
Temporarily stop AP's from associating with a WLC?

nstrech
Level 1

I’m currently faced with a situation where WCS is in place and two WLC’s have been configured. A controller template was not used for the original setup; both WLC’s were configured independently.

- WLC1 is currently up and running with a nice configuration.

- WLC2 is currently offline and is not configured correctly.

The catch is that a few hundred AP’s point to WLC2 as their primary controller. Is there a way to bring WLC2 online in some sort of administratively down state so that the AP’s don’t connect to it? (Note that I can currently access WCS2 via the service port)

I’d like to bring it online so that I can first create a new template using the config on WLC1 and then push that working config to WLC2. Only then would I like to allow AP’s to connect back to WLC2.

If what I mentioned is not possible I guess I have a second question. Does changing the ‘primary controller’ setting on the AP’s interrupt the wireless service if they’re already connected to the desired WLC? I could then make all AP's point to WLC1 as their primary, allowing me to bring the mis-configured WLC2 online.

We cannot have any wireless downtime.

Thanks in advance!

Nate


weterry
Level 4

What is your primary concern here?

Is it that when you turn on WLC2, all your APs pointing to it are going to drop off WLC1 and move to WLC2?

If that is the case, then I would just disable AP Fallback on the WLC1, which is the feature that instructs an AP to look for and go to its primary if available. With this feature disabled, the only APs that are going to go to WLC2 are the ones that are rebooted or go into discovery mode from some other network.

With that said, it would probably be easy to just push a new AP Configuration template which sets the primary WLC (and IP) to be WLC1. You can always push the template back to correct the configuration when you are ready (again, turn off AP fallback or the APs will move within a minute or two of you configuring a different primary controller name).

Another possible solution would be to just rename WLC2 before it is connected to the network and then APs wouldn't consider it the primary as the name doesn't match...

Bottom line though, I believe there is no current method to have an "online" WLC reject AP Discovery/Join (as in no way to "Admin Disable" the entire WLC).
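
A pre-flight check for the situation described in this answer, as an added example that is not part of the original post or of Cisco's tooling: it parses saved `show ap config general` and `show network summary` output and lists the APs whose primary controller name matches the controller about to come online. The sample output is constructed, and the field labels are assumed from typical AireOS output and may differ by release.

```python
import re

# Constructed sample of "show ap config general" output for three APs.
# Field labels are an assumption about AireOS output, not taken from the thread.
SAMPLE_AP_CONFIG = """\
Cisco AP Name.................................... AP-LOBBY-01
Primary Cisco Switch Name........................ WLC1
Cisco AP Name.................................... AP-FLOOR2-07
Primary Cisco Switch Name........................ WLC2
Cisco AP Name.................................... AP-WAREHOUSE-03
Primary Cisco Switch Name........................ wlc2
"""
SAMPLE_NETWORK_SUMMARY = "AP Fallback ................................. Enable\n"

FIELD = re.compile(r"^(?P<key>.+?)\s*\.{3,}\s*(?P<val>.*)$")

def parse_fields(text):
    """Yield (label, value) pairs from dotted-leader CLI output."""
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            yield m.group("key").strip(), m.group("val").strip()

def primaries(ap_config_text):
    """Map AP name -> configured primary controller name."""
    result, current = {}, None
    for key, val in parse_fields(ap_config_text):
        if key == "Cisco AP Name":
            current = val
            result[current] = ""
        elif key == "Primary Cisco Switch Name" and current:
            result[current] = val
    return result

def fallback_enabled(network_summary_text):
    for key, val in parse_fields(network_summary_text):
        if key == "AP Fallback":
            return val.lower().startswith("enable")
    return True  # state unknown: assume the riskier setting

def preflight(ap_config_text, network_summary_text, returning_wlc):
    """Return (APs whose primary is returning_wlc, whether joined APs would move)."""
    # Names are compared case-insensitively so the check over-reports rather
    # than misses an AP; this is a conservative assumption, not documented behaviour.
    pointing = sorted(ap for ap, p in primaries(ap_config_text).items()
                      if p.lower() == returning_wlc.lower())
    return pointing, bool(pointing) and fallback_enabled(network_summary_text)
```

An empty list means no AP is configured to prefer the returning controller; a non-empty list with fallback disabled still names the APs that would join it after a reboot or rediscovery.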


Leo Laohoo
Hall of Fame

WLC2 is currently offline and is not configured correctly.

Does this mean that if WLC2 is "offline" then NO WAPs are joined to this AP?

Does changing the ‘primary controller’ setting on the AP’s interrupt the wireless service if they’re already connected to the desired WLC? I could then make all AP's point to WLC1 as their primary, allowing me to bring the mis-configured WLC2 online.

This sounds better. Change all the APs "High Ability" tab and REMOVE all details relating to WLC2.

Stephen Rodriguez
Cisco Employee

Changing the primary WLC should not cause the AP to reboot. If both WLC were online, it would move to its new primary and clients should not know the difference.

As I read what you are asking, you already have WLC2 down, so the AP's should be joined to WLC1. If this is the case, then you don't need to do anything with them.

Hit the console port of WLC2, reboot it and then do a Recover-Config. Once you have done this, the WLC will be at factory default. Then go through the wizard and set an IP address, only.

Once you have the IP address, you can then join it to WCS and push templates around to your heart's content so that the configurations match.

Cheers,
Steve


nstrech
Level 1

Thanks everyone,

I ended up using the AP Templates to make WLC1 the primary controller for all of my AP's and this did not have any effect on our wireless service as all AP’s were already connected to this controller.

Secondly I disabled the AP Fallback on WLC1 just as a secondary measure.

Next I was able to create a new Controller Config Group having it extract the settings from the working WLC1.

Finally I powered on WLC2, added it to my new Controller Config Group, and pushed the working group settings down to this new controller.

In hindsight I should have started with a factory default config on WLC2 as mentioned by Stephen. My WLC2 received all of the working configurations and we’re up and running but I did have to go back into WLC2 and manually remove a few of the misc. unnecessary configurations.

Best Regards,

Nate

CRAIG NORBORG
Level 1

Found this discussion while trying to attempt something similar myself.

What I ended up doing, that might be a better solution, was to go into "Security" and "AP Policies" and change it from "Accept Manufactured Installed Certificate" to "Authorize LSC APs against auth-list". How exactly you do it depends on how you authenticate your AP's to your controller though. In my case I used MIC's and not LSC AP's, and >definitely< didn't define an auth list. So by changing it, I effectively told it not to allow any AP's to connect at all.

Worked fine for me, after I got done doing what I needed to do, I changed it back and they were able to authenticate again.
