RRM (Radio Resource Management) Overview

The RRM feature is also known as Auto-RF or act as a built –in RF engineer in controller, uses the RF information gathered by the APs to make decisions on whether channel assignment or power levels need to be adjusted.

In other words: It uses the RF information gathered by the APs to make decisions on whether channel assignment or power levels need to be adjusted. Just because the RF environment has changed does not necessarily mean that the controller will change.

Before covering the intricacies of the RRM algorithm and RF grouping, following is a high-level overview of the basic workflow involved:

Step 1: The controllers and their APs use the configured RF group name to determine if other APs they hear are part of their RF group.

Step 2: The APs use neighbor messages (sent every 60 seconds) that are authenticated by other APs that hear them. The neighbor messages include information about the AP, the controller, and the configured RF group name.

Step 3: The APs that hear the neighbor message of another AP authenticate that message using the RF group name and pass it to their respective controller.

Step 4: The controllers use this information to determine what other controllers should be in their RF group, and then form logical groups to share the RF information from their respective APs, and elect an RF group leader.

Step 5: The RF group leader runs the RRM algorithm against the RF information from all the APs in the RF group. Depending on the outcome, a power level or channel change for an AP or group of APs might take place.

To know more details about RRM, check this previous post:

https://rscciew.wordpress.com/2013/12/04/radio-resource-management/

Also don’t forget to see these YouTube video by Jerome Henry:

  1. http://www.youtube.com/watch?v=gwCxVwmHnRw – describes RRM principles
  2. http://www.youtube.com/watch?v=XhmnXeeLQBc – goes deeper into RRM and provides useful information if you are to take a Cisco exam on Wireless related topics! 🙂
  3. http://www.youtube.com/watch?v=3EnvhxjzEWU – details how RRM controls the AP channel assignment with DCA (Dynamic Channel Assignment).
  4. http://www.youtube.com/watch?v=32YWzuXTg5M – explains how RRM dynamically reduces AP power with TPC (Transmit Power Control)
  5. http://www.youtube.com/watch?v=yot63RsKOCg – explains how the Radio Coverage Detection Algorithm works.

RRM feature enables controllers to continually monitor their associated LAP for the following information:

  • Traffic load: The total bandwidth used for transmitting and receiving traffic. It enables wireless LAN managers to track and plan network growth ahead of client demand.
  • Interference: The amount of traffic coming from other 802.11 sources.
  • Noise: The amount of non-802.11 traffic that is interfering with the currently assigned channel.
  • Coverage: The received signal strength (RSSI) and signal-to-noise ratio (SNR) for all connected clients.
  • Other: The number of nearby access points.

RRM performs these functions:

  • Radio resource monitoring
  • Transmit power control
  • Dynamic channel assignment
  • Coverage hole detection and correction

In this post we will see the configuration guide of RRM on WLC.

Configure an RF Group Name

Via GUI:

First step to configure RRM is to ensure WLC has the RF Group Name configured. This can be done through the controller web interface. Go to Controller > General and then type a RF Group Name value.

RRM1

Via CLI:

Create an RF group by entering the config network rf-network-name name command:

(WLAN1) >config network rf-network-name mywlc

Configuring the RF Group Mode:

Via GUI

Go to Wireless > 802.11a/n or 802.11b/g/n > RRM > RF Grouping

RRM2

Via CLI:

config advanced {802.11a | 802.11b} group-mode {auto | leader| off | restart}

(WLAN1) >config advanced 802.11a group-mode ?
 auto           Sets the 802.11a RF group selection to automatic update mode.
 leader         Sets the 802.11a RF group selection to static mode, and sets this controller as the group leader.
 off            Sets the 802.11a RF group selection off.
 restart        Restarts the 802.11a RF group selection.
(WLAN1) >config advanced 802.11a group-mode auto

On this screen we can see the details of RF group

Group Mode: Auto (It can be static or we can disable it)

Group Role: Auto Leader or Static Leader

Group Update Interval: The group update interval value indicates how often the RF Grouping algorithm is run and it cannot be modified.

Group Leader: This field displays the IP Address of the WLC that is currently the RF Group Leader.

Last Group Update: The RF Grouping algorithm runs every 600 seconds (10 minutes). This field indicates the time (in seconds) since the algorithm last ran.

RRM3

*** A configured static leader cannot become a member of another controller until its mode is set to “auto”.

No we will change the Group mode on Controller”WLAN1” as leader.

