Upgrading Cisco WLC Code in HA

Step 1: Evaluate the image that you wish to put on the WLC

Look for the Cisco suggested image

For the deployments which are not particular about availing the most recent features, its always a safer approach to look for Cisco suggest image. This is generally depicted by having a “star” beside the image on CCO page.

https://software.cisco.com/download/home/281189496

Evaluate the release notes to determine the image that has the features you require

https://www.cisco.com/c/en/us/support/wireless/wireless-lan-controller-software/products-release-notes-list.html

Step 2: Evaluate the WLC code compatibility matrix

The WLAN infrastructure traditionally comprises of Cisco WLC, Prime, CMX and MSE (wIPS). Thus while planning to upgrade the WLC code, it quite essential to evaluate the code compatibility matrix as you may be required to consider upgrading these components as well.

The compatibility matrix could be found at:

https://www.cisco.com/c/en/us/td/docs/wireless/compatibility/matrix/compatibility-matrix.html

Step 3: Identity the upgrade path

When ever we are trying to upgrade the WLC image to the latest available code, identifying the upgrade path is quite essential. If the WLC is running a very older code, then it may be required to proceed with step upgrade by moving to the intermediate image and then the image of interest.

The current Cisco WLC code available at the time of writing is 8.8.x and in order to have this code the minimum code, the WLC should be running is 8.5.x

Step 4: Preliminary tasks before the schedule of code upgrade

a. Make sure no firewall policies are changed.

Evaluate if there has been any changes to the firewall policies. When a network is being deployed, people generally prefer allowing communication between infrastructure devices. Once the network matures, deployments generally prefer introducing stringent firewall rules allowing communication between only specific devices and on specific ports.

The unique part is, these firewall policies would not immediately be seen taking into effect for the already established TCP sessions between the network devices. The moment we reset these TCP sessions (in our case the reload of WLC resulting from code upgrade), the existing TCP session would go down and firewall rules to only allow specific communication kicks in. If the firewall rules misses to have any communication between the networking equipment then they would not be able to communicate.

Following link from Cisco give an elaborative list of port communication that needs to be taken into consideration: https://www.cisco.com/c/en/us/support/docs/wireless/5500-series-wireless-controllers/113344-cuwn-ppm.html#anc8

b. Download a suitable TFTP / FTP server

c. Get the configuration back up

d. Get the cli output of “show run-config”, “show ap summary” & “show client summary”

Helps evaluate the state of AP and client association pre & post WLC code upgrade

(WLC1) >show ap summary

Number of APs……………………………… 341

Global AP User Name………………………… admin

Global AP Dot1x User Name…………………… Not Configured

Global AP Dot1x EAP Method………………….. EAP-FAST

(WLC1) >show client summary

Number of Clients………………………….. 2380

Number of PMIPV6 Clients……………………. 0

Number of EoGRE Clients…………………….. 0

e. Get the cli output of “show nmsp subscription detail”

Helps identify WLC communication with CMX, MSE and CMX connector before code upgrade

Step 5 : Plan for downtime

The code upgrade procedure will have the WLC and APs to reload and thus the adequately planned time has to be evaluated.

The downtime would be dependent on the number of APs in the network.

Step 6 : WLC and AP pre-image download

WLC image pre-download

Issue the “show boot” on primary WLC to obtain the current status of Active and standby image currently available on the WLC

Active WLC:

(WLC1) >show boot

Primary Boot Image…………………………. 8.8.111.0 (default) (active)

Backup Boot Image………………………….. 8.7.106.0

Standby WLC:

(WLC1-Standby) >show boot

Primary Boot Image…………………………. 8.8.111.0 (default) (active)

Backup Boot Image………………………….. 8.7.106.0

While the WLCs are operating in box to box HA, the code on them cannot be upgraded separately.

The code has to be first uploaded on the primary which automatically gets pushed on to the standby. Once the active WLC is successfully upgraded, the active WLC executes all the upgrade scripts and transfers the entire image to the Standby WLC using the Redundant Port.

Standby WLC starts executing the upgrade scripts upon receiving the entire image on the active WLC.

Verification of WLC image pre-download

On the WLC is uploaded with the desired image of interest, cross check from the

(WLC1) >show boot

Primary Boot Image…………………………. 8.8.120.0 (default) (active)

Backup Boot Image………………………….. 8.8.111.0

(WLC1-Standby) >show boot

Primary Boot Image…………………………. 8.8.120.0 (default) (active)

Backup Boot Image………………………….. 8.8.111.0

Ap Image pre-download

Verify the status of AP image before initiating AP image pre-download

Initiate AP image pre-download

Verify the AP pre-downloaded image is reflected

Swap the Primary and Backup image on the AP

Issue the command “Config ap image swap all”.

Swapping of image on AP further reduces the downtime because of the following sequence during code upgrade process:

WLC will be rebooted to come up with the new image from flash (marked as primary)
During the course of APs failing to find the WLC for it under reload process, will also undergo a reload and comes up with the preloaded image.
Once the APs send the join request, WLC responds with the image version that the WLC is running.
The APs compares its running image with the image version the WLC has responded with.
If the image is same, the AP reloads and joins the controller.