topic Re: Moving 5520 SSO in Wireless

Moving 5520 SSO

Moudar — Tue, 07 Mar 2023 08:25:18 GMT

Hi,

We have 2 pieces 5520 which are SSO active and hot standby.

We need to move the one which is hot standby to another building (to have redundancy if fire or like things happen).

There is a fiber (layer 2) connection between these 2 buildings.

What gonna happen when we remove the redundancy cable? How to rejoin them as active and standby without disrupting the wifi network?

Re: Moving 5520 SSO

Mark Elsen — Tue, 07 Mar 2023 08:50:00 GMT

- The best thing to do is to power down the standby 5520 first before removing the redundancy cable , then things are 'clear' for the active controller and there will be no impact , if all is hardware wired on the new location then boot the standby controller again and check redundancy states , normally there will be no impact because there are no actions involved on the current active controller.
Use this command to check redundancy afterwards : show redundancy summary (on the active controller)

Re: Moving 5520 SSO

Arshad Safrulla — Wed, 08 Mar 2023 20:45:22 GMT

I completely agree with @Mark Elsen suggested here, but one thing I would do different is that I will test the HA before shutting down one WLC. You can shutdown the active controller to see whether the standby WLC is ready to takeover the AP and clients without any impact before the physical shift. This can be done on the same maintenance window where the WLC will be shifted or before that, so this should give you the opportunity to review the config.

Also in 5520 RP is a RJ45 port, so how you are planning to connect it? Using media converters will add more fail points and also could induce unforeseen issues, so this not a recommended solution at all. You may check the RP via switch option as below.

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/High_Availability_DG.html#pgfId-78161:~:text=redundancy%20mode%20sso-,RP%20Connectivity%20via%20Switches,-Figure%202%20RP

However please note that this is not a recommended option by Cisco, however supported by TAC as long as switch is properly configured. Optionally you can also explore the option of N+1, but this will require additional licenses and more importantly can increate the day to day management overhead as teams have to manage 2 different controllers.

Re: Moving 5520 SSO

Scott Fella — Wed, 08 Mar 2023 23:24:40 GMT

I think you will have more work than you think. SSO requires the interfaces to be on the same subnet. You can’t fail over to one and expect that the dynamic interfaces will have the same ip subnets unless the other building you are spanning the subnets. I don’t think so…

You need to look at N+1 if your subnets are not available on each site.

Re: Moving 5520 SSO

AdamF1 — Thu, 09 Mar 2023 01:12:38 GMT

Scott is on point here. This is the perfect time to split into n+1. Cisco sso is not good.

Re: Moving 5520 SSO

Moudar — Thu, 09 Mar 2023 07:29:37 GMT

my thought is as below:

I don't really understand why it would not work!

Re: Moving 5520 SSO

Rich R — Thu, 09 Mar 2023 14:04:27 GMT

It can work but as the others have already pointed out you're introducing multiple points of failure in the RP<->RP port connection and your diagram is missing the connection (already pointed out by the others) that WLC-1 and WLC-2 AP management interface need to be connected to the same subnet, so are you planning to tunnel/trunk that subnet between the data centres too? This type of design assumes you should have ultra reliable and resilient connections between the data centres (dual fibres, dual switches, dual power supplies etc) otherwise there's a high risk of the WLCs going active/active when there is any break in comms between the 2 DCs. And then when comms recovers they'll be un-synced so one of them will likely go into maintenance mode. That's why everyone is suggesting to seriously consider N+1 if you haven't considered the requirements for SSO fully.

If you really want ultra-high, 99.999%, availability across data centres then you do what we do: DC1: [pair of HA-SSO WLC] <--- N+1 HA with mobility ---> DC2: [pair of HA-SSO WLC]. That protects (as much as can be done) against all possible failure scenarios including DC disaster (which we have actually experienced with UPS failure). Under normal WLC failures HA-SSO ensures (almost) seamless failover and in DC failure APs take a little longer to move to the other DC. If you spread APs across both DCs then only ~50% are affected in case of DC failure.

Re: Moving 5520 SSO

Moudar — Thu, 09 Mar 2023 15:23:40 GMT

The active 5520 is connected to C4500X-16 and the standby 5520 is connected to another C4500X-16.

the second C4500X-16 is waiting if the first C4500X-16 fails, and this is done with HSRP and some EEMs.

I mean C4500X-16 at both sides are configured 100% same, the only difference is that the second one waits the other one to fail

Re: Moving 5520 SSO

Rich R — Thu, 09 Mar 2023 23:31:21 GMT

That might work but it's not clear what you mean by the second switch being standby - there needs to be an active live connection between the WLCs. If you're satisfied that it meets all those HA requirements then go for it but be aware of the risks you're introducing and be prepared for dealing with the situations you could be faced with.

I'd also suggest testing it extensively for all possible different failure scenarios.