topic Re: HA N+1 Setup in Wireless

HA N+1 Setup

jccr — Mon, 05 Jul 2021 19:16:27 GMT

We will be having a deployment that 2 sites have both active and standby WLC.

The APs in site 1 will connect to the WLC in site 1 and the APs in site 2 will connect to the WLC in site 2.

If both the active and standby wlc is down on site 1, the APs will connect to site 2.

May we ask how will be the configuration for both wlc? Do we need to replicate the site 1 WLC config to the site 2 WLC? If yes, what configurations must be the same for this setup to work? Thanks in advance!

Re: HA N+1 Setup

Scott Fella — Sat, 11 Jul 2020 15:46:27 GMT

If you want to be able to fail over to a different site that has different subnets, then you will need to look at FlexConnect with local switching. Either way, in any N+1 scenarios, the configuration should be pretty much the same. This goes for wlan, Mobility, radius, etc.
If you had differences in config, then during a failover, you would have devices that most likely fail to connect or fail when roaming. You don’t want that. So even at site 1, both controller need to be configured the same if using N+1.
It’s not easy to just say what you need to do without really understanding the requirements and also understanding where and what each site has. Knowing more information might result in a total different design.

Re: HA N+1 Setup

jccr — Sat, 11 Jul 2020 16:33:10 GMT

Hi scott

Thanks for your response

Cant we do that in local mode? Since each site has its own wlc. The only caveat in ap local mode is that the data traffic needs to pass through the WAN link everytime. Im just wondering how the configuration will be when we implement this kind of scenario. Im thinking of how will i create ap groups for site 1 aps when i am in site 2 wlc gui and switch configs etc

Re: HA N+1 Setup

Scott Fella — Sat, 11 Jul 2020 17:39:27 GMT

Not really a good design. If was site already has two WLC’s in SSO or N+1, why would you want to add the other site controller for redundancy? You are better off centralizing your WLC’s and running FlexConnect, depending on how far the sites are away from the controller. The issue of having two or more sites as a backup is the fact that sites are usually layer 3 adjacent, meaning that the interfaces on the WLC will be different, so devices connected on site 1 SSID A to site 2 SSID A will break. A good design is for redundancy, but not overly complex as that might cause you more problems. You also have to understand that when you setup N+1, you now have to create mobility between the controllers, this means the ap’s now know of all controllers in the same mobility group, thus ap’s can move to another controller, because it might of lost connecting to the primary. So now, you will have users that associate to an ap on site 1 and roam to an ap that is in site 1 but joined to site 2 and that will cause auto anchoring to happen. That means the device is tunneled to site 2 and then anchors back to site 1 controller. Now if AP1 in site 1 joins site 2 controller, then users whom initially associate to this ap will get an IP address from site 2 and then you have the cut anchoring happening again int he reverse direction I mentioned previously.
So again, this goes back to you requirements, why do you need this redundancy between sites? What happens when the link between the sites goes down? Are your subnets sized to handle all devices in each location in case the controller(s) goes down? What is your decision for local vs flex connect based on? How many ap’s on each site, how far are the sites, what is the bandwidth between sites, how many users per site on wireless, where is your radius servers, DHCP servers, etc. You need to look at all these and make a good decision on the best design.

Re: HA N+1 Setup

jccr — Sun, 12 Jul 2020 00:04:39 GMT

why do you need this redundancy between sites

> Hi, Scott.

why do you need this redundancy between sites?

It was proposed by our presales team and accepted by our client. i am just part of the implementation team. I know it is a lot of work to do and i have tried to search on the internet if there was already this kind of deployment. In Cisco docs, there is HA (active standby) and N+1 (1 controller is primary and backup controller has no APs connected). i never saw this kind of deployment on the internet that 2 sites has active wlcs.

May i ask if you have already saw this kind of deployment?

Re: HA N+1 Setup

Scott Fella — Sun, 12 Jul 2020 00:16:27 GMT

Can you provide what was sold? Four controllers? Two on each site? Or two controllers, one at each site? How far are the site away from each other and what’s the bandwidth and latency? You can design something without know these things.

Re: HA N+1 Setup

jccr — Sun, 12 Jul 2020 00:27:37 GMT

Hi Scott

Can you provide what was sold?

>5500 series controllers

Currently the existing setup now is that we have active standby wlc in site 1 and in site 2 there are no WLC but the APs are connected via flexconnect.

