Solved: Re: AP staged upgrade WLC 9800

sirajuddeen t p · ‎02-24-2023

Hi Support team,

I have a requirement to replace current 5508 WLC HA cluster to 9800 WLC at customer DC. The access points are distributed in different countries and centrally managed from the DC WLC. As far as I know the APs will start upgrading as soon as they are registered to new WLC. Is there a way we can prevent this and do staged upgrade. I checked document "High Availability using Patching and Rolling AP Upgrade on Cisco Catalyst 9800 Wireless Controllers". Does it covers migration of APs to new WLC? or it is only possible for the APs currently active under the 9800 WLC?

It would be great help if there is a step by step approach you can share.

Thank you.

Scott Fella · ‎02-24-2023

Make sure the ap's are supported on the code you are running on the 9800!!! Also if you are not going to do a full site at once, then you need to make sure you have mobility configured from the 5508 to the 9800. There is a supported code version for that and the guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html

From my experience, the current environmnet is up and you just need to validate that the high availabiliity is configured on the access points to point to the existing controller. I'm assuming it is, but if not, make sure this is done. Now you can bring up the new 9800 in parallel, but you don't have to worry, becuase you didn't define the 9800 in the high availability. Make sure you don't add or change option 43 or DNS for controller discovery if you have that in place. You can change that later when you have migrrated all your ap's off the 5508. Now when you are done testing and want to push out a few ap's to test, all you have to do is configure the access point high availability to point to the 9800 as the primary and the 5508 as the secondary. This way in case anything goes wrong, the ap knows to try the 5508.

Now if this is successful, you can then script out the change from the 5508 to the ap's you want to move. If you are not going to move all the ap's in a site at once and need to support roaming between the two environmnets, then make sure you have mobility. Make sure the SSID's are configured exactley the same or else roaming can break. Once you are done with the migration, you can then script the change to change the high availability so that the primary is the 9800 and the secondary is another 9800. Keep in mind that the high availabity is case sensitive for the controller name. ALso note that you can't blank our an entry from the cli, but you can add a blank space to the command.

config ap primary-base " " CAP01 0.0.0.0 <-- 1 space
config ap secondary-base " " CAP01 0.0.0.0 <-- 2 space
config ap tertiary-base " " CAP01 0.0.0.0 <-- 3 space

This is the method I use when moving ap's I'm testing to other controllers. Hope this helps.

-Scott
*** Please rate helpful posts ***

View solution in original post

Scott Fella · ‎02-24-2023

Make sure the ap's are supported on the code you are running on the 9800!!! Also if you are not going to do a full site at once, then you need to make sure you have mobility configured from the 5508 to the 9800. There is a supported code version for that and the guide: https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html

From my experience, the current environmnet is up and you just need to validate that the high availabiliity is configured on the access points to point to the existing controller. I'm assuming it is, but if not, make sure this is done. Now you can bring up the new 9800 in parallel, but you don't have to worry, becuase you didn't define the 9800 in the high availability. Make sure you don't add or change option 43 or DNS for controller discovery if you have that in place. You can change that later when you have migrrated all your ap's off the 5508. Now when you are done testing and want to push out a few ap's to test, all you have to do is configure the access point high availability to point to the 9800 as the primary and the 5508 as the secondary. This way in case anything goes wrong, the ap knows to try the 5508.

Now if this is successful, you can then script out the change from the 5508 to the ap's you want to move. If you are not going to move all the ap's in a site at once and need to support roaming between the two environmnets, then make sure you have mobility. Make sure the SSID's are configured exactley the same or else roaming can break. Once you are done with the migration, you can then script the change to change the high availability so that the primary is the 9800 and the secondary is another 9800. Keep in mind that the high availabity is case sensitive for the controller name. ALso note that you can't blank our an entry from the cli, but you can add a blank space to the command.

config ap primary-base " " CAP01 0.0.0.0 <-- 1 space
config ap secondary-base " " CAP01 0.0.0.0 <-- 2 space
config ap tertiary-base " " CAP01 0.0.0.0 <-- 3 space

This is the method I use when moving ap's I'm testing to other controllers. Hope this helps.

-Scott
*** Please rate helpful posts ***

sirajuddeen t p · ‎02-24-2023

Thank you Scott for the guideline. I will workout based on this plan.

