Wlc mobility group

Similar Messages

• WLC Mobility Group Confusion

  Can some please clarify how Mobility groups work and when to use them. I have 2 data centers, each with a WLC, for centralized control. I just want to provide simple redundancy.
  When should I use an Anchor group.
  Thanks for your help.

  To make it simple, any wlc's that will be a primary, secondary or tertiary WLC for lap's will need to be placed in the same mobility group. Now if you have a guest anchor controller for guest, then that will need to be added in the same mobility group. Bottom line, when users roam from AP to AP from WLC to another even getting tunneled (anchor) the WLC's need to be aware of the roaming and that is what mobility group does.
  Anchor is if you want to tunnel users to a specific controller like in a guest wireless situation when the WLC is located in the DMZ. There are other reasons, but this is most likely why.

• WLC MOBILITY GROUP SINGLE WEB AUTHENTICATION

  Hi.
  I have installed two AIR-WLC2112 with mobility group configured and authentication web.
  I want to know if you can create user / password web authentication only in one  WLC.
  Now, when I create a new user / password , I have to create in two WLC.
  Thanks

  Inorder to validate a site issuing a certificate , client should be loaded with a certificate from same Certificate Authority. Else ignore the warning and continue to the site. If you want to know if the site is valid , click on View certificate on the warning page and see if it belongs to the website.

• WLC Mobility Group problem

  Hi to all,
  we've two internal WLC which belong to the same MG (the default one), and one DMZ WLC which belongs to another MG.
  All are running OS 4.2.61
  After configuring Mobility Group using the "edit all" inserting the WLC IP address and MAC of the MGMT interface and the name of the MG which they belong, I notice a strange behaviour:
  - WLC1 has Data path UP with internal's WLC2 and DMZ WLC...but Control path is down.
  - WLC2 has Data path and Control path UP with DMZ WLC and only Data path UP with WLC1
  - DMZ WLC has Data path and Control path UP with DMZ WLC and only Data path UP with WLC1
  MG Secure Mode is disabled on all WLC's seeing the following bug CSCsk36683 (The mobility control path is down when secure mode is enabled).
  Reachability via ping is OK, via eping the same but mping are not working from WLC1 to WCL2 and from DMZ WLC to WLC2
  I've already restarted both controllers without success...what i've noticed is on WLC2 and DMZ WLC msglog there are a lot of these entries with a lot of RX errors ===>>>MM-3-INVALID_PKT_RECVD: Received an invalid packet from X.X.X.X. Source member:0.0.0.0. source member unknown.
  any idea?
  Tnx
  Omar

  Here is the URL for the configuration for the Mobility Group follow the URL which will help you :
  http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00809817ca.shtml

• WLC mobility group between 4404 and 5508 controllers

  Mobility 'Control and Data Path Down' between 4404 and 5508 WLC's.
  Hello, we have 5 x 4404 WLC's running 7.0.240.0 with mobility configured fine between them.
  We have installed a 5508 with HA running 7.4.110.0, and have tried to add it to the mobility group, however we see 'Control and Data Path Down' between the new 5508 and all the 4404 controllers.
  All controllers have:
  The same virtual address
  Management interfaces are in the same VLAN, and indeed all the controllers connect via the same pair of 3750X stacked switches.
  The default mobility domain name is the same
  4404 output when issung the command 'show mobility summary'
  Symmetric Mobility Tunneling (current) .......... Enabled
  Symmetric Mobility Tunneling (after reboot) ..... Enabled
  Mobility Protocol Port........................... 16666
  Default Mobility Domain.......................... SGH-Mobility
  Multicast Mode .................................. Disabled
  Mobility Domain ID for 802.11r................... 0xe209
  Mobility Keepalive Interval...................... 10
  Mobility Keepalive Count......................... 3
  Mobility Group Members Configured................ 6
  Mobility Control Message DSCP Value.............. 0
  5508 ouput when issueing the command 'show mobility summary'
  Mobility Architecture ........................... Flat
  Mobility Protocol Port........................... 16666
  Default Mobility Domain.......................... SGH-Mobility
  Multicast Mode .................................. Disabled
  Mobility Domain ID for 802.11r................... 0xe209
  Mobility Keepalive Interval...................... 10
  Mobility Keepalive Count......................... 3
  Mobility Group Members Configured................ 6
  Mobility Control Message DSCP Value.............. 0
  I've spent quite some time double checking all the configurations to no avail.
  Has anybody seen this problem before?
  Kind regards
  Dave Bell

