Sunday, April 16, 2017

Configuring N+1 Redundancy on a Cisco WLC

I had a quick visit to Dubai and went to the City of Gold which is a popular gold market place. You'll see a lineup of gold retail stores and souvenir shops within the area. Not too far away you'll find Dubai Creek and the Dubai Old Souk Station where you can ride an Abra water taxi for just 1 Dirham. The boat ride was an unforgettable experience and you'll see more local shops once you get to the other side of the creek.





Building Redundancy

Building a wireless network with one controller and some APs is straightforward, but it does not address what happens if the controller fails for some reason. Adding another controller or two can provide redundancy, as long as the APs know how to move from one controller to another when the time comes.

Redundancy is best configured in the most deterministic way possible. The following sections explain how you can configure APs with primary, secondary, and tertiary controller fields to implement various forms of redundancy. As you read through the sections, keep in mind that redundant controllers should be configured similarly so that APs can move from one controller to another without having to undergo any major configuration changes.


N+1 Redundancy

The simplest way to introduce HA into a Cisco unified wireless network is to provide an extra backup controller. This is commonly called N+1 or N:1 redundancy, where N represents some number of active controllers and 1 denotes the one backup controller.

By having one backup controller, N+1 redundancy can withstand a failure of only one active controller. As long as the backup controller is sized appropriately, it can accept all of a failed controller's APs. However, once an active controller fails and all its APs rehome to the backup controller, there will be no space to accept any other APs if a second controller fails.

To configure N+1 redundancy, you configure the primary controller field on all APs with the name of an active controller (WLC-A, for example). The secondary controller field is set to the name of the backup controller (WLC-Z).


I've added a Secondary WLC (WLC2) in my wireless lab in order to test out N+1 high availability with the Primary WLC1. WLC1's management IP address is 192.168.1.4/24 while WLC2's is 192.168.1.5/24.





To configure N+1 Redundancy on the Primary WLC1, go to Wireless > Access Points > Global Configuration > type the Backup WLC IP Address (192.168.1.5) and Controller Name (WLC2) > click Apply.



Configure an AP associated with WLC1 for High Availability under Wireless > Access Points.



Click a specific AP Name > go to the High Availability tab.



Type the Primary and Secondary Controller Name (case sensitive) and Management IP Address.
 


Configure a Mobility Group on both WLC1 and WLC2 by going to Controller > Mobility Management > Mobility Groups > New. Take note of the Member IP Address and MAC Address on each WLC.




On WLC1, type the Member IP Address (192.168.1.5) and MAC Address (c8:00:84:50:96:c0) of WLC2 > click Apply.
 


Notice that the Status of both the Control Path and the Data Path is Down.
 


On WLC2, type the Member IP Address (192.168.1.4) and MAC Address (10:f3:11:a5:49:80) of WLC1 > click Apply.



Click Refresh (in the upper-right hand corner above Home) to see the Control Path Status change from Down to Up.
 




The Mobility Group Status on WLC1 also went Up (click Refresh). Click Save Configuration.



Enable both AP Fallback and HA SKU secondary unit on WLC2 > click Apply > Save Configuration.
 



On the WLC2 CLI, enter the config redundancy unit secondary command.

(Cisco Controller) >config ?

802.11-a49     Configures 802.11a 4.9 subband parameters.
802.11-a58     Configures 802.11a 5.8 subband parameters.
802.11-abgn    Configures 802.11-abgn parameters.
802.11a        Configures 802.11a parameters.
802.11b        Configures 802.11b parameters.
802.11h        Configures 802.11h parameters.
aaa            Configures AAA related items.
acl            Configures Access Control Lists.
advanced       Advanced Configuration.
ap             Configures Cisco APs
assisted-roaming Configures Assisted Roaming Global Parameters.
auth-list      Configures ap authorization list.
auto-configure Single command to auto-configure.
avc            Configures AVC (Application Visibility and Control).
band-select    Configures Band Select.
boot           Configures the default boot image.
ccx-lite       Enable or disable CCX-lite feature
cdp            Configure Cisco Discovery Protocol
certificate    Configures SSL Certificates.
client         Configures a client.
coredump       Configures the Core Dump Setting
country        Configure the countries of operation.
cts            Configure Cisco TrustSec SXP Protocol
custom-web     Configures the custom web authentication page.
database       Configures the local database
dhcp           Configures system dhcp server.
exclusionlist  Manages exclusion-list.
flexconnect    Configure controller flexconnect parameters.
flow           Configure flow.
guest-lan      Configures the Wireless LAN Network.
icons          Configures the ICON details.
interface      Configures system interfaces.
ipv6           Configure IPv6 related parameters.
lag            Enables/Disables Link Aggregation (LAG)
ldap           Configures LDAP servers (ipv4 or ipv6).
license        Configure software license parameters.
linktest       Configures linktest frame size and number of frames to send.
load-balancing Configures Aggressive Load Balancing.
local-auth     Configures Local EAP Authentication.
location       Configure Location parameters
logging        Configures Logger parameters.
loginsession   Manage User Connections to the Switch.
macfilter      Configure static MAC filtering.
mdns           Configures mDNS Services/Profiles
media-stream   Configure Media Stream
memory          Configures memory monitoring for certain types of errors/leaks.
mesh           Config mesh ap parameters.
mgmtuser       Manages local management user accounts.
mobility       Configures the Inter-Switch Mobility Manager
msglog         Configures the system msglog parameters.
netuser        Configures network user policies and local network user accounts.
network        Configuration for inband connectivity.
nmheartbeat    Configures the network manager heartbeat Setting
nmsp           Configure NMSP parameters.
oeap-acl       Configures Access Control Lists for OEAP Split Tunnel.
paging         enable or disable scrolling the page.
passwd-cleartext Enable or Disable the showing of passwd in cleartext
policy         Configure native profiling policy.
port           Configures port mode and physical settings.
profiling      Enabling Local profiling update
prompt         Change the system prompt.
qos            Configure qos parameter.
radius         Configures RADIUS Servers.
redundancy     Configure WLC redundancy parameters
remote-lan     Configures Remote LAN Connections.
rf-profile     Configures RF Profile parameters.
rfid           Configure options for RFID tag tracking
rogue          Configures rogue devices.
serial         EIA-232 parameters and serial port inactivity timeout.
service        Modify network based services.
sessions       Configure CLI session parameters.
slot           Configures the slot
snmp           Configures SNMP.
split-tunnel-network-list Configure split tunnel network lists. Only become active in split tunnel mode 2.
stats-timer    Configures system stats timer.
switchconfig   Configure parameters that apply to the switch.
sys-nas        Configures the system nas id.
syslog         Configures the system syslog mode.
sysname        Configures the system name.
tacacs         Configures TACACS+ Servers.
time           Configures system time or servers.
trapflags      Enable or Disable trap flags that apply to the switch.
wgb            Configure WGB related parameters
wlan           Configures the Wireless LAN Network.
wps            Configures WPS settings.

(Cisco Controller) >config redundancy ?

unit           Configure redundancy unit [primary | secondary]

(Cisco Controller) >config redundancy unit ?

primary        Redundancy unit type is primary
secondary      Redundancy unit type is secondary

(Cisco Controller) >config redundancy unit secondary


You can use the show redundancy summary command to verify which WLC is acting as Primary or Secondary.

(Cisco Controller) >show redundancy ?

summary        Display Redundancy Facilitator States.

(Cisco Controller) >show redundancy summary

Type of the Unit = Primary        // WLC1


(Cisco Controller) >show redundancy summary

Type of the Unit = Secondary      // WLC2



You'll need to reboot WLC2 for AP failover to take effect. You can reboot the WLC under Commands > Reboot > Reboot.
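For reference, here is the same N+1 setup entered from the controller CLI instead of the GUI. This is an added example, not part of the original post: the command syntax is taken from the WLC command reference as I know it, the AP name is the one shown in the show ap summary output later on this page, and the prompts are abbreviated.

```text
// On WLC1 (primary): global backup controller, per-AP primary/secondary, mobility peer
(WLC1) >config advanced backup-controller primary WLC2 192.168.1.5
(WLC1) >config ap primary-base WLC1 APf872.eaa6.e203 192.168.1.4
(WLC1) >config ap secondary-base WLC2 APf872.eaa6.e203 192.168.1.5
(WLC1) >config mobility group member add c8:00:84:50:96:c0 192.168.1.5
(WLC1) >show ap config general APf872.eaa6.e203
(WLC1) >show mobility summary
(WLC1) >save config

// On WLC2 (backup): mobility peer, AP fallback, HA SKU secondary unit, then reboot
(WLC2) >config mobility group member add 10:f3:11:a5:49:80 192.168.1.4
(WLC2) >config network ap-fallback enable
(WLC2) >config redundancy unit secondary
(WLC2) >save config
(WLC2) >reset system
```

Use the CLI's ? help to confirm the exact syntax on your software release, as keyword names vary slightly between versions.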
 

To test AP failover to the Secondary WLC2, I've shut down WLC1 (port 1) on SW1 FastEthernet0/13.


SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
APf872.eaa6.e203 Fas 0/14          161          T B I     AIR-CAP26 Gig 0
WLC1             Fas 0/13          168            H       AIR-CT250 Gig 0/0/1
WLC2             Fas 0/16          136            H       AIR-CT250 Gig 0/0/1

SW1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW1(config)#interface fastethernet0/13
SW1(config-if)#shutdown


AP1 generated the failover logs below:

*Apr 12 22:03:50.107: %WIDS-4-SIG_ALARM: Attack is detected on Sig:Standard Id:2 Channel:1 Source MAC:0432.f407.5527
*Apr 12 22:20:37.103: %WIDS-6-SIG_ALARM_OFF: Attack is cleared on Sig:Standard Id:2 Channel:1
*Apr 12 22:21:54.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.4:5246
*Apr 12 22:21:55.055: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Apr 12 22:21:55.083: %LWAPP-4-CLIENTEVENTLOG: Not sending change state post as the radio admin is down, lrad state = 5
*Apr 12 22:21:55.087: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Apr 12 22:21:55.087: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Apr 12 22:21:55.091: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:21:55.711: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 12 22:21:56.087: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:21:56.115: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 12 22:21:56.123: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 12 22:21:57.107: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 12 22:21:57.115: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Apr 12 22:21:57.143: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 12 22:21:57.151: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 12 22:21:57.159: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 12 22:21:58.143: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Apr 12 22:21:58.151: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:21:58.179: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:21:59.179: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 12 22:22:01.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.5 peer_port: 5246
*Apr 12 22:22:01.431: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.5 peer_port: 5246
*Apr 12 22:22:01.431: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.5

*Apr 12 22:22:02.059: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 12 22:22:02.127: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 12 22:22:02.935: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:22:03.135: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:22:03.567: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC2
*Apr 12 22:22:03.687: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 12 22:22:03.807: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 12 22:22:03.935: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Apr 12 22:22:03.935: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*Apr 12 22:22:04.547: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 12 22:22:04.715: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 12 22:22:04.723: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 12 22:22:04.731: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 12 22:22:05.715: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Apr 12 22:22:05.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:22:05.751: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:22:06.751: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
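The failover and the later fallback both leave the same fingerprint in the AP console log: a DTLS close-notify to the old controller, then a Join Request and a JOINEDCONTROLLER line for the new one. As an added example (not code from the original post), the Python below parses lines in that format, pairs each close-notify with the next join, reports how long the AP was without a controller, and flags any join to a controller that is not on the expected list; the sample lines are a constructed excerpt of the log above.

```python
import re
from datetime import datetime

# Controllers this AP is allowed to join (names and management IPs from the lab above).
KNOWN_CONTROLLERS = {"WLC1": "192.168.1.4", "WLC2": "192.168.1.5"}

# Constructed sample: a trimmed excerpt in the format of the AP console log on this
# page, covering the failover to WLC2 and the fallback to WLC1.
SAMPLE_LOG = """\
*Apr 12 22:21:54.999: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.4:5246
*Apr 12 22:21:55.087: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Apr 12 22:22:01.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.5 peer_port: 5246
*Apr 12 22:22:01.431: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.5
*Apr 12 22:22:03.567: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC2
*Apr 12 22:26:01.859: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.5:5246
*Apr 12 22:26:18.427: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.4
*Apr 12 22:26:20.643: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1
"""

# IOS-style AP syslog line: "*Mon DD HH:MM:SS.mmm: %FACILITY-SEV-MNEMONIC: text"
LINE_RE = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3} +\d+ \d\d:\d\d:\d\d\.\d{3}): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)


def parse_failovers(log_text, known_controllers):
    """Pair each DTLS close-notify (AP tearing down its CAPWAP tunnel) with the
    next JOINEDCONTROLLER line; return one record per rehoming."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
        mnemonic, msg = m["mnemonic"], m["msg"]
        if mnemonic == "DTLS-5-SEND_ALERT" and "Close notify" in msg:
            # Last token is "ip:port" of the controller the AP is leaving.
            pending = (msg.rsplit(" ", 1)[1].split(":")[0], ts)
        elif mnemonic == "CAPWAP-5-JOINEDCONTROLLER":
            name = msg.split()[-1]
            left_ip, left_at = pending if pending else (None, ts)
            events.append({
                "left": left_ip,
                "joined": name,
                "gap_s": round((ts - left_at).total_seconds(), 3),
                "expected": name in known_controllers,
            })
            pending = None
    return events


if __name__ == "__main__":
    for ev in parse_failovers(SAMPLE_LOG, KNOWN_CONTROLLERS):
        flag = "" if ev["expected"] else "  <-- unexpected controller"
        print(f"left {ev['left']} -> joined {ev['joined']} after {ev['gap_s']:.3f}s{flag}")
```

On the sample the AP was without a controller for about 8.6 s on failover and 18.8 s on fallback, which is the number to watch when judging whether the heartbeat and AP fallback settings suit the site.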


You can verify that the AP joined WLC2 by going to Wireless > Access Points or by issuing the show ap summary command in the CLI.


(Cisco Controller) >show ap summary

Number of APs.................................... 1

Global AP User Name.............................. Not Configured
Global AP Dot1x User Name........................ Not Configured

AP Name             Slots  AP Model              Ethernet MAC       Location          Country  IP Address       Clients
------------------  -----  --------------------  -----------------  ----------------  -------  ---------------  -------
APf872.eaa6.e203     2     AIR-CAP2602I-S-K9     f8:72:ea:a6:e2:03  default location  SG       192.168.1.6      0



I've re-enabled WLC1 on SW1.

SW1(config)#interface fastethernet0/13
SW1(config-if)#no shutdown
SW1(config-if)#
*Mar  1 02:15:51.327: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to down
*Mar  1 02:15:53.558: %LINK-3-UPDOWN: Interface FastEthernet0/13, changed state to up
*Mar  1 02:15:54.565: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/13, changed state to up

SW1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
APf872.eaa6.e203 Fas 0/14          164          T B I     AIR-CAP26 Gig 0
WLC1             Fas 0/13          131            H       AIR-CT250 Gig 0/0/1
WLC2             Fas 0/16          160            H       AIR-CT250 Gig 0/0/1


AP1 re-joined the Primary WLC1:

*Apr 12 22:22:30.899: %CLEANAIR-6-STATE: Slot 0 disabled
*Apr 12 22:22:30.899: %CLEANAIR-6-STATE: Slot 1 disabled
*Apr 12 22:26:01.859: %DTLS-5-SEND_ALERT: Send FATAL : Close notify Alert to 192.168.1.5:5246
*Apr 12 22:26:01.919: %WIDS-6-DISABLED: IDS Signature is removed and disabled.
*Apr 12 22:26:01.943: %LWAPP-4-CLIENTEVENTLOG: Not sending change state post as the radio admin is down, lrad state = 5
*Apr 12 22:26:01.943: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to administratively down
*Apr 12 22:26:01.943: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to administratively down
*Apr 12 22:26:01.947: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:26:02.567: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 12 22:26:02.947: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:26:02.975: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 12 22:26:02.983: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 12 22:26:03.967: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 12 22:26:03.975: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Apr 12 22:26:04.003: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 12 22:26:04.011: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 12 22:26:04.019: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 12 22:26:05.003: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Apr 12 22:26:05.011: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:26:05.039: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:26:06.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 12 22:26:18.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 192.168.1.4 peer_port: 5246
*Apr 12 22:26:18.427: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 192.168.1.4 peer_port: 5246
*Apr 12 22:26:18.427: %CAPWAP-5-SENDJOIN: sending Join Request to 192.168.1.4

*Apr 12 22:26:19.971: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 12 22:26:19.975: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 12 22:26:20.643: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller WLC1
*Apr 12 22:26:20.767: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:26:21.015: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:26:21.023: %WIDS-6-ENABLED: IDS Signature is loaded and enabled
*Apr 12 22:26:21.095: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to down
*Apr 12 22:26:21.103: %LINK-5-CHANGED: Interface Dot11Radio1, changed state to reset
*Apr 12 22:26:21.767: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to down
*Apr 12 22:26:22.091: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 12 22:26:22.131: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Apr 12 22:26:22.139: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Apr 12 22:26:22.147: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Apr 12 22:26:23.131: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
*Apr 12 22:26:23.139: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to down
*Apr 12 22:26:23.167: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Apr 12 22:26:24.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Apr 12 22:26:41.643: %CLEANAIR-6-STATE: Slot 0 disabled
*Apr 12 22:26:41.643: %CLEANAIR-6-STATE: Slot 1 disabled