WLC 5508 HA With SSO

WLC 5508 HA with SSO
Setup Guide
Version 1.1
Another offering from team MIDAS

March 10th, 2014
Table of Contents
Introduction......................................................................................................................... 3
Logical Topology ................................................................................................................. 4
Physical Topology ................................................................................................................ 6
Disclaimer............................................................................................................................ 8
Build Information ................................................................................................................ 8
Prerequisite knowledge....................................................................................................... 8
Guide Overview ................................................................................................................... 9
Part 1: Review and Prepare the Current Network for HA ................................................. 10
Part 2: Configure the Secondary WLC 5508 to Support HA .............................................. 25
Part 3: Configure High-Availability with Stateful Switchover ........................................... 36
Part 4: Test High-Availability with Stateful Switchover Failover ...................................... 57
Appendix A: Final Device Configurations .......................................................................... 77
March 10th, 2014
Introduction
Your integration company has been asked to add redundancy to an existing deployment
of Cisco wireless. The current deployment includes a single 5508 WLC, and four access
points, spanning two switches. The customer, Example.com, plans to have only
corporate users connect to the network wirelessly as is configured currently, and
expects to grow to fifty access points over the next four years. Example.com is also very
concerned about outages to the wireless network, and would like to minimize downtime
as much as possible. It is for this reason that a 5508 High-Availability setup was chosen,
and we will configure Stateful Switchover (SSO).
This guide will cover configuring High-Availability on a pair of 5508 WL Cs in a preexisting network, as well as Stateful Switchover (SSO). Specifics that will be covered are
as follows:
Review prerequisites for 5508 HA.

AP registration in an HA environment.
Configure the network to support the HA.
Configure the secondary 5508 via CLI.
Configure both WLCs via GUI.
Configure High-Availability (HA) and review changes.
Configure Stateful Switchover (SSO)
Test Failover and Redundancy
Test client / AP in Failover and Redundancy.
Please review the diagrams on the following pages carefully before proceeding. The
following diagrams are of the intended layers two and three networks design, and
represent the preexisting network at the start of the guide, as well as the final product
upon completion.
March 10th, 2014
Logical Topology
The diagram below depicts the logical L3 topology, both before and after, of the
network.
Pre-Deployment
March 10th, 2014
Post-Deployment
March 10th, 2014
Physical Topology
The diagram below depicts the L2 topology, including both a before and after
representation of the network.
Pre-Deployment
March 10th, 2014
7
Post-Deployment
March 10th, 2014
Disclaimer
This Guide is intended to demonstrate one way to configure the network, to meet the
specified requirements of this example. There are various ways that this can be
accomplished, depending on the situation and the customers goals/requirements.
Please ensure that you consult all current official Cisco documentation before
proceeding with a design or installation. This lab is primarily intended to be a learning
tool, and may not necessarily follow best practice recommendation at all times, in order
to convey specific information. This is not intended to be a deployment guide. It is
intended for learning purposes only.
Build Information
As of the writing of this document, the current relevant documentation could be found
on CCO at the following links:
3850 Series Configuration Guides
http://www.cisco.com/c/en/us/support/switches/catalyst-3850-series-switches/products-installation-and-configuration-guides-list.html
5500 Series WLC Deployment Guide
http://www.cisco.com/c/en/us/td/docs/wireless/controller/7-0/configuration/guide/c70/c70ovrv.html
The labs were constructed using the following software versions from CCO:
3850
AP 7021
5508 WLC
03.03.02.SE.150-1
15.2.58-SE2*
7.6.100.0
Prerequisite knowledge
A solid understanding of networking, including routing and switching is assumed. Some
background with Cisco Wireless / Mobility is valuable but not required.
March 10th, 2014
Guide Overview
This Guide will cover how to configure High-Availability in an existing
deployment, consisting of a 5508 WLC, upgrading to a pair of 5508s. It will detail the
required licensing, configuration for CLI and GUI, the process of pairing and primary vs.
standby modes, Stateful Switchover (SSO), and finally, testing the completed wireless
network.
The key focus of this document is to gain an understanding of configuration and
capabilities of the 5508 Wireless LAN Controller in a High-Availability solution, as well as
the requirements and limitations.
March 10th, 2014
10
Part 1: Review and Prepare the Current Network for HA

This part will cover the prerequisites required to configure High-Availability. This part
will also include coverage of the current configuration of the existing 5508, DNS, DHCP,
5508 Code and License Levels, as well as adding the required connections for the new
WLC.
Section 1.1 Review the current configuration of the existing WLC 5508-A
This section will detail what is required to be the same on each WLC in order to
configure HA successfully. This section will also cover the port configuration of the
existing 5508, and the current AP registration process.
We begin by accessing the GUI of the existing 5508, shown below in the layer two and
three diagrams. Please take a moment to review the diagram, and become familiar with
the topology.
March 10th, 2014
11
In order to access the existing 5508 WLC, we navigate to the address below. This
address is assigned to the wireless management port of the WLC connected into the
Switch-A in VLAN 3.
https://10.1.30.254
March 10th, 2014
12
We click Proceed anyway to accept the warning message that the WLC is using a selfsigned certificate for HTTPS connections, and are redirected to the page shown below.
On the login page shown above, we login with the following username and password.
Username: admin
Password: Cisco123
March 10th, 2014
13
The resulting monitor page is shown below.
In order to configure High-Availability, there are a few prerequisites requirements. First