  Thanks Sandeep.
  I am well versed with WLC's and mobility, however trying to add a 5508 to a mobility group with 4404's has come up with a bit of a curve ball.
  All the 4404 controllers all joined the mobility group fine, no problems at all - its only the 5508 I am struggling with.
  In theory its simple, populate the IP address, and MAC addres of the management interface of the remote WLC, as long as the management interfaces are in the same VLAN, and the Default Mobility Domain Name are the same it should come up.
  Interestingly I have found the 5508 reports its own management interface MAC address incorrectly when viewing the Mobility Groups:
  For example:
  {Screen shot WLC1.jpg}
  5508 management address is 10.95.x.x and when viewing the Mobility Management screen it shows its own MAC address as bc:16:65:f9:37:60.
  however!
  From our router is I do an sh arp | i 10.95.x.x (controller management address), I see:f872.eaee.becf.
  {Screen shot wlc2.jpg}
  Hence the WLC reports as: bc:16:65:f9:37:60
  and
  The network reports as: f872.eaee.becf for the same IP address.
  I have changed the other WLC's to the MAC adress seen on the network for the new controller, aka changed from
  bc:16:65:f9:37:60
  to
  f8:72:ea:ee:be:cf
  I now see the controllers reporting the mobility with the new controller as 'Control Path Down', however I am at a loss as to what may be causing this?
  Kind regards
  Dave Bell

• Replace WLC Mobility Group Anchor

  We have 2 5508 and 1 4402 WLCs and all belong to the same mobility group. The 4402 does not have any access points and does nothing more than serve as a mobility anchor for our public wireless SSID. We are planning to replace the 4402 with a new 2504 unit which will have the same configuration including IP as the 4402. Is there anything I need to do with the mobility groups when we remove the 4402?
  Thanks for any help.
  Jeff

  you'll need to add the MAC of the 2504 to the mobility group, and remove the entry for the 4402.
  Out of Curiosity...how many concurrent guest users to you have usually?
  Steve

• WLC 5508 and mobility groups

  Hi,
  We are using 2 WLC 5508 running 7.0.98.0 sw (AP's are 1142) at our primary site. They are hosting 3 different WLAN/SSID's, one for guest and the
  other 2 are for corporate access. We have put the WLC's in a mobility group, say "AAAA".
  Now we have the need for our UK peer site to publish a corp WLAN that exists in UK - at our site, and when trying to configure for that (following the c70cg.pdf) - I put the WLC's for UK in a new mobility group, say "BBBB". But i can't add our WLC's into that mobilty group
  (i get a duplicate mac address message).
  What's the correct way of configuring this, does all WLCs need to be in the same mobility group?
  Is there some reason why we can't have 2 mobility groups? Is there any upside/downside to configuring 2 mob. groups?
  Any clearification would be greatly appreciated
  BR
  //Mikael

  I think you are misunderstanding , so far what you did on your local swedish site is correct. Your two swedish WLCs have to be in their own same mobility group so you can give seamless roaming to your wireless users across your swedish area without interruption.
  On a WLC mobility group config page, you can have only one entry  per WLC, this is why you are getting the duplicate error message.
  WEBGUI - CONTROLLER - MOBILITY MANAGEMENT - MOBILITY GROUPS
  If you want to put your 4 WLCs so they exchange mobility messages, the following has to happen on all 4 WLCs.
  xx:xx:xx:xx:xx:xx  192.168.1.1  uk
  yy:yy:yy:yy:yy:yy 192.168.1.2 uk
  zz:zz:zz:zz:zz:zz  172.17.1.1  sweden
  aa:aa:aa:aa:aa:aa  172.17.1.2  sweden
  Note when you add WLC on the mobility section, the WLC start sending messages to each like, hey i have this client and you have that client and so on. But this has nothing to do with what you are trying to achieve.
  With regards to the execs that are coming, yes, replicate the SSID and point it to the Radius Server they have in UK, add your swedish WLC(s) as a NAS on the Radius Server and it should work as if they were in UK. that should be enough and i advise you to do the following for mobility groups config.
  on the two UK WLCs
  xx:xx:xx:xx:xx:xx  192.168.1.1  uk
  yy:yy:yy:yy:yy:yy 192.168.1.2 uk
  on the two Swedish WLCs
  zz:zz:zz:zz:zz:zz  172.17.1.1  sweden
  aa:aa:aa:aa:aa:aa  172.17.1.2  sweden
  hope i cleared it out for you. greeting from cold Belgium tonight :-) and hope the execs will enjoy Sweden!

