
controller failover for different controllers

ejlbarcelon
Level 1

Hi,

I have 3 existing controllers with different models, capacities, versions and configurations. I have purchased a new controller that supports 100 APs.

Let's say WLC_A has a capacity of 25 APs and caters to 20 APs, WLC_B has a capacity of 12 APs and caters to 12 APs, and WLC_C has a capacity of 50 and caters to 30 APs. The new WLC, WLC_NEW, has a capacity of 100 and will only have 18 APs registered to it.

What will be the requirement for me to have WLC_A, WLC_B and WLC_C fail over to WLC_NEW, given that all the old WLCs have different versions and configurations? We are trying to make this as HA as possible.


nikhilcherian
Level 5

Hi,

For HA to work out, all the failover WLCs must be on the same build and the same config. If you have some specific configuration for each AP on the different WLCs, you can try AP groups.

Thanks

NikhiL

Hi Nikhil,

I was also looking at AP groups as a solution, but some locations have different SSIDs, and I can re-create those SSIDs on WLC_NEW. But, for example, if an SSID on WLC_A is the same as on WLC_B but has different security, how can this be done? I believe AP grouping will associate with the same SSID, and thus it should have the same security for each client. As additional info, my scenario is as below:

WLC_A

SSID: TEST_A

Security: WEP

SSID: Guest

Security: none

WLC_B

SSID: TEST_B

Security: WPA_PSK

SSID:Guest

Security:web auth

WLC_C

SSID: TEST_C

Security:WEP

SSID: Guest

Security: WPA_PSK

The Guest SSID is common to each WLC but has different security and different VLAN and IP addressing at each site.

Try a different profile name with the same SSID and different security types.

When creating a WLAN with the same SSID, follow these guidelines and requirements:

•You must create a unique profile name for each WLAN.

•When multiple WLANs with the same SSID get assigned to the same AP radio, you must have a unique Layer 2 security policy so that clients can safely select between them.

Thanks

NikhiL

One more thing: how about the VLANs?

WLC_A

SSID: Guest

Security: none

VLAN: 20 SW_A  

WLC_B

SSID:Guest

Security:web auth

VLAN: 40 SW_B

WLC_NEW

SSID:Guest

Security:WPA_PSK

VLAN: 20 SW_NEW

My question here is about the VLANs: SSID Guest on WLC_A is on VLAN 20 and on WLC_B it is on VLAN 40, while what is available for the guest network on my new network is also just VLAN 20. If all the APs fail over, where do my AP clients associate their VLAN? Is it on their respective switch or on SW_NEW, where my new controller is attached? Does switching happen on the local switches where the APs are connected? I ask because SW_NEW does not have VLAN 40, and WLC_A's and WLC_NEW's Guest SSIDs are both on VLAN 20.

If your APs fail over, clients will get an IP address from the respective WLAN interface on the new WLC they join.

Do you have the same VLAN with different IP addresses, say VLAN 40 on wlc_A with one IP range and VLAN 40 on wlc_new with another IP range?

Thanks

NikhiL

Yes, I have the same VLAN 40 but a different IP range, in a different part of the network which traverses the WAN.

And just for verification, I need to have the same version of the OS on all my WLCs, right?

Yes, you should, or else your APs will have to downgrade or upgrade depending on which WLC they connect to.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

Thanks for the verification. How about the VLAN question?

It's fine... If an AP moves to a different WLC (failover, for example), the users will obtain a new IP address from the location where the WLC resides.

Users will not keep their IP address.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Hi Scott,

So if, for example, wlc_A has vlan_10 with an IP address range of 10.10.10.0/24,

then when it transfers to wlc_B with vlan_10 of 20.20.20.0/24, the client will get an IP address of 20.20.20.X?

Yes, you are right.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

Let me try to explain this a little better. If you have the following, like you posted earlier, and all these WLCs are located in the same building and you have mobility between the two, then when a user roams from one WLC to another, it will break and the user will have a hard time accessing the SSID. This is because you changed the security method. You can't apply multiple security profiles on a client.

WLC_A

SSID: Guest

Security: none

VLAN: 20 SW_A

WLC_B

SSID:Guest

Security:web auth

VLAN: 40 SW_B

WLC_NEW

SSID:Guest

Security:WPA_PSK

VLAN: 20 SW_NEW


What you need to do is define your wireless requirements (SSID and security method). You want the same SSID to have the same security method, and preferably have the dynamic interfaces on the same subnet if you're L2 to the access.

This is how you should have Guest, as an example. All the WLCs should be in the same mobility group!

WLC_A

SSID: Guest

Security: WebAuth

VLAN: 20 SW_A

10.20.10.20/24

WLC_B

SSID:Guest

Security:WebAuth

VLAN: 20 SW_B

10.20.10.21

WLC_NEW

SSID:Guest

Security:WebAuth

VLAN: 20 SW_NEW

10.20.10.22

This setup will allow users to roam from one WLC to another seamlessly.

-Scott
*** Please rate helpful posts ***
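
The checks discussed in the replies above (matching software version, one security method per SSID, one subnet per SSID) can be run as a pre-failover audit. This is an added example, not part of the original thread and not Cisco tooling; the function names, the version strings and the WLC_B subnet are assumptions.

```python
from ipaddress import ip_network

# Constructed inventory. SSID, security and VLAN values are the ones posted in
# the thread; the VLAN 20 subnets follow the 10.10.10.X / 20.20.20.X figures
# given for site_A and site_NEW. Versions and WLC_B's subnet are placeholders.
AS_POSTED = {
    "WLC_A":   {"version": "VER_A",   "wlans": {"Guest": ("none",     20, "10.10.10.0/24")}},
    "WLC_B":   {"version": "VER_B",   "wlans": {"Guest": ("web auth", 40, "192.0.2.0/24")}},
    "WLC_NEW": {"version": "VER_NEW", "wlans": {"Guest": ("WPA_PSK",  20, "20.20.20.0/24")}},
}

# The aligned Guest design from the reply above: same security method, same
# VLAN, and dynamic interfaces in one subnet (10.20.10.x/24).
ALIGNED = {
    name: {"version": "VER_SAME", "wlans": {"Guest": ("WebAuth", 20, "10.20.10.0/24")}}
    for name in AS_POSTED
}


def audit_failover(inventory, primary, backup):
    """Return (kind, detail) findings for APs moving from primary to backup."""
    src, dst = inventory[primary], inventory[backup]
    findings = []
    if src["version"] != dst["version"]:
        findings.append(("version", f"{primary} APs will upgrade/downgrade on joining {backup}"))
    for ssid, (sec, vlan, subnet) in src["wlans"].items():
        if ssid not in dst["wlans"]:
            findings.append(("missing-ssid", f"{ssid} not defined on {backup}"))
            continue
        b_sec, b_vlan, b_subnet = dst["wlans"][ssid]
        if sec.lower() != b_sec.lower():
            findings.append(("security", f"{ssid}: {sec} on {primary} vs {b_sec} on {backup}"))
        if ip_network(subnet) != ip_network(b_subnet):
            same = "same VLAN ID" if vlan == b_vlan else f"VLAN {vlan} -> {b_vlan}"
            findings.append(("subnet", f"{ssid}: clients re-address {subnet} -> {b_subnet} ({same})"))
    return findings


def audit_all(inventory, backup="WLC_NEW"):
    """Audit every other controller against the shared backup controller."""
    return {p: audit_failover(inventory, p, backup) for p in inventory if p != backup}


if __name__ == "__main__":
    for primary, findings in audit_all(AS_POSTED).items():
        for kind, detail in findings:
            print(f"{primary}: [{kind}] {detail}")
```

Run against the inventory as posted, every controller reports version, security and subnet findings against WLC_NEW; the aligned design reports none.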

Hi Scott / Nikhil,

You are mostly correct, but the problem is that this setup is already established, and since site_A has the same VLAN 20 but a different IP range (10.10.10.X) from site_NEW, which has VLAN 20 (20.20.20.X), this has been the real challenge. Nikhil was correct too: I can create multiple profiles, so if clients have a different security configuration and a similar SSID, they can still connect with this SSID. But if they have the same security and the same SSID but a different VLAN IP range, that will be my problem.

Another problem will be if the WLCs fail over and have different IPs; most probably the routing of this traffic will pass through the gateway of the new site.

Is there a way that, even if the WLC fails, they will still use the local LAN to which the APs were connected?

Maybe you should look at H-REAP. Using H-REAP will dump traffic local to that site, and thus your DHCP is local and users will keep their IP address.

Sent from my iPhone

-Scott
*** Please rate helpful posts ***