is that the Primary and Standby Controllers both have the same version of Software.
Below is a screenshot of the Controller Summary section on the Monitor page in the
WLC GUI.
Note that the current running software version is 7.6.100.0 on 5508-A. The WLC which it
is paired with WILL need to have the same version. Also note the Field Recovery Image
Version just below it. It is NOT required that both WLCs have the same recovery code in
order to pair.
Now we navigate to the CONTROLLER section of the WLC GUI.
March 10th, 2014
14
On the resulting CONTROLLER page, expand the NTP dropdown and click on the
Server link.
On the resulting Server page, review the current configuration shown below.
March 10th, 2014
15
Notice that 5508-A is currently configured to receive its system time for a remote NTP
server. In order for preform in a predictable manner, it is critical that both controllers
have the same system time configured, before attempting to pair the systems.
Now we navigate to MANAGEMENT, to review the current system licensing.
From the MANAGEMENT page, we expand the Software Activation dropdown on

the left side, and click on the Licenses link beneath.
On the Licenses page shown below, take note of the currently active license.
March 10th, 2014
16
In order to configure High-Availability, we will need at least 50 Permanent AP licenses

active on the controller. If the Primary Controller does not have the required licenses (At
least 50 Permanent AP licenses) when it is paired, the Secondary will enter Maintenance
Mode. The recommended licensing for a 5508 High-Availability configuration with
Stateful Switchover (SSO) is for both Active and Hot Standby Controllers to be licensed
with 50 Permanent AP licenses. This is the licensing we will be using today in our
configuration. For more information on Licensing, refer to the 5500 Series High
Availability (SSO) Deployment Guide linked below.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html#pgfId-44069
Now that we have covered this requirement to successfully configure High-Availability

on a pair of 5508 WLCs, let us talk about the Redundant Port, and how it should be
cabled.
Below is a picture of the faceplate of a Cisco Systems 5508 Wireless LAN Controller,
taken directly from the Cisco 5500 Series Wireless Controller Installation Guide linked
below.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/5500/install/guide/ctrl5500.html
The Redundant Port shown in the above diagram as 1, is an Ethernet port that is used
to connect the Primary and Secondary Controllers, so that they may enter into a HighAvailability configuration.
March 10th, 2014
17
The new architecture for HA is for box-to-box redundancy. In other words, 1:1, where
one WLC will be in an Active state, and the second WLC will be in a Hot Standby state
continuously monitoring the health of the Active WLC via a Redundant Port. Keep-alive
packets are sent on the Redundancy Port from the Standby to the Active WLC every 100
msec (default timer), in order to check the health of the Active WLC.
Today we will be connecting 5508-A to 5508-B, via a single crossover cable from
Redundant Port to Redundant Port. A direct physical connection between Active and
Standby Redundant Ports is highly recommended. The distance between the
connections can go up to 100 meters as per Ethernet cable standards.
For more information on the Redundant Port, consult the 5500 Series High Availability
(SSO) Deployment Guide linked below.
http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/7-5/High_Availability_DG.html
Now, let us consider the process used to register Access Points with the Wireless LAN
Controller in the current configuration. To do this, we will access the DNS/DHCP
windows server depicted in the section of the layer three pre-deployment diagram
shown below.
March 10th, 2014
18
Below is shown the dnsmgmt window of the server.
From here we expand the Forward Lookup Zones for example.com, and notice the
entry shown below highlighted in blue.
This configuration is currently utilizing a DNS entry for CISCO-CAPWAP-CONTROLLER to

direct Access Points to 10.1.30.254 for registration. Based on this method of
March 10th, 2014
19
registration, we know we will not need to make any changes in order to implement
High-Availability.
Remember that the Active controller will always use the IP addresses from the
configuration XML file it synchronizes across the Redundant Port. This means that Active
controller, be it 5508-A or 5508-B, will be utilizing 10.1.30.254 as its Wireless
Management IP Address.
Still here on the DNS/DHCP Windows server that is part of our example.com existing
network, let us take a look at current DHCP configuration. Below is a screenshot of the
DHCP window.
Here we can see that DHCP for Access points is handled by this server, as well as DHCP
for wireless clients connecting the Corporate WLAN. This means that we will not need to
worry about DHCP leases as part of our High-Availability deployment.
Now in the GUI of 5508-A ,let us navigate to the CONTROLLER page.
From the controller page, we click on Interfaces on the left hand side.
Here is the resulting Interfaces page shown below.
March 10th, 2014
20
Notice that there are currently two interfaces in use (Corporate and Management) with
addresses. In order for the Secondary (Hot Standby) WLC to take over functionality in
the event of a failure, it must also have the same interfaces attached to the same VLANs
or networks, via the same physical ports on the device. With this in mind, take a look at
the layer two diagram of the existing network below.
The Secondary (Hot Standby) WLC will need to be connected to VLANs 2 and 3 over
ports 1 and 7, just as the Primary (Current) WLC is now, in order for High-Availability to
function as intended. In the next section we will make the required network
configurations to support the additional WLC.
March 10th, 2014
21
Section 1.2 Configuring the Network to Support the New WLC 5508-B
This section will cover configuring the switched network to support an additional WLC,
as described in the end of Section 1.1 above.
We begin by reviewing the intended (Final) layer two diagram of the network shown
below.
We will begin by accessing Switch-B, that will handle the two network connections from
the additional 5508 WLC. Below is the login prompt of Switch-B.
We login with the credentials below, and enter configuration terminal mode.
March 10th, 2014
22
Username: admin
Password: cisco123
Before we configure the two ports that will connect to the additional 5508, let us look at
the current port and VLAN configurations.
show run int g1/0/23
show vlan
March 10th, 2014
23
Now we will configure the first port to support the corporate VLAN on the additional
5508.
config t
int g1/0/23
switchport mode access
switchport access vlan 2