Now, we will be implementing also active standby wlc in site 2. Both site now will have an active standby WLC. Site 2 WLCs will set as backup controller for site 1 and Site 1 WLCs will be set as backup controllers for site 2.

For the Aps

Site 1 APs

Primary --- (management IP of site1)

Secondary---(management IP of site 2)

Site 2 APs

Primary ----( management IP of site 2)

Secondary --- (management IP of site 1)

Sites are about 5-10kms away and connected via 1G link

Re: HA N+1 Setup

Scott Fella — Sun, 12 Jul 2020 02:45:42 GMT

Okay, so the end design is two N+1, N+1 at site 1 and another N+1 at site 2. So a couple things here. When you add the two controllers, I’m assuming 5520’s, at site 2, you will need to convert the AP’s from FlexConnect to local, this means that you will probably need to make changes at site 2. So again, if both site AP’s are in local mode, you can’t use the other site as a backup. If that is what they sold, it’s not a recommended design and it will not work well. When you have AP’s in local mode, all controllers need to have interfaces on the same subnet. This can’t happen if your sites are L3 adjacent. The only way you can get both sites to be used as redundant is if all AP’s are in FlexConnect mode because sites with different subnets can’t be used mixed in local mode like I mentioned in my other post. You will not find any documentation on this because it’s not a Cisco Valid Design.

Re: HA N+1 Setup

Scott Fella — Sun, 12 Jul 2020 03:14:09 GMT

Just to be clear, your existing environment is like this? Site 1 AP’s Site 1 Primary Site 1 Secondary Site 2 AP’s Site 1 Primary Site 1 Secondary You new design should be as follows: Site 1 AP’s Site 1 Primary Site 1 Secondary Site 2 AP’s Site 2 Primary Site 2 Secondary

Re: HA N+1 Setup

jccr — Sun, 12 Jul 2020 03:16:34 GMT

Hi, Scott.

The end state will be each site will have an HA SSO deployment meaning in site 1 there is an active and hot standby wlc and also in site 2. All the APs are in local mode.

Will this setup will work? Im really not sure how will be the configuration. For example, site 1 wlcs are down and APs will associate to site 2 wlcs, how will we config the AP groups for site-1-APs in the gui of the Site 2 WLC? If we implement mobility group, can the site-2-WLC see the APs in site 1 for us to create AP groups for site-1-Aps?

Re: HA N+1 Setup

Scott Fella — Sun, 12 Jul 2020 05:37:27 GMT

Okay... SSO on both sites, doesn’t require the other site for backup. The problem again is the user subnets when in local mode are not the same between sites. You need to remember that when you setup N+1, all AP’s will know of all controllers in the mobility group. This is dangerous in your case because AP’s can accidentally join the standby controller (other site). Doesn’t matter if you configure high availability on the AP’s, it just happens at times. That is when things might break.
If you want to set this up so that one site backs up the other, all wlans need to be configured the same with the same wlan is, all ap groups with SSID’s need to be defined properly. The only thing that will be different are the hostname, system prompt and interface address.

Re: HA N+1 Setup

jccr — Sun, 12 Jul 2020 06:10:08 GMT

Hi, Scott

So for example, my guest subnet in site 1 is 192.168.1.0/24, when site 1 is down, the Access points in site-1 will associate to the site-2-WLC, do i need to prepare an interface in site-2-WLC for the guest subnet in site 1?

Site 1 subnet

Guest - 192.168.1.0/24

Guest subnet when site 2 wlcs are down - 192.168.100.0/24

Site 2 subnet

Guest - 172.16.1.0/24

Guest subnet if site 1 is down - 172.16.100.0/24

i hope you get what i am saying

Re: HA N+1 Setup

Scott Fella — Sun, 12 Jul 2020 07:28:27 GMT

When an ap moves from one controller to another, it picks up the configuration of the new associated controller. So a guest user in site 1 connected to and ap in site 1 and the ap is joined to the site 1 controller. The traffic is tunneled to site 1 controller and will use the interface defined on the controller. When a guest in site one connects to an ap in site 1 but joined to site two controller, the traffic is tunneled to the controller and egress the interface defined. Doesn’t matter what subnet it’s on, users will have to disconnect and reconnect depending if the device still has an up address on site 1.
If your AP’s at site 1 are joined to both site 1 controller and site 2 controller, this can happen, users that roam from AP’s joined to different controllers will create an auto anchor which will then create another tunnel back to the other site.
I don’t think anyone here would deploy that design, but that is up to you and your team. If you do end up having a lot of issue, the fix will to break the mobility between the two sites.