• WLC 5508 * 2 & Mobility Group

  What I am trying to configure is Mobility Groups.
  My understanding is that this will allow AP to successfully register and fail over over seamlessly if any of the WLC had to fail ?
  It could be I am confusing two things into one :( & I am totally confused and not understanding the benefits of mobility group mentioned above.
  Also when a AP starts up and registers with the WLC ......I click on a registered AP > High Availability ( Primary / Sec / Tertiary ) all fields are blank...
  Initially I also thought that once my SSO is all setup and working than those options "AP > High Availability" will get populated automatically but clearly not unless something is not working.
  My current config is as follows:-
  WLC 5508 * 2
  WLC 1 - Primary
  WLC 2 - HA SKU (Secondary )
  Redundancy = SSO (Both AP and Client SSO)
  =============
  (Cisco Controller) >show sysinfo
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.6.130.0
  Bootloader Version............................... 1.0.20
  Field Recovery Image Version..................... 7.6.101.1
  Firmware Version................................. FPGA 1.7, Env 1.8, USB console 2.2
  Build Type....................................... DATA + WPS
  System Name...................................... WLC5508
  System Location..................................
  System Contact...................................
  System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
  Redundancy Mode.................................. SSO (Both AP and Client SSO)
  IP Address....................................... 10.31.66.21
  Last Reset....................................... Software reset
  System Up Time................................... 0 days 22 hrs 39 mins 57 secs
  System Timezone Location......................... (GMT) London, Lisbon, Dublin, Edinburgh
  System Stats Realtime Interval................... 5
  System Stats Normal Interval..................... 180
  Configured Country............................... GB  - United Kingdom
  Operating Environment............................ Commercial (0 to 40 C)
  --More-- or (q)uit
  Internal Temp Alarm Limits....................... 0 to 65 C
  Internal Temperature............................. +38 C
  External Temperature............................. +21 C
  Fan Status....................................... OK
  State of 802.11b Network......................... Enabled
  State of 802.11a Network......................... Enabled
  Number of WLANs.................................. 1
  Number of Active Clients......................... 0
  Burned-in MAC Address............................ F8:72:EA:EE:5B:B2
  Power Supply 1................................... Present, OK
  Power Supply 2................................... Absent
  Maximum number of APs supported.................. 500
  ============================================
  TA

  TA,
  Mobility and mobility groups are used for the wireless users roaming. What we know that a wireless users can roam between different APs within the same WLC, but when the SSID is used within multiple WLCs, and the client wanted to roam to an AP joined to another WLC, you would need to configure WLC mobility to maintain seamless roaming. For more info:
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_010001101.html
  Now, I understand that your purpose is to have high availability for your APs. No this is done traditionally from the AP page, under HA tab, where you configure the WLCs names and IPs there. This can be done manually on each AP (you can use CLI to make it easier) or you can push a configuration template using a management server (WCS/NCS/CPI).
  Configuring HA on the AP:
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01110000.html
  http://www.cisco.com/c/en/us/td/docs/wireless/controller/8-0/configuration-guide/b_cg80/b_cg80_chapter_01110001.html
  Using CPI to push AP configuration templates:
  http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/2-0/configuration/guide/pi_20_cg/temp.html
  Now mobility may play a role in this, as if you have already configured mobility for your WLCs, then you won't need to configure a "name" for the WLCs when you add them under the HA tab in AP configuration page. That's it.
  BR, Ala

• WLC 7.3.101.0 Mobility group peer cannot up.

  Hi Guys,
  It seems the 7.3.101 version Mobility group peer cannot up,: refer to the attach,
  Peer 1: version: 7.3.101
  Peer 2: version 7.0.98
  Peer3: version 7.2.103
  Today we got new two WLC for Anchor use, and config the mobility group, but it's failed and cannot up, the ping is ok.

  Chris is right here. One thing I tell my clients is to allow everything between the foreign and the anchor WLC's just to verify that the mobility can come up, then lock it down. Here is some links that explain what test is for what port.
  http://www.cisco.com/en/US/products/ps6366/products_qanda_item09186a00809a30cc.shtml#qa8
  Anchor Controller Positioning
  Because the anchor controller is responsible for termination of guest WLAN traffic and subsequent access to the Internet, it is typically positioned in the enterprise Internet DMZ. In doing so, rules can be established within the firewall to precisely manage communications between authorized controllers throughout the enterprise and the anchor controller. Such rules might including filtering on source or destination controller addresses, UDP port 16666 for inter-WLC communication, and IP protocol ID 97 Ethernet in IP for client traffic. Other rules that might be needed include the following:
  •TCP 161 and 162 for SNMP
  •UDP 69 for TFTP
  •TCP 80 or 443 for HTTP, or HTTPS for GUI access
  •TCP 23 or 22 for Telnet, or SSH for CLI access
  Depending on the topology, the firewall can be used to protect the anchor controller from outside threats.
  For the best possible performance and because of its suggested positioning in the network, it is strongly recommended that the guest anchor controller be dedicated to supporting guest access functions only. In other words, the anchor controller should not be used to support guest access in addition to controlling and managing other LWAPP APs (LAPs) in the enterprise.
  Sent from Cisco Technical Support iPhone App

• WLC 7.4.100.0 Mobility group control and data path down

  Hi All,
  Today i am facing issue with mobility group. i checked and found  control and data path is down on foreign controller.I am able to ping anchor controller. Required ports are open on firewall but mping and eping fails. Any idea whats wrong. On Anchor controller, i have 7 foreign controller configured and among these 3 are working fine. Having problem with 4 foreign controller. Previously all are working fine and there is no changes made on network or firewall.            