switchport nonegotiate
no shut
exit
Now let us configure the second port supporting the Management VLAN 3.
int g1/0/24
no shut
exit
March 10th, 2014
24
Now we confirm the updates, and save the configuration to flash.

The network infrastructure is now prepared for the implementation of the HighAvailability deployment. Let us now move on to configuring the secondary 5508 WLC.
March 10th, 2014
25
Part 2: Configure the Secondary WLC 5508 to Support HA

Part 2 will cover configuring the 5508 Wireless LAN Controller via the Console port,
using the Setup Wizard, in accordance with the HA design, accessing the GUI and
preparing the device to become the standby unit in the High-Availability deployment.
Before we begin configuration, let us again look at the layer two intended
configuration. The links to the additional 5508-B have been cabled, including the cable
to the Redundant Port of each 5508.
Section 2.1 Complete the Setup Wizard via the Console

This section will cover completing the Setup Wizard via the CLI/Console connection.
From the console of the 5508, answer the questions of the Setup Wizard as follows, to
match the intended example topology.
System Name: 5508-B
Admin Username: admin
Password: Cisco123
Password re-enter: Cisco123
March 10th, 2014
26
Service Int IP: DHCP

Enable LAG: NO
Management Int IP Address: 10.1.30.254
Management Int Netmask: 255.255.255.0
Management Int Default Route: 10.1.30.1
Management Int VLAN ID: 0
(Untagged)
Management Int Port Num: 1
(Physical Port)
Management Int DHCP Server IP: 10.1.40.200

Enable HA: NO
(Will Configure Later)
Mobility/RF Group Name: Example
Network Name (SSID): Example-Corp

DHCP Bridging Mode: NO
Allow Static IP: YES
Configure Radius Server: NO
March 10th, 2014
27
Enter Country Code: US
Enable 802.11b: YES
Enable 802.11a: YES
Enable 802.11g: YES
Enable Auto-RF: YES
Configure a NTP Server: YES

NTP Server IP Address: 206.246.122.250
Polling Interval: 5400
Configuration Correct (Save and Reload): YES
Once the 5508 has reloaded, it will have the above options configured. The below login
prompt will appear at the console when the reload is completed.
Let us login now and run a few show commands.
March 10th, 2014
28
User: admin
Password: Cisco123
From the command line of the 5508 controller, let us now review the current HighAvailability configuration. Remember that in the Setup Wizard, we chose not to
configure HA just yet.
show redundancy summary
Now let us look at the current level of licensing in use on the 5508 controller.
show license in-use
Remember, it is required that the active 5508 have at least 50 AP licenses in-use in
order to configure High-Availability with SSO, and that both units having 50+ licenses is
recommended.
March 10th, 2014
29
Section 2.2 Access and Prepare the 5508-B Wireless LAN Controller via the GUI
In this section, we will access the web GUI of the 5508-B Wireless LAN Controller and
review the configuration of the device, as well as complete a few prerequisites required
before configuring HA with SSO.
Now let us access the Wireless LAN Controller, by navigating to the Wireless
Management Interface IP address via HTTPS.
https://10.1.10.253
We login with the configured username and password set in the setup wizard.
User: admin
Password: Cisco123
March 10th, 2014
30
At the resulting MONITOR page, we review a number of important items.
Here we can see that the new 5508 has licensing for up to 62 access points currently
available. We can also see that the current running code matches 5508-A.
Before we configure High-Availability with SSO on the two 5508s, we need to take care
of a few more items. The first of which is to configure the time zone.
From the MONITOR page, we navigate to COMMANDS, to set the time zone.
From the COMMANDS page, we select Set Time from the left hand side of the page.
March 10th, 2014
31
On the resulting Set Time page, we expand the Location dropdown, to select the
Eastern Standard Time zone.
Below is the dropdown menu with the Eastern Standard Time zone selected in blue.
With the time zone now selected, we click on Set Timezone button at the top right, to
confirm the change.
March 10th, 2014
32
We click ok to confirm, in the resulting message.
Next, we need to configure the interfaces of this new 5508, to match the existing unit.
When High-Availability is configured, the Active 5508 will copy its running configuration
to the standby unit. When the standby unit comes active for whatever reason, it will
assume the exact configuration of the originally active Unit. This means that the same
physical interfaces of both 5508s should be connected to the same subnets, to prevent
any unintended consequences.
Now let us configure the interfaces of 5508-B, to line up with the existing 5508-A ,and
be ready to successfully support a switchover. In the GUI of 5508-B, we navigate to
CONTROLLER from the top links shown below.
On the resulting CONTROLLER page, we navigate to Interfaces, from the left hand
links.
March 10th, 2014
33
On the Interfaces page, notice that there is not yet a corporate interface configured.
In order to configure this interface, we click the New button in gray at the top right
of the screenshot below.
On the resulting Interfaces > New page shown below, we fill in the information to
match the 5508-A configuration.
Interface Name: Corporate
VLAN Id: 0
After filling in the information, we click the Apply button at the top right. The resulting
page is shown below.
March 10th, 2014
34
On this page as wel,l we fill in the information to match the configuration of the 5508-A,
but adjust the IP address to prevent a conflict.
Port Number: 7
IP Address: 10.1.20.253
Netmask: 255.255.255.0
Gateway: 10.1.20.1
Primary DHCP Server: 10.1.40.200
Once the information is filled in, we click Apply again, to confirm the changes.
March 10th, 2014
35
We accept the message, by clicking OK to continue.
At this point, we will save the configuration. These controllers are now prepared to
support High-Availability. To save the configurations, we click on the Save
Configuration link at the top left of the page shown in orange below.
Upon clicking Save Configuration, the message below appears. We click OK to

