11-05-2010 05:24 AM - edited 07-03-2021 07:22 PM
Hello!
The network is purely for testing and educational purposes only. It is not connected to any real networks.
We have 2 Cisco 2811 routers with integrated nm-air-wlc6 modules. We are trying to build a redundant solution.
The routers are connected to a 3560 switch, which is connected to a 2800 series router (simulating the Internet in our network).
Behind the "Internet" we have a Linux DHCP server. The access points are also connected to the switch.
Redundancy works and the access points transfer over to the secondary (WLC2) controller. The problem is that the IP of the end user PC changes from 172.16.50.x to 172.17.50.x, which causes the connection to be lost.
Is there a way to prevent this from happening, or are we completely on the wrong track? Or is redundancy even possible with the current devices? See the attached picture for more detail.
We are banging our heads against the wall and we would like some help, please.
Thanks,
Two students from Finland
11-07-2010 01:33 AM
Hi,
Well, the problem is quite straightforward. The fact that APs change their IP address would not be relevant at all.
However, client PCs change their IP address because the client subnet is configured with different ranges on WLC 1 and WLC 2.
After the APs failed over, how would the backup WLC serve the clients in their "old" subnet if it has no interface for that?
Just configure the same IP range on both WLCs for the user subnet and you should be good.
Regards,
Nicolas
11-10-2010 02:16 AM
Hi!
Thanks for the reply.
We know that, but how is it possible to have the same subnet in two different locations (behind two different routers)? I think we already tried that and there were some problems (packets got lost etc.).
We will test it again asap.
11-10-2010 02:34 AM
This is not like having the same subnet on 2 routers. WLC are not routers by the way.
What you need is one and only interface for that subnet, acting as the gateway.
Both WLCs have a dynamic interface in that subnet (.2 and .3 for example) and their SSIDs are attached to that interface. Since they point to the same DHCP server, the IP addressing will stay synched.
If you want full redundancy, go with a shared gateway mechanism on the routers, like HSRP for example.
So in the end it won't be "2 times the same subnet in different places of the network" but "the subnet spreading over the 2 routers and 2 WLC".
Complete example of addressing :
Router 1 interface ip : 172.16.50.2
Router 2 interface ip : 172.16.50.3
shared HSRP ip : 172.16.50.1
WLC 1 ip : 172.16.50.4
WLC 2 ip : 172.16.50.5
The DHCP pool can be pointing to .1, or if you split half the pool on one router and the other half on the other you point ".2" and ".3" as being DHCPs on your WLC.
Nicolas
11-11-2010 11:59 PM
This is not like having the same subnet on 2 routers. WLC are not routers by the way.
We know that, but in our case the controllers (modules) are integrated in 2811 routers and we can't bypass the routers and therefore we have no way to directly access the controllers.
We have routers connected to 172.16.10.0/24 subnet with interface F0/0 and controller is connected to router via internal connection (wlan-controller1/0). In R1 (and WLC1):
And controller's side is .100. I hope this clarifies things a bit.
Thanks.
11-12-2010 12:04 AM
Don't you have a way to trunk the VLAN between the 2 routers? The goal is to have the VLAN spanning across the 2 routers and having both routers act as gateway.
You wrote:
wlan-controller1/0.50 172.16.50.1 (end-users)
What about configuring the same (with a different IP) on the other router, and then you just have to allow VLAN 50 between the 2 routers, no?
Nicolas
11-12-2010 04:54 AM
Not sure what you mean, but we decided to try making a bridge to bypass the router. However, we are unable to get it to work. We trunked the link from the switch to R1 and from the switch to "Internet". We are unable to ping from "Internet" to the WLC's management address. The problem is basically in the bridge(?)
In the WLC config we have 172.16.10.10 for management and 172.16.10.11 for ap-manager. On the switch, VLAN10 is native, and so it is on "Internet". If we manage to get this working with only one router/WLC, adding a second one would be easy.
Here is some config from our "R1" and "Internet":
R1:
bridge irb
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
!
interface FastEthernet0/0.10
encapsulation dot1Q 10 native
bridge-group 10
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
bridge-group 50
!
interface wlan-controller1/0
ip address 172.16.1.1 255.255.255.252
!
interface wlan-controller1/0.10
encapsulation dot1Q 10 native
bridge-group 10
!
interface wlan-controller1/0.50
encapsulation dot1Q 50
bridge-group 50
!
bridge 10 protocol ieee
bridge 10 route ip
bridge 50 protocol ieee
bridge 50 route ip
Internet:
interface FastEthernet0/0.10
encapsulation dot1Q 10 native
ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
ip address 172.16.50.1 255.255.255.0
!
interface FastEthernet0/1
ip address 192.168.25.1 255.255.255.0
duplex auto
speed auto
!
11-12-2010 05:25 AM
If you put the controller 0.50 in bridge-group 50, then you need the fastethernet0.50 to be in bridge-group 50 as well.
You also need "bridge 50 protocol ieee".
And last but not least, bridge groups require the ip to be on the BVI50 and not the fastethernet.
Nicolas
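The three points in the reply above (both sub-interfaces in the same bridge group, a "bridge N protocol ieee" line, and the IP address on BVI N rather than on the bridged interface), written as a small config check. This is an added example, not part of the original thread; the function name check_irb and the "bridge N route ip" check (taken from the posted configs, not from the reply) are assumptions, and the sample config is abridged from the R1 config posted earlier.

```python
import re
from collections import defaultdict

# Abridged from the R1 config posted above (VLAN 50 only, indentation added).
BROKEN = """\
bridge irb
interface FastEthernet0/0.50
 encapsulation dot1Q 50
 bridge-group 50
interface wlan-controller1/0.50
 encapsulation dot1Q 50
 bridge-group 50
bridge 50 protocol ieee
bridge 50 route ip
"""
# Constructed fix: the same config plus a BVI that carries the IP address.
FIXED = BROKEN + "interface BVI50\n ip address 172.16.50.1 255.255.255.0\n"

def check_irb(config):
    """Return a list of problems found in an IOS IRB bridging config."""
    members = defaultdict(list)      # bridge-group number -> member interfaces
    has_ip, globals_ = set(), set()  # interfaces with an IP; global bridge lines
    iface = None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"bridge-group (\d+)$", line):
            members[m.group(1)].append(iface)
        elif re.match(r"ip address \d", line):   # does not match "no ip address"
            has_ip.add(iface)
        elif line.startswith("bridge "):
            globals_.add(line)
            iface = None
    problems = []
    if "bridge irb" not in globals_:
        problems.append("missing 'bridge irb'")
    for grp, ifs in sorted(members.items(), key=lambda kv: int(kv[0])):
        if len(ifs) < 2:
            problems.append(f"bridge-group {grp}: only {ifs} is a member")
        for want in (f"bridge {grp} protocol ieee", f"bridge {grp} route ip"):
            if want not in globals_:
                problems.append(f"missing '{want}'")
        if f"BVI{grp}" not in has_ip:
            problems.append(f"bridge-group {grp}: no IP address on BVI{grp}")
        problems += [f"{i}: IP address on a bridged interface"
                     for i in ifs if i in has_ip]
    return problems
```

Run against the abridged config, the only finding is the missing BVI address, which is the last point of the reply.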
12-03-2010 01:09 AM
Hello again! Sorry about the delay.
We finally managed to solve our problems. We basically just bridged the WLC routers (made them L2 devices), trunked the links between routers and the switch and created sub-interfaces on "Internet" router. We also had to use the "Internet" router's FastEthernet port 0/0's sub-interfaces as gateways for the controllers.
Here is some of our configuration on R1:
bridge irb
!
interface FastEthernet0/0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
!
interface FastEthernet0/0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
!
interface FastEthernet0/0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
!
interface wlan-controller1/0
no ip address
no ip route-cache
!
interface wlan-controller1/0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
!
interface wlan-controller1/0.10
encapsulation dot1Q 10
no ip route-cache
bridge-group 10
!
interface wlan-controller1/0.50
encapsulation dot1Q 50
no ip route-cache
bridge-group 50
!
interface wlan-controller1/0.100
encapsulation dot1Q 100
no ip route-cache
bridge-group 100
!
interface BVI1
ip address 172.16.1.1 255.255.255.0
!
interface BVI10
ip address 172.16.10.1 255.255.255.0
no ip route-cache
!
interface BVI50
ip address 172.16.50.1 255.255.255.0
no ip route-cache
!
interface BVI100
ip address 172.16.100.1 255.255.255.0
no ip route-cache
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
bridge 50 protocol ieee
bridge 50 route ip
bridge 100 protocol ieee
bridge 100 route ip
On R2 the config is the same except the IP addresses (.2).
Also, an IP address had to be temporarily assigned to the wlan-controller1/0 to access it the first time and configure all the necessary things. After that we removed the address, and all the future connections to the controller had to be made with telnet (port 2066) or with webmode.
Now the clients are able to maintain the same IP address when the other controller goes down.
Thanks for all your help and patience!