RRM4

Add a controller as member:

RRM5

Via CLI:

Add a controller as a static member of the RF group (if the mode is set to “leader”) by entering this command:

config advanced {802.11a | 802.11b} group-mode {auto | leader| off | restart}

(WLAN1) >config advanced 802.11agroup-mode leader

config advanced 802.11a | 802. group-member add controller_name controller_ip_address

(WLAN1) >config advanced 802.11a | 802. group-member add WLAN2 10.35.80.3

To see RF grouping status

(WLAN1) >show advanced 802.11a group
 Radio RF Grouping
 802.11a Group Mode............................. STATIC
 802.11a Group Update Interval.................. 600 seconds
 802.11a Group Leader........................... WLAN1 (10.35.80.1)
 802.11a Group Member......................... WLAN1 (10.35.80.1)
 802.11a Group Member......................... WLAN2 (10.35.80.3)
 802.11a Last Run............................... 17 seconds ago
 * indicates member has not joined the group.
 (WLAN1) >

*** Same procedure for 802.11b network

***Info:

There are few things we must take care before forcing a WLC to be a RF leader:

  1. All WLC members must have the same mobility and RF group name.
  2. All WLCs AP must be in the range of each other.

In next post we will learn TPC, DCA and CHD.

Foreign Mapping/ Auto Anchor Mobility

In this post we will learn about how to configure the foreign mapping between 2 controllers.

Auto-Anchor mobility, also known as Foreign Mapping, allows us to configure users that are on different foreign controllers from different physical location to obtain IP addresses from a subnet or group of subnets based on their physical location.

  1. First of all Both controller must have added each other in its mobility list.
  2. Auto anchoring must have conifgured.

How to Configure Mobility

How to Configure Auto Anchoring

Steps to conifgure Foreign Maping on Anchor ControllerL

***Make sure that it is only configured on Anchor Controller or where we want to terminate the client to get IP address.

Step1: Select the WLANs tab.

Step2: Click the Blue drop down arrow for the WLAN(iN my case RSCCIEW) and choose Foreign-Maps.

Step3: The foreign mappings page appears. This page also lists the MAC addresses of the foreign controllers that are in the mobility group and interfaces which are created on Anchor WLC.

Step4: Select the desired foreign controller MAC(WLC2 in my case) and the interface(rscciew) to which it must be mapped and click on Add Mapping.

Anchor WLC configuration:

Foreignmap1

Foreignmap2

Foreignmap3

Foreignmap4

Verification:

Anchor WLC:

(WLC1) >show client  summary
 Number of Clients................................ 2
 GLAN/
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6  Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
 48:43:7c:8b:c3:92 192.168.10.3         N/A Associated     3    Yes  Mobile           13   No    No      Export Anchor
(WLC1) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 00:00:00:00:00:00
 AP Name.......................................... N/A
 AP radio slot Id................................. N/A
 Client State..................................... Associated
 Client User Group................................
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 3
 Wireless LAN Network Name (SSID)................. RSCCIEW
 Wireless LAN Profile Name........................ RSCCIEW
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 00:00:00:00:00:ff
 Connected For ................................... 133 secs
 Channel.......................................... N/A
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. 192.168.82.254
 Netmask.......................................... 255.255.255.0
 IPv6 Address..................................... fe80::
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Disabled
 Supported Rates..................................
 Mobility State................................... Export Anchor
 Mobility Foreign IP Address...................... 192.168.10.3
 Mobility Move Count.............................. 1
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500100000085546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... N/A
 Encryption Cipher................................ None
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ rscciew
 VLAN............................................. 82
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 82
 Local Bridging VLAN.............................. 10
 .
 .
 (WLC1) >

Foreign WLC:

(WLC2) >show client summary
 Number of Clients................................ 1
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6 Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------ ----------------
 48:43:7c:8b:c3:92 AP002             1   Associated     5    Yes  802.11n(5 GHz)   1    N/A   No     Export foreign
(WLC2) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 84:80:2d:c3:6c:d0
 AP Name.......................................... AP002
 AP radio slot Id................................. 1
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 5
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 84:80:2d:c3:6c:db
 Connected For ................................... 123 secs
 Channel.......................................... 64
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. Unknown
 Netmask.......................................... Unknown
 IPv6 Address..................................... fe80::
 Association Id................................... 2
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Enabled
 APSD ACs.......................................  BK  BE  VI  VO
 Power Save....................................... ON
 Current Rate..................................... m7
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Export Foreign
 Mobility Anchor IP Address....................... 192.168.10.1
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500300000073546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 10
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 10
 .
 .
 (WLC2) >

That’s all about Foreign Mapping 🙂

WGB Roaming

In this post we will try to understand how WGB scan the parent channels or try to roam from one parent to other. It is really important to implement roaming commands on WGB to keep the session alive.

Basic Info:

  • WGB is mobile device
  • Normally Companies uses WGB in Production and it’s mounted on forklift or on a cart with their device. Roaming is very critical part of it and it must be smooth otherwise it disconnects frequently and try to reconnect to other AP.
  • As roaming needs a change from the current AP to the next, there is a resultant disconnection or time without service. This disconnection can be small.
  • Roaming is needed WGB find an AP which has better signal then the current one, and it can continue to access the network infrastructure properly.
  • Too many roams can cause disconnections (it’s not acceptable in especially in production or may be in hospital), which affects access.
  • It is really important for a WGB, to have a good roaming algorithm with enough configuration capabilities to adapt to different RF environments and data needs.

