Auto-Anchor Mobility / Guest Tunneling

In this post we will learn how to use the Auto-Anchor feature.

In simple words, Auto-anchoring is when we anchor a WLAN to a particular controller in the mobility domain or group.

It can be used for load balancing and security. We can force clients onto a particular controller regardless of which controller's APs they access the wireless network from.

The most common use for auto-anchor is guest networking.

Let’s go into detail:

With auto-anchor, regardless of which controller’s APs a client associates with, the client traffic is anchored to this one controller. Auto-anchoring is basically symmetric tunneling using a fixed anchor. When a client first associates with a controller on an anchored WLAN, a Local Session entry is created for the client. The controller sends out a Mobile Announce message to the mobility group.

When that message is not answered, the foreign controller contacts the configured anchor controller and creates a foreign session for the client in its database. The anchor controller then creates an Anchor session for the client.

All traffic to and from the client associated with an anchored WLAN passes through the anchor controller. This is known as a bidirectional tunnel because the foreign controller encapsulates the client packets in EtherOverIP and sends them to the anchor. The anchor de-encapsulates the packets and delivers them to the wired network. Packets destined for the client are encapsulated in the EtherOverIP tunnel by the anchor and sent to the foreign controller. The foreign controller de-encapsulates the packets and forwards them to the client.

Guidelines before Auto-Anchor configuration:

  1. We must add controllers to the mobility group member list before we can designate them as mobility anchors for a WLAN. For how to add them, check this post: Mobility Configuration on WLC
  2. We can configure multiple controllers as mobility anchors for a WLAN.
  3. We must disable the WLAN before configuring mobility anchors for it.
  4. Auto-anchor mobility supports web authorization but does not support other Layer 3 security types.
  5. We must configure the WLANs on both the foreign controller and the anchor controller with mobility anchors. On the anchor controller, configure the anchor controller itself as a mobility anchor. On the foreign controller, configure the anchor as a mobility anchor.
  6. Auto-anchor mobility is not supported for use with DHCP option 82.
  7. When using the mobility failover features with a firewall, make sure that the following ports are open:
  • UDP 16666 for tunnel control traffic
  • IP Protocol 97 for user data traffic
  8. To check the connectivity and peer keepalive timers, use these CLI commands:
  • mping peer-ip-address – used to test the control path between mobility peers
  • eping peer-ip-address – used to test the data path between mobility peers
  • show mobility summary – used to view the mobility configuration and timers

How to configure Auto-anchoring

Our main aim is to force clients onto a particular controller regardless of which controller they access the wireless network from. In my topology the client connects to AP001, which is joined to WLC2; its traffic is tunneled back to WLC1, and the client must get its IP address from VLAN 192.

[Figure: Autoanchor1]

WLC2 (Foreign) Configuration:

Step1: Create a WLAN (In my example: RSCCIEW)

Step2: Assign it to the management interface and set the Layer 3 security to web auth.

[Figure: Autoanchor2]

Step3: Add WLC1 to its mobility list

[Figure: Autoanchor3]

Step4: Go to WLAN tab and assign the ANCHOR WLC.

[Figure: Autoanchor4]

In this case we assign the ANCHOR WLC to WLC1:

[Figure: Autoanchor5]

WLC1 (ANCHOR) Configuration:

Step1: Create the same WLAN as we did for WLC2 (Foreign)

Step2: Assign the interface (guest); everything else should be the same as on WLC2.

[Figure: Autoanchor6]

Step3: Add WLC2 to its mobility list

[Figure: Autoanchor7]

Step4: Go to WLAN tab and assign the ANCHOR WLC.

[Figure: Autoanchor8]

In this case we set the ANCHOR WLC to local (WLC1 itself):

[Figure: Autoanchor9]

That's all for the configuration. Let's move on to verification:

From WLC2 (Foreign WLC)

[Figure: Autoanchor10]

From WLC1 (ANCHOR WLC) before webauth authentication.

[Figure: Autoanchor11]

Now create a Local net user for testing

[Figure: Autoanchor12]

From WLC1 (ANCHOR WLC) After webauth authentication.

[Figure: Autoanchor13]

Here are the complete logs from WLC1 CLI:

(WLC1) >debug client  54:26:96:3e:4b:ee
(WLC1) >*mmListen: Nov 07 10:05:04.763: 54:26:96:3e:4b:ee Adding mobile on Remote AP 00:00:00:00:00:00(0)
 *mmListen: Nov 07 10:05:04.763: 54:26:96:3e:4b:ee override for default ap group, marking intgrp NULL
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Re-applying interface policy for client
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee override from intf group to an intf for roamed client, removing intf group from mscb
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 192
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Re-applying interface policy for client
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Initializing policy
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Resetting web IPv4 acl from 255 to 255
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Resetting web IPv4 Flex acl from 65535 to 65535
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Stopping deletion of Mobile Station: (callerId: 53)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5761, Adding TMP rule
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
 type = Airespace AP - Learn IP address
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL ID = 255, IP
 *mmListen: Nov 07 10:05:04.765: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *mmListen: Nov 07 10:05:04.765: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee Sent an XID frame
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 13, encap 0xec05)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP (encap type 0xec05) mstype 3ff:ff:ff:ff:ff:ff
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selecting relay 1 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selected relay 1 - 192.168.80.1 (local address 192.168.99.1, gateway 192.168.99.254, VLAN 192, port 13)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP transmitting DHCP REQUEST (3)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 5, flags: 0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 192.168.99.1
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   requested ip: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selecting relay 2 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 192.168.99.1  VLAN: 192
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selected relay 2 - NONE (server address 0.0.0.0,local address 0.0.0.0, gateway 192.168.99.254, VLAN 192, port 13)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP setting server from ACK (server 192.168.80.1, yiaddr 192.168.99.5)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Static IP client associated to interface guest which can support client subnet.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) pemAdvanceState2 6671, Adding TMP rule
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Replacing Fast Path rule
 type = Airespace AP Client - ACL passthru
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Plumbing web-auth redirect rule due to user logout
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface guest.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface guest.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP transmitting DHCP ACK (5)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 0, flags: 0
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.99.5
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   server id: 1.1.1.1  rcvd server id: 192.168.80.1
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee 192.168.99.5 Added NPU entry of type 2, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee Sent an XID frame
 *ewmwebWebauth1: Nov 07 10:05:32.617: 54:26:96:3e:4b:ee Username entry (ttest) created for mobile, length = 5
 *ewmwebWebauth1: Nov 07 10:05:32.617: 54:26:96:3e:4b:ee Username entry (ttest) created in mscb for mobile, length = 5
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_REQD (8)
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee apfMsRunStateInc
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state WEBAUTH_NOL3SEC (14)
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee Session Timeout is 0 - not starting session timer for the mobile
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Reached PLUMBFASTPATH: from line 6559
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Replacing Fast Path rule
 type = Airespace AP Client
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL ID = 255, IPv6 ACL ID
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *pemReceiveTask: Nov 07 10:05:32.626: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:32.626: 54:26:96:3e:4b:ee 192.168.99.5 Added NPU entry of type 1, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:32.627: 54:26:96:3e:4b:ee Sending a gratuitous ARP for 192.168.99.5, VLAN Id 192

Here are the complete logs from WLC2 CLI:

(WLC2) >debug client  54:26:96:3e:4b:ee
(WLC2) >*pemReceiveTask: Nov 07 10:00:16.787: 54:26:96:3e:4b:ee 0.0.0.0 Removed NPU entry.
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Adding mobile on LWAPP AP 00:22:bd:98:3a:30(1)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Association received from mobile on AP 00:22:bd:98:3a:30
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Applying site-specific IPv6 override for station 54:26:96:3e:4b:ee - vapId 4, site 'default-group', interface 'management'
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Applying IPv6 Interface Policy for station 54:26:96:3e:4b:ee - vlan 80, interface id 0, interface 'management'
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Initializing policy
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:22:bd:98:3a:30 vapId 4 apVapId 4for this client
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Not Using WMM Compliance code qosCap 00
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:22:bd:98:3a:30 vapId 4 apVapId 4
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfMsAssoStateInc
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 54:26:96:3e:4b:ee on AP 00:22:bd:98:3a:30 from Idle to Associated
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Stopping deletion of Mobile Station: (callerId: 48)
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Sending Assoc Response to station on BSSID 00:22:bd:98:3a:30 (status 0) ApVapId 4 Slot 1
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 54:26:96:3e:4b:ee on AP 00:22:bd:98:3a:30 from Associated to Associated
 *DHCP Socket Task: Nov 07 10:04:31.722: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:31.723: 54:26:96:3e:4b:ee DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
 *DHCP Socket Task: Nov 07 10:04:33.461: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:33.461: 54:26:96:3e:4b:ee DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee apfMsRunStateInc
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4563
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Adding Fast Path rule
 type = Airespace AP Client
 on AP 00:22:bd:98:3a:30, slot 1, interface = 1, QOS = 0
 ACL Id = 255, Jumbo Frames = NO
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506  IPv6 Vlan = 80, IPv6 intf id = 0
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
 *pemReceiveTask: Nov 07 10:04:34.243: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Foreign role
 *pemReceiveTask: Nov 07 10:04:34.256: 54:26:96:3e:4b:ee 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP processing DHCP REQUEST (3)
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 1280, flags: 0
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP   requested ip: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP successfully bridged packet to EoIP tunnel
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP received op BOOTREPLY (2) (len 312,vlan 80, port 1, encap 0xec05)
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP processing DHCP ACK (5)
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 0, flags: 0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) DHCP Address Re-established
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface management.
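To turn the two captures above into a check rather than a read-through, here is an added example (my own code, not from the post or from Cisco) that parses debug client output and verifies that the anchor and foreign sides behaved as the post expects: ExpAnchor/ExpForeign roles, the bi-directional guest tunnel, web auth enforced only at the anchor, DHCP bridged into the EoIP tunnel, and the client landing in the guest subnet on VLAN 192. The guest subnet 192.168.99.0/24 is an assumption taken from the addresses in the logs, and the function names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines lifted from the WLC1 (anchor) and WLC2 (foreign)
# 'debug client' captures above, trimmed to the ones the checks look at.
ANCHOR_LOG = """\
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
*mmListen: Nov 07 10:05:04.765: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
*pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
*DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
*DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
*ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_REQD (8)
*ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state WEBAUTH_NOL3SEC (14)
"""
FOREIGN_LOG = """\
*apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*pemReceiveTask: Nov 07 10:04:34.243: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Foreign role
*DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
"""

@dataclass
class ClientSession:
    mac: Optional[str] = None
    states: List[str] = field(default_factory=list)  # policy-manager states, in order
    mobility_role: Optional[str] = None              # ExpAnchor / ExpForeign / Local ...
    tunnel_role: Optional[str] = None                # "Anchor" or "Foreign" from the tunnel line
    ip: Optional[str] = None
    vlan: Optional[int] = None                       # Local Bridging Vlan (anchor side)
    dhcp_via_tunnel: bool = False                    # foreign bridged DHCP into the EoIP tunnel

MAC_RE = re.compile(r": ([0-9a-f]{2}(?::[0-9a-f]{2}){5}) ")
STATE_RE = re.compile(r"Change state to (\w+) \(\d+\) last state (\w+)")
ROLE_RE = re.compile(r"mobility role=(\w+)")
TUNNEL_RE = re.compile(r"Set bi-dir guest tunnel for \S+ as in Export (Anchor|Foreign) role")
IP_RE = re.compile(r"Assigning Address (\d+\.\d+\.\d+\.\d+) to mobile")
VLAN_RE = re.compile(r"Local Bridging Vlan = (\d+)")

def parse_debug_client(text: str) -> ClientSession:
    """Reduce one 'debug client' capture to the facts that matter for anchoring."""
    s = ClientSession()
    for line in map(str.strip, text.splitlines()):
        if s.mac is None and (m := MAC_RE.search(line)):
            s.mac = m.group(1)
        if m := STATE_RE.search(line):
            if not s.states:
                s.states.append(m.group(2))  # seed with the first transition's 'last state'
            s.states.append(m.group(1))
        if m := ROLE_RE.search(line):
            s.mobility_role = m.group(1)
        if m := TUNNEL_RE.search(line):
            s.tunnel_role = m.group(1)
        if m := IP_RE.search(line):
            s.ip = m.group(1)
        if m := VLAN_RE.search(line):
            s.vlan = int(m.group(1))
        if "successfully bridged packet to EoIP tunnel" in line:
            s.dhcp_via_tunnel = True
    return s

def _in_subnet(ip: Optional[str], subnet: str) -> bool:
    return ip is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(subnet)

def check_anchor(s: ClientSession, guest_subnet: str, guest_vlan: int) -> List[str]:
    """Anchor (WLC1) expectations; an empty list means the session looks right."""
    problems = []
    if s.mobility_role != "ExpAnchor":
        problems.append(f"mobility role is {s.mobility_role}, expected ExpAnchor")
    if s.tunnel_role != "Anchor":
        problems.append("no bi-directional guest tunnel plumbed in the Export Anchor role")
    if "WEBAUTH_REQD" not in s.states:
        problems.append("client never entered WEBAUTH_REQD, so web auth is not enforced here")
    if not s.states or s.states[-1] != "RUN":
        problems.append("client did not end in RUN")
    if not _in_subnet(s.ip, guest_subnet):
        problems.append(f"client got {s.ip}, outside guest subnet {guest_subnet}")
    if s.vlan != guest_vlan:
        problems.append(f"client bridged to VLAN {s.vlan}, expected guest VLAN {guest_vlan}")
    return problems

def check_foreign(s: ClientSession, guest_subnet: str) -> List[str]:
    """Foreign (WLC2) expectations: everything must be handed to the anchor."""
    problems = []
    if s.mobility_role != "ExpForeign":
        problems.append(f"mobility role is {s.mobility_role}, expected ExpForeign")
    if s.tunnel_role != "Foreign":
        problems.append("no bi-directional guest tunnel plumbed in the Export Foreign role")
    if not s.dhcp_via_tunnel:
        problems.append("DHCP was answered locally instead of bridged into the EoIP tunnel")
    if not _in_subnet(s.ip, guest_subnet):
        problems.append(f"client got {s.ip}, outside the anchor's guest subnet {guest_subnet}")
    return problems
```

Running check_anchor over the WLC1 capture and check_foreign over the WLC2 capture returns an empty list for each when anchoring works; a client that picked up an address from the foreign controller's VLAN 80 instead of VLAN 192 would be flagged on both sides.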

Mobility Test between Controllers

In this post we will test the mobility ping between 2 controllers.

You can check here: How to Configure Mobility on WLC

Controllers in a mobility list communicate with each other by exchanging control information over a well-known UDP port and data traffic through an Ethernet-over-IP (EoIP) tunnel. Because neither UDP nor EoIP is a reliable transport, there is no guarantee that a mobility control packet or data packet will be delivered to a mobility peer. Mobility packets may be lost in transit because a firewall filters the UDP port or the EoIP packets, or because of routing issues.

We can test the mobility communication environment by performing mobility ping tests. These tests may be used to validate connectivity between members of a mobility group.

There are two types of ping test:

Mobility ping over UDP: This test runs over the mobility UDP port, 16666. It checks whether mobility control packets reach the peer over the management interface.

Mobility ping over EoIP: This test runs over EoIP (IP protocol 97). It checks whether mobility data traffic reaches the peer over the management interface.

*** Only one mobility ping test per controller can be run at a given time.

These ping tests are not Internet Control Message Protocol (ICMP) based. The term “ping” is used to indicate an echo request and an echo reply message.

Check which WLCs are in mobility list:

(WLC1) >show mobility summary
 Symmetric Mobility Tunneling (current) .......... Enabled
 Symmetric Mobility Tunneling (after reboot) ..... Enabled
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Multicast Mode .................................. Disabled
 Mobility Domain ID for 802.11r................... 0x840e
 Mobility Keepalive Interval...................... 10
 Mobility Keepalive Count......................... 3
 Mobility Group Members Configured................ 2
 Mobility Control Message DSCP Value.............. 0
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up

 

To test the mobility UDP control packet communication between two controllers, enter this command: mping mobility_peer_IP_address

(WLC1) >mping 192.168.82.1
 Send count=3, Receive count=3 from 192.168.82.1
(WLC1) >

To test the mobility EoIP data packet communication between two controllers, enter this command: eping mobility_peer_IP_address

(WLC1) >eping 192.168.82.1
 Send count=3, Receive count=3 from 192.168.82.1
(WLC1) >
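As an added example (my own code, not from the post), the following parses show mobility summary together with the mping and eping results and turns them into a diagnosis: a control-path failure points at routing or UDP 16666, while a data-path failure with a healthy control path points at IP protocol 97 being filtered. The failing eping line is constructed, and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the WLC1 output shown above; EPING_BLOCKED is made up.
MOBILITY_SUMMARY = """\
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Mobility Keepalive Interval...................... 10
 Mobility Keepalive Count......................... 3
 Mobility Group Members Configured................ 2
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up
"""
MPING_OK = "Send count=3, Receive count=3 from 192.168.82.1"
EPING_OK = "Send count=3, Receive count=3 from 192.168.82.1"
EPING_BLOCKED = "Send count=3, Receive count=0 from 192.168.82.1"

@dataclass(frozen=True)
class Peer:
    mac: str
    ip: str
    group: str
    status: str

@dataclass(frozen=True)
class PingResult:
    sent: int
    received: int
    peer: str

    def ok(self) -> bool:
        return self.sent > 0 and self.received == self.sent

# One row of the peer table: MAC, IP, group name, multicast IP (ignored), status.
PEER_RE = re.compile(r"^\s*([0-9a-f:]{17})\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\.\d+\.\d+\.\d+\s+(\S+)\s*$")
PING_RE = re.compile(r"Send count=(\d+), Receive count=(\d+) from (\d+\.\d+\.\d+\.\d+)")

def parse_mobility_summary(text: str) -> dict:
    """Pull the mobility port, domain, keepalive timers and peer table out of the CLI output."""
    info = {"peers": []}
    for line in text.splitlines():
        if m := PEER_RE.match(line):
            info["peers"].append(Peer(*m.groups()))
        elif "Mobility Protocol Port" in line:
            info["port"] = int(line.split()[-1])
        elif "Default Mobility Domain" in line:
            info["domain"] = line.split()[-1]
        elif "Keepalive Interval" in line:
            info["keepalive_interval"] = int(line.split()[-1])
        elif "Keepalive Count" in line:
            info["keepalive_count"] = int(line.split()[-1])
    return info

def parse_ping(text: str) -> Optional[PingResult]:
    m = PING_RE.search(text)
    return PingResult(int(m.group(1)), int(m.group(2)), m.group(3)) if m else None

def _lost(r: Optional[PingResult]) -> str:
    return "everything" if r is None else f"{r.sent - r.received}/{r.sent}"

def diagnose(summary: dict, peer_ip: str, mping_out: str, eping_out: str) -> List[str]:
    """Explain a peer's health from the summary plus one mping and one eping run."""
    port = summary.get("port", 16666)
    peer = next((p for p in summary["peers"] if p.ip == peer_ip), None)
    if peer is None:
        return [f"{peer_ip} is not in the mobility list; add it before using it as an anchor"]
    findings = []
    if peer.group != summary.get("domain"):
        findings.append(f"peer {peer_ip} is in group {peer.group}, this WLC is in {summary.get('domain')}")
    if peer.status != "Up":
        # A peer goes Down after keepalive_interval * keepalive_count seconds without a reply.
        dead_after = summary.get("keepalive_interval", 0) * summary.get("keepalive_count", 0)
        findings.append(f"peer {peer_ip} is {peer.status}: no keepalive over UDP {port} for {dead_after}s")
    ctl, data = parse_ping(mping_out), parse_ping(eping_out)
    if ctl is None or not ctl.ok():
        findings.append(f"control path: mping to {peer_ip} lost {_lost(ctl)}; check routing and UDP {port}")
    elif data is None or not data.ok():
        findings.append(f"data path: eping to {peer_ip} lost {_lost(data)} while mping passes; "
                        f"IP protocol 97 (EoIP) is filtered, so anchored client traffic will not flow")
    return findings
```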

Layer 3- Inter Controller Roaming

In this post we will see how Layer 3 (inter-subnet, inter-controller) roaming works on the controller.

Here is my topology:

[Figure: L3Inter1]

WLC1: 10.99.80.1, AP001 is connected to it
WLC2: 10.99.82.1, AP002 is connected to it.

If the client roams between APs registered to different controllers and the client WLAN on the two controllers is on different subnets, then an inter-subnet roam, or Layer 3 mobility event, takes place. For example, if a client is on WLAN-X on Controller-1 using VLANx and the client roams to WLAN-X on Controller-2, but WLAN-X on controller-2 is using VLANy, then an inter-subnet roam for that client occurs.

Inter-subnet roaming is similar to inter-controller roaming in that the controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database. The database entry is copied to the new controller client database and marked with a “Foreign” entry in the new controller. The roam remains transparent to the wireless client, and the client maintains its original IP address.

In inter-subnet roaming, WLANs on both anchor and foreign controllers need to have the same network access privileges and no source-based routing or source-based firewalls in place. Otherwise, the clients may have network connectivity issues after the handoff.

Put another way:

When the client roams between them, the controllers still exchange mobility messages, but they handle the client database entry in a completely different manner. The original controller marks the client entry as Anchor, whereas the new controller marks the client entry as Foreign. The two controllers are now referred to as anchor and foreign, respectively. The client has no knowledge of this and retains its original IP address on the new controller. Traffic flow to and from the client on the network becomes asymmetrical. Traffic from the client is bridged directly to the wired network by the foreign controller. The foreign controller spoofs the IP and MAC address of the client. Traffic from the wired network to the client, however, is received by the original controller and sent to the new controller through an Ethernet over IP (EtherIP) tunnel to the new controller. The new controller then passes that traffic to the client.

If the client roams back to the original controller, the Anchor and Foreign markings are removed and the client database entry is deleted from the foreign controller. If the client should roam to a different foreign controller, the original anchor controller is maintained, and the foreign client entry is transferred to the new foreign controller.

First my client is already connected to AP001.

See the summary:

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP001          Associated    8              Yes  802.11a          1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... ab:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:22:bd:98:3a:38
 Connected For ................................... 22 secs
 Channel.......................................... 36
 IP Address....................................... 10.99.81.40
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intanchor
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 .
 (WLC1) >

Now, to remove the client from WLC1, I will reset AP001, because we want to see whether the client can roam to AP002 while keeping the same IP address.

*** But make sure that WLC must have Anchor-Foreign setup.

[Figure: L3Inter2]

So now our client moved to AP002.

***It is important to remember that a Layer 3 mobility event occurs only when the interface assigned to the WLAN between the controllers is not the same. Whether or not the management interfaces of each controller are in the same subnet has no bearing on a client Layer 3 roaming event.

In a Layer 3 roaming scenario, traffic returning to the wireless client goes through the anchor WLC. The anchor WLC establishes an Ethernet-over-IP (EoIP) tunnel to forward client traffic to the foreign WLC where it is then delivered to the client. All traffic originated by the client is forwarded out the corresponding VLAN interface to which the WLAN is mapped to at foreign WLC. The client’s original IP address and default gateway IP (MAC) address remain the same. All traffic, other than that which is destined for the local subnet, is forwarded to the default router where the foreign WLC substitutes the client’s default gateway MAC address with the MAC address of the default gateway associated with dynamic interface/VLAN at the foreign controller.

The following occurs when a client roams across a Layer 3 boundary:

  1. The client begins with a connection to AP001 on WLC 1.
  2. This creates an ANCHOR entry in WLC 1's client database.
  3. As the client moves away from AP001 and begins association with AP002, WLC 2 sends a mobility announcement to its peers in the mobility group looking for the WLC with information for the client MAC address.
  4. WLC 1 responds to the announcement, handshakes, and ACKs.
  5. The client database entry for the roaming client is copied to WLC 2, and marked as FOREIGN.
  6. A simple key exchange takes place between the client and the AP, and the client is added to WLC 2's database with an entry similar to the anchor controller's, except that it is marked as FOREIGN.
  7. Data being sent to the WLAN client is now EoIP tunneled from the anchor WLC to the foreign WLC.
  8. Data sent by the WLAN client is sent out a local interface VLAN at the foreign controller.

Once the client has moved, we see its entry on WLC1 marked as "Anchor":

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee 10.99.82.1        Associated    8              Yes  Mobile           1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:00:00:00:00:00
 AP Name.......................................... N/A
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:00:00:00:00:07
 Connected For ................................... 140 secs
 Channel.......................................... N/A
 IP Address....................................... 10.99.81.40
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Anchor
 Mobility Foreign IP Address...................... 10.99.82.1
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intanchor
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC1) >

 

Check the client entry as Foreign on WLC2:

(WLC2) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP002            Associated    8              Yes  802.11g          1    N/A
(WLC2) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:3a:99:14:13:70
 AP Name.......................................... AP002
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:3a:99:14:13:77
 Connected For ................................... 8 secs
 Channel.......................................... 1
 IP Address....................................... 10.99.81.40
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Foreign
 Mobility Anchor IP Address....................... 10.99.80.1
 Mobility Move Count.............................. 1
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intforeign
 VLAN............................................. 84
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC2) >

Basic workflow for inter-subnet roaming:

[Figure: L3 - Inter Controller Roaming (L3Inter3)]

Asymmetric Tunneling

To understand the handoff we must look at the debug logs from both WLCs:

Handoff logs from WLC1:

(WLC1) > debug mobility handoff enable
 (WLC1) >*mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee Mobility packet received from:
 *mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 25  seq: 101  len 116 flags 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 0.0.0.0, instance: 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   VLAN IP: 10.99.84.3, netmask: 255.255.255.0
 *mmListen: Jul 09 09:21:21.316: Switch IP: 10.99.82.1
 *mmListen: Jul 09 09:21:21.316: Vlan List payload not found, ignoring ...
 *mmListen: Jul 09 09:21:21.316: IP Address don't compare for client ab:26:96:3e:4b:ee is 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Handoff as Local, Client IP: 10.99.81.40 Anchor IP: 10.99.80.1
 *mmListen: Jul 09 09:21:21.316: Anchor Mac : 00.21.d8.fa.66.00
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Mobility packet sent to:
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 25  seq: 132  len 546 flags 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 10.99.81.40, instance: 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   VLAN IP: 10.99.81.1, netmask: 255.255.255.0
 *apfReceiveTask: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Local to Anchor Peer = 10.99.82.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
 *apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) Plumbing duplex mobility tunnel to 10.99.82.1 as Anchor (VLAN 81)
 *apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff Indication (2), reason Client handoff successful - anchor released (1), PEM State RUN, Role Anchor(2)

Handoff logs from WLC2:

(WLC2) >debug mobility handoff enable
 (WLC2) >*Dot1x_NW_MsgTask_0: Jul 09 09:39:02.572: ab:26:96:3e:4b:ee Mobility query, PEM State: L2AUTHCOMPLETE
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee Mobility packet sent to:
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 22  seq: 89  len 116 flags 0
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 0.0.0.0, instance: 0
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.574: ab:26:96:3e:4b:ee   VLAN IP: 10.99.84.3, netmask: 255.255.255.0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee Mobility packet received from:
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 22  seq: 118  len 546 flags 0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 10.99.81.40, instance: 0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   VLAN IP: 10.99.81.1, netmask: 255.255.255.0
 *mmListen: Jul 09 09:39:02.575: Switch IP: 10.99.80.1
 *mmListen: Jul 09 09:39:02.575: Mobility handoff, NAC State Payload [ Client's NAC OOB State : Access, Quarantine VLAN :0, Access VLAN : 81 ]
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee Mobility handoff for client:Ip: 10.99.81.40 Anchor IP: 10.99.80.1, Peer IP: 10.99.80.1
 *apfReceiveTask: Jul 09 09:39:02.579: ab:26:96:3e:4b:ee Handoff confirm: Pre Handoff PEM State: RUN
 *apfReceiveTask: Jul 09 09:39:02.579: ab:26:96:3e:4b:ee   Pem State update: RUN(20), VAP Security mask 40004000,        IPsec len: 0, ACL Name: ''
 *apfReceiveTask: Jul 09 09:39:02.581: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Unassociated to Foreign Peer = 10.99.80.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) Plumbing duplex mobility tunnel to 10.99.80.1 as Foreign, (VLAN 84)
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee Configured Anchor for mobile ab:26:96:3e:4b:ee. Sending Igmp query
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff (1), reason Handoff success (0), PEM State RUN, Role Foreign(3)
 *bcastReceiveTask: Jul 09 09:39:02.598: Sending IGMP query First Time to 00:3a:99:14:13:70 ap for mgid 5
 *bcastReceiveTask: Jul 09 09:39:02.598: Entry for ap  00:3a:99:14:13:70, IGMP query packet not queued for mgid 5... Enquing the Query packet...
 *bcastReceiveTask: Jul 09 09:39:03.456: Sending IGMP query to 00:3a:99:14:13:70 ap for mgid 5, Query count: 2
 *bcastReceiveTask: Jul 09 09:39:04.456: Sending IGMP query to 00:3a:99:14:13:70 ap for mgid 5, Query count: 1
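The two debug captures above are the ground truth for the eight-step roam described earlier. The following added example (not code from the original post) parses each controller's `debug mobility handoff` lines for the client MAC and checks that the exchange is consistent: foreign sends MobileAnnounce, anchor answers MobileHandoff with the same xid, both sides report the client in RUN, and the roles and peer addresses line up. The log excerpts it ships with are trimmed copies of the output shown above.

```python
"""Reconstruct a Layer 3 roam from Cisco WLC ``debug mobility handoff`` output.

Added example, not part of the original post. It parses the lines each
controller logs for one client MAC and checks the handoff sequence: the
foreign WLC sends a MobileAnnounce, the anchor answers with a MobileHandoff
carrying the same xid, and the two end up as Anchor/Foreign peers in RUN.
"""
import re

MOBILITY_PORT = 16666  # port the controllers exchange mobility control messages on

_PKT = re.compile(r"Mobility packet (sent to|received from):")
_PEER = re.compile(r"(\d+(?:\.\d+){3}), port (\d+)")
_TYPE = re.compile(r"type: \d+\((\w+)\).*?xid: (\d+)")
_ROLE = re.compile(r"role update request from (\w+) to (\w+) Peer = (\d+(?:\.\d+){3})")
_RESP = re.compile(r"Mobility Response: .*reason (.+?) \(\d+\), PEM State (\w+), Role (\w+)\(")


def parse_handoff(log_text):
    """Parse one controller's side of the handoff into a dict.

    'messages' holds (direction, peer_ip, port, type, xid) tuples in log order;
    'role'/'peer' come from the role update line, the rest from the final response.
    """
    trace = {"messages": [], "role": None, "peer": None,
             "resp_role": None, "reason": None, "pem": None}
    pending = None  # packet header being assembled: [direction] -> [direction, peer, port]
    for line in log_text.splitlines():
        if m := _PKT.search(line):
            pending = ["sent" if m.group(1) == "sent to" else "received"]
        elif pending is not None and len(pending) == 1 and (m := _PEER.search(line)):
            pending += [m.group(1), int(m.group(2))]
        elif pending is not None and len(pending) == 3 and (m := _TYPE.search(line)):
            trace["messages"].append(tuple(pending) + (m.group(1), int(m.group(2))))
            pending = None
        elif m := _ROLE.search(line):
            trace["role"], trace["peer"] = m.group(2), m.group(3)
        elif m := _RESP.search(line):
            trace["reason"], trace["pem"], trace["resp_role"] = m.groups()
    return trace


def _find(trace, direction, mtype):
    return [m for m in trace["messages"] if m[0] == direction and m[3] == mtype]


def check_roam(anchor, foreign, anchor_ip, foreign_ip):
    """Return a list of problems in an anchor/foreign trace pair (empty means clean)."""
    problems = []
    for side, trace, expect_peer in (("anchor", anchor, foreign_ip), ("foreign", foreign, anchor_ip)):
        for _, peer, port, mtype, _ in trace["messages"]:
            if port != MOBILITY_PORT or peer != expect_peer:
                problems.append(f"{side}: {mtype} with {peer}:{port}, expected {expect_peer}:{MOBILITY_PORT}")
        if trace["peer"] != expect_peer:
            problems.append(f"{side}: role update names peer {trace['peer']}, expected {expect_peer}")
        if trace["pem"] != "RUN":
            problems.append(f"{side}: client PEM state {trace['pem']} after handoff, expected RUN")
    ann_f, ann_a = _find(foreign, "sent", "MobileAnnounce"), _find(anchor, "received", "MobileAnnounce")
    ho_a, ho_f = _find(anchor, "sent", "MobileHandoff"), _find(foreign, "received", "MobileHandoff")
    if not (ann_f and ann_a):
        problems.append("MobileAnnounce not seen as sent by foreign and received by anchor")
    if not (ho_a and ho_f):
        problems.append("MobileHandoff not seen as sent by anchor and received by foreign")
    # On each controller the handoff answers the announce, so their xid must match.
    for side, ann, ho in (("anchor", ann_a, ho_a), ("foreign", ann_f, ho_f)):
        if ann and ho and ann[0][4] != ho[0][4]:
            problems.append(f"{side}: announce xid {ann[0][4]} != handoff xid {ho[0][4]}")
    for side, trace, want in (("anchor", anchor, "Anchor"), ("foreign", foreign, "Foreign")):
        if trace["role"] != want or trace["resp_role"] != want:
            problems.append(f"{side}: role {trace['role']}/{trace['resp_role']}, expected {want}")
    return problems


# Trimmed copies of the debug output shown above (WLC1 = anchor, WLC2 = foreign).
WLC1_LOG = """\
*mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee Mobility packet received from:
*mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 25  seq: 101  len 116 flags 0
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Mobility packet sent to:
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 25  seq: 132  len 546 flags 0
*apfReceiveTask: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Local to Anchor Peer = 10.99.82.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
*apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff Indication (2), reason Client handoff successful - anchor released (1), PEM State RUN, Role Anchor(2)
"""
WLC2_LOG = """\
*Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
*Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 22  seq: 89  len 116 flags 0
*mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee Mobility packet received from:
*mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
*mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 22  seq: 118  len 546 flags 0
*apfReceiveTask: Jul 09 09:39:02.581: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Unassociated to Foreign Peer = 10.99.80.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
*apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff (1), reason Handoff success (0), PEM State RUN, Role Foreign(3)
"""

if __name__ == "__main__":
    a, f = parse_handoff(WLC1_LOG), parse_handoff(WLC2_LOG)
    print("WLC1:", a["role"], "| WLC2:", f["role"], "| problems:", check_roam(a, f, "10.99.80.1", "10.99.82.1") or "none")
```

Run it against a capture where a roam misbehaved and the returned list points at the first thing that diverged (wrong peer, wrong port, missing handoff, client not in RUN) instead of reading the two logs side by side.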

Layer2- Inter Controller Roaming

In this post we will look at roaming between controllers.

Inter-controller roaming occurs when a client roams between two APs registered to two different controllers, where each controller has an interface in the client subnet. When a client roams between controllers on the same subnet, the controllers exchange mobility messages and the client database entry is transferred from the original controller to the new controller. Client traffic then flows through the new controller onto the network just as it did on the original controller.

[Figure: My Topology (L2Inter1)]

Basic workflow of inter-controller roaming:

[Figure: L2 - Inter Controller Roaming (L2Inter2)]

My client is already connected to WLC1; see the output from WLC1:

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP001             Associated    8              Yes   802.11a          1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:22:bd:98:3a:38
 Connected For ................................... 12 secs
 Channel.......................................... 36
 IP Address....................................... 10.99.81.22
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ interwlc
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 .
 (WLC1) >
  

Now I will reset AP001 to forcibly disconnect my client and check the roaming.

Go to Wireless > All AP and then click on AP001 > Reset AP Now.


Once AP001 resets, our client will roam to another AP (AP002).

See the output for the client, which has now moved to WLC2:

(WLC2) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP002             Associated    8              Yes  802.11g          1    N/A
(99CWLAN2) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:3a:99:14:13:70
 AP Name.......................................... AP002
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:3a:99:14:13:77
 Connected For ................................... 21 secs
 Channel.......................................... 1
 IP Address....................................... 10.99.81.22
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ interwlc
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC2) >

 

Intra-Controller Roaming

If a client roams between APs on the same controller, it is called an intra-controller mobility event. Intra-controller roaming is the simplest case: all the controller needs to do is update its database with the new AP association and establish new security contexts if necessary. Basically, the Layer 3-related mobility is handled by the controller, and the link layer mobility is handled by the AP. As the client roams, the controller updates the client state. The client traffic then flows through the new AP's LWAPP/CAPWAP tunnel to the controller and out on the network. Figure 9-1 illustrates an intra-controller roam.

[Figure: Intra Controller Roaming]

I will not go into details on this because it is the simplest type of roaming 🙂

For more info about roaming, please visit this post: Mobility Basics

Mobility Configuration on WLC

In this post we will learn how to configure WLC mobility on Cisco Controllers.

Mobility, or roaming, is a wireless LAN client’s ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible.

For more info about mobility/roaming, please visit this section: Mobility Basics

A mobility group is a set of controllers, identified by the same mobility group name, that provides seamless roaming for wireless clients. By creating a mobility group, we can enable multiple controllers in a network to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers in the same mobility group can share the context and state of client devices as well as their list of access points, so that they do not consider each other's access points as rogue devices.

First of all, we need to configure the mobility group name on each controller during its initial setup (initial config):

Virtual Gateway IP Address: 1.1.1.1
Multicast IP Address: 239.255.255.1 / 3
Mobility/RF Group Name: Test
Network Name (SSID): Test
 

Via GUI:

To add an entry to a controller mobility configuration using the GUI, go to CONTROLLER > Mobility Management > Mobility Groups and click on New.


 

Here we enter the MAC address and IP address of the management interface of the controller we are adding, along with that controller's mobility group name.

In WLC1 we add WLC2's MAC and IP address.
In WLC2 we add WLC1's MAC and IP address.

Here I post the screenshot from WLC1; the same entry must also be added in WLC2.


 

Once we add the WLC's MAC and management interface IP address, the status shows as UP (be aware that this can take 20-30 seconds):


 

Note: For controllers to be in the same mobility group, they need to meet the following criteria:

Identical mobility group names: The mobility group name is case sensitive. A mobility group name of ABC is not the same as abc from the controller perspective.

Same virtual interface IP address: If the virtual IPs are not the same between the controllers, the handoff of the client database entry will not take place and the client will be disconnected for a short period.

Same version of code: This is true for supporting normal client mobility. Starting with the 5.2 release, a 5.2 or 6.0 controller supports auto-anchoring with 4.2 and higher code running on the anchor controller.

Network connectivity between the controllers in the mobility group: We should be able to mping and eping between the controllers. These special pings will be discussed in another post.

Points to remember before configuring mobility:

  • IP connectivity must exist between the management interfaces of all controllers.
  • All controllers must be configured with the same mobility group name.
  • All controllers must be configured with the same virtual interface IP address.
  • We must have gathered the MAC address and IP address of every controller that is to be included in the mobility group. This information is necessary because we will be configuring all controllers with the MAC address and IP address of all the other mobility group members.
  • When a firewall (for example, a Cisco ASA) sits between mobility group members, we must open port 16666 and IP protocol 97.

We have only two WLCs, so we will not configure the multicast group IP address in this post.

If we have multiple controllers in the mobility group, then we must configure the multicast group IP address on each controller.


Via CLI:

config mobility group domain domain_name

(WLC1) > config mobility group domain Test

config mobility group member add mac_address ip_address

(WLC1) > config mobility group member add 00:21:d8:fa:fd:a0 192.168.82.1

config mobility multicast-mode {enable | disable} local_group_multicast_address

(WLC1) > config mobility multicast-mode enable 239.255.255.254

config mobility group multicast-address group_name IP_address

(WLC1) > config mobility group multicast-address Test 239.255.255.254

Verify the mobility configuration with this command:

show mobility summary

(WLC1) >show mobility summary
 Symmetric Mobility Tunneling (current) .......... Enabled
 Symmetric Mobility Tunneling (after reboot) ..... Enabled
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Multicast Mode .................................. Disabled
 Mobility Domain ID for 802.11r................... 0x840e
 Mobility Keepalive Interval...................... 10
 Mobility Keepalive Count......................... 3
 Mobility Group Members Configured................ 2
 Mobility Control Message DSCP Value.............. 0
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up
 (WLC1) >
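The criteria in the note above (identical case-sensitive group name, each controller listing every member and seeing it Up, a multicast address once more than two controllers are in the group) can be verified mechanically from `show mobility summary`. The following added example (not code from the original post) parses that output from each controller and reports anything that would keep the group from working; WLC1's text is the output shown above, while WLC2's is a constructed mirror of it.

```python
"""Cross-check ``show mobility summary`` from each controller against the
mobility group prerequisites: identical (case-sensitive) group name, agreeing
protocol port and tunneling mode, every member listed by every controller with
status Up, and multicast mode enabled once more than two controllers are in
the group.

Added example, not part of the original post. WLC1's output is the one shown
above (trimmed); WLC2's is a constructed mirror so the check has two sides.
"""
import re

_KV = re.compile(r"^\s*(.+?)\s*\.{2,}\s*(.*)$")  # "Setting ........ value" rows
_MEMBER = re.compile(r"^\s*([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+(?:\.\d+){3})"
                     r"\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\S+)", re.I)  # member table rows


def parse_mobility_summary(text):
    """Return ({setting: value}, [member dict, ...]) for one controller's output."""
    settings, members = {}, []
    for line in text.splitlines():
        if m := _MEMBER.match(line):
            mac, ip, group, mcast, status = m.groups()
            members.append({"mac": mac.lower(), "ip": ip, "group": group,
                            "multicast": mcast, "status": status})
        elif m := _KV.match(line):
            settings[m.group(1)] = m.group(2).strip()
    return settings, members


def check_mobility_group(outputs):
    """outputs maps controller name -> raw 'show mobility summary' text.

    Returns a list of problem strings; an empty list means the group is consistent.
    """
    parsed = {name: parse_mobility_summary(text) for name, text in outputs.items()}
    problems = []
    domains = {name: s.get("Default Mobility Domain") for name, (s, _) in parsed.items()}
    if len(set(domains.values())) != 1:  # group names are case-sensitive: ABC != abc
        problems.append(f"mobility group names differ: {domains}")
    for key in ("Mobility Protocol Port", "Symmetric Mobility Tunneling (current)"):
        vals = {name: s.get(key) for name, (s, _) in parsed.items()}
        if len(set(vals.values())) != 1:
            problems.append(f"{key} differs: {vals}")
    # Every controller must list every member (itself included) and see it Up.
    all_ips = {m["ip"] for _, members in parsed.values() for m in members}
    for name, (settings, members) in parsed.items():
        for ip in sorted(all_ips - {m["ip"] for m in members}):
            problems.append(f"{name}: member {ip} missing from its mobility group list")
        for m in members:
            if m["status"] != "Up":
                problems.append(f"{name}: member {m['ip']} status is {m['status']}")
            if m["group"] != domains[name]:
                problems.append(f"{name}: member {m['ip']} is in group {m['group']}, not {domains[name]}")
        if len(members) > 2 and settings.get("Multicast Mode") != "Enabled":
            problems.append(f"{name}: {len(members)} members but Multicast Mode is "
                            f"{settings.get('Multicast Mode')}")
    return problems


# WLC1 output as shown above (trimmed to the lines the checker reads).
WLC1_SUMMARY = """\
 Symmetric Mobility Tunneling (current) .......... Enabled
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Multicast Mode .................................. Disabled
 Mobility Group Members Configured................ 2
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up
"""
# Constructed: what WLC2 is expected to show once both members are added on it.
WLC2_SUMMARY = """\
 Symmetric Mobility Tunneling (current) .......... Enabled
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Multicast Mode .................................. Disabled
 Mobility Group Members Configured................ 2
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
"""

if __name__ == "__main__":
    print(check_mobility_group({"WLC1": WLC1_SUMMARY, "WLC2": WLC2_SUMMARY}) or "mobility group consistent")
```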

 

Roaming / Mobility Basics

Mobility, or roaming, is a wireless LAN client's ability to maintain its association seamlessly from one access point to another securely and with as little latency as possible. In this post I will try to explain how mobility works when controllers are included in a wireless network.

Or

In wireless networking, roaming means the ability to move from one AP coverage area to another without interruption in service or loss of connectivity. This is a key component of a wireless network deployment.

Mobility Groups:

A mobility group is a set of Wireless LAN Controllers, identified by the same mobility group name, that defines the scope of seamless roaming for wireless clients. By creating a mobility group, we can enable multiple WLCs in a network to dynamically share information and forward data traffic when inter-controller or inter-subnet roaming occurs. Controllers in the same mobility group can share the context and state of client devices as well as their list of access points, so that they do not consider each other's access points as rogue devices. With this information, the network can support inter-controller wireless LAN roaming and controller redundancy.

Roaming is the action for a Wireless client to move from one AP to another AP while actively transmitting data without any interruption.

For a voice WLAN: roaming is very common.

For a data WLAN: data deployments can be nomadic; the user may see a slight interruption while moving from one coverage area to another, without real impact on the user experience.

When a wireless client connects and authenticates to an AP, the AP's controller (the one the AP is joined to) puts an entry for that client in its database. The entry contains client information such as MAC address, IP address, the WLAN it is associated with and the AP it is connected to, etc.

In controller-based deployments, roaming can be of three types:

  1. Intra-controller (all APs on the same controller)
  2. Inter-controller or Layer 2 (different controllers on the same network, meaning the same subnet)
  3. Layer 3 (different controllers with totally different subnets)

 

 Intra Controller Roaming:

[Figure: Intra Controller Roaming]

  • Intra-controller roaming is roaming between LAPs managed by the same WLC, obviously in the same IP subnet.
  • What matters is the subnets the clients are using, as serviced by the APs. So, let's say we have two APs, both servicing a specific IP subnet. When a client roams from one AP to the other, that is Layer 2 roaming: the client still maintains its IP address.
  • The wireless client moves from one AP to another AP on the same controller.
  • When the client moves its association from one access point to another, the controller simply updates the client database with the newly associated access point.
  • This entry includes the client's MAC and IP addresses, security context and associations, quality of service (QoS) contexts, the WLAN, and the associated AP.
  • Sometimes it also establishes a new security context: if a client's session timeout or a key change occurs during roaming, this information must be passed to the WLC. With open authentication, the WLC does not need to establish or update a security context.

AP: Encryption and Decryption

WLC: Mobility, QoS and Security Management

  • This roaming process takes less than 10 ms (it is almost seamless).

Lab results and logs will follow soon...

Layer 2 – Inter Controller Roaming:

[Figure: L2 - Inter Controller Roaming]

Now, when we do a Layer 2 roam and multiple controllers are involved, both controllers need to service the same subnet. This means we have a dynamic interface in subnet x configured on WLC1 and another interface also configured in subnet x on WLC2. This is inter-controller roaming (Layer 2).

  • The wireless user moves from one AP to another AP connected to another controller in the same subnet (as the first controller).
  • This means the client is roaming between two different controllers, but these controllers are part of the same mobility group and the same subnet.
  • When the client tries to join the new AP, both controllers exchange the client details (database entry and credentials).
  • The new WLC exchanges mobility messages with the original WLC and the client entry is moved to the new WLC. This entry includes the client's MAC and IP addresses, security context and associations, quality of service (QoS) contexts, the WLAN, and the associated AP.
  • The client database entry is updated for the new access point. This process takes less than 20 ms and remains transparent to the user.

Lab results and logs will follow soon...

Layer 3 – Inter Controller Roaming:

[Figure: L3 - Inter Controller Roaming]

When the wireless user moves from one AP to another AP connected to another controller in a different subnet, that is, when the client roams between APs registered to different controllers and the client WLAN on the two controllers is on a different subnet, it is called an inter-controller Layer 3 roam.

  • It is similar to inter-subnet roaming.
  • The controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an "Anchor" entry in its own client database.
  • The database entry is copied to the new controller's client database and marked with a "Foreign" entry in the new controller.
  • The main advantage is that the client maintains its original IP address even after changing controllers.
  • The process takes less than 30 ms.
  • The roam remains transparent to the wireless client.

Lab results and logs will follow soon...