Local mode and FlexConnect are the two fundamental ways a Cisco Catalyst 9800 can hand off client traffic, and the choice shapes almost everything else in your design — WAN utilisation, failure behaviour during a controller outage, the identity of the VLAN clients land on, where ACLs get enforced, how AAA survives a link flap, and whether you can even deploy WPA3 on the SSID you just built. Pick the wrong mode and you'll spend the next two years fighting symptoms. Pick the right one and most of your operational pain goes away.
This guide compares the two modes at the design level, not the button level. You'll see where each one shines, where each one breaks, and the decision framework I recommend for choosing between them on a per-site basis.
What Each Mode Actually Does
In local mode (also called central switching), every client frame is tunnelled inside CAPWAP from the AP back to the C9800 and decapsulated there. The controller is the Layer 2 anchor for the client's VLAN, so a client connecting to an AP at a branch office will land on a VLAN that only exists at the data centre where the WLC lives. All policy — ACLs, QoS, URL filtering — is enforced on the WLC. The AP is effectively a dumb radio head.
In FlexConnect mode (often called local switching), the AP still joins the C9800 over CAPWAP and still takes its configuration from it, but client data frames are bridged locally onto a VLAN that exists at the AP's site. The WAN carries only the CAPWAP control channel and any centrally-switched SSIDs you've opted in on. Policy can be enforced either centrally (via the C9800) or locally (via Flex ACLs on the AP), depending on how you configure the Flex Profile.
That single difference — where the client frame exits onto the wired network — drives everything else.
| Behaviour | Local mode | FlexConnect |
|---|---|---|
| Client data path | AP → CAPWAP tunnel → WLC → wired | AP → local switch → wired |
| Client VLAN location | Must exist on the WLC | Must exist at the AP's site |
| WAN bandwidth consumed by client traffic | 100% — everything traverses the WAN | ~0% for locally-switched SSIDs |
| Behaviour if WAN fails | All clients disconnect; APs go offline | Clients stay connected via Standalone mode; new associations possible with local auth |
| Policy enforcement point | WLC (IOS-XE policy) | WLC for central-switched; AP Flex ACLs for local-switched |
| AAA survivability | None — if AAA is unreachable, auth fails | Supported via local EAP or AAA cache |
| Supported feature set | Full | Most features; a handful are central-only |
| Typical WAN type | High bandwidth, low latency (campus, DC) | Any — branch, MPLS, SD-WAN, broadband |
When Local Mode Is the Right Answer
Local mode is the default for a reason. When the AP is on the same high-bandwidth, low-latency fabric as the controller, centralising traffic is simpler, more consistent, and easier to troubleshoot. A single enforcement point means a single policy to reason about, a single place to run packet captures, and a single place to apply QoS.
You should use local mode when:
- Your APs live in the same campus as the WLC, connected over a high-bandwidth LAN with RTT measured in single-digit milliseconds. This is the default case for headquarters, large campuses, and anywhere that doesn't have a "branch" conversation.
- You want uniform policy. Central ACLs, central AVC, central URL filtering, central Layer 7 application visibility — all simpler to design, deploy, and audit when there's one enforcement point.
- You're running features that are not fully Flex-capable. Some edge features (certain Hyperlocation workflows, certain mDNS gateway behaviours on older releases) behave better or only work in local mode. Read the release notes for the IOS-XE version you intend to deploy before you commit.
- You need tightly controlled IP allocation. Centralised DHCP on the WLC's subnet, central anchor for guest traffic, and consistent NAT behaviour are easier when every client gets its IP at the same subnet boundary.
Local mode's failure mode is also predictable: if the WLC goes down and SSO doesn't take over, your APs disconnect. That's the tradeoff you accept for simplicity, and for a single-campus deployment with SSO HA that tradeoff is usually fine.
When FlexConnect Is the Right Answer
FlexConnect exists because not every AP can live next to its controller. Branch offices, retail stores, clinics, remote classrooms, and WAN-connected field sites need wireless to survive independent of the central WLC, and they need the WAN link to carry control traffic, not the entire user-data plane.