Configure Roaming:

***By default it acts a normal client and it scans another parent after continuous 8 beacon loss.

But in case of WGB we have few other methods on top of this default setting.

Let’s see these in details:

Mobile station:

This commands mark the unit as Mobile to speed up roaming

WGB# conf t
WGB(config-if)#mobile station

When we enable this WGB scans for a new parent when the RSSI to its AP gets too poor or when it has too many retransmits. This makes that the WGB will roam. When the mobile station setting is disabled (the default setting) the workgroup bridge does not search for a new AP until it loses its current association.

Scanning Channels:

WGB(config-if)#mobile station scan 1 6 11

mobile station scan <set of channels> command  is used to invoke scanning to specified channels.

By default there is no limitation of channels that can be configured. When we run this command, the WGB only scans these channels.

In our case, we configured our WGB to only scan these channels, instead of scanning all channels.

***Mobile station only shows up when using the WGB role on the radio.

*** Make sure our WGB scan list matches our infrastructure channel list. If not, the WGB will not find our available APs.

RSSI Monitoring:

WGB(config-if)#mobile station period 4 threshold 70

WGB can have a pro-active signal scan for the current parent and start a new roaming process when the signal falls below an expected level.

This has two parameters:

  • A timer, which wakes up the check process every X seconds
  • RSSI level, which is used to start a roaming process if the current signal is bellow it.

Minimum Data Rate:

WGB(config-if)#mobile station minimum-rate 18.0

This command states that WGB must trigger a new roaming event, if the current data rate to parent is bellow a given value.

*** This is too aggressive, and normally, the only solution was to configure a single data rate both in WGB and on parent APs.

By using this command, the new roaming process is only starts when the current rate is lower than the 18Mb/s. This reduces unnecessary roaming.

CCX Neighbors:

WGB(config-if)#mobile station ignore neighbor-list

Normally when WGB scan the channels, it prepares the list of available APs. This is a CCX mechanism by which the WGB can transmit to its AP the details of the others APs the WGB heard. But if we configured WGB for only specific channels scanning then it does not need to process the CCX reports to update its known channel list.

*** We use the mobile station ignore neighbor-list command to disable processing of CCX neighbor list reports

Packet retries:

WGB(config-if)#packet retries 128

By default, the WGB re-transmits a frame 64 times. (1- 128 range can be configured)

If it is not acknowledged by a parent AP then it starts roaming process.

Drop-Packet:

If after 128 tries WGB don’t find any ACK from parent AP then WGB starts a roaming. But when parent is present, the WGB does not start new roaming and uses other triggers, such as beacon loss and signal.

So the complete command is:

WGB(config-if)#packet retries 128 drop-packet

*** This command must be configured on both side(on WGB as well as on Parent AP under radio interface).

WGB(config-if)#mobile ?
 station  Mark the unit as mobile to speed up roaming
WGB(config-if)#mobile station ?
 ignore        ignore CCX reports
 minimum-rate  Minimum rate below which the AP is rejected
 period        Minimum time between scans when the connection deteriorates
 scan          Scan the following channels only
 <cr>
WGB(config)#int d0
WGB(config-if)#packet retries 128 drop-packet
RootAP#debug dot11 dot11radio 0 trace print uplink
RootAP#debug dot11 dot11radio 0 trace print rates
WGB(config-if)#
 *Mar  1 19:27:56.501: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
 *Mar  1 19:27:56.502: FAD9916A-0 Uplink: Stop
 *Mar  1 19:27:56.502: FAD991BA-0 Interface down
 *Mar  1 19:27:56.521: %LINK-3-UPDOWN: Interface Dot11Radio0, changed state to up
 *Mar  1 19:27:56.522: FAD9E7DA-0 Interface up
 *Mar  1 19:27:56.523: FAD9E82B-0 Uplink: Wait for driver to stop
 *Mar  1 19:27:56.523: FAD9E8A4-0 Uplink: Enabling active scan
 *Mar  1 19:27:56.523: FAD9E8B7-0 Uplink: Not busy, scan all channels
 *Mar  1 19:27:56.523: FAD9E8C7-0 Uplink: Scanning
 *Mar  1 19:27:56.584: FADAE016-0 Uplink: Rcvd response from 003a.9a3e.a380 channel 11 10283
 *Mar  1 19:27:56.589: FADAF3F1-0 Uplink: dot11_uplink_scan_done: rsnie_accept returns 0x0 key_mgmt 0xFAC01 encrypt_type 0x200
 *Mar  1 19:27:56.589: FADAF42C-0 Uplink: ssid RSCCIEW auth leap
 *Mar  1 19:27:56.589: FADAF43F-0 Uplink: try 003a.9a3e.a380, enc 200 key 3, priv 1, eap 11
 *Mar  1 19:27:56.590: FADAF45E-0 Uplink: Authenticating
 *Mar  1 19:27:56.599: FADB19F9-0 Uplink: Associating
 *Mar  1 19:27:56.608: FADB2EBC-0 3EA380 - Set rate:    54.0  54 Mbps ( 6C), Rssi 24 dBm
 *Mar  1 19:27:56.609: FADB3018-0 Uplink: EAP authenticating
 *Mar  1 19:27:56.668: %DOT11-4-UPLINK_ESTABLISHED: Interface Dot11Radio0, Associated To AP RootAP 003a.9a3e.a380 [LEAP WPAv2]
 *Mar  1 19:27:56.670: FADC277E-0 Uplink: Done

