I'm currently planning a migration from a Cisco 5508 WLC with 3700/3800 access points to a Cisco 9800 WLC with 9100 series access points. Due to various requirements and constraints, the customer does not want to change the SSID names, authentication and VLAN/IP addressing, as a large quantity of devices use static IP addresses. In addition, due to cabling issues, the new 9100 access points cannot be installed in parallel to the old access points, so it will be one down and one up.
I have read the above Cisco guide and community post, so firstly it looks like we need to upgrade the 5508 to an IRCM release so that we can form a mobility/RF group between the WLCs. The Cisco guide also states that it is recommended to use a different VLAN ID for each SSID on the 5508 and 9800; however, as this is not always possible (due to static IP addressing, which is the issue I have), the same VLAN IDs can be used. I have also seen recommendations that we should migrate one roaming domain (floor/building) at a time and that we should avoid mixing new and older generation access points in the same roaming domain. So, questions:
1) What issues will I face if the VLAN IDs are the same on the 5508 and 9800? The guide states that this is possible as long as I'm running the suggested firmware; however, it doesn't really state why different VLAN IDs are recommended in the first place.
2) One of our main challenges will be downtime, as we won't be able to take a single floor/building offline for a long period of time, so access points will need to be replaced one at a time. This means mixing old and new generation access points in the same roaming domain (hopefully for a short period of time), which goes against the recommendations. What issues will we face doing this?
"1) What issues will I face if the VLAN IDs are the same on the 5508 and 9800? The guide states that this is possible as long as I'm running the suggested firmware; however, it doesn't really state why different VLAN IDs are recommended in the first place."
They suggest. But I'd follow the software version recommended. I don't see how the VLAN ID can be a problem either, but this information must be there for a reason. They could be more clear, that's for sure.
"2) One of our main challenges will be downtime, as we won't be able to take a single floor/building offline for a long period of time, so access points will need to be replaced one at a time. This means mixing old and new generation access points in the same roaming domain (hopefully for a short period of time), which goes against the recommendations. What issues will we face doing this?"
I assume you are doing this in a maintenance window and outside of business hours, correct? If you can keep the whole floor on one WLC with the same APs you can reduce the probability of problems, but chances are that clients will roam from one floor to another, which means from one WLC to another, and this can cause some issues. Not expected if the WLCs are part of the same RF domain, but it is possible to have some roaming problems.
But if you cannot replace all the APs at once, this is something you need to align with your manager.
I assume you are referring to the 9800 best practice guidelines provided in this document:
As you design for migration between AireOS deployment and the new C9800 wireless network, there are some best practices to consider. IRCM guidelines are provided earlier in the Mobility section.
All the roaming between the C9800 and AireOS controllers is Layer 3 roaming. This means that no matter what VLAN the SSID is mapped to on each WLC, the client will always be anchored to the first WLC it joins. In other words, the point of attachment to the wired network doesn’t change with roaming, even if the VLAN on the wired side is the same on both WLCs.
In the migration design phase, when defining a common SSID for roaming, use a different VLAN ID and subnets on the Catalyst 9800 and on the AireOS WLC.
As a result, clients will get a different IP, whether they join the first Catalyst 9800 or AireOS; seamless roaming is guaranteed either way because the client will always keep its IP address on the VLAN/subnet it joined first.
This might not be possible in the following instances because:
● The customer is not willing to change the subnet design to add another VLAN/subnet for clients that join the newly added Catalyst 9800. This might also involve changes in the AAA and firewall settings.
● The customer leverages public IP subnets, so they don't have another spare subnet to assign to clients on the same SSID.
● The customer is using static IP for wireless devices.
When you have to use the same VLAN/subnet on both the Catalyst 9800 and AireOS, then it is recommended to use the following releases:
● Cisco IOS XE code: Release 16.12.4a or 17.3.2 and above
● AireOS code: Release 8.5.17x, which is the seventh maintenance release (expected in January 2021) or Release 8.10.142 and above
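For reference, a constructed configuration fragment for the mobility/RF-group peering that the IRCM guidance above refers to. It is added here and is not from the original thread or from Cisco's document; the group name, IP addresses, MAC addresses and certificate hash are placeholders, the AireOS side is assumed to already run an IRCM release, and lines starting with "!" are annotations rather than commands.

```text
! --- Catalyst 9800 (IOS XE), constructed example values ---
! Mobility group shared with the AireOS WLC; the peer entry uses the
! AireOS management-interface MAC and IP (placeholders here).
wireless mobility group name MIGRATION
wireless mobility group member mac-address aaaa.bbbb.cccc ip 10.10.10.5 group MIGRATION
! Same RF network name on both controllers so RRM cooperates during the migration
wireless rf-network MIGRATION
! Shows the 9800 certificate hash that the AireOS peer entry needs
do show wireless management trustpoint

! --- AireOS 5508 (IRCM release), constructed example values ---
config mobility group domain MIGRATION
config mobility group member add aaaa.bbbb.dddd 10.10.10.6 MIGRATION
! <HASH> = the 9800 trustpoint hash printed by the command above (placeholder)
config mobility group member hash 10.10.10.6 <HASH>
config network rf-network-name MIGRATION

! --- Checks: the peer should show as Up on both controllers ---
! 9800:  show wireless mobility summary
! 5508:  show mobility summary
```

Clients that roam between the two controllers over this tunnel stay anchored to the controller they first joined, as the guide text describes, so the mobility summary on both sides is the first place to look when a roam across the migration boundary misbehaves.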
Here are my responses to your two queries:
1. Between the 9800 and 5508 there is no layer 2 roaming supported. It always does a layer 3 roam (i.e. the client will be anchored to the first WLC it associates with). Logically, when you have the same Layer 2 VLAN on both the 9800 & 5508, we expect the client session to move to the 9800 when roaming, instead of both WLCs keeping the client entry with "Anchor" & "Foreign" tags.
It is interesting to see how the 9800 & 5508 update the upstream switch about where the client MAC address is: if the 9800 updates that the client MAC is with it, & the 5508 does not move the client database entry to the 9800 (as it does not do an L2 roam with the 9800), that creates confusion. Using a different VLAN/subnet on the 9800 prevents it, and hence the recommendation, I believe.
2. You can have 5508- or 9800-managed APs in the same environment. If you want to enable smooth roaming between those two environments, it will be a challenge (upgrade the 5508 to IRCM & establish mobility tunneling). What I would suggest is to deploy the 9800 using the same layer 2 VLAN/subnet (however, not enabling inter-controller roaming) & test the functionality of the SSIDs in a test environment. Once you confirm everything works with the 9800, then you can do a rolling migration of APs to the 9800 in a maintenance window, so that it does not stretch over a long duration.
*** Pls rate all useful responses ***
Thank you for taking the time to reply.
The installation of access points is going to be challenging, as we won't have the luxury of being able to migrate all access points on a given floor/roaming domain in the same maintenance window. It's a 24-hour operation and, due to various requirements, we will only be able to migrate one access point at a time, as the old access point will have to be removed and the new access point installed in its place. As a result of this, we will have a mix of old and new generation access points, each connected to a different WLC, within a roaming domain, which is not ideal.
We will need to test with and without inter-controller roaming and observe the behavior in a test environment, as advised. Two other questions based on the feedback:
1) Is it possible to setup just an RF group between the 9800 and 5508 WLCs (so no mobility tunnels) to provide RF cooperation without seamless L2 roaming?
2) There have been some suggestions that if we do setup inter-controller mobility between the 9800 and 5508 WLCs to support seamless roaming, that the AP group names in 5508 must match the policy and RF tags on the 9800-40. Is this correct and still a requirement in the latest versions of IOS-XE as I could not see it documented anywhere?
1. You can have the same VLAN ID, no issues; it will be more like having the same VLAN ID on 2 switches in a network.
2. Since the APs are 802.11ac, once you deploy the 9800, why don't you move all APs to the 9800? That way you don't have to worry about roaming between controllers, and then replace the APs one at a time.
Actually that is a good point. Is there a need to use IRCM if the existing access points are supported on the 9800? What would be the pros and cons of migrating the legacy wave 1/wave 2 access points directly to the new 9800 (in batches per roaming area) and then replacing with the 9100s vs using IRCM?