
How to deploy HA between 2 sites with each having 2 WLC working as SSO

mm-501
Level 1
Hi guys,
I'm struggling with a situation at my work that needs to be deployed.

In our current situation, we have multiple branches that contain APs connected to a single WLC in one site, which is considered a SPOF.

In our case we have 2 sites; let's name them A and B.
We intend to deploy a separate wireless network in sites A and B, with 2 WLCs in each working as HA, making it 4 in total (primary and secondary in each site), which I believe is called stateful switchover (SSO).
In addition, we want the WLCs in the 2 sites to work as a backup for each other, so for example in case of any complete shutdown or lack of consumed power in site A, the APs will directly connect to the WLC in site B with an unnoticeable delay, and reconnect to the WLC in site A when it powers on again.
We have multiple other small branches, but they connect to one of the A or B sites depending on the distance.

Any hint will be helpful.
12 Replies

Two sites, two WLC SSO: I don't think it works; WLC SSO needs an L2 connection.

Best is to configure two WLCs and make the AP select the closest WLC.

MHM

marce1000
VIP

> ...so for example in case of any complete shutdown or lack of consumed power in site A, the AP's will directly...

OK, but will the APs then remain alive too? Will it be reasonable to keep a wireless service running for customers?
Anyway, you can look at N+1 redundancy between HA-SSO pairs on different sites, for instance.

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

I'm afraid my idea wasn't clear enough; I will try to explain with an illustrative image.

So, let's imagine that in Site the controller management IP is 192.168.1.50/24, with its own standby controller if it fails.

The other site's controller management IP is 1.1.1.50/24, with its own standby controller if it fails.

I want that, if both the primary and secondary controllers in site A fail, all its APs and WLANs migrate to the controller in site B until the primary controller in site A reconnects, and vice versa.

 

Hello @mm-501 

One possible scenario for you would be for the APs from site A to have the WLC cluster management IP address from site B as a secondary WLC in the AP availability tab. You can do the same on site B using the management IP address from site A.

This way, if one side goes down, the AP will migrate to the other side, and this is called HA N + 1.

Keep in mind, however, that during the AP migration there will be client disconnections as the AP will reload.

For WLC 9800 look at "Configuration on Access Points"

https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-4/deployment-guide/c9800-n-plus-1-high-availability-wp.pdf

 

 

Meaning, is it impossible to have N+1 and SSO at the same time?

Actually, the idea I provided uses both at the same time. The HA SSO will be used between WLCs on the same site; this is what you have today.
The N + 1 is done by pointing the high availability tab on the AP to the other site in the Secondary WLC option.

Hello Flavio,

Actually, from my point of view it appears to me that you are talking about a different situation. You can see in the attached picture that what I'm saying is that each DC will have SSO between primary and secondary.

First of all,

the AP discovers only the IP of the active WLC of the SSO pair.

So now we have two IPs:

the IP of the WLC SSO of DC1 and the WLC SSO of DC2.

You can configure primary and secondary IPs, but the issue is that all APs will join the primary, and if it fails then they will use the secondary.

Or we can set some AP number limit to make some load sharing between the two sites, but that does not make sure an AP in DC1 joins the WLC SSO in DC1; it can join the WLC SSO in DC2.

That is my view of this issue.

MHM

You need to think about WLCs in HA SSO as one WLC. Once you have joined an AP to a WLC which is part of an HA SSO cluster, from the AP's perspective it is as if it joined one WLC. If one WLC crashes, the other takes over, and this is totally transparent to the AP and clients.

Now you want redundancy between data centers. Between data centers you are not going to have HA SSO, because you cannot have HA SSO between more than two WLCs. The only way to have redundancy between data centers in this case is using N + 1, which you can achieve by adding the other data center's WLC on the High Availability tab of each access point.

Rich R
VIP

@mm-501 that's exactly how we run our networks for 99.999% availability of over 23,000 APs and allowing for total DC failure.

HA pair 1 in DC1 (WLC1) + HA pair 2 in DC2 (WLC2)
AP is configured for N+1 redundancy with WLC1 as HA primary and WLC2 as HA secondary or vice versa (we split them across the 2 so we would never lose more than half in case of a DC failure).

- You should configure mobility between the 2 WLCs.
- APs do not reboot when moving between the WLCs (as Flavio suggested) they simply do a CAPWAP restart.
- Obviously you need to maintain the exact same config on both WLCs.  Keep the AP groups and WLANs identical - even the same order of WLANs in the AP group as there have been numerous bugs over the years triggered by differences.
- Keep the same code version on both WLCs.
- Since either WLC could have to support all APs you should never fill either beyond 50% capacity or licenses.

APs and clients should not have any disruption in case of a local SSO switchover (in theory but sometimes they might anyway...) and there's a short interruption if you lose one DC and the AP has to move to the other DC. If you use flexconnect local switching and authentication then the clients will not be affected at all because the AP can go to standalone mode without affecting clients. We use "config advanced timers ap-primary-discovery-timeout 600" so generally an AP should switch back to primary WLC within 10 minutes of the WLC coming back online.  Configure your DHCP option 43 for both WLCs, in whichever order you want the AP to use them as primary/secondary so it can always find a WLC on bootup.

ps: What WLCs are you using?
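
An added example, not part of the reply above: a small Python audit of the N+1 design it describes, checking that every AP lists the other site as fallback, that neither WLC runs above 50% in normal operation, and that either WLC can hold its worst-case load. It also builds the DHCP option 43 value in Cisco's lightweight-AP sub-option format (type 0xf1). The AP names and capacities are constructed; the two IPs are the management addresses used earlier in the thread.

```python
import ipaddress

def option43_hex(wlc_ips):
    """Cisco lightweight-AP sub-option: type 0xf1, length 4*N, then N IPv4
    addresses in the order the AP should try them."""
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    return (bytes([0xF1, len(packed)]) + packed).hex()

def audit_n_plus_1(aps, capacity):
    """aps: {ap_name: (primary_wlc, secondary_wlc)}; capacity: {wlc: max_aps}.
    Returns findings; an empty list means either site can fail without stranding APs."""
    findings = []
    normal = {w: 0 for w in capacity}   # APs homed on each WLC day to day
    worst = {w: 0 for w in capacity}    # APs each WLC holds if the other site is down
    for name, (pri, sec) in sorted(aps.items()):
        if pri not in capacity or sec not in capacity:
            findings.append(f"{name}: unknown WLC in {(pri, sec)}")
            continue
        if pri == sec:
            findings.append(f"{name}: primary and secondary are both {pri}")
        normal[pri] += 1
        for wlc in {pri, sec}:
            worst[wlc] += 1
    for wlc, cap in sorted(capacity.items()):
        if normal[wlc] * 2 > cap:
            findings.append(f"{wlc}: {normal[wlc]} APs exceeds 50% of capacity {cap}")
        if worst[wlc] > cap:
            findings.append(f"{wlc}: {worst[wlc]} APs on failover exceeds capacity {cap}")
    return findings

# Constructed sample inventory (AP names and capacities are made up).
SAMPLE_APS = {
    "ap-a1": ("WLC1", "WLC2"),
    "ap-a2": ("WLC1", "WLC2"),
    "ap-b1": ("WLC2", "WLC1"),
    "ap-b2": ("WLC2", "WLC2"),   # misconfigured: no other-site fallback
}

if __name__ == "__main__":
    print(option43_hex(["192.168.1.50", "1.1.1.50"]))
    for finding in audit_n_plus_1(SAMPLE_APS, {"WLC1": 4, "WLC2": 4}):
        print(finding)
```

Run against an export of the real AP high-availability settings, an empty findings list is the condition under which losing either data center leaves every AP with a controller that has room for it.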

Sorry, forgive me if I'm a little bit confused now; are you suggesting that we deploy the situation as in the attached figure?

Yes, which matches the first diagram you attached.  The SSO configs automatically stay in sync (that's what SSO redundancy does) so you treat the SSO pair as a single WLC (from AP point of view).  So you just need to keep the configs in sync between site A and site B.

Your second diagram shows 3 sites with SSO WLC in site A and single WLC at sites B & C - also possible.
