FlexConnect AP Configuration

In a traditional centralised wireless deployment, every packet a wireless client sends — even to a device on the same local network — travels across the WAN inside a CAPWAP tunnel to the WLC at headquarters, gets processed, and is tunnelled back. For branch offices connected over low-bandwidth or high-latency WAN links, this hairpinning is inefficient and means that if the WAN or WLC becomes unavailable, all wireless clients lose connectivity completely.

FlexConnect (formerly called H-REAP — Hybrid Remote Edge Access Point) solves both problems. A FlexConnect AP registers with and is managed by the central WLC over the WAN, but it can switch client traffic locally at the branch — directly between the wireless client and the local LAN — without sending every packet across the WAN. Crucially, when the WAN link or WLC becomes unreachable, FlexConnect APs enter standalone mode and continue to service wireless clients using locally cached policies, pre-downloaded SSID configurations, and locally stored credentials. Clients on locally switched SSIDs keep their access to branch resources for the duration of a WLC or WAN outage; only centrally switched SSIDs, whose data must reach the WLC, go down. For wireless fundamentals see Wi-Fi Overview and Wi-Fi Security.

Before starting this lab, ensure you are familiar with WLC fundamentals at WLC Getting Started and SSID-to-VLAN mapping at WLC SSID & VLAN Mapping. For a comparison of Lightweight (CAPWAP) vs Autonomous AP modes, see Lightweight vs Autonomous APs. For the guest WLAN WebAuth scenario that FlexConnect must handle at the branch, see Guest WLAN with WebAuth. For trunk port configuration on the branch switch connecting to the FlexConnect AP, see Trunk Port Configuration.

1. FlexConnect — Core Concepts

Central Switching vs Local Switching

The key distinction in FlexConnect is how traffic is forwarded once a wireless client sends a frame. Each SSID on a FlexConnect AP can independently be set to central or local switching:

  ══ Central Switching (traditional CAPWAP) ══════════════════════

  [Branch Client] ──802.11──► [FlexConnect AP]
                                      │
                              CAPWAP tunnel (all data encapsulated)
                                      │
                               ──WAN link──►
                                      │
                               [WLC at HQ]
                                      │
                         Forwarded to destination
                         (even if destination is on same branch LAN)

  Pros: Full WLC visibility, centralised policy, simpler config
  Cons: WAN bandwidth consumed for local traffic, all access lost
        if WAN/WLC fails

  ══ Local Switching ════════════════════════════════════════════

  [Branch Client] ──802.11──► [FlexConnect AP]
                                      │
                              802.3 frame exits AP
                              directly to local switch
                                      │
                          [Branch Access Switch]
                                      │
                         Forwarded locally on branch LAN
                         WAN not involved at all

  Pros: Local traffic stays local, WAN bandwidth conserved,
        clients survive WLC/WAN outage (standalone mode)
  Cons: WLC has less real-time visibility; some features
        (WebAuth, central DHCP) need extra consideration
  

FlexConnect Operating Modes

  Connected Mode
    WLC reachable?        Yes: the CAPWAP control channel is up
    Data forwarding       Local switching or central switching, per SSID setting
    Authentication        Central (WLC authenticates against RADIUS) or local
    Configuration source  WLC pushes config to the AP in real time

  Standalone Mode
    WLC reachable?        No: WAN down or WLC failure
    Data forwarding       Local switching only; locally switched SSIDs remain up,
                          centrally switched SSIDs go down
    Authentication        Local (cached credentials or a branch RADIUS server);
                          the central RADIUS server is unreachable
    Configuration source  Config cached from the WLC before the outage

FlexConnect SSID Switching Modes

Each WLAN (SSID) mapped to a FlexConnect AP can be independently configured for local or central switching. The choice determines both normal operation and standalone mode behaviour:

  Local Switching
    Connected:   client data exits the AP directly onto the local VLAN;
                 the WAN carries no client data
    Standalone:  SSID remains up; clients can still reach the local LAN
    Use case:    corporate SSID for branch employees, where local LAN
                 access is critical

  Central Switching
    Connected:   all client data is encapsulated in CAPWAP and sent to
                 the WLC
    Standalone:  SSID goes down; no local forwarding without the WLC
    Use case:    guest SSID where traffic must be hairpinned to
                 headquarters for filtering and control

FlexConnect Groups

A FlexConnect Group is a WLC container that groups multiple FlexConnect APs at the same branch location. The group provides three key capabilities:

  Local Authentication
    What:     usernames and passwords (or a branch-local RADIUS server)
              are configured on the group; the local user list is pushed
              to every AP in the group and stored on the AP
    Benefit:  APs can authenticate WPA2-Enterprise clients during
              standalone mode without reaching the RADIUS server at HQ

  CCKM / OKC Fast Roaming
    What:     APs in the group share the PMK (Pairwise Master Key) cache,
              so a client roaming between APs in the group does not
              re-authenticate with the RADIUS server
    Benefit:  seamless roaming within the branch without a RADIUS
              round-trip for every AP association

  Central DHCP Processing
    What:     when enabled, DHCP from clients on locally switched SSIDs
              is tunnelled to the WLC and served centrally; when disabled
              (the default, and the setting used in this lab) clients use
              the DHCP server on their local branch VLAN
    Benefit:  left disabled, clients get addresses from the branch DHCP
              server and keep getting them while the WAN is down

Traffic Flow Summary — FlexConnect Branch

  ┌─────────────────────────────────────────────────────────────────┐
  │                    BRANCH OFFICE                                │
  │                                                                 │
  │  [Corporate Client] ──802.11──► [FlexConnect AP]               │
  │                                        │                        │
  │                            Local Switch (VLAN 10)               │
  │                                        │                        │
  │                               [Branch Switch]                   │
  │                                        │                        │
  │                            Local LAN resources                  │
  │                            (file server, printer, etc.)         │
  │                                        │                        │
  │  ─ ─ ─ ─ ─ ─ ─ WAN Link ─ ─ ─ ─ ─ ─ ┤                        │
  │                                        │ (CAPWAP control only)  │
  └────────────────────────────────────────┼────────────────────────┘
                                           │
                              ┌────────────▼─────────────┐
                              │     WLC at HQ             │
                              │  (management + config     │
                              │   only — no data plane)   │
                              └───────────────────────────┘

  CAPWAP Control channel:   Always to WLC (AP management, config, stats)
  CAPWAP Data channel:      LOCAL SWITCHING → bypasses WLC entirely
                            CENTRAL SWITCHING → tunnelled to WLC

  Standalone mode (WAN down):
  ► Locally switched SSIDs: REMAIN UP  ✅
  ► Centrally switched SSIDs: GO DOWN  ✗
  ► Authentication: local cache from FlexConnect Group  ✅
  

2. Lab Topology & Scenario

NetsTuts has two branch offices — Branch-A and Branch-B — each with two FlexConnect APs. Both branches connect to the central WLC at HQ over a WAN. The corporate SSID (NetsTuts-Corp) must use local switching so branch employees maintain LAN access during WAN outages. The guest SSID (NetsTuts-Guest) uses central switching so all guest traffic is hairpinned through HQ for filtering. A FlexConnect group will be created for each branch to enable local authentication and fast roaming between the two APs at each site.

  ┌──────────────────────────────────────────────────────────────────┐
  │                    HQ — WLC                                      │
  │   Management: 10.0.0.50/24                                       │
  │   WLANs:                                                         │
  │     WLAN 1: NetsTuts-Corp  (WPA2-Enterprise, VLAN 10)            │
  │     WLAN 2: NetsTuts-Guest (Open + WebAuth,  VLAN 100)           │
  │   FlexConnect Groups:                                            │
  │     FC-GROUP-BRANCH-A  (Branch-A-AP1, Branch-A-AP2)             │
  │     FC-GROUP-BRANCH-B  (Branch-B-AP1, Branch-B-AP2)             │
  └───────────────────────────┬──────────────────────────────────────┘
                              │ WAN (CAPWAP control + central data)
               ┌──────────────┴──────────────┐
               │                             │
  ┌────────────▼────────────┐   ┌────────────▼────────────┐
  │       Branch-A          │   │       Branch-B          │
  │  Branch-A-AP1  (Gi0/1)  │   │  Branch-B-AP1  (Gi0/1)  │
  │  Branch-A-AP2  (Gi0/2)  │   │  Branch-B-AP2  (Gi0/2)  │
  │  Branch Switch          │   │  Branch Switch          │
  │  VLAN 10: 10.10.0.0/24  │   │  VLAN 10: 10.20.0.0/24  │
  │  VLAN 100: 192.168.10.0 │   │  VLAN 100: 192.168.20.0 │
  │  DHCP: local router     │   │  DHCP: local router     │
  └─────────────────────────┘   └─────────────────────────┘

  SSID Switching Mode per Branch AP:
  ┌──────────────────┬──────────────────────┬───────────────────────┐
  │ SSID             │ Switching Mode        │ Standalone Behaviour  │
  ├──────────────────┼──────────────────────┼───────────────────────┤
  │ NetsTuts-Corp    │ Local Switching       │ Remains UP  ✅        │
  │ NetsTuts-Guest   │ Central Switching     │ Goes DOWN   ✗         │
  └──────────────────┴──────────────────────┴───────────────────────┘
  

3. Step 1 — Convert APs to FlexConnect Mode

By default, Cisco lightweight APs join the WLC in Local mode — all data is centrally switched through the WLC. Each AP must be individually converted to FlexConnect mode via the WLC GUI or CLI. This is done per-AP, not globally. Navigate to Wireless → Access Points → All APs → [AP Name] → General:

  WLC GUI — Wireless → Access Points → All APs → Branch-A-AP1 → General

  ┌───────────────────────────────────────────────────────┐
  │  AP Name:         Branch-A-AP1                        │
  │  AP Model:        Cisco Aironet 2802i                 │
  │  AP MAC:          00:1a:2b:3c:4d:01                   │
  │  AP IP:           10.10.0.11 (DHCP from branch)       │
  │                                                       │
  │  AP Mode:         Local          ← CHANGE THIS        │
  │  [Dropdown]       ● FlexConnect  ← select FlexConnect │
  │                                                       │
  │  FlexConnect      ─────────────────────────────────── │
  │  Local Switching: ✅ Enabled                          │
  │  Local Auth:      ✅ Enabled                          │
  │  Learn Client IP: ✅ Enabled                          │
  └───────────────────────────────────────────────────────┘
  [Apply] — AP will reboot and rejoin in FlexConnect mode
            (30–90 seconds downtime during mode change)

  Repeat for:  Branch-A-AP2, Branch-B-AP1, Branch-B-AP2
  
After clicking Apply, the AP reboots and rejoins the WLC in FlexConnect mode. During the reboot, all clients on that AP are temporarily disconnected. Plan AP mode changes during a maintenance window or stagger the changes so not all APs at a branch reboot simultaneously. Learn Client IP tells the AP to learn client IP addresses passively from locally switched traffic and report them to the WLC, maintaining visibility in Monitor → Clients even though data does not pass through the WLC. For AP types and modes, see Access Points & WLC and Lightweight vs Autonomous APs.

WLC CLI — Convert AP to FlexConnect Mode

! ── Alternatively, use the WLC CLI ───────────────────────
(Cisco Controller) >config ap mode flexconnect Branch-A-AP1

Changing the AP's mode will cause the AP to reboot.
Are you sure you want to continue? (y/n) y

(Cisco Controller) >config ap mode flexconnect Branch-A-AP2
Are you sure you want to continue? (y/n) y

(Cisco Controller) >config ap mode flexconnect Branch-B-AP1
Are you sure you want to continue? (y/n) y

(Cisco Controller) >config ap mode flexconnect Branch-B-AP2
Are you sure you want to continue? (y/n) y
  

4. Step 2 — Configure Local Switching on the Corporate WLAN

Local switching is enabled per WLAN (SSID), not per AP. When local switching is enabled on a WLAN, all FlexConnect APs broadcasting that SSID will switch that WLAN's client traffic locally. Navigate to WLANs → [WLAN ID] → Advanced:

  WLC GUI — WLANs → WLAN 1 (NetsTuts-Corp) → Advanced

  ┌───────────────────────────────────────────────────────┐
  │  FlexConnect                                          │
  │  ─────────────────────────────────────────────────── │
  │  FlexConnect Local Switching:  ✅ Enabled             │
  │  FlexConnect Local Auth:       ✅ Enabled             │
  │  FlexConnect Learn Client IP:  ✅ Enabled             │
  └───────────────────────────────────────────────────────┘
  [Apply] → [Save Configuration]
  
  WLC GUI — WLANs → WLAN 2 (NetsTuts-Guest) → Advanced

  ┌───────────────────────────────────────────────────────┐
  │  FlexConnect                                          │
  │  ─────────────────────────────────────────────────── │
  │  FlexConnect Local Switching:  ☐ Disabled            │
  │  (Central switching — all guest traffic to WLC)       │
  └───────────────────────────────────────────────────────┘
  [Apply] → [Save Configuration]
  
FlexConnect Local Switching on the corporate WLAN means client data frames exit the AP directly onto the local branch LAN VLAN — the WAN carries only the CAPWAP control channel (AP management, configuration, statistics). Guest traffic with local switching disabled remains hairpinned through the WLC, which allows central filtering, the WebAuth captive portal, and complete traffic visibility at HQ. For the guest WLAN and WebAuth configuration, see Guest WLAN with WebAuth.

WLC CLI — Enable Local Switching on WLAN 1

! ── Enable FlexConnect local switching on WLAN 1 ─────────
(Cisco Controller) >config wlan flexconnect local-switching 1 enable

! ── Enable FlexConnect local authentication on WLAN 1 ─────
(Cisco Controller) >config wlan flexconnect ap-auth 1 enable

! ── Enable learn client IP on WLAN 1 ─────────────────────
(Cisco Controller) >config wlan flexconnect learn-ipaddr 1 enable

! ── Confirm local switching is disabled on guest WLAN 2 ──
(Cisco Controller) >config wlan flexconnect local-switching 2 disable
  

5. Step 3 — Configure FlexConnect VLAN Mapping on the AP

When an AP switches traffic locally, it must know which local VLAN to place each SSID's traffic on. This is done through FlexConnect VLAN Mapping — mapping a WLAN ID to a local VLAN on the branch switch. Navigate to Wireless → Access Points → [AP Name] → FlexConnect:

  WLC GUI — Wireless → All APs → Branch-A-AP1 → FlexConnect

  ── Native VLAN ──────────────────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Native VLAN ID:  10                                  │
  │  (Management traffic from the AP uses VLAN 10)        │
  └───────────────────────────────────────────────────────┘

  ── VLAN Mappings ─────────────────────────────────────────
  ┌──────────┬────────────────────┬───────────────────────┐
  │ WLAN ID  │ WLAN Profile Name  │ VLAN ID (local)       │
  ├──────────┼────────────────────┼───────────────────────┤
  │ 1        │ NetsTuts-Corp      │ 10   (corporate VLAN) │
  │ 2        │ NetsTuts-Guest     │ 100  (guest VLAN)     │
  └──────────┴────────────────────┴───────────────────────┘
  [Apply]

  Repeat identical VLAN mapping for Branch-A-AP2
  (same branch = same local VLANs 10 and 100)

  For Branch-B APs: same WLAN IDs but same or different
  local VLAN IDs depending on branch L3 design
  
The Native VLAN ID is the untagged VLAN on the trunk port connecting the AP to the branch switch; it is also the VLAN the AP itself uses for management traffic and the CAPWAP tunnel. The VLAN Mappings table tells the AP which 802.1Q tag to apply when it locally switches each SSID's traffic onto that trunk. WLAN 2 (guest) frames leave the AP tagged VLAN 100. WLAN 1 (corporate) is mapped to VLAN 10, which is also the native VLAN, so its frames leave the AP untagged and the switch places them in VLAN 10. Note what that choice means: corporate wireless clients share a Layer 2 segment with the AP's own management and CAPWAP traffic. It works, and it is what this lab does, but a dedicated AP management VLAN (a native VLAN that is not mapped to any SSID) is the more defensible design, because it keeps client hosts off the segment the controller talks to the AP on. The branch switch trunk port connecting to the AP must allow every mapped VLAN. For trunk configuration, see Trunk Port Configuration and VLAN Creation & Management. For VLAN tagging concepts, see VLAN Tagging.

Branch Switch — Trunk Port to FlexConnect AP

Branch_SW>en
Branch_SW#conf t

! ── Trunk port connecting to Branch-A-AP1 ─────────────────
Branch_SW(config)#interface GigabitEthernet0/1
Branch_SW(config-if)#description Trunk to Branch-A-AP1 (FlexConnect)
Branch_SW(config-if)#switchport mode trunk
Branch_SW(config-if)#switchport trunk native vlan 10
Branch_SW(config-if)#switchport trunk allowed vlan 10,100
Branch_SW(config-if)#spanning-tree portfast trunk
Branch_SW(config-if)#exit

! ── Trunk port connecting to Branch-A-AP2 ─────────────────
Branch_SW(config)#interface GigabitEthernet0/2
Branch_SW(config-if)#description Trunk to Branch-A-AP2 (FlexConnect)
Branch_SW(config-if)#switchport mode trunk
Branch_SW(config-if)#switchport trunk native vlan 10
Branch_SW(config-if)#switchport trunk allowed vlan 10,100
Branch_SW(config-if)#spanning-tree portfast trunk
Branch_SW(config-if)#exit

Branch_SW(config)#end
Branch_SW#wr
  
spanning-tree portfast trunk on the AP uplink port skips the STP listening and learning states (about 30 seconds) when the AP reboots or reconnects, so the port goes straight to forwarding and the AP joins sooner. An AP does not send BPDUs, so nothing is lost on that port; the port still listens for BPDUs, so if a switch were ever plugged in by mistake STP would still react, and adding BPDU guard on the same port turns that mistake into an err-disabled port rather than a topology change. Keep the allowed VLAN list pruned to the mapped VLANs: anyone who unplugs the AP and connects their own device to this port gets a trunk carrying every VLAN it allows. The native VLAN on the switch trunk must match the Native VLAN ID configured on the AP in the WLC GUI; with a mismatch the AP's untagged management traffic lands in the wrong VLAN and the AP never reaches the WLC. For PortFast details, see PortFast & BPDU Guard.
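The native VLAN and allowed VLAN list on the switch side must agree with the AP's FlexConnect settings, and the checks are mechanical enough to script. The following is an added example for this lab, not Cisco tooling: it parses an IOS interface block like the Gi0/1 one above, compares it with the AP's Native VLAN ID and VLAN Mappings as entered in the WLC GUI, and reports mismatches. The AP settings and the second, deliberately broken port (native VLAN left at the IOS default, VLAN 100 not allowed) are constructed sample data.

```python
"""Cross-check a FlexConnect AP's VLAN settings (from the WLC) against the
branch switch trunk port it is cabled to. Added example, not a Cisco tool.

Severity ERROR: CAPWAP or client traffic will break.
Severity WARN:  works, but is a design weakness worth a second look.
"""
import re
from dataclasses import dataclass, field


@dataclass
class FlexApConfig:
    name: str
    native_vlan: int                 # AP -> FlexConnect -> Native VLAN ID
    wlan_vlan_map: dict              # WLAN ID -> local VLAN (VLAN Mappings table)
    local_switched: set = field(default_factory=set)   # WLAN IDs with local switching


def expand_vlan_list(spec: str) -> set:
    """IOS VLAN list syntax: '10,100,200-202' -> {10, 100, 200, 201, 202}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_trunk_port(ios_config: str) -> dict:
    """Pull trunk mode, native VLAN and allowed VLANs out of an IOS interface block.
    Defaults mirror IOS: native VLAN 1, and no 'allowed vlan' line means all VLANs."""
    port = {"trunk": False, "native": 1, "allowed": None}
    for line in ios_config.splitlines():
        line = line.strip()
        if line == "switchport mode trunk":
            port["trunk"] = True
        elif (m := re.match(r"switchport trunk native vlan (\d+)$", line)):
            port["native"] = int(m.group(1))
        elif (m := re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)):
            port["allowed"] = expand_vlan_list(m.group(1))
    return port


def check_ap_port(ap: FlexApConfig, port: dict) -> list:
    """Return (severity, message) findings; an empty list means consistent."""
    findings = []
    if not port["trunk"]:
        findings.append(("ERROR", f"{ap.name}: switch port is not a trunk; tagged "
                                  "frames for locally switched WLANs will be dropped"))
    if ap.native_vlan != port["native"]:
        findings.append(("ERROR", f"{ap.name}: native VLAN mismatch (AP {ap.native_vlan}, "
                                  f"switch {port['native']}); CAPWAP to the WLC will fail"))
    for wlan_id in sorted(ap.local_switched):        # central WLANs use the WLC interface
        vlan = ap.wlan_vlan_map.get(wlan_id)
        if vlan is None:
            findings.append(("ERROR", f"{ap.name}: WLAN {wlan_id} is locally switched "
                                      "but has no VLAN mapping"))
            continue
        if port["allowed"] is not None and vlan not in port["allowed"]:
            findings.append(("ERROR", f"{ap.name}: WLAN {wlan_id} maps to VLAN {vlan}, "
                                      "which the trunk does not allow"))
        if vlan == ap.native_vlan:
            findings.append(("WARN", f"{ap.name}: WLAN {wlan_id} client data shares the "
                                     f"AP management (native) VLAN {vlan}"))
    if port["allowed"] is None:
        findings.append(("WARN", f"{ap.name}: trunk allows all VLANs; prune it to the mapped ones"))
    return findings


# Constructed inputs: the lab's Branch-A-AP1 settings and its Gi0/1 block.
BRANCH_A_AP1 = FlexApConfig("Branch-A-AP1", native_vlan=10,
                            wlan_vlan_map={1: 10, 2: 100}, local_switched={1})
GI0_1 = """interface GigabitEthernet0/1
 description Trunk to Branch-A-AP1 (FlexConnect)
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,100
 spanning-tree portfast trunk
"""
# Constructed broken port: native VLAN left at the IOS default, VLAN 100 missing.
BAD_PORT = """interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 10
"""

if __name__ == "__main__":
    for label, cfg in (("Gi0/1", GI0_1), ("Gi0/3", BAD_PORT)):
        for sev, msg in check_ap_port(BRANCH_A_AP1, parse_trunk_port(cfg)):
            print(f"[{sev}] {label}: {msg}")
```

Run against the lab's own Gi0/1 block the only finding is the WARN about WLAN 1 sharing the native VLAN, which is the design point made above; the broken port produces the native VLAN mismatch error that would stop the AP from ever joining the WLC.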

6. Step 4 — Create and Configure FlexConnect Groups

FlexConnect Groups enable local authentication (so APs can authenticate clients during WLC outage), fast roaming between APs at the same branch, and central DHCP override. A separate group is created for each branch. Navigate to Wireless → FlexConnect Groups → New:

  WLC GUI — Wireless → FlexConnect Groups → [New]

  ── Create Group for Branch-A ─────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  FlexConnect Group Name:  FC-GROUP-BRANCH-A           │
  └───────────────────────────────────────────────────────┘
  [Apply]

  ── Tab: General ─────────────────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Multicast Mode:    Multicast-Multicast  ← for video  │
  │  Central DHCP:      Disabled (use local branch DHCP)  │
  └───────────────────────────────────────────────────────┘

  ── Tab: APs ──────────────────────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Add AP: Branch-A-AP1  [Add]                          │
  │  Add AP: Branch-A-AP2  [Add]                          │
  │                                                       │
  │  AP List:                                             │
  │    Branch-A-AP1  00:1a:2b:3c:4d:01  FlexConnect       │
  │    Branch-A-AP2  00:1a:2b:3c:4d:02  FlexConnect       │
  └───────────────────────────────────────────────────────┘

  ── Tab: Local Authentication ─────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Local Radius Server:  ✅ Enabled                     │
  │  EAP Type:             EAP-FAST  (recommended)        │
  │                        or PEAP-MSCHAPv2               │
  │                                                       │
  │  Local Net Users (cached credentials):                │
  │  Username: branch-user1   Password: BranchP@ss1       │
  │  Username: branch-user2   Password: BranchP@ss2       │
  │  (These are downloaded to the AP and used during      │
  │   WLC outage for standalone-mode authentication)      │
  └───────────────────────────────────────────────────────┘
  [Apply] → [Save Configuration]
  
  ── Repeat: Create FC-GROUP-BRANCH-B ────────────────────

  WLC GUI — Wireless → FlexConnect Groups → [New]
  ┌───────────────────────────────────────────────────────┐
  │  FlexConnect Group Name:  FC-GROUP-BRANCH-B           │
  └───────────────────────────────────────────────────────┘
  [Apply]

  ── Tab: APs ──────────────────────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Add AP: Branch-B-AP1  [Add]                          │
  │  Add AP: Branch-B-AP2  [Add]                          │
  └───────────────────────────────────────────────────────┘

  ── Tab: Local Authentication ─────────────────────────────
  ┌───────────────────────────────────────────────────────┐
  │  Local Radius Server:  ✅ Enabled                     │
  │  EAP Type:             EAP-FAST                       │
  │  Local Net Users:      branch-b-user1 / BranchP@ss1  │
  └───────────────────────────────────────────────────────┘
  [Apply] → [Save Configuration]
  
APs in the same FlexConnect Group share a PMK (Pairwise Master Key) cache, so when a client roams from Branch-A-AP1 to Branch-A-AP2 it performs a fast roam (CCKM or OKC) without a full 802.1X re-authentication against the RADIUS server. This is critical for voice and real-time applications that cannot tolerate the 300–800 ms of a full EAP exchange during a roam. An AP can belong to only one FlexConnect Group. Treat the Local Net Users list as the credential store it is: every username and password in it is pushed to every AP in the group and kept on the AP, and a branch AP sits on a ceiling or a shelf where it can be removed. Keep the list to the accounts that genuinely need standalone access, give them passwords that are not reused from HQ accounts, and where the branch already runs a RADIUS server prefer pointing the group's Local Authentication at that server instead of caching users on the APs. For 802.1X authentication details, see 802.1X Port Authentication and AAA RADIUS Configuration.

WLC CLI — Create FlexConnect Group and Add APs

! ── Create FlexConnect Group for Branch-A ────────────────
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-A add

! ── Add APs to the group (by AP name) ────────────────────
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-A ap add Branch-A-AP1
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-A ap add Branch-A-AP2

! ── Enable local authentication on the group ─────────────
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-A radius ap enable

! ── Add local credentials cached on the AP ───────────────
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-A radius ap user add branch-user1 password BranchP@ss1

! ── Repeat for Branch-B ───────────────────────────────────
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-B add
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-B ap add Branch-B-AP1
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-B ap add Branch-B-AP2
(Cisco Controller) >config flexconnect group FC-GROUP-BRANCH-B radius ap enable
  

7. Step 5 — Verify and Understand Standalone Mode Behaviour

Before testing standalone mode, it is important to understand precisely what FlexConnect can and cannot do when the WLC is unreachable, so expectations are set correctly:

  Locally switched SSIDs (WPA2-PSK)
    Connected:    Up
    Standalone:   Up
    Requirement:  the PSK is part of the WLAN config cached on the AP;
                  no WLC needed

  Locally switched SSIDs (WPA2-Enterprise)
    Connected:    Up
    Standalone:   Up (if local auth is enabled)
    Requirement:  local credentials or a branch RADIUS server configured
                  on the FlexConnect Group before the outage

  Centrally switched SSIDs
    Connected:    Up
    Standalone:   Down
    Requirement:  CAPWAP data tunnel to the WLC; not available without
                  the WLC

  New client associations (locally switched)
    Connected:    Yes
    Standalone:   Yes
    Requirement:  the AP handles association autonomously with its
                  cached config

  New client associations (centrally switched)
    Connected:    Yes
    Standalone:   No
    Requirement:  the WLC is required for the CAPWAP data channel

  DHCP for locally switched clients
    Connected:    from the local DHCP server (branch router)
    Standalone:   from the local DHCP server
    Requirement:  DHCP must be a local branch server; central DHCP over
                  the WAN is unavailable

  Configuration changes
    Connected:    the WLC pushes them to the AP immediately
    Standalone:   not possible
    Requirement:  the AP runs the last config cached from the WLC;
                  changes apply once the WLC reconnects

  WebAuth (guest captive portal)
    Connected:    Yes (internal or external WebAuth)
    Standalone:   No for new clients
    Requirement:  the captive portal is served by the WLC, so a client
                  that has not yet completed WebAuth cannot do so while
                  the WLC is unreachable; in this lab the guest WLAN is
                  centrally switched and goes down entirely

DHCP Planning for FlexConnect Standalone: If your branch clients rely on a DHCP server at HQ (central DHCP), they will lose IP addresses when the WAN goes down in standalone mode, because their DHCP Discover messages cannot cross the WAN to HQ. Always deploy a local DHCP server at each branch (typically the branch router or a local Windows server). Leave the FlexConnect Group's Central DHCP setting disabled and ensure the branch router's DHCP scope covers the locally switched VLAN. See DHCP Server Configuration and DHCP Relay Agent for related DHCP planning.

8. Verification

show ap config general [AP-Name] — Primary Verification Command

(Cisco Controller) >show ap config general Branch-A-AP1

Cisco AP Identifier.............................. 1
Cisco AP Name.................................... Branch-A-AP1
Country code..................................... US
AP Mode.......................................... FlexConnect
AP SubMode....................................... Not Configured
Rogue Detection.................................. Enabled

FlexConnect Information:
  FlexConnect Mode................................. Local
  VLAN Support..................................... Yes
  VLAN name for Central Switching.................. management
  VLAN ID for Native VLAN.......................... 10
  Local Switching for Locally Mapped WLANs......... Enabled
  Flexconnect ACL Applied.......................... No
  FlexConnect Group................................ FC-GROUP-BRANCH-A

Local Authentication:
  Local Auth....................................... Enabled
  EAP Type......................................... EAP-FAST
  Number of local users............................ 2

CAPWAP Path MTU.................................. 1485
Primary Cisco Switch Name........................ WLC-HQ
Primary Cisco Switch IP Address.................. 10.0.0.50
  
The key fields to confirm: AP Mode: FlexConnect (not Local, Monitor, or Sniffer), Local Switching: Enabled, VLAN Support: Yes, Native VLAN: 10, FlexConnect Group: FC-GROUP-BRANCH-A, and Local Auth: Enabled. If AP Mode shows "Local" the AP was not converted to FlexConnect mode. If FlexConnect Group is blank, the AP was not added to a group and local authentication and fast roaming will not function.

show ap flexconnect [AP-Name] — FlexConnect WLAN Detail

(Cisco Controller) >show ap flexconnect Branch-A-AP1

FlexConnect AP: Branch-A-AP1
  WLAN  SSID              Mode              VLAN  Status
  ----  ----------------  ----------------  ----  -------
  1     NetsTuts-Corp     Local Switching   10    Enabled
  2     NetsTuts-Guest    Central Switching 100   Enabled
  
This output confirms WLAN 1 (NetsTuts-Corp) is in Local Switching mode and mapped to VLAN 10 — client data bypasses the WLC and is forwarded directly onto the branch LAN. WLAN 2 (NetsTuts-Guest) is in Central Switching mode — all guest traffic is tunnelled to the WLC. This is the most important verification for FlexConnect deployment correctness.

show flexconnect group detail [Group-Name]

(Cisco Controller) >show flexconnect group detail FC-GROUP-BRANCH-A

FlexConnect Group: FC-GROUP-BRANCH-A

Group Members:
  AP Name             AP Mac              Status
  ------------------  ------------------  ----------
  Branch-A-AP1        00:1a:2b:3c:4d:01   Connected
  Branch-A-AP2        00:1a:2b:3c:4d:02   Connected

Local Authentication:
  Local Radius:       Enabled
  EAP Type:           EAP-FAST
  Local Users:        2 configured

VLAN-ACL Mapping:     None
Multicast Mode:       Multicast-Multicast
  

show ap summary — Confirm All APs in FlexConnect Mode

(Cisco Controller) >show ap summary

Number of APs.................................... 4

AP Name          Slots  AP Model          Ethernet MAC       Radio MAC         IP Address    State
---------------  -----  ----------------  -----------------  ----------------  ------------  ---------
Branch-A-AP1     2      AIR-AP2802I-UXK9  00:1a:2b:3c:4d:01  00:1a:2b:3c:4d:00  10.10.0.11  FlexConnect
Branch-A-AP2     2      AIR-AP2802I-UXK9  00:1a:2b:3c:4d:02  00:1a:2b:3c:4d:10  10.10.0.12  FlexConnect
Branch-B-AP1     2      AIR-AP2802I-UXK9  00:2c:3d:4e:5f:01  00:2c:3d:4e:5f:00  10.20.0.11  FlexConnect
Branch-B-AP2     2      AIR-AP2802I-UXK9  00:2c:3d:4e:5f:02  00:2c:3d:4e:5f:10  10.20.0.12  FlexConnect
  
All four APs show State: FlexConnect — this confirms none are in Local mode (full central switching). If an AP shows "Local" it was not successfully converted. The IP addresses shown are the AP management IPs on the branch LAN — each AP registers with the WLC using its branch IP address, not a HQ IP.
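Reading these outputs by eye for four APs is fine; for forty it is not, and a mis-converted AP or one left out of its group is exactly the kind of thing that goes unnoticed until the WAN drops. The following is an added example for this lab, not a Cisco tool: it parses `show ap summary` and `show ap config general` text in the format shown above and reports every AP that is not in FlexConnect state, not in its expected group, missing local auth, or missing cached users. The `show ap summary` sample and Branch-A-AP1's `show ap config general` are the outputs from this page; Branch-B-AP2's `show ap config general` is a constructed failing case (still in Local mode, wrong native VLAN, no group, no local users). The expected group and native VLAN per AP are taken from the lab topology.

```python
"""Audit WLC 'show ap summary' / 'show ap config general' text for the
FlexConnect conditions the verification steps check by hand. Added example.
"""
import re

# Expected (FlexConnect Group, native VLAN) per AP, from the lab topology.
EXPECTED = {
    "Branch-A-AP1": ("FC-GROUP-BRANCH-A", 10),
    "Branch-A-AP2": ("FC-GROUP-BRANCH-A", 10),
    "Branch-B-AP1": ("FC-GROUP-BRANCH-B", 10),
    "Branch-B-AP2": ("FC-GROUP-BRANCH-B", 10),
}


def parse_dotted_fields(text: str) -> dict:
    """Turn 'Key........ value' lines into a dict. Section headers without dot
    leaders are skipped; indented sub-fields are keyed by their own name."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.*?)\.{2,}\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields


def parse_ap_summary(text: str) -> list:
    """Rows of 'show ap summary' -> dicts with name, model, eth_mac, ip, state."""
    row = re.compile(r"^(\S+)\s+\d+\s+(\S+)\s+([0-9a-f:]{17})\s+[0-9a-f:]{17}\s+"
                     r"(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")
    rows = []
    for line in text.splitlines():
        m = row.match(line)
        if m:
            rows.append(dict(zip(("name", "model", "eth_mac", "ip", "state"), m.groups())))
    return rows


def aps_not_flexconnect(summary_text: str) -> list:
    """Names of APs whose State column is anything other than FlexConnect."""
    return [r["name"] for r in parse_ap_summary(summary_text) if r["state"] != "FlexConnect"]


def audit_ap_general(general_text: str) -> list:
    """Findings for one AP's 'show ap config general' output; [] means it passes."""
    f = parse_dotted_fields(general_text)
    name = f.get("Cisco AP Name", "?")
    exp_group, exp_native = EXPECTED.get(name, (None, None))
    findings = []
    if f.get("AP Mode") != "FlexConnect":
        findings.append(f"{name}: AP Mode is {f.get('AP Mode')!r}, not FlexConnect")
    if f.get("VLAN Support") != "Yes":
        findings.append(f"{name}: VLAN Support is not Yes; per-WLAN VLAN mapping is not in effect")
    if exp_native is not None and f.get("VLAN ID for Native VLAN") != str(exp_native):
        findings.append(f"{name}: native VLAN is {f.get('VLAN ID for Native VLAN')!r}, expected {exp_native}")
    group = f.get("FlexConnect Group", "")
    if group in ("", "Not Configured"):
        findings.append(f"{name}: not in any FlexConnect Group; local auth and fast roaming will not work")
    elif exp_group and group != exp_group:
        findings.append(f"{name}: in group {group}, expected {exp_group}")
    if f.get("Local Auth") != "Enabled":
        findings.append(f"{name}: Local Auth is not enabled")
    try:
        users = int(f.get("Number of local users", "0"))
    except ValueError:
        users = 0
    if users == 0:
        findings.append(f"{name}: no local users cached; 802.1X will fail in standalone mode")
    return findings


# Sample outputs: the summary and Branch-A-AP1 are from this page (trimmed);
# Branch-B-AP2 is a constructed failing case.
AP_SUMMARY = """AP Name          Slots  AP Model          Ethernet MAC       Radio MAC         IP Address    State
---------------  -----  ----------------  -----------------  ----------------  ------------  ---------
Branch-A-AP1     2      AIR-AP2802I-UXK9  00:1a:2b:3c:4d:01  00:1a:2b:3c:4d:00  10.10.0.11  FlexConnect
Branch-A-AP2     2      AIR-AP2802I-UXK9  00:1a:2b:3c:4d:02  00:1a:2b:3c:4d:10  10.10.0.12  FlexConnect
Branch-B-AP1     2      AIR-AP2802I-UXK9  00:2c:3d:4e:5f:01  00:2c:3d:4e:5f:00  10.20.0.11  FlexConnect
Branch-B-AP2     2      AIR-AP2802I-UXK9  00:2c:3d:4e:5f:02  00:2c:3d:4e:5f:10  10.20.0.12  Local
"""
GENERAL_OK = """Cisco AP Identifier.............................. 1
Cisco AP Name.................................... Branch-A-AP1
AP Mode.......................................... FlexConnect
AP SubMode....................................... Not Configured

FlexConnect Information:
  FlexConnect Mode................................. Local
  VLAN Support..................................... Yes
  VLAN ID for Native VLAN.......................... 10
  Local Switching for Locally Mapped WLANs......... Enabled
  FlexConnect Group................................ FC-GROUP-BRANCH-A

Local Authentication:
  Local Auth....................................... Enabled
  EAP Type......................................... EAP-FAST
  Number of local users............................ 2
"""
GENERAL_BAD = """Cisco AP Identifier.............................. 4
Cisco AP Name.................................... Branch-B-AP2
AP Mode.......................................... Local
AP SubMode....................................... Not Configured

FlexConnect Information:
  VLAN Support..................................... Yes
  VLAN ID for Native VLAN.......................... 1
  FlexConnect Group................................

Local Authentication:
  Local Auth....................................... Disabled
  Number of local users............................ 0
"""

if __name__ == "__main__":
    print("Not FlexConnect:", aps_not_flexconnect(AP_SUMMARY))
    for text in (GENERAL_OK, GENERAL_BAD):
        for finding in audit_ap_general(text):
            print(finding)
```

In practice you would feed it the captured output of the two show commands for every AP (one `show ap config general` per AP name from `show ap summary`); the parsers only depend on the dotted-leader layout and the summary columns shown above, so any AP whose line does not match is simply not audited, which is itself worth checking for in the row count.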

show client detail [MAC] — Confirm Local Switching is Active

(Cisco Controller) >show client detail a4:c3:f0:11:22:33

Client MAC Address............................... a4:c3:f0:11:22:33
Client Username.................................. branch-user1
AP Name.......................................... Branch-A-AP1
Client State..................................... Associated
Wireless LAN Id.................................. 1
WLAN Profile Name................................ NetsTuts-Corp
IP Address....................................... 10.10.0.55
VLAN............................................. 10
Data Switching................................... Local
Authentication................................... Local
FlexConnect Data Switching....................... Local
FlexConnect Dhcp Status.......................... Local
  
Data Switching: Local and FlexConnect Data Switching: Local confirm this client's traffic is switched at the branch; it does not cross the WAN and the WLC data plane never sees it. FlexConnect Dhcp Status: Local confirms the client obtained its address from the branch DHCP server. Authentication: Local means the AP, not the WLC, handled the 802.1X exchange: with FlexConnect Local Auth enabled on the WLAN the AP authenticates clients even while it is connected to the WLC, and in standalone mode it is the only path available.

Simulate Standalone Mode — Disconnect WLC and Verify

! ── Simulate the WAN outage from the branch side (lab only) ──
! ── Do not disable the WLC management interface for this: it ─
! ── also cuts off your own GUI/SSH session to the controller. ─
! ── Router hostname and WAN interface name below are assumed. ─
Branch-Router#conf t
Branch-Router(config)#interface GigabitEthernet0/0
Branch-Router(config-if)#shutdown

! ── On the AP console (during standalone mode) ────────────
! ── APs log the transition to standalone ─────────────────
AP-Console: %CAPWAP-3-GOING_TO_STANDALONE: CAPWAP SM is moving to standalone mode.
AP-Console: %CAPWAP-5-STANDALONE: The AP has gone to standalone mode.

! ── Verify on AP CLI (connect via SSH or console) ─────────
Branch-A-AP1>show capwap ip config

CAPWAP State: STANDALONE

! ── Clients on locally switched WLAN remain connected ─────
! ── Test: ping from branch client to local LAN resource ───
Branch-Client$ ping 10.10.0.1
PING 10.10.0.1: 64 bytes from 10.10.0.1, icmp_seq=1, ttl=64, time=1.2ms
PING 10.10.0.1: 64 bytes from 10.10.0.1, icmp_seq=2, ttl=64, time=1.1ms

! ── Clients on centrally switched WLAN disconnect ─────────
! ── (NetsTuts-Guest goes down in standalone) ──────────────
  

Verification Command Summary

  show ap config general [AP]
    Shows:  full AP configuration: AP mode (FlexConnect/Local), FlexConnect
            mode, VLAN support, native VLAN, FlexConnect group membership,
            local auth status
    Use:    primary verification; confirm the AP is in FlexConnect mode with
            the correct group and local auth

  show ap flexconnect [AP]
    Shows:  per-WLAN FlexConnect configuration: SSID, switching mode
            (local/central), VLAN mapping, enabled/disabled status
    Use:    confirm each SSID is set to local or central switching with the
            right VLAN

  show flexconnect group detail [group]
    Shows:  FlexConnect group members: AP names, MAC addresses, connection
            status, local auth settings, user count
    Use:    confirm all branch APs are in the correct group and local auth is
            configured

  show ap summary
    Shows:  all APs: name, model, MAC, IP, and current state
            (FlexConnect / Local / Standalone)
    Use:    quick overview; confirm all target APs show FlexConnect state,
            not Local

  show client detail [MAC]
    Shows:  per-client detail: data switching (Local/Central), DHCP status
            (Local/Central), authentication type
    Use:    confirm an associated client is being locally switched and is
            using local DHCP and auth

  show capwap ip config (AP CLI)
    Shows:  CAPWAP state on the AP: Connected or Standalone, WLC IP, CAPWAP
            tunnel status
    Use:    on the AP CLI via SSH or console; confirm whether the AP is in
            connected or standalone mode

9. Troubleshooting FlexConnect Issues

Problem: AP still shows "Local" mode after FlexConnect conversion
    Symptom: show ap summary shows State: Local after the AP reboots.
    Cause:   the mode change was never applied before the reboot, or it was applied but the WLC configuration was not saved, so the WLC pushed the old mode back when the AP rejoined.
    Fix:     re-apply the mode change with config ap mode flexconnect [AP-Name] (the AP reboots), then save config on the WLC. Confirm the AP can still reach the WLC after the reboot; an AP that cannot complete CAPWAP discovery will not join in any mode. See WLC Getting Started.

Problem: Locally switched clients cannot get DHCP addresses
    Symptom: corporate SSID clients get APIPA (169.254.x.x) or no IP at all while the WLAN is in local switching mode.
    Cause:   the branch has no local DHCP server and clients are relying on the HQ server, which is unreachable without the WAN, or the FlexConnect group has Central DHCP enabled, pointing locally switched clients at a WLC-side scope that does not apply to them.
    Fix:     deploy a DHCP server at the branch (branch router or local server) with a scope covering the corporate VLAN. Disable Central DHCP in the FlexConnect Group settings. Verify that show client detail shows FlexConnect DHCP Status: Local. See DHCP Server Configuration.

Problem: Clients cannot connect during standalone mode (WPA2-Enterprise)
    Symptom: with the WAN down, WPA2-Enterprise clients fail authentication on the locally switched corporate SSID while PSK clients connect fine.
    Cause:   FlexConnect Local Authentication is not enabled on the FlexConnect Group, the local user list is empty, or the EAP type the clients use is not one enabled for local authentication on the group (this lab uses EAP-FAST and PEAP).
    Fix:     verify the FlexConnect Group has Local Radius Server: Enabled and that local users are populated. Confirm that show ap config general [AP] shows Local Auth: Enabled and a non-zero user count. Make sure the client supplicant's EAP type matches what the group is configured to serve.

Problem: VLAN mapping not working, traffic goes to the wrong VLAN
    Symptom: locally switched corporate clients land on VLAN 1 (native/untagged) instead of VLAN 10, or get no connectivity.
    Cause:   the VLAN mapping under Wireless > All APs > [AP] > FlexConnect was not configured, or the native VLAN on the AP does not match the native VLAN on the switch trunk port facing the AP.
    Fix:     check the VLAN mapping table: every WLAN ID must have an explicit local VLAN ID. Confirm the Native VLAN ID on the AP (WLC GUI) matches switchport trunk native vlan on the branch switch port. A mismatch puts the AP's untagged management traffic, and any client traffic mapped to the native VLAN, in the wrong VLAN.

Problem: AP enters standalone mode unexpectedly during normal operation
    Symptom: the AP transitions to standalone although the WAN link appears up; show ap summary briefly shows State: Standalone and the AP rejoins shortly after.
    Cause:   CAPWAP keepalives are being lost on a degraded WAN (latency spikes or packet loss) that is not fully down. When echoes are not answered within the heartbeat timeout, the AP declares the WLC unreachable and the WLC ages the AP out.
    Fix:     check WAN link quality first with ping [WLC-IP] repeat 100 from the branch router; loss or jitter there is the usual cause. Review the heartbeat settings with show advanced timers. Note that config advanced timers ap-heartbeat-timeout [seconds] accepts 1 to 30 seconds and the default is already the maximum of 30, so it cannot be raised further; if a FlexConnect fast heartbeat (config advanced timers ap-fast-heartbeat flexconnect enable [1-10]) has been turned on, the AP gives up after only a few seconds of loss, and disabling it on a lossy WAN reduces flapping. For resilience, add a backup WAN path or a secondary (backup) WLC. show logging on the WLC records the CAPWAP disjoin and rejoin events.

Problem: Guest SSID (central switching) appears up during a WLC outage
    Symptom: after the WLC becomes unreachable, the guest SSID may still appear in client scan lists, but clients cannot complete association or pass traffic.
    Cause:   a centrally switched WLAN has no data path without the WLC terminating the CAPWAP tunnel. Whether the AP keeps beaconing the SSID in standalone mode depends on the AP/WLC release; either way the WLAN is non-functional.
    Fix:     this is expected behaviour and there is no WLC-side setting that keeps a centrally switched WLAN working without the WLC. If guest access must survive a WAN outage, the guest WLAN has to be locally switched instead, which moves WebAuth and guest filtering to the branch (see Guest WLAN with WebAuth); otherwise accept the outage and set client expectations accordingly.
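The verification commands above are easy to eyeball for one AP and tedious for a site with many. The following is an added example written for this page, not a Cisco tool and not code from the original: it parses AireOS-style "show" output (constructed sample text, field names follow this page's terminology rather than verbatim WLC output) and checks the points the command summary and troubleshooting table call out: AP mode, FlexConnect VLAN support, group membership, local auth, native VLAN against the branch switch trunk, and per-client local switching from show client detail. The AP names, VLAN numbers and MAC address are constructed.

```python
import re
from typing import Dict, List

# Lines in AireOS "show" output look like either
#   "AP Mode ........................ FlexConnect"   or   "Native VLAN ID : 10".
# Hypothetical helper: turns such text into a key/value dict.
_DOTTED = re.compile(r"^\s*(.+?)\s*:?\s*\.{3,}\s*:?\s*(.*?)\s*$")

def parse_show_output(text: str) -> Dict[str, str]:
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _DOTTED.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def trunk_native_vlan(ios_interface_config: str) -> int:
    """Native VLAN of an IOS trunk port; IOS defaults to VLAN 1 when unset."""
    m = re.search(r"switchport trunk native vlan (\d+)", ios_interface_config)
    return int(m.group(1)) if m else 1

def audit_ap(ap: Dict[str, str], switch_native_vlan: int) -> List[str]:
    """Apply the page's verification checklist to one AP's parsed output.
    Returns findings; an empty list means the AP passes."""
    findings: List[str] = []
    if ap.get("AP Mode") != "FlexConnect":
        findings.append(f"AP Mode is {ap.get('AP Mode')!r}, expected FlexConnect")
    if ap.get("FlexConnect Vlan mode") != "Enabled":
        findings.append("FlexConnect VLAN support disabled: local traffic lands on the native VLAN")
    group = ap.get("FlexConnect Group", "")
    if not group or group.lower() in ("not configured", "none"):
        findings.append("no FlexConnect Group: no local-auth credential cache, no shared PMK cache")
    if ap.get("Local Auth") != "Enabled":
        findings.append("Local Auth disabled: WPA2-Enterprise clients fail in standalone mode")
    try:
        ap_native = int(ap.get("Native VLAN ID", "1"))
    except ValueError:
        ap_native = 1
    if ap_native != switch_native_vlan:
        findings.append(f"native VLAN mismatch: AP {ap_native} vs switch trunk {switch_native_vlan}")
    return findings

def client_is_locally_switched(client: Dict[str, str]) -> bool:
    """Per-client operational check from 'show client detail' output."""
    return (client.get("FlexConnect Data Switching") == "Local"
            and client.get("FlexConnect Dhcp Status") == "Local")

# Constructed sample input (not captured from a real WLC or switch).
SWITCH_PORT = """\
interface GigabitEthernet1/0/5
 description Branch-A-AP1 uplink
 switchport mode trunk
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10,20,30
"""

AP_OK = """\
Cisco AP Name.................................... Branch-A-AP1
AP Mode ......................................... FlexConnect
FlexConnect Vlan mode :.......................... Enabled
FlexConnect Group................................ Branch-A-Group
Local Auth....................................... Enabled
Native VLAN ID : 10
"""

AP_BAD = """\
Cisco AP Name.................................... Branch-A-AP2
AP Mode ......................................... FlexConnect
FlexConnect Vlan mode :.......................... Enabled
FlexConnect Group................................ Not Configured
Local Auth....................................... Disabled
Native VLAN ID : 1
"""

CLIENT = """\
Client MAC Address............................... 00:11:22:33:44:55
AP Name.......................................... Branch-A-AP1
FlexConnect Data Switching....................... Local
FlexConnect Dhcp Status.......................... Local
FlexConnect Authentication....................... Central
"""

if __name__ == "__main__":
    native = trunk_native_vlan(SWITCH_PORT)
    for raw in (AP_OK, AP_BAD):
        ap = parse_show_output(raw)
        print(ap["Cisco AP Name"], audit_ap(ap, native) or ["OK"])
    print("client locally switched:", client_is_locally_switched(parse_show_output(CLIENT)))
```

Run it against pasted output from each branch AP; Branch-A-AP2 in the constructed sample trips three findings (no group, local auth off, native VLAN 1 versus trunk native VLAN 10), which are exactly the standalone-mode failures the troubleshooting table describes.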

Key Points & Exam Tips

  • FlexConnect (formerly H-REAP) allows a Cisco lightweight AP to switch client traffic locally at the branch while still being managed by a central WLC. The CAPWAP control channel always goes to the WLC; the CAPWAP data channel is bypassed for locally switched SSIDs.
  • Each SSID on a FlexConnect AP can be independently set to Local Switching (traffic exits the AP directly onto the local VLAN) or Central Switching (traffic is tunnelled through CAPWAP to the WLC). Local switching survives WLC outages; central switching does not.
  • FlexConnect APs operate in two modes: Connected (WLC reachable — full management, real-time config, statistics) and Standalone (WLC unreachable — AP uses last cached configuration, locally switched SSIDs remain up, centrally switched SSIDs go down).
  • FlexConnect Groups serve three purposes: (1) local authentication — cached credentials allow WPA2-Enterprise authentication during standalone mode without a RADIUS server; (2) fast roaming — shared PMK cache between APs in the group enables CCKM/OKC roaming without full RADIUS re-authentication; (3) central DHCP override — controls whether clients use a local or central DHCP server.
  • The native VLAN on the AP (set in WLC GUI under AP → FlexConnect) must exactly match the switchport trunk native vlan on the branch switch port connected to the AP. The AP sends its CAPWAP and management traffic untagged, so a mismatch drops that traffic into the wrong VLAN and the AP cannot reach the WLC to register.
  • FlexConnect VLAN mappings must be configured on each AP — each WLAN ID is mapped to a local branch VLAN. Without VLAN mapping, locally switched traffic is placed on VLAN 1 (the default untagged VLAN), which is typically incorrect and may cause security issues.
  • For standalone mode survivability, three things must all be in place: (1) the SSID must have local switching enabled, (2) a local DHCP server must be available at the branch (central DHCP at HQ is unreachable when WAN is down), and (3) FlexConnect Group local authentication must be enabled with pre-cached credentials for WPA2-Enterprise SSIDs.
  • show ap config general [AP-Name] is the primary verification command — confirm AP Mode: FlexConnect, Local Switching: Enabled, FlexConnect Group is populated, and Local Auth: Enabled. show ap flexconnect [AP-Name] shows per-SSID switching mode and VLAN mapping.
  • On the exam: know the two FlexConnect operating modes (Connected vs Standalone), the two SSID switching modes (Local vs Central) and their standalone behaviour, the three purposes of FlexConnect Groups, and the required switch trunk configuration for the AP uplink (trunk mode, native VLAN match, allowed VLANs). Also review AAA Overview for the authentication framework underpinning local auth.
Next Steps: For the guest WLAN WebAuth scenario that FlexConnect must handle at the branch, see Guest WLAN with WebAuth. For 802.1X port authentication that backs the WPA2-Enterprise SSID on the wired side, see 802.1X Port Authentication. For the branch-to-HQ site-to-site VPN that protects management traffic and centrally switched SSID traffic over the WAN, see Site-to-Site IPsec VPN. For autonomous (non-CAPWAP) AP configuration as an alternative to FlexConnect for very small branches, see Autonomous AP Configuration. For RF channel and power planning that supports multi-AP FlexConnect branch deployments, see Wireless RF Channel & Power Planning.

TEST WHAT YOU LEARNED

1. What is the fundamental difference between a FlexConnect AP in "Local Switching" mode and one in "Central Switching" mode when carrying corporate SSID traffic?

Correct answer is B. This is the core concept of FlexConnect. In Local Switching, the AP terminates the 802.11 wireless frame, converts it to an 802.3 Ethernet frame, applies the configured 802.1Q VLAN tag, and forwards it directly to the local branch switch — the WAN and WLC are not in the data path. The WLC only receives CAPWAP control traffic (AP management, configuration updates, statistics). In Central Switching, the AP does not forward data locally — it wraps every client frame in a CAPWAP UDP tunnel header and sends it across the WAN to the WLC, which then forwards it to the destination. For a branch client trying to print to a local printer with central switching, the print job travels across the WAN to HQ, the WLC forwards it back across the WAN, and it arrives at the branch printer — an extremely inefficient path. Local Switching eliminates this hairpinning for branch-local traffic.

2. A branch office has two SSIDs on its FlexConnect APs — a corporate SSID (local switching) and a guest SSID (central switching). The WAN link to HQ fails. Which of the following accurately describes what happens?

Correct answer is D. This is precisely the FlexConnect standalone mode behaviour and a common exam scenario. When the WLC becomes unreachable, FlexConnect APs automatically transition to standalone mode. In standalone mode: (1) locally switched SSIDs remain operational because the AP has all the information it needs — the SSID configuration, the PSK or local credential cache, and the VLAN mapping — cached from the WLC before the outage. No WLC is needed for the data plane. (2) Centrally switched SSIDs lose their data path — the AP cannot forward CAPWAP-encapsulated data frames without the WLC terminating the tunnel at the other end. The SSID may still broadcast beacons (clients see it in their scan list) but client associations and data forwarding fail. This design is intentional — the corporate SSID is locally switched so it survives WAN outages, while the guest SSID is centrally switched so it fails safe when HQ connectivity is lost.

3. What are the three primary purposes of a FlexConnect Group, and why is it important that all APs at the same branch belong to the same group?

Correct answer is A. FlexConnect Groups have three distinct and meaningful functional roles beyond being an administrative label. Local authentication (standalone mode survivability): the WLC pre-downloads cached credentials to every AP in the group. When the WAN fails and WLC is unreachable, branch users can still authenticate to the WPA2-Enterprise SSID using these locally cached credentials — the AP acts as a local RADIUS server. Fast roaming (CCKM/OKC): all APs in the group share the PMK (Pairwise Master Key) generated when a client first authenticates. When a client roams from AP1 to AP2 within the group, it presents its PMK to AP2 — AP2 accepts it without contacting the RADIUS server. A full EAP exchange takes 300–800ms which causes noticeable interruption to voice/video. OKC roaming takes under 50ms. Central DHCP override: the group setting controls whether locally switched clients get IPs from a local DHCP server or a central one. All branch APs must be in the same group so the credential cache and PMK database are shared across all APs at the site — otherwise a client roaming to an AP outside the group would trigger a full RADIUS re-authentication.

4. After converting an AP to FlexConnect mode and configuring local switching on the corporate WLAN, show ap flexconnect Branch-A-AP1 shows WLAN 1 as "Central Switching" instead of "Local Switching." What is the most likely cause?

Correct answer is C. There are two independent settings that must both be configured for local switching to work on a WLAN: (1) the AP must be in FlexConnect mode (converted from Local mode — done per-AP), AND (2) the specific WLAN must have FlexConnect Local Switching enabled (done per-WLAN in WLANs → [WLAN ID] → Advanced tab → FlexConnect Local Switching checkbox). If only the AP is converted to FlexConnect mode but the WLAN's local switching is not enabled, all SSIDs on that AP default to central switching — the AP is in FlexConnect mode but every WLAN still tunnels its data to the WLC via CAPWAP. This is the most common FlexConnect misconfiguration. The fix is: WLANs → WLAN 1 (NetsTuts-Corp) → Advanced → check FlexConnect Local Switching → Apply → Save Configuration.

5. A FlexConnect AP enters standalone mode during a WAN outage. WPA2-PSK clients reconnect successfully, but WPA2-Enterprise clients (802.1X/PEAP) fail to authenticate. What is missing?

Correct answer is D. WPA2-PSK clients reconnect successfully because the PSK (pre-shared key) is stored locally on the AP and does not require any server interaction — the AP validates the PSK during the 4-way handshake locally. WPA2-Enterprise (802.1X) normally requires a RADIUS server to validate EAP credentials. In standalone mode, the HQ RADIUS server is unreachable (WAN is down), so 802.1X authentication fails — the AP cannot contact the RADIUS server to validate the client's username and password. FlexConnect Local Authentication solves this by enabling the AP to act as a local RADIUS server using a credential cache pre-downloaded from the WLC via the FlexConnect Group. The FlexConnect Group must have Local Radius Server enabled, the EAP type configured (EAP-FAST is recommended as it is Cisco-native and does not require client certificates; PEAP-MSCHAPv2 is also supported), and the branch users' credentials added. Without this, WPA2-Enterprise always fails in standalone mode regardless of other settings.

6. Why must the Native VLAN configured on a FlexConnect AP in the WLC GUI exactly match the switchport trunk native vlan on the branch switch port connected to that AP?

Correct answer is B. The native VLAN is the VLAN that 802.1Q trunk ports use for untagged frames. A FlexConnect AP sends its management traffic (including CAPWAP control packets to the WLC) as untagged frames on the native VLAN. If the AP is configured with Native VLAN 10 (it sends management frames untagged, expecting the switch to place them in VLAN 10), but the switch trunk port has native VLAN 1 (it puts all received untagged frames into VLAN 1), then the AP's CAPWAP packets land in VLAN 1 instead of VLAN 10. If the WLC management IP is reachable from VLAN 10 but not VLAN 1 (as is typical — the WLC IP is on the management network, not on the default VLAN 1), the AP cannot reach the WLC and the CAPWAP tunnel fails. This is one of the most common AP join failures in FlexConnect deployments. Option D is incorrect — native VLAN is not negotiated by VTP. VTP carries VLAN database information but does not synchronise native VLAN settings on trunk ports.

7. show ap config general Branch-A-AP1 shows AP Mode: FlexConnect but FlexConnect Group is blank. What capability is missing as a result?

Correct answer is C. An AP in FlexConnect mode without a FlexConnect Group assignment is still a functional FlexConnect AP — it can locally switch traffic (option A is wrong), it can register with the WLC (option B is wrong), and it can use VLAN mappings (option D is wrong). What it loses is the group-level shared capabilities: (1) Local Authentication — the credential cache (pre-downloaded user accounts for standalone-mode 802.1X) is configured at the group level and distributed to all APs in the group. Without group membership, the AP has no local credential cache and cannot authenticate WPA2-Enterprise clients during standalone mode. (2) Fast Roaming — the PMK cache is shared between APs in the same group. Without a shared PMK cache, each time a client roams to this AP it must perform a full EAP exchange with the RADIUS server. For most data applications this is acceptable, but for voice/video it causes perceptible audio dropouts or video freezes during the 300–800ms re-authentication. The fix is to add the AP to the appropriate branch FlexConnect Group in Wireless → FlexConnect Groups.

8. What does the "Learn Client IP" setting in FlexConnect local switching enable, and why is it important for network management?

Correct answer is A. In central switching mode, the WLC sees every data frame and trivially knows each client's IP address. In local switching mode, client data frames exit the AP directly onto the local VLAN and never pass through the WLC — from the WLC's perspective, the client has an 802.11 association but no IP address (or a stale IP from a previous session). This creates a blind spot in network management: show client detail on the WLC shows no IP address, Monitor → Clients shows no IP, and security tools using the WLC as a data source cannot identify clients by IP. "Learn Client IP" solves this by having the AP snoop DHCP transactions in the locally switched traffic — when it sees a DHCP ACK for a client, it extracts the assigned IP and MAC address and reports this mapping to the WLC via the CAPWAP control channel. The WLC then populates its client database with the IP, even though the data never passed through the WLC. This is critical for NOC tools, security correlation, and compliance reporting that query the WLC for client information.
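To make the "Learn Client IP" mechanism concrete, here is an added example, written for this page and not the AP's or WLC's own code: it builds a constructed DHCPACK (BOOTP reply plus options), extracts the client hardware address and assigned address the way a snooping AP would, and ignores anything that is not an ACK. The MAC address, IP addresses and transaction ID are made up; a real AP reports the learned mapping to the WLC over the CAPWAP control channel, which this example only simulates with a dict.

```python
import struct
from typing import Dict, Iterable, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header
DHCPOFFER = 2
DHCPACK = 5

def build_dhcp_reply(client_mac: bytes, assigned_ip: str, server_ip: str,
                     msg_type: int = DHCPACK, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCP server reply used as sample input (not a captured packet)."""
    yiaddr = bytes(int(o) for o in assigned_ip.split("."))
    siaddr = bytes(int(o) for o in server_ip.split("."))
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0,                # op=BOOTREPLY, htype=Ethernet, hlen=6, hops
        xid, 0, 0,                 # transaction id, secs, flags
        b"\0" * 4, yiaddr, siaddr, b"\0" * 4,   # ciaddr, yiaddr, siaddr, giaddr
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([53, 1, msg_type])          # DHCP message type
               + bytes([54, 4]) + siaddr          # server identifier
               + bytes([51, 4]) + struct.pack("!I", 86400)  # lease time
               + b"\xff")                         # end
    return fixed + DHCP_MAGIC + options

def learn_client_ip(packet: bytes) -> Optional[Tuple[str, str]]:
    """Return (client_mac, assigned_ip) if the packet is a DHCPACK, else None."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        return None
    op, htype, hlen = packet[0], packet[1], packet[2]
    if op != 2 or htype != 1 or hlen != 6:
        return None
    yiaddr = ".".join(str(b) for b in packet[16:20])
    chaddr = ":".join(f"{b:02x}" for b in packet[28:34])
    # Walk the TLV options; option 53 carries the message type.
    i, msg_type = 240, None
    while i < len(packet):
        code = packet[i]
        if code == 255:
            break
        if code == 0:               # pad
            i += 1
            continue
        if i + 1 >= len(packet):    # truncated option header
            return None
        length = packet[i + 1]
        if code == 53 and length == 1 and i + 2 < len(packet):
            msg_type = packet[i + 2]
        i += 2 + length
    if msg_type != DHCPACK:
        return None
    return chaddr, yiaddr

def snoop_dhcp(packets: Iterable[bytes]) -> Dict[str, str]:
    """Simulated WLC client table: MAC -> IP learned from ACKs seen by the AP."""
    table: Dict[str, str] = {}
    for pkt in packets:
        learned = learn_client_ip(pkt)
        if learned:
            table[learned[0]] = learned[1]
    return table

if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"
    offer = build_dhcp_reply(mac, "10.10.0.57", "10.10.0.1", msg_type=DHCPOFFER)
    ack = build_dhcp_reply(mac, "10.10.0.57", "10.10.0.1")
    print(snoop_dhcp([offer, ack]))
```

Only the ACK populates the table: an OFFER is not a binding, and a DISCOVER or REQUEST carries no server-assigned address, which is why the AP keys on the ACK and why a client that uses a static address never shows an IP on the WLC under local switching.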

9. An engineer needs to verify that a specific client associated to a FlexConnect AP is actually having its traffic switched locally and not being tunnelled to the WLC. Which command and output field confirms this?

Correct answer is D. The question asks for per-client confirmation that a specific client's traffic is locally switched — not just that the WLAN or AP is configured for local switching. Options A, B, and C confirm configuration-level settings (what should happen) but not per-client operational state (what is actually happening for this specific client right now). show client detail [MAC] shows the operational state for that specific client session, including: "Data Switching: Local" (the general switching mode), "FlexConnect Data Switching: Local" (the FlexConnect-specific confirmation), and "FlexConnect DHCP Status: Local" (DHCP source). If FlexConnect Data Switching shows "Central" for a client on a WLAN that should be locally switched, it indicates the client fell back to central switching — possible causes include the AP not being fully in FlexConnect mode, a configuration mismatch, or the AP being in a transition state. Options A and C are good for WLAN/AP level confirmation but cannot tell you the per-client actual switching mode.

10. A network engineer is deploying a branch office with two FlexConnect APs, a corporate SSID (WPA2-Enterprise), and a guest SSID (WebAuth). Which combination of settings ensures corporate clients have full LAN access during a WAN outage AND guest traffic is filtered at HQ during normal operation?

Correct answer is C. This is the canonical FlexConnect branch deployment design that balances business continuity and security. Corporate SSID: local switching so branch employees retain LAN access (file servers, printers, local applications) when the WAN fails. FlexConnect Group with local authentication so WPA2-Enterprise 802.1X authentication succeeds in standalone mode using cached credentials. Local branch DHCP so clients get IPs without a WAN connection. Guest SSID: central switching so all guest traffic is hairpinned to HQ — the WLC handles WebAuth (captive portal), the HQ firewall filters guest internet traffic, and HQ has full visibility and logging of guest sessions. Guest access fails during WAN outages, which is the correct business decision — losing guest internet is acceptable; losing corporate employee LAN access is not. Option D is incorrect because central switching provides no standalone-mode benefit — all centrally switched SSIDs go down when the WLC is unreachable, regardless of FlexConnect Group membership.