continue on.
Once the first message is accepted, the second message below appears, confirming the
configuration was properly saved to flash.
At this point, we will move on to configuring High-Availability with SSO.

March 10th, 2014
36
Part 3: Configure High-Availability with Stateful Switchover

This Part will cover the configuration of High-Availability (HA) with Stateful Switchover
(SSO) via the GUI of each controller. Each of the 5508 WLCs will reboot as part of the
process. The secondary WLC may reboot up to three times.
Section 3.1 Configure High-Availability with SSO via the GUI
This section will cover the configuration for each WLC for HA with SSO via the GUI of
each controller. For the GUI of each 5508, we will configure the unit as primary or
secondary, specify the implementation of Stateful Switchover (SSO), as well as the IP
addresses of the Redundant Ports.
To begin, we access the GUI of the original 5508-A shown below.
Username: admin
Password: Cisco123
Once at the MONITOR page below, we confirm again that our APs are registered, and
at least 50 AP licenses.
March 10th, 2014
37
In order to configure High-Availability through the GUI, we navigate to CONTROLLER

from the top of the page.
On the CONTROLLER page, we expand Redundancy, and select Global

Configuration.
March 10th, 2014
38
Let us now take a moment, and review the options on the resulting page.
Before we fill in any parameters, let us review the foot notes in blue. The first foot note
states that the redundant port and its peer port must be addressed here. The second is
the keep-alive timer is set in milliseconds, incremented by 50. The third is that if SSO is
not enabled, it will result in the standby unit rebooting, as well as the standby units
interfaces being disabled to prevent an IP conflict on the network.
With these items taken into consideration, we will now fill in the required information,
but before doing so, we will again review the layer three final diagram.
March 10th, 2014
39
The HA-MGMT network between the two 5508s is for our redundancy IP information. If
you look closely at the segment, you will notice that it overlaps with that of the VLAN 3
MGMT network just above it. This is not by mistake, but rather by design. The
redundant port of each 5508 utilizes an IP address from the same network as the
management interface. Below are the parameters we set on the controllers GUI
redundancy global configuration page.
Redundancy MGMT IP: 10.1.30.201
Peer Redundancy MGMT IP: 10.1.30.202
Redundancy Unit: Primary
Before we apply these changes or navigate away from this page, we will enable Stateful
Switchover (SSO), by selecting Enabled from the dropdown menu.
March 10th, 2014
40
Once Enabled is selected, some of the sections filled in previously will become grayed.
Two more items will also appear below the SSO dropdown. These two new sections
apply to the service port. The service port is intended for management access to the
5508, as well as a few other things, but it is not a requirement of High-Availability and or
SSO.
Now that the intended configuration has been selected, we will click Apply to confirm
and begin the process.
After clicking the Apply button, the below message appears. As part of the process,
this 5508 (The current controller servicing APs and Clients) needs to reboot.
Configuring HA with SSO will be disruptive to network activity. Make sure to use a
change window or plan ahead for these interruptions.
We now click OK to confirm the reboot of the 5508. The reboot will take a few
moments. We will watch the boot process of the 5508 from the console.
March 10th, 2014
41
The 5508 will boot as usual for the most part, but the 5508 will now also look for its
peer to associate with.
March 10th, 2014
42
At this point in the boot process shown above, the 5508 begins to search for its peer.
After 120 seconds, if there is not a positive response from the 5508 connected across its
redundancy port, it will finish booting as the active controller.
March 10th, 2014
43
Once the User prompt is reached, the 5508 is booted.

