12-01-2008 05:38 AM - edited 07-03-2021 04:50 PM
Hello,
I would like some clarification on the Mobility groups behaviors. We have 2 WLC 4402 (wlc-a and wlc-b) setup on the same DMZ and 30 AP connecting to the first one (wlc-a). We have setup the same mobility groups on both WLC. AP failover between the WLC works fine: if wlc-a disappears all APs go to wlc-b. But the connected clients suffer from this transition (using webauth, dhcp is provided by the wlc). We tried a couple of configuration options but are still facing the same issues at the end.
1- we tried to configure 2 different dhcp pools for the users. When wlc-a fails, APs move to wlc-b (good), but the client needs to negotiate a new IP and therefore loses any existing connections.
2- we tried to configure the same DHCP pool on both WLCs. Obviously this is not a good idea as you end up allocating the same IPs to different clients.
3- we tried to configure the same DHCP on both WLCs and created an anchor to wlc-a. This works fine if wlc-b fails, the transition is seamless for the clients. But not if wlc-a fails, wlc-b "refuses" to give an IP to the users.
I'm a bit puzzled by the problem and can't find what I'm missing. I was thinking that the two wlc would be able to provide (near) transparent failover for the clients (at least they should not have to get a new IP and reauthenticate).
12-01-2008 11:10 AM
I think option 2 is your best bet, but use an external DHCP server. That way your DHCP is independent of the controllers.
12-01-2008 12:25 PM
Yep. External DHCP is the way to go here. Make addressing completely independent of the controller infrastructure.
Take a look at www.infoblox.com if you're worried about your DHCP server being a single point of failure on your network. They make a very nice clusterable network services appliance.
12-01-2008 12:27 PM
Also, the controller allows for a primary and backup DHCP server address, so that works nicely with a clustered DHCP service.
12-01-2008 12:42 PM
If you failover wlc-a so that the APs move to wlc-b, you will have webauth clients lose their connection, thus they will need to login again. This is not transparent when a failover occurs. I have tried it a bunch of times to see if I can get this to work and no go. This goes the same if you have guest anchor controllers in the dmz and one of the guest anchors fails. Users will have to login again or click accept if you are using passthrough.
DHCP depends on if your users are placed in the dmz... you don't want to open the FW. Usually if you have a dmz anchor controller, then using the wlc for dhcp is fine. Or you can place a DHCP server on the dmz.
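The collision the original poster hit with option 2 (the same internal DHCP pool on both controllers) and the reason the replies push addressing onto a single external server can be shown with a small model. This is an added example, not code from the thread or from Cisco; the controller names, MAC addresses and pool ranges are constructed sample data, and the two-controller DHCP model is a hypothetical simplification of a WLC's built-in server.

```python
"""Check the DHCP pool layout across two wireless LAN controllers.

Added example (not from the thread). Two controllers that each run an
internal DHCP server over the same pool hand the same address to different
clients, because neither server sees the other's leases. The functions below
flag overlapping pools in a planned layout and reproduce the collision.
"""
from ipaddress import ip_address
from typing import Dict, List, Tuple

Scope = Tuple[str, str]  # (first address, last address), both inclusive

# Constructed sample layouts mirroring the poster's options 1 and 2.
OPTION_1 = {"wlc-a": [("10.0.0.10", "10.0.0.99")],
            "wlc-b": [("10.0.0.100", "10.0.0.199")]}
OPTION_2 = {"wlc-a": [("10.0.0.10", "10.0.0.199")],
            "wlc-b": [("10.0.0.10", "10.0.0.199")]}


def scopes_overlap(a: Scope, b: Scope) -> bool:
    """True when two inclusive address ranges share at least one address."""
    a_lo, a_hi = ip_address(a[0]), ip_address(a[1])
    b_lo, b_hi = ip_address(b[0]), ip_address(b[1])
    return a_lo <= b_hi and b_lo <= a_hi


def find_overlaps(controllers: Dict[str, List[Scope]]) -> List[Tuple[str, str, Scope, Scope]]:
    """Return every pair of scopes on different controllers that overlap."""
    names = sorted(controllers)
    hits = []
    for i, first in enumerate(names):
        for second in names[i + 1:]:
            for s1 in controllers[first]:
                for s2 in controllers[second]:
                    if scopes_overlap(s1, s2):
                        hits.append((first, second, s1, s2))
    return hits


class InternalDhcp:
    """Hypothetical model of one controller's built-in DHCP server.

    Leases are handed out sequentially from the scope and are known only to
    this server, which is the property that makes shared pools unsafe.
    """

    def __init__(self, scope: Scope):
        self.next_free = ip_address(scope[0])
        self.last = ip_address(scope[1])
        self.leases: Dict[str, str] = {}  # client MAC -> address

    def lease(self, mac: str) -> str:
        if mac in self.leases:
            return self.leases[mac]
        if self.next_free > self.last:
            raise RuntimeError("scope exhausted")
        addr = str(self.next_free)
        self.next_free += 1
        self.leases[mac] = addr
        return addr


def duplicate_assignments(controllers: Dict[str, Scope],
                          clients: Dict[str, str]) -> Dict[str, List[str]]:
    """Lease each client from the controller it associates to.

    Returns addresses that ended up assigned to more than one client.
    """
    servers = {name: InternalDhcp(scope) for name, scope in controllers.items()}
    by_addr: Dict[str, List[str]] = {}
    for mac, wlc in clients.items():
        by_addr.setdefault(servers[wlc].lease(mac), []).append(mac)
    return {addr: macs for addr, macs in by_addr.items() if len(macs) > 1}


if __name__ == "__main__":
    print("option 1 overlaps:", find_overlaps(OPTION_1))
    print("option 2 overlaps:", find_overlaps(OPTION_2))
    shared = {"wlc-a": OPTION_2["wlc-a"][0], "wlc-b": OPTION_2["wlc-b"][0]}
    clients = {"aa:bb:cc:00:00:01": "wlc-a", "aa:bb:cc:00:00:02": "wlc-b"}
    print("duplicate leases:", duplicate_assignments(shared, clients))
```

Option 1 passes the overlap check but, as the poster saw, a client that fails over lands in a pool its old address does not belong to and must re-lease; option 2 fails the check, and the simulation shows both controllers issuing the first free address of the pool to different clients. A single external server (with the secondary server address configured on the controller for redundancy) removes the split authority that causes both problems.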