Cisco Support Community

WLC geographical redundancy

Hello,

There are two "central" locations each one having one satellite or spoke site. Let's have:

- zone A and its spoke_zone A1

- zone E and its spoke_zone E1.

Both region A and region E have similar deployment scenarios:

- 1 x 5508 WLC

- several LWAPs in the existing network (local network).

- FlexConnect for several other LWAPs in the spoke zones (A1 for A and E1 for E).

I'm wondering how I can achieve a backup solution for all these 4 sites:

- A1 and E1 can achieve it through FlexConnect and one mode only: local switching & local authentication.

- what about the A and E regions? How can I bring some backup WLC solution here? I know of Mobility Groups, still I don't think it helps too much as I have only L3 connectivity between the A and E regions through MPLS.

What if I try to get L2 connectivity in between using a "poor-man's EoMPLS" solution like L2TP v3? I will be able to connect one VLAN pair; will this be enough?

- what else can I do in case of WLC breakdown in either of the two regions (A or E)?

Thanks in advance!



Re: WLC geographical redundancy

During these days, here is some advice I received:

Traditionally, utilizing Backup Controllers was the main way to provide redundancy for a WLC failure. For Zone A, you could just select the Wireless LAN Controller at Zone E, and assign that as the Secondary Controller for each AP as desired. You can set the Primary and Secondary controllers for the AP on the controller via the GUI or the CLI. With Backup Controllers, in the case of a WLC failure, APs would begin to search for their Secondary Controller and re-establish their CAPWAP tunnel. The obvious downside to this is the outage that occurs from the client perspective while the AP drops its tunnel and begins to build it again to the Secondary Controller.

In response to the need for a somewhat better failover scenario, Cisco brought out High Availability in WLC firmware 7.3. In this scenario, you purchase a second WLC and license it specifically to serve as a standby. You place it adjacent to your existing WLC, and it shares an IP address and session/Config/AP information with the main controller. Now in the event of a WLC failure, the failover from the AP perspective is intended to be transparent.

Now, because of budgeting I can't consider an HA solution, so I would go for the Backup Controllers, especially now when there are only two primary zones.

Except that I myself thought of another solution:

- what if both zone A and E have all LWAPs configured using FlexConnect mode with local switching and authentication? I mean all LWAPs, both the APs next to the WLC and also the LWAPs in the A1 or E1 zones.

This will result in having only FlexConnect mode APs and of course fewer features available; still, from the redundancy point of view, what do you think of this?

Do you think it would be better or worse than the "Backup Controllers" solution?

P.S. the L3 connection between A and E is provided with 150ms or less.

Hall of Fame Super Silver

Re: WLC geographical redundancy

The biggest design consideration in your case is any local mode access points. These would fail over to the other WLC and users would have to get a new IP address due to the WLAN to interface mapping. If you put all your APs in FlexConnect mode, then you can use the other WLC as a backup, but there are features or limitations to FlexConnect when compared to local mode. If this solution works for you then no additional WLCs need to be purchased. If your setup does require local mode APs due to features that work with local mode APs and not FlexConnect, then look at getting an HA SKU WLC for each site as a backup. This is cheaper due to the HA SKU WLC not having a license. You can then use HA AP SSO or HA N+1 setup. I tend to go with redundant WLCs if possible but only if APs are in local mode. With FlexConnect, it doesn't matter where the WLCs are placed.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

WLC geographical redundancy

Hi Scott,

Thanks for the input. I have a couple of straight questions:

- on a local-mode configured LWAP if the primary controller fails, it will automatically deauthenticate all associated clients, then after new CAPWAP connection is established with the secondary controller previous/existing wireless clients will get access and accordingly renew their IP addresses?

- a LWAP using FlexConnect mode does still have the same HighAvailability tab for entering primary&secondary controller option, or would be better to stick with local switching&authentication as the backup to any failure solution?


- with an average of 150ms between zone A and zone E do you think the "Backup Controller" solution will work in the first place?

Hall of Fame Super Silver

Re: WLC geographical redundancy

Let me try to answer this

- on a local-mode configured LWAP if the primary controller fails, it will automatically deauthenticate all associated clients, then after new CAPWAP connection is established with the secondary controller previous/existing wireless clients will get access and accordingly renew their IP addresses?