Now we will configure 5508-B in the same way that we did 5508-A, but as the secondary
controller.
We begin by returning to the GUI of 5508-B.
Username: admin
Password: Cisco123
March 10th, 2014
44
From the resulting MONITOR page of the GUI, we navigate to CONTROLLER, to

configure High-Availability.
Just like the 5508-A, we expand Redundancy, and select Global Configuration.
March 10th, 2014
45
On the resulting Global Configuration page, we fill in the below information. On this
5508, we specify the unit as secondary, as well as enable Stateful Switchover.
Redundancy MGMT IP: 10.1.30.202
Peer Redundancy MGMT IP: 10.1.30.201
Redundancy Unit: Secondary
Now, we access the console of this 5508, so we can watch its reboot process, just like
we did on the original controller.
With the console open, we now click Apply at the top right of the GUIs Global
Configuration page, to apply the High-Availability and initiate the reboot.
Again after clicking Apply, we receive the message notifying us of the required system
reboot.
March 10th, 2014
46
Once we click OK, the changes take effect and reboot process begins. With the
console window open, we proceed. The process begins just like on the first 5508.
The boot process begins.
March 10th, 2014
47
March 10th, 2014
48
At this point, the 5508 begins to search for its peer.
Once the 5508 finds the peer (5508-A), it looks to see if the configuration files (XMLs)
match. As can be seen below, the XMLs did not match those of 5508-A.
As can be seen above, in order to sync the configuration files across both controllers, a
second reboot is required.
March 10th, 2014
49
March 10th, 2014
50
Again, the controller attempts to find its peer.
After finding its peer, it compares the configuration again, with that of the active
controller (5508-A), and they now match, so no reboot is required.
March 10th, 2014
51
After confirming the XMLs, the unit is designated as standby, shown above at the top of
the screenshot.
After reaching the User: prompt, the 5508 is now fully booted. In the next section, we
will review the results in detail.
March 10th, 2014
52
Section 3.2 Confirm HA and SSO configuration via GUI and CLI
This section covers the screens in the GUI and commands in the CLI, used to view the
current High-Availability state.
We begin by accessing the GUI of the primary controller. To do so, we navigate to the
address below.
https://10.1.30.254
Now let us log in again with the username and password we configured.
March 10th, 2014
53
On the resulting MONITOR page, we can see that under Controller Summary, the
Redundancy Mode is now listed as SSO for both APs and Clients. This means that in
the event of a failover from the primary controller to the secondary, the currently
registered APs and client connections will be shifted almost seamlessly. This prevents
the need for both clients and APs, to re-register or reconnect to the now active
controller.
In order to review the configuration further, we will expand Redundancy on the left
hand of the page, and select Summary.
March 10th, 2014
54
On the resulting redundancy summary page, we can see a dashboard view of the
redundancy and SSO status.
Here, we can see that the current local state (this device) is active. Below that we can
see that the peer state (5508-B) is standby hot. The hot designation implies that
Stateful Switchover (SSO) is in effect. We also can look at the redundancy state, which is
SSO for both APs and Clients to confirm this.
The next major item displayed here is the Switchover History Table at the bottom in
blue. In the event of a failover or switchover, it will be displayed here, including the time
and a possible reason for the event.
Now that we have reviewed the primary units GUI, we will attempt to do the same for
the secondary unit.
https://10.1.30.253
March 10th, 2014
55
Here we can see that the secondary unit (Currently 5508-B) is unreachable via the GUI.
This is intentional and expected. When a unit becomes standby, it inherits the
configuration of the primary unit, and any configuration changes made to the primary
unit are mirrored to the secondary unit. With SSO, the APs mirror the tunnel built with
the active controller to the standby controller. All configuration changes after the
implementation of HA, are intended to be made through the primary unit. For this
reason, the standby units GUI is disabled.
Now in order to review the state of 5508-B, we access its console.
From the console, both before and after logging in, we see that this controller is
designated standby. In standby, many commands are disabled in the CLI. Let us now see
what is still available.
March 10th, 2014
56
Above, we can see that the list is short. Now let us review the High-Availability status.
show redundancy summary
Here we can see that at the top, SSO is enabled and the local state (5508-B) is standby
hot. The peer state (5508-A) is active and this unit is secondary HA SKU. This means that
5508-B has inherited the 62 AP licenses from 5508-A.
Now that we have reviewed the High-Availability with Stateful Switchover configuration,
it is time to test failover.
March 10th, 2014
57
Part 4: Test High-Availability with Stateful Switchover Failover

This Part will cover testing the failover capabilities and convergence time of the HighAvailability configuration, and manually restoring the failed unit to primary.
Section 3.2 Test Redundancy in the event of Active Controller Failure
In this section, we power off the primary controller and watch the secondary unit take
over, as well as note the convergence time of wireless clients.
We will begin by accessing the GUI of the primary controller. Below we have the
MONITOR page of 5508-A.
Here we can see that we currently have 4 access points registered with the controller.
Now let us reconnect the client to the corporate WLAN.

Cisco123
March 10th, 2014
58
From the desktop, we will connect to the Example-Corp WLAN.
March 10th, 2014
59
We enter the pre shared key.

