
Anchor WLC High Availability


We have a new Data Centre with a new ISP design. I have 4 x 5500 WLCs:

2 x Anchor Controllers sit on the DMZ, one in each Data Centre

2 x Foreign Controllers (one as Primary Master Controller; these manage the internal APs)

Between each Data Centre DMZ there is a Firewall cluster pair, Primary FW and Standby FW.

Both WLCs share the same external interface subnets, as does each Firewall member. The DCs are stretched with DWDM on their independent L2/L3 DMZ Switch Domain.

I have joined the Mobility Groups with each Anchor WLC and each Foreign WLC.

I would like to make our Anchor WLCs mirror the Firewall Cluster and keep all Guest & BYOD traffic through the Primary Firewall, and make one WLC Primary Anchor and keep the other Anchor Controller as Standby.

Is there a way I could make one of the Anchor controllers as a Primary and Standby?

(Bear in mind these Anchor controllers do not manage any APs. Anchors purely act as a DMZ DHCP Server for Guests & BYOD clients and offload to the internet.)

I've looked at this document

Note there is 60 km distance between Data Centres and each Anchor WLC, approx. 0.5 ms

6 Replies

Ric Beeching
Rising star

Using auto-anchor you can specify two anchors but clients will just get round-robined between them.

Would your scenario permit both anchors to pass traffic and then, in the event of an outage to one the other will service all clients until the other recovers?

The other option is the one you've listed with HA SSO as the document you've referenced specifies that quite nicely! 

For SSO though you'll need to span a Layer 2 VLAN across your DCs for the redundancy port to work.

Client SSO will work with Anchor-Foreign mobility setup as well as Guest Anchor scenarios.

Please rate helpful / correct posts

Presently I have auto-anchor set up and yes, clients get round-robin balanced between Anchor WLCs.

I don't mind this setup in the new Infrastructure, however our Primary Firewall and Primary ISP Router are in one Data Centre, Standby in the other DC. I suppose if I chose auto-anchor to roll out to Production the delay would be minimal, a few milliseconds whilst it routes across my DWDM link. It would be nice to have a Primary Anchor WLC in one site. I really don't think it's possible in my setup.

SSO is a great feature and I do span L2 across DCs, but this scenario would only be helpful if all your WLCs manage APs. In my case the Anchor WLCs manage zero APs and Anchors manage Guest & BYOD SSID only; my Foreign WLCs manage all 8 SSIDs.

I don't think it would matter as you have very good latency between the DCs unless of course that link becomes congested.

The advantage of SSO in this scenario isn't for AP SSO but for client SSO on the anchors which is supported.

Please rate helpful / correct posts

I'm going to upgrade to Cisco's AssureWare latest version and Field Image firstly, as the document says SSO client is supported from 7.5.x. I'm running AssureWare

And yes, it shouldn't cause any sort of significant delay RRing client traffic between WLCs. Once I upgrade and set up Redundant & Eth1 ports on both controllers I'll configure client SSO across DCs. Let's see if this works!

Sounds good, let us know how you get on!


Please rate helpful / correct posts

Will do, thanks