If the WLC fails and then the APs move to the other WLC, then yes the clients need to obtain another IP address. This means your DHCP scope has to be able to issue addresses to both locations. Subnet has to be large enough to support both sites.

- a LWAP using FlexConnect mode does still have the same HighAvailability tab for entering primary&secondary controller option, or would be better to stick with local switching&authentication as the backup to any failure solution?

This depends on what will work for you. Like I mentioned earlier, there are some limitations to FlexConnect vs local.

- with an average of 150ms between zone A and zone E do you think the "Backup Controller" solution will work in the first place?

Sure it would work... Question is local and FlexConnect have different requirements.

-Scott

WLC geographical redundancy

I just read the 7.5 release notes and here is this paragraph:

Feature: High availability (HA): Client SSO

Description: Enables client stateful switchover for 1:1 redundant controller deployments

Benefit: Industry's first and only controller redundancy solution reduces client downtime to less than a second for business-critical applications, with no client reauthentication needed. The redundant controllers can be geographically distributed over a Layer 2 connection for data center level redundancy

Does this mean it is now possible to do HA between the controllers from zone A and zone E?

Hall of Fame Super Silver

WLC geographical redundancy

Sure.... layer 2

Feature: High availability (HA): Client SSO

Description: Enables client stateful switchover for 1:1 redundant controller deployments

Benefit: Industry's first and only controller redundancy solution reduces client downtime to less than a second for business-critical applications, with no client reauthentication needed. The redundant controllers can be geographically distributed over a Layer 2 connection for data center level redundancy

Thanks,

Scott

Help out others by using the rating system and marking answered questions as "Answered"

-Scott

Re: WLC geographical redundancy

Hi Scott,

I would love to have this answered, still I don't think I received the solution I need.

Regarding my previous question, do you think L2TP v3 will cover the HA SSO requirements?

Hall of Fame Super Silver

Re: WLC geographical redundancy

In order to use HA AP SSO, the two WLCs will need to be in the same subnet. Now however you want to achieve that is up to you. The only question I have is stability. There is more stability when you are on a true layer 2 subnet compared to bridging the layer 2 over different media. Any glitch can cause the WLC to switch and you might have yourself a non-stable wireless network. When Cisco states layer 2, they mean true layer 2... Same switch infrastructure and no layer 3 routing of any sort. What you may have to do if AP SSO doesn't work is to use the other WLC in N+1 which will work over layer 3.

-Scott
Hall of Fame Super Gold

WLC geographical redundancy

Florin,

When you talk about "geographical", are you talking about the controllers and/or APs being located in the same countries?

You are talking about FlexConnect, right? Why bother with a secondary controller? I mean one of the values of FlexConnect is when the WAN link or the WLC fails, the AP can still accept clients (provided there is local authentication available at the site).

Re: WLC geographical redundancy

Leo,

WLCs are located one in zone A (America) and the 2nd one in zone E (Europe). If I am to use L2TPv3 and create this HA, do you think it will work?

I am thinking for local APs in zone A to use local-mode and APs in zone E to use FlexConnect, as the HA Master will be located in zone A. Also, as L2TPv3 will bind one VLAN, I will not be able to have a real trunk between the two zones. What are your thoughts?

Hall of Fame Super Gold

WLC geographical redundancy

WLCs are located one in zone A(America) and the 2nd one in zone E(Europe). If I am to use L2TPv3 and create this HA do you think it will work ?

Ok, so you have two WLCs located in different countries. Now the painful question: In what countries are the APs located?

If APs are located in regulatory domain "-A" and "-E" then I don't see the logic as to using your America WLC (-A) to be the backup controller for the "-E" APs.

Like I said in my post, with FlexConnect, the most important thing is a local authentication server. If your "-E" AP loses its WLC then the AP, without the "-A" controller, can accept new clients. This is my opinion.

Re: WLC geographical redundancy

I will try to sum up all the answers and the solution I can extract.

First of all, Leo, you are right with FlexConnect and I can use it as a backup solution for site E, but not for site A. Why? Because site A requires some features that for the moment (October 2013) are available only for local-mode APs. This means when the WLC in zone A fails, I will have no backup. I could try setting those local-mode APs in zone A with a Secondary controller from zone E, still there is more than 100ms timeout in between so I doubt it will work properly.

