
Wireless Controller Design



I would like to check if the following are feasible,

1. 4x WLC with foreign-anchor design (2x for internal with SSO HA and 2x for guest SSO HA) in primary DC and 2x WLC (1x for internal and 1x for guest) as N+1 HA in my DR?

2. In the event that all of my internal (not the guest) WLCs in PDC go down, the internal WLC located in DR will kick in automatically, associating all access points. Can I force my guest to use the guest controller in DR instead of the one in PDC?

Thank you


Hi @fatalXerror 

This scenario seems to be possible, but you need to adjust your expectations about this part: "In the event that all of my internal (not the guest) WLC in PDC goes down, the internal WLC located in DR will kicks-in automatically associating all access points"

Only HA SSO provides this level of redundancy. If the pair of WLCs goes down in PDC, the AP will disconnect, will reload and will establish a new CAPWAP tunnel with DR. This process will take a few minutes depending on the AP model and link speed.

Hi @Flavio Miranda , thanks for the help.

I think that's okay. May I ask, does the SSO HA requirement need to be in the same subnet, or can I do SSO HA via L3, meaning a different subnet? Thanks

Same subnet


  • Both devices must have redundant IPs in the same subnet. IP addresses used for redundancy must be unroutable without a gateway present in the subnet.

This is what the topology looks like.





Note the APs do not need to reload to switch to the backup (N+1) WLC - it's simply a CAPWAP restart.
The primary and secondary WLC should be configured in the AP HA settings and you should have mobility configured between primary and backup WLC.


Hi @Flavio Miranda , I see, meaning I need to stretch my VLAN across two or multiple sites. In the SDA or ACI design, is it possible to have 1x WLC in each DC and then use SSO HA?

That would be recommended if you are able to extend the VLAN between DCs. As long as you keep the traffic in Layer 2, you can use separated geography.

Hi @Flavio Miranda , for the SSO HA of the controller, should the communication of my AP also be in the same subnet as the controller, or is it not necessary to be in the same subnet? Thanks

Not necessary.  As long as the AP can communicate with WLC, they will join.

Rich R

As Flavio says no need for APs to be in the same subnet - in fact I'd say they should not be - but you do need to think about the discovery mechanism they'll use to find the WLC - I'd recommend DHCP with option 43 configured with primary and secondary WLC IPs.

Hi @Flavio Miranda / @Rich R , can I use different WLC model for the anchor?


Hi, going back to Foreign-Anchor design, would it be possible that my corporate SSID is in local switching and my guest will be central switching making the guest gateway to be at the anchor WLC? Thank you

Yes. The APs should be in FlexConnect mode to support local switching on the corporate SSID and you can still have centrally switched WLAN(s).
