Cisco APs joining two different WLC on different use networks - for emergency use

jsicuranza
Level 1

A large metropolitan organization has an existing enterprise-wide WIFI network consisting of roughly ten WLCs (5508, 5520 and 8540s) with over 2000 access points (2800 class). The same organization has a separate secure network with applications just for the emergency use case, when the main enterprise network goes down or is under a cyber-attack.


The organization would like to utilize the existing WIFI access points across the enterprise for select personnel to connect, via CAPWAP tunnels over a small WAN separating the two networks, to a special-purpose WLC 9800-40 in order to access non-enterprise resources during this emergency use.


The customer is accepting the risk of utilizing the shared WIFI APs currently in place throughout the enterprise on the existing switching infrastructure.

A WAN will be in place between the existing enterprise environment and the new secure network for emergency use.

A separate authentication and DHCP environment will be provided on this secure network for those secure-network WIFI users.


What they want to accomplish, when the enterprise network is purposely cut off during an attack and the enterprise WLCs are disconnected, is to have those same existing access points connect to the secure network's special-use WLC so that select personnel can access systems for status, etc.


A separate SSID will be provisioned for the secure network.


Ideally, a single AP could keep its current corporate SSIDs in place and have the secure network's SSID (available or dormant, and connected to the secure WLC) in place AT THE SAME TIME until an enterprise cut-off is conducted; then only the secure SSID would be available, for use by select personnel with proper credentials during the emergency period.

Once the emergency period subsides and the enterprise returns to operation and its WLCs are available again, the APs will continue to use their enterprise SSIDs.


Can this use case actually be accomplished?

Can an AP join two different types of WLC for different use cases?

Are there any design guides or existing use cases to reference?

Any ideas or tips from anyone in the community who may have accomplished the same or done something similar are greatly appreciated.

Any assistance or direction is greatly appreciated.

5 Replies

inderdeeps
Level 4

@jsicuranza: No, it will join only one WLC. However, you can configure "High Availability" with the WLC1 details entered as the Primary Controller and WLC2 as the secondary.

Scott Fella
Hall of Fame

I think you need to understand what happens when the AP moves to a different controller. Understand how HA works and the requirements, because that will help you to also understand what will happen when the AP moves to a different controller with different configurations and code. Anything is doable, but is it what you want, and what does it take to bring everything back to normal?

-Scott
*** Please rate helpful posts ***

jsicuranza
Level 1

Thanks fellas, yes I understand how HA works, having deployed WLCs in the past and dealt with stickiness etc. I was curious, outside of utilizing HA mechanics and a tertiary-type setup, if there was a way, maybe from the AP's perspective, to do this with a split or multiple profiles; an AP running SIN (ships in the night) between controllers is one analogy. Can something like that be done from the AP (directly configured, etc.) or through one of the WLCs (one pushes a higher-priority profile while the other is dormant)?

I know the 9800s have XE and the new Tags and Profiles workflow, as well as maybe FlexConnect.

What you want is not possible. You need to think of other possible ways that the customer is fine with, knowing that there will be downtime. I don't know any other vendors that would have that either.
-Scott
*** Please rate helpful posts ***

AdamF1
Level 1

There are creative ways around this. One issue you will face is that the 9800 and 55xx lines run two different codes, so the APs will have to switch codes, if at all possible with the 2800 line.


In my eyes, all you would do is set up the APs to use that controller as a secondary or tertiary controller. When they kill the network, it would fail over to the active one. This would cause the APs to reload, grab the other code and advertise the networks on that controller.

If the management IP stays up, you could just anchor that SSID back to the new controller and activate the SSID when needed and shut down the others.
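To make the secondary/tertiary approach from the replies above concrete, here is an added configuration sketch (not from any poster, and not a Cisco design guide): the enterprise AireOS WLCs prime each AP with the emergency 9800-40 as its tertiary controller, AP fallback is left enabled so APs return to the enterprise WLCs once those are reachable again, and the 9800 side records the same priority order. Controller names, the AP name and the IP addresses are placeholders; the `!` lines are annotations, and the commands should be checked against the CLI reference of the exact AireOS and IOS-XE release in use.

```cisco
! --- AireOS (5508/5520/8540): per-AP controller priming, placeholder names/IPs ---
! Enterprise WLCs stay primary and secondary; the emergency 9800-40 is tertiary,
! so the AP only goes there when both enterprise controllers are unreachable.
config ap primary-base   ENT-WLC-1  AP-BLDG1-FLR2 192.0.2.11
config ap secondary-base ENT-WLC-2  AP-BLDG1-FLR2 192.0.2.12
config ap tertiary-base  EMERG-9800 AP-BLDG1-FLR2 198.51.100.5
! Fallback lets the AP rejoin its primary when the enterprise WLCs come back,
! which is what the "return to enterprise SSIDs" requirement depends on.
config ap fallback enable
! Verify what the AP has been told (look for the Primary/Secondary/Tertiary Cisco Switch lines).
show ap config general AP-BLDG1-FLR2

! --- IOS-XE (9800-40): same priority order, set after the AP has joined ---
! Keeping the enterprise WLCs first here means the AP leaves the emergency
! controller on its own once the enterprise side is restored.
ap name AP-BLDG1-FLR2 controller primary   ENT-WLC-1  192.0.2.11
ap name AP-BLDG1-FLR2 controller secondary ENT-WLC-2  192.0.2.12
ap name AP-BLDG1-FLR2 controller tertiary  EMERG-9800 198.51.100.5
show ap name AP-BLDG1-FLR2 config general
```

As AdamF1 notes, the failover still costs an AP reload and an image change between AireOS and IOS-XE, and the WAN firewall between the two networks must permit CAPWAP (UDP 5246/5247) from the APs to the 9800's management address for the join to succeed at all.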