These are the other timers on WGB:

WGB(config)#workgroup-bridge timeouts ?
 assoc-response  Association Response time-out value
 auth-response   Authentication Response time-out value
 client-add      client-add time-out value
 eap-timeout     EAP Timeout value
 iapp-refresh    IAPP Refresh time-out value

Auto-Anchor Mobility / Guest Tunneling

In this post we will learn how to use Auto Anchoring feature.

In simple words, Auto-anchoring is when we anchor a WLAN to a particular controller in the mobility domain or group.

It can be used for load balancing & Security. We can force clients to be on a particular controller regardless of the controller they access the wireless network from.

**The most common example/use for auto-anchor is with guest networking.

Let’s go into detail:

With auto-anchor, regardless of which controller’s APs a client associates with, the client traffic is anchored to this one controller. Auto-anchoring is basically symmetric tunneling using a fixed anchor. When a client first associates with a controller on an anchored WLAN, a Local Session entry is created for the client. The controller sends out a Mobile Announce message to the mobility group.

When that message is not answered, the foreign controller contacts the configured anchor controller and creates a foreign session for the client in its database. The anchor controller then creates an Anchor session for the client.

All traffic to and from the client associated with an anchored WLAN passes through the anchor controller. This is known as a bidirectional tunnel because the foreign controller encapsulates the client packets in EtherOverIP and sends them to the anchor. The anchor de-encapsulates the packets and delivers them to the wired network. Packets destined for the client are encapsulated in the EtherOverIP tunnel by the anchor and sent to the foreign controller. The foreign controller de-encapsulates the packets and forwards them to the client.

Guideline before Auto-Anchor configuration:

  1. We must add controllers to the mobility group member list before we can designate them as mobility anchors for a WLAN. How to Add, Check this post: Mobility Configuration on WLC
  2. We can configure multiple controllers as mobility anchors for a WLAN.
  3. We must disable the WLAN before configuring mobility anchors for it.
  4. Auto-anchor mobility supports web authorization but does not support other Layer 3 security types.
  5. We must configure the WLANs on both the foreign controller and the anchor controller with mobility anchors. On the anchor controller, configure the anchor controller itself as a mobility anchor. On the foreign controller, configure the anchor as a mobility anchor.
  6. Auto-anchor mobility is not supported for use with DHCP option 82.
  7. When using the mobility failover features with a firewall, make sure that the following ports are open:
  • UDP 16666 for tunnel control traffic
  • IP Protocol 97 for user data traffic
  1. To check the connectivity and peer kee-palive timers, use these CLI commands :
  • mping peer-ip-address – used to test the Control Path between mobility peers
  • eping peer-ip-address – used to test the Data Path between mobility peers
  • show mobility summary – used to view mobility configuration and timers

How to configure Auto-anchoring

Our main aim is to force clients to be on a particular controller regardless of the controller they access the wireless network from. As per my Topology client connects to AP001 which is connected to WLC2 and traffic is tunneled back to WLC1, client must get IP from VLAN 192.

Autoanchor1

WLC2 (Foreign) Configuration:

Step1: Create a WLAN (In my example: RSCCIEW)

Step2: Assign to Management interface and choose the security to webauth.

Autoanchor2

Step3: Add WLC1 to its mobility list

Autoanchor3

Step4: Go to WLAN tab and assign the ANCHOR WLC.

Autoanchor4

In this case we assign the ANCHOR WLC to WLC1:

Autoanchor5

WLC1 (ANCHOR) Configuration:

Step1: Create the same WLAN as we did for WLC2 (Foreign)

Step2: Assign the interface (guest), except this everything should be same as WLC2.

Autoanchor6

Step3: Add WLC2 to its mobility list

Autoanchor7

Step4: Go to WLAN tab and assign the ANCHOR WLC.

