Cisco Mobility Express - HA Controller Configuration

Introduction

In my lab, there are 2 access points currently connected to the network: one AP-2802 acting as the Mobility Express Controller (which I will refer to as an "ME-Controller" from now on) and one AP-2702 acting as a regular access point (CAPWAP mode).

The software version being run in this deployment is 8.10.130.0.

We are now going to add another AP-2802 access point to the deployment and convert it to Mobility Express Controller mode, which means it will act as a backup Controller in case the first one fails.

Add the new Access Point to the deployment

Start by adding the access point you want to become an ME-Controller to your deployment as a regular ("subordinate") access point. Connect it to the network and let it download the correct image version via the currently active ME-Controller (do note that you must have a TFTP server with access point images reachable from your ME-Controller, or have your ME-Controller connected to Cisco.com for on-demand image downloading).

After receiving the correct image version, the new access point reboots and joins the deployment as a CAPWAP access point. If you are not sure how to set up a TFTP server for access point image distribution, please take a look at this article.

Optional: Change VRRP VRID of Mobility Express deployment

If you are sure you are not using VRRP on the same network as the access points are connected to, you can skip this configuration.

Virtual Router Redundancy Protocol, more commonly known as VRRP, is going to be the protocol used between the two (or more) designated access points configured for Mobility Express Controller mode. This allows the management IP address of the Mobility Controller to jump between different access points in case the current Mobility Express controller fails.

If you are already using VRRP in some other fashion on the same local network as your access points are deployed on, you might need to change the so-called VRID of the VRRP instance being run on the Mobility Express deployment. This is because the VRID is used to create a virtual MAC address that is tied to the management IP address (which is also “virtual”) and the MAC address will follow whichever access point is the current active Mobility Controller.

If you have two instances of VRRP running on the same IP network and using the same VRID, you are going to have a MAC address conflict and your network will break down.

The last part of the virtual MAC address is based on the Virtual Router ID, also called the VRID. By default, the VRID is set to "1", which creates the MAC address 00:00:5e:00:01:01 to be used together with your management IP address. You can SSH to the ME-Controller's IP address and use the command show mob-exp vrrp vrid to see the currently configured VRRP VRID, as seen below.

If needed, change the VRID using the command config mob-exp vrid <VRID>. In my case, I chose VRID 55, which creates the virtual MAC address 00:00:5e:00:01:37. This is because "55" converted to hexadecimal is "37", which you can see in the last octet of the virtual MAC address.
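To make the VRID-to-MAC relationship above concrete, here is a small Python helper, added for this article and not part of Cisco's software, that derives the VRRP IPv4 virtual MAC for a VRID and checks a list of MAC addresses observed on the segment (for example copied from a switch's MAC address table) for another VRRP group already using the same VRID. The observed MAC entries are constructed sample data; the only assumption about the format is the standard VRRP virtual MAC layout 00:00:5e:00:01:<VRID>.

```python
import re
from typing import List, Optional

# Standard IPv4 VRRP virtual MAC prefix; the last octet carries the VRID.
VRRP_IPV4_PREFIX = "00:00:5e:00:01"
VRRP_IPV4_PREFIX_HEX = "00005e0001"

# Constructed sample: MAC addresses seen on the access point VLAN, in Cisco
# dotted notation. The first one is an existing VRRP group with VRID 1
# (e.g. a router pair); the others are ordinary hosts.
OBSERVED_MACS = [
    "0000.5e00.0101",
    "3c08.f6aa.bbcc",
    "a0b1.c2d3.e4f5",
]


def vrrp_virtual_mac(vrid: int) -> str:
    """Return the IPv4 VRRP virtual MAC for a VRID in 1..255."""
    if not 1 <= vrid <= 255:
        raise ValueError(f"VRID must be in 1..255, got {vrid}")
    return f"{VRRP_IPV4_PREFIX}:{vrid:02x}"


def vrid_from_virtual_mac(mac: str) -> Optional[int]:
    """Return the VRID encoded in a VRRP IPv4 virtual MAC, or None if the
    address is not a VRRP virtual MAC. Accepts 00:00:5e:00:01:37,
    00-00-5e-00-01-37 or Cisco-style 0000.5e00.0137 notation."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12 or not hexdigits.startswith(VRRP_IPV4_PREFIX_HEX):
        return None
    return int(hexdigits[10:], 16)


def find_vrid_conflicts(candidate_vrid: int, observed_macs: List[str]) -> List[str]:
    """Return the observed MACs belonging to another VRRP group that already
    uses candidate_vrid; any hit means two groups would share one virtual MAC."""
    return [m for m in observed_macs if vrid_from_virtual_mac(m) == candidate_vrid]


def pick_free_vrid(observed_macs: List[str], preferred: int = 1) -> int:
    """Return `preferred` if no VRRP group on the segment uses it, otherwise
    the lowest unused VRID above it."""
    used = {v for v in (vrid_from_virtual_mac(m) for m in observed_macs) if v is not None}
    for vrid in range(preferred, 256):
        if vrid not in used:
            return vrid
    raise RuntimeError("no free VRID left on this segment")


if __name__ == "__main__":
    for vrid in (1, 55):
        clash = find_vrid_conflicts(vrid, OBSERVED_MACS)
        print(f"VRID {vrid:3d} -> {vrrp_virtual_mac(vrid)} conflicts: {clash or 'none'}")
    print("lowest free VRID:", pick_free_vrid(OBSERVED_MACS))
```

Run against the sample table, VRID 1 is reported as conflicting with the existing 0000.5e00.0101 entry while VRID 55 is free, which is exactly the situation that motivates changing the default VRID before the second ME Capable access point is brought online.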

Change Access Point to Mobility Express mode (GUI)

Log into the management web-GUI of your ME-Controller. In my case, it’s 192.168.1.210, with IP address 192.168.1.209 being the access point portion of the hardware in this AP-2802 (AP-01).

Navigate to Wireless Settings > Access Points to see all of the access points currently connected in your deployment. The Type of the access point you want to convert to Mobility Express should currently say CAPWAP. To change the Type to ME Capable, check the box next to the access point you want to convert to controller mode and then click Convert to ME.

Click Yes to the pop-up question that follows.

Change Access Point to Mobility Express mode (CLI)

If you instead want to use CLI to convert the access point to Mobility Express mode, either use the console port or SSH to access the CLI. You can set up SSH access to all access points connected to a Mobility Express deployment under Wireless Settings > Access Points > Global AP Configuration or by using the command below on the current active ME-Controller.

(Cisco Controller) > config ap ssh enable all
(Cisco Controller) > config ap mgmtuser add username <myAdmin> password <password> secret <Enable> all

After accessing the CLI of the access point, use the command below to convert it to Mobility Express mode.

AP-02# ap-type mobility-express
Changing AP Type to Mobility Express
AP-02#

Converting the AP from one Type to another takes a few minutes, as the access point has to reboot. After AP-02 is back online, its Type should be ME Capable, which is the same Type as our currently active ME-Controller.

Additional Settings

When an active ME-Controller goes offline, there are two ways for the deployment to select who will become the new active ME Controller:

  • You can select an access point to be the so-called Preferred Master, which means it will assume the ME-Controller mode in case something happens to the original active ME-Controller (Option 1).

  • The other way to select a new ME-Controller in case of a controller failure is to let the ME Capable access points decide it among themselves. There is a hardcoded logic to this election process which you can read more about down below (Option 2).

Option 1) Configure a Preferred Master (GUI or CLI)

Click on the Edit button next to the access point, go to the General tab, and check Set as Preferred Master. You will need to save the configuration and restart your current ME-Controller for this to take effect.

Both before and after the restart you can see that the ME Capable access point has a grey icon added to it, which according to the legend above means that it is the Preferred Master.

The wording here is a bit strange, in my opinion, because it sounds like you are selecting the new ME Capable access point to primarily be in charge of this deployment, but if you do the configuration through CLI it is a bit clearer.

The equivalent command used in CLI is config ap next-preferred-master <AP-name>

The “next” portion of this command tells us that what is configured here is instead the next ME-Controller (or “Master AP”).

After running this command you will be told that you need to save the config and reload the currently active ME-Controller for this configuration to take effect. Before you do this, you can first use the show ap next-preferred-master command below to confirm your configuration.

Confirm configuration is synced to the new Mobility Express Controller

You can also confirm that the configuration of the currently active ME-Controller has been synced to the new ME Capable access point using the command show mob-exp config-sync status.

For some reason, the output of this show command seems to lack structure, to say the least, but you can work out what is going on. We can see that AP-02 has successfully received a copy of the configuration.

To my knowledge, there is no way to view this information using the management web-GUI.

It is now time to reboot the currently active ME-Controller, which you can do in the web-GUI under Advanced > Controller Tools > Restart Controller or using the commands below.

(Cisco Controller) > save config
(Cisco Controller) > reset system

As soon as you enter reset system, your currently active ME-Controller reloads and the new ME Capable access point takes over the role of active ME-Controller. If you are watching the console output of the new ME Capable access point, you can see it launching controller mode and starting all the services needed. It took around 1 minute for the new ME-Controller to launch controller mode, and the web-GUI was up and running after that minute as well.

The regular CAPWAP access points in your deployment should keep serving connected clients during this time as if nothing has happened. Since you are a bit in the dark after a switchover because you don't have access to any ME-Controller for about a minute, it's good to know that currently connected clients are not affected.

Option 2) Let the Master Election process decide

If you do not wish to set a Preferred Master to take over in the event of an active ME-Controller failure, this is the election process for the access points to decide amongst themselves which one of the ME Capable access points should become the new active ME-Controller.

  1. Most Capable Access Point - simply put, the access point with the best hardware will be elected for the ME-Controller role. The order of preference (first to last) is: AP model 4800 > 3802 > 2802 > 1850 > 1830 > 1815

  2. Least Client Load - if there is a tie on Most Capable Access Point, the one with the fewest clients will be elected for the ME-Controller role.

  3. Lowest MAC Address - if the two criteria above fail to elect a new ME-Controller, the ME Capable access point with the lowest MAC address will be elected for the ME-Controller role. Since MAC addresses are unique per device (in general), this step should complete without issues.

Do note that the election process takes place 5 minutes after an active Mobility Controller has failed and when there is no Preferred Master configured. This means that for these 5 minutes you are going to be blind about what is going on with your wireless network. Once a new ME-Controller has been selected it will take another 1-2 minutes for that access point to launch the controller mode.
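The three-step election described above is easy to reason about when written as a single sort key. The following Python is an added illustration for this article, not Cisco's implementation: it ranks a constructed set of ME Capable access points by the model order the article gives, then by client count, then by lowest base MAC, and returns the access point that would win. Model names, MACs and client counts are made-up sample data.

```python
import re
from dataclasses import dataclass
from typing import List

# Capability ranking from the article, best hardware first.
MODEL_PREFERENCE = ["4800", "3802", "2802", "1850", "1830", "1815"]


@dataclass(frozen=True)
class MeCapableAp:
    name: str
    model: str    # model number as a string, e.g. "2802"
    clients: int  # clients currently associated to this access point
    mac: str      # base MAC of the access point


# Constructed sample fleet of ME Capable access points.
CANDIDATES = [
    MeCapableAp("AP-02", "2802", clients=12, mac="00:11:22:33:44:02"),
    MeCapableAp("AP-03", "2802", clients=3, mac="00:11:22:33:44:0a"),
    MeCapableAp("AP-04", "1850", clients=0, mac="00:11:22:33:44:01"),
    MeCapableAp("AP-05", "2802", clients=3, mac="00:11:22:33:44:05"),
]


def model_rank(model: str) -> int:
    """Position in the preference list; unknown models sort after all known ones."""
    try:
        return MODEL_PREFERENCE.index(model)
    except ValueError:
        return len(MODEL_PREFERENCE)


def mac_as_int(mac: str) -> int:
    """Numeric value of a MAC so 'lowest MAC' compares as a number, not a string."""
    return int(re.sub(r"[^0-9a-fA-F]", "", mac), 16)


def election_key(ap: MeCapableAp):
    """Step 1: most capable model; step 2: fewest clients; step 3: lowest MAC.
    Python compares the tuple element by element, so each step is only a
    tie-breaker for the one before it."""
    return (model_rank(ap.model), ap.clients, mac_as_int(ap.mac))


def election_order(candidates: List[MeCapableAp]) -> List[str]:
    """Names of the candidates from most to least likely to become ME-Controller."""
    return [ap.name for ap in sorted(candidates, key=election_key)]


def elect_master(candidates: List[MeCapableAp]) -> str:
    """Name of the access point the election would pick."""
    if not candidates:
        raise ValueError("no ME Capable access points to elect from")
    return min(candidates, key=election_key).name


if __name__ == "__main__":
    print("election order:", election_order(CANDIDATES))
    print("new ME-Controller:", elect_master(CANDIDATES))
```

In the sample fleet, AP-04 has no clients but loses on step 1 because an 1850 ranks below a 2802; AP-03 and AP-05 tie on model and client count, so the lowest MAC (AP-05) decides, and AP-02 falls behind them on client load.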