03-24-2021 07:02 AM - edited 07-05-2021 01:02 PM
Hi,
We currently have 2x 5520s in an SSO pair. I'd like to break the SSO and continue to use the 1x WLC at our Primary site and take the other 5520 to our backup DR site. At other sites we are using 2504s as foreign controllers in an HA pair, which are EOL and are not compatible for use with the new 9120 APs. The current APs are on private IP addressing. My plan was to remove the old 2504s, install the new 9120 APs and configure them with routable IP addresses, so effectively having 2x 5520 controllers at 2x separate sites (primary & DR) and routable IPs on the APs located at various other sites (different subnets). Is this even possible, having APs on different subnets connecting back to a controller on another subnet, i.e. primary, and if we lose this WLC, that the APs can connect to the DR WLC?
Hoping you have some ideas on how this could be configured.
Thanks.
03-25-2021 06:07 AM
This should be possible if both run standalone. Just make sure that the CAPWAP ports are reachable on the management interface of both WLCs (if you want to use the second for backup).
One big downside to this, both need to be fully licensed for the amount of APs that might connect in a failure situation to it.
Also make sure to have mobility groups correctly working if APs from one location might be connected to the two different WLCs.
03-25-2021 06:46 AM
Thanks - is this called inter-controller layer 3 roaming or inter-subnet roaming?
03-25-2021 08:05 AM
That would then be layer 3 roaming. I would try to avoid that though and never have one site's APs connected to different WLCs.
03-25-2021 07:07 AM - edited 03-25-2021 07:09 AM
Pat has answered most of it for you already but some points to add:
- As Pat said, you'll need to buy the same licenses for the 2nd WLC as you currently have on primary (they can't share like SSO).
- Yes, you absolutely can do that - we do that everywhere (thousands of sites). Your APs do not need to be internet routable, and it's actually better to keep them isolated on private addressing for security. Only your WLC (CAPWAP ports UDP 5246 & 5247) needs to be internet reachable. Just NAT (PAT) the AP CAPWAP traffic on your internet router like you would for any other traffic going to the internet.
- Like Pat said, make sure mobility is up between the WLCs. Configure primary and secondary HA WLC on the APs. You could even split them across the 2 so that a failure would mean only half have to fail over to the other WLC.
- The only thing to watch for is NAT translation timeouts when the AP switches to the other WLC - IOS may keep trying to use the old translation. We used "config advanced timers ap-primary-discovery-timeout 600" to work around that, and also have an EEM script to clear NAT translation entries on routers in case of a local failure that requires NAT to switch to a different backhaul, e.g. from ethernet to dialer.
- And use option 43 on your DHCP to set the primary and secondary WLC for the APs so they can join either directly from the moment you plug them in.
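The option 43 value mentioned in the last point has a fixed layout for Cisco lightweight APs: a single vendor-specific TLV with type 0xF1, a length of 4 bytes per controller, and each WLC management address packed as 4 raw bytes. The helper below, added here as an example and not code from this thread or from Cisco, builds that value for a list of controllers, parses it back for checking, and prints it in plain hex and in the dotted-hex form used in an IOS `ip dhcp pool` (`option 43 hex ...`). The controller addresses and pool name are constructed sample values, not anyone's real deployment.

```python
import ipaddress

# Sub-option type Cisco lightweight APs look for inside DHCP option 43.
CISCO_WLC_SUBOPTION = 0xF1


def encode_option43(controllers):
    """Build the option 43 value (bytes) listing the given WLC management IPs.

    Layout: type 0xF1, length (4 * number of controllers), then each IPv4
    address as 4 big-endian bytes. Order matters: the AP tries them in order.
    """
    if not controllers:
        raise ValueError("at least one controller address is required")
    payload = b"".join(ipaddress.IPv4Address(c).packed for c in controllers)
    if len(payload) > 255:
        raise ValueError("too many controllers for a single TLV")
    return bytes([CISCO_WLC_SUBOPTION, len(payload)]) + payload


def decode_option43(raw):
    """Parse the TLV back into dotted-quad strings, rejecting malformed input.

    Useful for checking a value copied out of an existing DHCP server config
    before trusting it: a wrong length or trailing garbage is a common typo.
    """
    if len(raw) < 2 or raw[0] != CISCO_WLC_SUBOPTION:
        raise ValueError("not a Cisco WLC sub-option (expected type 0xF1)")
    length = raw[1]
    body = raw[2:]
    if length != len(body) or length % 4 != 0:
        raise ValueError("length field does not match payload")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def as_hex(raw):
    """Plain hex string, as used by most non-IOS DHCP servers."""
    return raw.hex()


def as_ios_hex(raw):
    """IOS-style dotted hex in groups of four hex digits."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, len(h), 4))


def ios_pool_lines(pool_name, network, mask, controllers):
    """Render an IOS DHCP pool fragment carrying the option 43 value.

    Pool name, network and mask are placeholders supplied by the caller.
    """
    raw = encode_option43(controllers)
    return [
        f"ip dhcp pool {pool_name}",
        f" network {network} {mask}",
        f" option 43 hex {as_ios_hex(raw)}",
    ]


if __name__ == "__main__":
    # Constructed sample: primary WLC first, DR WLC second.
    sample = ["192.168.1.1", "192.168.2.1"]
    raw = encode_option43(sample)
    print("plain hex :", as_hex(raw))
    print("IOS hex   :", as_ios_hex(raw))
    print("round trip:", decode_option43(raw))
    print("\n".join(ios_pool_lines("AP-POOL", "10.10.10.0", "255.255.255.0", sample)))
```

Listing the primary WLC first and the DR WLC second matches the primary/secondary split described above; the decoder is there so a value lifted from a Windows or ISC DHCP configuration can be checked for a bad length byte before APs are pointed at it.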
04-09-2021 04:16 AM
Could anyone confirm what would happen if I were to disable the SSO on the 5520 controller, or the best approach to disabling this when APs are already connecting? I presume the APs will then remain on what was the existing primary controller before it was set up as SSO. Any advice greatly appreciated.