  Post output of "show mobility summary" of your Anchor WLC & a non-working WLC. Also "show sysinfo" of those two controllers.
  Regards
  Rasika

• Mobility Group Requirements for Guest Anchor WLC

  Hello -
  I've alway assumed you can't create a guest tunnel between a local WLC and an anchor WLC that are in different mobility groups.   However, I was told recently (without much detail) that this is possible.  So I have set out to test this.  
  I am trying to point one of my local WLCs guest SSIDs to a guest anchor WLC in a different mobility group.   I have a maintenance window coming up and I am looking to anchor the clients on one campus to the anchor WLC on the other campus so guest service does not go down.   Each campus is it's own mobility group.   In trying to set this up I went to the "mobility anchors" screen for the guest SSID on one of the local WLCs and I am unable to add the anchor WLC from the other campus because it's non in the drop-down menu.  This is because it's not in the same mobility group.   So my question is how do I anchor clients coming through a local WLC in one mobility group to an anchor WLC in another mobility group?
  To me it doesn't seem possible without significant configuration changes.   I don't want to reconfigure/recreate mobility groups. 
  Thanks
  Chuck

  Not only is it possible, I would recommend it. However, you may be confusing some concepts.
  The Mobility Group is different than the Mobility Domain.  I generally refer to the Mobility Group as those WLCs with the same Default Mobility Group Name, and the Mobility Domain as the entire Mobility List (where you can define up to 72 controllers from various mobility groups).
  The point is that if WLCs 1-10 are GroupA, and WLCs 11-20 are GroupB, for anchoring to work you at least need to add the anchor to the mobility list of the foreign wlc, and vice versa.
  If you notice, when you add a mobility entry to the list, it should ask you for mobility group. If you leave it blank, it should default to that of that WLC,  but on GroupA controllers, you could define GroupB controllers (and specific GroupB) and then you should now have mobility established between your controllers and the Anchor configuration will have your anchors in the drop-down....
  Does that make sense?

• Mobility group same ssid multiple WLC

  I have a 4400 and a 5508 WLC in the same location
  We want to be able to roam between ap joined to both the 4400 and the 5508 using only one ssid
  Do I only need to create a mobility group and add both WLC
  then create only one WLAN on one of the controllers and it will be shared across bot WLC.
  Or something else?

  Resolution :
  Yes you are correct. Please follow this link for Mobility groups and Roaming :
  http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_mobility.html

• WLC 5500 mobility group failover

  Hey
  I have a Question i am testing  mobility group with
  Failover for redundend connection between 2
  Cisco 5500 Wlc.
  On both the controllers i got the mobility working
  And both the controllers have the same version
  And configuration.
  But when i unplug the main controller the access-
  Points don't convers to the second one
  The just keep on creaming can't find the main controller
  Also with this thus the second wlc need to have the same
  Interface ip address like managment..??
  Thanks

  What do you mean by "convers". An AP will only join one wlc and when that primary wlc is no longer available, should failover to the other/secondary wlc. Mobility is required for an AP to know about all the other APs in that mobility group. And if not configured correct, your AP will only be able to join that wlc.
  Thanks,
  Scott Fella
  Sent from my iPhone

• Unable to add new WLC to the Mobility Group

  Hi,
  Any help will be very welcome.
  I recently add a second CT5508 to the network, but when I tried to add the first 5508 to the mobilty group I received a message like this:
  "error in creating member"
  I've tried different mobility names, via GUI, via CLI and always the same error.
  I've verified twice or more than twice connectivity issues or any error on the entering the MAC and IP of the controllers, everything is fine.
  Any idea?
  I'm using version 7.0.116.0
  Thanks

  Hello Moises,
  Did you load a configuration backup from your first WLC to the new second WLC? If so, it's possible we have a stale duplicate entry from loading a configuration.
  On the WLC where you cannot add the member, let's try clearing out the stale entry from the CLI:
  config mobility group member delete 00:00:00:00:00:00
  Then, try to add the member and see if it works.
  -Pat

• Does a 2504 WLC support mobility group with WiSM1 on 6500 Series

  if a 2504 WLC support mobility group with WiSM1 on 6500 Series.
  Model: WLC 2504
  Software version: 7.3.101.0
  Model: WiSM1
  Software verion: 7.x.x.x

  Yes and no. 
  Yes, mobility is supported.  
  No because I personally won't recommend inter-controller roaming.  This is more true when you're dealing with 4400/WiSM-1.  This is even more true when you've got WLC running two (or more) different codes.