You should use FlexConnect when:
- The AP is WAN-separated from the WLC. If the CAPWAP tunnel traverses an MPLS circuit, SD-WAN overlay, or internet VPN, you almost always want FlexConnect local switching. Forcing a 1 Gbps office's worth of user traffic through a 100 Mbps WAN link back to a data centre is a classic over-budget pattern.
- You need wireless to keep working during a WAN outage. A FlexConnect AP that loses its CAPWAP tunnel enters Standalone mode and keeps bridging existing clients. With local EAP or an AAA survivability cache, it can even authenticate new clients during the outage.
- Latency between the AP and the WLC exceeds ~100 ms. CAPWAP tolerates latency in the tens of milliseconds without much drama; once you're past ~100 ms, client traffic tunnelled to a distant WLC starts feeling sluggish and jitter-sensitive applications (voice, video) suffer.
- You want site-local traffic to stay site-local. A printer, a file server, or a Sonos system at the branch should not traverse the WAN to reach a client on the same branch. Local switching keeps the path direct.
The trade-off is configuration complexity. FlexConnect introduces a Flex Profile, per-site VLAN mappings, Flex ACLs, native VLAN decisions, AP-to-switchport trunk considerations, and a survivability configuration that you have to plan rather than accept by default.
Standalone Mode: The Feature You Buy FlexConnect For
The single biggest reason to deploy FlexConnect in branch environments is Standalone mode. When an AP in FlexConnect mode loses connectivity to the WLC, it doesn't disconnect clients — it transitions into Standalone, and from that moment on it behaves like an independent bridge until the WLC comes back.
What works in Standalone mode depends on what you configured in the Flex Profile:
| Function | Standalone behaviour | Required configuration |
|---|---|---|
| Existing connected clients | Stay connected, keep bridging | None — default |
| New client association (open SSID) | Works | None |
| New client association (PSK SSID) | Works | PSK material must be cached on the AP |
| New client association (802.1X) | Works only if local EAP or AAA cache configured | Local EAP profile in the Flex Profile, or backup RADIUS |
| Roaming between APs at the site | Works if APs are in the same FlexConnect group | Flex group configured with shared key caching |
| Guest / web-auth | Does not work in Standalone | Expect guest SSIDs to fail during a WAN outage |
The practical advice: if branch wireless must survive a WAN outage, configure local EAP or an AAA survivability cache in the Flex Profile, and group the branch APs into a FlexConnect group. Without those pieces, Standalone mode exists but is much less useful.
The VLAN Question
The VLAN decision is the one that trips up most new FlexConnect designs. In local mode, you pick a VLAN ID, map it to the Policy Profile, and done — that VLAN only needs to exist on the WLC's wired interface. In FlexConnect, that same VLAN ID has to exist on the switchport the AP is plugged into, at every site where that Policy Tag lands.
You have two strategies:
Strategy 1: Consistent VLAN IDs across all sites. Every branch uses the same VLAN numbering scheme (say, VLAN 100 for employees, VLAN 200 for guests, VLAN 300 for voice). The Flex Profile does a 1:1 mapping. This is the simplest design and the easiest to troubleshoot. It requires coordination with the networking team to reserve VLAN IDs globally.
Strategy 2: VLAN override per site via Flex Profile mapping. Every branch uses whatever VLAN IDs it already has, and the Flex Profile maps the SSID to different VLAN IDs at different sites. The Policy Profile references an SSID-to-VLAN-name mapping, and the Flex Profile translates the VLAN name to a local ID per site.
Strategy 1 is cleaner. Strategy 2 is necessary when you're deploying wireless into a network with existing, unchangeable VLAN schemes.
