Wireless Controller Design

fatalXerror
Level 7

Hi,

I would like to check if the following are feasible,

1. 4x WLC with foreign-anchor design (2x for internal with SSO HA and 2x for guest SSO HA) in primary DC and 2x WLC (1x for internal and 1x for guest) as N+1 HA in my DR?

2. In the event that all of my internal (not the guest) WLCs in PDC go down, the internal WLC located in DR will kick in automatically, associating all access points. Can I force my guest to use the guest controller in DR instead of the one in PDC?

Thank you

14 Replies

Hi @fatalXerror 

This scenario seems to be possible, but you need to adjust your expectation with this part: "In the event that all of my internal (not the guest) WLCs in PDC go down, the internal WLC located in DR will kick in automatically, associating all access points."

Only HA SSO provides you this level of redundancy. If the pair of WLCs goes down in PDC, the AP will disconnect, will reload and will establish a new CAPWAP tunnel with DR. This process will take a few minutes depending on the AP model and link speed.

Hi @Flavio Miranda , thanks for the help.

I think that's okay. May I ask, does the SSO HA requirement need to be in the same subnet, or can I do SSO HA via L3, meaning a different subnet? Thanks

Same subnet

 

  • Both devices must have redundant IPs in the same subnet. IP addresses used for redundancy must be unroutable without a gateway present in the subnet.

This is what the topology looks like.

[Image: topology diagram, FlavioMiranda_0-1690369059294.png]

Note the APs do not need to reload to switch to the backup (N+1) WLC - it's simply a CAPWAP restart.
The primary and secondary WLC should be configured in the AP HA settings and you should have mobility configured between primary and backup WLC.

------------------------------
Please click Helpful if this post helped you and Accept as Solution if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's   and   TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's,   Best Practices for 9800 WLC's   and   Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
Field Notice: FN74383 APs Running 17.12.4/5/6/6a May Run Out of Flash Space Preventing Upgrades
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390
AP supported channel lookup: https://apchannels.cisco.com/

fatalXerror
Level 7

Hi @Flavio Miranda , I see, meaning I need to stretch my VLAN across two or multiple sites. In the SDA or ACI design, is it possible to have 1x WLC in each DC and then use SSO HA?

That would be recommended if you are able to extend the VLAN between DCs. As long as you keep the traffic in Layer 2, you can use separate geography.

Hi @Flavio Miranda , for the SSO HA of the controller, should the communication of my AP also be in the same subnet as the controller, or is it not necessary for it to be in the same subnet? Thanks

Not necessary. As long as the AP can communicate with the WLC, they will join.

Rich R
VIP

As Flavio says no need for APs to be in the same subnet - in fact I'd say they should not be - but you do need to think about the discovery mechanism they'll use to find the WLC - I'd recommend DHCP with option 43 configured with primary and secondary WLC IPs.
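The option 43 discovery setup mentioned above, as an added example that is not part of the original post or of Cisco's documentation: Cisco lightweight APs read the controller list from option 43 as a sub-option of type 0xf1, a one-byte length (4 bytes per controller) and the WLC management IPs in hex. The sketch builds that value for a primary DC and a DR controller, decodes a configured value, and reports controllers a DHCP scope fails to advertise; the function names are hypothetical and the addresses are constructed documentation addresses.

```python
import ipaddress

CISCO_AP_SUBOPTION = 0xF1  # option 43 sub-option type read by Cisco lightweight APs


def build_option43(wlc_ips):
    """Encode WLC management IPs as f1 | length | addresses, in the order given."""
    if not wlc_ips:
        raise ValueError("at least one WLC management IP is required")
    packed = b"".join(ipaddress.IPv4Address(ip).packed for ip in wlc_ips)
    if len(packed) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([CISCO_AP_SUBOPTION, len(packed)]) + packed).hex()


def parse_option43(hex_value):
    """Decode a configured value; accepts plain hex or IOS-style dotted groups."""
    raw = bytes.fromhex(hex_value.replace(".", "").replace(":", ""))
    if len(raw) < 2 or raw[0] != CISCO_AP_SUBOPTION:
        raise ValueError("value does not start with the f1 sub-option type")
    length, body = raw[1], raw[2:]
    if length == 0 or length % 4 or length != len(body):
        raise ValueError("length byte does not match the address bytes present")
    return [str(ipaddress.IPv4Address(body[i:i + 4])) for i in range(0, length, 4)]


def missing_controllers(hex_value, expected_ips):
    """Return the expected WLC IPs that the DHCP scope does not advertise."""
    advertised = set(parse_option43(hex_value))
    return [ip for ip in expected_ips if ip not in advertised]


# Constructed sample addresses (RFC 5737 documentation range), not from the thread.
PRIMARY_DC_WLC = "192.0.2.10"
DR_WLC = "192.0.2.20"

if __name__ == "__main__":
    value = build_option43([PRIMARY_DC_WLC, DR_WLC])
    print("option 43 hex", value)
    print(parse_option43(value))
    # A scope that only lists the primary DC controller leaves APs unable to
    # discover the DR controller through DHCP when the primary site is down.
    stale = build_option43([PRIMARY_DC_WLC])
    print(missing_controllers(stale, [PRIMARY_DC_WLC, DR_WLC]))
```

Running the check against every AP scope before a failover test shows which sites would depend on another discovery method to reach the DR controller.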


Hi @Flavio Miranda / @Rich R , can I use a different WLC model for the anchor?

Yes as long as the mobility tunnel is compatible (new/old).


fatalXerror
Level 7

Hi, going back to the Foreign-Anchor design, would it be possible for my corporate SSID to be in local switching and my guest to be in central switching, making the guest gateway be at the anchor WLC? Thank you

Yes. The APs should be in FlexConnect mode to support local switching on the corporate SSID and you can still have centrally switched WLAN(s).
