1451 Views, 0 Helpful, 17 Replies

WLC Config Question

jmhouse96
Level 1

I will be deploying a new Cisco wireless network in the next few months and I have a question regarding controller setup. I have purchased 5 5520 controllers and will have 750-800 APs connected to them when all is said and done. Here is what I am trying to find a solution for.

 

There are about 8 critical APs that I need to work around for production issues in a distribution facility. When it comes time to upgrade controllers we have issues finding times to reboot these APs, so what is the best way to set up my controllers for flexibility in upgrading these APs? I was planning to have 3 internal controllers and 2 anchors. If I need to change this up and only have 1 anchor controller that is fine too, but I am just looking for some suggestions here.

17 Replies

I would highly encourage you to deploy the 5520s in HA pairs. That way you will minimize possible wireless downtime in the future.

 

What I would suggest for those critical APs is to implement redundancy. Assume you have 2 pairs of 5520s (within the same L2 domain to avoid L3 roaming) taking care of corporate users. You can split those APs between the two 5520 pairs. That way, when you are upgrading one pair of 5520s, half of the APs in that critical area will be offline for a period of time, but clients in that area will still be serviced.

 

HTH

Rasika

*** Pls rate all useful responses ***

The setup will be an HA pair of controllers in an L2 domain in one location and an HA pair in another L2 domain, connected via a 10G WAN link.

 

Let me expand on what I am supporting here. We have these devices called cranes, that are on tracks. There are 4 warehouses that have 3 cranes each that roll back and forth on these tracks, and each crane has an AP that acts as its wireless NIC. I am not sure why this was the solution for the NIC, but that is what they came up with years ago. Each warehouse room has a single AP to connect to these cranes to send updates... The warehouse is like 300 feet long, so if I change the layout of the APs to stagger them along this 300 feet and have 3 APs per warehouse room, then I should be able to better support these cranes, only causing the reboot of half of the APs at any given time, allowing for better coverage and the ability to have a failure without causing an outage to a crane.

 

If I have two HA pairs, can they also act as a backup to each other? So if I lose a building then all APs will register to the other HA pair. I assume so, but I will need to read up on the documentation. As for guest, we are only going to have a single VM of ISE, so a secondary guest controller really does not make sense.

You have 5 controllers. From what you have said, you also have critical areas you want to keep up. I would look at either one controller in site A and one controller in site B as a minimum in N+1 so that you have the ability to move APs to either controller during upgrades or maintenance. Your other option would be Site A has an SSO pair and Site B has an SSO pair and these pairs are in N+1. That means you have two controllers used in each site, leaving you with only one for the anchor.

Now the other question is, if you are not spanning the subnets between Site A and Site B, your APs will be in FlexConnect mode and not local mode. In this scenario, you really don't need SSO pairs, just N+1. The more APs you have in your critical areas, the better, because you can ensure that you will have APs available 100% as long as you don't have power issues or maintenance that takes these down.

-Scott
*** Please rate helpful posts ***

Let me start by giving the larger picture. I have a corporate campus where we use about 6 buildings, but have about 6 more that are currently being leased to other companies. I will be deploying the WiFi solution to at least 6 of the buildings and I might have to add a small deployment in 1 of the other buildings we own.

 

Today I have 5508 controllers with about 200 2602 APs in the local campus, and I have to have all of these shut down and replaced by December 31st. We are leasing this equipment and it is not cost effective to extend that lease at this time. We have ordered 5 5520s and 450 4802i APs. I have used Ekahau to do some surveys and then I have also created a predictive survey that will increase our 200 APs to about 350, and I have passed this information to our facilities group to begin running cabling.

 

I was toying with the idea of running all APs in FlexConnect mode, but for roaming purposes in the campus I think I need to stick with local mode so I can more easily roam between the buildings. For the other locations I plan to stick to FlexConnect mode and create logical FlexConnect groups for upgrades and such.

 

I am thinking to stick to 2 SSO pairs and 1 guest anchor. We don't have too much guest traffic today, so if that increases I can add a secondary guest controller at a later date. We have also only purchased a single VM instance of ISE to support the guest environment. We have been toying with a full ISE deployment as well, but cannot get the funding for it at this time.

 

So I guess my plan will be to deploy the two pairs of SSO controllers and the single anchor controller. Then where we have the critical APs we will add more APs, create two groups of APs for these and point each group to a different pair of controllers for redundancy. This should help us keep these critical wireless clients up closer to 100% of the time. I will just have to have a discussion with the group that supports them about testing the roaming between APs and doing testing of rebooting the new APs to see how the client reacts prior to bringing it into production.

That better explains how things need to be designed.

 

Two SSO pairs in N+1 will help when you do maintenance, and one guest anchor is enough. As long as you have mobility between the two SSO pairs, roaming should work fine. The question is, in your campus, are the subnets spanned to the locations where your SSO pairs will be located? Let's start there.

-Scott
*** Please rate helpful posts ***

The subnets will not be spanned across the WAN link today. That could change in the future, but some other decisions need to be made before that could happen. 

So then you will have to decide which APs will be tied to which controller. Since the dynamic interfaces would be on different subnets, any roaming between the two controllers will break client connectivity. So the issue now is SSO vs N+1. With SSO in one site handling certain APs, you will take a downtime when there is any upgrade. With N+1, you can move APs to one controller, then upgrade the other, and then move certain APs at a time to the upgraded controller. So you need to consider this for your critical areas.


-Scott
*** Please rate helpful posts ***

So having said that, does it make sense to not have SSO and to do N+1 with a tertiary controller? Then I could save my 5th controller as a backup guest controller. Or I could do SSO in one building for the campus and have N+1 where the critical wireless infrastructure is in the other location? Would it make sense to have a mixed environment like that?


@jmhouse96 wrote:

So having said that, does it make sense to not have SSO and to do N+1 with a tertiary controller? Then I could save my 5th controller as a backup guest controller. Or I could do SSO in one building for the campus and have N+1 where the critical wireless infrastructure is in the other location? Would it make sense to have a mixed environment like that?


That will depend entirely on your budget and management overhead.  

I've always used HA SSO. Lately, I've been seeing failures in software that make HA SSO risky. So I have a few APs configured for a secondary controller even though both the primary and secondary controllers are in HA SSO (a total of four physical controllers).

That's the "budget" side of things. Management overhead means that in order to do primary/secondary controllers, you'll need to copy the configurations from two controllers to four controllers (especially allowed VLANs). And if you miss one of the links with allowed VLANs, things will go from bad to worse very, very quickly.

With that being said, if I did go with two SSO pairs of controllers in two locations, then I could have two groups of APs in my critical areas, each group pointing to a different SSO pair as primary, and when we upgrade, the wireless bridge devices would then roam between the APs based on which set of APs are up. So this should effectively keep these devices "always online". That would leave me the single controller to be an anchor.

 

I think this would work. This just takes me back to a question I asked earlier. Is there any reason to not create all APs as FlexConnect? I understand that FlexConnect works great for remote locations to allow local traffic to stay local... I just am not sure if it really makes a difference or not doing local mode APs.
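As an added illustration of the two-group design described in the post above (this is not code from any poster in the thread, and the controller names, addresses and AP names are constructed): the script below alternates the APs in each warehouse room between two controller pairs so that, whichever pair is being upgraded, every room keeps at least one AP whose primary is the other pair, checks that property before anything is applied, and renders the AireOS `config ap primary-base` / `config ap secondary-base` commands. The command syntax is assumed from the AireOS CLI and should be verified against the command reference for your release; the controller name in those commands must be the WLC's system name.

```python
"""Split critical APs across two WLC pairs and emit the per-AP commands.

Added example, not from the thread. Assumes AireOS syntax:
    config ap primary-base   <wlc-name> <ap-name> <wlc-mgmt-ip>
    config ap secondary-base <wlc-name> <ap-name> <wlc-mgmt-ip>
Verify against the command reference for your release.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Controller:
    name: str      # WLC system name as the AP must see it
    mgmt_ip: str   # management address the AP joins


@dataclass(frozen=True)
class AccessPoint:
    name: str
    room: str       # warehouse room the AP serves
    position: int   # order along the track, low = one end of the room


# Constructed sample: two SSO pairs, each appearing to APs as one logical WLC.
# Addresses are documentation-range placeholders, not real controllers.
PAIR_A = Controller("WLC-SITEA-SSO", "192.0.2.10")
PAIR_B = Controller("WLC-SITEB-SSO", "198.51.100.10")

# Constructed sample: 4 warehouse rooms, 3 staggered APs per room.
SAMPLE_APS = [
    AccessPoint(f"AP-{room}-{pos}", room, pos)
    for room in ("WH1", "WH2", "WH3", "WH4")
    for pos in (1, 2, 3)
]

Plan = Dict[str, Tuple[Controller, Controller]]  # ap name -> (primary, secondary)


def assign(aps: Iterable[AccessPoint], pair_a: Controller, pair_b: Controller) -> Plan:
    """Alternate primaries along each room's track so neighbours never share one.

    With the APs sorted by position inside a room, even slots get pair A as
    primary and odd slots get pair B. Upgrading either pair therefore takes
    down only every other AP in the room, and a crane always has a neighbour
    AP still up to roam to.
    """
    by_room: Dict[str, List[AccessPoint]] = {}
    for ap in aps:
        by_room.setdefault(ap.room, []).append(ap)

    plan: Plan = {}
    for room_aps in by_room.values():
        for idx, ap in enumerate(sorted(room_aps, key=lambda a: a.position)):
            primary, secondary = (pair_a, pair_b) if idx % 2 == 0 else (pair_b, pair_a)
            plan[ap.name] = (primary, secondary)
    return plan


def surviving_aps(aps: Iterable[AccessPoint], plan: Plan, down_pair: Controller) -> Dict[str, int]:
    """Per room, how many APs keep their primary while `down_pair` is upgraded."""
    counts: Dict[str, int] = {}
    for ap in aps:
        counts.setdefault(ap.room, 0)
        if plan[ap.name][0] != down_pair:
            counts[ap.room] += 1
    return counts


def check_plan(aps: List[AccessPoint], plan: Plan, pairs: Iterable[Controller]) -> List[str]:
    """Return one message per room that would lose all its APs during an upgrade."""
    problems: List[str] = []
    for pair in pairs:
        for room, n in surviving_aps(aps, plan, pair).items():
            if n == 0:
                problems.append(f"{room}: no AP stays up while {pair.name} is upgraded")
    return problems


def render_commands(plan: Plan) -> List[str]:
    """Emit the AireOS commands that pin each AP to its primary and secondary."""
    lines: List[str] = []
    for ap_name, (primary, secondary) in sorted(plan.items()):
        lines.append(f"config ap primary-base {primary.name} {ap_name} {primary.mgmt_ip}")
        lines.append(f"config ap secondary-base {secondary.name} {ap_name} {secondary.mgmt_ip}")
    return lines


if __name__ == "__main__":
    plan = assign(SAMPLE_APS, PAIR_A, PAIR_B)
    problems = check_plan(SAMPLE_APS, plan, (PAIR_A, PAIR_B))
    print("\n".join(render_commands(plan)))
    print("plan OK" if not problems else "\n".join(problems))
```

Run the check before pasting the commands: a room with a single AP (the current layout in the post) fails it, because whichever pair that AP's primary belongs to, an upgrade of that pair leaves the room with nothing to roam to.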


@jmhouse96 wrote:

That would leave me the single controller to be an anchor. 


Single-point-of-failure right there.  What happens if the anchor controller kicks in?  


@jmhouse96 wrote:

This just takes me back to a question I asked earlier. Is there any reason to not create all APs as FlexConnect?


How many APs per site will be running on Flex?  And what is the smallest WAN bandwidth?  

 

My rule of thumb is 1 Mbps per AP.  If you have a site that has more than 20 APs, it's better to put WLC at the site (like Mobility Express).

We have 3 regional sites, or sites within 45 miles of our corporate office, and one will have a WLC pair on site. These sites have either a 1 Gb MPLS or a 1 Gb P2P link back to the corporate office. I have not redesigned these locations yet to see what the number of APs will be in each location. One thing to mention is these locations have very little wireless traffic but are large warehouses, so there are 50+ APs in each location.

 

There are some smaller sites that have a minimum of 100 Mb MPLS links and have less than 20 APs per site currently. I am not sure what they will be once the project is done. Again, understand that I say smaller sites, but these might be enormous warehouse-type buildings where there is not any need for wireless in 75% of the building.

 

How does Mobility Express work with the controllers? I have never used ME before. I am also going to be using ISE and have not had time to create much of a plan for ISE. We were not aware that ACS was end of SW support at the end of the month until very recently. That was a bad oversight.

 

I have created a basic plan for ISE based on 3 internal ISE nodes for wireless authentication, TACACS, and VPN auth. Then I will have a standalone node in the DMZ for guest users. I would prefer to do this as a single deployment, but Infosec policies will probably require the standalone guest node.

 

One other item I have been looking at in our current deployment is that the remote sites for the most part have FlexConnect APs, but we do not have local DHCP servers in any of these locations. I am fairly sure local DHCP service is a best practice, so that is something I am trying to work through now as well.

 

I really want to thank everyone for their help and responses here. I am getting closer to figuring out what we are going to do, but things keep sneaking up on me here. Between the timeline and things like ACS and Guest NAC going end of support, I have too little time and not enough training or experience. It will work out in the end.

 

The controllers should arrive in less than 3 weeks and the 4800 APs will be arriving in about 6 weeks. The fun is about to begin.

100 Mbps MPLS to sites???? Whoa! Go local mode instead. Less hassles.

What do you mean less hassles?