Cisco123
Now we check to make sure we received an IP address, using the command below, in
the CMD prompt launched from the desktop.
ipconfig
March 10th, 2014
60
Above we can see the client successfully connected and received an address in the
10.1.20.0/24 address space.
Now we will start a streaming ping from this client workstation to the firewall in the vlan
5 internet edge network.
Ping 192.168.1.1 -t
March 10th, 2014
61
Now with this ping running and the controller GUI open, we will manually power off
5508-A to watch the failover process in real time.
I now power off 5508-A, and we can watch the client never loses a ping (Sometimes will
miss one or two), although the WLC GUI Monitor page stops refreshing.
March 10th, 2014
62
Almost immediately after 5508-A loses power, the message below is received on the
console of 5508-B.
In order to access the GUI of the now active controller, we will need to close the web
page and reopen it, as the https session has been lost.
When reconnecting to the active controller (now 5508-B), we will return to the same
address we used to connect to 5508-A. The reason for this is that with HA and SSO, the
secondary unit assumes the exact same configuration of the original unit, including IPs
as part of the transition.
March 10th, 2014
63
Again we receive the unsigned certificate warning message just as before.
On the following login page, we access the GUI just as before.
March 10th, 2014
64
Once logged into the WLC, we notice that the Monitor page looks just as it did moments
ago. This can be very deceiving. Note that as part of the configuration matching, even
the hostname is now the same (5508-A).
In order to know there was a failover, we need to navigate to Summary under

Redundancy.
March 10th, 2014
65
Here on the Redundancy Summery page, we can see that there is now an event under
Switchover History Table at the bottom.
Here we can find that the previously active controller (10.1.30.201 as they are referred
to by their redundancy management IPs as that is now the only differentiating factor as
far as configuration) was active, but now 10.1.30.202 aka 5508-B is the active controller.
The stated reason for the switchover is Active controller failed and the date and exact
time of the failure is listed to the right.
At this point, we have witnessed a successful switchover of clients and APs, almost
seamlessly in the event of a complete system failure (Power Loss) of the active
controller.
March 10th, 2014
66
Section 3.3 Test Manual Redundancy Switchover

This section will cover how to return the primary role to 5508-A, after it has regained
power and registered as the standby unit with 5508-B
In order to return 5508-A to active controller status, we must first power the device
back on, and allow it to register with the now active controller (5508-B). During the
process, we will watch the console of 5508-A as it boots and finds its peer.
The boot process begins as usual.
March 10th, 2014
67
At this point in the boot process, the unit looks for and finds its peer. It then takes the
standby role, as there is already an active unit (5508-B).
The unit now compares its configuration with that of the standby. After finding the
configurations do not match, this unit downloads the new XMLs and reboots.
March 10th, 2014
68
March 10th, 2014
69
Again the unit searches for its peer.
Again the controller finds its peer and takes the standby role.
This time the unit finds the XMLs match and continues the boot process.
March 10th, 2014
70
The controller completes the process and reaches the user prompt.
March 10th, 2014
71
In order to initiate a switchover, we will need to access the console of active controller
(5508-B) and issue the command below, to do so.
redundancy force-switchover
Above we can see that the system asks to save the configuration.
Once confirmed, the configuration is saved to flash.
Immediately after saving the configuration, the controller reboots.
March 10th, 2014
72
March 10th, 2014
73
At this point in the boot process, the controller looks for its peer.
The controller finds its peer and determines its role.
As commanded, the unit takes the standby role.
The controller now compares and finds the configuration matches, proceeding with the
boot process.
March 10th, 2014
74
And again, the process completes when the console reaches the user prompt.
Now we will return to the active controllers GUI. Again, we need to close the window
and reopen another.
March 10th, 2014
75
From the MONITOR page, we navigate to summary under redundancy.
On the resulting page, we can see there are now two items listed in the Switchover
History Table. The new item on the bottom shows that the switchover was user
initiated, as expected.
March 10th, 2014
76
At this point, we have completed our configuration and testing. High-Availability with
Stateful Switchover (SSO) has been configured and tested in both directions.
March 10th, 2014
77
Appendix A: Final Device Configurations