Autoanchor8

In this case we will assign the ANCHOW WLC IP to local.

Autoanchor9

That’s all about configuration, Lets jump for verification:

From WLC2 (Foreign WLC)

Autoanchor10

From WLC1 (ANCHOR WLC) before webauth authentication.

Autoanchor11

Now create a Local net user for testing

Autoanchor12

From WLC1 (ANCHOR WLC) After webauth authentication.

Autoanchor13

Here are the complete logs from WLC1 CLI:

(WLC1) >debug client  54:26:96:3e:4b:ee
(WLC1) >*mmListen: Nov 07 10:05:04.763: 54:26:96:3e:4b:ee Adding mobile on Remote AP 00:00:00:00:00:00(0)
 *mmListen: Nov 07 10:05:04.763: 54:26:96:3e:4b:ee override for default ap group, marking intgrp NULL
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Re-applying interface policy for client
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee override from intf group to an intf for roamed client, removing intf group from mscb
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 192
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Re-applying interface policy for client
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Initializing policy
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Resetting web IPv4 acl from 255 to 255
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Resetting web IPv4 Flex acl from 65535 to 65535
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Stopping deletion of Mobile Station: (callerId: 53)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5761, Adding TMP rule
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
 type = Airespace AP - Learn IP address
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL ID = 255, IP
 *mmListen: Nov 07 10:05:04.765: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *mmListen: Nov 07 10:05:04.765: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee Sent an XID frame
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 13, encap 0xec05)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP (encap type 0xec05) mstype 3ff:ff:ff:ff:ff:ff
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selecting relay 1 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selected relay 1 - 192.168.80.1 (local address 192.168.99.1, gateway 192.168.99.254, VLAN 192, port 13)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP transmitting DHCP REQUEST (3)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 5, flags: 0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 192.168.99.1
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   requested ip: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selecting relay 2 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 192.168.99.1  VLAN: 192
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selected relay 2 - NONE (server address 0.0.0.0,local address 0.0.0.0, gateway 192.168.99.254, VLAN 192, port 13)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP setting server from ACK (server 192.168.80.1, yiaddr 192.168.99.5)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Static IP client associated to interface guest which can support client subnet.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) pemAdvanceState2 6671, Adding TMP rule
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Replacing Fast Path rule
 type = Airespace AP Client - ACL passthru
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Plumbing web-auth redirect rule due to user logout
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface guest.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface guest.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP transmitting DHCP ACK (5)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 0, flags: 0
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.99.5
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   server id: 1.1.1.1  rcvd server id: 192.168.80.1
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee 192.168.99.5 Added NPU entry of type 2, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee Sent an XID frame
 *ewmwebWebauth1: Nov 07 10:05:32.617: 54:26:96:3e:4b:ee Username entry (ttest) created for mobile, length = 5
 *ewmwebWebauth1: Nov 07 10:05:32.617: 54:26:96:3e:4b:ee Username entry (ttest) created in mscb for mobile, length = 5
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_REQD (8)
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee apfMsRunStateInc
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state WEBAUTH_NOL3SEC (14)
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee Session Timeout is 0 - not starting session timer for the mobile
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Reached PLUMBFASTPATH: from line 6559
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Replacing Fast Path rule
 type = Airespace AP Client
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL ID = 255, IPv6 ACL ID
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *pemReceiveTask: Nov 07 10:05:32.626: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:32.626: 54:26:96:3e:4b:ee 192.168.99.5 Added NPU entry of type 1, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:32.627: 54:26:96:3e:4b:ee Sending a gratuitous ARP for 192.168.99.5, VLAN Id 192

Here are the complete logs from WLC2 CLI:

