C9800 FlexConnect Configuration: Deployment, Switching, and ACLs
FlexConnect is a deployment mode that pushes intelligence and processing to the edge of your network, letting you reduce WAN dependency and improve response times at remote sites. If you're managing branch offices, retail locations, or campus sites with high-latency WAN links, FlexConnect can be exactly what you need to give APs local autonomy while maintaining central management from the C9800 controller.
When to Use FlexConnect
FlexConnect shines in specific deployment scenarios. You should consider it when:
- Remote or branch offices are separated from the main campus by high-latency or unreliable WAN links.
- Local switching is preferred to avoid backhaul traffic and reduce latency-sensitive application delays.
- Autonomy during WAN outages matters; APs can continue serving clients if the tunnel to the controller drops.
- Multiple sites need independent roaming domains, and you want to avoid forced full reauthentication when clients move between branches.
In local mode (the alternative), all traffic is tunneled through CAPWAP to the controller, which becomes a bottleneck for data-plane processing. FlexConnect distributes that load to the APs themselves.
FlexConnect vs. Local Mode: Side-by-Side Comparison
| Aspect | FlexConnect | Local Mode |
|---|---|---|
| Data Plane | Locally switched at AP; bypasses tunnel | Centrally switched; all traffic through controller |
| Control Plane | Always centralized via CAPWAP | Always centralized via CAPWAP |
| WAN Dependency | Lower; clients stay connected if WAN fails | High; no AP data forwarding without controller |
| Failover Behavior | APs operate standalone; existing clients stay authenticated | APs lose all client connectivity on WAN failure |
| Roaming Between APs | Fast, intra-site; slower across FlexConnect sites | Fast across entire controller domain |
| ACL Support | VLAN ACLs, split-tunnel ACLs available | Standard policy-based ACLs only |
| Configuration Complexity | More complex; per-site profiles needed | Simpler; centralized policies apply everywhere |
FlexConnect Switching Modes
Within FlexConnect itself, you choose how traffic flows. The C9800 supports four switching scenarios:
1. Central Switching
All client traffic (regardless of VLAN) is tunneled to the controller, so forwarding, authentication, and policy enforcement all stay at the controller. Use this when you want to keep switching logic at the hub.
2. Local Switching Only
All traffic is switched at the AP; VLAN-to-AP mappings determine where each SSID's clients send frames. This minimizes WAN usage and latency. Clients can only communicate with servers on VLANs that exist locally at that AP.
3. Central Authentication with Local Switching
Clients authenticate against the central C9800, but their traffic is switched locally. This splits the workload: the controller handles 802.1X or RADIUS; the AP handles forwarding.
4. Local Authentication with Local Switching
Both authentication and switching happen at the AP (for example, using pre-shared keys). The controller remains the management point only. This is rarely used in enterprise environments but is supported.
You configure which mode applies by setting up a Flex Profile (described below) and assigning it to a Site Tag.
Flex Profile Configuration
A Flex Profile is the core configuration object for FlexConnect behavior. It lives in the C9800 and applies to all APs that inherit it via a Site Tag. You create it in the GUI or CLI.
GUI Path
Navigate to Configuration > Tags & Profiles > Flex > Flex Profile.
Key Settings in a Flex Profile
| Setting | Purpose |
|---|---|
| VLAN-ACL Mapping | Binds a VLAN to a specific access control list for locally switched traffic. |
| Native VLAN | The VLAN a guest SSID uses if no VLAN override is applied. |
| Local Switching VLAN Assignment | Maps SSIDs to VLANs that will be locally switched at the AP. |
| ARP Caching | Enables local ARP processing to reduce broadcast overhead. |
| Split Tunneling | Routes some traffic locally; other traffic through the tunnel to the controller. |
| Flex ACL | An ACL applied to traffic that passes through FlexConnect logic. |
CLI Example: Creating a Flex Profile
wireless profile flex my-flex-profile
description "Remote site flex profile"
vlan-name vlan-100 vlan-id 100
vlan-name vlan-200 vlan-id 200
local-switching vlan-list vlan-100, vlan-200
native-vlan vlan-100
arp-caching enable
exit
Site Tag Configuration for FlexConnect
A Site Tag is the container that ties together APs, policies, and Flex Profiles. Think of it as a virtual "location." When you create a Site Tag and set it for FlexConnect, all APs assigned to that tag inherit its configuration.
Important Points About Site Tags
- One site tag per location is recommended for fast roaming domain alignment. All APs in the same roaming domain (e.g., one floor or building) should share the same site tag.
- FlexConnect site tags support up to 100 APs per tag (as of release 17.8); earlier releases were limited in the same way as AireOS Flex groups.
- Custom site tags are a must for FlexConnect if seamless roaming is required. Do not use the default-site-tag; fast and secure roaming do not work with the default Flex group in AireOS, and the same applies to C9800.
GUI: Creating and Configuring a FlexConnect Site Tag
Go to Configuration > Tags & Profiles > Site. Create a new site tag with these steps:
- Click + Add to create a new site tag.
- Enter a Name (e.g., "branch-office-1").
- In the AP Join Profile field, select a join profile (or create one).
- In the Flex Profile dropdown, select the Flex Profile you created earlier.
- Check Enable Local Site. This enables FlexConnect mode for APs assigned to this tag.
- Click Save.
Once saved, any AP you assign to this site tag will automatically convert from local mode to FlexConnect (Flex) mode and will use the associated Flex Profile.
Policy Profile Configuration for FlexConnect
The Policy Profile determines which features are enabled and how authentication, DHCP, and VLAN assignment work. For FlexConnect deployments, the policy profile must specify:
| Feature | Configuration |
|---|---|
| Central Switching Toggle | Enable or disable in the policy profile; affects whether traffic tunnels to the controller. |
| Central DHCP | If enabled, DHCP is processed at the controller; if disabled, the AP (or a local DHCP server) assigns addresses. |
| Central Authentication | If enabled, 802.1X flows to the controller; if disabled, the AP authenticates locally (if possible). |
| DNS Processing | Can be central or local; impacts where DNS queries are resolved. |
| VLAN Assignment | Policy tag controls which VLAN locally switched traffic uses. |
Seamless Roaming Across Policy Tags
Starting with C9800 release 17.3, seamless roaming is allowed across policy profiles if they differ only in VLAN and ACL settings. This means a client can roam from one AP to another even if the policy tags are different, as long as the underlying policy profile is the same (or differs only in Layer 2/Layer 3 ACLs). To enable this globally:
c9800(config)#wireless client vlan-persistent
FlexConnect ACLs
FlexConnect supports multiple types of ACLs to control traffic:
VLAN ACLs (Access Control Lists)
VACLs apply to traffic inside a VLAN before it leaves the AP. They run at Layer 2 and are commonly used to block inter-VLAN traffic or drop broadcast/multicast within a VLAN. You define a VACL and then map it to a VLAN in your Flex Profile.
CLI Example:
ip access-list extended VACL-VLAN100
deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip any any
wireless profile flex my-flex-profile
vlan-acl-map vlan-100 VACL-VLAN100
exit
Split Tunnel ACLs
Split tunnel ACLs determine which traffic stays local and which goes through the tunnel to the controller. Traffic matching the ACL goes local; non-matching traffic tunnels. This is useful when you want some destinations (e.g., local file servers) to stay local and other traffic to go through the corporate network.
Flex ACLs
A Flex ACL is applied directly to the Flex Profile and affects all traffic processed in FlexConnect mode. Like standard access lists, it can permit or deny based on source, destination, protocol, and port.
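To make the first-match, wildcard-mask semantics of the VACL and split-tunnel ACLs above concrete, here is an added Python model (not Cisco code and not taken from the controller) that parses extended ACL bodies in the syntax shown in this article and evaluates a source/destination pair. `VACL-VLAN100` is the ACL from the text; `SPLIT_LOCAL` is a constructed sample, and `split_tunnel_path` encodes the rule stated above (matching traffic stays local, everything else is tunnelled).

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # Cisco wildcard mask: 0 bit = must match, 1 bit = don't care
    dst: str
    dst_wc: str

def _take_addr(tokens, i):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2

def parse_acl(text):
    """Parse the body of an 'ip access-list extended'; only 'ip' ACEs are modelled."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
            continue
        src, src_wc, i = _take_addr(t, 2)
        dst, dst_wc, _ = _take_addr(t, i)
        aces.append(Ace(t[0], src, src_wc, dst, dst_wc))
    return aces

def wildcard_match(addr, network, wildcard):
    """Bits set in the wildcard are ignored; all other bits must be equal."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a | w) == (n | w)

def evaluate(aces, src, dst):
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in aces:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"

def split_tunnel_path(aces, src, dst):
    """Split-tunnel rule from the text: permitted (matching) traffic stays local, the rest tunnels."""
    return "local" if evaluate(aces, src, dst) == "permit" else "tunnel"

# VACL from the article, plus a constructed split-tunnel ACL keeping the branch LAN and one host local.
VACL_VLAN100 = parse_acl("deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255\npermit ip any any")
SPLIT_LOCAL = parse_acl("permit ip any 192.168.1.0 0.0.0.255\npermit ip any host 10.0.0.53")
```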
Standalone Mode Behavior
When the WAN link to the controller fails, FlexConnect APs do not go offline. Instead, they enter Standalone mode:
- Existing authenticated clients remain connected and can continue to use the network. The AP caches client credentials and state.
- New client authentication can occur if you have configured local authentication (e.g., pre-shared keys or cached RADIUS credentials).
- Management functions are limited. You cannot push new configuration changes until the tunnel is restored.
- Roaming is localized to APs at that site only. Roaming to a different site is not possible without a working WAN link.
Once the WAN link recovers and the AP rejoins the controller, the AP resynchronizes state and returns to normal FlexConnect operation.
End-to-End Configuration Example
Here is a practical scenario: you are setting up a branch office with two APs. You want:
- Corporate traffic (VLAN 100) to be locally switched.
- Guest traffic (VLAN 200) to be tunneled to the controller for policy enforcement.
- All clients to authenticate against the central RADIUS server.
- APs to continue serving clients if the WAN link fails.
Step 1: Create the Flex Profile
c9800(config)#wireless profile flex branch-flex
c9800(config-flex)#description "Branch office local switching"
c9800(config-flex)#vlan-name corp vlan-id 100
c9800(config-flex)#vlan-name guest vlan-id 200
c9800(config-flex)#local-switching vlan-list corp
c9800(config-flex)#native-vlan corp
c9800(config-flex)#arp-caching enable
c9800(config-flex)#exit
Step 2: Create the Site Tag
c9800(config)#wireless tag site branch-site-1
c9800(config-site)#description "Branch Office 1"
c9800(config-site)#ap-join-profile default-ap-profile
c9800(config-site)#flex-profile branch-flex
c9800(config-site)#local-site enable
c9800(config-site)#exit
Step 3: Create or Modify the Policy Profile
Ensure your policy profile has these settings:
c9800(config)#wireless profile policy corp-policy
c9800(config-policy)#description "Corporate policy with local switching"
c9800(config-policy)#central-switching disable
c9800(config-policy)#central-dhcp enable
c9800(config-policy)#central-authentication enable
c9800(config-policy)#vlan-name corp 100
c9800(config-policy)#exit
Step 4: Create an SSID and Assign Tags
c9800(config)#wireless ssid CorpNet
c9800(config-ssid)#type enterprise
c9800(config-ssid)#security wpa3 personal
c9800(config-ssid)#exit
c9800(config)#wireless ap profile-tag AP-NAME policy corp-policy site branch-site-1 rf default-rf-tag
Step 5: Assign APs to the Site Tag
Either use the GUI under Configuration > Access Points > AP Name and set the Site Tag to "branch-site-1", or use CLI:
c9800(config)#wireless ap site-tag AP-NAME branch-site-1
Verification Commands
After configuration, verify that APs and policies are correctly applied:
Show AP Summary
c9800# show ap summary
Number of APs: 2
Number of APs not connected: 0
Hostname    IP Address       Mode         Status
----------  ---------------  -----------  -------
AP-BRANCH1  192.168.1.10     FlexConnect  Connected
AP-BRANCH2  192.168.1.11     FlexConnect  Connected
Show Wireless Tag Site Summary
c9800# show wireless tag site summary
Site Tag Name      Flex Profile          AP Count   Local Site
-----------------  --------------------  ---------  ----------
branch-site-1      branch-flex           2          yes
default-site-tag   N/A                   0          no
Show Wireless Profile Flex Summary
c9800# show wireless profile flex summary
Flex Profile Name  VLAN Count   Tunneled VLANs    Local VLANs
-----------------  -----------  ----------------  ----------------
branch-flex        2            guest             corp
Show AP Configuration Details
c9800# show ap name AP-BRANCH1 config general
AP Name..................... AP-BRANCH1
IP Address.................. 192.168.1.10
AP Mode..................... FlexConnect
Site Tag.................... branch-site-1
Policy Tag.................. corp-policy
RF Tag...................... default-rf-tag
Flex Profile................ branch-flex
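As an added check (not a controller feature and not code from this article), the following Python parses `show` tables in the column layout shown above and flags APs that are not in FlexConnect mode or not connected, plus any site tag that holds APs without a Flex Profile bound. The two sample outputs are constructed and deliberately contain faults so the audit has something to report.

```python
import re

def parse_show_table(output):
    """Parse a dashed-separator 'show' table into dicts keyed by the header text above each dash run."""
    lines = output.strip().splitlines()
    sep = next(i for i, l in enumerate(lines)
               if l.strip() and set(l.strip()) <= {"-", " "})
    spans = [(m.start(), m.end()) for m in re.finditer(r"-+", lines[sep])]
    spans[-1] = (spans[-1][0], None)  # last column runs to the end of the line
    def cells(line):
        return [line[a:b].strip() for a, b in spans]
    headers = cells(lines[sep - 1])
    return [dict(zip(headers, cells(l))) for l in lines[sep + 1:] if l.strip()]

def audit_flex(ap_summary, site_summary):
    """Return findings; a clean branch rollout returns an empty list."""
    findings = []
    for ap in parse_show_table(ap_summary):
        if ap["Mode"] != "FlexConnect":
            findings.append(f'{ap["Hostname"]}: mode is {ap["Mode"]}, expected FlexConnect')
        if ap["Status"] != "Connected":
            findings.append(f'{ap["Hostname"]}: status is {ap["Status"]}')
    for tag in parse_show_table(site_summary):
        if tag["Flex Profile"] == "N/A" and int(tag["AP Count"]) > 0:
            findings.append(f'{tag["Site Tag Name"]}: {tag["AP Count"]} AP(s) but no Flex Profile bound')
    return findings

# Constructed sample output in the layout shown in the article (one AP left in Local mode,
# one disconnected, one still sitting on default-site-tag).
AP_SUMMARY = """\
Number of APs: 3
Number of APs not connected: 1

Hostname    IP Address       Mode         Status
----------  ---------------  -----------  ---------
AP-BRANCH1  192.168.1.10     FlexConnect  Connected
AP-BRANCH2  192.168.1.11     Local        Connected
AP-BRANCH3  192.168.1.12     FlexConnect  Disconnected
"""
SITE_SUMMARY = """\
Site Tag Name      Flex Profile          AP Count   Local Site
-----------------  --------------------  ---------  ----------
branch-site-1      branch-flex           2          yes
default-site-tag   N/A                   1          no
"""

if __name__ == "__main__":
    for finding in audit_flex(AP_SUMMARY, SITE_SUMMARY):
        print(finding)
```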
Key Takeaways
FlexConnect is a powerful deployment mode when you need to reduce WAN dependency and give remote APs autonomy. Here's what you need to remember:
- Use FlexConnect for remote sites where WAN latency or unreliability is a concern, or where local data processing reduces costs and improves performance.
- Site Tags define your roaming domain. One tag per site ensures fast roaming within that location; do not share a site tag across geographically separated buildings.
- Flex Profiles control switching, VLAN mapping, and local intelligence. They are the heart of FlexConnect configuration and must be assigned to a Site Tag to take effect.
- Policy Profiles handle authentication, DHCP, and ACLs. Ensure your policy profile has the correct settings for your business requirements (central vs. local authentication and switching).
- ACLs in FlexConnect are diverse. Use VLAN ACLs for Layer 2 control, split-tunnel ACLs for traffic steering, and Flex ACLs for broader access control.
- Standalone mode keeps the network running when the WAN fails. Existing clients stay connected; new clients can authenticate if you have configured local authentication. Plan for this in your deployment.
- Seamless roaming across policy tags is supported (with the wireless client vlan-persistent command) if the policies differ only in VLAN or ACL settings. This gives you flexibility in large branch environments.
- Always verify with show commands. Use show ap summary, show wireless tag site summary, and show wireless profile flex summary to confirm your configuration is active and correct.
By following these guidelines and using the configuration examples in this article, you can deploy FlexConnect in your C9800 environment with confidence, improving reliability and performance at remote locations while keeping central management and control.