Yes Yes, for connected cli No, for new clients. Security - Infrastructure Data DTLS Encryption Local EAP (7.0 to 7.4) LocaL EAP (7.5 and later) Backup Radius MIC WAN Up (Central Switching) WAN Up (Local Switching) WAN Down (Standa Yes N/A N/A Yes (LEAP/EAP-FAST) Yes (LEAP/EAP-FAST) Yes (LEAP/EAP-FAS Yes (LEAP/EAP-FAST/PEAP/EAP- Yes (LEAP/EAP-FAST/PEAP/EAP- Yes (LEAP/EAP-FAS TLS) TLS) TLS) Yes (7.0.116) Yes (7.0.116) Yes Yes Yes Not applicable Security Security support on FlexConnect varies with different modes and states. This table summarizes the legacy and new security features supported with WLC Release 7.0.116.0 and later: WAN Up (Central Switching) WAN Up (Local Switching) WAN Up (Local Switching, Local Authentication) WAN Down (Standalone) Adaptive Wireless Intrusion Prevention Yes Yes Yes No (aWIPS) Rogue, Intrusion Yes Yes Yes No Detection (IDS) Management Frame Protection (MFP) Yes Yes Yes No (Client, Infrastructure) 802.11w "MFP" Yes (7.5) Yes (7.5) Yes (7.5) Yes (7.5) 802.11r Fast Transition Yes Yes Yes No Self-Signed Certificate Yes Yes Yes N/A (SSC) Rogue Location Might work, depends Might work, depends Might work, depends Discovery Protocol No on hops, WAN speed on hops, WAN speed on hops, WAN speed (RLDP) Opportunistic Key Caching (OKC) Fast Yes Yes Yes No Roam FlexConnect Local N/A Yes Yes Yes Auth AAA Override Yes Yes Yes Yes AAA VLAN assignment N/A Yes (8.1) Yes (8.1) Yes (8.1) per FlexGroup with (1) VLAN name Yes No Yes (7.5) Yes (7.5) No Yes N/A (2) Yes No Yes (7.5) Yes (7.5) No Yes N/A Yes Yes No No Yes (7.5) No Yes N/A (2) (2) Static ACL Per-user radius ACL Yes (7.5) L2 ACL Yes (7.5) DNS ACL Yes (7.6) P2P Blocking Yes Mesh LSC N/A Bring Your Own Yes Yes (7.2.110.0) No No Device /ISE(BYOD) PCI Compliance for Yes Yes Yes No Neighbor Pkts Russia DTLS Support Yes N/A No No wIPS Enhanced Local Yes Yes Yes No Mode (ELM) Limit Clients per Yes Yes Yes No WLAN Limit Clients per Radio Yes Yes Yes Yes Client Exclusion Policy Yes Yes Yes No Radius NAC Yes Yes No No TrustSec SXP No No No No Yes for clients that have association at Connected mode. FlexConnect Access Control Lists (ACLs) should be used. Note that flex ACLs are not supported on the A native VLAN! Limits/exclusion done by WLC so client will be deauthorized after a successful Association Response. Note that the per-user ACL on FlexConnect does not override a VLAN ACL on flex AP like it would overrid WLAN ACL on local mode AP. If both per user-ACL is pushed and AAA-VLAN ACL configured on the flex group, both will take effect. (4) (3) (3) (1) (2) (3) (4) Voice & Video This table lists the legacy and new Voice & Video services supported with WLC Release 7.0.116.0 and later with FlexConnect: QoS Markings QoS Per-User Bandwidth Yes (7.4) Contract UAPSD Yes Voice Diagnostics Yes Voice Metrics Yes TSPEC /Call Admission Yes - non CCX Yes - CCX Control (CAC) Includes both DSCP/dot1p markings. CAC on WLC, deauthorization on roaming failure. (1) (2) (1) (2) Services Yes (7.5) No Yes Yes Yes Yes - non CCX Yes - CCX Yes No No (2) Voice WAN Up (Central Switching) WAN Up (Local Switching) WAN Down 100 ms RTT 100 ms RTT (Standalone Yes with RT Yes with RTT 100 ms ms Yes with RT Yes with RTT 100 ms Yes with RTT 900 ms (with ms (with CC CCKM and OKC) and OKC) Yes Yes Yes No This table lists the legacy and new services supported with WLC Release 7.0.116.0 and later with FlexConnect: WAN Up (Central WAN Up (Local WAN Up (Local Switching, WAN Dow Switching) Switching) Local Authentication) (Standalo Internal Webauth Yes Yes No N/A External Webauth Yes (7.2.110.0) Yes (7.2.110.0) No N/A CleanAir (SI on Yes Yes Yes N/A 3500) Multicast-Unicast Yes (except on 7500, Yes (8.0) Yes (8.0) Yes (8.0) (Videostream) 8500 and vWLC) Yes with BW/Scale Yes with BW Location Yes with BW /Scale limitation N/A limitation /Scale limitation Radio Ressource Yes Yes Yes No Management NG RRM - RF Yes Yes Yes No Static Grouping SE Connect Yes Yes Yes No (Cleanair Update) S60 Enhancement Yes Yes Yes No Profiling Yes Yes Yes No AVC Yes (7.4) Yes (8.1) Yes (8.1) No Bonjour Gateway Yes No No No mDNS AP Yes No No No LSS Yes No No No Origin Based Yes No No No services Priority MAC Yes No No No Bonjour Browser Yes No No No Flex+Bridge mode Yes (8.0) Yes (8.0) Yes (8.0) Yes (8.0) Any RRM-specific requirements apply (at least 4 APs for TPC). Yes for standalone after disconnecting from WLC, but no for reboot. FlexConnect AVC supported on all WLCs (which include vWLC) except 2504. FlexConnect AVC is supported on Gen2 APs - 1530, 1600, 1700, 2600, 2700, 3600, 3700 in 8.1. 