(WLC2) >debug client  54:26:96:3e:4b:ee
(WLC2) >*pemReceiveTask: Nov 07 10:00:16.787: 54:26:96:3e:4b:ee 0.0.0.0 Removed NPU entry.
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Adding mobile on LWAPP AP 00:22:bd:98:3a:30(1)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Association received from mobile on AP 00:22:bd:98:3a:30
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Applying site-specific IPv6 override for station 54:26:96:3e:4b:ee - vapId 4, site 'default-group', interface 'management'
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Applying IPv6 Interface Policy for station 54:26:96:3e:4b:ee - vlan 80, interface id 0, interface 'management'
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Initializing policy
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:22:bd:98:3a:30 vapId 4 apVapId 4for this client
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Not Using WMM Compliance code qosCap 00
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:22:bd:98:3a:30 vapId 4 apVapId 4
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfMsAssoStateInc
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 54:26:96:3e:4b:ee on AP 00:22:bd:98:3a:30 from Idle to Associated
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Stopping deletion of Mobile Station: (callerId: 48)
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Sending Assoc Response to station on BSSID 00:22:bd:98:3a:30 (status 0) ApVapId 4 Slot 1
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 54:26:96:3e:4b:ee on AP 00:22:bd:98:3a:30 from Associated to Associated
 *DHCP Socket Task: Nov 07 10:04:31.722: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:31.723: 54:26:96:3e:4b:ee DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
 *DHCP Socket Task: Nov 07 10:04:33.461: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:33.461: 54:26:96:3e:4b:ee DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee apfMsRunStateInc
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4563
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Adding Fast Path rule
 type = Airespace AP Client
 on AP 00:22:bd:98:3a:30, slot 1, interface = 1, QOS = 0
 ACL Id = 255, Jumbo Frames = NO
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506  IPv6 Vlan = 80, IPv6 intf id = 0
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
 *pemReceiveTask: Nov 07 10:04:34.243: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Foreign role
 *pemReceiveTask: Nov 07 10:04:34.256: 54:26:96:3e:4b:ee 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP processing DHCP REQUEST (3)
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 1280, flags: 0
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP   requested ip: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP successfully bridged packet to EoIP tunnel
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP received op BOOTREPLY (2) (len 312,vlan 80, port 1, encap 0xec05)
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP processing DHCP ACK (5)
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 0, flags: 0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) DHCP Address Re-established
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface management.

Mobility Test between Controllers

In this post we will test the mobility ping between 2 controllers.

You can check here : How to Configure Mobility on WLC

Controllers in a mobility list communicate with each other by controlling information over a well-known UDP port and exchanging data traffic through an Ethernet-over-IP (EoIP) tunnel. Because UDP and EoIP are not reliable transport mechanisms, there is no guarantee that a mobility control packet or data packet will be delivered to a mobility peer. Mobility packets may be lost in transit due to a firewall filtering the UDP port or EoIP packets or due to routing issues.

We can test the mobility communication environment by performing mobility ping tests. These tests may be used to validate connectivity between members of a mobility group.

Two are two types of ping test:

Mobility ping over UDP: This test runs over mobility UDP port 16666. It tests whether the mobility control packet can be reached over the management interface.

Mobility ping over EoIP: This test runs over EoIP(Port 97). It tests the mobility data traffic over the management interface.

*** Only one mobility ping test per controller can be run at a given time.

These ping tests are not Internet Control Message Protocol (ICMP) based. The term “ping” is used to indicate an echo request and an echo reply message.

Check which WLCs are in mobility list:

(WLC1) >show mobility summary
 Symmetric Mobility Tunneling (current) .......... Enabled
 Symmetric Mobility Tunneling (after reboot) ..... Enabled
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Multicast Mode .................................. Disabled
 Mobility Domain ID for 802.11r................... 0x840e
 Mobility Keepalive Interval...................... 10
 Mobility Keepalive Count......................... 3
 Mobility Group Members Configured................ 2
 Mobility Control Message DSCP Value.............. 0
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up

 

To test the mobility UDP control packet communication between two controllers, enter this command: mping mobility_peer_IP_address

(WLC1) >mping 192.168.82.1
 Send count=3, Receive count=3 from 192.168.82.1
(WLC1) >

To test the mobility EoIP data packet communication between two controllers, enter this command: eping mobility_peer_IP_address

(WLC1) >eping 192.168.82.1
 Send count=3, Receive count=3 from 192.168.82.1
(WLC1) >

Layer 3- Inter Controller Roaming

In this post we will see how the Layer 3 Roaming( inter subnet controller) roaming works on Controller.

Here is my topology:

L3Inter1

WLC1: 10.99.80.1, AP001 is connected to it
WLC2: 10.99.82.1, AP002 is connected to it.

If the client roams between APs registered to different controllers and the client WLAN on the two controllers is on different subnets, then an inter-subnet roam, or Layer 3 mobility event, takes place. For example, if a client is on WLAN-X on Controller-1 using VLANx and the client roams to WLAN-X on Controller-2, but WLAN-X on controller-2 is using VLANy, then an inter-subnet roam for that client occurs.

Inter-subnet roaming is similar to inter-controller roaming in that the controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database. The database entry is copied to the new controller client database and marked with a “Foreign” entry in the new controller. The roam remains transparent to the wireless client, and the client maintains its original IP address.

In inter-subnet roaming, WLANs on both anchor and foreign controllers need to have the same network access privileges and no source-based routing or source-based firewalls in place. Otherwise, the clients may have network connectivity issues after the handoff.

Or

When the client roams between them, the controllers still exchange mobility messages, but they handle the client database entry in a completely different manner. The original controller marks the client entry as Anchor, whereas the new controller marks the client entry as Foreign. The two controllers are now referred to as anchor and foreign, respectively. The client has no knowledge of this and retains its original IP address on the new controller. Traffic flow to and from the client on the network becomes asymmetrical. Traffic from the client is bridged directly to the wired network by the foreign controller. The foreign controller spoofs the IP and MAC address of the client. Traffic from the wired network to the client, however, is received by the original controller and sent to the new controller through an Ethernet over IP (EtherIP) tunnel to the new controller. The new controller then passes that traffic to the client.