So I am to move the WLC from zone E to zone A, as they are identical hardware, and create an HA (this will require an update from 7.2 to 7.5; can you guys recommend the right version for 7.5, please?). Then APs from zone A will use local-mode along with all required features. Furthermore, APs from zone A1 will use FlexConnect mode.

Back to zone E, we are to choose between a FlexConnect deployment or buying a smaller 2500 family or even a virtual WLC.

I had a look at both the 2500 and virtual WLC datasheets, still I cannot decide what to recommend. What would you choose? Zone E and zone E1 contain about 20 APs with a small growth rate/year.

Finally, about FlexConnect:

- if I am to choose local switching but central authentication, when the WAN link goes down, isn't there a check/an option to automatically revert to local authentication (supposedly I will have local authentication up & running)?

- if I have the same authentication resources both next to the WLC and next to a remote FlexConnect AP location, is there any advantage in using central authentication vs local authentication?

Hall of Fame Super Silver

Re: WLC geographical redundancy

There is only one version of 7.5 out there. Cisco's recommendation is v7.4.110.0 MR1 for HA unless you need features or support that requires v7.5.

I would use a 2504 rather than a vWLC just because of stability. They do also sell an HA SKU 2504 but only for N+1, not AP SSO.

What Leo is getting at is the country code, as that is the main thing that will affect your design. When you have multiple country codes configured on the WLC to support the various country codes that the APs are manufactured for, the WLC will use the common channels and transmit powers, which can be a show stopper for some. Typically it's best to have a WLC for each country/country code than to try to figure out what changes will be made when adding multiple country codes to a WLC.

As far as authentication, local RADIUS is always good, but that also means local backup domain servers for the RADIUS to communicate back to. Many of my installs are however central deployment in which AD and RADIUS are located in maybe two separated data centers.

-Scott
Hall of Fame Super Gold

Re: WLC geographical redundancy

What Leo is getting at is the country code as that is the main thing that will affect your design. When you have multiple country codes configured on the WLC to support the various country codes that the AP's are manufactured for, the WLC will use the common channels and transmit powers, which can be a show stopper for some. Typically it's best to have a WLC for each country/country code than to try to figure out what changes will be made when adding multiple country codes to a WLC.

This is exactly what I've been trying to articulate (not very well, I guess).

Let's just say you have two WLCs located in two continents: WLC A is in the US and WLC B is in Australia.

APs installed/located in the US must have a regulatory domain of "-A" while APs installed in Australia must have a regulatory domain of "-N" (PS: I ain't arguing about the finesse of the new "-Z").

Let's say that you configured your APs to fail over to the other WLC in case of WLC failure. So when your WLC B fails, do you think your AP will fail over to WLC A? Not a chance. WLC A will look at the incoming request and ask, "And what's your Regulatory Domain?" and the APs all respond with "-N". WLC A will then respond with "F-O. I'm doing nothing but Regulatory Domain A".

Now there's a loophole to all of this. People will say that you can configure a WLC with multiple regulatory domains. My recommendation is don't even bother. I agree that you can but this will cause a hindrance because your APs will only operate in channels that are COMMON to the different regulatory domains. Heck, I believe some countries don't even allow 802.11a.

Re: WLC geographical redundancy

I have to admit I didn't take into consideration these regulatory domain implications.

Drawing a line under this, do you think it will be possible to have an HA cluster in the USA for the local APs over there AND also use it with FlexConnect APs located in Europe or China?

Hall of Fame Super Silver

Re: WLC geographical redundancy

That would not be recommended as your APs might lose connection to the WLC and might become unstable even in FlexConnect. You're better off having an HA in the US and having another WLC for the Europe and Asia sites.

-Scott

WLC geographical redundancy

Thanks for the input Scott.

These presumably poor FlexConnect results (instability) would be caused mainly by the long-distance connection?

Hall of Fame Super Silver

Re: WLC geographical redundancy

That is correct. I have seen FlexConnect flap and cause issues even though we all think that it shouldn't because of the fact it's FlexConnect. If you have the ability to test, that would make it easier to decide. My reason also for not doing that is because of having to add multiple regulatory domains and understanding exactly what your common channels and power are.... Oh.... And checking that again when you upgrade because Cisco can make changes due to regulations. In any of my Cisco and Aruba installs, I would have separate controllers for US, APAC and EMEA. This is also because of separate data centers in each region.

-Scott