Cisco Wi-Fi - Prevent AP from joining wrong WLC (5508 - 9800-CL)

Hi

We have been running a cluster of Cisco 5508 WLCs for many years, and the way that the APs have discovered the WLC is via DNS (cisco-capwap-controller.my.domain).

A while back we installed several 9800-CL WLCs, and we found that the best way to add new APs, and (slowly) migrate compatible APs to the new WLC, was to use DHCP Option 43 (for specific VLANs) to direct the APs to the new WLC.

So, currently we are living in a mixed Wi-Fi environment.

 

The problem is that on the new 9800 WLC we have APs that we want to keep on the new WLC, but which are still compatible with the 5508 WLCs. If a situation occurs that makes the APs lose connection to the WLC (reboot, upgrade etc.) they will go to the 5508 WLC, since the APs will fail on DHCP Option 43 and fall back to DNS resolution.

This forces them to be downgraded, which can be a lengthy process. And when we move them back to the 9800 WLC, they are once again upgraded - which is a lengthy process.

 

Is there a way to prevent APs, that we want to "lock" to the 9800 WLC, from joining the 5508 WLC?


Leo Laohoo (Hall of Fame)

@kenneth.gregersen wrote:

Is there a way to prevent APs, that we want to "lock" to the 9800 WLC, from joining the 5508 WLC?


Manually configure the Primary WLC/Secondary WLC details.

Jurgens L (Level 3)

As Leo mentioned, the best way to do this is assigning the WLCs and their IPs under the high availability options of the AP. The reason for this is the election process the AP uses to discover WLCs, where the static configuration will override DNS or DHCP Option 43 if the WLCs are available. The reference below explains it in greater detail.

https://community.cisco.com/t5/wireless-mobility-documents/joining-process-of-an-cisco-access-point/ta-p/3149279

 

Thanks @Leo Laohoo and @Jurgens L 

 

I was aware of this possibility, but I was under the impression that the AP would still ignore the configured IP address of the intended WLCs in the NVRAM of the APs if the configured WLC was unavailable. Meaning that it would just fall back to either DHCP Option 43 or DNS resolution.

But, if I understand you correctly, the AP will only use the configured WLC(s) - and not move on to other methods of discovering the WLC?

 


@kenneth.gregersen wrote:

I was aware of this possibility, but I was under the impression that the AP would still ignore the configured IP address of the intended WLCs in the NVRAM of the APs if the configured WLC was unavailable.


This uses the Parent-and-Child system:

  • Global configuration is followed if no configuration is present on the AP.
  • If AP-specific configuration is present then this will overrule the global command.  

Thanks @Leo Laohoo for the clarification.

I have one more question about setting the configuration per AP.

In the 9800 WLC there is something called an AP Join Profile.

In the CAPWAP settings one can specify Primary Controller and Secondary Controller, but it doesn't look like this is related to the High Availability setting - that is set per individual AP.

Or am I misunderstanding?

 

 

 

- AP can fallback to other options if unable to find configured primary/secondary

- The global settings should apply to all APs which don't have their own static config applied (if it's like AireOS but I have not checked the docs).

Typically you just want to assign tags, as those will have the primary and secondary. This is sort of the same as AireOS, but I believe they wanted it to be simple in IOS-XE. If you want to define it on each access point, then you can do that by configuring each AP in Configure > Access Point and choosing the AP, or by the CLI:

9800HA#ap name test controller primary test 1.1.1.1
-Scott
*** Please rate helpful posts ***

Thanks again for all input.

To summarize; it's possible to direct an AP to a specific WLC (as the preferred choice) - but if there exists alternate methods in the network to discover other WLC(s) (DNS/DHCP Option 43) the AP will use it if preferred WLC is unavailable.

Meaning, there is no way (in our current network setup) to prevent the AP from joining the "wrong" WLC if preferred WLC is down.

Look at it this way. You have the methods of an AP discovering the controller which everyone mentioned. So if you have, for example, one of the methods in which the AP can join the wrong controller, then that is where your issue lies. If you want to not allow an AP to join, you would use a MAC filter and enter the MAC addresses of the APs.

https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/98848-lap-auth-uwn-config.html#anc7

When you are designing for a migration or bringing up a new controller, the first thing you should have looked at was to place the new controllers on a new subnet in which your existing APs can't discover and join them. This is the same for the new environment.
-Scott
*** Please rate helpful posts ***
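A small model of the discovery order the replies above describe (static HA primary/secondary first, then the DHCP Option 43 list, then DNS, with fallback when the preferred WLC is unreachable) together with the controller-side MAC filter Scott points to. This is an added example, not Cisco's code or anything posted in the thread; the IP addresses and MAC addresses are constructed, and 10.0.9.1 stands in for the 9800 while 10.0.5.1 stands in for the 5508.

```python
# Added example, not Cisco code: models the CAPWAP discovery order this thread
# describes and the controller-side MAC filter that can refuse a join.
# All addresses and MACs below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Controller:
    ip: str
    up: bool = True
    # AP authorization list (MAC filter); None means any AP is accepted
    allowed_ap_macs: Optional[Set[str]] = None

    def accepts(self, ap_mac: str) -> bool:
        if not self.up:
            return False
        return self.allowed_ap_macs is None or ap_mac.lower() in self.allowed_ap_macs

@dataclass
class AccessPoint:
    mac: str
    static_wlcs: List[str] = field(default_factory=list)    # HA primary/secondary/tertiary
    option43_wlcs: List[str] = field(default_factory=list)  # learned from DHCP Option 43
    dns_wlcs: List[str] = field(default_factory=list)       # cisco-capwap-controller lookup

    def candidates(self) -> List[str]:
        """Discovery order: static config overrides Option 43, which precedes DNS."""
        ordered: List[str] = []
        for ip in self.static_wlcs + self.option43_wlcs + self.dns_wlcs:
            if ip not in ordered:
                ordered.append(ip)
        return ordered

    def join(self, wlcs: Dict[str, Controller]) -> Optional[str]:
        """Return the IP of the first candidate that is up and accepts this AP."""
        for ip in self.candidates():
            wlc = wlcs.get(ip)
            if wlc is not None and wlc.accepts(self.mac):
                return ip
        return None  # nothing reachable: the AP keeps cycling through discovery

def scenario(new_wlc_up: bool, old_wlc_filters_aps: bool) -> Optional[str]:
    """10.0.9.1 plays the preferred 9800, 10.0.5.1 the legacy 5508 (constructed)."""
    old_filter = {"aa:bb:cc:00:00:01"} if old_wlc_filters_aps else None  # our AP is not listed
    wlcs = {"10.0.5.1": Controller("10.0.5.1", allowed_ap_macs=old_filter),
            "10.0.9.1": Controller("10.0.9.1", up=new_wlc_up)}
    ap = AccessPoint(mac="00:11:22:33:44:55", static_wlcs=["10.0.9.1"],
                     option43_wlcs=["10.0.9.1"], dns_wlcs=["10.0.5.1"])
    return ap.join(wlcs)
```

With the 9800 down and no MAC filter on the 5508 the AP falls through to the DNS-learned 5508, which is exactly the unwanted join described in the question; with the filter in place the old controller refuses it and the AP keeps searching.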

scottdworman (Level 1)

My question is related, but if I have all 3800i APs joined on a 5508, then what will happen when I introduce the 9800 controller? Will hostnames remain the same? Do the configs for those APs get wiped out? Can I still use the AP pre-download software on the 9800 to reduce upgrade time? TIA - Scott

 

Hi Scott

I'm no expert here, but what I have found so far is that you can take an AP that is associated to the old WLC.

Enter the DNS name/IP address to the new WLC in the High Availability settings.

Reset the AP, and it will join the new 9800 WLC.

The name is kept and also the country code/regulatory domain, but other settings are lost.

 

You will need to add the correct Policy Tag, Site Tag and RF Tag after it has successfully joined the 9800 WLC.

You should wait for it to download the software before adjusting these settings.

 

The problem we have had is that the AP you are migrating is very keen on joining back to the older WLC.

We have had to block access to the old WLC in firewalls and remove DNS entry for cisco-capwap-controller.

Just setting the new WLC IP address using DHCP Option 43 has not been enough for us.

At least not in the migrating phase.

 

/Kenneth

 

Kenneth,

 

I figured that was the case.  We have to wait for new controller since ETA is April.  Aps are in, so we plan to deploy those on the 5508, then move them over to the 9800.

 

In your case, an ACL would help if you block access to the WLAN.  We block access at some of our sites so it is forced to use a specific controller on the local network.

I'd like to thank Kenneth for planting the seed of a solution in my mind. 

 

Solution:  Create a simple ip extended access-list on my Catalyst 9410R switch:

 

ip access-list extended Block-5508
10 deny ip any host 10.15.176.11
20 permit ip any any
Remark Russ S configured this to stop old Wave-1 AP's from joining the 5508 WLC.

 

Now let's apply that ACL on the layer-2 switch ports with the old 2702i and 3702i APs:

interface range T7/0/38,T8/0/38
  ip access-group Block-5508 in
end
!

Voila! The old Wave-1 2700 and 3700 access points immediately began joining our 9800 controller, which the APs had configured as their Primary Controller hostname and IP address (which did NOTHING for them).

 

Context: I have to migrate several hundred APs (2700 / 3700 / 3800) off of 5508s (8.5.182.0) and onto 9800-L (17.3.5a).

* If we set the 3800 AP High Availability Primary hostname and IP address, it joins the 9800-L, no problem.

* If we set the 2700/3700 AP High Availability Primary hostname and IP address, it does Jack Sh*t - doesn't go anywhere.

* If we allow Kenneth to open our minds to the fact that this may not be a CAPWAP thing, nor a CERT thing, nor an AireOS-IOS-XE mismatch thing... no, it might be simply that the darn Wave-1 APs keep a death-grip on the initial controller they learned of from DHCP, and digested into their little AP NVRAMs. I worked on this a few hours before the thought of a simple PACL (switch port ACL) resolved the issue immediately.

Now, do I want to apply the (ip access-group Block-5508 in) command to hundreds of AP switch ports on migration day, or is there a more ELEGANT way to force 2700/3700 APs to (disjoin from 5508) and (join 9800-L)?

Thanks for the quick work-around meanwhile!  Cheers.

RuSsElLMaN

 

Uh, I suppose powering off the 5508s on migration day, and letting all APs configured with the 9800 as the HA Primary join it, would be easier.
