In this post we will see how L3 Inter-Controller Mobility works. I have slightly changed my topology to test it. Notice that I have assigned different interfaces (Vlan 12 & Vlan 14) to the “guest” WLAN on the two controllers. Therefore, when the client moves from LWAP-02 to LWAP-03, an Anchor-Foreign mobility relationship has to be maintained so that the client keeps its original IP.
First, I will make sure my C7925 client is on WLC1 with a vlan 14 IP. You can check the client details as shown here. The output is not complete; it is filtered down to the required information.
(WLC1) >show client summary
Number of Clients................................ 2
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:1b:d4:58:e6:1a LWAP-02           Associated    4              Yes  802.11a          1    No
04:f7:e4:ea:5b:66 LWAP-02           Associated    4              Yes  802.11n(5 GHz)   1    No

(WLC1) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 54:75:d0:3e:80:b0
AP Name.......................................... LWAP-02
Client State..................................... Associated
Wireless LAN Id.................................. 4
.
IP Address....................................... 10.10.14.54
Association Id................................... 3
.
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs....................................... BK(T/D) BE(T/D) VI(T/D) VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
.
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan14
VLAN............................................. 14
Quarantine VLAN.................................. 0
Access VLAN...................................... 14
Now I will remove this client from WLC1. The client will de-authenticate from LWAP-02 & associate to LWAP-03, but because the “guest” WLAN is on a different subnet (Vlan 12) in WLC2, the WLCs have to set up an Anchor-Foreign relationship. WLC1 sends a copy of the client database entry to WLC2; WLC1 marks its entry as “Anchor” & WLC2 marks its entry as “Foreign”.
Once the client has moved, you still see its entry in WLC1, marked as “Anchor”.
(WLC1) >show client summary
Number of Clients................................ 2
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:1b:d4:58:e6:1a 10.10.112.10      Associated    4              Yes  Mobile           1    No
04:f7:e4:ea:5b:66 10.10.112.10      Associated    4              Yes  Mobile           1    No

(WLC1) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 00:00:00:00:00:03
Connected For ................................... 315 secs
Channel.......................................... N/A
IP Address....................................... 10.10.14.54
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 86114
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs....................................... BK(T/D) BE(T/D) VI(T/D) VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... PEAP
Interface........................................ vlan14
VLAN............................................. 14
If you go to WLC2, you can see the client entry marked as “Foreign”.
(WLC2) >show client summary
Number of Clients................................ 2
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:1b:d4:58:e6:1a LWAP-03           Associated    4              Yes  802.11a          29   No
04:f7:e4:ea:5b:66 LWAP-03           Associated    4              Yes  802.11n(5 GHz)   29   No

(WLC2) >show client detail 00:1b:d4:58:e6:1a
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
AP MAC Address................................... 64:a0:e7:af:47:40
AP Name.......................................... LWAP-03
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
BSSID............................................ 64:a0:e7:af:47:4c
Connected For ................................... 59 secs
Channel.......................................... 40
IP Address....................................... 10.10.14.54
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 5
Client E2E version............................... No E2E support
Diagnostics Capability........................... Not Supported
S69 Capability................................... Not Supported
Re-Authentication Timeout........................ 86070
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Enabled
APSD ACs....................................... BK(T/D) BE(T/D) VI(T/D) VO(T/D)
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 24.0,36.0,48.0,54.0
Mobility State................................... Foreign
Mobility Anchor IP Address....................... 10.10.111.10
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... WPA2
Authentication Key Management.................... CCKM
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... 0
Interface........................................ vlan12
VLAN............................................. 12
Note that even though the client is on vlan 12 in WLC2, it still keeps its previous vlan 14 IP. Also note the difference in the client association protocol shown on the two controllers: on the Anchor it is shown as “Mobile”, whereas on the Foreign it shows “802.11a” for my client. In this roaming scenario the PoA (Point of Association) has moved to WLC2 (Foreign), whereas the PoP (Point of Presence) is still on WLC1 (Anchor). Therefore client traffic goes Foreign -> Anchor -> Wired Network.
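The Anchor/Foreign pairing described above can be checked mechanically from the two "show client detail" outputs. The Python below is an added example, not part of the original post: the function names are hypothetical, the sample fields are copied from the outputs on this page, and the controller management IPs (10.10.111.10 for WLC1, 10.10.112.10 for WLC2) and the /24 anchor subnet are read off those same outputs.

```python
import ipaddress
import re

# Fields copied from the "show client detail" outputs on this page
# (WLC1 after the roam = anchor side, WLC2 = foreign side).
ANCHOR_SIDE = """\
Client MAC Address............................... 00:1b:d4:58:e6:1a
Client Username ................................. user2
.
IP Address....................................... 10.10.14.54
802.1P Priority Tag.............................. 6
Mobility State................................... Anchor
Mobility Foreign IP Address...................... 10.10.112.10
Interface........................................ vlan14
"""
FOREIGN_SIDE = """\
Client MAC Address............................... 00:1b:d4:58:e6:1a
IP Address....................................... 10.10.14.54
Mobility State................................... Foreign
Mobility Anchor IP Address....................... 10.10.111.10
Interface........................................ vlan12
"""

# "Key<optional space><two or more dots> value"; single dots inside a key
# (802.1P) or a value (an IP address) do not split the line.
FIELD = re.compile(r"^(?P<key>.+?)\s*\.{2,}\s*(?P<val>.*)$")


def parse_detail(text):
    """Turn 'Key....... value' lines into a dict; other lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("val").strip()
    return fields


def check_l3_roam(anchor, foreign, anchor_wlc_ip, foreign_wlc_ip, anchor_subnet):
    """Return a list of problems; an empty list means a consistent L3 roam."""
    problems = []
    if anchor.get("Client MAC Address") != foreign.get("Client MAC Address"):
        problems.append("entries belong to different clients")
    if anchor.get("Mobility State") != "Anchor":
        problems.append("original controller is not Anchor")
    if foreign.get("Mobility State") != "Foreign":
        problems.append("new controller is not Foreign")
    if anchor.get("Mobility Foreign IP Address") != foreign_wlc_ip:
        problems.append("anchor entry does not point at the foreign controller")
    if foreign.get("Mobility Anchor IP Address") != anchor_wlc_ip:
        problems.append("foreign entry does not point at the anchor controller")
    # The client must keep the address it got on the anchor's interface.
    client_ip = foreign.get("IP Address") or "0.0.0.0"
    if client_ip != anchor.get("IP Address"):
        problems.append("client IP differs between controllers")
    if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(anchor_subnet):
        problems.append("client IP is outside the anchor subnet")
    return problems


if __name__ == "__main__":
    result = check_l3_roam(parse_detail(ANCHOR_SIDE), parse_detail(FOREIGN_SIDE),
                           "10.10.111.10", "10.10.112.10", "10.10.14.0/24")
    print(result or "consistent Anchor/Foreign L3 roam")
```

A client that shows "Local" on the new controller with an address from the new VLAN fails the last four checks, which is the symptom of a roam that was not anchored.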
If you want to understand this in great detail, you can run debug commands to verify the exact process of L3 client roaming. Here is the debug output on WLC2 (when the client roams from WLC2 to WLC1). I do not think I have time to go into that level 😀 & my objective is to pass the CCIE lab.
(WLC2) >debug client 00:1b:d4:58:e6:1a
(WLC2) >debug mobility handoff enable
(WLC2) >*mmListen: Mar 17 00:05:53.182: Mobility packet received from:
*mmListen: Mar 17 00:05:53.183: 10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.183: type: 12(PMK-Update) subtype: 0 version: 1 xid: 53 seq: 884 len 461 flags 0
*mmListen: Mar 17 00:05:53.183: group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 00:05:53.183: Switch IP: 10.10.111.10
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a Received PMK-update from 10.10.111.10 for station
*mmListen: Mar 17 00:05:53.183: CCKM: Creating CCKM cache entry(version 2) on receiving message from mobility
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a Updating userName from 10.10.111.10
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a Updating CCKM Cache from 10.10.111.10
*mmListen: Mar 17 00:05:53.183: 00:1b:d4:58:e6:1a CCKM: Sending cache add
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet received from:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a 10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 54 seq: 885 len 116 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*mmListen: Mar 17 00:05:53.194: Switch IP: 10.10.111.10
*mmListen: Mar 17 00:05:53.194: Vlan List payload not found, ignoring ...
*mmListen: Mar 17 00:05:53.194: IP Address don't compare for client 00:1b:d4:58:e6:1a is 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Anchored to Local Handoff as Foreign(3), Client IP: 10.10.14.54 Anchor IP: 0.0.0.0
*mmListen: Mar 17 00:05:53.194: Anchor Mac : 00.00.00.00.00.00
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet sent to:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a 10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a type: 5(MobileHandoff) subtype: 0 version: 1 xid: 54 seq: 97 len 618 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 1
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a VLAN IP: 10.10.12.15, netmask: 255.255.255.0
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) State Update from Mobility-Complete to Mobility-Incomplete
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a Mobile 00:1b:d4:58:e6:1a associated with another AP elsewhere, delete mobile
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) mobility role update request from Foreign to Handoff Peer = 10.10.111.10, Old Anchor = 10.10.111.10, New Anchor = 0.0.0.0
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a Clearing Address 10.10.14.54 on mobile
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsRunStateDec
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Change state to DHCP_REQD (7) last state RUN (20)
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMmProcessDeleteMobile (apf_mm.c:548) Expiring Mobile!
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a Mobility Response: IP 0.0.0.0 code Handoff Indication (2), reason Client handoff successful - anchor retained (0), PEM State DHCP_REQD, Role Handoff(6)
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:1b:d4:58:e6:1a on AP 64:a0:e7:af:47:40 from Associated to Disassociated
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsAssoStateDec
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:1b:d4:58:e6:1a on AP 64:a0:e7:af:47:40 from Disassociated to Idle
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [64:a0:e7:af:47:40]
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a Username entry deleted for mobile
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a apfMs1xStateDec
*apfReceiveTask: Mar 17 00:05:53.196: 00:1b:d4:58:e6:1a Deleting mobile on AP 64:a0:e7:af:47:40(1)
*pemReceiveTask: Mar 17 00:05:53.203: 00:1b:d4:58:e6:1a 0.0.0.0 Removed NPU entry.
*mmListen: Mar 17 00:05:53.681: Switch IP: 10.10.111.10
*mmListen: Mar 17 00:05:53.681: Vlan List payload not found, ignoring ...
*mmListen: Mar 17 00:05:53.681: IP Address don't compare for client 04:f7:e4:ea:5b:66 is 0
*mmListen: Mar 17 00:05:53.681: Anchor Mac : 00.00.00.00.00.00
*spamReceiveTask: Mar 17 00:06:11.148: Mobility packet sent to:
*spamReceiveTask: Mar 17 00:06:11.148: 10.10.111.10, port 16666
*spamReceiveTask: Mar 17 00:06:11.148: type: 19(ApListUpdate) subtype: 0 version: 1 xid: 96 seq: 100 len 52 flags 0
*spamReceiveTask: Mar 17 00:06:11.148: group id: fe2f34f3 9b7a7cea 68f48181 316db999
*spamReceiveTask: Mar 17 00:06:11.149: 1 ap-list-update groupcast messages sent
*spamReceiveTask: Mar 17 00:08:03.478: Mobility packet sent to:
*spamReceiveTask: Mar 17 00:08:03.478: 10.10.111.10, port 16666
*spamReceiveTask: Mar 17 00:08:03.478: type: 19(ApListUpdate) subtype: 0 version: 1 xid: 101 seq: 105 len 52 flags 0
*spamReceiveTask: Mar 17 00:08:03.478: group id: fe2f34f3 9b7a7cea 68f48181 316db999
Here is the debug output from WLC1, where the client moved to.
(WLC1) >debug client 00:1b:d4:58:e6:1a
(WLC1) >debug mobility handoff enable
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Starting key exchange to mobile 00:1b:d4:58:e6:1a, data packets will be dropped
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Sending EAPOL-Key Message to mobile 00:1b:d4:58:e6:1a state INITPMK (message 1), replay counter 00.00.00.00.00.00.00.00
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Entering Backend Auth Success state (id=171) for mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a Received Auth Success while in Authenticating state for mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.252: 00:1b:d4:58:e6:1a dot1x - moving mobile 00:1b:d4:58:e6:1a into Authenticated state
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a Received EAPOL-Key from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a Received EAPOL-key in PTK_START state (message 2) from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a CCKM: Sending cache add
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: CCKM: Sending CCKM PMK (Version_1) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: 00:1b:d4:58:e6:1a 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: CCKM: Sending CCKM PMK (Version_2) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.268: Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: type: 12(PMK-Update) subtype: 0 version: 1 xid: 53 seq: 884 len 461 flags 0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: group id: fe2f34f3 9b7a7cea 68f48181 316db999
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 00:1b:d4:58:e6:1a 1 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 00:1b:d4:58:e6:1a Stopping retransmission timer for mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.269: 00:1b:d4:58:e6:1a Sending EAPOL-Key Message to mobile 00:1b:d4:58:e6:1a state PTKINITNEGOTIATING (message 3), replay counter 00.00.00.00.00.00.00.01
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Received EAPOL-Key from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Received EAPOL-key in PTKINITNEGOTIATING state (message 4) from mobile 00:1b:d4:58:e6:1a
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a apfMs1xStateInc
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.14.54 8021X_REQD (3) Change state to L2AUTHCOMPLETE (4) last state RUN (20)
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Mobility query, PEM State: L2AUTHCOMPLETE
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) State Update from Mobility-Complete to Mobility-Incomplete
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: Unicast MWAR IP: 10.10.112.10: intra-group
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 54 seq: 885 len 116 flags 0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a group id: fe2f34f3 9b7a7cea 68f48181 316db999
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) DHCP required on AP 54:75:d0:3e:80:b0 vapId 4 apVapId 4for this client
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.280: 00:1b:d4:58:e6:1a Not Using WMM Compliance code qosCap 0f
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 54:75:d0:3e:80:b0 vapId 4 apVapId 4
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a apfMsRunStateInc
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a 10.10.14.54 L2AUTHCOMPLETE (4) Change state to RUN (20) last state RUN (20)
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a Mobility packet received from:
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a 10.10.112.10, port 16666
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a type: 5(MobileHandoff) subtype: 0 version: 1 xid: 54 seq: 97 len 618 flags 0
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a mobile MAC: 00:1b:d4:58:e6:1a, IP: 10.10.14.54, instance: 1
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a VLAN IP: 10.10.12.15, netmask: 255.255.255.0
*mmListen: Mar 17 11:03:18.281: Switch IP: 10.10.112.10
*mmListen: Mar 17 11:03:18.281: Mobility handoff, NAC State Payload [ Client's NAC OOB State : Access, Quarantine VLAN :0, Access VLAN : 14 ]
*mmListen: Mar 17 11:03:18.281: 00:1b:d4:58:e6:1a Mobility handoff for client: Ip: 10.10.14.54 Anchor IP: 0.0.0.0, Peer IP: 10.10.112.10
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Reached PLUMBFASTPATH: from line 4864
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Change state to RUN (20) last state RUN (20)
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Stopping retransmission timer for mobile 00:1b:d4:58:e6:1a
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Handoff confirm: Pre Handoff PEM State: RUN
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Pem State update: RUN(20), VAP Security mask 4000, IPsec len: 0, ACL Name: ''
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Applying post-handoff policy for station 00:1b:d4:58:e6:1a - valid mask 0x0
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a QOS Level: -1, DSCP: -1, dot1p: -1, Data Avg: -1, realtime Avg: -1, Data Burst -1, Realtime Burst -1
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Session: -1, User session: -1, User elapsed -1 Interface: N/A ACL: N/A
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Change state to RUN (20) last state RUN (20)
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Stopping deletion of Mobile Station: (callerId: 55)
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Delete the client from prev. foreign : 10.10.112.10
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) mobility role update request from Anchor to Local Peer = 10.10.112.10, Old Anchor = 10.10.111.10, New Anchor = 10.10.111.10
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) State Update from Mobility-Incomplete to Mobility-Complete, mobility role=Local, client state=APF_MS_STATE_ASSOCIATED
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Reached PLUMBFASTPATH: from line 4495
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Replacing Fast Path rule type = Airespace AP Client on AP 54:75:d0:3e:80:b0, slot 1, interface = 1, QOS = 2 ACL Id = 255, Jumbo Frames = NO
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Fast Path rule (contd...) 802.1P = 6, DSCP = 0, TokenID = 5006 IPv6 Vlan = 14, IPv6 intf id = 11
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) Successfully plumbed mobile rule (ACL ID 255)
*apfReceiveTask: Mar 17 11:03:18.282: 00:1b:d4:58:e6:1a Configured Anchor for mobile 00:1b:d4:58:e6:1a. Sending Igmp query
*apfReceiveTask: Mar 17 11:03:18.283: 00:1b:d4:58:e6:1a Mobility Response: IP 10.10.14.54 code Handoff (1), reason Anchor is local (2), PEM State RUN, Role Local(1)
*bcastReceiveTask: Mar 17 11:03:18.283: Sending IGMP query First Time to 54:75:d0:3e:80:b0 ap for mgid 11
*bcastReceiveTask: Mar 17 11:03:18.283: Entry for ap 54:75:d0:3e:80:b0, IGMP query packet not queued for mgid 11... Enquing the Query packet...
*pemReceiveTask: Mar 17 11:03:18.287: 00:1b:d4:58:e6:1a 10.10.14.54 Added NPU entry of type 1, dtlFlags 0x0
*pemReceiveTask: Mar 17 11:03:18.289: 00:1b:d4:58:e6:1a Sending a gratuitous ARP for 10.10.14.54, VLAN Id 53262
*Dot1x_NW_MsgTask_0: Mar 17 11:03:18.767: Unicast MWAR IP: 10.10.112.10: intra-group
*mmListen: Mar 17 11:03:18.768: Switch IP: 10.10.112.10
*mmListen: Mar 17 11:03:18.768: Mobility handoff, NAC State Payload [ Client's NAC OOB State : Access, Quarantine VLAN :0, Access VLAN : 14 ]
*bcastReceiveTask: Mar 17 11:03:18.775: Sending IGMP query First Time to 54:75:d0:3e:80:b0 ap for mgid 11
*bcastReceiveTask: Mar 17 11:03:18.775: Entry for ap 54:75:d0:3e:80:b0, mgid 11 already exists
*bcastReceiveTask: Mar 17 11:03:19.272: Sending IGMP query to 54:75:d0:3e:80:b0 ap for mgid 11, Query count: 2
*bcastReceiveTask: Mar 17 11:03:20.272: Sending IGMP query to 54:75:d0:3e:80:b0 ap for mgid 11, Query count: 1
*bcastReceiveTask: Mar 17 11:03:20.272: All Queries sent ... Removing entry for 54:75:d0:3e:80:b0 ap for mgid 11 from queue
*mmListen: Mar 17 11:03:36.236: Mobility packet received from:
*mmListen: Mar 17 11:03:36.236: 10.10.112.10, port 16666
*mmListen: Mar 17 11:03:36.236: type: 19(ApListUpdate) subtype: 0 version: 1 xid: 96 seq: 100 len 52 flags 0
*mmListen: Mar 17 11:03:36.236: group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 17 11:03:36.236: Switch IP: 10.10.112.10
Again, these debugs are for troubleshooting client roaming issues; if you understand the roaming process, you can understand these debug outputs (I think I am not at that level yet & show these debugs as an example).
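One way to read the mobility exchange out of these debugs is to collapse each three-line "Mobility packet" record into a single event and list the role changes beside it. The Python below is an added example, not part of the original post: the function names are hypothetical, the sample is an excerpt of the WLC2 debug output above, and pairing MobileAnnounce with MobileHandoff by xid is an assumption based on both carrying xid 54 in that output.

```python
import re

# Excerpt of the WLC2 debug output on this page, one log entry per line.
WLC2_DEBUG = """\
(WLC2) >*mmListen: Mar 17 00:05:53.182: Mobility packet received from:
*mmListen: Mar 17 00:05:53.183: 10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.183: type: 12(PMK-Update) subtype: 0 version: 1 xid: 53 seq: 884 len 461 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet received from:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a 10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a type: 3(MobileAnnounce) subtype: 0 version: 1 xid: 54 seq: 885 len 116 flags 0
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a Mobility packet sent to:
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a 10.10.111.10, port 16666
*mmListen: Mar 17 00:05:53.194: 00:1b:d4:58:e6:1a type: 5(MobileHandoff) subtype: 0 version: 1 xid: 54 seq: 97 len 618 flags 0
*apfReceiveTask: Mar 17 00:05:53.195: 00:1b:d4:58:e6:1a 10.10.14.54 RUN (20) mobility role update request from Foreign to Handoff Peer = 10.10.111.10, Old Anchor = 10.10.111.10, New Anchor = 0.0.0.0
"""

# "*task: Mon DD HH:MM:SS.mmm: [client MAC ]message"; searched, not anchored,
# because the first entry can follow the CLI prompt on the same line.
ENTRY = re.compile(
    r"\*(?P<task>\w+): (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): "
    r"(?:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) )?(?P<msg>.*)$")
DIRECTION = re.compile(r"^Mobility packet (received from|sent to):$")
PEER = re.compile(r"^(\d+\.\d+\.\d+\.\d+), port (\d+)$")
HEADER = re.compile(r"^type: (\d+)\(([\w-]+)\)\s.*?xid: (\d+)\s+seq: (\d+)")
ROLE = re.compile(r"mobility role update request from (\w+) to (\w+)")


def mobility_events(log):
    """Return mobility packets and role updates in log order."""
    events, pending = [], None
    for line in log.splitlines():
        m = ENTRY.search(line.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if d := DIRECTION.match(msg):
            # First line of a packet record: remember direction and time.
            rx = d.group(1) == "received from"
            pending = {"time": m.group("ts"), "dir": "rx" if rx else "tx"}
        elif pending is not None and (p := PEER.match(msg)):
            pending["peer"], pending["port"] = p.group(1), int(p.group(2))
        elif pending is not None and "peer" in pending and (h := HEADER.match(msg)):
            pending.update(type=int(h.group(1)), name=h.group(2),
                           xid=int(h.group(3)), seq=int(h.group(4)))
            events.append(pending)
            pending = None
        elif r := ROLE.search(msg):
            events.append({"time": m.group("ts"), "dir": "local",
                           "name": "RoleUpdate", "mac": m.group("mac"),
                           "old": r.group(1), "new": r.group(2)})
    return events


def unanswered_announces(events):
    """xids of MobileAnnounce messages with no MobileHandoff of the same xid."""
    announced = {e["xid"] for e in events if e["name"] == "MobileAnnounce"}
    answered = {e["xid"] for e in events if e["name"] == "MobileHandoff"}
    return sorted(announced - answered)


if __name__ == "__main__":
    for e in mobility_events(WLC2_DEBUG):
        print(e["time"], e["dir"], e["name"], e.get("peer", ""), e.get("xid", ""))
    print("unanswered announces:", unanswered_announces(mobility_events(WLC2_DEBUG)))
```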
You can read “Deploying & Troubleshooting Cisco Wireless LAN Controllers” by Mark Gress, Lee Johnson to go in depth about Mobility.
Hi Rasika,
I’m trying to simulate inter-controller L3 in my lab.
The topology is WLC1-LWAP1 and ssid mapped to interface vlan11 / WLC4-LWAP2 and ssid mapped to interface vlan12. Mobility is up in both WLCs.
The problem is that when I deauthenticate the client from LWAP1 and it roams to LWAP2, it doesn’t keep the original IP (vlan11) and acquires a new IP from vlan12.
In both controllers mobility state is local.
Do I miss something obvious?
By the way, I have created a blog “chriscciew.blogpress.com”.
I have used your blog as a reference; in every article I mention the sources I use.
Hope there is no problem.
Best Regards.
Hi Rasika, does inter-L3 roaming also work in “new mobility” across a 5508/5760 WLC setup with the same SSID and different IP subnets?
Santhosh
It works, but interoperability between these two will not be tested thoroughly when future code is released. As of 8.1, the MC function is not supported in AireOS for the same reason.
As you know, it is very hard to troubleshoot CA; if you mix AireOS into this, it will get more complex.
HTH
Rasika
Thanks Rasika for your information. Yesterday I got a call from a Cisco wireless system engineer – he expressed that interoperability between 5760/5508 centralized wireless is not advisable. Cisco is also looking into making an official statement. For now I chose to look for 5520 controllers.
When I was drafting the wireless setup with 5760/5508, already halfway through, the topology became complicated to handle.
Please share the link if you get an official note from Cisco.
Thanks for sharing info
Rasika
Hi Rasika,
For Inter-Controller L3 roam to work (maintaining the same IP), is there any additional configuration besides adding both controllers to each other in mobility groups as per your previous blog?
https://mrncciew.com/2013/03/16/configuring-mobility-on-wlc/