HA N+1 Setup

jccr
Level 1

We will be having a deployment in which 2 sites each have both an active and a standby WLC.

The APs in site 1 will connect to the WLC in site 1 and the APs in site 2 will connect to the WLC in site 2.

If both the active and standby WLC are down on site 1, the APs will connect to site 2.

May we ask what the configuration should be for both WLCs? Do we need to replicate the site 1 WLC config to the site 2 WLC? If yes, what configurations must be the same for this setup to work? Thanks in advance!


I'd like to add to Scott's points: don't do the failover with a second site.
If, for example, your WAN link gets overloaded, the APs at the other site will lose their connection to the WLC and start to reboot. You would need to add QoS on the WAN for the CAPWAP packets.
You will also have various issues once you decide to do a software upgrade on one site.
Oh, and make sure to have a short enough DHCP lease time, so that if a user puts his laptop into standby at site 1 and then drives to site 2 and wakes it up again, the client will do a fresh DHCP handshake (if you use the same SSID at both sites). There are some workarounds for that with the Mobility Group, but not all clients behave nicely.


Hi, Scott & patorbeli..

 

The final setup is that we will be having HA SSO on site 1 and HA SSO on site 2. Meaning we have an active and standby WLC in site 1... and an active and standby WLC in site 2.

- The access points in site 1 will be configured in local mode; their primary WLC is in site 1, and the secondary is the WLC in site 2

- The access points in site 2 will be configured in local mode; their primary WLC is in site 2, and the secondary is the WLC in site 1

May we ask for the configuration for this to work? Do I need to configure a mobility group first?

I also wanted to ask how the IP addressing or subnetting will work if the WLCs in site 1 are down. Do I need to prepare a new subnet for the users when APs in site 1 connect to the WLC in site 2 and vice versa?

 

Like I mentioned before, it’s not a good idea in your design to fail over to the other site. However, I think once you test this after you get everything up, you will see how things really work.
So if you are still planning to do this, you would need to have the WLANs configured the same, mobility groups configured and the WLANs mapping to the same VLAN ID for consistency. You will have to make sure the subnet on each site is large enough to manage all the devices on that WLAN for each site. You can’t map a new subnet when there is a failover.
If site 1 goes down, all APs will reboot and have to join site 2. Once the APs join site 2, all traffic will tunnel back to site 2 and be placed on the same subnet as the devices on site 2 using the same WLAN.
If an AP at site 1 joins site 2, users who roam to that AP at site 1 joined to site 2 will be anchored, so you will have anchoring happening. This is what you also want to avoid if possible, so you will have to monitor the controllers to make sure the other site's APs are not joining unless there is a failover.
Make sure you test so that you see how the failover works and the experience the users will see. You will just have to power down both controllers or disconnect both from the network.
-Scott
*** Please rate helpful posts ***

Hi, Scott.

 

I hope you are doing good.

 

The setup is already final: both sites with HA SSO WLCs, and if 1 site is down, all the APs will fail over to the other site and vice versa.

I'm also thinking about the firewall policies for the new subnets. Do we need to also consider this, or is reachability from APs in site 1 to the controller in site 2 enough?

I guess it depends on how your traffic flows. If you don’t have any issues when you do failover, then I don’t think any FW rules need to be added or changed. Just make sure you test and understand what the users will see during a failover.
-Scott
*** Please rate helpful posts ***

Arshad Safrulla
VIP Alumni

Do you have Cisco Prime in your environment? If so, Cisco Prime can be configured for configuration sync between devices. This is the CVD for config sync in N+1.

If not, make sure at the time of the configuration that all the APs are joined to the controller, configure all the APs, and assign all the AP groups, Flex groups, etc. Then replicate the config on the second controller, but make sure that the dynamic interfaces are properly configured on the N+1 controller.

Hi, Arshadsaf.

 

 

Unfortunately we don't have Cisco Prime in this implementation.

LukaszC
Level 1

Hello guys.

Please review & advise whether I'm going toward a correct HA design or making it worse.

Currently we have a similar setup in four countries.
Country A:
2x WLC 5520 in SSO
The WLC is located in the country HQ, where there are also APs, but it manages many APs in branches for this country.
SSID1 - Corporate, FlexConnect local switching, each site/floor has its own AP group, Flex group
SSID2 - Guests, central switching (CAPWAP data+control)

Country B, C, D - similar setup, so 2x WLC + APs in HQ and some branch offices with APs.

MPLS between sites. Centrally located DHCP (but each site has its own subnet; Guests have a common one) and ISE as RADIUS. All managed by Cisco DNA + manually on the WLC when needed.
There are mobility groups defined, and in the wireless global config a back-up primary controller (country A + B, and a second group country C + D).

I simulated an AP losing its connection to the WLC, and the AP did fail over to the back-up primary controller, but the end user couldn't connect. Then I noticed Cisco DNA didn't copy the AP groups and Flex groups.

I read this and other threads and some Cisco guides, but didn't find enough details to plan geo-redundancy for access points.
Is it best practice to fail over APs with FlexConnect, or maybe I should remove the back-up primary controller and mobility groups?

I would in this case not failover geo-redundant, but just in the same country where the two WLC are located. 

So if Country A has 2 WLC running in SSO, then only failover between those two WLC and don't additionally failover to the WLC in Countries B/C/D. 

Thank you for the answer.
I decided to remove the mobility group (succeeded) but cannot remove, on WLC > Wireless > Access Points > Global Configuration > High Availability, the defined "Back-up Primary Controller IP Address(Ipv4/Ipv6)" and "Back-up Primary Controller name".
I delete those, apply the change, and they are back. Why?

5520/8.10.162.0
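
The consistency points raised in this thread (the same WLANs mapped to the same VLAN ID, mobility configured between the controllers, AP groups and Flex groups present on the backup controller), as an added Python example that is not part of any post and is not Cisco tooling. The inventory dictionaries, their field names and all addresses are constructed for illustration; how they are filled from a real controller is an assumption left open.

```python
"""Added example: compare two WLC inventories for N+1 failover readiness."""

# Constructed sample inventories (hypothetical field names, not device output).
SITE1 = {
    "mgmt_ip": "10.1.0.10",
    "mobility_peers": {"10.2.0.10"},
    "wlans": {1: ("Corporate", 110), 2: ("Guest", 120)},  # id: (ssid, vlan)
    "ap_groups": {"S1-Floor1": {1, 2}},                    # group: wlan ids
    "flex_groups": {"S1-Flex"},
}
SITE2 = {
    "mgmt_ip": "10.2.0.10",
    "mobility_peers": set(),                               # site 1 not listed
    "wlans": {1: ("Corporate", 210), 2: ("Guest", 120)},  # VLAN ID differs
    "ap_groups": {"S2-Floor1": {1, 2}},                    # S1 group not copied
    "flex_groups": {"S2-Flex"},
}


def failover_gaps(primary, backup):
    """Return what APs homed on `primary` would find missing on `backup`."""
    gaps = []
    # Assumption: each controller must list the other as a mobility peer.
    if primary["mgmt_ip"] not in backup["mobility_peers"]:
        gaps.append(f"mobility: backup does not list {primary['mgmt_ip']}")
    for wid, (ssid, vlan) in sorted(primary["wlans"].items()):
        other = backup["wlans"].get(wid)
        if other is None:
            gaps.append(f"wlan {wid}: missing on backup")
        elif other[0] != ssid:
            gaps.append(f"wlan {wid}: ssid {ssid!r} != {other[0]!r}")
        elif other[1] != vlan:
            gaps.append(f"wlan {wid}: vlan {vlan} != {other[1]}")
    for kind in ("ap_groups", "flex_groups"):
        for name in sorted(primary[kind]):
            if name not in backup[kind]:
                gaps.append(f"{kind}: {name!r} missing on backup")
            elif kind == "ap_groups" and primary[kind][name] != backup[kind][name]:
                gaps.append(f"ap_groups: {name!r} maps different WLANs")
    return gaps


if __name__ == "__main__":
    for label, a, b in (("site1->site2", SITE1, SITE2),
                        ("site2->site1", SITE2, SITE1)):
        for gap in failover_gaps(a, b):
            print(label, gap)
```

Run it in both directions, since each site is the other's backup in the design discussed here.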
