Wireless High Availability Design

Najib Akbari
Level 1

Hey All,

Just seeking design advice for this scenario:

Let's say company A has multiple branches with this existing wireless design:

  - Each branch has its own C9800 with 9K APs. The config is unified across all branches, but the SSID is different.

  - The design is Flex local switching, and the APs are configured to act as independent controllers (authenticators), meaning the controller is only needed when a new AP associates, an AP reloads, or any changes need to be applied to the APs. Other than that, shutting down the WLC will not affect the wireless clients (existing and new).

  - There are two types of SSID, PSK and dot1x, and for dot1x ISE is the RADIUS server.

  - Each site has a single standalone C9800 appliance.

Note: for the existing design, since all major services are remote at the DC and the design is Flex local switching, I would have done a central HA pair of controllers rather than a standalone controller at each site (but the controllers were already purchased and I could not make it happen).

NOW SEEKING High Availability design recommendation:

 - Get a secondary node for each site and set up HA? I personally think that, based on the existing design, this is not the best choice; also the cost is high.

 - Set up an HA pair at the data center and point the secondary controller (backup primary controller) on all APs at each site to it, so in case of a primary site WLC failure the APs will associate to the DC controller, and fall back when the primary comes back online? I am thinking this is the more reasonable option.

 - Leave it as it is, and if the controller fails then we have 4hrs RMA, and the odds of having an AP power outage are low?

 - Any other option?

PLEASE assist on this by giving your professional advice, with a technical explanation of why you would choose it.

Thanks! 

Scott Fella
Hall of Fame

Lets say company A have multiple branches with this existing wireless design:

- each branch has its own C9800 with 9K APs. the config is unified across all branches but SSID different.

Not 100% unified but you can work with that.

- the design is FLex local switching and APs configured in a way that act as independent controller ( Authenticator ) means the controller is only needed when new AP associate, AP reloads or any changes to apply on APs other than that shutting WLC will not affect the wireless clients ( existing and new ).

What do you mean? The controller needs to stay online in local and/or FlexConnect mode. An outage is okay, but it is not designed to be kept off.

- two type of SSID there, PSK and dot1.x and for dot1x ISE is the radius

I'm assuming ISE is in the DC?

- each site has single standalone C9800 appliance

This is one of your biggest issues, along with the different SSIDs, but again, there are some workarounds.

note: for the existing design since all major services are remote at DC, and Flex Local SW then I would do a central HA pair of Controller rather than having standalone at each site ( but controllers were already purchased and I could not make it happen )

Let's ignore this then.

NOW SEEKING High Availability design recommendation:

- get a secondary node for each site and setup HA ? I personally think based on the existing design this is not a best choice also the cost is high

It is a higher cost, but the only way is to really have two controllers in the DC, since all your APs are in FlexConnect mode. You can probably migrate one at a time, or buy a controller in the DC, bring that up, move site A's APs to that, and then move site A's controller to the DC. Now, the question is, are they different models?

 - setup an HA pair at DCenter and point secondary controller (Backup primary controller ) on all APs at each site to it, so in case of primary site WLC failure then the APs will associate to the DC controller? and fallback when primary comes back online  I am thinking this is more reasonable option.

> This is fine, you just need to think it out a bit.  

 - leave it as it is, and if Controller fails then we have 4hrs RMA and the odds of having APs power outage is low ?

> What is the customer requirements?

- any other option?

I would try to get two controllers in the DC N+1 and use that for all sites.

- leave it as it is, and if Controller fails then we have 4hrs RMA and the odds of having APs power outage is low ?

It's up to the customer requirements.

-Scott
*** Please rate helpful posts ***

> What do you mean, the controller needs to stay online in local and or FlexConnect mode, an outage is okay, not designed to keep it off.
Depends on the implementation. In this setup the APs are in Flex mode local switching and central auth is off on the policy, hence any wireless connection request (PSK or dot1x) will rely on the AP (authenticator), and of course the AP needs to be added as a network device in ISE. So there is no need for the controller to be online.
I have done this and tested it, and it works with no issue. Some may say it's putting load on the AP, but in this design the average number of clients per AP is 20.

> I'm assuming ISE is in the DC?
Yes

> It is a higher cost, but the only way is to really have two controllers in the DC since all your ap's are in FlexConnect mode. You can probably migrate one at a time or buy a controller in the DC, bring that up, move site A ap's to that and then move site A controller to the DC. Now, the question is, are they different models?
Same model.


> What is the customer requirements?
The customer wants a sort of HA.

The controller still needs to perform RRM and management stuff.  I don't think you should ever turn off the controller, it is not designed to operate that way and with an outage, some things don't work anymore. Why even have it there then?

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-16/config-guide/b_wl_17_16_cg/m-sniffer-cg.html?bookSearch=true#restrictions-for-flexconnect-specific-details

If the customer wants some sort of HA, then either look at using the DC as a backup, but you will just have to build tags for each location in the DC so things work as expected. That is your cheapest route. Typically you have two at each location, or you have two in the DC and that can support all your FlexConnect APs.

-Scott
*** Please rate helpful posts ***

I agree, I just need to clarify: I am not saying turn it off, I am saying the wireless will still work if the controller fails. I just said, as an example, turn it off and it works (I understand RRM and some stuff will not work), and the clients can still get connected and browse. Of course it is not optimal, but it will survive for some hours till we get the controller fixed.

You have various options but not really knowing the environment it’s hard to tell you what you can do. You can possibly save money and just use another site as backup. 

site A - site B

site B - site A

site C - site D

site D - site C

-Scott
*** Please rate helpful posts ***
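
Added example (not written by any poster in this thread): a Python check of the reciprocal site-backup plan listed above, confirming that each backup controller already carries the tags of the site it covers and has room for that site's APs if the primary fails. The site names come from the thread; the AP counts, capacities and tag names are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Controller:
    ap_capacity: int      # APs the appliance can hold (constructed figure)
    local_aps: int        # APs normally joined at this site (constructed)
    tags: set = field(default_factory=set)   # tag names configured on it


def site_tags(site):
    """Hypothetical tag names used by one site's APs."""
    return {f"{site}-policy", f"{site}-site"}


def check_backup_plan(controllers, backup_of, required_tags):
    """Return problems found in a primary-site -> backup-site mapping."""
    problems = []
    for primary, backup in sorted(backup_of.items()):
        if backup == primary or backup not in controllers:
            problems.append(f"{primary}: no usable backup controller ({backup})")
            continue
        wlc = controllers[backup]
        # The backup must already have the tags built for the primary site,
        # so that things work as expected once its APs fail over.
        missing = sorted(required_tags[primary] - wlc.tags)
        if missing:
            problems.append(f"{primary}: backup {backup} lacks tags {missing}")
        # Single-failure case: the backup holds its own APs plus the failed site's.
        load = wlc.local_aps + controllers[primary].local_aps
        if load > wlc.ap_capacity:
            problems.append(f"{primary}: backup {backup} would hold {load} APs, "
                            f"capacity {wlc.ap_capacity}")
    return problems


# Constructed sample data for the A<->B, C<->D pairing from the thread.
REQUIRED_TAGS = {s: site_tags(s) for s in "ABCD"}
BACKUP_OF = {"A": "B", "B": "A", "C": "D", "D": "C"}
CONTROLLERS = {
    "A": Controller(100, 40, site_tags("A") | site_tags("B")),
    "B": Controller(50, 30, site_tags("B") | site_tags("A")),   # too small for A
    "C": Controller(100, 20, site_tags("C") | site_tags("D")),
    "D": Controller(100, 25, site_tags("D")),                   # C's tags not built
}

if __name__ == "__main__":
    for line in check_backup_plan(CONTROLLERS, BACKUP_OF, REQUIRED_TAGS):
        print(line)
```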