Buy or Renew
Buy or Renew
Cisco Virtual Engineer generative AI bot now active in Wireless Discussion Forum. Learn more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1283
Views
0
Helpful
5
Replies

Remove 5520 SSO & Using 1x WLC on 1x subnet and the other on another subnet

Jay_F
Level 1
Level 1

‎03-24-2021 07:02 AM - edited ‎07-05-2021 01:02 PM

Hi,

We currently have 2x 5520's in an SSO pair. I'd like to break the SSO and continue to use the 1x WLC at our Primary site and take the other 5520 to our backup DR site. At other sites we are using 2504's as foreign controllers in a HA pair, which are EOL and are not compatible for use with new APs 9120's. The current AP's are on private ip addressing. My plan was to remove the old 2504's and install the new 9120 AP's and configure with routable IP addresses. So effectively having 2x 5520 controllers at 2x separate sites (primary & DR) and having routable IP's on the AP's located at various other sites (different subnets). Is this even possible?, having AP's on different subnets connecting back to a controller on another subnet i.e primary, and if we lose this wlc that the AP's can connect to the DR wlc ?

Hoping you have some ideas on how this could be configured.

Thanks.

Labels:
0 Helpful
5 Replies 5

patoberli
VIP Alumni
VIP Alumni

‎03-25-2021 06:07 AM

This should be possible if both run standalone. Just make sure that the CAPWAP ports are reachable to the management interface of both WLC (if you want to use the second for backup). 

One big downside to this, both need to be fully licensed for the amount of APs that might connect in a failure situation to it.

Also make sure to have mobility-groups correctly working, if APs from one location might be connected to the two different WLC. 

0 Helpful

Jay_F
Level 1
Level 1
In response to patoberli

‎03-25-2021 06:46 AM

Thanks - is this called inter controller layer 3 roaming or inter subnet roaming?

0 Helpful

patoberli
VIP Alumni
VIP Alumni
In response to Jay_F

‎03-25-2021 08:05 AM

That would then be layer 3 roaming. I would try to avoid that though and never have one sites APs be connected to different WLC. 

0 Helpful

Rich R
VIP
VIP
In response to patoberli

‎03-25-2021 07:07 AM - edited ‎03-25-2021 07:09 AM

Pat has answered most of it for you already but some points to add:

- as Pat said you'll need to buy the same licenses for the 2nd WLC as you currently have on primary (they can't share like SSO)

- yes you absolutely can do that - we do that everywhere (thousands of sites).  Your APs do not need to be internet routable and actually better to keep them isolated on private addressing for security.  Only your WLC (CAPWAP ports UDP 5246 & 5247) needs to be internet reachable.  Just NAT (PAT) the AP CAPWAP traffic on your internet router like you would for any other traffic going to internet.

- Like Pat said make sure mobility is up between the WLCs.  Configure primary and secondary HA WLC on the APs.  You could even split them across the 2 so that a failure would mean only half have to fail over to the other WLC.

- Only thing to watch for is NAT translation timeouts when the AP switches to the other WLC - IOS may keep trying to use the old translation.  We used "config advanced timers ap-primary-discovery-timeout 600" to work around that, and also have EEM script to clear NAT translation entries on routers in case of a local failure that requires NAT to switch to a different backhaul eg from ethernet to dialer.

- And use option 43 on your DHCP to set the primary and secondary WLC for the APs so they can join either directly from the moment you plug them in.

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.190.0, latest 9800 releases, 8.5.182.11 (8.5 mainline) and 8.5.182.108 (8.5 IRCM)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
0 Helpful

Jay_F
Level 1
Level 1

‎04-09-2021 04:16 AM

Could anyone confirm what would happen if I was to disable the SSO on the 5520 controller? or best approach to disabling this when AP's are already connecting. I presume the AP's will then remain on what was the existing primary controller before it was setup to be SSO. Any advice greatly appreciated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card