In this post we will use a 3850 (acting as MA) to communicate with a centralized 5760 (acting as MC). The diagram below summarizes the overall mobility concept in a Converged Access (CA) deployment.
• A Mobility Domain (MD) is the entire domain across which client roaming is supported. It is a collection of mobility groups. For example, a campus network can be considered as a mobility domain.
• A Mobility Group (MG) is a collection of mobility subdomains across which fast roaming is supported. The mobility group can be one or more buildings within a campus across which frequent roaming is supported.
• A Mobility Subdomain (MSD) is an autonomous portion of the mobility domain network. Each mobility subdomain contains one mobility controller (MC) and a collection of SPGs. A subdomain is equivalent to an 802.11r key domain.
• A Switch Peer Group (SPG) is a collection of mobility agents.
• The Mobility Oracle (MO) acts as the point of contact for mobility events that occur across mobility subdomains. The mobility oracle also maintains a local database of each client in the entire mobility domain, their home and current subdomain. There is only one MO for an entire mobility domain. The Cisco WLC 5700 Series Controllers or CUWN controller can act as MO.
• The Mobility Controller (MC) provides mobility management services for inter-SPG roaming events. The MC sends configuration such as the SPG name and the SPG peer member list to all of the mobility agents under its subdomain. The WLC 5700, 3850 Switch, or CUWN controller can act as MC. The MC has both MC functionality and MA functionality running internally.
• The Mobility Agent (MA) is the component that maintains the client mobility state machine for a mobile client. All APs are connected to the mobility agent.
In converged access, fast roaming is available within a Mobility Group (unlike Unified Wireless, where it also works between mobility groups). For inter-mobility-group roaming the client has to fully re-authenticate. Within a mobility group you can have multiple sub-domains. Each sub-domain should have its own MC, which keeps the client database for that sub-domain. Within a sub-domain, you can create SPGs (Switch Peer Groups) to optimize roaming by constraining roaming traffic to a small area (e.g. a building). The diagram below represents this concept.
The next question is: what is the maximum number of SPGs in a sub-domain? The maximum number of mobility sub-domains (MSD) per MG? The maximum number of MCs in a mobility domain (MD)? The table below summarizes these; keep them in mind when designing CA solutions.
So here is my test topology. Effectively it is a single mobility sub-domain where the 5760 acts as MC with two SPGs.
Let’s configure 3850-2 (MA) to communicate with 5760 (MC) in order to register the L3602-1 AP. Here is the basic configuration on the 3850:
3850-2#sh archive config differences nvram:startup-config system:running-config
interface GigabitEthernet1/0/1
+description L3602-1
+switchport access vlan 1610
+switchport mode access
+spanning-tree portfast
+interface Vlan1610
+ip address 10.161.33.22 255.255.254.0
+wireless management interface Vlan1610
Then you need to tell the 3850 about its Mobility Controller (MC) as below. If a firewall or NAT device sits between MA & MC then you need to use the “public-ip” option as well. In my configuration it is not required.
3850-2(config)#wireless mobility controller ?
ip no description
peer-group Configures mobility peer groups
<cr>
3850-2(config)#wireless mobility controller ip ?
A.B.C.D IP address of mobility controller
3850-2(config)#wireless mobility controller ip 10.160.49.1 ?
public-ip no description
<cr>
3850-2(config)#wireless mobility controller ip 10.160.49.1
You can verify the 3850 mobility configuration using the “show wireless mobility summary” CLI command. As expected, mobility is down since we haven’t configured the MC yet. Also the SPG name is blank; the MA will learn its SPG name from the MC.
3850-2#show wireless mobility summary
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name :
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 0
Switch Peer Group Members Configured : 0
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP Public IP Link Status
------------------------------------------------
10.160.49.1 10.160.49.1 DOWN : DOWN
Let’s move on to the 5760 (MC) & start configuring it. We will give “BUN-1” as the group name, then create a SPG called “SPG1” and add 3850-2 as a member of that SPG.
5760-1(config)#wireless mobility group ?
  keepalive          Keepalive ping parameters to be configured
  member             Add/Change a Mobility group member to the list
  multicast-address  Configures the Multicast IP Address for a non-local mobility group
  name               Configures the Mobility domain name
5760-1(config)#wireless mobility group name ?
  WORD  Enter ASCII String up to 31 characters, case sensitive
5760-1(config)#wireless mobility group name BUN-1
5760-1(config)#wireless mobility ?
  controller  Configures mobility controller settings
  dscp        Configures the Mobility inter controller DSCP value
  group       Configures the Mobility group parameters
  multicast   Configures the Multicast Mode for mobility messages
  oracle      Configures mobility oracle settings
5760-1(config)#wireless mobility controller ?
  peer-group  Configures mobility peer groups
5760-1(config)#wireless mobility controller peer-group ?
  WORD  Add or delete a peer group
5760-1(config)#wireless mobility controller peer-group SPG1 ?
  bridge-domain-id  Configure bridge domain Id
  member            Add or delete a peer group member
  multicast         Configures multicast settings of a peer group
  <cr>
5760-1(config)#wireless mobility controller peer-group SPG1
5760-1(config)#wireless mobility controller peer-group SPG1 member ?
  ip  IP address of a peer group member
5760-1(config)#wireless mobility controller peer-group SPG1 member ip ?
  A.B.C.D  IP address of a peer group member
5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22 ?
  public-ip  Public IP address of a peer group member
  <cr>
5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22
Once you do this, you can see that the mobility paths (control & data) are up:
5760-1#show wireless mobility summary
Mobility Controller Summary:
Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : BUN-1
Mobility Oracle : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 1
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
10.160.49.1 - BUN-1 0.0.0.0 UP : UP
Switch Peer Group Name : SPG1
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0
IP Public IP Link Status
--------------------------------------------------
10.161.33.22 10.161.33.22 UP : UP
Now if you go to 3850-2 & check the mobility summary, you should see that the paths are UP & that it has learnt its SPG name as well.
3850-2#show wireless mobility summary
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : SPG1
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Switch Peer Group Members Configured : 1
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP Public IP Link Status
------------------------------------------------
10.160.49.1 10.160.49.1 UP : UP
Switch Peer Group members:
IP Public IP Data Link Status
-----------------------------------------------------
10.161.33.22 10.161.33.22 UP
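Checking the two “show wireless mobility summary” outputs by eye works for one MA, but across many switches it is easy to miss a blank SPG name or a DOWN data path. The script below is an added example (not part of the original post) that parses the command output exactly as shown above and reports why an MA's mobility tunnel is not usable: role, DTLS on the mobility tunnel, SPG name learnt, control/data link state to the MC, and, when the MC's output is supplied too, that SPG name and 802.11r domain ID agree on both sides. The sample outputs are constructed, abridged copies of the ones on this page.

```python
"""Check `show wireless mobility summary` output from an MA (and optionally its MC).
Added example; sample outputs are constructed, abridged copies of the page's."""
import re

# Constructed: MA before the MC was configured (paths DOWN, SPG name blank).
MA_BEFORE = """\
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Switch Peer Group Name :
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Switch Peer Group Members Configured : 0
The status of Mobility Controller:
IP Public IP Link Status
------------------------------------------------
10.160.49.1 10.160.49.1 DOWN : DOWN
"""

# Constructed: same MA after the MC added it to SPG1 (paths UP, SPG learnt).
MA_AFTER = """\
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Switch Peer Group Name : SPG1
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Switch Peer Group Members Configured : 1
The status of Mobility Controller:
IP Public IP Link Status
------------------------------------------------
10.160.49.1 10.160.49.1 UP : UP
Switch Peer Group members:
IP Public IP Data Link Status
-----------------------------------------------------
10.161.33.22 10.161.33.22 UP
"""

# Constructed: the MC side (group BUN-1, SPG1 with one member).
MC_UP = """\
Mobility Controller Summary:
Mobility Role : Mobility Controller
Mobility Group Name : BUN-1
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
-------------------------------------------------------------------------------
10.160.49.1 - BUN-1 0.0.0.0 UP : UP
Switch Peer Group Name : SPG1
Switch Peer Group Member Count : 1
IP Public IP Link Status
--------------------------------------------------
10.161.33.22 10.161.33.22 UP : UP
"""

KV_RE = re.compile(r"^(?P<key>[A-Za-z][^:]*?)\s*:\s*(?P<val>.*)$")
# "<ip> <public-ip|-> [group mcast] UP : UP"  or  "<ip> <public-ip> UP" (data only)
PEER_RE = re.compile(r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<rest>.*?)\s*"
                     r"(?P<first>UP|DOWN|N/A)(?:\s*:\s*(?P<second>UP|DOWN|N/A))?$")


def parse_mobility_summary(text):
    """Return {'fields': {...}, 'controllers': [...], 'spg_members': [...]}."""
    info = {"fields": {}, "controllers": [], "spg_members": []}
    section = "controllers"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-"}:
            continue  # blank lines and dashed separators
        if line.startswith(("The status of Mobility Controller", "Controllers configured")):
            section = "controllers"
        elif line.startswith("Switch Peer Group"):
            section = "spg_members"
        m = PEER_RE.match(line)
        if m:
            if m["second"] is None:  # an MA lists only the data link for SPG members
                info[section].append({"ip": m["ip"], "control": None, "data": m["first"]})
            else:
                info[section].append({"ip": m["ip"], "control": m["first"], "data": m["second"]})
            continue
        m = KV_RE.match(line)
        if m:
            info["fields"][m["key"].strip()] = m["val"].strip()
    return info


def check_agent(ma_text, mc_text=None):
    """Return a list of problems; an empty list means the MA is fully up."""
    f = parse_mobility_summary(ma_text)
    fields, problems = f["fields"], []
    if fields.get("Mobility Role") != "Mobility Agent":
        problems.append("device is not in Mobility Agent role")
    if fields.get("DTLS Mode") != "Enabled":
        problems.append("DTLS is not enabled for mobility messages")
    if not fields.get("Mobility Switch Peer Group Name"):
        problems.append("SPG name is blank: MA has not learnt it from the MC yet")
    if not f["controllers"]:
        problems.append("no mobility controller configured")
    for c in f["controllers"]:
        if (c["control"], c["data"]) != ("UP", "UP"):
            problems.append(f"MC {c['ip']} link {c['control']}:{c['data']}")
    if mc_text:
        mc = parse_mobility_summary(mc_text)["fields"]
        if mc.get("Switch Peer Group Name") != fields.get("Mobility Switch Peer Group Name"):
            problems.append("SPG name on the MA does not match the SPG on the MC")
        if mc.get("Mobility Domain ID for 802.11r") != fields.get("Mobility Domain ID for 802.11r"):
            problems.append("802.11r mobility domain ID differs between MA and MC")
    return problems


if __name__ == "__main__":
    for label, text in (("before", MA_BEFORE), ("after", MA_AFTER)):
        print(label, check_agent(text, MC_UP) or "OK")
```

Run against the “before” output it reports the blank SPG name, the DOWN:DOWN path to 10.160.49.1 and the SPG mismatch with the MC; against the “after” output it returns no problems. Feeding real output is just a matter of pasting the two command outputs in place of the constructed strings.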
Now let’s try to register the AP. Before that, make sure your 5760/3850 is configured for the correct regulatory domain/country code. Keep in mind that you need to disable the radio bands before changing the country code.
5760-1#show wireless country configured
Configured Country.............................: US - United States
Configured Country Codes
US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
5760-1(config)#ap dot11 5ghz shutdown
5760-1(config)#ap dot11 24ghz shutdown
5760-1(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration.
If running in RRM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
5760-1(config)#no ap dot11 5ghz shutdown
5760-1(config)#no ap dot11 24ghz shutdown
5760-1# show wireless country configured
Configured Country.............................: AU - Australia
Configured Country Codes
AU - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Make sure you have the same configured on your MA as well.
3850-2#show wireless country configured
Configured Country.............................: US - United States
Configured Country Codes
US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
3850-2(config)#ap dot11 5ghz shutdown
3850-2(config)#ap dot11 24ghz shutdown
3850-2(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration.
If running in RRM One-Time mode, reassign channels after this command.
Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
3850-2(config)#no ap dot11 5ghz shutdown
3850-2(config)#no ap dot11 24ghz shutdown
3850-2(config)#do show wireless country configured
Configured Country.............................: AU - Australia
Configured Country Codes
AU - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Here is the AP console output of a successful registration:
*Mar 1 00:00:28.563: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:29.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:31.951: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
*Mar 1 00:00:31.951: DPAA Initialization Complete
*Mar 1 00:00:31.951: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:32.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:00:56.927: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:01:01.667: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:01:02.755: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:03.047: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.161.33.241, mask 255.255.254.0, hostname L3602-1
*Mar 1 00:01:03.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:03.847: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:04.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.ltu.edu.au"...domain server (131.172.2.2)
*Mar 1 00:01:12.967: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:01:12.967: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au
*Mar 1 00:01:22.967: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 12 22:15:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.161.33.22
*Dec 12 22:15:40.559: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 12 22:15:40.567: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 12 22:15:40.571: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 3850-2
*Dec 12 22:15:40.631: ac_first_hop_mac - IP:10.161.33.22 Hop IP:10.161.33.22 IDB:BVI1
*Dec 12 22:15:40.635: Setting AC first hop MAC: 7c95.f380.27e7
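The console output above is the sequence to look for when an AP join is questioned: DHCP address, controller discovery (here the DNS name CISCO-CAPWAP-CONTROLLER did not resolve, so the AP fell back to discovering the MA on its own subnet), a DTLS session to the controller on UDP 5246, and only then the Join Request and JOINEDCONTROLLER. The script below is an added example, not code from the original post; it parses those syslog lines and summarises the join, warning if the Join Request went out before DTLS was up, if discovery by DNS failed, or if the AP joined a controller other than the one you expected (the `expected_controller` argument is this example's own). The log is a constructed, abridged copy of the console output above.

```python
"""Summarise an AP's CAPWAP join from its console log (added example)."""
import re

# Constructed, abridged copy of the AP console output on the page.
AP_LOG = """\
*Mar 1 00:01:03.047: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.161.33.241, mask 255.255.254.0, hostname L3602-1
*Mar 1 00:01:12.967: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:01:12.967: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au
*Mar 1 00:01:22.967: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 12 22:15:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.161.33.22
*Dec 12 22:15:40.559: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 12 22:15:40.571: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 3850-2
"""

# Cisco syslog shape: %FACILITY-SEVERITY-MNEMONIC: message
MSG_RE = re.compile(r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mn>[A-Z0-9_]+):\s*(?P<msg>.*)$")
PEER_RE = re.compile(r"peer_ip:\s*(\S+)\s+peer_port:\s*(\d+)")
DHCP_RE = re.compile(r"DHCP address (\S+),")


def parse_ap_log(text):
    """Return [(mnemonic, message), ...]; lines without a %FAC-SEV-MN tag are ignored."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m:
            events.append((m["mn"], m["msg"].strip()))
    return events


def summarize_join(text, expected_controller=None):
    """Walk the join sequence and collect what the AP did plus any warnings."""
    r = {"ap_ip": None, "dtls_peer": None, "dtls_ok": False,
         "join_sent_to": None, "joined": None, "warnings": []}
    for mn, msg in parse_ap_log(text):
        if mn == "ADDRESS_ASSIGN":
            m = DHCP_RE.search(msg)
            r["ap_ip"] = m.group(1) if m else None
        elif mn == "ERRORLOG" and "Could Not resolve" in msg:
            # DNS-based discovery failed; the AP must find a controller another way
            r["warnings"].append("DNS discovery failed: " + msg.split()[-1])
        elif mn == "DTLSREQSEND":
            m = PEER_RE.search(msg)
            if m:
                r["dtls_peer"] = (m.group(1), int(m.group(2)))
        elif mn == "DTLSREQSUCC":
            r["dtls_ok"] = True
        elif mn == "SENDJOIN":
            r["join_sent_to"] = msg.split()[-1]
            if not r["dtls_ok"]:
                # control plane should be protected before the AP identifies itself
                r["warnings"].append("Join Request sent before DTLS was established")
        elif mn == "JOINEDCONTROLLER":
            r["joined"] = msg.split()[-1]
    if r["joined"] is None:
        r["warnings"].append("AP never reported JOINEDCONTROLLER")
    elif expected_controller and r["joined"] != expected_controller:
        r["warnings"].append(f"AP joined {r['joined']}, expected {expected_controller}")
    return r


if __name__ == "__main__":
    for key, value in summarize_join(AP_LOG, "3850-2").items():
        print(f"{key:>13}: {value}")
```

For the log above the summary shows the AP at 10.161.33.241 building DTLS to 10.161.33.22:5246, sending its Join Request only after DTLS succeeded, and joining 3850-2; the single warning is the unresolved CISCO-CAPWAP-CONTROLLER name, which is expected here because the MA sits on the AP's own VLAN.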
If you look at the MA, you should see that L3602-1 is registered to it. If you look at the license, the MA itself does not hold any AP-count license; the license always comes from the MC.
3850-2#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
L3602-1 3602I 4c00.82df.a4c1 f84f.57e3.1460 Registered
3850-2#sh license right-to-use summary
License Name Type Count Period left
-----------------------------------------------
ipbase permanent N/A Lifetime
apcount base 0 Lifetime
apcount adder 0 Lifetime
--------------------------------------------
License Level In Use: ipbase
License Level on Reboot: ipbase
Evaluation AP-Count: Disabled
Total AP Count Licenses: 0
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 0
On my 5760, I can see this AP:
5760-1#show wireless mobility ap-list
Number of AP entries in the mobility group : 2
Number of AP entries in the sub-domain : 2
AP name AP radio MAC Controller IP Learnt from
--------------------------------------------------------------------------------------
APccef.4872.0fc3 2c3f.382b.5260 10.160.49.1 Self
L3602-1 f84f.57e3.1460 10.161.33.22 Mobility Agent
Controller IP AP Count
----------------------------
10.160.49.1 1
10.161.33.22 1
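Those two outputs together answer the question of where each AP's CAPWAP tunnel actually terminates: an AP the MC has “Learnt from” a Mobility Agent must show up as Registered on that MA's “show ap summary”, while an AP marked “Self” terminates on the MC. The script below is an added example (not part of the original post) that cross-checks the two views and flags disagreements, for instance an AP the MC attributes to the MA that the MA does not list. The samples are constructed from the outputs on this page; it goes slightly beyond them with a second, constructed MC sample for the case where an AP has joined the MC itself rather than the 3850, which the classification makes visible immediately.

```python
"""Classify where each AP's CAPWAP tunnel terminates (added example)."""
import re

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# show ap summary row:  <name> <model> <eth mac> <radio mac> <state>
SUMMARY_RE = re.compile(rf"^(\S+)\s+(\S+)\s+({MAC})\s+({MAC})\s+(\S+)$")
# show wireless mobility ap-list row:  <name> <radio mac> <controller ip> <learnt from>
APLIST_RE = re.compile(rf"^(\S+)\s+({MAC})\s+(\d+\.\d+\.\d+\.\d+)\s+(.+?)\s*$")

# Constructed from the MA output on the page.
MA_AP_SUMMARY = """\
Number of APs: 1
Global AP User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
----------------------------------------------------------------------------------------
L3602-1 3602I 4c00.82df.a4c1 f84f.57e3.1460 Registered
"""

# Constructed from the MC output on the page.
MC_AP_LIST = """\
Number of AP entries in the mobility group : 2
AP name AP radio MAC Controller IP Learnt from
--------------------------------------------------------------------------------------
APccef.4872.0fc3 2c3f.382b.5260 10.160.49.1 Self
L3602-1 f84f.57e3.1460 10.161.33.22 Mobility Agent
Controller IP AP Count
----------------------------
10.160.49.1 1
10.161.33.22 1
"""

# Constructed failure case: the AP joined the MC ("Self") and the MA lists nothing.
MC_AP_LIST_ON_MC = """\
AP name AP radio MAC Controller IP Learnt from
--------------------------------------------------------------------------------------
AP88f0.310a.c67c 88f0.311e.b670 10.2.32.3 Self
"""
MA_AP_SUMMARY_EMPTY = "Number of APs: 0\n"


def parse_ap_summary(text):
    aps = {}
    for line in text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            aps[m.group(1)] = {"model": m.group(2), "eth_mac": m.group(3),
                               "radio_mac": m.group(4), "state": m.group(5)}
    return aps


def parse_ap_list(text):
    aps = {}
    for line in text.splitlines():
        m = APLIST_RE.match(line.strip())
        if m:
            aps[m.group(1)] = {"radio_mac": m.group(2), "controller_ip": m.group(3),
                               "learnt_from": m.group(4)}
    return aps


def capwap_termination(ma_summary_text, mc_ap_list_text, ma_ip):
    """Return ({ap_name: 'MA' | 'MC'}, [inconsistencies between the two views])."""
    ma_aps = parse_ap_summary(ma_summary_text)
    mc_view = parse_ap_list(mc_ap_list_text)
    where, problems = {}, []
    for name, e in mc_view.items():
        if e["learnt_from"] == "Self":
            where[name] = "MC"          # tunnel ends on the controller itself
            continue
        where[name] = "MA"              # MC learnt it from an agent
        if e["controller_ip"] != ma_ip:
            problems.append(f"{name}: MC reports controller {e['controller_ip']}, expected MA {ma_ip}")
        ma_entry = ma_aps.get(name)
        if ma_entry is None:
            problems.append(f"{name}: MC attributes it to a Mobility Agent but the MA does not list it")
        elif ma_entry["state"] != "Registered":
            problems.append(f"{name}: state on MA is {ma_entry['state']}")
        elif ma_entry["radio_mac"] != e["radio_mac"]:
            problems.append(f"{name}: radio MAC differs between MA and MC views")
    for name in ma_aps:
        if name not in mc_view:
            problems.append(f"{name}: registered on MA but missing from the MC ap-list")
    return where, problems


if __name__ == "__main__":
    print(capwap_termination(MA_AP_SUMMARY, MC_AP_LIST, "10.161.33.22"))
    print(capwap_termination(MA_AP_SUMMARY_EMPTY, MC_AP_LIST_ON_MC, "10.2.24.36"))
```

With the page's outputs, L3602-1 is classified as terminating on the MA and APccef.4872.0fc3 on the MC with no inconsistencies; in the second sample the only AP is “Self” on the MC, which is the signature of an AP that bypassed the 3850 and joined the 5760 directly.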
Here is a CSC forum post listing all the useful CA reference materials. Please read through them if you are interested in learning more.
https://supportforums.cisco.com/thread/2249117
Hello Sir,
I like your blog and it's good info 🙂 keep this up.
I have a small question. I read somewhere that if the 3850 is acting as MA then the AP and the wireless management interface should be on the same subnet.
But AP
interface Vlan1610
+ip address 10.161.33.22 255.255.254.0
+wireless management interface Vlan1610
and Controller
3850-2(config)#wireless mobility controller ip 10.160.49.1
That’s correct, in the MA you have to use the same VLAN for wireless management & AP management. That’s why my APs are in VLAN 1610, which is the wireless management interface as well.
The MC can be anywhere in your network with L3 connectivity to the MA. So in my case I have configured it using the “wireless mobility controller ip x.x.x.x” command.
HTH
Rasika
Thanks for sharing all this good stuff. I have a question: can a 3850 be both an MA to a centralised controller, say a 5508 in HQ, and an MC for a small office hosting 2-3 APs? What is the best practice?
A 3850 can act as MC/MA together. In that scenario it won’t be an MA for another central controller.
It is similar to having a dedicated controller at the branch, & if you need it you can configure mobility between that & your HQ controller.
HTH
Rasika
Hi, I’m new to this wireless architecture so I’m sorry if my questions sound stupid.
I have 3 3650 switches working as MA in different locations and one 5760 working as MC in the HQ office. If the 3650 ends the CAPWAP tunnel and all the WLAN config must be done in the switch, what's the 5760's function in this scenario?
Can I manage and configure the APs (3702) from the 5760 even if the APs are registered in the 3650s?
I can see the AP from the 5760 by typing:
show wireless mobility ap-list
Of course I can’t see anything if I type:
show ap summary
But what about WLANs? If I create a new WLAN in the 5760, the APs registered in the MA switch don’t know about this WLAN.
Another option is to try to end the CAPWAP tunnel in the 5760 and keep the traffic locally in the remote office (FlexConnect), but I don’t see this option in this equipment; furthermore we want to use AVC, and I don’t know if, to use it, the switch must end the CAPWAP tunnel.
Thank you very much for your time, and congrats on your great blog.
Regards
Hi Juan,
See my responses within **** xxx *****
If the 3650 ends the CAPWAP tunnel and all the WLAN config must be done in the switch, what's the 5760's function in this scenario?
**** The MC is handling functions such as RRM, Mobility (inter-SPG in this case), licensing, etc. ****
Can I manage and configure the APs (3702) from the 5760 even if the APs are registered in the 3650s?
**** If you connect APs to the 3650 then you cannot register them to the 5760 as long as you enable wireless management on the 3650. If you use the 3650 as a pure L2 switch without wireless management then you can. In that way it is very similar to CUWN & not CA. *****
But what about WLANs? If I create a new WLAN in the 5760, the APs registered in the MA switch don’t know about this WLAN.
**** You need to define WLANs in both MA & MC *****
Another option is to try to end the CAPWAP tunnel in the 5760 and keep the traffic locally in the remote office (FlexConnect), but I don’t see this option in this equipment,
**** 5760/3850 does not support FlexConnect AP deployments *****
furthermore we want to use AVC, and I don’t know if, to use it, the switch must end the CAPWAP tunnel
**** No, if you want you can terminate CAPWAP on your 5760 by disabling wireless management on the 3650. AVC works in either of those scenarios *****
HTH
Rasika
Wow!!!! You are very fast at answering my questions!!
Very good explanation. Thank you very much, now I understand how it works.
Your blog is helping me a lot, regards from Spain!
Your article gives me insight into taking my wireless network design to the next generation. My environment has multiple regions which have different regulatory demands. Higher versions of IOS can support a multiple country code setup, according to the Cisco web site.
Do you know whether the 5760 can do that as well?
Additionally, I could not find the reason why Cisco says the AP has to be directly connected to the Cat3850; do you have any idea?
Thank you !
Hi,
Yes, you can configure multiple country codes in the 5760. Make sure all countries are in the same regulatory domain.
5760-1(config)#ap country ?
WORD Enter the country code (e.g. US,MX,IN) upto a maximum of 20 countries
Regarding AP direct connectivity, that is based on this new architecture. QoS & other policies are applied to wireless ports (i.e. AP-connected ports) assuming the AP is directly connected, & some of those policies are not configurable. Therefore Cisco will not support indirectly connected APs, as that policy config is not valid in that scenario.
HTH
Rasika
hi,
I have a Cisco 3850 switch and AP AIR-CAP37021-D-K9. I have installed the required license and configured MC in the 3850 switch. Now the access point is registering and then going down. Below are the logs:
*Aug 23 16:27:04.165: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to down
*Aug 23 16:27:16.813: *%LOG-3-Q_IND: 1 wcm: Dropping discovery request from AP f40f.1b29.5f60 – cleanup process is in progress
*Aug 23 16:27:16.813: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:16.813: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:16.813: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:16.814: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:16.814: *%LWAPP-3-VALIDATE_ERR: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:16.814: *%LOG-3-Q_IND: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:16.814: *%LWAPP-3-RD_ERR3: 1 wcm: Invalid regulatory domain (0) sent by AP f4:0f:1b:29:5f:60 (slot: 1 80211a)
*Aug 23 16:27:16.815: *%CAPWAP-3-POST_DECODE_ERR: 1 wcm: Post decode processing failed for Config status from AP f40f.1b29.5f60
*Aug 23 16:27:16.824: %LINK-3-UPDOWN: Interface Capwap0, changed state to up
*Aug 23 16:27:17.824: %LINEPROTO-5-UPDOWN: Line protocol on Interface Capwap0, changed state to up
*Aug 23 16:27:18.825: %LINK-3-UPDOWN: Interface Vlan12, changed state to up
*Aug 23 16:27:19.810: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:19.810: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:19.811: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:19.811: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:19.812: *%LWAPP-3-VALIDATE_ERR: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:19.812: *%LOG-3-Q_IND: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:19.812: *%LWAPP-3-RD_ERR3: 1 wcm: Invalid regulatory domain (0) sent by AP f4:0f:1b:29:5f:60 (slot: 1 80211a)
*Aug 23 16:27:19.812: *%CAPWAP-3-POST_DECODE_ERR: 1 wcm: Post decode processing failed for Config status from AP f40f.1b29.5f60
*Aug 23 16:27:19.825: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan12, changed state to up
*Aug 23 16:27:22.810: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:22.810: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:22.811: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:22.811: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:22.811: *%LWAPP-3-VALIDATE_ERR: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:22.811: *%LOG-3-Q_IND: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:22.811: *%LWAPP-3-RD_ERR3: 1 wcm: Invalid regulatory domain (0) sent by AP f4:0f:1b:29:5f:60 (slot: 1 80211a)
*Aug 23 16:27:22.812: *%CAPWAP-3-POST_DECODE_ERR: 1 wcm: Post decode processing failed for Config status from AP f40f.1b29.5f60
*Aug 23 16:27:25.810: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:25.810: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:25.811: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:25.811: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:25.812: *%LWAPP-3-VALIDATE_ERR: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:25.812: *%LOG-3-Q_IND: 1 wcm: Validation of SPAM Vendor Specific Payload failed – AP f4:0f:1b:29:5f:60
*Aug 23 16:27:25.812: *%LWAPP-3-RD_ERR3: 1 wcm: Invalid regulatory domain (0) sent by AP f4:0f:1b:29:5f:60 (slot: 1 80211a)
*Aug 23 16:27:25.812: *%CAPWAP-3-POST_DECODE_ERR: 1 wcm: Post decode processing failed for Config status from AP f40f.1b29.5f60
Please help me to troubleshoot.
Hi
Post the output of “show wireless country configured”. Looks like you have a regulatory domain config issue, as per the line below:
wcm: Invalid regulatory domain (0) sent by AP f4:0f:1b:29:5f:60 (slot: 1 80211a)
See this post as well:
https://mrncciew.com/2013/09/29/getting-started-with-3850/
HTH
Rasika
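The regulatory-domain check suggested in the reply above, as an added example that is not part of the original post or the thread: it parses “show wireless country configured” from both the MA and the MC and reports a mismatch, and it pulls the AP MAC and mnemonic out of the LWAPP RD_ERR lines a 3850 logs when an AP's country or regulatory domain fails validation. The country outputs are constructed from the US/AU outputs earlier in the post (the MA sample deliberately still shows US, as it does before the country change), and the log sample is a constructed, abridged copy of the lines posted above.

```python
"""Compare MA/MC country configuration and extract rejected APs (added example)."""
import re

COUNTRY_RE = re.compile(r"^Configured Country\.*:\s*([A-Z]{2})\s*-")
CODE_RE = re.compile(r"^([A-Z]{2}) - [^:]+:\s*(.*)$")
# LWAPP regulatory-domain errors name the AP by colon-separated MAC
RD_ERR_RE = re.compile(r"%LWAPP-3-(RD_ERR\d+|VALIDATE_ERR):.*?AP ([0-9a-f:]{17})")

# Constructed from the 5760 output after the change to AU.
MC_COUNTRY = """\
Configured Country.............................: AU - Australia
Configured Country Codes
AU - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
"""
# Constructed: an MA that has not been changed yet (still US).
MA_COUNTRY_STALE = """\
Configured Country.............................: US - United States
Configured Country Codes
US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
"""
# Constructed, abridged copy of the wcm log lines posted in the thread.
WCM_LOG = """\
*Aug 23 16:27:16.813: *%LWAPP-3-RD_ERR7: 1 wcm: Invalid country code () for AP f4:0f:1b:29:5f:60
*Aug 23 16:27:16.813: *%LWAPP-3-RD_ERR9: 1 wcm: APs f4:0f:1b:29:5f:60 country code changed from () to (IN )
*Aug 23 16:27:16.814: *%LWAPP-3-RD_ERR3: 1 wcm: Invalid regulatory domain (0) sent by AP f4:0f:1b:29:5f:60 (slot: 1 80211a)
"""


def parse_country_configured(text):
    """Return {'country': 'AU', 'codes': {'AU': '<bands>'}} from the show output."""
    info = {"country": None, "codes": {}}
    for line in text.splitlines():
        line = line.strip()
        m = COUNTRY_RE.match(line)
        if m:
            info["country"] = m.group(1)
            continue
        m = CODE_RE.match(line)
        if m:
            info["codes"][m.group(1)] = m.group(2).strip()
    return info


def rejected_aps(log_text):
    """Map AP MAC -> sorted LWAPP mnemonics that rejected it (RD_ERR9 is informational)."""
    hits = {}
    for line in log_text.splitlines():
        m = RD_ERR_RE.search(line)
        if m:
            hits.setdefault(m.group(2), set()).add(m.group(1))
    return {mac: sorted(v) for mac, v in hits.items()}


def check_regulatory(ma_text, mc_text, log_text=""):
    """Return a list of problems; empty means MA and MC agree and no AP was rejected."""
    ma, mc = parse_country_configured(ma_text), parse_country_configured(mc_text)
    problems = []
    if ma["country"] is None or mc["country"] is None:
        problems.append("could not read the configured country from one of the devices")
    elif ma["country"] != mc["country"]:
        problems.append(f"country mismatch: MA={ma['country']} MC={mc['country']}")
    for code in sorted(set(ma["codes"]) ^ set(mc["codes"])):
        problems.append(f"country code {code} configured on only one device")
    for mac, errs in rejected_aps(log_text).items():
        problems.append(f"AP {mac} rejected: {', '.join(errs)}")
    return problems


if __name__ == "__main__":
    for p in check_regulatory(MA_COUNTRY_STALE, MC_COUNTRY, WCM_LOG):
        print(p)
```

Against the constructed samples the check reports the US/AU mismatch, the two country codes that exist on only one device, and AP f4:0f:1b:29:5f:60 rejected with RD_ERR3 and RD_ERR7; with identical country output on both devices and no log it returns nothing.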
I have set up the WLC-5760 as MC and the 3850 as MA. How do I check that CAPWAP has actually been terminated on the 3850 vs. the WLC-5760?
If you type “show ap summary”, only the 3850 MA should give output listing the APs registered to the 3850.
The 5760 output should be “blank”. But “show wireless mobility ap-list” on the 5760 should show that licences are consumed from it based on the number of APs registered to the 3850.
HTH
Rasika
Here is the output on the WLC 5760. As you can see the AP is registering with WLC controller and not the 3850.
rheem#sh ap summary
Number of APs: 0
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
rheem#sh ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name AP Model Ethernet MAC Radio MAC State
—————————————————————————————-
AP88f0.310a.c67c 3702I 88f0.310a.c67c 88f0.311e.b670 Registered
rheem#show wireless mobility ap-list
Number of AP entries in the mobility group : 1
Number of AP entries in the sub-domain : 1
AP name AP radio MAC Controller IP Learnt from
————————————————————————————–
AP88f0.310a.c67c 88f0.311e.b670 10.2.32.3 Self
Controller IP AP Count
—————————-
10.2.32.3 1
Here is the output on the 3850:
GUQ-2D02-C3851#sh ap summary
Number of APs: 0
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
Please post “show wireless mobility summary” output from both devices.
HTH
Rasika
Here is the output on the WLC controller:
rheem#show wireless mobility summary
Mobility Controller Summary:
Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : xx-IE
Mobility Oracle Configured Mode : Disabled
Mobility Oracle Runtime Mode : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x3c86
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 20
Mobility Domain Member Count : 1
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP Public IP Group Name Multicast IP Link Status
——————————————————————————-
xx.2.32.3 N/A xx-IE 0.0.0.0 N/A
Switch Peer Group Name : xx-AP-GROUPS
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0
IP Public IP Link Status
————————————————–
xx.2.24.36 xx.2.24.36 UP : UP
On the 3850 where the AP is connected:
C3851#show wireless mobility summary
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : xx-AP-GROUPS
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0x3c86
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 20
Switch Peer Group Members Configured : 1
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP Public IP Link Status
————————————————
xx.2.32.3 xx.2.32.3 UP : UP
Switch Peer Group members:
IP Public IP Data Link Status
—————————————————–
xx.2.24.36 xx.2.24.36 N/A
Hello,
I have an architecture with 3850 (MA) and 5508 (MC). I can see that the txpower is configured in automatic mode on my 3850. But I need to know the exact txpower of my AP. Where can I find this information? On the AP, or on the 3850?
Thanks in advance
“show ap dot11 5ghz|24ghz summary” should give you that info.
HTH
Rasika
Hello,
I have a question about the SW 3850 (MA) working with CAPWAP AP 3602 and WLC 5760 (MC). What happens with the AP 3602 if the connection with the WLC 5760 is lost? Does the wireless connection continue, or will the link with the access point be lost?
The AP will work as normal, no impact on the data traffic.
Hi. I have a question about the SW 3850 (MA) working with CAPWAP AP 3602 and WLC 5760 (MC). What happens with the AP 3602 if the connection with the WLC 5760 is lost? Does the wireless connection continue, or will the link with the access point be lost?
Yes, even if the 5760 is down, your wireless will work.
The only impact is that you cannot register new APs, and there are no RRM related functions while the MC is down.
HTH
Rasika
Hello. Thanks for the great article, although I have a question. It sounds like you have to duplicate the WLANs from the MC that you want to use on each switch that will act as MA. Does this mean that you also have to trunk out the client VLANs used for these WLANs to each MA as well? Or do you assign the building data VLAN to be used in the WLAN?
Hi Trevor,
In my setup all user SVIs are defined on the distribution switch where the MAs get connected.
The MC is on a separate L3 domain & no MA-connected switch VLAN is extended over there.
Hope that is clear.
Rasika
Hi ,
Thanks for the reply. That makes perfect sense! It’s better to use the building SVI for the client traffic anyway. From my understanding, when a client roams from one building to another, if that building is in the same group then the client retains the previous building’s IP address, which is tunneled to the new building unless the client disconnects, which breaks the tunnel?
Hi,
In my setup for MC and MA, “sh ap join stats summary” shows a different IP for the AP and “sh cdp nei” shows a different IP for the AP. Why is this happening?
Hi All!
In my case my access point is connected to the MA and is associated and registered too, the licenses are OK, peer group up, everything OK, but my AP is not sharing any SSIDs.
PS: The AP is associated with the correct AP Group.
That’s strange; if the APs are in the right AP group and the SSID is already configured it should work.
Make sure all AP radios are operational.
HTH
Rasika
Dear,
Have a look:
AP name AP radio MAC Controller IP Learnt from
————————————————————————————–
ciscollap-mfb-02 58f3.9c23.9320 10.234.238.3 Self
ciscollap-mfb-01 58f3.9c25.e6e0 10.234.238.3 Self
ciscollap-mfb-04 58f3.9c2d.6380 10.234.238.3 Self
ciscollap-mfb-03 58f3.9c2d.6460 10.234.238.3 Self
AP5c83.8f99.33e8 5c83.8f9c.2b40 10.234.238.4 Mobility Agent
ciscollap-mfb-06 5c83.8f9c.2c60 10.234.238.3 Self
ciscollap-mfb-05 d8b1.909e.dbf0 10.234.238.3 Self
Controller IP AP Count
—————————-
10.234.238.3 6
10.234.238.4 1
>>> I tried to create another AP-Group and insert the AP there, but it does not work.
>>> I tried another radio; it does not work.
>>> I tried to reload the switch; it does not work.
What do you think?
Quick question.
We have a small environment consisting of 3 offices. The main office is running Layer 3, and 2 remotes have the VLAN extended to them via fibre. We do not feel we need to deploy a 5760; instead we want to use a stack of 3 x 3850 (L3) in MC mode and the 2 remote offices having a 3850 each in MA mode. I will be distributing 4 APs in one office and 10 in the other, and 30 in the main office.
Is there an issue with this design? Do we need to look at running each office switch as MC?
Thanks
Mike
Hi Mike, if you have 1G fibre between these sites, I do not think you require an MC in each site.
HTH
Rasika
Hi
I have set up my 3-building environment. Made one 3850 the MC, and the other 2 buildings 3050 stacks as MA. I am running 3.6.4 as recommended by Cisco, as Denali 16.1.2 had TACACS authentication issues and is still a bit flaky.
I created the SPG, and all units are talking, but my issue is I cannot see any clients on either office that is running the MAs, but the MC has over a dozen connected.
What am I missing?
Mike
Hi, may I ask a question?
Our WiFi is quite complicated, mixed between centralized controller and converged controller.
In our design, we have only one SSID shared for the whole compound (we have three buildings).
Suppose your 3850-4 broadcasts the SSID name “WiFi”, client VLAN is 5, network 192.168.1.0/24,
and 3850-3 broadcasts the same SSID name “WiFi” but the client is in a different network, client VLAN 10, network 10.10.1.0/24.
Our problem is mobility; it is not stable. Do you think the mobility function works between 5760 and 3850?
Thanks,
Ben
In my case the 5760 is purely in the MC role, with no AP managed by it.
The 3850 MA stacks in 3 nearby buildings are configured for the same SPG, so roaming between those APs is seamless. The MC is only actively involved if you roam between two SPGs.
Please go through the CL presentation below for more details:
Click to access BRKCRS-2888.pdf
HTH
Rasika
Thanks for documenting this subject so well. However, there is an aspect of the use of the switch as an MA that escapes me. I understand mobility when using a WLC: the client’s traffic emerges into the wired network from the controller regardless of where it entered or what IP address the client leased on association with the AP. As a result, it will always be emerging from a known interface on a known, constant subnet, and traffic can be routed back to it simply.
What I’m struggling to understand is how mobility works with the 3850 or similar switch, where the CAPWAP tunnel terminates on the switch. That being the case, traffic from a client may emerge in different places/subnets on the wired network. The traffic will get to the wired network OK, but how does it return? The client, with its constant address, will apparently pop up anywhere in the network, which may be manageable in a L2 network, where VLANs can be trunked to all switches, but what happens in a routed network?
Even when the client moves to a different AP (across the routed network), the client still keeps its original IP and the traffic is tunneled back.
Refer to the CSC post below; I have listed some references there:
https://supportforums.cisco.com/discussion/12933416/client-mobility-wlc3850-mcma-deployment
HTH
Rasika
We have a converged setup with 1x MC (5760) and 2x MA (3650)…
All the nodes can ping each other.
We’ve completed the configuration on the MC:
1) Wireless Mobility Grp Name
2) Wireless management interface
3) Peer-group & its members
On MA side:
1) Wireless management interface
2) wireless mobility controller ip x.x.x.x
But the MC and MA links stay down, hence the APs never register with the MA or MC.
How should we debug this issue? Please advise.
Thanks,
John Lee
Hi John,
If you still have this issue I would suggest starting a thread with the “show wireless mobility summary” output from both devices. Also list what software code you use:
https://supportforums.cisco.com/community/5921/other-wireless-mobility-subjects
HTH
Rasika
One more thing to mention here: between the MC (5760) and the MA (3650) we’re using a 3850 just as a switch. But somehow I’m not able to disable mobility on the 3850; it always shows as an MA, though there is no wireless management interface on it.
Would you know how we can convert a 3850 to just a switch and disable mobility completely on it?
If there is no wireless management interface then that’s it. In that case the switch does not act as an MA.
But somehow the connection between the MC and MA through this 3850 is not working, because the 3850 stays as an MA, though it doesn’t have the wireless management interface provisioned.
3850-1#show wirel mob summary
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name :
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 0
Switch Peer Group Members Configured : 0
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP Public IP Link Status
------------------------------------------------
0.0.0.0 0.0.0.0 - : -
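Reading the “show wireless mobility summary” output above by hand is fine for one switch, but the same three questions come up every time a mobility link stays down: what role is the node in, does it have an MC configured, and are the control/data links up. As an added example (not from the post, the commenters, or Cisco), here is a small Python parser that extracts those fields from exactly that output and flags the conditions discussed in this thread, plus a DTLS check, since a disabled DTLS mode leaves the mobility control channel unencrypted. The 3850-1 sample is the output posted above; the second sample is constructed from it to show what a working MA would look like, and the `UP : UP` wording of the link status column and the SPG name in it are assumptions.

```python
import re
from typing import Dict, List

# Verbatim "3850-1#show wireless mobility summary" output as posted in the comment above.
SAMPLE_3850_1 = """\
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name :
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 0
Switch Peer Group Members Configured : 0
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP Public IP Link Status
------------------------------------------------
0.0.0.0 0.0.0.0 - : -
"""

# Constructed sample (not from the page): the same MA after it has been pointed at an MC
# and received its SPG membership. The SPG name, MC address and "UP : UP" wording are assumed.
SAMPLE_HEALTHY = (
    SAMPLE_3850_1
    .replace("Mobility Switch Peer Group Name :", "Mobility Switch Peer Group Name : SPG-BLDG-A")
    .replace("Switch Peer Group Members Configured : 0", "Switch Peer Group Members Configured : 2")
    .replace("0.0.0.0 0.0.0.0 - : -", "10.10.0.5 10.10.0.5 UP : UP")
)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The MC row: "<ip> <public ip> <control link> : <data link>"
MC_LINE = re.compile(rf"^(?P<ip>{IPV4})\s+(?P<pub>{IPV4})\s+(?P<ctl>\S+)\s*:\s*(?P<data>\S+)$")
# Everything else of interest is "<field> : <value>" (value may be empty, e.g. no SPG name).
KV_LINE = re.compile(r"^(?P<key>[A-Za-z0-9 ./]+?)\s*:\s*(?P<val>.*)$")


def parse_mobility_summary(text: str) -> Dict[str, str]:
    """Flatten the show output into {field: value}.

    The MC status row is stored as mc_ip / mc_public_ip / control_link / data_link.
    Separator rules (ASCII or the en/em dashes that copy-paste produces) and the
    column header line are skipped.
    """
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", "\u2013", "\u2014"}:
            continue
        mc = MC_LINE.match(line)
        if mc:
            fields["mc_ip"] = mc.group("ip")
            fields["mc_public_ip"] = mc.group("pub")
            fields["control_link"] = mc.group("ctl")
            fields["data_link"] = mc.group("data")
            continue
        kv = KV_LINE.match(line)
        if kv:
            fields[kv.group("key").strip()] = kv.group("val").strip()
    return fields


def assess(fields: Dict[str, str]) -> List[str]:
    """Return the problems a practitioner would raise from this output (empty list = healthy)."""
    findings: List[str] = []
    role = fields.get("Mobility Role", "")
    port = fields.get("Mobility Protocol Port", "16666")
    mc_ip = fields.get("mc_ip", "0.0.0.0")

    if role == "Mobility Agent":
        if mc_ip == "0.0.0.0":
            findings.append(
                "no MC configured (MC IP 0.0.0.0): 'wireless mobility controller ip <MC>' "
                "is missing, so no control/data link can come up"
            )
        else:
            for name in ("control_link", "data_link"):
                if fields.get(name, "-").upper() != "UP":
                    findings.append(
                        f"{name} to MC {mc_ip} is not UP: verify IP reachability and that "
                        f"UDP {port} (mobility control) is not filtered between MA and MC"
                    )
        if not fields.get("Mobility Switch Peer Group Name"):
            findings.append(
                "not in any switch peer group: the MC has not pushed an SPG to this MA "
                f"(members configured: {fields.get('Switch Peer Group Members Configured', '?')})"
            )
    if fields.get("DTLS Mode", "").lower() != "enabled":
        findings.append("DTLS Mode is not Enabled: mobility control messages would travel in the clear")
    return findings


if __name__ == "__main__":
    for label, text in (("3850-1 (from the thread)", SAMPLE_3850_1), ("constructed healthy MA", SAMPLE_HEALTHY)):
        f = parse_mobility_summary(text)
        print(f"{label}: role={f.get('Mobility Role')!r} spg={f.get('Mobility Switch Peer Group Name')!r} mc={f.get('mc_ip')}")
        for finding in assess(f) or ["no findings"]:
            print("  -", finding)
```

Run against the 3850-1 output it reports two things: no MC address configured and no SPG membership, which is exactly the state of a node that has nothing pointing it at an MC. Pasting the MC's own output through the same parser shows the other side of the link, so a mismatch (MA says no MC, MC lists the MA as a peer-group member) becomes visible at a glance.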
As always, great article. I am however trying to understand what some really solid benefits and differences are with this new CA. So far everywhere I have read it just seems like CA adds a whole bunch of new fancy words and additional configuration, but it really is doing the same thing as before, such as taking two controllers, creating a CAPWAP tunnel between them and setting up mobility groups. What am I missing here?
This is the best of the BEST forums!
Thanks
Hi,
thank you for this great article, it is very useful.
I have a campus network which consists of 5 buildings, which have respectively 9 MAs, 6 MAs, 8 MAs, 5 MAs, 1 MA. All are Cisco 3850 switches.
I also have 2 WLC5760s that will be installed in only one of the buildings.
The buildings are connected together over an IP MPLS cloud.
Is it possible to deploy a solution in which I use Cisco 3850 MAs in the branches and the WLC5760 as the MC? Meaning, I will not use a Cisco 3850 as MC at the branch side.
I read somewhere that it is not recommended for the MAs and MCs to be connected over a WAN.
Can you please clarify this for me, and if you have any advice on how to design my setup, kindly let me know.
Thanks,
Haitham Jneid
I responded to this in CSC forum
HTH
Rasika
Hi,
thank you for this wonderful and useful article.
I have a campus network which consists of 5 buildings, which have respectively 9 MAs, 6 MAs, 8 MAs, 5 MAs, 1 MA. All MAs are Cisco 3850 switches.
I also have 2 WLC5760s that will be installed in only one of the buildings.
The buildings are connected together over an IP MPLS cloud.
Is it possible to deploy a solution in which I use Cisco 3850 MAs in the branches and the WLC5760 as the MC? Meaning, I will not use a Cisco 3850 as MC at the branch side.
I read somewhere that it is not recommended for the MAs and MCs to be connected over a WAN, as per the link below:
https://blogs.cisco.com/enterprise/converged-access-branch-design-mc-over-wan
Please advise me on how to build my setup. What is the correct design in my case?
thanks,
Haitham Jneid
How far apart are these buildings? What is the delay between each site across this MPLS WAN?
Cisco’s recommendation is that each site should have its own MC rather than a centralized MC.
HTH
Rasika
Hi Rasika,
Thank you for your quick reply,
These buildings are spread over cities. What to do in this case? And if I make one 3850 in each building the MC for that building, is it possible to connect access points to that MC?
And what about the WLC5760 that I have? Should all remote MCs be registered with it, and also the MAs, or will the MAs be registered to their local MC, local to the building?
Please clarify this for me as I am confused.
thanks,
Haitham
Hi Rasika,
If I use an MC (3850) in each branch, the customer is asking me that they need to authenticate corporate users (Corporate SSID) via Active Directory and guest users (GUEST SSID) via the local database on the MC (3850).
Is it possible to integrate the MC (3850) with Active Directory?
How can I configure authentication on the MC (3850) to accomplish the customer’s requests?
Is this a valid design?
Please, I need your support on this.
Thanks,
Haitham Jneid
Can you use a current CUWN 5508 with converged access? Can they both work together? Will it affect anything on the current 5508 which is in CUWN?
You can if the 5508 is running 8.0.x code. Beyond that release it is not supported.
It is not advisable to use the 5508 as MC. Cisco’s recommendation is that a 3850 stack becomes the MC for a given building (note that 5760 EoL/EoS has been announced, so do not think about any centralized MC).
HTH
Rasika
In response to your last comment I want to confirm:
1) So if someone has a 5508 and they upgrade the code to 8.2 or 8.3, they can’t do converged access and use the 5508 as the MC?
2) You mentioned Cisco’s recommendation is to use a 3850 stack for MC. But if it is a big enough building, can’t we utilize a different controller (converged access enabled) and 3650 switches as MAs to keep the cost down? Since all APs will need to connect to these switches, if I have a single stack of 3850 in the MDF and I can’t connect some APs to it, then I can’t get those APs to join the 3850 controller. Unless you mean use the 3850 as the MC and then use additional 3850s or 3650s as MAs for the rest of the building?
3) What do you mean by do not think about any centralized MC? I was looking at the 5760 site and it isn’t so far showing EoL/EoS.
I know it’s a lot of questions, but I’m just trying to clarify and get a better understanding of this converged access.
Please see the response to your 3 queries:
1. Yes, you can’t use a 5508 with 8.2 or 8.3 as MC.
2. There is no other platform that supports the MC role as a centralized controller. You have to use an existing 3850/3650 as MC in a given building.
3. Cisco announced EoL/EoS for the 5760; see below:
https://mrncciew.com/2016/10/19/be-ready-for-your-wlc-refresh/
HTH
Rasika
Thank you so much for the replies. So basically, if anyone wants to do converged access they will need to deploy multiple 3850/3650 as multiple MCs in a given building, for instance:
Floor 1 MC1
Floor 2 MC2, Floor 2 MC2A
Floor 3 MC3 …. and so on
Typically a single MC for a given building (unless you have a very large number of floors).
Refer to this post for some useful references:
https://supportforums.cisco.com/document/12526921/best-practices-and-golden-configs-converged-access-branch-deployment
HTH
Rasika
Also, I have a 2504 in a lab and with 8.0 code it does give me an option to “Enable New Mobility (Converged Access)”. Does that mean I can use it as an MC?
Yes, you can use it with 8.0 code.
Thanks again. I love Cisco, but sometimes the way they introduce features and licensing gives me a headache :).
Hi Nayarasi,
We have deployed converged wireless at our office. We have configured Cisco 3650 and 3850 switches as Mobility Controllers and Agents. Now we are configuring a wireless anchor to move the guest traffic out to the DMZ. We have noticed that the switches configured as Mobility Agent can’t be configured to anchor the traffic. Do we need to change the role of the Mobility Agent to MC, and if so, what will be the impact on users and what do we have to consider technically before doing this?
Regards,
Inam
Hi Inam,
You only need to configure peering between the MC and the Guest Anchor controller (no peering between the MA and the Guest Anchor WLC).
On the MA, when defining the guest WLAN, you can configure the mobility anchor as the MC under the WLAN config:
“mobility anchor ”
HTH
Rasika
Thanks, I will test it and let you know if it worked.
Hi Rasika,
Let’s imagine that I use a Cisco Cat 3650/3850 as a collapsed core/distribution switch at a branch office and there are a couple of 2960-X access layer switches directly connected to the core. Different models of WAPs (1850/2600/2700/2800/3600/3700/3800) are currently connected to the access layer switches. I’m sure that the 3650/3850 switches can be used as MC and that should be my initial deployment. But what if at a later stage I would like to introduce a 5760 WLC as MC and would like to convert the existing core switches to MAs? Am I able to keep the existing topology without reconnecting all the WAPs directly to the core/distr. switches? I’ve heard that the link between the MA and the remote switch MUST be configured as an access port?! What if I have a bunch of existing VLANs on the access switch? What if I have a couple of existing WAPs directly connected to the same access switch?
Thank you.
Nikolay
A few points to remember:
1. Your APs need to connect to the 3650/3850 directly in order to register to the WLC running on that platform (i.e. you can’t have APs connect to a 2960 and then register them to the 3650/3850 WLC).
2. The 5760 is already EoS/EoL, so do not plan to have it in your network.
3. The 3650 and 2960 links should be trunk ports if you have multiple VLANs on your 2960 (note that your APs can’t be on this switch if you want to use the 3650/3850 as WLC).
HTH
Rasika
Hi Rasika,
Thank you for your time and explanations.
Thanks and regards,
Nikolay
Thanks for this blog – here’s one for you: within each LAP via WLC appliances (e.g. 5508), there’s a “High Availability” tab where you’re allowed to configure Primary, Secondary, Tertiary, etc… Have you come across a requirement (and appropriate config/topology) to deploy the WLC appliance as primary, but then the 3850s as secondary? There’s probably a dozen reasons against this, but ones that come to mind quickly would be the LAPs’ firmware and the AP Pass Thru – your thoughts?