In the High Availability SSO configuration, there are two WLCs (Wireless LAN Controllers) at the site. Only one WLC is active at a time, and the other is in standby mode. All configuration can only be done on the active wireless controller, which shares a mirror copy with the standby wireless controller and the access points. In this mode, only minor fluctuation can happen at failover, so it is the most popular mode and satisfies the customer's requirements.

1. An HA pair can only be formed between controllers with the same hardware and software.
2. Minimum bandwidth should be 60 Mbps and MTU size 1500.
3. Redundancy port (RP) latency must be a maximum of 80 ms RTT.
4. If we use Dot1X as the authentication method, we need a RADIUS server that is reachable from the site.
5. Any DHCP, DNS, LDAP/AD, etc. servers in use should be reachable.

Management & High Availability SSO Deployment

First of all, at both local and remote locations, the IP address subnet should be the same. The WLC has two management options: in-band management and out-of-band (OOB) management. The OOB interface on a wireless controller is known as the Service Port, and the two IP subnets must be different. The suggested subnet for HA is 169.254.X.X/16, where the last two octets can be derived from the management interface IP address.
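The numbered requirements and the addressing rules above can be checked before the two controllers are paired. The following Python code is an added example, not part of the original article or of any Cisco tooling; `Controller`, `derive_rp_ip` and `check_ha_pair` are hypothetical names, and the models, versions and addresses are constructed sample values. It assumes the RP address reuses the last two octets of the management IP unchanged and that MTU 1500 is a minimum.

```python
import ipaddress
from dataclasses import dataclass

# Limits taken from the numbered requirements above.
MIN_BANDWIDTH_MBPS, MIN_MTU, MAX_RP_RTT_MS = 60, 1500, 80

@dataclass
class Controller:
    model: str
    software: str
    mgmt_if: str     # in-band management interface, CIDR notation
    service_if: str  # out-of-band service port, CIDR notation

def derive_rp_ip(mgmt_if):
    """Assumed derivation: reuse the last two management octets in 169.254.X.X."""
    octets = str(ipaddress.ip_interface(mgmt_if).ip).split(".")
    return f"169.254.{octets[2]}.{octets[3]}"

def check_ha_pair(a, b, bandwidth_mbps, mtu, rtt_ms):
    """Return the list of violated requirements (empty list = ready to pair)."""
    problems = []
    if a.model != b.model:
        problems.append("hardware model mismatch")
    if a.software != b.software:
        problems.append("software version mismatch")
    mgmt_a, mgmt_b = (ipaddress.ip_interface(c.mgmt_if) for c in (a, b))
    if mgmt_a.network != mgmt_b.network:
        problems.append("management subnets differ")
    for c in (a, b):
        svc = ipaddress.ip_interface(c.service_if).network
        if svc.overlaps(ipaddress.ip_interface(c.mgmt_if).network):
            problems.append(f"service port overlaps management subnet on {c.mgmt_if}")
    # Wide management subnets (e.g. /8) can give both peers the same last two octets.
    if derive_rp_ip(a.mgmt_if) == derive_rp_ip(b.mgmt_if):
        problems.append("derived RP addresses collide")
    if bandwidth_mbps < MIN_BANDWIDTH_MBPS:
        problems.append(f"bandwidth {bandwidth_mbps} Mbps < {MIN_BANDWIDTH_MBPS} Mbps")
    if mtu < MIN_MTU:
        problems.append(f"MTU {mtu} < {MIN_MTU}")
    if rtt_ms > MAX_RP_RTT_MS:
        problems.append(f"RP RTT {rtt_ms} ms > {MAX_RP_RTT_MS} ms")
    return problems

# Constructed sample values, not taken from a real deployment.
PRIMARY = Controller("C9800-40", "17.9.4", "10.10.20.11/24", "192.168.100.11/24")
STANDBY = Controller("C9800-40", "17.9.4", "10.10.20.12/24", "192.168.100.12/24")

if __name__ == "__main__":
    print(derive_rp_ip(PRIMARY.mgmt_if), derive_rp_ip(STANDBY.mgmt_if))
    print(check_ha_pair(PRIMARY, STANDBY, bandwidth_mbps=100, mtu=1500, rtt_ms=12) or "pair OK")
```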

There are two methods to configure HA on the WLC 9800 model:
1. Method 1: Single VSS switch (or stack/VSL pair/modular switch) with Redundancy port back-to-back connectivity.
2. Method 2: Single VSS switch (or stack/VSL pair/modular switch) with Redundancy port via upstream connectivity.

WLC (HA SSO) Terminology And Traffic Flow

With this SSO functionality, we have two WLCs of the same model at one site. In this scenario, we configure both WLCs in HA with SSO (Stateful Switchover), and the APs (Access Points) can be in either Local or FlexConnect mode; Local is preferred in this scenario. In this design, one WLC is active and the other is in standby mode. All configuration can only be made on the active WLC, and it syncs automatically to the secondary WLC.

To understand the wireless terminology and workflow, we must know all the connectivity and traffic flow: the CAPWAP (Control and Provisioning of Wireless Access Points) tunnel, switching (Local/Central), and the authentication (Local/Central) process. There is a logical CAPWAP tunnel between the WLC and the APs, and any user's authentication traffic and data traffic (in Local mode) flows via this tunnel. The WLC is responsible for redirecting the user's traffic to the appropriate servers or destinations.

In the authentication scenario, we can use Central Authentication (if there is a RADIUS server in the environment, we can use 802.1X for user authentication). All APs will be in Local mode, so authentication and user data traffic will flow through the WLC. Users send authentication requests to the WLC, and the WLC redirects the traffic to the appropriate RADIUS server for authentication.

Failover/Switchover Functionality

When the Active WLC fails over, the Standby WLC, which already has all configuration synchronized, becomes Active and handles users' authentication requests. The big advantage of this scenario is that there is very minimal fluctuation at the time of failover. During the failover, AP joins, client association, authentication, and sessions continue.

We can manually perform the failover by executing the redundancy force-switchover command. This command initiates a graceful switchover of the WLC from Active to Standby.

A wireless solution in HA SSO mode is extremely popular, and its big advantage is that the failover time for users' traffic is very minimal. This is possible because every new configuration is mirrored and auto-synced to the standby WLC. A wireless LAN controller configuration in HA (SSO) is quite easy to design, configure and manage. There are many other methods to deploy a wireless solution, and for that, we have our engineers at Zindagi Technology; call us on +919773973971.

Brijesh Yadav
Network Consultant Engineer