1570 supported in 8.1-MR1. (1) (1) (2) 4 3 (1) (2) (3) (4) Note: The FlexConnect mode AP cannot join the Multicast group address configured at the WLC, so it cannot receive Multicast packets that are sent by WLC(Multicast packets sent by flex central switching is received by local mode APs). If Multicast needs to be forwarded for FlexConnect central switching, you must configure AP mode Multicast to Unicast. This configuration is global since it is applicable to the local mode AP. Infrastructure WAN Up (Local Switching) No Yes (8.0) Yes Yes Yes Yes (7.4) Yes WAN Down (Standa No Yes (8.0) Yes Yes Yes No No (2) Passive Clients Proxy ARP Syslog CDP Client Link Load Balancing Band Select WAN Up (Central Switching) No Yes (8.0) Yes Yes Yes Yes (7.4) Yes (3) AP Image PreDownload Yes Yes No FlexConnect Smart AP Yes Yes Yes Image Upgrade AP Regularity Domain Yes Yes Yes Updates (Chile) VLAN Pooling/Mcast Yes N/A N/A Optim. Mesh - 24 backhaul N/A N/A N/A Cisco WGB Support Yes Yes (7.3) Yes (7.3) 3rd party WGB Support Yes Yes Yes Web Auth Proxy Yes Yes No FlexConnect AP Group Yes Yes Yes Increase Client fault tolerance N/A Yes N/A DHCP Option 60 Yes Yes Yes DFS/802.11h Yes Yes Yes AP Group VLANs Yes N/A N/A Vlan mappings through Yes Yes Yes FlexGroups Provided if the Master AP is already upgraded and Slave APs are updated with their Master AP. Only on second generation 11n APs and later (1600, 2600, 3600, and so on). FlexConnect APs do not send (re)association responses with status 17 for load-balancing as do Local mo APs; instead, they first send (re)association responses with status 0 (success) and then deauth with reaso This occurs as the AP handles the association locally and load-balancing decisions are taken at the WLC Note: The passive client feature is not supported on Flex APs. However, the APs do not do proxy ARP by default on FlexConnect (and that is a part of the passive client feature). On the contrary, proxy ARP was a as a feature for FlexConnect APs with Release 8.0 and later. (1) (1) (2) (3) Mobility / Roaming Scenarios WLAN Local Switching Central Switching CCKM PMK (OKC) Others CCKM PMK (OKC) Others Configuration Mobility Between Fast Roam Fast Roam Full Auth Fast Roam Fast Roam Full Auth Same Flex Group Mobility Between Full Auth Fast Roam Full Auth Full Auth Fast Roam Full Auth Different Flex Group Inter Controller N/A N/A N/A Full Auth Fast Roam Full Auth Mobility Provided WLAN is mapped to the same VLAN (same subnet). If WLAN is mapped to different subnets, no roaming can occur as the client will have to obtain a new IP address. (1) (1) (1) (1) Note: FT/802.11r fast roaming also requires APs to be in the same FlexGroup. Only WPA2 OKC, which happens at the WLC level, can tolerate APs to be in different FlexConnect groups for fast roaming. Note: In order to support centralized access control through a centralized Authentication, Authorization, and Accounting (AAA) server, such as the Cisco Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis with the use of AAA Override attributes. In order to use this feature, the IPv6 ACL must be configured on the controller, and the WLAN must be configured with the AAA Override feature enabled. The AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the AirespaceACL-Name attribute used in order to provision an IPv4-based ACL. The AAA attribute- returned contents should be a string that is equal to the name of the IPv6 ACL, as configured on the controller. Related information ● ● ● ● H-Reap Design and Deployment Guide Hybrid Remote Edge Access Point (H-REAP) Basic Troubleshooting Cisco Wireless LAN Controller Configuration Guide, Release 7.0 Technical Support & Documentation - Cisco Systems
