Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
462
Views
35
Helpful
9
Replies
kenneth.gregersen
Beginner
Beginner
‎11-25-2020 02:11 PM
‎11-25-2020 02:11 PM

Cisco Wi-Fi - Prevent AP from joining wrong WLC (5508 - 9800-CL)

Hi

We have been running a cluster of Cisco 5508 WLCs for many years, and the way that the APs has discovered the WLC is via DNS (cisco-capwap-controller.my.domain).

A while back we installed several 9800-CL WLCs, and we found that the best way to add new APs, and (slowly) migrate compatible APs to the new WLC, was to use DHCP Option 43 (for specific VLANs) to direct the APs to the new WLC.

So, currently we are living in a mixed Wi-Fi enviroment.

 

The problem is, that on the new 9800 WLC we have APs that we want to keep on the new WLC, but are still compatible with the 5508 WLCs. If a situation occurs that makes the APs loose connection to the WLC (reboot, upgrade etc...) they will go to the 5508 WLC since the APs will fail on DHCP Option 43 and fall back to DNS resolution.

Forcing them to be downgraded, which can be a lengthy process. And when we move them back to the 9800 WLC, where are are once again upgraded - which is a lengthy process.

 

Is there a way to prevent APs, that we want to "lock" to the 9800 WLC, from joining the 5508 WLC?

9 REPLIES 9
Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend
‎11-25-2020 03:06 PM
‎11-25-2020 03:06 PM

@kenneth.gregersen wrote:

Is there a way to prevent APs, that we want to "lock" to the 9800 WLC, from joining the 5508 WLC?

Manually configure the Primary WLC/Secondary WLC details.

Jurgens Lombard
Participant
Participant
‎11-25-2020 08:07 PM
‎11-25-2020 08:07 PM

As Leo mentioned the best way to do this is assigning the WLC's and their IP's under the high availability options of the AP. The reason for is due to the election process the AP uses to discover WLC's where the static configuration will override DNS or DHCP option 43 if WLC's are available. Reference below explains in greater detail.

https://community.cisco.com/t5/wireless-mobility-documents/joining-process-of-an-cisco-access-point/ta-p/3149279

 

kenneth.gregersen
Beginner
Beginner
‎11-25-2020 09:13 PM
‎11-25-2020 09:13 PM

Thanks @Leo Laohoo and @Jurgens Lombard 

 

I was aware of this possibilty, but I was under the impression that the AP would still ignore the configured IP address of intended WLCs in the NVRAM of the APs if the configured WLC was unavailable. Meaning that it would just fall back to either DHCP Option 43 and DNS resolution.

But, if I understand you correctly the AP will only use configured WLC(s)  - and not move on to other methods of discovering the WLC?

 

0 Helpful
Leo Laohoo
VIP Community Legend VIP Community Legend
VIP Community Legend
In response to kenneth.gregersen
‎11-25-2020 09:59 PM
‎11-25-2020 09:59 PM

@kenneth.gregersen wrote:

I was aware of this possibilty, but I was under the impression that the AP would still ignore the configured IP address of intended WLCs in the NVRAM of the APs if the configured WLC was unavailable.

This uses the Parent-and-Child system:

  • Global configuration is followed if no configuration is present on the AP.
  • If AP-specific configuration is present then this will overrule the global command.  
0 Helpful
kenneth.gregersen
Beginner
Beginner
‎11-25-2020 10:50 PM
‎11-25-2020 10:50 PM

Thanks @Leo Laohoo for the clarification.

I have one more question about setting the configuration per AP.

In the 9800 WLC there is something called an AP Join Profile.

In the CAPWAP settings one can specify Primary Controller and Secondary Controller, but it doesn't look like this is related to the High Availability setting - that is set per individual AP.

Or am I misunderstanding?

 

 

 

0 Helpful
rrudling
Rising star
Rising star
In response to kenneth.gregersen
‎11-26-2020 05:46 AM
‎11-26-2020 05:46 AM

- AP can fallback to other options if unable to find configured primary/secondary

- The global settings should apply to all APs which don't have their own static config applied (if it's like AireOS but I have not checked the docs).

Scott Fella
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
In response to kenneth.gregersen
‎11-26-2020 06:05 AM
‎11-26-2020 06:05 AM

Typically you just want to assign tags as that will have the primary and secondary. This is sort of the same as aireos, but I believe they wanted it to be simple in ios-xe. If you want to define on each access point, then you can do that by configuration on each ap in the Configure > Access Point and choosing the AP or by the cli:

9800HA#ap name test controller primary test 1.1.1.1
-Scott
*** Please rate helpful posts ***
kenneth.gregersen
Beginner
Beginner
‎11-26-2020 08:33 AM
‎11-26-2020 08:33 AM

Thanks again for all input.

To summarize; it's possible to direct an AP to a specific WLC (as the preferred choice) - but if there exists alternate methods in the network to discover other WLC(s) (DNS/DHCP Option 43) the AP will use it if preferred WLC is unavailable.

Meaning, there is no way (in our current network setup) to prevent the AP from joining the "wrong" WLC if preferred WLC is down.

Scott Fella
Hall of Fame Master Hall of Fame Master
Hall of Fame Master
In response to kenneth.gregersen
‎11-26-2020 06:42 PM
‎11-26-2020 06:42 PM

Look at it this way. You have methods of an ap discovering the controller which everyone mentioned. So if you have for example one of the methods in which the ap can join the wrong controller, then that is where your issues lies. If you want to not allow an ap to join, you would use Mac filter and enter the MAC address of the AP’s.

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/98848-lap-auth-uwn-config.html#anc7

When you are designing for a migration or brining up a new controller, the first thing you should of looked at was to place the new controllers on a w subnet in which your existing ap can’t discover and join. This is the same for the new environment.
-Scott
*** Please rate helpful posts ***
Latest Contents
Cisco IOS-XE 17.5.1 for the Catalyst 9800 Wireless Controlle...
Created by anandg on 04-02-2021 11:02 AM
5
15
5
15
  It’s been about two and half years, since the launch of next generation Cisco Catalyst 9800 Wireless LAN Controllers that has the most deployment flexibility and runs the modular, scalable, highly reliable, open and programmable operating system, I... view more
Wi-Fi 6 and Embeded Wireless Controller (EWC) Demo
Created by eugenelee28 on 03-21-2021 01:48 AM
3
5
3
5
Hi All, I have made this video for Cisco Pitch the Future Contest in Malaysia which talks about Wi-Fi 6 and EWC Demo. Please feel free to view the video below and please support me for this contest by giving the video a like as the Contest will end o... view more
Cisco Wants your Feedback on the Cat9800-80!
Created by caiharve on 03-09-2021 03:43 PM
0
5
0
5
Review the Cisco Catalyst 9800-80 Wireless Controller on TrustRadius and receive a $25 gift card!   
EEM Scripts to Enable/Disable the RLAN Ports on APs Connecte...
Created by justloo on 03-07-2021 10:43 AM
0
10
0
10
Overview On the Cisco Catalyst 9800 Series WLC, enabling/disabling the remote LAN (RLAN) ports on APs requires going into the configuration for each AP and manually enabling/disabling the ports. However, as the number of APs that need to have their RLAN... view more
An End of an Era for Cisco AireOS Controllers
Created by byronm19 on 03-05-2021 12:30 PM
2
5
2
5
It’s been a long road for our AireOS wireless controllers. In fact these products have been around Cisco in some form since 2005. As you may have heard, Cisco made the decision to End-of-Sale (EOS) these products last month. That means that these AireOS ... view more
Content for Community-Ad