
N+1 High Availability

MUQ_1899_
Level 1

We have a customer with two sites connected via site-to-site VPN. In each site there is a local WLC - 2504 which serves each location. All the guides I find explain that the backup controller has to be an HA-SKU.

Would it be a problem if I configure for the APs in the first location the controller in the other as backup and vice versa? We have enough licenses.

Accepted Solutions

Cisco allows for more than one scenario when it comes to redundancy. The information you have found about HA-SKU is correct, but it does not mean you cannot do it in a different way.

HA-SKU is for AP/CLIENT SSO redundancy and is nice because one WLC need not have licenses, lowering project cost. But if you have two normal WLCs with up to 50 AP licenses, you can set up AP/CLIENT SSO redundancy normally as well.

Considering the scenario where the WLCs are in different places interconnected by VPN, HA-SKU will not work for you. To have SSO redundancy with HA-SKU you need to have both WLCs in the same place, interconnected via the Redundant port, and one of them will be hot-standby whilst the other one will be the active.

The best solution for you is exactly what you said. Configure APs in the first location to the WLC in the other as backup and vice versa. Just make sure you have connectivity and your link meets the minimum requirements.

To make it even better, go to the Wireless tab on the WLC web page, Global Configuration, and under High Availability configure Back-up Primary Controller IP Address(Ipv4/Ipv6) and Back-up Primary Controller name in both WLCs. If one WLC goes down and your network is ok, APs will be available again on the other WLC pretty fast.

But not everything is perfect here! If your APs are in Local mode, they will transport all the client traffic to the other site, passing through your VPN. Depending on the number of clients, this can create a huge bandwidth problem for your WAN link.

On the other hand, if your APs are in Flexconnect mode, take care with the VLAN configuration.


3 Replies

What about downtime if all the APs are in Flexconnect mode - central auth / local switch and N+1 redundancy? When the primary controller fails, all APs should continue to serve the authenticated clients. Will there be any downtime during the registration of the APs to the backup controller?

They will if they do not try to reassociate to another WLC.

When reassociating, they will reboot and all clients will have to reauthenticate again.

Keep in mind that this redundant mode is not meant to be seamless. It only helps you to have all APs available again after the primary WLC has crashed.
