
HA N+1 Setup

jccr
Level 1

We will be having a deployment in which 2 sites both have an active and a standby WLC.

The APs in site 1 will connect to the WLC in site 1 and the APs in site 2 will connect to the WLC in site 2.

If both the active and standby WLC are down on site 1, the APs will connect to site 2.

May we ask what the configuration will be for both WLCs? Do we need to replicate the site 1 WLC config to the site 2 WLC? If yes, what configurations must be the same for this setup to work? Thanks in advance!

24 Replies

Scott Fella
Hall of Fame
If you want to be able to fail over to a different site that has different subnets, then you will need to look at FlexConnect with local switching. Either way, in any N+1 scenario, the configuration should be pretty much the same. This goes for WLAN, mobility, RADIUS, etc.
If you had differences in config, then during a failover, you would have devices that most likely fail to connect or fail when roaming. You don’t want that. So even at site 1, both controllers need to be configured the same if using N+1.
It’s not easy to just say what you need to do without really understanding the requirements and also understanding where and what each site has. Knowing more information might result in a totally different design.
-Scott
*** Please rate helpful posts ***

Hi Scott

Thanks for your response.

Can't we do that in local mode? Since each site has its own WLC. The only caveat in AP local mode is that the data traffic needs to pass through the WAN link every time. I'm just wondering what the configuration will be when we implement this kind of scenario. I'm thinking of how I will create AP groups for site 1 APs when I am in the site 2 WLC GUI, and switch configs, etc.

Not really a good design. If a site already has two WLC’s in SSO or N+1, why would you want to add the other site controller for redundancy? You are better off centralizing your WLC’s and running FlexConnect, depending on how far the sites are away from the controller. The issue of having two or more sites as a backup is the fact that sites are usually layer 3 adjacent, meaning that the interfaces on the WLC will be different, so devices connected on site 1 SSID A to site 2 SSID A will break. A good design is for redundancy, but not overly complex as that might cause you more problems. You also have to understand that when you set up N+1, you now have to create mobility between the controllers. This means the AP’s now know of all controllers in the same mobility group, thus AP’s can move to another controller, because they might have lost connection to the primary. So now, you will have users that associate to an AP on site 1 and roam to an AP that is in site 1 but joined to site 2, and that will cause auto anchoring to happen. That means the device is tunneled to site 2 and then anchors back to the site 1 controller. Now if AP1 in site 1 joins the site 2 controller, then users who initially associate to this AP will get an IP address from site 2, and then you have the auto anchoring happening again in the reverse direction I mentioned previously.
So again, this goes back to your requirements: why do you need this redundancy between sites? What happens when the link between the sites goes down? Are your subnets sized to handle all devices in each location in case the controller(s) goes down? What is your decision for local vs FlexConnect based on? How many AP’s on each site, how far are the sites, what is the bandwidth between sites, how many users per site on wireless, where are your RADIUS servers, DHCP servers, etc. You need to look at all these and make a good decision on the best design.
-Scott

why do you need this redundancy between sites

> Hi, Scott. 

 

why do you need this redundancy between sites?

It was proposed by our presales team and accepted by our client. I am just part of the implementation team. I know it is a lot of work to do and I have tried to search on the internet if there was already this kind of deployment. In Cisco docs, there is HA (active standby) and N+1 (1 controller is primary and the backup controller has no APs connected). I never saw this kind of deployment on the internet where 2 sites have active WLCs.

May I ask if you have already seen this kind of deployment?

Can you provide what was sold? Four controllers? Two on each site? Or two controllers, one at each site? How far are the sites away from each other and what’s the bandwidth and latency? You can design something without knowing these things.
-Scott

Hi Scott

 

Can you provide what was sold?

>5500 series controllers

 

Currently the existing setup is that we have active standby WLCs in site 1, and in site 2 there is no WLC but the APs are connected via FlexConnect.

Now, we will also be implementing active standby WLCs in site 2. Both sites will now have an active standby WLC. Site 2 WLCs will be set as backup controllers for site 1 and site 1 WLCs will be set as backup controllers for site 2.

For the APs

Site 1 APs

Primary --- (management IP of site1)

Secondary---(management IP of site 2)

 

Site 2 APs

Primary ----( management IP of site 2)

Secondary --- (management IP of site 1)

 

Sites are about 5-10 km away and connected via a 1G link.

