Mobility groups, failover across different subnets

I've been reading up on 5.1 and am wondering how and if actual failover across subnets is an option.
I understand the roaming of clients from controllers in the same MG on diff subnets.
How does it work if your primary "anchor" isn't alive to replicate the DB entry to the off-subnet controller? Say if my local WIsm's die and the backup is in the next state, how will the AP's maintain connectivity?
thanks!

Yes, but tha ap's will take the new configuration from that WLC. Also... users will get tunneled back to that wlc and be dumped off in that subnet. So make sure you understand the ssid and what ip's clients will get when they associate to different wlc's. That should do it.

Similar Messages

  • Is it possible to cluster appliances across different subnets?

    We are attempting to cluster two appliances across different subnets in order to provide greater survivability. Although we were able to cluster the appliances, the manageability of the appliances has become somewhat impaired. We've opened ports 443, 22 and 2222 between the two appliances. The appliances are C350s running AsyncOS 7.1.3-010. Are we missing something?
    Thanks,
    Rob

    Rob,
    Are these appliances communicating using IP addresses? If yes, in order to a join cluster,using IP addresses there must be a reverse DNS  (PTR) record configured in DNS server for the Cisco IronPort appliance.Please check that if the the reverse lookup works. If not, it might be another issue.
    Regards,
    Jyothi Gandla
    Customer Support Engineer

  • WLC 5500 mobility group failover

    Hey
    I have a Question i am testing  mobility group with
    Failover for redundend connection between 2
    Cisco 5500 Wlc.
    On both the controllers i got the mobility working
    And both the controllers have the same version
    And configuration.
    But when i unplug the main controller the access-
    Points don't convers to the second one
    The just keep on creaming can't find the main controller
    Also with this thus the second wlc need to have the same
    Interface ip address like managment..??
    Thanks

    What do you mean by "convers". An AP will only join one wlc and when that primary wlc is no longer available, should failover to the other/secondary wlc. Mobility is required for an AP to know about all the other APs in that mobility group. And if not configured correct, your AP will only be able to join that wlc.
    Thanks,
    Scott Fella
    Sent from my iPhone

  • Communication across different subnets using DatagramSocket class

    Hi All
    I've written a simple client-server program to send broadcast messages across the network and receive them back after some processing. The problem is that the messages sent by the program are not received across the subnets i.e. my program broadcasts messages only on the one subnet. I am using DatagramSocket class. Is there any way to communicate across the subnets using DatagramSocket class or will I've to use the some other class like MulticastSocket?
    Thanks in advance
    Neeraj

    neejain wrote:
    The problem is that the messages sent by the program are not received across the subnets
    Your router/gateway is probably set up to drop udp. This is usually done by network administrators to prevent things like broadcast storms across large networks. If you have admin access to the router, you should be able to change it to allow routing of udp.
    God bless,
    -Toby Reyelts

  • Sharing across different subnets

    I have successfully connected a remote PC to my WRV54G using QuickVPN.  That remote PC can ping computers across the VPN and those computers can likewise ping the remote PC.  I have even successfully connected with Remote Desktop from that remote PC and controlled a computer across the VPN.
    I can not, however, access shared resources on the computers across the VPN from the remote PC.  (For the sake of discussion, assume that no firewalls exist in my scenario.)  The remote PC has a local IP address of 192.168.1.4 and the computers behind the VPN have a local subnet of 10.109.220.0.  I attempted to use the "run" command in windows and typed "//10.109.220.100/" from the remote PC to open the shared resources on the computer with that address.  This did not work; I only received an error message.  I didn't expect to be able to "see" computers across the VPN since the subnets are different, but I did expect to be able to access shared resources if I knew the IP addresses beforehand.
    Can anyone help me?

    Is the remote computer in the same Workgroup as the local computer? It might help if they are.

  • Possible to ssh tunnel Bonjour traffic across different subnets?

    Hello:
    For quite some time, I have been thinking of buying a couple of iSights to enable audio/visual between two distant computers. But I really don't want to have to leave a dozen ports in my DSL modems opened up in order to use AIM or Jabber servers to iChatAV to my "usual" called parties (I can't help it, I'm paranoid - I have one ssh port open on my DSL modem at home - so most everything I do from afar -- afp (port 548), vnc( port 5900), etc., I tunnel it all over ssh).
    So, in a similar vein, what I would like to do is treat a distant computer as if it were on my local 192.168.x.x NAT subnet, in order to do a Bonjour-like iChatAV connection without having to go to through these public servers and without having to leave a dozen ports open in my firewall (or go through the drill of opening/closing ports every time I want to iChat).
    Now, if I understand this correctly, on one's local subnet, iChat AV works using Bonjour to communicate with other iChat AV users on the same subnet, which, I think, uses multicast packets. So I'm wondering if it is possible to ssh tunnel multicast traffic to a different computer like so:
    ssh -L 5297:localhost:5297 -L 5298:localhost:5298 {called.party.IP.address}
    thus being able to set up a secure point-to-point iChatAV connection?
    Anybody ever do something like this?

    Hin j.v.,
    It is possible to iChat Bonjour over a Virtual Private Network , yes.
    2:33 PM Thursday; May 4, 2006

  • How DLNA Across different Subnet???

    Hi all,
    I have a NAS storage for media server on my VLAN subnet 10.10.30.0 and i have two more VLAN 10.10.10.0 and 10.10.20.0 i want to access my media server on these two VLANs as well. how i can allow broadcast for DLNA(Media Sever) on my router.

    I got this working by using "ip multicast-routing" and adding "ip pim sparse-dense-mode" under the relevant VLAN interfaces.
    I did have to activate the advipservices license on my 881W. Otherwise my device does not support "ip pim".

  • N+1 redundancy and different mobility groups

    Is it possible to backup 2 controllers with 2 different mobility groups (for example GROUP1 and GROUP2) to the same backup controller (running HA SKU N+1 (7.4)) ?
    Since a controller can only be configured in 1 mobility group, this doesn't seem to be possible. Can someone confirm ?
    regards,
    Geert

    Hello,
    As per your query i can suggest you the following solution-
    In all Wireless LAN Controller (WLC) versions earlier than 4.2.61.0, when a WLC goes "down," the LAP registered to this WLC can failover only to another WLC of the same Mobility Group, if the LAP is configured for failover. From Cisco WLC version 4.2.61.0 and later, a new feature called Backup Controller Support is introduced for access points to failover to controllers even outside the Mobility Group. Refer to Wireless LAN Controller and Light Weight Access Points Failover Outside the Mobility Group Configuration Example for more information.
    Hope this will help you.

  • Using DHCP with a cFP-20XX across a different subnet

    I have a cFP-2010 that will work great when set up with a static IP or DHCP as long as it is on the same subnet. If I set it for DHCP then move it to a different subnet, MAX can no longer find it. Do I have to use a static IP when going across subnets, or is there something I'm missing?
    Thanks,
    Steve

    Selmore,
    Not 100% sure this will work for FieldPoint controllers, but for some
    other NI controllers (e.g. CompactRIO) if you give a name to the
    controller in MAX and set it to use DHCP, then when its IP address is
    assigned by the DHCP server its name is registered as a DNS name. That
    means you can use that name to communicate to it from a different
    subnet. By using ping commands you should be able to demonstrate if
    this works for FieldPoint or not; I believe it should.
    Hope my answer is clear enough and helps.
    JMota

  • WLC4402 mobility group for failover

    Anyone know what the return time is for an AP to jump back to the primary controller from the secondary controller once it comes back online? I have a backup controller over a WAN connection that I'm using to backup four different locations. WLC is runnign 3.2.78 code. APs are 1000 series.

    We're trying to figure this out as well; we have a WiSM, and try to get the APs to fail over from one side to the other. They do, but it takes them a good 30 seconds and obviously no traffic is passed during this time. Both controllers share a mobility group, and each mobility group peer can ping the other.
    The APs are converted 1131AGs an 12xx series. We've used http://www.cisco.com/warp/public/102/wlc_failover.pdf to set this up, but there reregistration is hardly immediate, and the APs don't seem to ever switch back to the primary controller once it comes back up. Any suggestions?

  • WLC 4400 - Different minor versions same mobility group?

    Hi all,
    i have 2 WLC 4400 integraded in 3750G.
    One has 6.0.202 and the other 6.0.188.
    They are in different places but now i want to put them in the same mobility group.
    Will this difference be a problem?
    BR
    Anthony

    Yes it will be an issue. You have to remember that the AP gets it firmware from the WLC image. So if an AP has to mi e from one to the other, it will either upgrade or downgrade each time. Best practice is to keep the firmware the same.
    Sent from Cisco Technical Support iPhone App

  • Can ARD 3 now share a screen across 2 different subnets

    We have one central office. Clients access that office via a VPN. We can then share our screen with them as we work on a proof of a project.
    It's a great solution, however, we can't with ARD 2.2 get it to work with two clients at once over the VPN.
    An old Kbase article said that it wasn't possible to route screen sharing to two different subnets in the 2.2 version. But rather required all clients be on the same subnet.
    Does anyone know or have the ability to test to see if this is different is 3.0. I'm hopeful that it is, as I can no longer find the old Kbase article saying that it wasn't possible.
    Thanks,
    Greg

    Still no reply as to if this was resolved. I'm not so much worried about the move on the client side. As once we upgrade we have the luxury of upgrading everyone at once. I think that will be a smooth process.
    However, our motivation to upgrade is dependant on wether or not the ability to route traffice over multiple subents is fixed or not. So we'll wait and see. If anyone can easily test this. I'd love to know. Sounds like a few other people are hoping to hear something as well.
    Thanks in advance,
    Greg

  • Controller failover for different controllers

    Hi,
    I have 3 existing controller with different model, capacity, version and configurations. I have purchased new controller that supports 100 APs.
    Let's say WLC_A has a capacity of 25 APs and caters 20 APs, WLC_B has a capacity of 12 APs and caters 12APs, WLC_C has a capcity of 50 and caters 30APs. the NEW WLC, WLC_NEW has a capacity of 100 and will only have 18 APs registered to it.
    What will be the requirement for me to have WLC_A, WLC_B, WLC_C failover to WLC_NEW, given that all OLD WLCs have different version and configurations? We are trying to make this as HA as possible.

    Let me try to explain this a little better.  If you have the following like you posted earlier and all these WLC's are located in the same building and you mobility between the two.  When a user roams from one WLC to another, it will break and the user will have a hard time accessing the SSID.  This is because you changed the security method.  You can't apply multiple security profiles on a client.
    WLC_A
    SSID: Guest
    Security: none
    VLAN: 20 SW_A
    WLC_B
    SSID:Guest
    Security:web auth
    VLAN: 40 SW_B
    WLC_NEW
    SSID:Guest
    Security:WPA_PSK
    VLAN: 20 SW_NEW
    What you need to do is define your wireless requirements (SSID & Security method)  You want to have the same SSID have the same security method and preferably have the dynamic interfaces on the same subnet if your L2 to the access.
    This is how you should have guest as an example.  All the WLC should be in the same mobility group!
    WLC_A
    SSID: Guest
    Security: WebAuth
    VLAN: 20 SW_A
    10.20.10.20/24
    WLC_B
    SSID:Guest
    Security:WebAuth
    VLAN: 20 SW_B
    10.20.10.21
    WLC_NEW
    SSID:Guest
    Security:WebAuth
    VLAN: 20 SW_NEW
    10.20.10.22
    This setup will allow users to roam from one WLC to another seamlessly.

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs setup -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below is the configurations on our ASA,
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per you recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • WLC 5508 and mobility groups

    Hi,
    We are using 2 WLC 5508 running 7.0.98.0 sw (AP's are 1142) at our primary site. They are hosting 3 different WLAN/SSID's, one for guest and the
    other 2 are for corporate access. We have put the WLC's in a mobility group, say "AAAA".
    Now we have the need for our UK peer site to publish a corp WLAN that exists in UK - at our site, and when trying to configure for that (following the c70cg.pdf) - I put the WLC's for UK in a new mobility group, say "BBBB". But i can't add our WLC's into that mobilty group
    (i get a duplicate mac address message).
    What's the correct way of configuring this, does all WLCs need to be in the same mobility group?
    Is there some reason why we can't have 2 mobility groups? Is there any upside/downside to configuring 2 mob. groups?
    Any clearification would be greatly appreciated
    BR
    //Mikael

    I think you are misunderstanding , so far what you did on your local swedish site is correct. Your two swedish WLCs have to be in their own same mobility group so you can give seamless roaming to your wireless users across your swedish area without interruption.
    On a WLC mobility group config page, you can have only one entry  per WLC, this is why you are getting the duplicate error message.
    WEBGUI - CONTROLLER - MOBILITY MANAGEMENT - MOBILITY GROUPS
    If you want to put your 4 WLCs so they exchange mobility messages, the following has to happen on all 4 WLCs.
    xx:xx:xx:xx:xx:xx  192.168.1.1  uk
    yy:yy:yy:yy:yy:yy 192.168.1.2 uk
    zz:zz:zz:zz:zz:zz  172.17.1.1  sweden
    aa:aa:aa:aa:aa:aa  172.17.1.2  sweden
    Note when you add WLC on the mobility section, the WLC start sending messages to each like, hey i have this client and you have that client and so on. But this has nothing to do with what you are trying to achieve.
    With regards to the execs that are coming, yes, replicate the SSID and point it to the Radius Server they have in UK, add your swedish WLC(s) as a NAS on the Radius Server and it should work as if they were in UK. that should be enough and i advise you to do the following for mobility groups config.
    on the two UK WLCs
    xx:xx:xx:xx:xx:xx  192.168.1.1  uk
    yy:yy:yy:yy:yy:yy 192.168.1.2 uk
    on the two Swedish WLCs
    zz:zz:zz:zz:zz:zz  172.17.1.1  sweden
    aa:aa:aa:aa:aa:aa  172.17.1.2  sweden
    hope i cleared it out for you. greeting from cold Belgium tonight :-) and hope the execs will enjoy Sweden!

Maybe you are looking for