Cisco 3850-A Final Device Configuration
!
! Last configuration change at 01:03:05 UTC Sun Mar 2 2014 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 3850-Switch-A
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
username admin privilege 15 password 0 cisco123
no aaa new-model
switch 1 provision ws-c3850-24p
ip routing
!
!
!
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-1481846860
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1481846860
revocation-check none
rsakeypair TP-self-signed-1481846860
March 10th, 2014
78
!
!
crypto pki certificate chain TP-self-signed-1481846860
certificate self-signed 02
30820245 308201AE A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31343831 38343638 3630301E 170D3134 30333031 32303437
31375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34383138
34363836 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A570 200F5D58 2E34B152 119EC8A4 B39AF748 1141EE93 5ED5C245 0904BA25
A0C83EB1 97E5766B B8C28B07 03A5BB3D 941B772F C86951E0 1984C8E0 C257BD29
93505FA5 CA6E4618 0918D887 0764879F 285D2EC8 69323BA9 87EDF5FA 7DDF706A
F97DBD64 9618287C BCE62C9B 0998434F E759430E 3E42B499 DB10370C 8C757530
21CF0203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
551D1104 11300F82 0D333835 302D5377 69746368 2D41301F 0603551D 23041830
1680141E F4E30FB0 1DCB9DE8 009B2867 480CB559 AD12A230 1D060355 1D0E0416
04141EF4 E30FB01D CB9DE800 9B286748 0CB559AD 12A2300D 06092A86 4886F70D
01010405 00038181 0053F432 9EE2C515 82175F9C 0B12C287 12B3BEB9 FADA93F5
6E4177C0 1EC3C46A 4E537144 27CAE4AD 91CD63E2 BF272806 CA62C362 94474459
3D7E4F43 F441065E 5DA53A0C 74084F33 EACACFD9 18A8E4B5 4792E5EE AEF2E6C9
05EEBD1A 75750B6B 11CC7AD1 007BF78E AD43A5AD 5D8D21FC 274971B9 44D039BC
B14074A2 833AC3BC 4A
quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
!
!
!
March 10th, 2014
79
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
negotiation auto
!
interface GigabitEthernet1/0/1
!
switchport trunk allowed vlan 2-4
switchport mode trunk
!
!
!
!
!
!
!
!
!
March 10th, 2014
80
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface TenGigabitEthernet1/1/1
!
March 10th, 2014
81
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 10.1.20.1 255.255.255.0
ip helper-address 10.1.40.200
!
interface Vlan3
ip address 10.1.30.1 255.255.255.0
ip helper-address 10.1.40.200
!
interface Vlan4
ip address 10.1.40.1 255.255.255.0
!
interface Vlan5
ip address 192.168.1.254 255.255.255.0
!
ip default-gateway 192.168.1.1
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
!
!
!
!
line con 0
session-timeout 999
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 900
logging synchronous
March 10th, 2014
82
login local
line vty 5 15
session-timeout 900
logging synchronous
login local
!
wsma agent exec
profile httplistener
profile httpslistener
wsma agent config
wsma agent filesys
wsma agent notify
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
ap dot11 24ghz rrm channel dca add 1
ap group default-group
end
Cisco 3850-B Final Device Configuration
March 10th, 2014
83
!
! Last configuration change at 12:03:02 UTC Fri Mar 7 2014 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname 3850-Switch-B
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
!
username admin privilege 15 password 0 cisco123
no aaa new-model
switch 1 provision ws-c3850-24p
ip routing
!
!
!
qos wireless-default-untrust
!
crypto pki trustpoint TP-self-signed-3436934103
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3436934103
revocation-check none
rsakeypair TP-self-signed-3436934103
!
!
crypto pki certificate chain TP-self-signed-3436934103
certificate self-signed 02
30820245 308201AE A0030201 02020102 300D0609 2A864886 F70D0101 04050030
March 10th, 2014
84
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343336 39333431 3033301E 170D3134 30333037 31313231
30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333639
33343130 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AA99 E72F38C5 BD01EDB6 D6F06A74 7C2B48B0 6063F8D7 F0143789 E3FE07EE
D56E22EE FB6F8EDB D30C5B7C 169E3F31 71FD0E53 A7A2E697 C390F10B 68BFB673
1335BD50 564148BA 5CB7C2A2 DCBAD460 229A176A D22BD128 5DDABE84
6411A510
E7F35D9E 9A59CF57 22425326 4C3EC262 D02DAC09 47EE95BD 8ABB817C 8FB0031E
AC6F0203 010001A3 6D306B30 0F060355 1D130101 FF040530 030101FF 30180603
551D1104 11300F82 0D333835 302D5377 69746368 2D42301F 0603551D 23041830
16801437 70450336 2D8E2C46 0577B956 73327CE6 EDD8F030 1D060355 1D0E0416
04143770 4503362D 8E2C4605 77B95673 327CE6ED D8F0300D 06092A86 4886F70D
01010405 00038181 00190279 E835A80D 8F2B52E4 BB642DE9 2B904A38 A8FEFC08
2868B208 BFC29F68 5F1AE7AC DF2D1B07 D534CC18 6F3487B9 C4E30135 C9C63CF7
26FF2CD5 97772E7D 35B9CA17 CC9CFF39 E38ECBAD D14AA560 403617E0 ACB120D2
04BE4B1E 3E73B224 434375FE 99B11883 6ADA9D61 7039FAE6 D78D0BFF 00F6D746
D87420B8 8545784B 9B
quit
!
!
!
!
!
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
mode sso
!
!
!
class-map match-any non-client-nrt-class
match non-client-nrt
!
!
!
!
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
no ip address
March 10th, 2014
85
negotiation auto
!
!
switchport trunk allowed vlan 2-4
switchport mode trunk
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
March 10th, 2014
86
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Vlan1
no ip address
shutdown
!
interface Vlan2
ip address 10.1.20.2 255.255.255.0
!
March 10th, 2014
87
interface Vlan3
ip address 10.1.30.2 255.255.255.0
!
interface Vlan4
ip address 10.1.40.2 255.255.255.0
!
ip default-gateway 10.1.40.1
no ip http server
ip http authentication local
ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.40.1
!
!
!
!
!
line con 0
session-timeout 999
logging synchronous
login local
stopbits 1
line aux 0
stopbits 1
line vty 0 4
