Best Practices to Deploy High-Availability in Wireless LAN Architectures

Sujit Ghosh, Sr. Mgr. Technical Marketing, EISG


BRKEWN-3014

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
The new Normal

Session Objective

What is the acceptable network downtime?
< 1 second | minute | Minutes are ok

The goal of this session is to show you how to design and deploy a Highly Available wireless network to reduce the network downtime

Agenda
• High Availability (HA), the theory of operations:
• What to do at the Radio Frequency layer?
• Controller HA for different Deployment Modes:
• Centralised, FlexConnect, Mobility Express, Prime and MSE high availability

• HA Design and Deployment Practices


• Key takeaways

DNA ready Wireless Controller Portfolio
Tiers: Small Network (up to 100 APs) | Mid-size Enterprise (up to 3000 APs) | Large Enterprise (up to 6000 APs)

• Mobility Express: 50 APs/1000 Clients (AP 18xx); 100 AP/2000 Clients (AP2/3K)
• Cisco 3504: 150 APs, 3000 Clients, 4 Gbps
• Cisco 5520: 1500 APs, 20,000 Clients, 20 Gbps
• Cisco vWLC: 3000 APs, 32000 Clients, Flexconnect mode
• Cisco 8540: 6000 APs, 64,000 clients, 40 Gbps

Designed to be DNA Ready
Industry’s Most Comprehensive Indoor AP Portfolio:
Enterprise Class | Mission Critical | Best in Class

1815 (Indoor / High-powered Indoor Wall Plate / Teleworker)
• 2x2:2SS 80 MHz
• 867 Mbps Performance
• Tx Beam Forming
• Integrated BLE Gateway (1)
• Max Transmit Power (dBm) per local regulations (2)
• 3 GE Local Ports, including 1 PoE out (3)
• Local ports 802.1x ready (3)
• USB 2.0 (4)

1830
• 3x3:2SS 80MHz
• 867 Mbps Performance
• Tx Beam Forming
• 1 GE Port Uplink
• USB 2.0

1850
• 4x4:3SS 80MHz
• 1.7 Gbps Performance
• Internal or External Antenna
• Tx Beam Forming
• 2 GE Ports Uplink
• USB 2.0

2800
• 4x4:3SS 160 MHz
• 5 Gbps Performance
• 2.4 and 5GHz or Dual 5GHz
• 2 GE Ports Uplink
• CleanAir and ClientLink
• Internal or External Antenna
• Smart Antenna Connector
• USB 2.0

3800
• 4x4:3SS 160 MHz
• 5 Gbps Performance
• 2.4 and 5GHz or Dual 5GHz
• 2 GE Ports Uplink or 1 GE + 1 mGig (5G)
• CleanAir and ClientLink
• StadiumVision
• Internal or External Antenna
• Smart Antenna Connector
• USB 2.0
• Investment Proof Modularity

DNA Ready | RF Excellence | CMX | Centralised, FlexConnect or Mobility Express

Dual 5 GHz | Flexible Radio | HDX | Future Proof

Designed to be DNA Ready
Industry’s Most Comprehensive Outdoor AP Portfolio:
Models: 1540, 1560, 1570

New*

1540
• 802.11ac Wave 2, MU-MIMO
• 2x2:2, 80MHz, 867 Mbps
• Ultra low profile
• Internal antenna only
• PoE (802.3af) power
• Centralised, FlexConnect, Mesh and Mobility Express

1560
• 802.11ac Wave 2, MU-MIMO
• 3x3:3, 80MHz, 1.3Gbps (I)
• 2x2:2, 80MHz, 867Mbps (E/D)
• Internal or External antenna model (I/E)
• Internal directional antenna model (D)
• SFP
• Flexible Antenna Ports
• CleanAir and ClientLink
• Centralised, FlexConnect, Mesh and Mobility Express

1570
• 802.11ac Wave 1
• 4x4:3 80 MHz; 1.3 Gbps
• External antenna model (EAC)
• Cable Modem model (IC/EC)
• SFP/GPS
• PoE Out 802.3at (Ext Ant. only)
• Flexible Antenna Ports
• CleanAir and ClientLink
• Modularity (Ext Ant. only)
• Centralised, FlexConnect and Mesh
• Cable Modem Version Only (IC/EC): DOCSIS 3.0, 24x8; Internal or External antenna

DNA Ready | RF Excellence | CMX | 802.11ac Wave 2

Radio Frequency (RF) Considerations
802.11ac is Here!!

80 MHz channel

But it comes with a price

High Signal at the client for 256QAM

Radio Frequency (RF) High Availability
• RF HA is the ability to build redundancy at the physical layer
• What does it translate to in practice?
  • Creating a pervasive, stable, predictable RF environment (Proper Design, Site Survey, Radio Planning)
  • Dealing with coverage holes if an AP goes down (RF Management)
  • Identifying, Classifying, Mitigating an interference source (Spectrum Intelligence Solution)
  • Improving client (all clients!) received signal (Beamforming)
• BTW…Cisco has differentiating features/functionalities to address all these things

Radio Frequency (RF) High Availability
• Site Survey, site survey….and site survey
• Use “Active” survey
• Coverage vs. Capacity
• Consider Client type (ex. Smartphone vs. Laptop)

Speech bubbles on the slide (client point of view):
• “My power is half of my brother MacBook”
• “My antenna gain is 4 times smaller”
• “I try to connect to 5GHz and stay connected until the signal is REALLY bad”
• “and then move to another BSSID if it is REALLY better”

• AP positioning and antenna choice is Key


• Use common sense
• Light source analogy
• Internal antennas are designed to be mounted on ceiling
• External antennas: use same antennas on all connectors

• Tools
• What you use is less important than how you use it
• Use the same tool to compare results

RF High Availability: Cisco RRM
• What are Radio Resource Manager (RRM)’s objectives?
• Provide a system wide RF view of the network at the Controller (only Cisco!!)
• Dynamically balance the network and mitigate changes
• Manage Spectrum Efficiency so as to provide the optimal throughput under changing conditions

• What’s RRM
• DCA—Dynamic Channel Assignment
• TPC—Transmit Power Control
• CHDM—Coverage Hole Detection and Mitigation

• RRM best practices
  • RRM settings to auto for most deployments (High Density is a special case)
  • Design for most radios set at mid power level (level 3 for example)
  • Use RF Profiles to customise RRM settings per Areas/Groups of APs

RF High Availability: Cisco RRM
RRM DCA in action
• RRM will determine the optimal channel plan based on AP layout
• A rogue AP is detected on channel 11
• RRM will assess the RF and take a decision in less than 10min
• Channel change is triggered to improve the RF
• Note how the 3 non overlapping channels are still maintained!
• RRM has a RF system view. AP view would be limited and could result in sub-optimal RF plan

RF High Availability: Cisco RRM
RRM CHDM in action
CHDM = Coverage Hole Detection Mitigation
• RRM will determine the optimal Power plan based on AP layout
• Each client RSSI is tracked by AP and reported to WLC
• If an AP fails…
• CHDM algorithm kicks in and increases power of neighbouring cells within 90 secs
• Clients roam to new APs
• This happens if the CHDM conditions are met:
  • Clients are below the RSSI threshold
  • Min Failed client per AP (#3 default)
  • Coverage Exception Level per AP (25% by default)
  • Failed packets (number and %)
• These checks are needed to avoid false positives

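How the CHDM conditions listed above work together to suppress false positives, as an added example (not Cisco's RRM code). Only the 3-client and 25% defaults come from the slide; the RSSI and failed-packet thresholds, the AND-combination of the checks and all client data are assumptions or constructed values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChdmConfig:
    min_failed_clients: int = 3          # slide: "#3 default"
    exception_level_pct: float = 25.0    # slide: "25% by default"
    rssi_threshold_dbm: int = -80        # assumed value, not on the slide
    failed_packet_count: int = 10        # assumed value, not on the slide
    failed_packet_pct: float = 20.0      # assumed value, not on the slide


def client_failed(client, cfg):
    """A client counts as failed only if it is both weak and losing packets."""
    sent = client["tx_packets"]
    if sent == 0:
        return False                     # idle client: no evidence either way
    loss_pct = 100.0 * client["failed_packets"] / sent
    return (client["rssi_dbm"] < cfg.rssi_threshold_dbm
            and client["failed_packets"] >= cfg.failed_packet_count
            and loss_pct >= cfg.failed_packet_pct)


def coverage_hole(clients, cfg=ChdmConfig()):
    """Return (hole_detected, failed_client_names) for one AP's client list."""
    if not clients:
        return False, []
    failed = [c["name"] for c in clients if client_failed(c, cfg)]
    failed_pct = 100.0 * len(failed) / len(clients)
    hole = (len(failed) >= cfg.min_failed_clients
            and failed_pct >= cfg.exception_level_pct)
    return hole, failed


def make_clients(total, weak):
    """Constructed sample: `weak` clients at -86 dBm with 30% loss, rest healthy."""
    clients = []
    for i in range(total):
        bad = i < weak
        clients.append({"name": f"client-{i}",
                        "rssi_dbm": -86 if bad else -62,
                        "tx_packets": 200,
                        "failed_packets": 60 if bad else 2})
    return clients


def scenarios():
    """Four constructed cases; only the last-but-one should raise a coverage hole."""
    weak_but_clean = make_clients(total=4, weak=0)
    for c in weak_but_clean:             # low RSSI but almost no packet loss
        c["rssi_dbm"] = -88
    return {
        "one_sticky_client": coverage_hole(make_clients(10, 1))[0],   # count too low
        "three_of_twenty": coverage_hole(make_clients(20, 3))[0],     # 15% < 25%
        "four_of_twelve": coverage_hole(make_clients(12, 4))[0],      # 33% and >= 3
        "weak_but_clean": coverage_hole(weak_but_clean)[0],           # no failed packets
    }


if __name__ == "__main__":
    for name, hole in scenarios().items():
        print(f"{name}: coverage hole = {hole}")
```
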
RF High Availability: Cisco CleanAir
• Assess impact of interferences and proactively change channel when needed
• Hardware based Spectrum intelligence solution
• Only CleanAir ASIC based solution can reliably detect interference sources: 5 MHz scanning resolution (Wi-Fi chip) vs. 156 kHz scanning resolution (CleanAir)
• CleanAir
  • Hardware based Solution
  • 32 times WiFi chip’s visibility
  • Accurate classification
  • Multiple device recognition
• Best Practice: always turn it on on supported APs (all 802.11ac APs are CleanAir capable)

For more info: http://www.cisco.com/en/US/netsol/ns1070

RF High Availability: Cisco ClientLink
• Cisco ClientLink is Beamforming at the chip level:
  • Implemented in hardware, no software component, no performance degradation
  • ClientLink creates a better quality RF for all clients (a/g/n/c)
  • Do I need a 4x4 AP? Yes, and even more critical with 802.11ac
• Best practice: on by default

For more info: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps11983/at_a_glance_c45-691984.pdf

Maximise the Spectrum
Avoiding Excessive Management Traffic

• Always aim for 1 SSID
• More SSIDs = Worse Performance
• Why?
  • Each SSID requires a separate Beacon
  • Each SSID will beacon at the minimum mandatory data rate
  • Each broadcast SSID will respond to null probe requests
  • Exponential amounts of airtime wasted

Maximise the Spectrum
PHY Rate Tuning: Why PHY Rates Matter
• How fast can we talk?
• Signal (RSSI) and Noise are key factors
• As client moves further from AP or as noise worsens, client rate-shifts downward
• Lower rate, more airtime consumed
• 802.11ac Wave 2 example ~15’

Diagram: PHY rate rings around the AP (54Mbps, 48Mbps, 36Mbps, 24Mbps, 18Mbps).
• Client near AP: Higher PHY Rate, More Efficient (high signal-to-noise ratio)
• Client far from AP: Lower PHY Rate, Less Efficient (lower signal-to-noise ratio)

Maximise the Spectrum
PHY Rate Tuning: How-To Basics

• Position APs and antennas to allow elimination of low rates (i.e., <18mbps)
• Eliminate 802.11b rates
• Avoid disabling MCS rates
  • Disabling MCS rates, especially 0-7, can cause significant client issues

Remember the 3 Key RF Relationships!

Diagram: PHY rate rings around the AP (54Mbps, 48Mbps, 36Mbps, 24Mbps, 18Mbps).

RRM’s new Flexible Radio Assignment (FRA)

• Software Defined Radio role
  • Leverage XoR radio: 2.4 GHz and 5 GHz on the same silicon
  • Allows selection of 2.4 GHz or 5 GHz for serving clients (default is 2.4 GHz)
  • Allows Serial scanning of all 2.4 and 5 GHz channels (in monitor “WSM” Role)
  • Radio can act as a Sensor for the new Assurance solution
• Role selection is Manual or Automatic (RRM-FRA)

Supported on the Cisco Aironet 2800/3800 Series Access Points

http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-3/b_cisco_aironet_series_2800_3800_access_point_deployment_guide/b_cisco_aironet_series_2800_3800_access_point_deployment_guide_chapter_011.pdf

Flexible Radio Assignment (FRA) – Client Service Mode

• Very useful in High Density environments
• Manage the Flexible Radio Hardware
  • Evaluate Radios as potentially Redundant in 2.4 GHz
  • Determine best role for Flexible Radio
  • Assign Role
• Radio role determination and assignment is Automatic
• If set to manual, FRA calculates COF for manual assigned radios and Administrator can make role choices

FRA – Assignment Priority

1. 5GHz Serving + 2.4GHz Serving: Pervasive 2.4GHz and 5GHz coverage. Default operating Role. Coverage too dense – Mark Redundant
2. 5GHz Serving + 5GHz Serving: DCA will determine suitability, and If Unsuitable – then Monitor
3. 5GHz Serving + Wireless Security Monitor: Wireless monitoring of 2.4 and 5 GHz
4. 5GHz Serving + Wireless Sensor: One radio dedicated as a Sensor (not automatically configured)

Wireless Controller HA
Wireless Controller Deployment modes
Centralised
• Network: Campus LAN
• Control plane: Centralised; Data plane: Centralised
• Target positioning: Campus
• Purchase decision: Wireless Only
• High Availability: WLC SSO; Most complete solution
• Key points: Overlay solution; Full features

SD-Access Wireless
• Network: Fabric
• Control plane: Centralised; Data plane: Distributed
• Target positioning: Campus
• Purchase decision: Wired and Wireless
• High Availability: WLC SSO; MS/MR Redundancy
• Key points: Need Fabric capable edge devices (3k, 9k)

FlexConnect
• Network: WAN
• Control plane: Centralised; Data plane: Distributed
• Target positioning: Branch
• Purchase decision: Wireless only
• High Availability: Full RF HA; Client SSO when Local Switching
• Key points: Branch with WAN BW and latency requirements

Mobility Express
• Control plane: Distributed; Data plane: Distributed
• Target positioning: Branch
• Purchase decision: Wireless only
• High Availability: Uses VRRP to elect a new controller based on a set of priorities. Client SSO when local switching
• Key points: Deployments up to 100 APs

Centralised Mode HA

Client SSO
• Requirements: Minimum release: 7.5; 3504, 5500, 8500 series; L2 connection between boxes; Same HW and software; 1:1 box redundancy
• Benefits: Active Client State is synched; AP state is synched; No Application downtime; HA-SKU available

AP SSO (SSID stateful switchover)
• Requirements: Release: 7.3 and 7.4; 3504, 5500, 8500 series; Direct physical connection; Same HW and SW; 1:1 box redundancy
• Benefits: AP state is synched; No SSID downtime; HA-SKU available (> 7.4)

N+1 Redundancy (Deterministic/Stateless HA, a.k.a.: primary/secondary/tertiary)
• Requirements: Available on all controllers; Each Controller has to be configured separately
• Benefits: Crosses L3 boundaries; Flexible: 1:1, N:1, N:N; HA-SKU available (> 7.4)

Side label on the slide: Network Uptime

N+1 Redundancy
• Administrator statically assigns APs a primary, secondary, and/or tertiary controller
  • Assigned from controller interface (per AP) or Prime Infrastructure (template-based)
  • You need to specify Name and IP if WLCs are not in the same Mobility Group
• Pros:
  • Predictability: easier operational management
  • Support for L3 network between WLCs
  • Flexible redundancy design options: 1:1, N:1, N:N:1
  • WLCs can be of different HW and SW (*)
  • “Fallback” option in the case of failover
  • Can overload APs on controllers (using AP priority)
• Cons:
  • Stateless redundancy
  • More upfront planning and configuration

(*) AP will need to upgrade/downgrade code upon joining

Diagram: WLAN-Controller-A, WLAN-Controller-B and WLAN-Controller-C reach the Access Points over the IP Network. Each AP carries its own controller list:
• AP 1: Primary: WLAN-Controller-1, Secondary: WLAN-Controller-2, Tertiary: WLAN-Controller-3
• AP 2: Primary: WLAN-Controller-2, Secondary: WLAN-Controller-3, Tertiary: WLAN-Controller-1
• AP 3: Primary: WLAN-Controller-3, Secondary: WLAN-Controller-2, Tertiary: WLAN-Controller-1

N+1 Redundancy
Global backup Controllers

• Backup controllers configured for all APs under Wireless > High Availability
• Used if there are no primary/secondary/tertiary WLCs configured on the AP
• The backup controllers are added to the primary discovery response message to the AP

N+1 Redundancy
AP Failover mechanism: < 30-45 sec (*)
• When configured with Primary and backup Controllers:
  • AP uses CAPWAP heartbeats to validate current WLC connectivity
  • Upon losing a CAPWAP heartbeat to the Primary, AP sends 5 consecutive heartbeats every 3 seconds (default)
  • Configurable to minimum of 3 keepalive every 2 sec
  • If no reply, AP starts the join process to the first backup WLC candidate:
  • Backup is the first alive WLC in this order: primary, secondary, tertiary, global primary, global secondary.
• With N+1 Failover, AP goes back to discovery state just to make sure the backup WLC is UP and then immediately starts the JOIN process
• With N+1, AP periodically checks for Primary to come back online and falls back to it (AP fallback can be disabled)

(*) With Fast Heartbeat and minimum values for keepalive

Diagram (AP state machine labels): AP Boots UP, Reset, Discovery, DTLS Setup, Join, Image Data, Config, Run; "WLC failure detected" leads back to Discovery.

N+1 Redundancy
AP Fast Heartbeat: < 30-45 sec (*)

• Fast Heartbeats lower the amount of time it takes to detect Primary controller failure
• How Fast Heartbeat works
  • AP sends these packets, by default every 1 sec
  • When the fast heartbeat timer expires, the AP sends 3 fast echo requests to the WLC, 3 times (configurable)
  • If no response, primary is considered dead and the AP selects an available controller from its “backup controller” list in the order of primary, secondary, tertiary, primary backup controller, and secondary backup controller.
• Fast Heartbeat supported for Local and Flex mode

N+1 Redundancy
AP Primary Discovery Request Timer
• The access point periodically sends primary discovery requests to the Primary
WLC to know when it is back online. Default is 120 sec.
• If AP Fallback is enabled (default), the AP automatically joins back the Primary
controller

N+1 Redundancy
AP Failover Priority
• Assign priorities to APs: Critical, High, Medium, Low
• Critical priority APs get precedence over all other APs when joining a controller
• In a failover situation, a higher priority AP will be allowed to join ahead of all other APs
• If backup controller doesn’t have enough licenses (ex. multiple Primary WLCs fail), existing lower priority APs will be dropped to accommodate higher priority APs

Diagram: a Critical AP (AP Priority: Critical) fails over to an Overloaded Controller, and a Medium priority AP (AP Priority: Medium) is dropped.

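The N+1 behaviour described on the failover and AP-priority slides above, modelled as an added example (not Cisco code): each orphaned AP picks the first alive controller in the documented order, higher-priority APs join first, and a full backup controller drops its lowest-priority AP to admit a higher-priority one. Controller names, license counts, AP names, the name-based tie-break and the rule that a rejected AP does not retry another controller are assumptions of this model.

```python
from dataclasses import dataclass, field

# Candidate order and priority names come from the slides; everything else
# (controller names, license counts, AP names) is constructed sample data.
CANDIDATE_ORDER = ("primary", "secondary", "tertiary",
                   "global_primary", "global_secondary")
PRIORITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Controller:
    name: str
    licenses: int
    alive: bool = True
    joined: dict = field(default_factory=dict)   # AP name -> priority

    def admit(self, ap_name, priority):
        """Try to join an AP. Returns (accepted, dropped_ap_or_None)."""
        if len(self.joined) < self.licenses:
            self.joined[ap_name] = priority
            return True, None
        # Controller is full: find the lowest-priority AP already joined.
        # Tie-break by name is an assumption; the slides do not specify one.
        victim = min(self.joined,
                     key=lambda n: (PRIORITY_RANK[self.joined[n]], n))
        if PRIORITY_RANK[self.joined[victim]] < PRIORITY_RANK[priority]:
            del self.joined[victim]
            self.joined[ap_name] = priority
            return True, victim
        return False, None


def retry_window_seconds(retries=5, interval=3):
    """Heartbeat retry phase only (default 5 x 3 s), not the full downtime."""
    return retries * interval


def select_backup(ap_cfg, global_cfg, controllers):
    """First alive WLC in the slide's order, or None if none is reachable."""
    merged = {**global_cfg, **ap_cfg}
    for slot in CANDIDATE_ORDER:
        name = merged.get(slot)
        if name and controllers[name].alive:
            return name
    return None


def fail_over(aps, global_cfg, controllers):
    """Re-home every AP whose current WLC is down, highest priority first."""
    report = {"joined": {}, "dropped": [], "rejected": []}
    orphans = [ap for ap in aps if not controllers[ap["current"]].alive]
    orphans.sort(key=lambda ap: -PRIORITY_RANK[ap["priority"]])
    for ap in orphans:
        target = select_backup(ap["wlc"], global_cfg, controllers)
        if target is None:
            report["rejected"].append(ap["name"])
            continue
        accepted, dropped = controllers[target].admit(ap["name"], ap["priority"])
        if accepted:
            report["joined"][ap["name"]] = target
        else:
            report["rejected"].append(ap["name"])
        if dropped:
            report["dropped"].append(dropped)
    return report


def demo():
    """Two primaries fail at once; the 3-license backup is oversubscribed."""
    controllers = {
        "WLC-1": Controller("WLC-1", licenses=10, alive=False),
        "WLC-2": Controller("WLC-2", licenses=10, alive=False),
        "WLC-BKP": Controller("WLC-BKP", licenses=3,
                              joined={"lobby-ap": "low"}),
    }
    global_cfg = {"global_primary": "WLC-BKP"}
    aps = [
        {"name": "office-ap", "priority": "medium", "current": "WLC-1",
         "wlc": {"primary": "WLC-1", "secondary": "WLC-BKP"}},
        # No usable per-AP backup: falls through to the global primary.
        {"name": "er-ap", "priority": "critical", "current": "WLC-1",
         "wlc": {"primary": "WLC-1", "secondary": "WLC-2"}},
        {"name": "cafe-ap", "priority": "low", "current": "WLC-2",
         "wlc": {"primary": "WLC-2", "secondary": "WLC-BKP"}},
        {"name": "ward-ap", "priority": "high", "current": "WLC-2",
         "wlc": {"primary": "WLC-2", "secondary": "WLC-1",
                 "tertiary": "WLC-BKP"}},
    ]
    return fail_over(aps, global_cfg, controllers), controllers


if __name__ == "__main__":
    print(demo()[0])
```

Running the model during capacity planning shows which APs lose service when several primaries fail together, which is the case the slide flags for AP priority.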
N+1 Redundancy: < 30-45 sec (*)
Typical Design

• Most common Design is N+1 with Redundant WLC in a geographically separate location
• Can provide 30-45 sec of downtime when using faster heartbeat to detect failure
• Use AP priority in case of over subscription of redundant WLC

Diagram: WLC-BKP sits in a Geo separated DC; the Primary Buildings each have a WLAN-Local controller and reach WLC-BKP over the IP network. APs Configured With: Primary: WLAN-Local, Secondary: WLC-BKP

For more info: http://www.cisco.com/c/en/us/td/docs/wireless/technology/hi_avail/N1_High_Availability_Deployment_Guide/N1_HA_Overview.html

Wireless Controller HA
Centralised Mode – Stateful Switch Over (SSO)
Stateful Switchover (SSO): < 1 sec
• True Box to Box High Availability i.e. 1:1
  • One WLC in Active state and second WLC in Hot Standby state
  • Secondary continuously monitors the health of Active WLC via dedicated link
• Configuration on Active is synched to Standby WLC
  • This happens at startup and incrementally at each configuration change on the Active
• What else is synched between Active and Standby?
  • AP CAPWAP state in 7.3 and 7.4: APs will not restart upon failover, SSID stays UP – AP SSO
  • Client in “RUN”/active state in 7.5: client will not disconnect – Client SSO
• Downtime during failover is greatly reduced:
  • 2 - 100 msec for a box failover (Active WLC crashes, system hangs, manual reset or forced switch-over)
  • 350-500 msec in the case of power failure on the Active WLC (no direct command for switchover is possible)
  • Few seconds in the case of network failover (gateway not reachable)

Diagram: Active Controller (RP 1) connected over an L2 network to the Hot Stand-by Controller (RP 2)

https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-1/HA_SSO_DG/High_Availability_DG.html

Stateful Switchover (SSO)
Pairing the boxes
• HA Pairing is possible only between the same type of hardware and software versions
• 3500/5500/8500 have dedicated Redundancy Ports
  • Direct connection supported in 7.3 and 7.4
  • L2 connection supported in 7.5 and above
• WiSM-2 has dedicated Redundancy VLAN
  • Redundancy VLAN should be a non-routable VLAN
  • WISM-2 can be deployed in single chassis OR multiple chassis
  • WISM-2 in multiple chassis needs to use VSS (7.3, 7.4)
  • WISM-2 in multiple chassis can be L2 connected in 7.5 and above
• Requirements for L2 connection: RTT Latency: < 80 ms; Bandwidth: > 60 Mbps; MTU: 1500

Diagram: Active Controller (RP 1), L2 network (7.5), Hot Stand-by Controller (RP 2)

Stateful Switchover (SSO)
Failover sequence
1. Redundancy role negotiation and config sync
2. APs associate with Active controller
3. Client associates with Active through AP
4. Active failure: notify peer / or missing keep alive
5. Standby WLC sends out GARP
6. Standby becomes Active:
   • AP DB and Client DB (7.5) is already synced with standby controller
   • AP CAPWAP tunnel session intact
   • Client session intact, client does not re-associate*

Effective downtime for the client is:
Detection time + Switchover time + (client association if AP SSO)

Legend: Capwap tunnel: AP SSO – 7.3; Client Session: *Client SSO – 7.5

Diagram: ACTIVE and STANDBY controllers attached to the campus core, with APs at the Campus Access layer; the Standby sends GARP and becomes ACTIVE.

Stateful Switchover (SSO)
What’s the impact on client applications?

• Ping: May lose one ping
• VoIP Call: Voice call stays up
• MS Lync: No session drop
• Citrix VDI: No impact

video: https://www.youtube.com/watch?v=If5F7eZkC3w

WLC3504 Series Wireless LAN Controller
Industry’s first Wireless LAN Controller with Multigigabit Ethernet

Access Points 150 in Centralised mode

Clients 3000 in Centralised mode

Throughput 4Gbps

HA Support Dedicated RP for HA SSO

Service Support Dedicated SP

Form factor Side by Side Primary/HA rack mount (1 RU)

I/O interface mGig + 4x1GE, USB

Console: RJ45, mini USB

Compact (1 RU) | mGig ready | Dedicated RP/SP ports | HA SSO | Side by Side rack mount

Stateful Switch Over (SSO)
Redundancy Management Interface
• Redundancy Management Interface (RMI)
• To check gateway reachability sending ICMP packets every 1 sec
• Peer reachability once the Active does not respond to Keepalive on the Redundant Port
• Notification to standby in event of box failure or manual reset
• Communication with Syslog, NTP, TFTP server for uploading configurations
• Must be in same subnet as Management Interface. From 8.0 the Management VLAN needs to be tagged

Stateful Switchover (SSO)
Redundancy Port
• Redundancy Port (RP):
• Active/Standby role negotiation
• Configuration synch from Active to Standby (bulk and incremental configuration)
• Peer reachability sending UDP keep alive messages every 100 msec
• Notification to standby in event of box failure
• Time synch with peer, if NTP not available
• Auto generated IP Address where last 2 octets are picked from the last 2 octets of RMI

Stateful Switchover (SSO)
Configuration (For Your Reference)
• Management interfaces on both WLCs must be on the same subnet
• Mandatory Configuration for HA setup:
  • Redundant Management IP Address
  • Peer Redundant Management IP Address
  • Redundancy Mode set to SSO enable (7.3 and 7.4 would show AP SSO)
  • Primary/Secondary Configuration – Required if peer WLC’s UDI is not HA SKU
  • The Primary HA must have valid AP licenses
  • Unit can be secondary if it has at least 50 AP (5508) permanent licenses (no restrictions for other WLCs)
• Optional Configuration:
  • Service Port Peer IP
  • Mobility MAC Address
  • Keep Alive and Peer Search Timer

Wireless Controller HA
FlexConnect Mode
FlexConnect quick recap....

• Control plane, two modes of operation:
  • Connected (when WLC is reachable)
  • Standalone (when WLC is not reachable)
• Data Plane can be:
  • Centralised (split MAC architecture) switching
  • Local (local MAC architecture) switching
• Traffic Switching mode is configured per AP and per SSID
  • From 7.3 split tunnelling is supported on a WLAN basis
• FlexConnect Group:
  • Defines the Key caching domain for Fast Roaming, allows backup Radius scenarios
• WAN recommendations:
  • Minimum bandwidth 24 kbps per AP
  • Round trip latency no greater than 300 ms for data deployments and 100 ms for data + voice deployments

Diagram: Central Site WLCs (Centralised Traffic), WAN, Remote Office (Local Traffic)

FlexConnect HA
FlexConnect Local Switching
• Limitations: L2 roaming; Flex Groups for AAA Local Auth.; Fault Tolerance: Identical configuration on N+1 controllers
• Benefits: Upon WLC failure AP stays up and clients are not disconnected; Equivalent to Client SSO; AAA survivability available

FlexConnect Central Switching
• Limitations: Same as Centralised mode
• Benefits: Same as Centralised mode

For more info: http://www.cisco.com/en/US/products/ps11635/products_tech_note09186a0080b7f141.shtml

FlexConnect
WAN Failure (or single central WLC failure)
• HA considerations:
  • Disconnection for centrally switched SSIDs clients
  • No impact for connected clients on locally switched SSIDs
  • Fast roaming allowed within FlexConnect group for already connected clients
• What about new clients?
  • Static keys are locally stored in FlexConnect AP: new clients can join if authentication is PSK
  • Can design for AAA survivability (see next slides)
• Lost features
  • RRM, CleanAir, WIDS, Location, other AP modes
  • Web authentication, NAC

Diagram: Central Site, WAN, Remote Site with Application Server. Legend: Centrally switched traffic, Locally switched traffic.

FlexConnect
WLC failure with Deterministic N+1 HA

• HA considerations:
  • Disconnection for centrally switched SSIDs clients
  • No impact for connected clients on locally switched SSIDs
• FlexConnect AP transitions to Standalone and then to Connected when it joins the Secondary
• When in Standalone mode, Fast roaming is allowed within the FlexConnect Group
• Fault Tolerant: upon re-syncing with Secondary, client sessions for local traffic are not impacted, provided that the configuration on the WLCs is identical

Diagram: Central Site with Primary and Secondary WLCs, WAN, Remote Office with Application Server. Legend: Centrally switched traffic, Locally switched traffic.

FlexConnect
WLC failure scenario with SSO
• HA considerations:
  • No impact for locally switched SSIDs
  • Disconnection of centrally switched SSIDs clients with AP SSO
  • No/minimal impact for centrally switched client with Client SSO (7.5 and above)
• FlexConnect AP will NOT transition to Standalone because SSO kicks in
• AP will continue to be in Connected mode with the Standby (now Active) WLC

Diagram: Central Site with Active and Standby WLCs, WAN, Remote Office with Application Server. Legend: Centrally switched traffic, Locally switched traffic.

FlexConnect AAA Survivability
AAA Server Backup
• By default authentication is done centrally in connected mode
• Backup AAA servers are configured at FlexConnect Group level
• When WLC/WAN fails, AP goes in Standalone mode
• In Standalone mode, the AP can be configured to authenticate new clients with backup RADIUS defined locally at the AP
• Upon WAN/WLC failure:
  • Existing connected clients stay connected
  • New clients are authenticated to the locally defined AAA

Diagram: Central Site with Central RADIUS, WAN, Remote Office with Backup RADIUS inside the FlexConnect Group. Legend: Central authentication traffic, Local authentication traffic.

FlexConnect AAA Survivability
AAA Server Backup Configuration (For Your Reference)
• Define primary and secondary local backup RADIUS server under FlexConnect Group configuration

FlexConnect AAA Survivability
FlexConnect Local Auth
• By default FlexConnect AP authenticates clients through central controller when in Connected mode
• This feature allows AP to act as an Authenticator even in Connected mode
• AAA servers are defined at the FlexGroup level
• Useful HA scenarios:
  • Independent branch: AAA is local at the branch, no AAA traffic goes through WAN
  • WLC goes down but WAN is up. Local users are authenticated from AP to Central site AAA

Diagram: Central Site with Central RADIUS, WAN, Remote Office with Local RADIUS. Legend: Central authentication traffic, Local authentication traffic.

FlexConnect AAA Survivability
FlexConnect Local Auth: configuration (For Your Reference)

FlexConnect AAA Survivability
AAA Server on AP
• By default authentication is done centrally in connected mode
• When WLC/WAN fails AP goes in Standalone mode
• In Standalone, the AP can act as a AAA server
  • EAP-FAST, LEAP, PEAP*, EAP-TLS* and a max of 100 clients supported
• Upon WAN/WLC failure:
  • Existing connected clients stay connected
  • New clients are authenticated to the locally defined AAA

* 7.5 Code and above

Diagram: Central Site with Central RADIUS, WAN, Remote Site. Legend: Central authentication traffic, Local authentication traffic.

FlexConnect
AAA server on AP - Configuration (For Your Reference)
• Check “Enable AP Local Auth” under the FlexConnect Group “General” tab
• Under the “Local Authentication” tab:
  • Define EAP parameters (LEAP, EAP-FAST, PEAP, EAP-TLS)
  • Define users (max 100) and passwords

Wireless Controller HA
Mobility Express
Mobility Express
Failure of Access Point running the controller function
• Controller and APs in the same L2 broadcast domain. Based on FlexConnect architecture. Support central authentication and local switching for clients
• HA considerations:
  • No impact for connected clients on locally switched SSIDs
  • Fast roaming allowed within FlexConnect group for already connected clients
• What about new clients?
  • Static keys are locally stored in FlexConnect AP: new clients can join if authentication is PSK
• Lost features
  • RRM, CleanAir
  • Web authentication

Mobility Express
Failure of Access Point running the controller function
• Election of a new controller using VRRP
  • Heartbeat exchanged every 10s with Master AP
  • After 3 missed heartbeats, master election is initiated and all Mobility Express capable APs participate in Master Election
  • APs fall into standalone mode while Master Election is in progress and, within the next 30s, a new Master is elected
  • Standalone Access Points join the newly elected master and go to connected mode

• Election Priorities
  • Most capable Access Points. 3800 > 2800 > 1800.
  • Access Point with least client load
  • In case of tie, election based on lowest MAC Address
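
The failure detection and election ordering listed above, as an added Python example (not Cisco's implementation and not code from the slides). The Candidate fields, AP names and sample MAC addresses are constructed, and treating any AP series outside the 3800/2800/1800 ordering as ineligible is an assumption.

```python
import re
from dataclasses import dataclass

HEARTBEAT_INTERVAL_S = 10      # slide: heartbeat every 10 s
MISSED_BEFORE_ELECTION = 3     # slide: election after 3 missed heartbeats
# Slide ordering 3800 > 2800 > 1800; the lower rank value wins.
CAPABILITY_RANK = {"3800": 0, "2800": 1, "1800": 2}


@dataclass(frozen=True)
class Candidate:
    name: str      # hypothetical AP name
    series: str    # AP series, e.g. "3800"
    clients: int   # currently associated clients
    mac: str       # any common MAC notation


def mac_to_int(mac):
    """Turn aa:bb:.., aa-bb-.. or aabb.ccdd.eeff into an integer.

    Comparing the raw strings would rank separators and letter case,
    not the address, so "lowest MAC" must be decided numerically.
    """
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def election_due(last_heartbeat, now):
    """True once three full heartbeat intervals have passed unanswered."""
    missed = int((now - last_heartbeat) // HEARTBEAT_INTERVAL_S)
    return missed >= MISSED_BEFORE_ELECTION


def election_key(c):
    # Priority order from the slide: capability, client load, lowest MAC.
    return (CAPABILITY_RANK[c.series], c.clients, mac_to_int(c.mac))


def elect_master(candidates):
    """Return the winning candidate, or None if no AP is eligible."""
    # Assumption: a series missing from CAPABILITY_RANK cannot be master.
    eligible = [c for c in candidates if c.series in CAPABILITY_RANK]
    return min(eligible, key=election_key) if eligible else None


# Constructed sample data, not taken from the slides.
SAMPLE_APS = [
    Candidate("ap-lobby", "2800", 0, "00:00:5e:00:53:01"),
    Candidate("ap-floor1", "3800", 12, "00:00:5E:00:53:20"),
    Candidate("ap-floor2", "3800", 5, "00-00-5e-00-53-1f"),
    Candidate("ap-floor3", "3800", 5, "0000.5e00.5310"),
    Candidate("ap-legacy", "3700", 0, "00:00:5e:00:53:00"),  # not in rank table
]

if __name__ == "__main__":
    print(election_due(last_heartbeat=100.0, now=130.0))
    print(elect_master(SAMPLE_APS).name)
```

The two 3800s with five clients differ only by MAC address, written in different notations; a plain string comparison would pick the wrong one, which is why the key normalises the address first.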

Master Election Process

[Diagram: a MASTER AP elected among a mix of access points (models shown: AIR-AP1852I-B-K9, AIR-AP2802I-B-K9, AIR-AP3802I-B-K9, AIR-AP13702I-B-K9, AIR-AP3702E-B-K9, AIR-AP2702I-B-K9). Criteria shown, in order: Most capable Access Point (1850 vs. 1830), Least Client Load, Lowest MAC address]

Management and Mobility Services HA
Prime and MSE HA
Prime and MSE HA
Prime HA
  Requirements:
  • Active / Standby (1:1) mode
  • Same software & hardware
  • Minimum failover time is 15 s
  • PI 2.2 supports Virtual IP (VIP)
  • HA SKU from PI 2.0 and later
  Benefits:
  • No database loss upon failover
  • Failover Automatic or Manual
  • Failback is always manual
  • No AP licenses on Secondary
  • Supported across WAN

MSE HA
  Requirements:
  • Active / Standby (1:1) mode
  • Same software and hardware
  • Same subnet only (no WAN)
  • Release 8.0 recommended
  Benefits:
  • HA for all Services supported
  • Failover times < 1 min
  • No HA licenses needed
  • No licenses on Secondary
  • Failover Automatic or Manual

CMX HA
  Requirements:
  • Active / Standby (1:1) mode
  • Same software and hardware
  • Same subnet only (no WAN)
  • From CMX 10.3
  Benefits:
  • HA for all Services supported
  • No HA licenses needed
  • No licenses on Secondary
  • Failover Automatic or Manual

CMX HA Overview
• CMX 10.3 is the first release supporting HA with CMX
• Only 2 Box HA is supported with one active and one passive server.
• Prerequisites:
  • Both machines need to be of the same size (same size VM or same physical machine)
  • The CMX software version on both of them should be the same.
  • They must be on the same subnet.
• System uses a heartbeat (and, optionally, a Virtual IP) and checkpointing between two systems, active and standby.
• Failover time about 7 mins

Enable HA from CMX Web Interface
• In CMX navigate to the System tab and click the Settings icon. This will display a modal dialog with a
variety of settings in CMX. Select the High Availability option to display the options required to enable
High Availability.

CMX HA Upgrade
• CMX can NOT be upgraded to a new software release while high availability is enabled. With a high availability setup do the following:
  1. Disable High Availability.
  2. CMX can now be upgraded on the secondary and primary servers. The recommendation is to upgrade the secondary first. Once a successful upgrade has completed the primary can be upgraded. Both servers can be upgraded in parallel if desired.
     • Upgrade Secondary Server
     • Upgrade Primary Server
  3. Enable High Availability

HA Design and Deployment Practices
HA Design and Deployment Practices
Connecting an AP to the wired network

Recommendations:
• Create redundancy throughout the access layer by homing APs to different switches
• If the AP is in Local mode, configure the port as access with STP PortFast, BPDU guard, etc.
• If the AP is in Flex mode and Local Switching, configure the port as trunk and allow only the VLANs you need

HA Design and Deployment Practices
Connecting a Controller to the wired network: options

1) To a single Modular Switch or StackWise
• Use Trunk EtherChannel(EC)/LAG
• Trunk only the required VLANs to the Controller
• 2/4/8 ports in a bundle to optimise load sharing
• Spread ports across Line Cards/Stack members

2) To a VSS pair
• Same as Option 1
• Spread ports across VSS members

[Diagrams: WLC connected to a Modular Switch/Stack; WLC connected to a VSS pair]

Connecting a Controller to the wired network
Single AireOS Controllers (3500/5500/8500)
Option 1: to single Modular Switch or StackWise

• Identical configuration on WLC and switch side (EC mode, trunk mode, allowed VLANs, native VLAN, etc.)
• EC mode: only mode “ON” supported; no LACP, PAgP
• EC load-balancing: no restriction for 3500/5500/8500
  • Recommended to include L3 and L4 port for better hash results
• EC load-balancing for WISM2:
  • Need to set the EC load balancing method on the switch to “src-dest-IP”. Use CLI “port-channel load-balance src_dest_ip”
• Note: no STP supported on AireOS Controllers. Do not disable it on switch side. Use “spanning-tree portfast trunk”

[Diagram: Distribution Layer Switch/Stack connected by a trunk port-channel to the AireOS based WLC]

Connecting a Controller to the wired network
Single AireOS Controllers (3500/5500/8500)
Option 1: to single Modular Switch or StackWise

• Identical configuration on WLC and switch side (EC mode, trunk mode, allowed VLANs, native VLAN, etc.)
• EC mode: only mode “ON” supported; no LACP, PAgP
• EC load-balancing: no restriction for 5508/2500/7500/8500
  • Recommended to include L3 and L4 port for better hash results
  • On the switch use: “port-channel load-balance src-dst-mixed-ip-port”
• EC load-balancing for WISM2:
  • Need to set the EC load balancing method on the switch to “src-dest-IP”. Use CLI “port-channel load-balance src_dest_ip”
  • For Catalyst 6500 with PFC3 use “port-channel load-balance src-dst-ip exclude vlan” (command supported in 12.2(33)SXH6 and 12.2(33)SXI3 and above)
• Note: no STP supported on AireOS Controllers. Do not disable it on switch side. Use “spanning-tree portfast trunk”

Switch-side configuration shown on the slide:

    port-channel load-balance src-dst-mixed-ip-port
    !
    interface GigabitEthernet1/0/1
     description to_WLC-1
     switchport trunk encapsulation dot1q
     switchport trunk allowed vlan 10,11,20,30,40
     switchport mode trunk
     channel-group 1 mode on
     spanning-tree portfast trunk

[Diagram: Distribution Layer Switch/Stack connected by a trunk port-channel to the AireOS based WLC]

Connecting a Controller to the wired network
Option 2: to a VSS pair
Recommended Network Design

• Single LAG to the VSS pair
• Spread ports across VSS pair
• In case of failure of Primary switch traffic continues to flow through Secondary switch in the VSS pair
• Same recommendations given for Option 1 also apply

[Diagram: Catalyst VSS Pair connected by a trunk port-channel to the WLC]

Design & Deployment Practice

Connecting a Controller HA pair


HA Design and Deployment Practices
Connecting AireOS HA Pair to the wired network
Option 1: to single Modular Switch or StackWise

• The HA pair of AireOS WLCs should be considered as separate WLCs with the same exact configuration
• Ports on both WLCs are UP but only the ones on the Active WLC are forwarding data traffic
• On WLC side: connect the same physical ports to the network, for ex.: port 1-4 on WLC1 and port 1-4 on WLC2
• On switch side the configuration has to be the same. If using LAG, for example, two Port-channels should be used with the same configuration (same mode, same VLANs, same native, etc.)
• General recommendations for Option 1 AireOS WLC also apply

[Diagram: Single Switch or stack with trunk port-channels Po 1 and Po 2 (same configuration on both) to the AireOS Active WLC and the AireOS Standby WLC, with an L2 link between the two WLCs]

HA Design and Deployment Practices
Connecting AireOS HA Pair to the wired network
Option 2: to VSS pair
Recommended Network Design

• Use EC from each WLC to Distribution VSS
• Spread the links in each EC among the two physical switches: this will prevent a WLC switchover upon a failure of one of the VSS switch
• Same considerations for connecting to a single Distribution switch apply
• General recommendations for Option 1 AireOS WLC also apply

[Diagram: Catalyst VSS Pair with trunk port-channels Po 1 and Po 2 (same configuration on both) to the AireOS Active WLC and the AireOS Standby WLC, with an L2 link between the two WLCs]

HA Design and Deployment Practices
Connecting AireOS HA Pair to the wired network
Option 3: to Pair of Distribution switches

• Use ECs to connect to Distribution switches
• Same exact configuration on both Dist. switches
• Use same physical ports on the WLCs
• Layer 2 between the distribution switches for the Wireless VLANs
• Use STP on the Distribution switches

[Diagram: two Distribution Layer Switches joined at Layer 2, with port-channels Po 1 and Po 2 to the AireOS Active WLC and the AireOS Standby WLC, and an L2 link between the two WLCs]

HA Design and Deployment Practices
Campus
HA Design and Deployment Practices
Campus
• What is the acceptable downtime for your business applications?
  • Are 30 sec to a few minutes ok? Go with N+1 to have more deployment flexibility
  • No downtime? Go with AireOS Stateful Switchover

• SSO: what is the downtime to upgrade a HA pair and how to minimise it?

HA Design and Deployment Practices
Upgrading an SSO Pair - standard procedure

1. Download the new code on Active
2. Code transferred to Standby: Do NOT reboot at this time!
3. Pre-download software on APs

[Diagram: Active and Standby WLCs and the APs connected over Campus/WAN CAPWAP tunnels; image versions shown: 7.6 and 8.0]

HA Design and Deployment Practices
Upgrading an SSO Pair - Standard procedure

1. Download the new code on Active
2. Code transferred to Standby
3. Pre-download software on APs
4. Swap the images on APs
5. Reboot the HA pair
  • APs will reboot and join when Active is UP

Total Network Downtime: Time for HA pair to reboot + the APs to join
5min:12sec with fully loaded 5508 (500 APs/7000 clients)

[Diagram: Active and Standby WLCs and the APs connected over Campus/WAN; image versions shown: 7.6 and 8.0]

HA Deployment Best Practices
Upgrading an SSO Pair – Efficient procedure using N+1

1. Download the new code on Active
2. Code transferred to Standby. Do NOT reboot at this time!
3. Pre-download software on AP Group

[Diagram: Active and Standby WLCs, a backup WLC and an AP Group connected over Campus/WAN CAPWAP tunnels; image versions shown: 8.3 and 8.5]

HA Deployment Best Practices
Upgrading an SSO Pair – Efficient procedure using N+1

1. Download the new code on Active
2. Code transferred to Standby. Do NOT reboot at this time!
3. Pre-download software on AP Group and swap the image

[Diagram: Active and Standby WLCs, a backup WLC and an AP Group connected over Campus/WAN CAPWAP tunnels; image versions shown: 8.2, 8.3 and 8.5]

HA Deployment Best Practices
Upgrading an SSO Pair – Efficient procedure using N+1

1. Download the new code on Active
2. Code transferred to Standby. Do NOT reboot at this time!
3. Pre-download software on AP Group and swap the image
4. Configure APs to join the backup controller
  • This can be automated using Prime
5. The APs join the backup WLC
  • Downtime is per AP Group
  • It can be isolated per area

[Diagram: Active and Standby WLCs, a backup WLC and an AP Group connected over Campus/WAN CAPWAP tunnels; image versions shown: 8.2, 8.3 and 8.5]

HA Deployment Best Practices
Upgrading an SSO Pair – Efficient procedure
When all the APs are moved to backup:

7. Reboot the HA pair
8. Move the APs back to the HA pair
  • This can be automated via Prime and done per area
9. APs will join the Active WLC WITHOUT rebooting because code is same
  • Downtime here is 30 sec per Area

Longer Network Downtime: Time for the APs to move to backup WLC with reboot: 3min
Main Advantage: No system-wide outage. The downtime is per AP Group or per Area

[Diagram: Active and Standby WLCs, a backup WLC and the APs connected over Campus/WAN; image versions shown: 8.3 and 8.5]

HA Design and Deployment Practice - Rolling AP Upgrade
Rolling AP Upgrade with Prime v3.3

Prerequisite: Upgrade the Secondary (N+1) WLC

Workflow:
1. Place AP’s in the “Upgrade Groups”
2. Pre-Download Images for WLC and AP’s
3. Pick “Upgrade Groups” of AP’s one at a time and point this to the Secondary WLC
4. AP’s in the “Upgrade Groups” Reboot and joins the Secondary WLC
5. Upgrade the Primary WLC Image
6. Point the AP’s to the Primary WLC

Scheduled AP Upgrade with Prime 3.3

[Diagram: Cisco Prime 3.3 triggers the rolling upgrade. Primary WLC: Version X (8.3) going to Version X+1 (eg. 8.5). N+1 WLC: already upgraded N+1 controller, Version X+1 (eg. 8.5)]

1. Create Upgrade Groups

Rolling AP Upgrade
Upgrade Secondary (N+1) WLC

Upgrade N+1 WLC image via PI or WLC image upgrade process

Rolling AP Upgrade
Upgrade Groups

Select AP’s to be added to a particular Upgrade Group

Rolling AP Upgrade
Upgrade Groups
• Create a new group

• Add to an existing group

• Import from CSV

Rolling AP Upgrade
Point AP’s to the Secondary (N+1) WLC

• Secondary WLC IP (Already Upgraded)
• Ability to order the Upgrade Groups
• Image details for the Primary WLC
• Run Now/Schedule

[Screenshot of the Prime rolling upgrade form; version shown: 8.3.111.0]

Rolling AP Upgrade
Once you Submit …

A Job is created

Image is downloaded to the Primary WLC

Pre Download the image to all the AP’s

Take the 1st group of AP’s, point them to the Secondary WLC, reboot the AP’s and wait till they come up

Take the next group of AP’s, point them to the Secondary WLC and reboot the AP’s and so on ..

After all the AP's are registered to the Secondary WLC, reboot the Primary WLC which comes back with the new image

Rolling AP Upgrade
Moving the AP’s back to the Primary

Select this option to automatically move the AP’s from the Secondary WLC to the Primary WLC after the image upgrade

Rolling AP Upgrade
Job Status

• Provides step-by-step WLC status
• AP’s status per Upgrade Group

HA Design and Deployment Practice
Branch
HA Design and Deployment Practices
Branch Redundancy: Centralised Controller & Flex (local switching)
HA considerations:
• If WAN fails, Flex APs allow a level of redundancy:
  • Local Data path stays UP
  • Control plane features go down: RRM, CleanAir, WebAuth, etc.
• WLC SSO at central site provides Control plane survivability

Design considerations:
• WAN requirements:
  • General: 24kbps per AP, 300 ms RTT (Data)
  • More info here: http://tiny.cc/FlexDG
• APs are in Flex Mode = fewer features and functionalities compared to Local Mode. Key features missing:
  • No L3 roaming, No Bonjour Gateway
• Flex Groups have AP count limit
  • 100 APs for 3504/5520/8540
• Switchport as Trunk if SSID/VLAN separation needed

[Diagram: Data Centre / Campus Services (5500 / 8500 / 7510 WLC, ISE, PI) connected over the WAN to FlexConnect APs at the remote location]

HA Design and Deployment Practices
Branch Redundancy: Local Controller, Flex local switching & Central backup Controller

High Availability considerations:
• Local Controller for managing the APs and for providing Control plane survivability in the event of a WAN failure (RRM, CleanAir, WebAuth, etc.)
• Why AP in Flex? So that if the local controller fails, the APs can failover to the central controller but traffic still remains local

Design considerations:
• AP in Flex mode = fewer features and less functionality compared to Local Mode. Key features missing:
  • No L3 roaming, No Bonjour GW
• If using Flex Groups be aware of the AP count limit (100 APs for 3504/5520/8540)
• Switchport as Trunk if SSID/VLAN separation needed
• For a large branch it is recommended to have DHCP, DNS and AAA services running locally for better reliability

[Diagram: Data Centre / Campus Services (3504/5520/8540 WLC, ISE, PI) connected over the WAN and Internet to the remote location, which has a local WLC, Local Services (AAA, DHCP, DNS) and FlexConnect APs]

Key Takeaways
Key Takeaways

• High Availability for Wireless is a multi-level approach, starting from Level 1 (RF)
• You have different solutions to choose from, based on the downtime that is acceptable for your business application
• Cisco Controller SSO eliminates the network downtime upon a controller failure

VoD Links
[Slide side labels: Faster Innovation; Reduce Cost & Complexity; Lower Risk]

• Cisco CMX Solution https://www.youtube.com/watch?v=KQRb8vfU0qM
• CMX Hyperlocation vs RSSI Demo https://www.youtube.com/watch?v=6ls7EHbSK4A
• Cisco Dual 5GHz Wi-Fi https://www.youtube.com/watch?v=mbpjiETvDXc
• Cisco Aironet AP-3800 RF Excellence https://www.youtube.com/watch?v=dBpGsTKeyNM&t=64s
• Digital Network Architecture with Wave2 with 802.11ac https://www.youtube.com/watch?v=ySjN13hPhXY&t=2s
• Cisco Aironet Series – Flexible Radio Assignment https://www.youtube.com/watch?v=K_-BykT_YIM
• TechWiseTV: Apple and Cisco: Fast-Tracking the Mobile Enterprise https://www.youtube.com/watch?v=bh8rEvrzm7Y&feature=youtu.be
• Prioritised Business Apps https://www.youtube.com/watch?v=z0EOKNxL964&feature=youtu.be
• Apple and Cisco: Three Solutions Coming Together https://www.youtube.com/watch?v=7MgsDkf55wQ&feature=youtu.be
• WiFi Optimised Feature https://www.youtube.com/watch?v=xgPfxAolJoQ&feature=youtu.be
• Fastlane App Demo https://www.youtube.com/watch?v=N1QMUcv3aRQ
• Cisco APIC-EM Wireless PnP Demo https://www.youtube.com/watch?v=_9P2-bU66PU
• Cisco Aironet Plug and Play Cloud Redirection https://www.youtube.com/watch?v=W7fBZ6xfSxw
• Wireless LAN Controller Dashboard Review https://www.youtube.com/watch?v=af09TBaafRI&feature=youtu.be
• Cisco Wireless Mobile App https://www.youtube.com/watch?v=HyvZ4mbVAWs
• WLC Advanced UI Client Troubleshooting https://www.youtube.com/watch?v=dZVxI6jOx_Q
• ISE Simplified Wireless Setup https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless TrustSec Demo https://www.youtube.com/watch?v=A3F2DrFu7Lo&feature=youtu.be
• Cisco Wireless Netflow Lancope Integration Demo https://www.youtube.com/watch?v=TuWYkrt94CQ
• OpenDNS Integration with WLC https://www.youtube.com/watch?v=cMdX8sBBYG4

Q&A
Complete Your Online
Session Evaluation
• Give us your feedback and
receive a Cisco Live 2018 Cap
by completing the overall event
evaluation and 5 session
evaluations.
• All evaluations can be completed
via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be
available for viewing on demand after the
event at www.CiscoLive.com/Global.

Thank you
