
WLAN 9800 controller Anchor mobility HA

khushbakhat
Level 1

Hello Cisco community,

I am new to the Anchor Mobility feature. We have 2 9800 controllers in anchor mobility: 1 is used as foreign and the other, in the DMZ zone, is used as anchor. Please explain the scenarios implemented for redundancy. Is it possible to implement SSO on these 2 devices? If yes, how can I achieve that?

Regards,

Khushbakhat 

5 Replies

balaji.bandi
Hall of Fame

Not sure I got it correctly: are you looking to deploy HA, or do you already have HA and are deploying anchoring?

Check this document, it can help you:

https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/213912-configure-mobility-anchor-on-catalyst-98.html

BB


Basically, I want to confirm that both HA and anchor mobility work together if I have only 2 devices: 1 acts as foreign and 1 acts as anchor.

jonathga94
Level 1

 

Hello Khushbakhat,

I would think that you want to do HA-SSO which basically makes the two controllers work as one logical device. If that's your goal, you must meet the following prerequisites:

Maximum RP link latency = 80 ms RTT, minimum bandwidth = 60 Mbps and minimum MTU = 1500
Both controllers must be of the same PID. In case of 9800-CL, ensure the host environment (ESXi or KVM or ENCS) is the same for both instances.
Both controllers must run the same version of software.
Both controllers must run in the same Installation Mode (Either Bundle or Install). We recommend Install mode for WLC.
Both controllers must have redundant IPs in the same subnet. IP addresses used for redundancy must be unroutable without a gateway present in the subnet.
Both controllers must have a unique wireless management interface.
Wireless management interface of both devices must belong to the same VLAN/subnet.


If all of the above can be done, you just need to follow the HA-SSO configuration guide for the WLC, which can be found at the link below:

https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-1/deployment-guide/c9800-ha-sso-deployment-guide-rel-17-1.pdf

If you are looking for having two logical boxes and load balancing the APs between them, you will need to configure the AP's controller list and assign the primary and backup controllers. The link below shows the steps to accomplish this task:

https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-4/deployment-guide/c9800-n-plus-1-high-availability-wp.pdf

Thanks,

My concern is that with HA-SSO my 2 devices become 1 logical device; then will my anchor mobility scenario work or not? Logically 1 device, but physically 2 devices act as foreign and anchor devices?

 

Arshad Safrulla
VIP Alumni

Hi @khushbakhat ,

If you deploy 1 WLC as Anchor and the other as Foreign you will not get redundancy. I would suggest that you create HA-SSO with the WLCs. In order to send the Guest traffic to DMZ you have the below options. 

Options when AP in Local Mode

  1. Create a sub-interface directly on the Firewall for Guest Interface - This way you can use firewall to dictate what access is allowed for Guest subnet. You will simply allow the Guest VLAN on the WLC uplink going to the switch. Keep in mind that SVI for Guest is not mandatory in 9800 WLC.
  2. If you have a physically segregated DMZ already in place - Then you can create 2 uplinks from the WLC. One uplink will be carrying the Corporate Employee VLANs and will be connected to Core Switch or Firewall inside trusted segment. On this uplink you will allow only Employee/Corporate VLANs. Another uplink from the WLC will be connected to the DMZ segment (Switch/Firewall or Router) and here you will allow only the Guest VLAN.

Options when APs in Flex mode

  1. You can tag the Guest SSID to a VLAN which has a Firewall as the Gateway. Or if you are planning to use the Gateway in a Switch/Router then you can explore VRF option or ACL option to prevent access to other subnets.

 