session-timeout 900
logging synchronous
login local
line vty 5 15
session-timeout 900
logging synchronous
login local
!
wsma agent exec
wsma agent config
wsma agent filesys
wsma agent notify
March 10th, 2014
88
!
wsma profile listener httplistener
transport http
!
wsma profile listener httpslistener
transport https
ap group default-group
end
Cisco 5508-A Final Device Configuration
!
config 802.11a cac voice sip bandwidth 64 sample-interval 20
config 802.11a cac voice sip codec g711 sample-interval 20
config advanced probe limit 2 500
config advanced 802.11a channel add 36
config advanced probe-limit 2 500
config advanced 802.11b channel add 1
March 10th, 2014
89
config country US
config switchconfig strong-pwd lockout attempts mgmtuser 3
config switchconfig strong-pwd lockout time mgmtuser 5
config interface port management 1
config interface address management 10.1.30.254 255.255.255.0 10.1.30.1
config interface address virtual 1.1.1.1
config interface port corporate 7
config interface address dynamic-interface corporate 10.1.20.254 255.255.255.0
10.1.20.1
config interface dhcp management primary 10.1.40.200
config interface dhcp service-port enable
config interface create corporate 0
config interface dhcp dynamic-interface corporate primary 10.1.40.200
config interface vlan corporate 0
config license boot base
config time ntp interval 5400
config time ntp server 1 206.246.122.250
config time timezone location 8
config wlan broadcast-ssid enable 1
config wlan wmm allow 1
config wlan exclusionlist 1 60
config wlan interface 1 corporate
config wlan mfp client enable 1
config wlan create 1 Example-Corp Example-Corp
config wlan session-timeout 1 1800
config wlan security wpa akm psk set-key hex encrypt 1
9feedb82de8b56de6b2ad2f6d3353593 35ba68e372e507606cf645dec83c0f3119739ea5
48
ce3011918b51cef71b35bc07d767f1422fe59cba6bcde85a8e0d5885cad8ad45ce4d7abae
d36ed6f35b293a4d7c46451000000000000000000000001000000004892e4c800000000
139822900000000010c827640000000010c8190c000000004892e4c0000000000000001
100000000139822900000000010c842a000000000139822900000000010c84c08000000
00 1
config wlan security wpa akm psk enable 1
config wlan security wpa akm 802.1x disable 1
config wlan security wpa enable 1
config wlan security web-auth server-precedence 1 local radius ldap
config wlan security wapi akm psk set-key hex encrypt 1
9feedb82de8b56de6b2ad2f6d3353593 35ba68e372e507606cf645dec83c0f3119739ea5
48
ce3011918b51cef71b35bc07d767f1422fe59cba6bcde85a8e0d5885cad8ad45ce4d7abae
d36ed6f35b293a4d7c46451000000000000000000000001000000004892e4c800000000
March 10th, 2014
90
139822900000000010c827640000000010c8190c000000004892e4c0000000000000001
100000000139822900000000010c842a000000000139822900000000010c84c08000000
00 1
config wlan enable 1
config mobility group domain Example
config certificate generate webadmin
config redundancy mobilitymac c4:71:fe:97:86:e0
config radius callstationidtype ipaddr
config network rf-network-name Example
config network multicast l2mcast disable service-port
config network multicast l2mcast disable virtual
config database size 2048
config 802.11b 11gsupport enable
config 802.11b cac voice sip bandwidth 64 sample-interval 20
config 802.11b cac voice sip codec g711 sample-interval 20
config ap packet-dump truncate 0
config ap packet-dump capture-time 10
config ap packet-dump buffer-size 2048
config mgmtuser add encrypt admin 1 b4bab9e80e7e8846841e157a0f8434c3
bea96787ca614f179382b3a74c0dee641a9734a6 16
3e8f0fcc7e5b34a0f8279c03e14cae8100000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000 read-write
config mdns profile service add default-mdns-profile AirPrint
config mdns profile service add default-mdns-profile AirTunes
config mdns profile service add default-mdns-profile AppleTV
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_1
config mdns profile service add default-mdns-profile HP_Photosmart_Printer_2
config mdns profile service add default-mdns-profile Printer
config mdns profile create default-mdns-profile
config mdns service origin all AirPrint
config mdns service query enable AirPrint
config mdns service create AirPrint _ipp._tcp.local. origin all lss disable query enable
config mdns service origin all AirTunes
config mdns service query enable AirTunes
config mdns service create AirTunes _raop._tcp.local. origin all lss disable query enable
config mdns service origin all AppleTV
config mdns service query enable AppleTV
config mdns service create AppleTV _airplay._tcp.local. origin all lss disable query enable
config mdns service origin all HP_Photosmart_Printer_1
config mdns service query enable HP_Photosmart_Printer_1
config mdns service create HP_Photosmart_Printer_1 _universal._sub._ipp._tcp.local.
origin all lss disable query enable
config mdns service origin all HP_Photosmart_Printer_2
config mdns service query enable HP_Photosmart_Printer_2
March 10th, 2014
91
config mdns service create HP_Photosmart_Printer_2 _cups._sub._ipp._tcp.local. origin
all lss disable query enable
config mdns service origin all Printer
config mdns service query enable Printer
config mdns service create Printer _printer._tcp.local. origin all lss disable query enable
config sysname 5508-A
transfer upload path /
transfer upload filename FCW1452L0CU-confg
transfer upload serverip 192.168.1.110
transfer upload datatype config
transfer download path /
transfer download filename FCW1452L0CU-confg
transfer download serverip 192.168.1.110
transfer download datatype config
March 10th, 2014

WLC 5508 HA With SSO - Setup Guide - V1.1

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

WLC 5508 HA With SSO - Setup Guide - V1.1

Enviado por

Direitos autorais:

Formatos disponíveis

Another offering from team MIDAS

March 10th, 2014