Scott Fella · ‎02-24-2023

Glad to help.... you want to validate your scripts which you will have a few, one to make the change, one to blank out a line and the other to finalize your ap HA.

Remember, you will get an error if the controller name is already defined in any other controller fields. That is why you need to define a bogus entry using blank spaces, which will allow you to move an entry to another location.

While tinking about this, this is what has worked for me, you might want to adjust this dependign on how may controllers are defined already.

Optional: if you need mobility during the migration, make sure your 5508 is on the supported code and you have defined mobility between the two.

Note:
You can also define ap authorization list and use the local db. This way you define the mac address of the ap's you want to test/allow on the controller.

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213916-catalyst-9800-wireless-controllers-ap-au.html

Since the ap's are joined to the 5508, I would blank out the primary and secondary lines. AP's will stay on the 5508 since it knows about it already.
Add the 5508 to the secondary and if you have another controller for N+1, add that to the tertiary.
When ready to test, add the 9800 to the primary. You will have two/three entries, primary is the 9800, secondary/tertiary is the 5508.
Once the ap moves and hads joined, perform any testing to make sure the new 9800 setup will work in production.
follow steps 1-3 to move access points to the new 9800
Once migrated, I would leave the existing entries just in case! I would only change the high availability after I decomission the 5508 or 100% know that the 5508's will no longer be used.
Remove the 5508 entries in the high availability by using blank entires with different white space. Define the ip address as 0.0.0.0

-Scott
*** Please rate helpful posts ***

marce1000 · ‎02-24-2023

- Adding to other very useful reply : you can at any stage ( but advised before production too) checkout your WLC 9800 configuration with the CLI command : show tech wireless , have the output analyzed by https://cway.cisco.com/tools/WirelessAnalyzer/ , please note do not use classical show tech-support (short version) , use the command denoted in green for Wireless Analyzer. Checkout all advisories!

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

sirajuddeen t p · ‎02-24-2023

Thank you Marce. I will make sure of this procedure.

sirajuddeen t p · ‎02-24-2023

I will put my story once the activity has been completed.

Leo Laohoo · ‎02-24-2023

What are the models of the AP?

sirajuddeen t p · ‎02-28-2023

Hi Leo,

provided models:
WLC:AIR-CT5508-50-K9
APs: C2702, C3702, C2802 and C3802. We will be replacing the 27xx and 37xx by early next year but not before the WLC migration to 9800.

Rich R · ‎02-25-2023

And to answer your other question - rolling AP upgrade only applies to APs already on the 9800 WLC not migrations.

Also check the TAC recommended code and best practices guide below. Check the compatibility matrix for your APs too. If you're configuring mobility with the 5508 make sure to use 8.5.182.105 (link below).

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

sirajuddeen t p · ‎02-28-2023

One more query as a concern raised by my customer.

When I upgrade SSO HA 9800 WLCs, Can I still control the AP image upgrade in staged manner. When I go through the documentation, it was mentioned with N+1 scenario only.
Thank you for all your expert advise.

marce1000 · ‎02-28-2023

>....When I upgrade SSO HA 9800 WLCs, Can I still control the AP image upgrade in staged manner
Best is to enable the ISSU check box in the WebUI upgrade page. The new software is then downloaded to both controllers. AP predownload then happens. Then both controllers upgrade to the new version one after the other (so that APs always stay joined to one of them). The APs are then joined to WLC running a different software version (which was not possible in aireos) and keep operating. The WLC then reboots APs progressively wave by wave so that they come back with the new version. Neighboring APs are not rebooted at the same time so that there is always one AP to service clients in a given area therefore providing zero downtime. The clients do not even notice anything because if they support 802.11v because the AP sends them an order to move to another AP before rebooting. If the client does not support 802.11v they might be disconnected briefly until they connect to another access point ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

sirajuddeen t p · ‎02-28-2023

HI Marce, the ISSU document says it does not support between major release? In such a case how I leverage the advantage of staged AP upgrade? The customer has vast number of APs and they wan to control AP upgrade during minor/major or maintenance release upgrade.

Scott Fella · ‎02-28-2023

Wait... are you migrating from 5508's to 9800's? Because that would be a manual migration which was covered previously in this thread. If you are upgrading a set of 9800's then that is a different story and different ways to accomplish that.

-Scott
*** Please rate helpful posts ***

sirajuddeen t p · ‎02-28-2023

I will raise a new thread for that.