If the client roams back to the original controller, the Anchor and Foreign markings are removed and the client database entry is deleted from the foreign controller. If the client should roam to a different foreign controller, the original anchor controller is maintained, and the foreign client entry is transferred to the new foreign controller.

First my client is already connected to AP001.

See the summary:

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP001          Associated    8              Yes  802.11a          1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... ab:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:22:bd:98:3a:38
 Connected For ................................... 22 secs
 Channel.......................................... 36
 IP Address....................................... 10.99.81.40
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intanchor
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 .
 (WLC1) >

Now to remove the client form WLC1, I will reset the AP001 because we want to see if client can roam to AP002 or not with keeping the same IP.

*** But make sure that WLC must have Anchor-Foreign setup.

L3Inter2

So now our client moved to AP002.

***It is important to remember that a Layer 3 mobility event occurs only when the interface assigned to the WLAN between the controllers is not the same. Whether or not the management interfaces of each controller are in the same subnet has no bearing on a client Layer 3 roaming event.

In a Layer 3 roaming scenario, traffic returning to the wireless client goes through the anchor WLC. The anchor WLC establishes an Ethernet-over-IP (EoIP) tunnel to forward client traffic to the foreign WLC where it is then delivered to the client. All traffic originated by the client is forwarded out the corresponding VLAN interface to which the WLAN is mapped to at foreign WLC. The client’s original IP address and default gateway IP (MAC) address remain the same. All traffic, other than that which is destined for the local subnet, is forwarded to the default router where the foreign WLC substitutes the client’s default gateway MAC address with the MAC address of the default gateway associated with dynamic interface/VLAN at the foreign controller.

The following occurs when a client roams across a Layer 3 boundary:

  1. The client begins with a connection to AP001 on WLC 1.
  2. This creates an ANCHORentry in WLC 1’s client database.
  3. As the client moves away from AP001 and begins association with AP002, WLC 2 sends a mobility announcement to its peers in the mobility group looking for the WLC with information for the client MAC address.
  4. WLC 1 responds to the announcement, handshakes, and ACKs.
  5. The client database entry for the roaming client is copied to WLC 2, and marked as FOREIGN.
  6. A simple key exchange is made between the client and AP, the client is added to WLC 2’s database, which is similar to the anchor controller’s entry, except that the client entry is marked as FOREIGN.
  7. Data being sent to the WLAN client is now EoIP tunneled from the anchor WLC to the foreign WLC.
  8. Data sent by the WLAN client is sent out a local interface VLAN at the foreign controller.

***It is important to remember that a Layer 3 mobility event occurs only when the interface assigned to the WLAN between the controllers is not the same. Whether or not the management interfaces of each controller are in the same subnet has no bearing on a client Layer 3 roaming event

Once client moved, we see entry in WLC1 & marked as “Anchor”

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee 10.99.82.1        Associated    8              Yes  Mobile           1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:00:00:00:00:00
 AP Name.......................................... N/A
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:00:00:00:00:07
 Connected For ................................... 140 secs
 Channel.......................................... N/A
 IP Address....................................... 10.99.81.40
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Anchor
 Mobility Foreign IP Address...................... 10.99.82.1
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intanchor
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC1) >

 

Check the client entry as Foreign on WLC2:

(WLC2) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP002            Associated    8              Yes  802.11g          1    N/A
(WLC2) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:3a:99:14:13:70
 AP Name.......................................... AP002
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:3a:99:14:13:77
 Connected For ................................... 8 secs
 Channel.......................................... 1
 IP Address....................................... 10.99.81.40
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Foreign
 Mobility Anchor IP Address....................... 10.99.80.1
 Mobility Move Count.............................. 1
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intforeign
 VLAN............................................. 84
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC2) >

 Basic Workflow for Inter Subnet Roaming:

L3 - Inter Controller Roaming

L3Inter3

Asymmetric Tunneling

 To know more about handoff we must see the logs from both WLC:

 Handoff logs from WLC1:

(WLC1) > debug mobility handoff enable
 (WLC1) >*mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee Mobility packet received from:
 *mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 25  seq: 101  len 116 flags 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 0.0.0.0, instance: 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   VLAN IP: 10.99.84.3, netmask: 255.255.255.0
 *mmListen: Jul 09 09:21:21.316: Switch IP: 10.99.82.1
 *mmListen: Jul 09 09:21:21.316: Vlan List payload not found, ignoring ...
 *mmListen: Jul 09 09:21:21.316: IP Address don't compare for client ab:26:96:3e:4b:ee is 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Handoff as Local, Client IP: 10.99.81.40 Anchor IP: 10.99.80.1
 *mmListen: Jul 09 09:21:21.316: Anchor Mac : 00.21.d8.fa.66.00
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Mobility packet sent to:
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 25  seq: 132  len 546 flags 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 10.99.81.40, instance: 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   VLAN IP: 10.99.81.1, netmask: 255.255.255.0
 *apfReceiveTask: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Local to Anchor Peer = 10.99.82.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
 *apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) Plumbing duplex mobility tunnel to 10.99.82.1 as Anchor (VLAN 81)
 *apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff Indication (2), reason Client handoff successful - anchor released (1), PEM State RUN, Role Anchor(2)

Handoff logs from WLC2:

(WLC2) >debug mobility handoff enable
 (WLC2) >*Dot1x_NW_MsgTask_0: Jul 09 09:39:02.572: ab:26:96:3e:4b:ee Mobility query, PEM State: L2AUTHCOMPLETE
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee Mobility packet sent to:
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 22  seq: 89  len 116 flags 0
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 0.0.0.0, instance: 0
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.574: ab:26:96:3e:4b:ee   VLAN IP: 10.99.84.3, netmask: 255.255.255.0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee Mobility packet received from:
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 22  seq: 118  len 546 flags 0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 10.99.81.40, instance: 0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   VLAN IP: 10.99.81.1, netmask: 255.255.255.0
 *mmListen: Jul 09 09:39:02.575: Switch IP: 10.99.80.1
 *mmListen: Jul 09 09:39:02.575: Mobility handoff, NAC State Payload [ Client's NAC OOB State : Access, Quarantine VLAN :0, Access VLAN : 81 ]
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee Mobility handoff for client:Ip: 10.99.81.40 Anchor IP: 10.99.80.1, Peer IP: 10.99.80.1
 *apfReceiveTask: Jul 09 09:39:02.579: ab:26:96:3e:4b:ee Handoff confirm: Pre Handoff PEM State: RUN
 *apfReceiveTask: Jul 09 09:39:02.579: ab:26:96:3e:4b:ee   Pem State update: RUN(20), VAP Security mask 40004000,        IPsec len: 0, ACL Name: ''
 *apfReceiveTask: Jul 09 09:39:02.581: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Unassociated to Foreign Peer = 10.99.80.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) Plumbing duplex mobility tunnel to 10.99.80.1 as Foreign, (VLAN 84)
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee Configured Anchor for mobile ab:26:96:3e:4b:ee. Sending Igmp query
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff (1), reason Handoff success (0), PEM State RUN, Role Foreign(3)
 *bcastReceiveTask: Jul 09 09:39:02.598: Sending IGMP query First Time to 00:3a:99:14:13:70 ap for mgid 5
 *bcastReceiveTask: Jul 09 09:39:02.598: Entry for ap  00:3a:99:14:13:70, IGMP query packet not queued for mgid 5... Enquing the Query packet...
 *bcastReceiveTask: Jul 09 09:39:03.456: Sending IGMP query to 00:3a:99:14:13:70 ap for mgid 5, Query count: 2
 *bcastReceiveTask: Jul 09 09:39:04.456: Sending IGMP query to 00:3a:99:14:13:70 ap for mgid 5, Query count: 1

Layer2- Inter Controller Roaming

In this post we will see the roaming between inter controllers.

Inter-controller roaming occurs when a client roams between two APs registered to two different controllers, where each controller has an interface in the client subnet. When a client roams between controllers on the same subnet, the controllers exchange mobility messages, and the client database entry is transferred from the original controller to the new controller. Client traffic then flows through the new controller on to the network just like it did on the original controller.

My Topology

L2Inter1

Basic Workflow of inter controller roaming:

L2 - Inter Controller Roaming

L2Inter2

My client already connected to WLC1: See the output from WLC1

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP001             Associated    8              Yes   802.11a          1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:22:bd:98:3a:38
 Connected For ................................... 12 secs
 Channel.......................................... 36
 IP Address....................................... 10.99.81.22
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ interwlc
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 .
 (WLC1) >
  

Now I will reset AP001 to disconnect my client forcefully to check the roaming.

Go to Wireless > All AP and then click on AP001 > Reset AP Now.

L2Inter3

Once AP001 will reset after that our client will roam to another AP(AP002).

See the logs for client which moved to WLC2.

(WLC2) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP002             Associated    8              Yes  802.11g          1    N/A
(99CWLAN2) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:3a:99:14:13:70
 AP Name.......................................... AP002
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:3a:99:14:13:77
 Connected For ................................... 21 secs
 Channel.......................................... 1
 IP Address....................................... 10.99.81.22
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ interwlc
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC2) >