C9800(config)#wireless profile flex flex-branch-1
C9800(config-wireless-flex-profile)#native-vlan-id 10
C9800(config-wireless-flex-profile)#vlan-name employee
C9800(config-wireless-flex-profile)# vlan-id 100
C9800(config-wireless-flex-profile)#vlan-name guest
C9800(config-wireless-flex-profile)# vlan-id 200
C9800#show wireless profile flex detailed flex-branch-1
Flex Profile Name : flex-branch-1
Native Vlan Id : 10
Vlan Name Vlan Id ACL
-------------------------------------------------
employee 100 FLEX-EMP-ACL
guest 200 FLEX-GUEST-ACLPolicy Enforcement: Two Modes, Two Enforcement Points
In local mode, policy (ACLs, QoS markings, URL filters, AVC) is applied on the WLC because that's where the client's frame lives. You create the ACL once, attach it to the Policy Profile, and every AP tagged with that Policy Tag inherits the behaviour.
In FlexConnect, policy is applied at one of two places depending on the traffic direction:
- Central switching on a Flex AP — traffic is tunnelled to the WLC, so WLC-side policy applies. This is how you mix a guest SSID (tunnelled to a DMZ anchor) with a corporate SSID (locally switched) on the same FlexConnect AP.
- Local switching on a Flex AP — traffic exits the AP directly, so policy must live on the AP as a Flex ACL. You define the ACL on the WLC but it's pushed to the AP and enforced there.
The implication is that you need to think about where your policy lives before you design the Flex Profile. If you have a complex URL filtering workflow that's easier to maintain centrally, you might choose to central-switch that SSID while keeping the employee SSID local. Mixing is allowed and is in fact the point.
Choosing: A Practical Decision Framework
Here is the decision tree I use:
| Question | If "Yes" | If "No" |
|---|---|---|
| Is the AP in the same physical site as the WLC (campus/DC)? | → Local mode | → Go to next question |
| Is the link between the AP and the WLC a WAN link (MPLS, SD-WAN, internet VPN)? | → FlexConnect | → Go to next question |
| Does RTT between AP and WLC exceed ~100 ms? | → FlexConnect | → Go to next question |
| Must wireless survive a total WAN outage? | → FlexConnect with local EAP / AAA cache | → Go to next question |
| Does site-local traffic (printers, file servers, Sonos) dominate usage patterns? | → FlexConnect | → Local mode is probably fine |
The default bias should be: local mode for campus, FlexConnect for branch. Only deviate from that default when you have a specific reason, and document the reason in your design doc so the next engineer knows why.
A Few Things People Get Wrong
Three mistakes I see repeatedly, all of which are cheap to avoid if you know about them:
Mismatched native VLAN. The Flex Profile has a native-vlan-id setting that must match the native VLAN on the switchport the AP is plugged into. If they don't match, the AP will appear to join fine but client traffic won't make it past the first hop — you'll see joined APs and no client connectivity.
Running guest in Flex local-switch mode. Guest typically anchors to a DMZ C9800, which requires central switching. If you try to run a guest SSID as locally-switched on a Flex AP, either the auto-anchor breaks or you end up with guest traffic landing on a branch VLAN it has no business touching. Central-switch guest SSIDs even on Flex APs.
Forgetting Efficient AP Join Image Download. When a branch FlexConnect site has 40 APs and the WAN is 100 Mbps, upgrading all 40 APs from a central WLC kills the WAN for hours. Enable Efficient AP Image Upgrade so that one AP downloads the image from the WLC and the rest peer from it over the local LAN. This is a branch-saver and should be on by default.
C9800(config)#wireless profile image-download default
C9800(config-wireless-image-download-profile)#image-download-mode capwap
C9800(config-wireless-image-download-profile)#parallel
C9800(config-wireless-image-download-profile)#max-parallel 15
C9800#show ap image
Total number of APs : 412
Predownloading : 412
Completed predownloading : 398Key Takeaways
Local mode is the right answer when the AP and the WLC share a campus; FlexConnect is the right answer when the AP is on the far side of a WAN. Standalone mode is the reason branches run FlexConnect — configure local EAP or AAA survivability cache or you won't actually get the resilience you're paying for. VLAN design is where FlexConnect deployments fail: keep numbering consistent across sites if you can, and use per-site VLAN mapping only when you must. Mix central and local switching on the same Flex AP when your policy or guest workflow demands it. Default to local mode in the campus, FlexConnect in the branch, and don't deviate without a written reason.