05-12-2024 12:13 AM - edited 05-12-2024 12:15 AM
Dear Gents,
What are the recommendations that should be followed if we have a local site with wireless APs operating in Local Mode and registering on a local Primary WLC on the same network. and in the case of Primary WLC failure, the APs will register on a secondary WLC which his hosted on over internet in a remote site. and we need to have the AP to register in Local mode.
Are the below are fine or is there some more points to considered:
1- Internet link latency should be 100 ms.
2- IPSec Tunnel should be established between Remote Site and Local Site to access the private IP of the WLC on Remote Site
3- WLC in Remote Site will be Secondary WLC while WLC in Local Site will be Primary WLC and their configuration should always be identical and managed by the network administrator.
attached 3 pages will explain this scenario in diagrams.
BR
05-12-2024 07:41 AM
1. For APs in local mode latency should be <20ms:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-6/b_Cisco_Wireless_LAN_Controller_Configuration_Best_Practices.html
For flexconnect mode APs latency should be <300ms:
https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/112042-technote-wlc-00.html
2. If the WLC does not have a public IP then yes you will need some means of tunnelling the traffic between the APs and WLC between the private IPs on the two sites and that could be IPSEC.
3. Correct.
Depending on how the WLANs are configured (and which features they use) you might need to change the APs to flexconnect mode. For example when you use MAB with radius and central authentication APs in local mode are prone to association timeouts causing problems for clients if latency to WLC ever gets close to or exceeds 20ms. So I would recommend changing your APs to flexconnect mode if you plan to use this setup. That allows the AP to manage client association locally while the central authentication takes place preventing client association timeouts.
05-13-2024 02:07 AM
Thanks for the prompt reply.
So, if the (20 ms) is not guaranteed on the internet link and if we considered to operate the Wireless AP in FlexConnect mode (as a better option for above senario) can you support me on the below:
1- will the AP in FlexConnect mode register to the Local Primary WLC on the local network as its main primary WLC controller and when the Local Primary WLC fails then the AP in FlexConnect mode can failover and register to the remote WLC over the internet with no need for a VPN tunnel over the internet. and we shall guarantee that the internet link latency should be 100 ms. see attached diagram 3 pages.
2- what we will lose feature wise if we operate the APs in flex connect mode vs operating them in local mode in our scenario
BR
05-13-2024 02:58 AM
1. Local/Flexconnect mode makes no difference to which WLC the AP registers with first. That is determined by the Primary/Secondary/Tertiary WLC AP HA settings. The AP will need internet access (on UDP 5246 and 5247) and the WLC will need a public IP if you want it to be remotely accessible over the internet. Obviously you should have appropriate firewall and protection in place for anything you expose to the internet in this way and ensure that only your own APs can register to the WLC (AP authentication).
2. There is a small list of features which are only supported in Local Mode and some features may have specific restrictions but as long as you keep using central authentication and central switching for your WLANs 99% of regular features will keep working just as before. Check the config guides for any features you are using to make sure none of them are restricted/limited in flexconnect mode.
05-13-2024 03:09 AM
Again Many thanks for your ultimate support.
Can I configure the AP to register in (local mode) for the Local Primary WLC, and in case the Local Primary WLC fails then the AP will register in (FlexConnect mode) for the Remote Secondary WLC located over the internet ? or it is a must to operate the AP either in FelxConnect mode OR Local mode ? and we can't mix the mode of operation on the AP ?
05-13-2024 03:18 AM
The AP must be in Local or Flexconnect mode - there is no auto-changing of mode.
You can have some APs in Local and some in Flexconnect - there's no restriction on that but you will need to make sure any feature you configure is compatible with both AP modes if you mix them (which I generally wouldn't recommend)
05-14-2024 12:15 AM
your support is highly appreciated.
So, as a conclusion since the AP works only in one mode. lets say for our scenario we configure the AP to work in FlexConnect mode and its Primary WLC located at the local network with a private IP and the Secondary Controller is located over the internet with a public IP and we need to make sure that the internet latency is in range of 300 ms and it is better to be 100 ms. the APs will be configured with (local switching) and the (AAA server) will be located at the local site.
So, my question if the Primary Controller goes down then the estimated failover time is between 45 to 80 seconds for the AP to register to the secondary WLC over the internet. is that right ?
BR
05-14-2024 01:55 AM - edited 05-14-2024 01:56 AM
There is a little bit of variability in the failover time but you can tune it.
Check the blog of one of our community experts on the subject:
https://mrncciew.com/2013/04/07/ap-failover/
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide