WLC remote fallback

Hi,
I have multiple WLC installations on different sites with local APs. Is there a methodology or plan to solve the fallback situation by installing a central WLC in the data center (e.g.)? What should I follow to create a solution to this problem? Licensing, choosing the WLC controller model, limitations, etc.
Do I have to create a local redundancy first and then at the data center, as I saw on a web page? Is it possible to make a fallback solution for this type of infrastructure?

You have to look to see what happens if a WLC fails at a site. The issue I have, if you're in local mode, is that if you have a WLC at a central location as a backup, then all traffic will be tunneled to that WLC and users will have to get a new IP address, since your centralized WLC will have interfaces that are local to that site. Typically it's best to have a redundant WLC at each location, but you really need to figure out the what-if and how the traffic flows now.
Licensing depends on how many APs you want to be able to support... maybe you want to have a license for one of the largest sites, or maybe enough licenses for two large sites to fail over. This will also tell you what controller model you have to go with, since there is a max number of APs depending on the WLC.
Thanks,
Scott
Help out others by using the rating system and marking answered questions as "Answered"

Similar Messages

  • WLC & Remote AP via WAN link

    Hi Team,
    During centralized WLC 7500 controller connectivity with a branch office AP, can we use the public IP address in WLC management, in case we do not have VPN connectivity between the remote and branch location and only have an internet connection at both ends? Will my remote end AP associate with the centralized WLC controller via a public IP (not a private local IP), or is a VPN / MPLS solution a must for communication between the WLC and remote AP?

    You can configure OfficeExtend on those APs. You would enable the NAT address on the management interface and put your public address there. Then you would open UDP 5246 and UDP 5247 from the public side to the WLC management. Then enable data encryption on the AP after it joins. The AP can be in local FlexConnect mode. Here are some links to look at.
    http://jenniferhuber.blogspot.com/2011/11/configuring-3500-series-access-point-as.html?m=1
    http://www.cisco.com/en/US/docs/wireless/controller/7.0/configuration/guide/c70lwap.html#wp1502674
    Sent from Cisco Technical Support iPhone App

  • WLC RADIUS Fallback Questions

    We would like to configure RADIUS fallback to ensure RADIUS authentications always go to their primary ACS while it's available, but the documentation is not very clear with regard to the username configuration.
    There is no mention of a password, but if you enable fallback - even with the default "cisco-probe" username, failures of that account show up on the ACS server log, so I'm assuming it's not working.
    Can someone shed some light on how exactly this "cisco-probe" should work?
    Thanks!

    There are three modes to fall back:
    off - no fallback
    passive - WLC sends the credentials to the 'dead' server when a user tries to authenticate
    on - You configure a username, and an interval.  WLC sends the credentials to the 'dead' server at configured interval.
    The password really doesn't matter, just that the WLC gets a packet back.  So getting a reject back from the server would bring it back 'alive' in the AAA list.
    make sense?
    HTH,
    Steve
    Please remember to rate useful posts, and mark questions as answered
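The three fallback modes described in the reply above, as a small simulation. This is an added example, not code from the thread or from Cisco; the `RadiusServer` and `Fallback` classes, the user `alice` and the 300-second interval are constructed for illustration, and the mode names follow the reply (off, passive, on).

```python
from dataclasses import dataclass, field

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3      # RFC 2865 packet codes


@dataclass
class RadiusServer:
    """Constructed stand-in for an ACS server."""
    name: str
    users: set
    reachable: bool = True
    log: list = field(default_factory=list)

    def request(self, username):
        if not self.reachable:
            return None                   # no packet back: the request times out
        code = ACCESS_ACCEPT if username in self.users else ACCESS_REJECT
        self.log.append((username, "accept" if code == ACCESS_ACCEPT else "reject"))
        return code


class Fallback:
    """Priority-ordered server list with the dead/alive tracking from the reply."""

    def __init__(self, servers, mode="off", probe_user="cisco-probe", interval=300):
        if mode not in ("off", "passive", "on"):
            raise ValueError("mode must be off, passive or on")
        self.servers, self.mode = servers, mode
        self.probe_user, self.interval = probe_user, interval
        self.dead, self.last_probe = set(), 0

    def _send(self, server, username):
        reply = server.request(username)
        if reply is None:
            self.dead.add(server.name)
        else:
            # Any reply, including Access-Reject, marks the server alive again.
            self.dead.discard(server.name)
        return reply

    def tick(self, now):
        """Mode 'on' only: probe dead servers once per interval."""
        if self.mode != "on" or now - self.last_probe < self.interval:
            return
        self.last_probe = now
        for server in self.servers:
            if server.name in self.dead:
                self._send(server, self.probe_user)

    def authenticate(self, username):
        """Return the name of the first server that answers, or None."""
        for server in self.servers:
            # 'passive' retries dead servers with the real user's request.
            if server.name in self.dead and self.mode != "passive":
                continue
            if self._send(server, username) is not None:
                return server.name
        return None


def run_outage(mode):
    """Primary goes down, comes back, and one probe interval passes."""
    primary = RadiusServer("primary", {"alice"})
    secondary = RadiusServer("secondary", {"alice"})
    fb = Fallback([primary, secondary], mode=mode)
    primary.reachable = False
    during = fb.authenticate("alice")
    primary.reachable = True
    fb.tick(now=300)
    after = fb.authenticate("alice")
    return during, after, primary.log


if __name__ == "__main__":
    for mode in ("off", "passive", "on"):
        print(mode, run_outage(mode))
```

In mode "on" the primary's log shows a reject for `cisco-probe` just before the real user is accepted, which matches the failed-attempt entries the question reports on the ACS server.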

  • One WLC for Headquarter and Remote Site

    Hi
    I have a question about the WLC remote deployment.
    We have the following design at the moment:
    Headquarter
    - Network 192.168.49.0 /24
    - WLC 4402 Version 4.2.61.0
    -- 3 x LAP1252
    -- Layer 3 LWAPP
    -- SSID wep
    -- SSID wpa
    - Windows PDC with Active Directory, DHCP Server and local Data Storage
    - ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
    Remote Site
    - Network 192.168.50.0 /24
    - 2 x LAP1252
    -- SSID wep
    -- SSID wpa
    - Windows PDC with Active Directory, DHCP Server and local Data Storage
    - ACS Version 3.2 for TACACS and RADIUS authentication --> External DB to Active Directory
    Connection between Headquarter and Remote Site
    - 2 Mbit ADSL
    The problem is that the wireless clients on the remote site get an IP address out of the headquarter DHCP range 192.168.49.0 /24. The users on the remote site most of the time only use the local data server in the remote office. With the actual design the whole traffic is switched over the 2 Mbit ADSL connection to the WLC in the headquarter and back to the remote site. That works but it is not that performant.
    The problem could be solved with HREAP, but what I think is that it is not possible to have the same SSID at headquarter and remote site with different VLANs.
    How can I achieve that the clients on the remote site connect to the same SSID (wep or wpa), get an IP address from the remote site DHCP server (192.168.50.0) and the traffic is switched locally?
    I hope you understand what the problem is.
    Thanks in advance for your help!

    Yes, putting the remote APs in HREAP mode will allow the same WLANs to be available on the APs, but the traffic would be locally switched at the AP instead of being tunneled back to the controller. After you put the AP in HREAP mode you would then configure which VLAN you want traffic for each WLAN to be dumped onto for that AP.

  • Clarification regarding WLC 's interfaces

    Hi Netpros,
    I am about to deploy a WLC and LWAPP solution. I have only done Autonomous setups in the past and so would appreciate some clarification regarding the below points:
    1.- switch port connected to LWAPP access points must be an access port (not trunk) correct ?
    2.- switch port connected to WLC 44+ must be a trunk (assuming I need to map SSID to different vlans) correct ?
    3.- WLC 44+ port can only be connected to a gigabit port .. so I can't change its speed in order to connect it to a fastethernet port .. correct ?
    4.- What exactly is Management interface, service port, AP manager ..etc so many names I am getting confused.
    5.- What is layer 2 and layer 3 mode .. I am also confused here.
    6.- If I want all my LWAPP access points on vlan 10 (for argument sake) .. which WLC's interface do I need to place on vlan 10 in order for the access points to register ? I want to have LWAPP and WLC on the same vlan but with so many interface names I don't know which one I have to use (AP manager ? perhaps )
    7.- If I want SSID 1 (vlan 11), SSID 2 (VLAN 22). How do I configure the WLC interfaces (which one do I need to use .. create ..?) so that clients using SSID 1 can communicate on its respective VLAN 11
    8.- Microsoft IAS and PEAP .. do I need to set up every access point as radius client ? or do I only need to configure the WLC as radius client .. and if so which WLC interface's IP address do I need to use on the radius server (IAS)
    I apologize for so many questions and really appreciate your feedback which - as always - I am sure will make things clear.
    Cheers,

    1.- switch port connected to LWAPP access points must be an access port (not trunk) correct ?
    (A) Correct, Cisco recommends no more than 70 or so APs per VLAN. You can do more than 70 and in fact put all of your APs in the same VLAN. But if the controller ever goes dark it could take a bit longer for the APs to join.
    2.- switch port connected to WLC 44+ must be a trunk (assuming I need to map SSID to different vlans) correct ?
    (A) Yup yup. You can trunk the switch or Echannel it and use LAG on the controller.
    3.- WLC 44+ port can only be connected to a gigabit port .. so I can't change its speed in order to connect it to a fastethernet port .. correct ?
    (A) Yup yup, again. GIG only. Won't connect otherwise.
    4.- What exactly is Management interface, service port, AP manager ..etc so many names I am getting confused.
    (A)
    Manager is the IP address you will use to manage the controller. It's the way the controller sees the world.
    AP Manager is used for the APs to phone home to. This interface is not pingable. Nothing special with this interface.
    Service Port ... think about out of service management for the WLC. Suppose you lose network connection to the WLC manager interface. You can jack right into the service port. I have also put this on the network before so you can still access the WLC remotely.
    5.- What is layer 2 and layer 3 mode .. I am also confused here.
    (A)
    Layer 2 --- Think about deploying your entire WLAN on one subnet. So your APs and WLC are all in the same subnet.
    Layer 3 -- This is used when you have your APs on other subnets etc.
    You can actually console into the LWAPP AP during the join process. You will see the AP send a 255.255.255.255. This is a join attempt by the AP to find a controller on its subnet.
    6.- If I want all my LWAPP access points on vlan 10 (for argument sake) .. which WLC's interface do I need to place on vlan 10 in order for the access points to register ? I want to have LWAPP and WLC on the same vlan but with so many interface names I don't know which one I have to use (AP manager ? perhaps )
    (A) The beauty of the WLC is you don't have to have the APs on the same VLAN as the controller, unless you are layer 2. The access layer the APs are on just needs to be routable to the AP interface.
    7.- If I want SSID 1 (vlan 11), SSID 2 (VLAN 22). How do I configure the WLC interfaces (which one do I need to use .. create ..?) so that clients using SSID 1 can communicate on its respective VLAN 11
    (A)
    You map the SSID to VLAN under the WLANs tab. You Create the wired side info (VLANS) under the controller tab
    8.- Microsoft IAS and PEAP .. do I need to set up every access point as radius client ? or do I only need to configure the WLC as radius client .. and if so which WLC interface's IP address do I need to use on the radius server (IAS)
    (A) Advantage of the WLC: you use the WLC as the client to a RADIUS server. The management address.
    I apologize for so many questions and really appreciate your feedback which - as always - I am sure will make things clear.
    Cheers,

  • Guest Access WLC Help

    I have 2 WLc 4402. 1 Remote and 1 DMZ. I have read the deployment guide for guest access 20 times and still cannot get it to work. a couple answers that I don't see in the guide. 1. Do AP's need to be associated with the DMZ WLC? 2. Am I anchoring my management IP or a different Dynamic IP? I have verified with Eping and mping that the tunnels should be able to be created, how do I verify? An issue that concerns me is that I cannot ping (ICMP) my remote WLC mgmt interface from the DMZ WLC. I know I have connectivity because of eping, mping and https mgmt from the same subnet as the DMZ WLC MGMT Interface. should I be concerned about this? It could just be ICMP blocked at the FW.
    I am trying not to open a support ticket as I am sure this is a simple issue. One of my problems is that my VLANs cannot be tagged because the DMZ VLAN does not reside on our core switches and hence I cannot do 802.1Q, which is discussed on page 4 of the dep. guide. To get around this I configured IF/2 on my Remote WLC to an IP from my DMZ subnet. Is this ok, is it needed?
    Summary Internal IF 1.1.1.1 for both WLC
    remote WLC
    MGMT = 10.160.24.30 IF/1
    AP-MGMT = 10.160.24.31
    Service = 192.168.0.10
    guest = 10.160.80.16 IF/2
    DMZ WLC
    MGMT = 10.160.80.15
    ap-mgmt = 10.160.24.33 (don't need?)
    service = 192.168.0.10
    internet = public IP to be natd by FW
    I am a newbie to the Cisco WIFI world, but not to IT/networking.
    Any help would be greatly appreciated

    1. Do AP's need to be associated with the DMZ WLC?
    a) No
    2. Am I anchoring my management IP or a different Dynamic IP?
    a) No IP gets anchored. You Anchor the WLAN on one controller to your DMZ. On the DMZ, you anchor that wlan to itself.
    3) I have verified with Eping and mping that the tunnels should be able to be created, how do I verify?
    a) from CLI: show mobility summary
    This will show you if everything is UP, or if control/data path is down. EPING/MPING should verify this as well if they are successful.
    I'm not sure what you mean about port 2. Are you placing a link straight out to your DMZ? Normally everything goes out the main interface and "routes" out to your dmz.

  • AP HREAP NOT WORKING - NO DHCP, NO INTERNET ACCESS

    Current Setup
    WLC  > WAN < AP
    AP is in HREAP mode
    The Wireless SSID shows up at the remote site
    Clients can associate to the SSID on the AP (HREAP)
    But it's not handing out DHCP address
    From the AP (HREAP mode) I cannot ping the WLC (connected via WAN link)
    From the AP (HREAP mode) I cannot ping any network on the remote site.
    I can access the WLC remotely.
    From the WLC i can ping default gateway for the AP dhcp server
    From the WLC i cannot ping the AP
    On the WLC i cannot see any AP
    AP2-1262#show capwap reap association
    SSID: WirelessWLAN on Dot11Radio1
    bssid: f4ea.67c1.618e  Mode: 0x192, WLAN: 2 , VLAN name: 002   VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    SSID: WirelessWLAN on Dot11Radio0
    bssid: f4ea.67c1.6181  Mode: 0x192, WLAN: 2 , VLAN name: 002   VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    Please HELP
    Thanks!

    First off, make sure the h-reap AP is connected to a trunk port. The native VLAN on the trunk port should be the VLAN the AP management is on. Now on the WLAN SSID, make sure local switching is enabled in the advanced tab. Go to the h-reap AP and there is a tab on the top that says either h-reap or FlexConnect. Enter the native VLAN and hit apply. Go back to that page and click on VLAN mapping. Now set your WLAN SSID to the VLAN out at the remote site you want to put traffic on.
    If you want traffic to come back to the WLC, then you do not need to enable local switching in the WLAN's advanced tab. Your traffic will be tunneled back to the WLC and placed on the interface you choose in the WLAN general page.
    Sent from Cisco Technical Support iPhone App

  • AP HREAP NOT WORKING - NO DHCP, NO INTERNET

    Current Setup
    WLC > WAN < AP
    AP is in HREAP mode
    The Wireless SSID shows up at the remote site
    Clients can associate to the SSID on the AP (HREAP)
    But it's not handing out DHCP address
    From the AP (HREAP mode) I cannot ping the WLC (connected via WAN link)
    From the AP (HREAP mode) I cannot ping any network on the remote site.
    I can access the WLC remotely.
    From the WLC i can ping default gateway for the AP dhcp server
    From the WLC i cannot ping the AP
    On the WLC i cannot see any AP
    AP2-1262#show capwap reap association
    SSID: WirelessWLAN on Dot11Radio1
    bssid: f4ea.67c1.618e Mode: 0x192, WLAN: 2 , VLAN name: 002 VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    SSID: WirelessWLAN on Dot11Radio0
    bssid: f4ea.67c1.6181 Mode: 0x192, WLAN: 2 , VLAN name: 002 VLAN ID: 66
    Key Mgmt 12, Reap flags 0x1, Guest Yes, Current Users 0, Open Auth
    Please HELP
    Thanks!

    Kelly,
    Your post is confusing.
    1. How was your AP able to download its code if there was no connection to the WLC?
    An AP firstly gets an IP via DHCP or statically configured and then it searches for a WLC. If the AP doesn't see any WLC, it can never come up. The status lights will keep flashing red and orange.
    Since your clients have a layer 2 connection, then that means the AP is up and working with the connection to the WLC. Your problem is solely layer 3.
    Check your local VLAN mapping on the HREAP AP to ensure that the client VLAN is correct. Also check your routing table by using 2 commands on your router:
    1. show ip protocols
    2. show ip route

  • WLC 5508 8.0.100 AP dropout and fallback issue

    After the WLC upgrade to 8.0.100 [not in HA mode], the APs seem to be dropping out and reconnecting using the fallback to IP, in spite of the statically configured IP on the AP
    Running Outdoor mesh AIR-CAP1552E-N-K9 on WLC 5508
    (Cisco Controller) >show boot
    Primary Boot Image............................... 8.0.100.0 (default) (active)
    Backup Boot Image................................ 7.6.101.2
    =========
    Last AP disconnect details
    - Reason for last AP connection failure.................... The AP has been reset by the controller
    - Last AP disconnect reason................................ Unknown failure reason
    Last join error summary
    - Type of error that occurred last......................... Lwapp join request rejected
    - Reason for error that occurred last...................... No Mwar payload found in join request
    - Time at which the last join error occurred............... Dec 03 00:05:26.114
    AP disconnect details
    - Reason for last AP connection failure.................... The AP has been reset by the controller

    We downgraded the WLC to  7.4.121.0 and finally got rid of the DHCP problem
    But encountered a new issue
    The WGB once connected to the mesh AP does not reconnect to the network  , auth failure-   AIR-SAP1602E-Z-K9 running  - ap1g2-k9w7-mx.152-2.JB2
    Local EAP auth configured for WGB client on the WLC
    Looks more like the WGB stuck in a state , unable to negotiate its credentials
    Controller log
    *dot1xMsgTask: Mar 24 10:33:52.737: #DOT1X-3-WPA_SEND_STATE_ERR: 1x_kxsm.c:1404 Unable to send EAPOL-key msg  - invalid WPA state (0) - client f4:0f:1b:23:03:37
    Attached is the debug and client status from WLC
    Any  idea what is going on
    Thanks

  • WLC 5508 and remote site (DMVPN) Access Points

    Hi All,
    We just purchased a WLC 5508 and would like to know if it will control remote VPN site Access Points.  Here are the details:
    The 5508 will live at our home office.  We have multiple remote sites that are connected via Cisco's DMVPN.  Each site has one Cisco 1131 Access Point hanging off of either a Cisco 1841 or a 2811 that is using DMVPN back to the home office 2811.  Can the 5508 manage the remote Access Points?
    Thanks for your help guys!

    Are you talking about OfficeExtend?
    Cisco OfficeExtend
    https://www.cisco.com/en/US/solutions/collateral/ns340/ns517/ns430/solution_overview_c22-523307_ns348_Networking_Solution_Solution_Overview.html
    OfficeExtend supports 1130 & 1140 as long as you have the Wireless PLUS (WPLUS) Software.
    OfficeExtend Access Point
    http://www.cisco.com/en/US/docs/wireless/wcs/6.0/configuration/guide/6_0apcfg.html#wp1069890

  • Mesh & Remote AP with WLC

    Dears
    I have 4 WLCs; 3 are active and one is a backup controller, with AIR-LAP1522HZ-E-K9.
    So I need mesh technology, i.e. one RAP will be connected through Ethernet and 5 MAPs will be connected through wireless with a 100 meter radius and star topology. The RAP will be in the middle and the MAPs around the RAP, as per my understanding.
    I saw documentation in which we have to use the MAC filter option. But at the same time the RAP will act as a MAP. What are the options, like for the RAP we will say you are RAP and MAP, and for a MAP we will just instruct that you are MAP only and have to communicate with the RAP?
    Is there any step by step documentation or any suggestion from the forum?
    Can anyone suggest for Option 43 and Option 60? And what if we define DHCP on the WLC, do we need the options or not?
    For Remote Failover, which parameters do we have to consider?
    Second, I have to use AirMagnet. Can someone from the forum suggest?
    Advance Thanks to All

    Hi there!
    The first thing you need to do is put mac addresses of all the APs (RAP and MAPS) in the MAC filtering list of WLC (Using GUI is easier for this). Now you have to get ur APs registered to WLC first before you can declare them RAP or MAP (Default setting is MAP so u need to declare only RAP). There are many ways to get APs registered to the controller, I would share the following two:
    1. Priming the APs:
    Connect ur primary controller to a switch and connect all the APs (RAPs and MAPs) to the same subnet (preferably the same switch). Once you have put all the MACs in the WLC, the APs will join the controller in a few minutes. When an AP joins the controller, access it using the GUI of the controller and put in necessary information like controller IPs and gateway (if u intend to put ur RAP in a different subnet than the WLC). Save the configuration and reboot the APs. Repeat the procedure for all APs. Now the APs are ready to be placed in the network.
    2. Using DHCP option 43 and 60:
    This procedure is an alternate to priming. Here u prepare ur DHCP server before you connect ur APs in the network. You have to define a few strings and go through some steps. (cisco website has a very good documents available for the details)
    Answering ur question: you cannot define these DHCP options on the WLC. The reason is that when the AP boots for the first time, it needs to find the controller and by default it generates a request to the DHCP server on the network (see the AP booting sequence for details). When we configure DHCP option 43 and 60, we actually place the controller IP address in the DHCP messages for the APs to find the WLC. So configuring DHCP 43 on the WLC is just like calling someone on the phone to get one's phone number (in short, it won't work).
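The reply above says option 43 carries the controller IP address to the AP. As an added example (not part of the original post), the helper below builds and checks that value using the layout Cisco documents for lightweight APs: sub-option type 0xf1, one length byte, then each controller IPv4 address as four bytes. That layout is not stated in the thread; the function names and the 192.0.2.x / 198.51.100.x addresses are constructed. `unexpected_controllers` is the audit step: it flags any address in a captured option 43 value that is not on the approved WLC list.

```python
import ipaddress

# Sub-option type used for the controller list (Cisco documentation for
# lightweight APs; this value does not appear in the thread).
CISCO_SUBOPT_WLC = 0xF1


def encode_option43(controllers):
    """Return the option 43 value as a hex string for the given WLC IPs."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    value = b"".join(a.packed for a in addrs)
    if len(value) > 255:
        raise ValueError("too many controllers for a one-byte length field")
    return (bytes([CISCO_SUBOPT_WLC, len(value)]) + value).hex()


def decode_option43(hex_string):
    """Parse a hex option 43 value and return the controller IPs as strings.

    Accepts plain hex as well as dotted or colon-separated groupings.
    """
    raw = bytes.fromhex(hex_string.replace(".", "").replace(":", ""))
    if len(raw) < 2 or raw[0] != CISCO_SUBOPT_WLC:
        raise ValueError("not a 0xf1 controller sub-option")
    length, value = raw[1], raw[2:]
    if length == 0 or length % 4 or length != len(value):
        raise ValueError("length byte does not match a whole list of IPv4 addresses")
    return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, length, 4)]


def unexpected_controllers(hex_string, approved):
    """Return addresses offered in option 43 that are not approved WLCs."""
    approved_set = {ipaddress.IPv4Address(a) for a in approved}
    return [ip for ip in decode_option43(hex_string)
            if ipaddress.IPv4Address(ip) not in approved_set]


if __name__ == "__main__":
    # Constructed sample: two controllers on documentation addresses.
    value = encode_option43(["192.0.2.10", "192.0.2.11"])
    print(value, decode_option43(value))
    # Constructed capture that also offers an address outside the approved list.
    print(unexpected_controllers("f108c000020ac6336407", ["192.0.2.10"]))
```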

  • Cisco 4400 WLC - Accessing web gui remotely

    I know how to access the GUI from the service port. However, I am not able to access from Port 0. IPs have all been properly set. We have a management VLAN in our enterprise. I have configured the WLC management interface for an ip on that subnet. Port 0 is connected to a 3560G switch. I have set the switch port to be an access port to the management vlan and I have tried to set the switch port as a trunk, with the native vlan set to the management vlan. I am not able to ping nor access the web GUI remotely via the management vlan. Is this by design?
    Jeff

    Hi Jeff,
    Plz try to configure 0 as the VLAN on the management interface on the WLC after configuring the native VLAN on the switch, if you haven't tried it yet.
    command - config interface vlan management 0
    Note - you need to disable all WLANs that are mapped to the management interface before making any changes from the CLI.
    Hope it will solve your prob.
    Thanks

  • WLC "DHCP Option 82 Remote Id field format"

    On WLC, does "DHCP Option 82 Remote Id field format" show client hostname on wlc monitor

    Hi Jonathan with sub option 2, from your example D is the node identifier.
    When seeing the variable per connection type, I would give a safe assumption it is verbose padding the sub type 1.
    The verbose pad formatting for the packet should contain
    sub option
    length
    node identifier
    port type
    interface number
    vlan id
    For normal pad format it should contain
    sub option
    length
    circuit
    length
    vlan id
    interface number
    -Tom
    Please mark answered for helpful posts

  • Keep alive msgs duration of WLC and AP, minimum bandwidth required to register AP to WLC remotely

    What is the keep alive duration between a Cisco 1142 AP and a 5508 WLC? Are we able to increase it?
    How much bandwidth, at minimum, is required to register an AP which is in a remote branch?

    AP heart can be configured on WLC. Wireless >> Access Points >> Global Configuration >> High Availability >>
    H REAP WAN Considerations:
    http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080736123.shtml#WAN

  • Design Tradeoffs with Remote WLC vs HREAP

    Can anyone tell me what the rule of thumb is for deciding whether to place a controller in a remote office or going with HREAP there instead?
    Thanks
    Gene

    As long as your connection between the remote site and the WLC is less than 100ms then you can do HREAP. Else centralized location
    Here are some notes:
    Hybrid REAP Guidelines
    Keep these guidelines in mind when using hybrid REAP:
    • A hybrid-REAP access point can be deployed with either a static IP address or a DHCP address. In the case of DHCP, a DHCP server must be available locally and must be able to provide the IP address for the access point at bootup.
    • Hybrid REAP supports a 500-byte maximum transmission unit (MTU) WAN link at minimum.
    • Roundtrip latency must not exceed 100 milliseconds (ms) between the access point and the controller, and LWAPP control packets must be prioritized over all other traffic.
    • The controller can send multicast packets in the form of unicast or multicast packets to the access point. In hybrid-REAP mode, the access point receives multicast packets only in unicast form.
    • Hybrid REAP supports CCKM full authentication but not CCKM fast roaming.
    • Hybrid REAP supports a 1-1 network address translation (NAT) configuration. It also supports port address translation (PAT) for all features except true multicast. Multicast is supported across NAT boundaries when configured using the Unicast option.
    • VPN, IPSec, L2TP, PPTP, Fortress authentication, and Cranite authentication are supported for locally switched traffic, provided that these security types are accessible locally at the access point.