Okay, so the end design is two N+1, N+1 at site 1 and another N+1 at site 2. So a couple things here. When you add the two controllers, I’m assuming 5520’s, at site 2, you will need to convert the AP’s from FlexConnect to local, this means that you will probably need to make changes at site 2. So again, if both site AP’s are in local mode, you can’t use the other site as a backup. If that is what they sold, it’s not a recommended design and it will not work well. When you have AP’s in local mode, all controllers need to have interfaces on the same subnet. This can’t happen if your sites are L3 adjacent. The only way you can get both sites to be used as redundant is if all AP’s are in FlexConnect mode because sites with different subnets can’t be used mixed in local mode like I mentioned in my other post. You will not find any documentation on this because it’s not a Cisco Valid Design.
-Scott

Just to be clear, your existing environment is like this?

Site 1 AP’s
Site 1 Primary
Site 1 Secondary

Site 2 AP’s
Site 1 Primary
Site 1 Secondary

Your new design should be as follows:

Site 1 AP’s
Site 1 Primary
Site 1 Secondary

Site 2 AP’s
Site 2 Primary
Site 2 Secondary
-Scott

Hi, Scott.

 

 

The end state will be that each site will have an HA SSO deployment, meaning in site 1 there is an active and hot standby WLC, and also in site 2. All the APs are in local mode.

Will this setup work? I'm really not sure what the configuration will be. For example, site 1 WLCs are down and APs will associate to site 2 WLCs; how will we configure the AP groups for site-1-APs in the GUI of the site 2 WLC? If we implement a mobility group, can the site-2-WLC see the APs in site 1 for us to create AP groups for site-1-APs?

 

Okay... SSO on both sites doesn’t require the other site for backup. The problem again is that the user subnets when in local mode are not the same between sites. You need to remember that when you set up N+1, all AP’s will know of all controllers in the mobility group. This is dangerous in your case because AP’s can accidentally join the standby controller (other site). Doesn’t matter if you configure high availability on the AP’s, it just happens at times. That is when things might break.
If you want to set this up so that one site backs up the other, all WLANs need to be configured the same with the same WLAN ID, and all AP groups with SSID’s need to be defined properly. The only things that will be different are the hostname, system prompt and interface address.
-Scott

Hi, Scott

 

So for example, my guest subnet in site 1 is 192.168.1.0/24. When site 1 is down, the access points in site-1 will associate to the site-2-WLC. Do I need to prepare an interface in site-2-WLC for the guest subnet in site 1?

 

Site 1 subnet

Guest - 192.168.1.0/24

Guest subnet when site 2 wlcs are down - 192.168.100.0/24

 

Site 2 subnet

Guest - 172.16.1.0/24

Guest subnet if site 1 is down - 172.16.100.0/24

 

 

I hope you get what I am saying.

When an AP moves from one controller to another, it picks up the configuration of the newly associated controller. So a guest user in site 1 is connected to an AP in site 1 and the AP is joined to the site 1 controller. The traffic is tunneled to the site 1 controller and will use the interface defined on the controller. When a guest in site one connects to an AP in site 1 but joined to the site two controller, the traffic is tunneled to the controller and egresses the interface defined. Doesn’t matter what subnet it’s on, users will have to disconnect and reconnect depending on whether the device still has an IP address on site 1.
If your AP’s at site 1 are joined to both the site 1 controller and the site 2 controller, this can happen: users that roam from AP’s joined to different controllers will create an auto anchor, which will then create another tunnel back to the other site.
I don’t think anyone here would deploy that design, but that is up to you and your team. If you do end up having a lot of issues, the fix will be to break the mobility between the two sites.
-Scott

Hi, Scott.

 

Thank you for all your inputs regarding this inquiry. I think we need to talk about this scenario. I will update this post on the final setup if we still continue with this one. Thanks again.

No problem. If you do take a look at any N+1 guides, the controller interfaces reside in the same subnets. FlexConnect guides will show controllers in different locations for redundancy. It’s something you probably need to talk to the pre-sales engineers about and try to understand how they decided on that. I don’t think they really thought it through. There is a reason the existing design had both N+1 controllers at the same site and the remote site was using FlexConnect. They wanted redundancy for the primary site so N+1 was the best design, but local mode AP’s on site 2 was not a good design so that was import with FlexConnect. If FlexConnect was working fine in their environment, then both site AP’s should be in FlexConnect with local switching and you can have redundancy.
-Scott