What Is FlexConnect in Networking?

Also known as: FlexConnect, Cisco FlexConnect, FlexConnect explained, CCNP wireless, ENCOR wireless

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

FlexConnect is a Cisco wireless feature for branch offices. It lets access points keep working even if the connection to the central controller fails. This means local users can still reach the internet and local resources without interruption. It also supports local switching of data traffic to reduce delay and improve speed.

Must Know for Exams

FlexConnect is explicitly listed in the CCNP Enterprise (ENCOR 350-401) exam blueprint under Wireless topics. The exam objectives include understanding the architecture and operation of FlexConnect, including its modes (Connected, Standalone), local switching versus central switching, and the role of FlexConnect in branch deployments. The exam may also test your knowledge of FlexConnect’s behavior during WAN outages, backup RADIUS configurations, and how it differs from traditional LWAPP/CAPWAP deployments.

In the CCNA Wireless track (now part of the CCNP Enterprise), FlexConnect appears as a key differentiator between small campus designs and large branch designs. The exam expects candidates to know when to use FlexConnect versus a local WLC, how many VLANs a FlexConnect AP supports (16), and that FlexConnect APs can support local web authentication. The exam also tests the differences between FlexConnect and autonomous APs, as well as FlexConnect versus standard central switching.

Scenarios in the ENCOR exam might present a branch office with limited WAN bandwidth and ask which wireless architecture provides local data switching. The correct answer would point to FlexConnect. Similarly, a question might ask which feature allows an AP to continue authenticating users after the WLC becomes unreachable, referencing FlexConnect’s local authentication capabilities. The exam also tests the CAPWAP tunneling details specific to FlexConnect, such as that control traffic is always sent to the WLC, but data traffic can be switched locally.

Beyond ENCOR, FlexConnect appears in the CCNP Wireless concentration exam (ENWLSI 300-430). This exam dives deeper into FlexConnect configuration, troubleshooting, and advanced features like FlexConnect ACLs, local user databases, and FlexConnect groups. The ENWLSI exam may ask about FlexConnect upgrade procedures, the different backup authentication methods, and how to configure local RADIUS servers for FlexConnect.

The exam objectives also emphasize the concept of FlexConnect groups, where multiple APs are grouped for consistent policy application. A question might ask which group configuration takes precedence over per-AP configuration. Understanding this hierarchy is testable. Additionally, the exam may test the condition for the AP to enter standalone mode: the hold-down timer (default 300 seconds) and the number of missed keepalive heartbeats (default 5).

To prepare for these questions, you should memorize the FlexConnect operational modes, the CAPWAP port numbers, the default timers, and the supported authentication methods. You should also be able to compare FlexConnect with other wireless architectures such as local mode, monitor mode, and sniffer mode. Knowing that FlexConnect is the only mode that allows data switching at the AP during controller disconnection is a key point for exam success.

Simple Meaning

Imagine you are managing a library network that connects to a central server in another city. Normally, every time a visitor checks out a book, the library computer asks the central server for permission. This works fine as long as the internet link is fast and reliable. But what if the internet goes down? Then the library computers cannot check out books, look up member records, or print receipts. The whole library stops working.

Cisco FlexConnect solves this problem for wireless networks. It allows certain access points (the Wi-Fi devices you put on the ceiling) to make local decisions. When the connection to the central controller is healthy, everything runs normally. But if the connection fails, the access point can still handle traffic locally. It forwards internet traffic directly to the local internet router without sending it back to the controller first. This keeps people working even when the wide area network is down.

FlexConnect is designed for branch offices, remote sites, or small campuses where you have limited staff and want to avoid buying a separate controller for each location. The access points register with a central controller but keep a backup configuration. This backup includes what to do with client traffic, which network segments to use, and how to authenticate users. When the connection is lost, the access point switches to standalone mode using this backup. The key idea is local switching and local authentication, with central management when possible.

Think of FlexConnect like a smart power strip with a battery backup. When the main electricity works, the power strip passes through normal power and also charges its battery. When the main power fails, the battery kicks in and the power strip continues to supply electricity. Similarly, FlexConnect access points use a local power source (backup config and local internet uplink) to keep Wi-Fi users connected during outages. This design makes branch networks more resilient and easier to manage from a single controller.

Full Technical Definition

FlexConnect is a Cisco wireless solution originally called Hybrid Remote Edge Access Point (H-REAP). It enables access points (APs) in remote or branch offices to locally switch client data traffic while maintaining management connectivity with a centralized Wireless LAN Controller (WLC). The AP tunnels management and control traffic to the WLC using the Control and Provisioning of Wireless Access Points (CAPWAP) protocol, but can forward data traffic locally based on the configuration pushed by the WLC.

In a standard lightweight AP deployment, all traffic—both management and data—is encapsulated in CAPWAP tunnels to the WLC. The WLC then forwards the data to the wired network. This can introduce latency and bandwidth bottlenecks when the WLC is located at a central data center far from the branch. FlexConnect changes this by allowing the AP to decapsulate client data frames and forward them directly onto the local wired network. This is called local switching.

FlexConnect supports three primary operational modes. In Connected mode, the AP maintains a CAPWAP tunnel to the WLC. The WLC can authenticate clients via 802.1X or other methods, and the AP switches data locally or centrally based on the VLAN configuration. In Standalone mode, the AP loses connectivity to the WLC but continues to serve clients using its locally stored configuration. Authentication can be performed using a locally configured RADIUS proxy, pre-shared keys, or by falling back to a backup WLC. The third mode, Hybrid mode, is actually a misnomer in modern implementations; typically an AP can run both local switching for some VLANs and central switching for others at the same time.

FlexConnect access points support up to 16 VLANs per AP, and each SSID can be mapped to a specific VLAN for local switching. For environments requiring local authentication during WAN outages, FlexConnect supports local RADIUS proxying, where the AP communicates with a local RADIUS server on the branch network. It can also cache client credentials for a short time to allow reauthentication without reaching the controller.

A key technical detail is that FlexConnect operates at the AP level, not the client level. The AP decides how to handle traffic based on its configuration and connection state. The WLC pushes a complete backup configuration to the AP, which includes local switching rules, VLAN mappings, ACLs, and authentication settings. If the AP reboots or loses the CAPWAP tunnel for more than a configurable timeout (usually 300 seconds), it enters Standalone mode and uses this backup configuration.

FlexConnect also supports advanced features like local web authentication (with a local splash page), local user authentication via a local user database, and local storage of authentication credentials. These features are critical for enabling branch workers to access the network even when the WAN link is down. For security, FlexConnect APs can still apply Access Control Lists (ACLs) locally, and they can report client roaming events to the WLC once the tunnel is restored.

The protocol details include CAPWAP encapsulation for control traffic (UDP ports 5246 and 5247). In Connected mode, the AP keeps a keepalive heartbeat with the WLC. If the heartbeat fails for a specified interval (default 30 seconds), the AP starts a hold-down timer. The AP may attempt to discover a backup WLC via DNS, DHCP, or a pre-configured backup controller list. If no backup is found, it enters Standalone mode after the hold-down timer expires.

In real enterprise deployments, FlexConnect is often used with dual homing—two uplinks from the AP to different switches in the branch—to further improve resiliency. It is also common to pair FlexConnect with AutoQoS and Bandwidth Contracts to guarantee voice and video quality during congestion. The architecture is well-suited for retail stores, remote clinics, and small branch offices where a dedicated WLC would not be cost-effective.

Real-Life Example

Think of a large company with a headquarters in New York and a branch office in Denver. The New York office has a security guard at the front desk who checks every visitor against a central database before allowing them inside. This is like a traditional wireless network where every Wi-Fi user must be verified by the central controller. Now imagine the Denver branch office also has a security guard, but that guard works remotely—they call New York every time someone wants to enter. This is fine when the phone line works, but if the line goes dead, the Denver guard cannot let anyone in. The branch becomes locked down.

FlexConnect is like giving the Denver guard a local list of approved employees and a backup radio. Even if the phone line to New York goes down, the guard can check the local list and let authorized employees inside. They can also let visitors use a local sign-in sheet (local authentication) and can direct people to the correct floor (local switching) without calling New York. When the phone line comes back, the guard sends a report back to New York about who entered and left.

To map this to networking: The security guard is the FlexConnect access point. The central database is the WLC. The phone line is the WAN connection. The local list of employees is the backup configuration stored on the AP. The sign-in sheet is local authentication. The correct floor is the correct VLAN or SSID for that user. When the WAN link is up, the AP checks with the WLC for every new user (central authentication). Traffic to the internet can still go directly through the local router (local switching) instead of being sent all the way to New York first. If the WAN link fails, the AP uses the backup config to authenticate users locally and forward traffic directly to the local router. Once the WAN link returns, the AP syncs back with the WLC and resumes normal operation.

This analogy shows how FlexConnect removes the central dependency for data forwarding and authentication, making the branch network self-sufficient during outages. It also reduces latency for internet traffic because that traffic does not have to travel to the controller and back.

Why This Term Matters

FlexConnect matters because it directly addresses the challenges of managing wireless networks across geographically distributed locations. In real IT work, organizations with many branch offices—such as retail chains, banks, hospitals, or schools—need a way to centrally manage Wi-Fi for hundreds or thousands of access points without deploying a controller at every site. FlexConnect allows a single WLC at a data center to manage APs across the world. This reduces hardware costs, simplifies configuration, and ensures consistent security policies.

Network reliability is another critical reason. Branch employees depend on Wi-Fi for daily tasks like accessing email, cloud applications, internal databases, and VoIP phones. A WAN outage can cripple productivity if the wireless network stops working entirely. FlexConnect ensures that even during a WAN failure, local users continue to have internet access and can still reach local printers, file servers, and other local resources. This built-in resiliency directly supports business continuity.

From a performance perspective, FlexConnect improves user experience. Instead of sending all traffic to the central controller and then back to the branch’s local router, FlexConnect APs forward internet-bound traffic directly to the local router. This reduces latency, especially for real-time applications like voice and video. For a branch in Denver connecting to a controller in New York, this can cut round-trip time from 100 milliseconds down to near-zero milliseconds for local traffic.

FlexConnect also simplifies troubleshooting and updates. Since the APs are managed centrally, network engineers can push configuration changes to hundreds of branches from a single interface. They can also monitor the status of each AP and quickly identify which sites are in standalone mode. This centralized visibility reduces the need for on-site IT staff at each branch.

For cybersecurity, FlexConnect supports local ACL enforcement, even in standalone mode. This means that if a device tries to access unauthorized resources, the AP can block it locally without needing the controller. This maintains security posture even when the WAN link is down. Combined with local RADIUS proxying, FlexConnect can authenticate users against a local RADIUS server, ensuring that only authorized users gain network access.

In summary, FlexConnect is a practical, cost-effective solution for enterprise wireless networking. It balances the need for centralized control with the reality of distributed branch environments. IT professionals who deploy and manage wireless networks at scale will encounter FlexConnect as a standard tool for delivering reliable, secure, and performant Wi-Fi to remote sites.

How It Appears in Exam Questions

FlexConnect appears in ENCOR and ENWLSI exam questions in several common patterns. Scenario-based questions describe a company with multiple branch offices and ask you to recommend the best wireless architecture. For example, a question might say: A retail chain has 200 stores, each with two APs and a slow WAN link to the data center. The stores need to keep running even if the WAN goes down. Which WLAN architecture should be deployed? The expected answer is FlexConnect, because it allows local switching and local authentication during WAN outages.

Configuration questions test your knowledge of specific commands and parameters. You might be asked: Which configuration applies a VLAN for local switching on a FlexConnect AP? The command would be something like conf t, ap name AP01, flexconnect vlan 10. Another common question: What is the default RADIUS fallback timeout for FlexConnect? The answer is 300 seconds. These questions require memorizing specific values and command syntax.

Troubleshooting questions present a scenario where the AP is in standalone mode but clients are not getting IP addresses. You might be asked: What is the most likely cause? The answer could be that the local DHCP server is not reachable, or that the AP’s local switching VLAN is not mapped to the correct SSID. Another troubleshooting question: A FlexConnect AP loses connectivity to the WLC and is now in standalone mode, but clients cannot authenticate. Which feature should be configured to allow local authentication? Answer: FlexConnect local authentication or local RADIUS proxy.

Multiple-choice questions often ask about the differences between FlexConnect modes. For example: In which FlexConnect mode does the AP continue to serve clients after losing the WLC? Answer: Standalone mode. Or: Which FlexConnect mode allows both central and local switching simultaneously? Answer: Connected mode, where the AP uses local switching for specific VLANs and central switching for others.

Drag-and-drop questions in the exam may ask you to match FlexConnect features with their descriptions. For instance, match local switching with the description: Data traffic is forwarded directly to the local wired network. Match central switching with: Data traffic is tunneled to the WLC. Match local authentication with: AP authenticates clients using local database or local RADIUS.

Lab-simulation questions (in the ENWLSI exam) may ask you to configure a FlexConnect AP from a template, including setting the primary WLC, backup WLC, local switching VLANs, and local authentication server. You would need to connect via CLI or GUI to the WLC and apply the correct settings.

Finally, there are compare-and-contrast questions: What is the main advantage of FlexConnect over local mode? Answer: FlexConnect allows local data switching and continues operation during WAN failure, while local mode requires constant connectivity to the WLC for all traffic. These questions test your understanding of the architectural trade-offs.

Example Scenario

Scenario: A regional bank has a main data center in Chicago and 15 branch offices across the Midwest. Each branch has around 10 employees and one small Wi-Fi network for guests and internal use. The WAN link from each branch to Chicago is a 10 Mbps MPLS connection, which is expensive and can sometimes drop for 30-60 minutes due to weather or ISP issues. The bank needs its branch employees to access the internet for online banking systems, email, and loan processing tools, even if the MPLS link fails. The guests must also have access to the internet for general browsing.

Application of FlexConnect: The bank decides to deploy a Cisco WLC in the Chicago data center and one FlexConnect AP in each branch. The APs are configured with two SSIDs: BankInternal for employees and BankGuest. For BankInternal, the AP is configured to switch traffic locally to the branch’s local switch and router. The AP is also given a local RADIUS server address (a local server in the branch running Microsoft NPS) for backup authentication. For BankGuest, traffic is also switched locally but with a captive portal that is hosted locally on the AP itself (local web authentication). The AP’s backup configuration includes all these settings.

One afternoon, the MPLS link goes down due to a fiber cut. The AP detects the loss of the CAPWAP tunnel and, after the hold-down timer expires, enters Standalone mode. The AP now uses its local config: it authenticates employees against the local RADIUS server, and guests see the local captive portal. All internet traffic from both SSIDs is forwarded directly through the branch’s local internet connection (the backup DSL line). Employees continue to work, and guests can still browse the web. When the MPLS link is restored, the AP reconnects to the WLC, syncs any offline events, and resumes normal connected mode. The bank avoided a costly productivity loss because FlexConnect kept the network alive.

Common Mistakes

Thinking FlexConnect APs cannot work without a controller at all.

FlexConnect is specifically designed to operate independently when the controller is unreachable. In Standalone mode, the AP uses locally stored configurations to continue serving clients and forwarding traffic. The AP does not need the controller to function in this state.

Remember that FlexConnect APs have two modes: Connected (with controller) and Standalone (without controller). In Standalone mode they are fully functional for local traffic and local authentication.

Believing that all traffic from a FlexConnect AP must be tunneled to the WLC.

In FlexConnect, data traffic can be switched locally on the AP. The AP forwards management and control traffic to the WLC, but data (client traffic) can be sent directly to the local wired network. This is the core benefit of FlexConnect.

Distinguish between control traffic (always tunneled) and data traffic (can be switched locally). Only control traffic goes to the WLC.

Assuming FlexConnect and local mode are the same thing.

Local mode APs always tunnel all traffic to the WLC and cannot operate without controller connectivity. FlexConnect APs can switch traffic locally and continue working when the controller is lost. They are fundamentally different architectures.

Remember: Local mode requires constant controller connectivity for all traffic. FlexConnect does not. FlexConnect is for branch resilience; local mode is for centralized campus deployments.

Thinking that FlexConnect APs can support unlimited VLANs.

Cisco FlexConnect APs are limited to 16 VLANs per AP. This is a hardware and configuration limitation. Attempting to use more than 16 VLANs will result in errors or traffic not being forwarded correctly.

Know the specific limit of 16 VLANs per FlexConnect AP. Design branch networks with this limit in mind.

Expecting that FlexConnect APs can perform local authentication without any additional configuration.

By default, FlexConnect APs do not have local authentication enabled. You must explicitly configure local RADIUS proxy, local web authentication, or a local user database for the AP to authenticate clients during standalone mode. Without this, clients will be denied access when the WLC is unreachable.

Always configure at least one local authentication method (local RADIUS, local web auth, or local user database) in the FlexConnect AP backup configuration.

Exam Trap — Don't Get Fooled

An exam question states: A FlexConnect AP in standalone mode cannot apply ACLs to client traffic, so you need to use a separate firewall. True or false? Know that FlexConnect APs store and enforce ACLs locally, even in standalone mode.

The AP caches the ACL configuration from the WLC before entering standalone mode. It can then drop or allow traffic based on those cached ACLs. The statement is false. The AP does not need the WLC to apply ACLs.

Commonly Confused With

FlexConnect vs Local Mode AP

Local mode APs tunnel all traffic to the WLC and cannot operate without a controller. FlexConnect APs can switch traffic locally and operate in standalone mode when the controller is absent. Local mode is for campus environments with reliable high-speed connections to the WLC, while FlexConnect is for branch offices with limited or unreliable WAN links.

An AP in a university main building uses local mode because the WLC is on the same campus. An AP in a remote rural school uses FlexConnect because the WAN link to the data center is slow and sometimes goes down.

FlexConnect vs Autonomous AP

An autonomous AP runs its own configuration independently without any controller. It does not use CAPWAP and does not rely on a WLC at all. FlexConnect APs are lightweight APs that require a WLC for management but can operate temporarily without it. Autonomous APs are managed individually, while FlexConnect APs are centrally managed.

A small coffee shop uses an autonomous AP that is configured once and never changes. A retail chain uses FlexConnect APs managed from a central WLC in the headquarters.

FlexConnect vs Mesh AP

Mesh APs use wireless backhaul to connect to the wired network, forming a self-healing wireless mesh. FlexConnect APs connect to the wired network via an Ethernet cable (wireless backhaul is not a primary feature of FlexConnect). Mesh APs are designed for outdoor or hard-to-wire locations, while FlexConnect is designed for branch offices with existing wired infrastructure.

A warehouse uses mesh APs to extend coverage to remote aisles without running cables. A bank branch uses FlexConnect APs that are wired to the local network switch.

Step-by-Step Breakdown

1. Access Point Boots and Discovers WLC

The FlexConnect AP boots and uses DHCP or DNS to discover the primary WLC. It establishes a CAPWAP control tunnel (UDP 5246) and a data tunnel (UDP 5247) to the WLC. The AP downloads its configuration from the WLC, including local switching rules, VLAN mappings, ACLs, and authentication settings. This step is identical to any lightweight AP.

2. Configuration Synchronization

The WLC pushes a complete backup configuration to the AP. This includes the FlexConnect VLAN map (which SSID maps to which VLAN for local switching), the local authentication settings (local RADIUS proxy, local user database), and the ACLs to apply locally. The AP stores this configuration in its memory for use in standalone mode.

3. Normal Operation in Connected Mode

While the CAPWAP tunnel is up, the AP operates normally. For SSIDs mapped to central switching, traffic is tunneled to the WLC. For SSIDs mapped to local switching, the AP forwards client data frames directly onto the local wired network based on the configured VLAN. The WLC continues to handle client authentication via 802.1X or other methods. The AP sends keepalive messages to the WLC every 30 seconds.

4. Heartbeat Failure Detection

If the AP fails to receive keepalive responses from the WLC for a configurable number of missed heartbeats (default 5, which equals 150 seconds), it starts a hold-down timer. During this time, the AP attempts to discover a backup WLC from a list of up to three backup controllers. If it finds one, it reconnects. If not, the hold-down timer runs out (default 300 seconds total).

5. Transition to Standalone Mode

When the hold-down timer expires and no WLC is reachable, the AP enters Standalone mode. It stops all CAPWAP tunneling and uses its locally stored backup configuration. The AP now switches all client traffic locally based on the VLAN map. It enforces locally stored ACLs. It authenticates new clients using the configured local methods (local RADIUS, local web auth, or local user database). Existing clients remain connected.

6. Local Operation During WAN Outage

In Standalone mode, the AP handles all wireless client services independently. It forwards DHCP requests to local DHCP servers or uses its own DHCP proxy. It performs ARP, DNS, and other Layer 2 and Layer 3 functions locally. Clients continue to access local resources (printers, servers) and the internet through the branch’s local router. The AP logs events to memory for later synchronization.

7. Reconnection and Synchronization

When the WAN link returns, the AP detects it and attempts to re-establish the CAPWAP tunnel to the primary or backup WLC. Once reconnected, the AP uploads any buffered events (client joins, roams, disconnections) to the WLC. The WLC pushes any configuration updates. The AP then resumes Connected mode operation. The transition is seamless to clients already connected.
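
The transition walked through in steps 3 to 7, as an added example (not Cisco code and not part of the original page): a small Python model that uses the default timers quoted above to show when an AP reaches Standalone mode and what happens to new clients there. The class, function names and sample outage lengths are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Defaults as quoted in the steps above; read real values from your controller.
KEEPALIVE_INTERVAL_S = 30   # step 3: keepalive every 30 seconds
MISSED_HEARTBEATS = 5       # step 4: 5 missed heartbeats = 150 seconds
HOLD_DOWN_TOTAL_S = 300     # step 4: hold-down runs out at 300 seconds total
MAX_BACKUP_WLCS = 3         # step 4: up to three backup controllers


@dataclass
class BranchAP:
    """Hypothetical description of one FlexConnect AP (not a Cisco data model)."""
    name: str
    local_auth_methods: list = field(default_factory=list)
    backup_wlc_reachable: list = field(default_factory=list)  # ordered booleans


def outage_timeline(ap, outage_s):
    """Return (second, state, note) tuples for a primary-WLC outage of outage_s seconds."""
    detect_s = KEEPALIVE_INTERVAL_S * MISSED_HEARTBEATS
    events = [(0, "connected", "primary WLC stops answering keepalives")]
    if outage_s <= detect_s:
        events.append((outage_s, "connected", "WLC answered before failure was declared"))
        return events
    events.append((detect_s, "hold-down", "heartbeats missed; trying backup WLCs"))
    # Backups are tried in order; the first reachable one ends the outage for this AP.
    for idx, reachable in enumerate(ap.backup_wlc_reachable[:MAX_BACKUP_WLCS], start=1):
        if reachable:
            events.append((detect_s, "connected", f"joined backup WLC #{idx}"))
            return events
    if outage_s <= HOLD_DOWN_TOTAL_S:
        events.append((outage_s, "connected", "primary WLC back before hold-down expired"))
        return events
    # Standalone: only the cached backup configuration decides who gets on the network.
    if ap.local_auth_methods:
        note = "new clients authenticated via " + ", ".join(ap.local_auth_methods)
    else:
        note = "no local auth configured: new clients denied, existing clients stay"
    events.append((HOLD_DOWN_TOTAL_S, "standalone", note))
    events.append((outage_s, "connected", "CAPWAP tunnel back; buffered events uploaded"))
    return events


def standalone_seconds(ap, outage_s):
    """Seconds the AP spends enforcing only its cached configuration."""
    timeline = outage_timeline(ap, outage_s)
    start = next((t for t, state, _ in timeline if state == "standalone"), None)
    return 0 if start is None else outage_s - start


if __name__ == "__main__":
    # Constructed scenarios: a 45-minute WAN outage at three differently prepared branches.
    branches = [
        BranchAP("branch-with-local-radius", ["local RADIUS"]),
        BranchAP("branch-without-local-auth"),
        BranchAP("branch-with-backup-wlc", [], [False, True]),
    ]
    for ap in branches:
        print(ap.name)
        for second, state, note in outage_timeline(ap, 45 * 60):
            print(f"  t={second:>5}s  {state:<10} {note}")
```
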

Practical Mini-Lesson

FlexConnect is one of the most important wireless features for any network engineer managing branch networks. To work effectively with FlexConnect, you need to understand its configuration, limitations, and troubleshooting methods. Let me walk you through the practical aspects.

First, when you configure FlexConnect on a Cisco WLC (3504, 5520, 9800, or vWLC), you must enable FlexConnect on the AP individually or using AP groups. The AP must be in flexconnect mode, not local mode. On the WLC, go to Wireless > Access Points > AP Name > FlexConnect tab. Enable FlexConnect and select the VLAN map. You then create a FlexConnect VLAN map that maps each SSID to a VLAN ID. For example, SSID Corp maps to VLAN 100 for local switching. SSID Guest maps to VLAN 200. You can also choose to tunnel some SSIDs to the WLC (central switching) while switching others locally. This mix is common: internal traffic can go through the controller for security scanning, while internet traffic goes locally.

Next, configure backup authentication. On the WLC, under Security > FlexConnect > Authentication, you can enable local authentication. You can point to a local RADIUS server (which must be reachable from the branch) or configure a local user database on the AP itself. For guest networks, enable local web authentication and upload a splash page. Without local authentication, the AP denies all new client connections in standalone mode. This is a common oversight.

Now, about the 16 VLAN limit. You cannot exceed 16 VLANs per AP. If your branch has 20 SSIDs each needing a different VLAN, you need to combine some VLANs or use a different design. Most branch offices rarely need more than 4-5 VLANs, so this is usually fine. But be aware if you are designing for a large branch.

Troubleshooting FlexConnect issues often starts with checking the AP’s connection state. Use the show ap config general command on the WLC, or show mesh on the AP, to see whether the AP is in connected or standalone mode. If it is stuck in standalone mode, check the WLC connectivity, the IP routing, and the AP’s ability to reach the controller on UDP ports 5246 and 5247. Also check that the AP’s FlexConnect configuration has a valid VLAN map. A common issue is that the local switch port is configured as an access port in VLAN 1, but the FlexConnect AP expects to tag traffic for different VLANs. The switch port must be a trunk port allowing the VLANs used by the AP.

Another practical tip: can FlexConnect APs be upgraded via the WLC while they are in standalone mode? No. Upgrading requires the CAPWAP tunnel to push the new image. If the AP is in standalone mode, it cannot be upgraded remotely until the WAN link is restored. Plan upgrades during maintenance windows when the WAN is stable.

For security, always enable FlexConnect ACLs. On the WLC, under Security > Access Control Lists, create an ACL and apply it to the FlexConnect AP group. The ACL will be downloaded to the AP and enforced locally. This prevents malicious traffic from leaving the branch during a WAN outage.

Finally, remember that FlexConnect is not a replacement for a dedicated firewall. While it can enforce Layer 3 ACLs, it does not perform deep packet inspection or stateful firewall functions. Use FlexConnect to maintain connectivity and basic security, but pair it with a local firewall for comprehensive protection.
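
The checks from this mini-lesson, gathered into one pre-deployment audit as an added example (not Cisco tooling and not part of the original page). The design record, field names, ACL name and controller names are hypothetical; the limits and rules are the ones stated in the text above.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_FLEX_VLANS = 16   # per-AP VLAN limit stated in this article
MAX_BACKUP_WLCS = 3   # backup controller limit stated in this article


@dataclass
class Ssid:
    name: str
    switching: str                 # "local" or "central"
    vlan: Optional[int] = None     # VLAN used when switching locally


@dataclass
class BranchDesign:
    """Hypothetical design record; not a WLC export format."""
    ap_name: str
    ap_mode: str                                   # "flexconnect" or "local"
    ssids: list
    switchport_mode: str = "access"                # branch switch port facing the AP
    trunk_allowed_vlans: set = field(default_factory=set)
    local_auth_methods: list = field(default_factory=list)
    flexconnect_acl: Optional[str] = None
    backup_wlcs: list = field(default_factory=list)


def audit(design):
    """Return (code, message) findings; an empty list means no issue was found."""
    findings = []
    local = [s for s in design.ssids if s.switching == "local"]
    vlans = {s.vlan for s in local if s.vlan is not None}

    if design.ap_mode != "flexconnect":
        findings.append(("MODE", "AP is not in flexconnect mode"))
    for s in local:
        if s.vlan is None:
            findings.append(("VLAN_MAP", f"SSID {s.name} is locally switched but has no VLAN"))
    if len(vlans) > MAX_FLEX_VLANS:
        findings.append(("VLAN_LIMIT", f"{len(vlans)} VLANs exceed the limit of {MAX_FLEX_VLANS}"))
    if vlans:
        if design.switchport_mode != "trunk":
            findings.append(("SWITCHPORT", "switch port is not a trunk; tagged VLANs will not pass"))
        else:
            missing = sorted(vlans - design.trunk_allowed_vlans)
            if missing:
                findings.append(("TRUNK_VLANS", f"trunk does not allow VLANs {missing}"))
    if local and not design.local_auth_methods:
        findings.append(("LOCAL_AUTH", "no local authentication: new clients denied in standalone"))
    if local and not design.flexconnect_acl:
        findings.append(("ACL", "no FlexConnect ACL: nothing is filtered at the AP during an outage"))
    if len(design.backup_wlcs) > MAX_BACKUP_WLCS:
        findings.append(("BACKUP_WLC", f"more than {MAX_BACKUP_WLCS} backup WLCs listed"))
    return findings


def codes(design):
    """Finding codes only, in the order the checks ran."""
    return [code for code, _ in audit(design)]


# Constructed sample designs, using the Corp/Guest VLAN IDs from the text above.
SSIDS = [Ssid("Corp", "local", 100), Ssid("Guest", "local", 200)]
GOOD = BranchDesign(
    ap_name="AP01", ap_mode="flexconnect", ssids=SSIDS,
    switchport_mode="trunk", trunk_allowed_vlans={100, 200},
    local_auth_methods=["local RADIUS", "local web authentication"],
    flexconnect_acl="BRANCH-ACL",          # hypothetical ACL name
    backup_wlcs=["wlc-backup-1"],          # hypothetical controller name
)
WEAK = BranchDesign(
    ap_name="AP02", ap_mode="flexconnect", ssids=SSIDS,
    switchport_mode="access",
    backup_wlcs=["wlc-b1", "wlc-b2", "wlc-b3", "wlc-b4"],
)

if __name__ == "__main__":
    for design in (GOOD, WEAK):
        print(design.ap_name, "->", audit(design) or "no findings")
```
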

Memory Tip

FlexConnect: Think of it as Flex (flexible) + Connect (connection) — flexible enough to switch locally and connect to the controller only for management. Remember the 16 VLAN limit, the 300-second hold-down timer, and the key difference: data can go local, control always goes central.

Frequently Asked Questions

Can FlexConnect APs work with any Cisco WLC?

FlexConnect is supported on most Cisco WLC platforms including the 9800 series, 5520, 3504, and wireless controllers in IOS XE. Older WLCs like the 2504 also support FlexConnect but with fewer features.

How many backup WLCs can a FlexConnect AP use?

Up to three backup WLCs can be configured per AP. The AP will try to connect to the primary first, then the backups in order. If none are available, it enters standalone mode.

Does FlexConnect support voice over Wi-Fi (VoWLAN) and video traffic?

Yes. FlexConnect supports QoS by mapping traffic to the correct 802.1p and DSCP values locally. Voice and video can benefit from local switching to reduce latency.

Can I change the FlexConnect VLAN mapping on the fly without disconnecting clients?

Changes to the VLAN map require the AP to be in connected mode. Clients may need to reconnect to the network after a VLAN mapping change. Plan changes during maintenance windows.

What happens to client sessions when the AP transitions from connected to standalone mode?

Existing client sessions are maintained. The AP continues forwarding traffic for already authenticated clients. New clients are authenticated using local methods if configured.

Is FlexConnect supported on all Cisco access point models?

FlexConnect is supported on most Cisco 802.11n/ac/ax APs, including the 1800, 2800, 3800, 4800, and 9100 series. Older models may not support it. Always check the datasheet.

Can I mix local switching and central switching on the same FlexConnect AP?

Yes. You can configure some SSIDs to use local switching and others to use central switching. This is a common design for splitting guest and internal traffic.

Do I need a separate license to use FlexConnect?

FlexConnect is a standard feature included with Cisco wireless controllers and does not require additional licensing. However, the number of APs your WLC can manage depends on the licensing tier.

Summary

FlexConnect is a Cisco wireless architecture that gives branch office access points the ability to operate independently when the connection to the central controller is lost. This feature is built on the CAPWAP protocol, but with a critical difference: FlexConnect APs can switch client data traffic locally at the branch, rather than tunneling it to the controller. This reduces latency, conserves WAN bandwidth, and ensures that remote users keep working even during WAN outages.

The AP stores a backup configuration from the WLC, which includes local switching rules, ACLs, and authentication methods. When the WAN link fails, the AP enters Standalone mode and enforces these local settings. For IT certification exams, especially the CCNP ENCOR and ENWLSI, you need to know the operational modes, the 16 VLAN limit, the default hold-down timer of 300 seconds, and the fact that control traffic is always tunneled while data can be switched locally.

Memorize that FlexConnect is the only AP mode that allows continued operation without a controller. Avoid common mistakes like assuming all traffic is tunneled or that local authentication is automatic. Use FlexConnect in your real-world branch designs to deliver resilient, centrally managed wireless networks that meet the needs of distributed enterprises.