We have a new Data Centre with a new ISP design. I have 4 x 5500 WLCs:
2 x Anchor Controllers sit on the DMZ, one in each Data Centre
2 x Foreign Controllers (one as Primary Master Controller; these manage the internal APs)
Between each Data Centre DMZ there is a Firewall cluster pair, Primary FW and Standby FW.
Both WLCs share the same external interface subnets, as does each Firewall member. The DCs are stretched with DWDM on their independent L2/L3 DMZ Switch Domain.
I have joined the Mobility Groups with each Anchor WLC and each Foreign WLC.
I would like to make our Anchor WLCs mirror the Firewall Cluster and keep all Guest & BYOD traffic through the Primary Firewall, and make one WLC Primary Anchor and keep the other Anchor Controller as Standby.
Is there a way I could make one of the Anchor controllers as a Primary and Standby?
(Bear in mind these Anchor controllers do not manage any APs. Anchors purely act as a DMZ DHCP Server for Guests & BYOD clients and offload to the internet.)
I've looked at this document http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.pdf
Note there is 60 km distance between Data Centres and each Anchor WLC, approx. 0.5 ms.
Using auto-anchor you can specify two anchors but clients will just get round-robined between them.
Would your scenario permit both anchors to pass traffic and then, in the event of an outage to one, the other will service all clients until the other recovers?
The other option is the one you've listed with HA SSO, as the document you've referenced specifies that quite nicely!
For SSO though you'll need to span a Layer 2 VLAN across your DCs for the redundancy port to work.
Client SSO will work with Anchor-Foreign mobility setup as well as Guest Anchor scenarios.
Presently I have auto-anchor set up, and yes, clients get round-robin balanced between Anchor WLCs.
I don't mind this setup in the new Infrastructure, however our Primary Firewall and Primary ISP Router are in one Data Centre, Standby in the other DC. I suppose if I chose auto-anchor to roll out to Production the delay would be minimal, a few milliseconds whilst it routes across my DWDM link. It would be nice to have a Primary Anchor WLC in one site. I really don't think it's possible in my setup.
SSO is a great feature and I do span L2 across DCs, but this scenario would only be helpful if all your WLCs manage APs. In my case the Anchor WLCs manage zero APs and Anchors manage Guest & BYOD SSID only; my Foreign WLCs manage all 8 SSIDs.
I don't think it would matter, as you have very good latency between the DCs, unless of course that link becomes congested.
The advantage of SSO in this scenario isn't for AP SSO but for client SSO on the anchors which is supported.
I'm going to upgrade to Cisco's AssureWare latest version 184.108.40.206 and Field Image 220.127.116.11 first, as the document says SSO client is supported from 7.5.x. I'm running AssureWare 18.104.22.168.
And yes, it shouldn't cause any sort of significant delay RRing client traffic between WLCs. Once I upgrade and set up Redundant & Eth1 ports on both controllers I'll configure client SSO across DCs. Let's see if this works!