Re: HA N+1 Setup

jccr — Sun, 12 Jul 2020 10:42:51 GMT

Hi, Scott.

Thank you for all your inputs regarding this inquiry. I think we need to talk about this scenario. I will update this post on the final setup if we will still continue this one. Thanks again

Re: HA N+1 Setup

Scott Fella — Sun, 12 Jul 2020 16:44:12 GMT

No problem. If you do take a look at any N+1 guides, the controller interfaces reside in the same subnets. FlexConnect guides will show controllers in different locations for redundancy. It’s something you probably need to talk to the pre-sales engineers and try to understand how they decided on that. I don’t think they really thought it through. There is a reason the existing design had both N+1 controllers at the same site and the remote site was using FlexConnect. The wanted redundancy for the primary site so N+1 was the best design, but local mode AP’s on site 2 was not a good design so that was import with FlexConnect. If FlexConnect was working fine in their environment, the both site AP’s should be in FlexConnect with local switching and you can have redundancy.

Re: HA N+1 Setup

patoberli — Mon, 13 Jul 2020 15:39:10 GMT

I'd like to add to Scotts points, don't do the failover with a second site.
If, for example, your WAN link gets overloaded, the APs at the other site will loose their connection to the WLC and start to reboot. You would need to add QoS on the WAN for the CAPWAP packets.
You will also have various issues once you decided to do a software upgrade on one site.
Oh and make sure to have a short enough DHCP lease time, so that if a user puts his laptop into standby at site 1 and then drives to site 2 and wakes it up again, so that the client will do a fresh DHCP handshake (if you use the same SSID at both sites). There are some workarounds for that with the Mobility Group, but not all clients behave nicely.

Re: HA N+1 Setup

jccr — Sun, 19 Jul 2020 12:00:34 GMT

Hi, Scott & patorbeli..

The final setup is that we will be having HA SSO on site 1 and HA SSO on site 2. Meaning we have active and standby wlc in site 1... and active and standby wlc on site 2.

-The access points in site 1 will be configured as local mode and its primary WLC is in site 1, and secondary is the WLC in site 2

-The access points in site 2 will be configured as local mode and its primary WLC is in site 2, and secondary is the WLC in site 1

May we ask for the configuration for this to work? Do i need first to configure mobility group?

I also wanted to ask how will be the ip addressing or subnetting if the WLCs in site 1 is down? Do i need to prepare a new subnet for the users when APs in site 1 connect to WLC in site 2 and vice versa?

Re: HA N+1 Setup

Scott Fella — Sun, 19 Jul 2020 15:45:12 GMT

Like I mentioned before, it’s not a good idea in your design to failover to the other site. However, I think once you test this after you get everything up, you will see how things really work.
So if you are still planning to do this, you would need to have the wlans configured the same, mobility groups configured and the wlans mapping to the same vlan id for consistency. You will have to make sure the subnet one each site is large enough to manage all the devices on that wlan for each site. You can’t map a new subnet when there if a failover.
If site 1 goes down, all AP’s will reboot and have to join site 2. Once the aps join site 2, all traffic will tunnel back to site 2 and be placed on the same subnet as the devices on site 2 using the same wlan.
If and ap at site 1 joins site 2, users whom roam to that ap at site 1 joined to site 2 will be anchored, so you will have anchoring happening. This is what you also want to avoid if possible, so you will have to monitor the controllers to make sure the other sites aps are not joining unless there is a failover.
Make sure you test so that you see how the failover works and the experience the users will see. You will just have to power down both controllers or disconnect both from the network.

Re: HA N+1 Setup

jccr — Thu, 06 Aug 2020 14:38:26 GMT

Hi, Scott.

I hope you are doing good.

The setup is already final both site with HA SSO WLC and if 1 site is down, all the aps will failover to the other site and vice versa

I'm also thinking about the firewall policies for the new subnets. Do we need to also consider this or reachability from APs in site 1 to controller in site 2 is enough?

Re: HA N+1 Setup

Scott Fella — Thu, 06 Aug 2020 15:38:05 GMT

I guess it depends on how your traffic flows. If you don’t have any issues when you do failover, then I don’t think any FW rules need to be added or changed. Just make sure you test and understand what the users will see during a failover.