Foreign Mapping/ Auto Anchor Mobility

In this post we will learn how to configure foreign mapping between two controllers.

Auto-Anchor mobility, also known as Foreign Mapping, allows us to configure clients that are on different foreign controllers in different physical locations to obtain IP addresses from a subnet, or group of subnets, chosen according to their physical location.

  1. First of all, both controllers must have added each other to their mobility lists.
  2. Auto anchoring must be configured.

How to Configure Mobility

How to Configure Auto Anchoring

Steps to configure Foreign Mapping on the Anchor Controller

***Make sure that it is only configured on the Anchor Controller, i.e. the controller where we want the client to terminate and obtain its IP address.

Step1: Select the WLANs tab.

Step2: Click the blue drop-down arrow for the WLAN (in my case RSCCIEW) and choose Foreign-Maps.

Step3: The Foreign Mappings page appears. This page lists the MAC addresses of the foreign controllers that are in the mobility group and the interfaces that are created on the anchor WLC.

Step4: Select the desired foreign controller MAC (WLC2 in my case) and the interface (rscciew) to which it must be mapped, then click Add Mapping.

Anchor WLC configuration:

[Screenshots: Foreignmap1, Foreignmap2, Foreignmap3, Foreignmap4]

Verification:

Anchor WLC:

(WLC1) >show client  summary
 Number of Clients................................ 2
 GLAN/
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6  Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------- ----------------
 48:43:7c:8b:c3:92 192.168.10.3         N/A Associated     3    Yes  Mobile           13   No    No      Export Anchor
(WLC1) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 00:00:00:00:00:00
 AP Name.......................................... N/A
 AP radio slot Id................................. N/A
 Client State..................................... Associated
 Client User Group................................
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 3
 Wireless LAN Network Name (SSID)................. RSCCIEW
 Wireless LAN Profile Name........................ RSCCIEW
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 00:00:00:00:00:ff
 Connected For ................................... 133 secs
 Channel.......................................... N/A
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. 192.168.82.254
 Netmask.......................................... 255.255.255.0
 IPv6 Address..................................... fe80::
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Disabled
 Supported Rates..................................
 Mobility State................................... Export Anchor
 Mobility Foreign IP Address...................... 192.168.10.3
 Mobility Move Count.............................. 1
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500100000085546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... N/A
 Encryption Cipher................................ None
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ rscciew
 VLAN............................................. 82
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 82
 Local Bridging VLAN.............................. 10
 .
 .
 (WLC1) >

Foreign WLC:

(WLC2) >show client summary
 Number of Clients................................ 1
 RLAN/
 MAC Address       AP Name           Slot Status        WLAN  Auth Protocol         Port Wired PMIPV6 Role
 ----------------- ----------------- ---- ------------- ----- ---- ---------------- ---- ----- ------ ----------------
 48:43:7c:8b:c3:92 AP002             1   Associated     5    Yes  802.11n(5 GHz)   1    N/A   No     Export foreign
(WLC2) >show client detail 48:43:7c:8b:c3:92
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client Username ................................. N/A
 AP MAC Address................................... 84:80:2d:c3:6c:d0
 AP Name.......................................... AP002
 AP radio slot Id................................. 1
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 5
 Hotspot (802.11u)................................ Not Supported
 BSSID............................................ 84:80:2d:c3:6c:db
 Connected For ................................... 123 secs
 Channel.......................................... 64
 IP Address....................................... 192.168.82.11
 Gateway Address.................................. Unknown
 Netmask.......................................... Unknown
 IPv6 Address..................................... fe80::
 Association Id................................... 2
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 Avg data Rate.................................... 0
 Burst data Rate.................................. 0
 Avg Real time data Rate.......................... 0
 Burst Real Time data Rate........................ 0
 802.1P Priority Tag.............................. disabled
 CTS Security Group Tag........................... Not Applicable
 KTS CAC Capability............................... No
 WMM Support...................................... Enabled
 APSD ACs.......................................  BK  BE  VI  VO
 Power Save....................................... ON
 Current Rate..................................... m7
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,
 ............................................. 48.0,54.0
 Mobility State................................... Export Foreign
 Mobility Anchor IP Address....................... 192.168.10.1
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 Audit Session ID................................. 0a63500300000073546f33bd
 AAA Role Type.................................... none
 Local Policy Applied............................. none
 IPv4 ACL Name.................................... none
 FlexConnect ACL Applied Status................... Unavailable
 IPv4 ACL Applied Status.......................... Unavailable
 IPv6 ACL Name.................................... none
 IPv6 ACL Applied Status.......................... Unavailable
 Layer2 ACL Name.................................. none
 Layer2 ACL Applied Status........................ Unavailable
 mDNS Status...................................... Enabled
 mDNS Profile Name................................ default-mdns-profile
 No. of mDNS Services Advertised.................. 0
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Protected Management Frame ...................... No
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ management
 VLAN............................................. 10
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 10
 .
 .
 (WLC2) >
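As an added example (not from the original post), the following Python script parses the dotted key/value lines of `show client detail` from both controllers and cross-checks the anchor/foreign pairing and the foreign-mapped interface. The management addresses 192.168.10.1 (WLC1) and 192.168.10.3 (WLC2) are taken from the output above; the embedded sample is a constructed, trimmed copy of that output.

```python
"""Cross-check the anchor and foreign `show client detail` output for one client.

Added example, not from the original post. The sample output below is a
constructed, trimmed copy of the WLC1/WLC2 output shown above.
"""
import re

# Constructed sample: anchor side (WLC1, management 192.168.10.1).
ANCHOR_OUTPUT = """\
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client State..................................... Associated
 Wireless LAN Network Name (SSID)................. RSCCIEW
 IP Address....................................... 192.168.82.11
 Supported Rates..................................
 Mobility State................................... Export Anchor
 Mobility Foreign IP Address...................... 192.168.10.3
 Interface........................................ rscciew
 VLAN............................................. 82
"""

# Constructed sample: foreign side (WLC2, management 192.168.10.3).
FOREIGN_OUTPUT = """\
 Client MAC Address............................... 48:43:7c:8b:c3:92
 Client State..................................... Associated
 IP Address....................................... 192.168.82.11
 Mobility State................................... Export Foreign
 Mobility Anchor IP Address....................... 192.168.10.1
 Interface........................................ management
 VLAN............................................. 10
"""

# One field per line: "<name><run of dots> <value>"; the value may be empty.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*\.{2,}\s*(?P<value>.*)$")


def parse_client_detail(text):
    """Return {field name: value} for one `show client detail` dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def check_anchor_pair(anchor, foreign, anchor_ip, foreign_ip, interface, vlan):
    """Return a list of problems; an empty list means the pair is consistent.

    anchor/foreign are parsed dumps, anchor_ip/foreign_ip the controllers'
    management addresses, interface/vlan the foreign mapping we configured.
    """
    problems = []
    if anchor.get("Client MAC Address") != foreign.get("Client MAC Address"):
        problems.append("different client MAC on anchor and foreign")
    if anchor.get("Mobility State") != "Export Anchor":
        problems.append("anchor role is %r, expected Export Anchor" % anchor.get("Mobility State"))
    if foreign.get("Mobility State") != "Export Foreign":
        problems.append("foreign role is %r, expected Export Foreign" % foreign.get("Mobility State"))
    # Each side must point at the other end of the EoIP tunnel.
    if anchor.get("Mobility Foreign IP Address") != foreign_ip:
        problems.append("anchor does not point at foreign %s" % foreign_ip)
    if foreign.get("Mobility Anchor IP Address") != anchor_ip:
        problems.append("foreign does not point at anchor %s" % anchor_ip)
    # The client address is assigned on the anchor and mirrored to the foreign.
    if anchor.get("IP Address") != foreign.get("IP Address"):
        problems.append("client IP differs between anchor and foreign")
    # Foreign mapping result: the anchor terminates the client on the mapped interface.
    if anchor.get("Interface") != interface:
        problems.append("anchor interface %r, expected %r" % (anchor.get("Interface"), interface))
    if anchor.get("VLAN") != str(vlan):
        problems.append("anchor VLAN %r, expected %s" % (anchor.get("VLAN"), vlan))
    return problems


def verify_sample():
    """Run the check over the constructed sample and return the problem list."""
    anchor = parse_client_detail(ANCHOR_OUTPUT)
    foreign = parse_client_detail(FOREIGN_OUTPUT)
    return check_anchor_pair(anchor, foreign, "192.168.10.1", "192.168.10.3", "rscciew", 82)


if __name__ == "__main__":
    issues = verify_sample()
    print("anchor/foreign pair consistent" if not issues else "\n".join(issues))
```

Paste the real `show client detail` output of each controller into the two strings to check a live pair; any mismatch in role, tunnel peer, client IP or mapped interface is reported as a line.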

That’s all about Foreign Mapping 🙂

Auto-Anchor Mobility / Guest Tunneling

In this post we will learn how to use the Auto-Anchor feature.

In simple words, auto-anchoring means anchoring a WLAN to a particular controller in the mobility domain or group.

It can be used for load balancing and security: we can force clients onto a particular controller regardless of the controller they access the wireless network from.

**The most common example/use of auto-anchor is guest networking.

Let’s go into detail:

With auto-anchor, regardless of which controller's APs a client associates with, the client's traffic is anchored to this one controller. Auto-anchoring is basically symmetric tunneling with a fixed anchor. When a client first associates with a controller on an anchored WLAN, a Local Session entry is created for the client and the controller sends a Mobile Announce message to the mobility group.

When that message is not answered, the foreign controller contacts the configured anchor controller and creates a foreign session for the client in its database. The anchor controller then creates an Anchor session for the client.

All traffic to and from the client associated with an anchored WLAN passes through the anchor controller. This is known as a bidirectional tunnel because the foreign controller encapsulates the client packets in EtherOverIP and sends them to the anchor. The anchor de-encapsulates the packets and delivers them to the wired network. Packets destined for the client are encapsulated in the EtherOverIP tunnel by the anchor and sent to the foreign controller. The foreign controller de-encapsulates the packets and forwards them to the client.

Guidelines before Auto-Anchor configuration:

  1. We must add controllers to the mobility group member list before we can designate them as mobility anchors for a WLAN. For how to add them, see this post: Mobility Configuration on WLC
  2. We can configure multiple controllers as mobility anchors for a WLAN.
  3. We must disable the WLAN before configuring mobility anchors for it.
  4. Auto-anchor mobility supports web authorization but does not support other Layer 3 security types.
  5. We must configure the WLANs on both the foreign controller and the anchor controller with mobility anchors. On the anchor controller, configure the anchor controller itself as a mobility anchor. On the foreign controller, configure the anchor as a mobility anchor.
  6. Auto-anchor mobility is not supported for use with DHCP option 82.
  7. When using the mobility failover features with a firewall, make sure that the following ports are open:
  • UDP 16666 for tunnel control traffic
  • IP protocol 97 for user data traffic
  8. To check the connectivity and peer keepalive timers, use these CLI commands:
  • mping peer-ip-address – tests the control path between mobility peers
  • eping peer-ip-address – tests the data path between mobility peers
  • show mobility summary – shows the mobility configuration and timers

How to configure Auto-anchoring

Our main aim is to force clients onto a particular controller regardless of the controller they access the wireless network from. In my topology the client connects to AP001, which is joined to WLC2, and its traffic is tunneled back to WLC1, so the client must get its IP address from VLAN 192.

[Topology diagram: Autoanchor1]

WLC2 (Foreign) Configuration:

Step1: Create a WLAN (in my example: RSCCIEW).

Step2: Assign it to the management interface and set the security to web authentication.

[Screenshot: Autoanchor2]

Step3: Add WLC1 to its mobility list.

[Screenshot: Autoanchor3]

Step4: Go to the WLANs tab and assign the anchor WLC.

[Screenshot: Autoanchor4]

In this case we assign WLC1 as the anchor WLC:

[Screenshot: Autoanchor5]

WLC1 (ANCHOR) Configuration:

Step1: Create the same WLAN as we did on WLC2 (Foreign).

Step2: Assign the interface (guest); apart from this, everything should be the same as on WLC2.

[Screenshot: Autoanchor6]

Step3: Add WLC2 to its mobility list.

[Screenshot: Autoanchor7]

Step4: Go to the WLANs tab and assign the anchor WLC.

[Screenshot: Autoanchor8]

In this case we assign the anchor WLC IP as local, i.e. the controller itself.

[Screenshot: Autoanchor9]

That's all about the configuration; let's jump to verification:

From WLC2 (Foreign WLC):

[Screenshot: Autoanchor10]

From WLC1 (ANCHOR WLC), before web-auth authentication:

[Screenshot: Autoanchor11]

Now create a local net user for testing:

[Screenshot: Autoanchor12]

From WLC1 (ANCHOR WLC), after web-auth authentication:

[Screenshot: Autoanchor13]

Here are the complete logs from WLC1 CLI:

(WLC1) >debug client  54:26:96:3e:4b:ee
(WLC1) >*mmListen: Nov 07 10:05:04.763: 54:26:96:3e:4b:ee Adding mobile on Remote AP 00:00:00:00:00:00(0)
 *mmListen: Nov 07 10:05:04.763: 54:26:96:3e:4b:ee override for default ap group, marking intgrp NULL
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 0
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Re-applying interface policy for client
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee apfApplyWlanPolicy: Apply WLAN Policy over PMIPv6 Client Mobility Type
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee override from intf group to an intf for roamed client, removing intf group from mscb
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Applying Interface policy on Mobile, role Unassociated. Ms NAC State 2 Quarantine Vlan 0 Access Vlan 192
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Re-applying interface policy for client
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv4 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2219)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing IPv6 ACL 'none' (ACL ID 255) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:2240)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Initializing policy
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Resetting web IPv4 acl from 255 to 255
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Resetting web IPv4 Flex acl from 65535 to 65535
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee Stopping deletion of Mobile Station: (callerId: 53)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) pemAdvanceState2 5761, Adding TMP rule
 *mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Adding Fast Path rule
 type = Airespace AP - Learn IP address
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL ID = 255, IP
 *mmListen: Nov 07 10:05:04.765: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *mmListen: Nov 07 10:05:04.765: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee 0.0.0.0 Added NPU entry of type 9, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:04.767: 54:26:96:3e:4b:ee Sent an XID frame
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 13, encap 0xec05)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP (encap type 0xec05) mstype 3ff:ff:ff:ff:ff:ff
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selecting relay 1 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 0.0.0.0  VLAN: 0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selected relay 1 - 192.168.80.1 (local address 192.168.99.1, gateway 192.168.99.254, VLAN 192, port 13)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP transmitting DHCP REQUEST (3)
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 1
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 5, flags: 0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 192.168.99.1
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP   requested ip: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selecting relay 2 - control block settings:
 dhcpServer: 0.0.0.0, dhcpNetmask: 0.0.0.0,
 dhcpGateway: 0.0.0.0, dhcpRelay: 192.168.99.1  VLAN: 192
 *DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selected relay 2 - NONE (server address 0.0.0.0,local address 0.0.0.0, gateway 192.168.99.254, VLAN 192, port 13)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP received op BOOTREPLY (2) (len 572,vlan 0, port 0, encap 0x0)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP setting server from ACK (server 192.168.80.1, yiaddr 192.168.99.5)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Static IP client associated to interface guest which can support client subnet.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) pemAdvanceState2 6671, Adding TMP rule
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Replacing Fast Path rule
 type = Airespace AP Client - ACL passthru
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Plumbing web-auth redirect rule due to user logout
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface guest.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface guest.
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP transmitting DHCP ACK (5)
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 0, flags: 0
 *DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.99.5
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Proxy Task: Nov 07 10:05:06.587: 54:26:96:3e:4b:ee DHCP   server id: 1.1.1.1  rcvd server id: 192.168.80.1
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee 192.168.99.5 Added NPU entry of type 2, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:06.589: 54:26:96:3e:4b:ee Sent an XID frame
 *ewmwebWebauth1: Nov 07 10:05:32.617: 54:26:96:3e:4b:ee Username entry (ttest) created for mobile, length = 5
 *ewmwebWebauth1: Nov 07 10:05:32.617: 54:26:96:3e:4b:ee Username entry (ttest) created in mscb for mobile, length = 5
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_REQD (8)
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee apfMsRunStateInc
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state WEBAUTH_NOL3SEC (14)
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee Session Timeout is 0 - not starting session timer for the mobile
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Reached PLUMBFASTPATH: from line 6559
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Replacing Fast Path rule
 type = Airespace AP Client
 on AP 00:00:00:00:00:00, slot 0, interface = 13, QOS = 0
 IPv4 ACL ID = 255, IPv6 ACL ID
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 15206  Local Bridging Vlan = 192, Local Bridging intf id = 13
 *ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) Successfully plumbed mobile rule (IPv4 ACL ID 255, IPv6 ACL ID 255, L2 ACL ID 255)
 *pemReceiveTask: Nov 07 10:05:32.626: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Anchor role
 *pemReceiveTask: Nov 07 10:05:32.626: 54:26:96:3e:4b:ee 192.168.99.5 Added NPU entry of type 1, dtlFlags 0x4
 *pemReceiveTask: Nov 07 10:05:32.627: 54:26:96:3e:4b:ee Sending a gratuitous ARP for 192.168.99.5, VLAN Id 192

Here are the complete logs from WLC2 CLI:

(WLC2) >debug client  54:26:96:3e:4b:ee
(WLC2) >*pemReceiveTask: Nov 07 10:00:16.787: 54:26:96:3e:4b:ee 0.0.0.0 Removed NPU entry.
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Adding mobile on LWAPP AP 00:22:bd:98:3a:30(1)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Association received from mobile on AP 00:22:bd:98:3a:30
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1633)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Applying site-specific IPv6 override for station 54:26:96:3e:4b:ee - vapId 4, site 'default-group', interface 'management'
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee Applying IPv6 Interface Policy for station 54:26:96:3e:4b:ee - vlan 80, interface id 0, interface 'management'
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee STA - rates (8): 140 18 152 36 176 72 96 108 0 0 0 0 0 0 0 0
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Initializing policy
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
 *apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 00:22:bd:98:3a:30 vapId 4 apVapId 4for this client
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Not Using WMM Compliance code qosCap 00
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 00:22:bd:98:3a:30 vapId 4 apVapId 4
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfMsAssoStateInc
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 54:26:96:3e:4b:ee on AP 00:22:bd:98:3a:30 from Idle to Associated
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Stopping deletion of Mobile Station: (callerId: 48)
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee Sending Assoc Response to station on BSSID 00:22:bd:98:3a:30 (status 0) ApVapId 4 Slot 1
 *apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee apfProcessAssocReq (apf_80211.c:5276) Changing state for mobile 54:26:96:3e:4b:ee on AP 00:22:bd:98:3a:30 from Associated to Associated
 *DHCP Socket Task: Nov 07 10:04:31.722: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:31.723: 54:26:96:3e:4b:ee DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
 *DHCP Socket Task: Nov 07 10:04:33.461: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:33.461: 54:26:96:3e:4b:ee DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee apfMsRunStateInc
 *apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Reached PLUMBFASTPATH: from line 4563
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Adding Fast Path rule
 type = Airespace AP Client
 on AP 00:22:bd:98:3a:30, slot 1, interface = 1, QOS = 0
 ACL Id = 255, Jumbo Frames = NO
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Fast Path rule (contd...) 802.1P = 0, DSCP = 0, TokenID = 1506  IPv6 Vlan = 80, IPv6 intf id = 0
 *apfReceiveTask: Nov 07 10:04:34.240: 54:26:96:3e:4b:ee 0.0.0.0 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
 *pemReceiveTask: Nov 07 10:04:34.243: 54:26:96:3e:4b:ee Set bi-dir guest tunnel for 54:26:96:3e:4b:ee as in Export Foreign role
 *pemReceiveTask: Nov 07 10:04:34.256: 54:26:96:3e:4b:ee 0.0.0.0 Added NPU entry of type 1, dtlFlags 0x4
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP received op BOOTREQUEST (1) (len 308,vlan 80, port 1, encap 0xec03)
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP processing DHCP REQUEST (3)
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   op: BOOTREQUEST, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 1280, flags: 0
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:04:36.055: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP   requested ip: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP successfully bridged packet to EoIP tunnel
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP received op BOOTREPLY (2) (len 312,vlan 80, port 1, encap 0xec05)
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP processing DHCP ACK (5)
 *DHCP Socket Task: Nov 07 10:04:36.060: 54:26:96:3e:4b:ee DHCP   op: BOOTREPLY, htype: Ethernet, hlen: 6, hops: 0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   xid: 0x761692a1 (1981190817), secs: 0, flags: 0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   chaddr: 54:26:96:3e:4b:ee
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   ciaddr: 0.0.0.0,  yiaddr: 192.168.99.5
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   siaddr: 0.0.0.0,  giaddr: 0.0.0.0
 *DHCP Socket Task: Nov 07 10:04:36.061: 54:26:96:3e:4b:ee DHCP   server id: 1.1.1.1  rcvd server id: 1.1.1.1
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee 192.168.99.5 RUN (20) DHCP Address Re-established
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
 *DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee DHCP success event for client. Clearing dhcp failure count for interface management.
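To make the two `debug client` captures above easier to audit, here is an added Python example (not part of the original post) that extracts the client state transitions, mobility role, DHCP handling and assigned address from each controller's output and checks them against what an auto-anchored web-auth WLAN should produce: the anchor (role ExpAnchor) relays DHCP and holds the client in WEBAUTH_REQD until login, while the foreign (role ExpForeign) only bridges DHCP into the EoIP tunnel. The embedded log lines are a constructed subset of the WLC1 and WLC2 output above.

```python
"""Summarise a WLC `debug client` capture for one auto-anchored guest client.

Added example, not from the original post; the log lines below are a
constructed subset of the WLC1 and WLC2 output above.
"""
import re

# Constructed subset of the WLC1 (anchor) debug output shown above.
ANCHOR_LOG = """\
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state START (0)
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state AUTHCHECK (2)
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state L2AUTHCOMPLETE (4)
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpAnchor, client state=APF_MS_STATE_ASSOCIATED
*mmListen: Nov 07 10:05:04.764: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Socket Task: Nov 07 10:05:06.583: 54:26:96:3e:4b:ee DHCP selected relay 1 - 192.168.80.1 (local address 192.168.99.1, gateway 192.168.99.254, VLAN 192, port 13)
*DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee 192.168.99.5 DHCP_REQD (7) Change state to WEBAUTH_REQD (8) last state DHCP_REQD (7)
*DHCP Proxy Task: Nov 07 10:05:06.586: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
*ewmwebWebauth1: Nov 07 10:05:32.617: 54:26:96:3e:4b:ee Username entry (ttest) created for mobile, length = 5
*ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_REQD (8) Change state to WEBAUTH_NOL3SEC (14) last state WEBAUTH_REQD (8)
*ewmwebWebauth1: Nov 07 10:05:32.618: 54:26:96:3e:4b:ee 192.168.99.5 WEBAUTH_NOL3SEC (14) Change state to RUN (20) last state WEBAUTH_NOL3SEC (14)
"""

# Constructed subset of the WLC2 (foreign) debug output shown above.
FOREIGN_LOG = """\
*apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
*apfMsConnTask_0: Nov 07 10:04:31.368: 54:26:96:3e:4b:ee 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
*apfMsConnTask_0: Nov 07 10:04:31.369: 54:26:96:3e:4b:ee 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
*DHCP Socket Task: Nov 07 10:04:31.723: 54:26:96:3e:4b:ee DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0,  mobility state = 'apfMsMmQueryRequested'
*apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=ExpForeign, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Nov 07 10:04:34.238: 54:26:96:3e:4b:ee 0.0.0.0 DHCP_REQD (7) Change state to RUN (20) last state RUN (20)
*DHCP Socket Task: Nov 07 10:04:36.056: 54:26:96:3e:4b:ee DHCP successfully bridged packet to EoIP tunnel
*DHCP Socket Task: Nov 07 10:04:36.062: 54:26:96:3e:4b:ee Assigning Address 192.168.99.5 to mobile
"""

STATE_RE = re.compile(r"Change state to (?P<new>[A-Z0-9_]+) \(\d+\)")
ROLE_RE = re.compile(r"mobility role=(?P<role>\w+)")
ADDR_RE = re.compile(r"Assigning Address (?P<ip>[\d.]+) to mobile")
RELAY_RE = re.compile(r"DHCP selected relay \d+ - (?P<server>[\d.]+) \(")
USER_RE = re.compile(r"Username entry \((?P<user>[^)]+)\) created for mobile")


def summarize_debug(text, client_mac):
    """Return a dict of what this controller did for client_mac."""
    s = {"states": [], "role": None, "ip": None, "dhcp_server": None,
         "user": None, "dropped_in_handshake": 0, "bridged_to_eoip": False}
    for line in text.splitlines():
        if client_mac not in line:
            continue  # tolerate captures that mix several clients
        m = STATE_RE.search(line)
        if m and (not s["states"] or s["states"][-1] != m.group("new")):
            s["states"].append(m.group("new"))  # collapse X -> X self-transitions
        for key, rx in (("role", ROLE_RE), ("ip", ADDR_RE),
                        ("dhcp_server", RELAY_RE), ("user", USER_RE)):
            m = rx.search(line)
            if m:
                s[key] = m.group(1)
        if "dropping packet due to ongoing mobility handshake" in line:
            s["dropped_in_handshake"] += 1
        if "bridged packet to EoIP tunnel" in line:
            s["bridged_to_eoip"] = True
    return s


def check_anchor(s):
    """Problems on the anchor side of the tunnel (empty list is good)."""
    problems = []
    if s["role"] != "ExpAnchor":
        problems.append("anchor role %r, expected ExpAnchor" % s["role"])
    # The anchor holds the client in WEBAUTH_REQD until the guest logs in.
    if "WEBAUTH_REQD" not in s["states"] or s["states"][-1] != "RUN":
        problems.append("anchor states %r, expected web auth then RUN" % s["states"])
    if s["dhcp_server"] is None or s["ip"] is None:
        problems.append("anchor did not relay DHCP and assign an address")
    if s["user"] is None:
        problems.append("no web-auth username recorded on the anchor")
    return problems


def check_foreign(s, anchor_assigned_ip):
    """Problems on the foreign side (empty list is good)."""
    problems = []
    if s["role"] != "ExpForeign":
        problems.append("foreign role %r, expected ExpForeign" % s["role"])
    # The foreign must not serve DHCP itself: it waits out the handshake, then bridges.
    if not s["bridged_to_eoip"]:
        problems.append("foreign never bridged DHCP into the EoIP tunnel")
    if "WEBAUTH_REQD" in s["states"]:
        problems.append("foreign ran web auth; it belongs on the anchor")
    if s["ip"] != anchor_assigned_ip:
        problems.append("foreign learned %r, anchor assigned %r" % (s["ip"], anchor_assigned_ip))
    return problems


def verify_sample():
    """Run both checks over the constructed logs; returns the problem list."""
    mac = "54:26:96:3e:4b:ee"
    anchor = summarize_debug(ANCHOR_LOG, mac)
    foreign = summarize_debug(FOREIGN_LOG, mac)
    return check_anchor(anchor) + check_foreign(foreign, anchor["ip"])
```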

WDS (Wireless Domain Service) Overview

In this post we will learn how to use an AP as the WDS device and what the benefits of using WDS in an autonomous environment are.

In the next post we will learn how to configure the AP with WDS as a local AAA server.

WDS is part of the Cisco Structured Wireless-Aware Network (SWAN). WDS is a set of Cisco IOS Software features that enhance WLAN client mobility and simplify WLAN deployment and management. It is very useful when we do not have a controller in our campus but still want RRM and fast roaming; in that case it is the best choice. WDS offers these features:

  • Fast secure roaming(CCKM)

CCKM (Cisco Centralized Key Management) enables clients and access points to cache and reuse keying material derived from a full 802.1X/EAP authentication. This lets clients roam between access points faster, without performing a full re-authentication.

The WDS device maintains a cache of credentials for CCKM-capable client devices on our wireless LAN. When a CCKM-capable client roams from one AP to another, the client sends a re-association request to the new AP, and the new AP relays the request to the WDS device. The WDS device forwards the client’s credentials to the new AP, and the new access point sends the re-association response to the client. Only two packets pass between the client and the new AP, greatly reducing the re-association time. The client also uses the re-association response to generate the unicast key.

  • Radio management

APs forward radio management information such as rogue APs, client associations and signal strength to the WDS device. The WDS device aggregates this information and forwards it to the Wireless LAN Solution Engine (WLSE) network management device for centralized logging and alerting. WDS also enables 802.11w management frame protection capability by providing a central point for key distribution and management across autonomous access points.

Requirements for WDS and Fast Secure Roaming

We must have these items:

  • At least one AP configured as the WDS device.
  • An authentication server or an AP configured as a local authenticator.
  • All other APs configured as infrastructure devices that use the WDS.

Points to remember:

  • If we are using an AP as the WDS device, either disable its radio interfaces or use an access point that does not serve a large number of client devices. If client devices associate to the WDS access point when it starts up, the clients might wait up to 10 minutes to be authenticated.
  • A WDS access point that also serves client devices supports up to 30 participating access points, but a WDS access point with radios disabled supports up to 60 participating access points.
  • Repeater APs do not support WDS. Do not configure a repeater access point as a WDS candidate, and do not configure a WDS access point to return (fall back) to repeater mode in case of Ethernet failure.

Communication and Tasks:

The WDS and the infrastructure APs communicate over a multicast protocol, WLCCP (Wireless LAN Context Control Protocol). These multicast messages cannot be routed. Therefore, a WDS and its associated infrastructure APs must be in the same IP subnetwork and on the same LAN segment.

The WDS AP performs these tasks:

  • Advertises WDS capability and participates in an election of the best WDS device for our WLAN.
  • When we configure our WLAN for WDS, we set up one device as the main WDS candidate and one or more additional devices as backup WDS candidates. If the main WDS device goes offline, one of the backup WDS devices takes the place of the main device.
  • Authenticates all APs in the subnetwork and establishes a secure communication channel with each of the APs.
  • Registers all client devices in the subnetwork, establishes session keys for the client devices, and caches the client security credentials.
  • When a client roams to another AP, the WDS device forwards the client security credentials to the new AP.
  • The main task of WDS is to cache the user credentials as soon as the authentication server authenticates the client for the first time. On subsequent attempts, WDS authenticates the client on the basis of the cached information.

Note: A single WDS AP can support a maximum of 60 infrastructure APs when the radio interface is disabled. The number drops to 30 if the AP that acts as the WDS AP also accepts client associations.

Note: A Wireless LAN Services Module (WLSM)-equipped switch supports up to 300 APs.

Note: WDS can perform authentication but not accounting.

Note: We cannot configure a 350 series AP as a WDS device, but we can configure a 350 series AP to use the WDS device.

Note: Make sure that the APs and the WDS are on the same subnet; otherwise it will not work (when a local AP acts as the WDS).

Note: If we are using a WLSM, we can install our APs at any location in the plant for Layer 3 mobility. (I don’t have a WLSM in my test lab so can’t say more about this.)

Make sure:

  • Backup WDS devices must exist in case the primary fails.
  • WDS clients authenticate to the WDS Primary using LEAP. Therefore, LEAP must be enabled in the AAA server performing authentication for WDS devices.
  • All wireless client authentications are performed by the WDS Primary when active.
  • WDS clients will revert to standalone mode if the WDS master fails, and CCKM fast roaming will not be available.
  • If a secondary WDS exists, then WDS clients will re-join the new WDS device and begin forwarding wireless client authentications again.
  • Network-EAP (LEAP) must be enabled on SSIDs performing CCKM fast roaming, even if wireless clients are authenticated using another EAP type.
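The requirements and limits listed above (at least one WDS candidate plus a backup, no repeater AP as a WDS candidate, the 30/60 participating-AP limits, LEAP enabled on the AAA server, and the same-subnet constraint that unrouted WLCCP multicast imposes) are easy to get wrong when planning a deployment. As an added example, not part of the original post and not a Cisco tool, here is a small Python checker that validates a planned deployment against exactly those constraints. The AP names and the 192.0.2.0/24 and 198.51.100.0/24 addresses in the two sample plans are constructed values.

```python
import ipaddress

# Constructed deployment plans for illustration (not from the post's lab).
# A WDS candidate entry: name, IP address with prefix, whether its radios
# serve clients, and whether it is a repeater AP.
GOOD_PLAN = {
    "wds_candidates": [
        {"name": "ap-wds-1", "address": "192.0.2.10/24", "radios_enabled": False, "repeater": False},
        {"name": "ap-wds-2", "address": "192.0.2.11/24", "radios_enabled": True, "repeater": False},
    ],
    "infrastructure_aps": [
        {"name": "ap-01", "address": "192.0.2.21"},
        {"name": "ap-02", "address": "192.0.2.22"},
        {"name": "ap-03", "address": "192.0.2.23"},
    ],
    "leap_enabled_on_aaa": True,
}

BAD_PLAN = {
    "wds_candidates": [
        {"name": "ap-wds-1", "address": "192.0.2.10/24", "radios_enabled": True, "repeater": True},
    ],
    "infrastructure_aps": [
        {"name": "ap-01", "address": "192.0.2.21"},
        {"name": "ap-02", "address": "192.0.2.22"},
        {"name": "ap-03", "address": "198.51.100.3"},   # different subnet from the WDS
    ],
    "leap_enabled_on_aaa": False,
}


def validate_wds_plan(plan):
    """Check a planned WDS deployment against the constraints listed above.
    Returns a list of findings; an empty list means no constraint is violated."""
    findings = []
    candidates = plan["wds_candidates"]
    aps = plan["infrastructure_aps"]
    if not candidates:
        return ["no AP is configured as a WDS candidate"]
    if len(candidates) < 2:
        findings.append("only one WDS candidate: if it fails, infrastructure APs fall back to "
                        "standalone mode and CCKM fast roaming stops")
    if not plan["leap_enabled_on_aaa"]:
        findings.append("LEAP is disabled on the AAA server, but infrastructure APs "
                        "authenticate to the WDS device with LEAP")
    for cand in candidates:
        if cand["repeater"]:
            findings.append(f"{cand['name']}: a repeater AP must not be a WDS candidate")
        # Capacity: 30 participating APs if the WDS also serves clients, 60 if radios are off.
        limit = 30 if cand["radios_enabled"] else 60
        if len(aps) > limit:
            radios = "enabled" if cand["radios_enabled"] else "disabled"
            findings.append(f"{cand['name']}: {len(aps)} participating APs exceeds the limit of "
                            f"{limit} for a WDS with radios {radios}")
        # WLCCP is multicast and is not routed: every infrastructure AP must share the WDS subnet.
        wds_net = ipaddress.ip_interface(cand["address"]).network
        for ap in aps:
            if ipaddress.ip_address(ap["address"]) not in wds_net:
                findings.append(f"{ap['name']} ({ap['address']}) is outside {wds_net}, so it cannot "
                                f"reach WDS candidate {cand['name']} over WLCCP multicast")
    return findings


if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, validate_wds_plan(plan) or ["ok"])
```

Running it prints no findings for the first plan and four for the second: a single candidate, LEAP disabled, a repeater as candidate, and one AP outside the WDS subnet.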

 

More info regarding WDS:

Configuring WDS

WDS on Cisco Autonomous AP

Mobility Test between Controllers

In this post we will test the mobility ping between 2 controllers.

You can check here: How to Configure Mobility on WLC

Controllers in a mobility list communicate with each other by exchanging control information over a well-known UDP port and exchanging data traffic through an Ethernet-over-IP (EoIP) tunnel. Because UDP and EoIP are not reliable transport mechanisms, there is no guarantee that a mobility control packet or data packet will be delivered to a mobility peer. Mobility packets may be lost in transit due to a firewall filtering the UDP port or the EoIP packets, or due to routing issues.

We can test the mobility communication environment by performing mobility ping tests. These tests may be used to validate connectivity between members of a mobility group.

There are two types of ping test:

Mobility ping over UDP: This test runs over the mobility UDP port 16666. It tests whether mobility control packets reach the peer over the management interface.

Mobility ping over EoIP: This test runs over EoIP (protocol 97). It tests the mobility data traffic over the management interface.

*** Only one mobility ping test per controller can be run at a given time.

These ping tests are not Internet Control Message Protocol (ICMP) based. The term “ping” is used to indicate an echo request and an echo reply message.

Check which WLCs are in mobility list:

(WLC1) >show mobility summary
 Symmetric Mobility Tunneling (current) .......... Enabled
 Symmetric Mobility Tunneling (after reboot) ..... Enabled
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Multicast Mode .................................. Disabled
 Mobility Domain ID for 802.11r................... 0x840e
 Mobility Keepalive Interval...................... 10
 Mobility Keepalive Count......................... 3
 Mobility Group Members Configured................ 2
 Mobility Control Message DSCP Value.............. 0
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up

 

To test the mobility UDP control packet communication between two controllers, enter this command: mping mobility_peer_IP_address

(WLC1) >mping 192.168.82.1
 Send count=3, Receive count=3 from 192.168.82.1
(WLC1) >

To test the mobility EoIP data packet communication between two controllers, enter this command: eping mobility_peer_IP_address

(WLC1) >eping 192.168.82.1
 Send count=3, Receive count=3 from 192.168.82.1
(WLC1) >
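As an added example (my code, not from the post or from Cisco), here is a Python helper that parses the show mobility summary member table and the mping/eping result lines shown above and turns them into one verdict per peer. The split between the two tests is what makes them useful for troubleshooting: a failing mping points at UDP 16666 being filtered or the peer being down, while a passing mping with a failing eping points at EoIP (protocol 97) being dropped somewhere between the management interfaces. The sample summary is modelled on the output above; the failing eping line is a constructed value.

```python
import re

# Constructed sample output, modelled on the show mobility summary / mping /
# eping text in this post; not captured from a real controller.
SHOW_MOBILITY_SUMMARY = """\
 Mobility Protocol Port........................... 16666
 Default Mobility Domain.......................... Test
 Mobility Group Members Configured................ 2
 Controllers configured in the Mobility Group
 MAC Address        IP Address       Group Name                        Multicast IP     Status
 00:21:d8:fa:66:00  192.168.80.1       Test                              0.0.0.0          Up
 00:21:d8:fa:fd:a0  192.168.82.1       Test                              0.0.0.0          Up
"""

MPING_OK = "Send count=3, Receive count=3 from 192.168.82.1"
EPING_OK = "Send count=3, Receive count=3 from 192.168.82.1"
EPING_FAIL = "Send count=3, Receive count=0 from 192.168.82.1"   # constructed failure case

# One row of the "Controllers configured in the Mobility Group" table.
MEMBER_RE = re.compile(
    r"^\s*(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<group>\S+)\s+"
    r"(?P<mcast>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<status>\S+)\s*$",
    re.IGNORECASE,
)
# Result line printed by both mping and eping.
PING_RE = re.compile(
    r"Send count=(?P<sent>\d+),\s*Receive count=(?P<recv>\d+)\s+from\s+(?P<peer>\S+)"
)


def parse_mobility_members(text):
    """Return one dict per controller row in 'show mobility summary'."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if m:
            members.append(m.groupdict())
    return members


def parse_ping(text):
    """Return (sent, received, peer) from an mping/eping result line."""
    m = PING_RE.search(text)
    if m is None:
        raise ValueError("unrecognised mping/eping output: %r" % text)
    return int(m.group("sent")), int(m.group("recv")), m.group("peer")


def assess_peer(mping_output, eping_output):
    """Combine the UDP control test and the EoIP data test into one verdict."""
    sent_c, recv_c, peer = parse_ping(mping_output)
    sent_d, recv_d, peer_d = parse_ping(eping_output)
    if peer != peer_d:
        raise ValueError("mping and eping results are for different peers")
    control_ok = sent_c > 0 and recv_c == sent_c
    data_ok = sent_d > 0 and recv_d == sent_d
    if control_ok and data_ok:
        verdict = "ok"
    elif control_ok:
        verdict = ("control ok, EoIP data path failing: check that protocol 97 "
                   "is permitted between the management interfaces")
    else:
        verdict = ("control path failing: check UDP 16666 between the management "
                   "interfaces and that the peer shows Up in the mobility group")
    return {"peer": peer, "control_ok": control_ok, "data_ok": data_ok, "verdict": verdict}


def check_mobility_group(summary_text, ping_results):
    """ping_results maps a peer IP to its (mping_output, eping_output) pair.
    Returns a list of (peer_ip, problem) tuples; an empty list means healthy."""
    problems = []
    for member in parse_mobility_members(summary_text):
        ip = member["ip"]
        if member["status"].lower() != "up":
            problems.append((ip, "mobility status %s" % member["status"]))
        if ip in ping_results:
            result = assess_peer(*ping_results[ip])
            if result["verdict"] != "ok":
                problems.append((ip, result["verdict"]))
    return problems


if __name__ == "__main__":
    for ip, problem in check_mobility_group(SHOW_MOBILITY_SUMMARY,
                                            {"192.168.82.1": (MPING_OK, EPING_FAIL)}):
        print(ip, "->", problem)
```

With the constructed failing eping, the checker reports the EoIP data path for 192.168.82.1 as the problem while the control path is fine, which is the signature of a firewall that permits UDP 16666 but drops protocol 97.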

Layer 3- Inter Controller Roaming

In this post we will see how Layer 3 (inter-subnet, inter-controller) roaming works on the controller.

Here is my topology:

L3Inter1

WLC1: 10.99.80.1, AP001 is connected to it
WLC2: 10.99.82.1, AP002 is connected to it.

If the client roams between APs registered to different controllers and the client WLAN on the two controllers is on different subnets, then an inter-subnet roam, or Layer 3 mobility event, takes place. For example, if a client is on WLAN-X on Controller-1 using VLANx and the client roams to WLAN-X on Controller-2, but WLAN-X on controller-2 is using VLANy, then an inter-subnet roam for that client occurs.

Inter-subnet roaming is similar to inter-controller roaming in that the controllers exchange mobility messages on the client roam. However, instead of moving the client database entry to the new controller, the original controller marks the client with an “Anchor” entry in its own client database. The database entry is copied to the new controller client database and marked with a “Foreign” entry in the new controller. The roam remains transparent to the wireless client, and the client maintains its original IP address.

In inter-subnet roaming, WLANs on both anchor and foreign controllers need to have the same network access privileges and no source-based routing or source-based firewalls in place. Otherwise, the clients may have network connectivity issues after the handoff.

Put another way:

When the client roams between them, the controllers still exchange mobility messages, but they handle the client database entry in a completely different manner. The original controller marks the client entry as Anchor, whereas the new controller marks the client entry as Foreign. The two controllers are now referred to as anchor and foreign, respectively. The client has no knowledge of this and retains its original IP address on the new controller. Traffic flow to and from the client on the network becomes asymmetrical. Traffic from the client is bridged directly to the wired network by the foreign controller. The foreign controller spoofs the IP and MAC address of the client. Traffic from the wired network to the client, however, is received by the original controller and sent to the new controller through an Ethernet over IP (EtherIP) tunnel to the new controller. The new controller then passes that traffic to the client.

If the client roams back to the original controller, the Anchor and Foreign markings are removed and the client database entry is deleted from the foreign controller. If the client should roam to a different foreign controller, the original anchor controller is maintained, and the foreign client entry is transferred to the new foreign controller.

First my client is already connected to AP001.

See the summary:

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP001          Associated    8              Yes  802.11a          1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... ab:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:22:bd:98:3a:38
 Connected For ................................... 22 secs
 Channel.......................................... 36
 IP Address....................................... 10.99.81.40
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intanchor
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 .
 (WLC1) >

Now, to remove the client from WLC1, I will reset AP001, because we want to see whether the client can roam to AP002 while keeping the same IP.

*** But make sure that the WLCs are set up for Anchor-Foreign mobility.

L3Inter2

So now our client has moved to AP002.

***It is important to remember that a Layer 3 mobility event occurs only when the interface assigned to the WLAN between the controllers is not the same. Whether or not the management interfaces of each controller are in the same subnet has no bearing on a client Layer 3 roaming event.

In a Layer 3 roaming scenario, traffic returning to the wireless client goes through the anchor WLC. The anchor WLC establishes an Ethernet-over-IP (EoIP) tunnel to forward client traffic to the foreign WLC, where it is then delivered to the client. All traffic originated by the client is forwarded out the VLAN interface to which the WLAN is mapped at the foreign WLC. The client’s original IP address and default gateway IP (MAC) address remain the same. All traffic, other than that which is destined for the local subnet, is forwarded to the default router, where the foreign WLC substitutes the client’s default gateway MAC address with the MAC address of the default gateway associated with the dynamic interface/VLAN at the foreign controller.

The following occurs when a client roams across a Layer 3 boundary:

  1. The client begins with a connection to AP001 on WLC 1.
  2. This creates an ANCHOR entry in WLC 1’s client database.
  3. As the client moves away from AP001 and begins association with AP002, WLC 2 sends a mobility announcement to its peers in the mobility group looking for the WLC with information for the client MAC address.
  4. WLC 1 responds to the announcement, handshakes, and ACKs.
  5. The client database entry for the roaming client is copied to WLC 2, and marked as FOREIGN.
  6. A simple key exchange is made between the client and AP, the client is added to WLC 2’s database, which is similar to the anchor controller’s entry, except that the client entry is marked as FOREIGN.
  7. Data being sent to the WLAN client is now EoIP tunneled from the anchor WLC to the foreign WLC.
  8. Data sent by the WLAN client is sent out a local interface VLAN at the foreign controller.


Once the client has moved, we see the entry on WLC1 marked as “Anchor”:

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee 10.99.82.1        Associated    8              Yes  Mobile           1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:00:00:00:00:00
 AP Name.......................................... N/A
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:00:00:00:00:07
 Connected For ................................... 140 secs
 Channel.......................................... N/A
 IP Address....................................... 10.99.81.40
 Association Id................................... 0
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Anchor
 Mobility Foreign IP Address...................... 10.99.82.1
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intanchor
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC1) >

 

Check the client entry as Foreign on WLC2:

(WLC2) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP002            Associated    8              Yes  802.11g          1    N/A
(WLC2) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:3a:99:14:13:70
 AP Name.......................................... AP002
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:3a:99:14:13:77
 Connected For ................................... 8 secs
 Channel.......................................... 1
 IP Address....................................... 10.99.81.40
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Foreign
 Mobility Anchor IP Address....................... 10.99.80.1
 Mobility Move Count.............................. 1
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ intforeign
 VLAN............................................. 84
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC2) >

Basic Workflow for Inter-Subnet Roaming:

L3 - Inter Controller Roaming

L3Inter3

Asymmetric Tunneling

To know more about the handoff we must see the logs from both WLCs:

Handoff logs from WLC1:

(WLC1) > debug mobility handoff enable
 (WLC1) >*mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee Mobility packet received from:
 *mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 25  seq: 101  len 116 flags 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 0.0.0.0, instance: 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   VLAN IP: 10.99.84.3, netmask: 255.255.255.0
 *mmListen: Jul 09 09:21:21.316: Switch IP: 10.99.82.1
 *mmListen: Jul 09 09:21:21.316: Vlan List payload not found, ignoring ...
 *mmListen: Jul 09 09:21:21.316: IP Address don't compare for client ab:26:96:3e:4b:ee is 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Handoff as Local, Client IP: 10.99.81.40 Anchor IP: 10.99.80.1
 *mmListen: Jul 09 09:21:21.316: Anchor Mac : 00.21.d8.fa.66.00
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Mobility packet sent to:
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 25  seq: 132  len 546 flags 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 10.99.81.40, instance: 0
 *mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   VLAN IP: 10.99.81.1, netmask: 255.255.255.0
 *apfReceiveTask: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Local to Anchor Peer = 10.99.82.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
 *apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) Plumbing duplex mobility tunnel to 10.99.82.1 as Anchor (VLAN 81)
 *apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff Indication (2), reason Client handoff successful - anchor released (1), PEM State RUN, Role Anchor(2)

Handoff logs from WLC2:

(WLC2) >debug mobility handoff enable
 (WLC2) >*Dot1x_NW_MsgTask_0: Jul 09 09:39:02.572: ab:26:96:3e:4b:ee Mobility query, PEM State: L2AUTHCOMPLETE
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee Mobility packet sent to:
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 22  seq: 89  len 116 flags 0
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.573: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 0.0.0.0, instance: 0
 *Dot1x_NW_MsgTask_0: Jul 09 09:39:02.574: ab:26:96:3e:4b:ee   VLAN IP: 10.99.84.3, netmask: 255.255.255.0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee Mobility packet received from:
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   10.99.80.1, port 16666
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 22  seq: 118  len 546 flags 0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   group id: d7f8a4f2 cb038b78 641818bb a26869b4
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 10.99.81.40, instance: 0
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee   VLAN IP: 10.99.81.1, netmask: 255.255.255.0
 *mmListen: Jul 09 09:39:02.575: Switch IP: 10.99.80.1
 *mmListen: Jul 09 09:39:02.575: Mobility handoff, NAC State Payload [ Client's NAC OOB State : Access, Quarantine VLAN :0, Access VLAN : 81 ]
 *mmListen: Jul 09 09:39:02.575: ab:26:96:3e:4b:ee Mobility handoff for client:Ip: 10.99.81.40 Anchor IP: 10.99.80.1, Peer IP: 10.99.80.1
 *apfReceiveTask: Jul 09 09:39:02.579: ab:26:96:3e:4b:ee Handoff confirm: Pre Handoff PEM State: RUN
 *apfReceiveTask: Jul 09 09:39:02.579: ab:26:96:3e:4b:ee   Pem State update: RUN(20), VAP Security mask 40004000,        IPsec len: 0, ACL Name: ''
 *apfReceiveTask: Jul 09 09:39:02.581: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Unassociated to Foreign Peer = 10.99.80.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) Plumbing duplex mobility tunnel to 10.99.80.1 as Foreign, (VLAN 84)
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee Configured Anchor for mobile ab:26:96:3e:4b:ee. Sending Igmp query
 *apfReceiveTask: Jul 09 09:39:02.583: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff (1), reason Handoff success (0), PEM State RUN, Role Foreign(3)
 *bcastReceiveTask: Jul 09 09:39:02.598: Sending IGMP query First Time to 00:3a:99:14:13:70 ap for mgid 5
 *bcastReceiveTask: Jul 09 09:39:02.598: Entry for ap  00:3a:99:14:13:70, IGMP query packet not queued for mgid 5... Enquing the Query packet...
 *bcastReceiveTask: Jul 09 09:39:03.456: Sending IGMP query to 00:3a:99:14:13:70 ap for mgid 5, Query count: 2
 *bcastReceiveTask: Jul 09 09:39:04.456: Sending IGMP query to 00:3a:99:14:13:70 ap for mgid 5, Query count: 1
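The two debug captures above carry the whole handoff, but it is spread over many lines: the MobileAnnounce with the client IP still 0.0.0.0, the MobileHandoff that carries the real client IP back, the role update and the final Mobility Response. As an added example (my code, not from the post or from Cisco), here is a Python reducer that groups debug mobility handoff output into packets and role events and summarises what an operator checks after a roam: both peers are the same controller, the handoff carried the client's IP, every packet used UDP 16666, and the controller ended in a definite role. The sample log is a subset of the WLC1 capture above with the CLI prompt removed; the behaviour on any other input is an assumption of this parser, not documented controller output.

```python
import re

# Sample taken from the WLC1 "debug mobility handoff" output shown above
# (the "(WLC1) >" prompt and a few non-essential lines removed).
SAMPLE_LOG = """\
*mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee Mobility packet received from:
*mmListen: Jul 09 09:21:21.315: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 3(MobileAnnounce)  subtype: 0  version: 1  xid: 25  seq: 101  len 116 flags 0
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 0.0.0.0, instance: 0
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee Mobility packet sent to:
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   10.99.82.1, port 16666
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   type: 5(MobileHandoff)  subtype: 0  version: 1  xid: 25  seq: 132  len 546 flags 0
*mmListen: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee   mobile MAC: ab:26:96:3e:4b:ee, IP: 10.99.81.40, instance: 0
*apfReceiveTask: Jul 09 09:21:21.316: ab:26:96:3e:4b:ee 10.99.81.40 RUN (20) mobility role update request from Local to Anchor Peer = 10.99.82.1, Old Anchor = 10.99.80.1, New Anchor = 10.99.80.1
*apfReceiveTask: Jul 09 09:21:21.318: ab:26:96:3e:4b:ee Mobility Response: IP 10.99.81.40 code Handoff Indication (2), reason Client handoff successful - anchor released (1), PEM State RUN, Role Anchor(2)
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
PKT_START = re.compile(rf"(?P<mac>{MAC}) Mobility packet (?P<dir>received from|sent to):")
PEER = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}), port (?P<port>\d+)")
PTYPE = re.compile(r"type: \d+\((?P<name>\w+)\)")
MOBILE = re.compile(rf"mobile MAC: (?P<mac>{MAC}), IP: (?P<ip>\S+),")
ROLE = re.compile(r"mobility role update request from (?P<old>\w+) to (?P<new>\w+) Peer = (?P<peer>\S+),")
RESP = re.compile(r"Mobility Response: IP (?P<ip>\S+) code (?P<code>.+?) \(\d+\), "
                  r"reason (?P<reason>.+?) \(\d+\), PEM State (?P<pem>\w+), Role (?P<role>\w+)\(")


def parse_handoff_debug(text):
    """Group the per-line debug output into mobility packets and role events.
    The lines that follow a 'Mobility packet ...' header describe that packet."""
    packets, events = [], []
    current = None
    for line in text.splitlines():
        m = PKT_START.search(line)
        if m:
            current = {"client": m.group("mac"),
                       "direction": "rx" if m.group("dir") == "received from" else "tx"}
            packets.append(current)
            continue
        m = ROLE.search(line)
        if m:
            events.append({"event": "role", "old": m.group("old"), "new": m.group("new"),
                           "peer": m.group("peer")})
            continue
        m = RESP.search(line)
        if m:
            events.append({"event": "response", "code": m.group("code"),
                           "reason": m.group("reason"), "role": m.group("role")})
            continue
        if current is None:
            continue
        if (m := PEER.search(line)) and "peer" not in current:
            current["peer"], current["port"] = m.group("ip"), int(m.group("port"))
        elif (m := PTYPE.search(line)) and "type" not in current:
            current["type"] = m.group("name")
        elif (m := MOBILE.search(line)) and "mobile_ip" not in current:
            current["mobile_ip"] = m.group("ip")
    return packets, events


def summarize_roam(text):
    """Reduce one controller's handoff debug to the facts an operator checks
    and a list of anything that looks wrong (empty when the roam is clean)."""
    packets, events = parse_handoff_debug(text)
    s = {"client": None, "announce_peer": None, "handoff_peer": None,
         "client_ip": None, "final_role": None, "problems": []}
    for p in packets:
        s["client"] = p["client"]
        if p.get("port") not in (None, 16666):     # mobility control uses UDP 16666
            s["problems"].append(f"mobility packet on unexpected port {p['port']}")
        if p.get("type") == "MobileAnnounce":
            s["announce_peer"] = p.get("peer")
        elif p.get("type") == "MobileHandoff":
            s["handoff_peer"] = p.get("peer")
            s["client_ip"] = p.get("mobile_ip")   # the handoff carries the client's real IP
    for e in events:
        if e["event"] == "role":
            s["final_role"] = e["new"]
        else:
            s["final_role"] = e["role"]
            if "success" not in e["reason"].lower():
                s["problems"].append("handoff response reason: " + e["reason"])
    if s["announce_peer"] and s["handoff_peer"] and s["announce_peer"] != s["handoff_peer"]:
        s["problems"].append("announce and handoff peers differ")
    if s["client_ip"] in (None, "0.0.0.0"):
        s["problems"].append("handoff did not carry the client's IP address")
    if s["final_role"] is None:
        s["problems"].append("no mobility role seen in the debug")
    return s


if __name__ == "__main__":
    print(summarize_roam(SAMPLE_LOG))
```

On the sample, the summary shows the announce and handoff both with peer 10.99.82.1, client IP 10.99.81.40 carried in the handoff, final role Anchor, and no problems; running the same reducer over the WLC2 capture should end in role Foreign with the same client IP, which is the quick way to confirm the roam kept the address.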

Layer 2 - Inter Controller Roaming

In this post we will see Layer 2 roaming between controllers.

Inter-controller roaming occurs when a client roams between two APs registered to two different controllers, where each controller has an interface in the client subnet. When a client roams between controllers on the same subnet, the controllers exchange mobility messages, and the client database entry is transferred from the original controller to the new controller. Client traffic then flows through the new controller on to the network just like it did on the original controller.

My Topology

L2Inter1

Basic Workflow of inter controller roaming:

L2 - Inter Controller Roaming

L2Inter2

My client is already connected to WLC1. See the output from WLC1:

(WLC1) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP001             Associated    8              Yes   802.11a          1    N/A
(WLC1) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:22:bd:98:3a:30
 AP Name.......................................... AP001
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:22:bd:98:3a:38
 Connected For ................................... 12 secs
 Channel.......................................... 36
 IP Address....................................... 10.99.81.22
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ interwlc
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 .
 (WLC1) >
  

Now I will reset AP001 to disconnect my client forcefully and check the roaming.

Go to Wireless > All AP and then click on AP001 > Reset AP Now.

L2Inter3

Once AP001 resets, our client will roam to another AP (AP002).

See the output on WLC2 for the client that moved:

(WLC2) >show client summary
 Number of Clients................................ 1
 MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
 ----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
 ab:26:96:3e:4b:ee AP002             Associated    8              Yes  802.11g          1    N/A
(99CWLAN2) >show client detail ab:26:96:3e:4b:ee
 Client MAC Address............................... ab:26:96:3e:4b:ee
 Client Username ................................. N/A
 AP MAC Address................................... 00:3a:99:14:13:70
 AP Name.......................................... AP002
 Client State..................................... Associated
 Client NAC OOB State............................. Access
 Wireless LAN Id.................................. 8
 BSSID............................................ 00:3a:99:14:13:77
 Connected For ................................... 21 secs
 Channel.......................................... 1
 IP Address....................................... 10.99.81.22
 Association Id................................... 1
 Authentication Algorithm......................... Open System
 Reason Code...................................... 1
 Status Code...................................... 0
 Session Timeout.................................. 0
 Client CCX version............................... No CCX support
 QoS Level........................................ Silver
 802.1P Priority Tag.............................. disabled
 WMM Support...................................... Enabled
 Power Save....................................... OFF
 Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,12.0,18.0,24.0,36.0,48.0,54.0
 Mobility State................................... Local
 Mobility Move Count.............................. 0
 Security Policy Completed........................ Yes
 Policy Manager State............................. RUN
 Policy Manager Rule Created...................... Yes
 ACL Name......................................... none
 ACL Applied Status............................... Unavailable
 Policy Type...................................... WPA2
 Authentication Key Management.................... PSK
 Encryption Cipher................................ CCMP (AES)
 Management Frame Protection...................... No
 EAP Type......................................... Unknown
 Interface........................................ interwlc
 VLAN............................................. 81
 Quarantine VLAN.................................. 0
 Access VLAN...................................... 81
 Client Capabilities:
 .
 .
 (WLC2) >
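The show client detail outputs in the Layer 3 post (Anchor on WLC1, Foreign on WLC2) and in this Layer 2 post (Local on both, with the entry simply moving) differ in exactly the fields that tell the two roam types apart: Mobility State, the Mobility Anchor/Foreign IP Address lines, and whether the WLAN maps to the same interface and VLAN on both controllers. As an added example covering both posts (my code, not from the posts or from Cisco), here is a Python checker that parses two such outputs and cross-checks them: the client MAC and IP must match, an Anchor/Foreign pair must point at each other and must sit on different interfaces, and a Local/Local pair must sit on the same interface. The sample excerpts reproduce the field values from the outputs above as constructed data; the controller addresses 10.99.80.1 and 10.99.82.1 are taken from the Layer 3 post and assumed for the Layer 2 one.

```python
import re

# Excerpts in the format of the "show client detail" output shown in the two
# roaming posts above; the field values follow those outputs but are
# reproduced here as constructed sample data.
L3_ANCHOR_WLC1 = """\
 Client MAC Address............................... ab:26:96:3e:4b:ee
 AP Name.......................................... N/A
 IP Address....................................... 10.99.81.40
 Mobility State................................... Anchor
 Mobility Foreign IP Address...................... 10.99.82.1
 Interface........................................ intanchor
 VLAN............................................. 81
"""
L3_FOREIGN_WLC2 = """\
 Client MAC Address............................... ab:26:96:3e:4b:ee
 AP Name.......................................... AP002
 IP Address....................................... 10.99.81.40
 Mobility State................................... Foreign
 Mobility Anchor IP Address....................... 10.99.80.1
 Interface........................................ intforeign
 VLAN............................................. 84
"""
L2_BEFORE_WLC1 = """\
 Client MAC Address............................... ab:26:96:3e:4b:ee
 AP Name.......................................... AP001
 IP Address....................................... 10.99.81.22
 Mobility State................................... Local
 Interface........................................ interwlc
 VLAN............................................. 81
"""
L2_AFTER_WLC2 = """\
 Client MAC Address............................... ab:26:96:3e:4b:ee
 AP Name.......................................... AP002
 IP Address....................................... 10.99.81.22
 Mobility State................................... Local
 Interface........................................ interwlc
 VLAN............................................. 81
"""

# "Key.......... value" lines; keys may themselves contain a dot (802.1P ...).
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s*\.{3,}\s*(?P<value>.*?)\s*$")


def parse_client_detail(text):
    """Turn the dotted key/value lines of 'show client detail' into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def classify_roam(before_text, after_text, before_wlc_ip, after_wlc_ip):
    """Compare the client's entry on the controller it left (for an L3 roam,
    the anchor) with its entry on the controller it joined. Returns the roam
    type and a list of inconsistencies (empty when the pair is consistent)."""
    b, a = parse_client_detail(before_text), parse_client_detail(after_text)
    findings = []
    if b.get("Client MAC Address") != a.get("Client MAC Address"):
        findings.append("the two entries are not for the same client")
    if b.get("IP Address") != a.get("IP Address"):
        findings.append("client IP address changed across the roam")
    # An L3 mobility event happens only when the WLAN maps to different interfaces.
    same_interface = (b.get("Interface"), b.get("VLAN")) == (a.get("Interface"), a.get("VLAN"))
    states = (b.get("Mobility State"), a.get("Mobility State"))
    if states == ("Anchor", "Foreign"):
        roam_type = "L3"
        if b.get("Mobility Foreign IP Address") != after_wlc_ip:
            findings.append("anchor entry does not point at the foreign controller")
        if a.get("Mobility Anchor IP Address") != before_wlc_ip:
            findings.append("foreign entry does not point at the anchor controller")
        if same_interface:
            findings.append("Anchor/Foreign entries although the WLAN maps to the same "
                            "interface on both controllers")
    elif states == ("Local", "Local"):
        roam_type = "L2"
        if not same_interface:
            findings.append("entry moved as Local although the WLAN interface differs; "
                            "expected an Anchor/Foreign (L3) roam")
    else:
        roam_type = "unknown"
        findings.append(f"unexpected mobility state pair {states}")
    return {"roam_type": roam_type, "findings": findings}


if __name__ == "__main__":
    print(classify_roam(L3_ANCHOR_WLC1, L3_FOREIGN_WLC2, "10.99.80.1", "10.99.82.1"))
    print(classify_roam(L2_BEFORE_WLC1, L2_AFTER_WLC2, "10.99.80.1", "10.99.82.1"))
```

The first call classifies the pair as an L3 roam with no findings (client kept 10.99.81.40, the anchor points at 10.99.82.1 and the foreign at 10.99.80.1, and the VLANs differ: 81 versus 84); the second classifies the pair as an L2 roam, since both entries are Local on the same interwlc/VLAN 81 interface.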

 

Intra-Controller Roaming

If a client roams between APs on the same controller, it is called an intra-controller mobility event. Intra-controller roaming is the simplest case, in that all the controller needs to do is update the database with the AP association and establish new security contexts if necessary. Basically, the Layer 3-related mobility is handled by the controller, and the link layer mobility is handled by the AP. As the client roams, the controller updates the client state. The client traffic then flows through the new AP’s LWAPP/CAPWAP tunnel to the controller and out on the network. Figure 9-1 illustrates an intra-controller roam.

Intra Controller Roaming

I will not go into detail on this because it is the simplest kind of roaming 🙂

More info about Roaming, please visit this post: Mobility Basics