Two Controllers in different locations

MUQ_1899_
Level 1

Hello, 

Our customer has two controllers in two different locations. For certain reasons all of the APs are in FlexConnect mode.

We want to implement a failover solution so that if one of the controllers fails, the APs in that location are able to register with the second controller.

My question is how to do that with regard to the IP networks and VLANs. In location A we have for example VLANs 3,4 and 5 with networks 192.168.3.0, 192.168.4.0 and 192.168.5.0. In location B we have for example VLANs 6,7 and 8 with networks 192.168.6.0, 192.168.7.0 and 192.168.8.0.

How should I configure the controller in location B so that when controller A fails, the APs in site A continue to work with their previous IP networks?

Is this scenario possible?

9 Replies

Leo Laohoo
Hall of Fame

There are currently two methods of doing APs fail-over implementation (regardless of physical location of the two WLC).  

 

The first method is using HA SSO.  The main points to consider for this are: 

1.  Redundant Ports must be in the same Layer 2, VLAN.  No Layer 3 allowed. 

2.  The Management IP address of both controllers must be in the same subnet and the same VLAN. 

 

The second method is using the old method of assigning primary/secondary/tertiary WLC controller details (globally or on a per-AP basis).   With this method, fail-over of the APs can sometimes take a minimum of 20 seconds.  

We don't have L2 connectivity between the locations so I think the classical method is the one we can use. My question is how should I define the interfaces on the secondary controller to support APs in the primary location? For example, what interface should I define for VLAN 3 and IP network 192.168.3.0 for the clients in Location A since we don't have such networks in Location B? Maybe the question is stupid but I can't find a guide explaining a similar scenario. :(

For the second method to work, the configuration of the two controllers must be the same (except the IP addresses).  This also includes the "allowed-vlans" on the switch port trunks and the AP groups.   

What I try to explain to my customers and peers when deciding where the controllers should go is, do you have the VLANs in both locations or not?  I think the best way to implement a backup or redundant controller is if both controllers can have the interfaces on the same subnet.  User subnets are important here, especially if you have static addresses on some devices, are using MAC reservations, and/or devices don't request a new DHCP address. When placing a controller in different locations with different subnets, if there is a failover, then devices will be placed on the VLAN at the backup controller location. This can work if devices are all DHCP and, when reassociating to the SSID, they request a new address. 

This is for N+1 like Leo mentioned. SSO, you need them together and the subnets must match.

-Scott
*** Please rate helpful posts ***

In our scenario we are assigning the VLANs by an NPS server based on user groups in the AD, so for example user Bob will always receive VLAN 3 and an address from 192.168.3.0/24. We don't have the same VLANs in both places. The second interesting thing is that all APs are in FlexConnect Central Auth, Local Switching mode. My confusion is how to define the interfaces on the secondary controller. Can I configure an interface in VLAN 3 with address 192.168.3.11 although that network does not exist in Location B?

In your case, if all your WLANs are configured for FlexConnect local switching, then you don't need to have a valid interface.  What I mean is that I would typically create a bogus/black hole interface and map that interface to all the FlexConnect WLANs. Since you are using NPS to assign the true interface that the user will be placed on, then the WLAN to interface mapping on the WLC can be anything you want.

It is only if you're tunneling traffic back to both controllers that you need to have interfaces on the same subnet on all controllers that are used for failover.  FlexConnect central switching is just like local mode. If you're using local switching then the interface on the WLAN does not matter.

-Scott 

Thanks for the explanations!

No problem. Hope that helped explain things.

-Scott

MUQ_1899_
Level 1

I have another question, before deploying the solution.

In normal conditions AP 1 is registered with controller A and is placed in AP Group X. When controller A fails, the AP registers with controller B, where this AP Group X is also defined. 

Will AP 1 automatically join this group or will it go in the default group?
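
The parity rules stated in the replies above (identical configuration on both controllers, AP groups included, and matching interface subnets only for WLANs whose traffic is tunneled back to the controller) can be checked before a failover. This is an added example, not code from the thread or from Cisco. The inventory dictionaries, their key names, the interface names and the centrally switched "guest" WLAN are constructed for illustration.

```python
import ipaddress

# Constructed inventories (not real controller exports); key names are assumptions.
WLC_A = {
    "ap_groups": {"default-group", "X"},
    "interfaces": {"blackhole": "10.255.255.2/24", "guest": "192.168.5.11/24"},
    "wlans": {
        1: {"ssid": "corp", "local_switching": True, "interface": "blackhole"},
        2: {"ssid": "guest", "local_switching": False, "interface": "guest"},
    },
}
WLC_B = {
    "ap_groups": {"default-group"},
    "interfaces": {"dummy": "10.254.254.2/24", "guest": "192.168.8.11/24"},
    "wlans": {
        1: {"ssid": "corp", "local_switching": True, "interface": "dummy"},
        2: {"ssid": "guest", "local_switching": False, "interface": "guest"},
    },
}

def subnet(wlc, wlan):
    """Network of the interface a WLAN is mapped to, or None if undefined."""
    addr = wlc["interfaces"].get(wlan["interface"])
    return ipaddress.ip_interface(addr).network if addr else None

def failover_gaps(primary, backup):
    """List differences that matter when APs fail over from primary to backup."""
    gaps = []
    for group in sorted(primary["ap_groups"] - backup["ap_groups"]):
        gaps.append(f"AP group '{group}' missing on backup")
    for wlan_id, p in sorted(primary["wlans"].items()):
        b = backup["wlans"].get(wlan_id)
        if b is None or b["ssid"] != p["ssid"]:
            gaps.append(f"WLAN {wlan_id} ({p['ssid']}) not defined identically on backup")
        elif b["local_switching"] != p["local_switching"]:
            gaps.append(f"WLAN {wlan_id} switching mode differs")
        elif not p["local_switching"] and subnet(primary, p) != subnet(backup, b):
            # Centrally switched: client traffic is tunneled to the WLC,
            # so the mapped interface must be on the same subnet on both.
            gaps.append(f"WLAN {wlan_id} central switching: {subnet(primary, p)} "
                        f"vs {subnet(backup, b)}")
        # Locally switched WLANs: the interface mapping is deliberately ignored.
    return gaps

if __name__ == "__main__":
    for gap in failover_gaps(WLC_A, WLC_B):
        print(gap)
```

WLAN 1 maps to differently named placeholder interfaces on the two controllers and is not reported, because it is locally switched.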
