In this post we will use a 3850 (acting as MA) to communicate with a centralized 5760 (acting as MC). The diagram below summarizes the overall mobility concept in a Converged Access (CA) deployment.
• A Mobility Domain (MD) is the entire domain across which client roaming is supported. It is a collection of mobility groups. For example, a campus network can be considered as a mobility domain.
• A Mobility Group (MG) is a collection of mobility subdomains across which fast roaming is supported. The mobility group can be one or more buildings within a campus across which frequent roaming is supported.
• A Mobility Subdomain (MSD) is an autonomous portion of the mobility domain network. Each mobility subdomain contains one mobility controller (MC) and a collection of SPGs. A subdomain is equivalent to an 802.11r key domain.
• A Switch Peer Group (SPG) is a collection of mobility agents.
• The Mobility Oracle (MO) acts as the point of contact for mobility events that occur across mobility subdomains. The mobility oracle also maintains a local database of each client in the entire mobility domain, their home and current subdomain. There is only one MO for an entire mobility domain. The Cisco WLC 5700 Series Controllers or CUWN controller can act as MO.
• The Mobility Controller (MC) provides mobility management services for inter-SPG roaming events. The MC sends configuration such as the SPG name and SPG peer member list to all of the mobility agents under its subdomain. The WLC 5700, 3850 Switch, or CUWN controller can act as MC. The MC runs both MC functionality and MA functionality internally.
• The Mobility Agent (MA) is the component that maintains the client mobility state machine for a mobile client. All APs are connected to the mobility agent.
In Converged Access, fast roaming is available within a Mobility Group (not between mobility groups, as in Unified Wireless). For inter-mobility-group roaming, the client has to fully authenticate. Within a mobility group you can have multiple sub-domains. Each sub-domain should have its own MC, which keeps the client database for that sub-domain. Within a sub-domain, you can create SPGs (Switch Peer Groups) to optimize roaming by constraining roaming traffic to a small area (e.g. a building). The diagram below represents this concept.
The next questions are: what is the maximum number of SPGs in a sub-domain, the maximum number of mobility sub-domains (MSD) per MG, and the maximum number of MCs in a mobility domain (MD)? The table below summarizes these limits; keep them in mind when designing CA solutions.
So here is my test topology. Effectively it is a single mobility sub-domain with the 5760 acting as MC and two SPGs.
Let’s configure 3850-2 (MA) to communicate with the 5760 (MC) to register the L3602-1 AP. Here is the basic configuration on the 3850:
3850-2#sh archive config differences nvram:startup-config system:running-config
interface GigabitEthernet1/0/1
+description L3602-1
+switchport access vlan 1610
+switchport mode access
+spanning-tree portfast
+interface Vlan1610
+ip address 10.161.33.22 255.255.254.0
+wireless management interface Vlan1610
Then you need to tell the 3850 about its Mobility Controller (MC) as below. If a firewall or NAT device sits between the MA and the MC, you need to use the “public-ip” option as well. In my configuration it is not required.
3850-2(config)#wireless mobility controller ?
ip no description
peer-group Configures mobility peer groups
<cr>
3850-2(config)#wireless mobility controller ip ?
A.B.C.D IP address of mobility controller
3850-2(config)#wireless mobility controller ip 10.160.49.1 ?
public-ip no description
<cr>
3850-2(config)#wireless mobility controller ip 10.160.49.1
You can verify the 3850 mobility configuration using the “show wireless mobility summary” CLI command. As expected, mobility is down since we haven’t configured the MC yet. The SPG name is also blank; the MA will learn its SPG name via the MC.
3850-2#show wireless mobility summary
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name :
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 0
Switch Peer Group Members Configured : 0
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP              Public IP        Link Status
------------------------------------------------
10.160.49.1     10.160.49.1      DOWN : DOWN
Let’s move on to the 5760 (MC) and start configuring it. We will use “BUN-1” as the group name, then create an SPG called “SPG1” and add 3850-2 as a member of that SPG.
5760-1(config)#wireless mobility group ?
keepalive Keepalive ping parameters to be configured
member Add/Change a Mobility group member to the list
multicast-address Configures the Multicast IP Address for a non-local mobility group
name Configures the Mobility domain name
5760-1(config)#wireless mobility group name ?
WORD Enter ASCII String up to 31 characters, case sensitive
5760-1(config)#wireless mobility group name BUN-1
5760-1(config)#wireless mobility ?
controller Configures mobility controller settings
dscp Configures the Mobility inter controller DSCP value
group Configures the Mobility group parameters
multicast Configures the Multicast Mode for mobility messages
oracle Configures mobility oracle settings
5760-1(config)#wireless mobility controller ?
peer-group Configures mobility peer groups
5760-1(config)#wireless mobility controller peer-group ?
WORD Add or delete a peer group
5760-1(config)#wireless mobility controller peer-group SPG1 ?
bridge-domain-id Configure bridge domain Id
member Add or delete a peer group member
multicast Configures multicast settings of a peer group
<cr>
5760-1(config)#wireless mobility controller peer-group SPG1
5760-1(config)#wireless mobility controller peer-group SPG1 member ?
ip IP address of a peer group member
5760-1(config)#wireless mobility controller peer-group SPG1 member ip ?
A.B.C.D IP address of a peer group member
5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22 ?
public-ip Public IP address of a peer group member
<cr>
5760-1(config)#wireless mobility controller peer-group SPG1 member ip 10.161.33.22
Once you do this, you can see that the mobility paths (control & data) are up.
5760-1#show wireless mobility summary
Mobility Controller Summary:
Mobility Role : Mobility Controller
Mobility Protocol Port : 16666
Mobility Group Name : BUN-1
Mobility Oracle : Disabled
Mobility Oracle IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Mobility Domain Member Count : 1
Link Status is Control Link Status : Data Link Status
Controllers configured in the Mobility Domain:
IP              Public IP    Group Name    Multicast IP    Link Status
-------------------------------------------------------------------------------
10.160.49.1     -            BUN-1         0.0.0.0         UP : UP
Switch Peer Group Name : SPG1
Switch Peer Group Member Count : 1
Bridge Domain ID : 0
Multicast IP Address : 0.0.0.0
IP              Public IP        Link Status
--------------------------------------------------
10.161.33.22    10.161.33.22     UP : UP
Now if you go to 3850-2 and check the mobility summary, you should see that the paths are UP and that it has learned its SPG name as well.
3850-2#show wireless mobility summary
Mobility Agent Summary:
Mobility Role : Mobility Agent
Mobility Protocol Port : 16666
Mobility Switch Peer Group Name : SPG1
Multicast IP Address : 0.0.0.0
DTLS Mode : Enabled
Mobility Domain ID for 802.11r : 0xac34
Mobility Keepalive Interval : 10
Mobility Keepalive Count : 3
Mobility Control Message DSCP Value : 48
Switch Peer Group Members Configured : 1
Link Status is Control Link Status : Data Link Status
The status of Mobility Controller:
IP              Public IP        Link Status
------------------------------------------------
10.160.49.1     10.160.49.1      UP : UP
Switch Peer Group members:
IP              Public IP        Data Link Status
-----------------------------------------------------
10.161.33.22    10.161.33.22     UP
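The before/after comparison of “show wireless mobility summary” above can be automated as a check that the mobility tunnel is DTLS-protected, that the MA has learned its SPG name, and that every peer link is UP. This is an added example, not part of the original post or Cisco tooling; the function names are hypothetical and the sample text is constructed from the output shown on this page, assuming one field per line.

```python
import re

IP_ROW = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")
KEY_VALUE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")

def parse_summary(text):
    """Split the summary into 'name : value' fields and per-peer link states."""
    fields, peers = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        row = IP_ROW.match(line)
        if row:  # peer row: IP first, UP/DOWN columns at the end
            peers.append((row.group(1), re.findall(r"\b(UP|DOWN)\b", line)))
        elif (kv := KEY_VALUE.match(line)):
            fields[kv.group(1)] = kv.group(2).strip()
    return fields, peers

def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    fields, peers = parse_summary(text)
    findings = []
    if fields.get("DTLS Mode") != "Enabled":
        findings.append("DTLS mode is not Enabled")
    if (fields.get("Mobility Role") == "Mobility Agent"
            and not fields.get("Mobility Switch Peer Group Name")):
        findings.append("MA has not learned its SPG name from the MC")
    if not peers:
        findings.append("no mobility peers listed")
    for ip, states in peers:
        if not states or "DOWN" in states:
            findings.append(f"peer {ip} link not UP: {'/'.join(states)}")
    return findings

# Constructed sample: abridged from the MA output on this page, one field per line.
TEMPLATE = """\
Mobility Role                     : Mobility Agent
Mobility Switch Peer Group Name   : {spg}
DTLS Mode                         : Enabled
IP              Public IP        Link Status
10.160.49.1     10.160.49.1      {state}
"""
MA_BEFORE = TEMPLATE.format(spg="", state="DOWN : DOWN")
MA_AFTER = (TEMPLATE.format(spg="SPG1", state="UP : UP")
            + "10.161.33.22    10.161.33.22     UP\n")

if __name__ == "__main__":
    print(audit(MA_BEFORE))  # state before the MC was configured
    print(audit(MA_AFTER))   # state after SPG1 membership was added
```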
Now let’s try to register the AP. Prior to that, make sure your 5760/3850 is configured for the correct regulatory domain/country code. Keep in mind that you need to disable the radio bands prior to changing the country code.
5760-1#show wireless country configured
Configured Country.............................: US - United States
Configured Country Codes
US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
5760-1(config)#ap dot11 5ghz shutdown
5760-1(config)#ap dot11 24ghz shutdown
5760-1(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
5760-1(config)#no ap dot11 5ghz shutdown
5760-1(config)#no ap dot11 24ghz shutdown
5760-1# show wireless country configured
Configured Country.............................: AU - Australia
Configured Country Codes
AU - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Make sure you have the same configured on your MA as well.
3850-2#show wireless country configured
Configured Country.............................: US - United States
Configured Country Codes
US - United States : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
3850-2(config)#ap dot11 5ghz shutdown
3850-2(config)#ap dot11 24ghz shutdown
3850-2(config)#ap country AU
Changing country code could reset channel and RRM grouping configuration. If running in RRM One-Time mode, reassign channels after this command. Check customized APs for valid channel values after this command.
Are you sure you want to continue? (y/n)[y]: y
3850-2(config)#no ap dot11 5ghz shutdown
3850-2(config)#no ap dot11 24ghz shutdown
3850-2(config)#do show wireless country configured
Configured Country.............................: AU - Australia
Configured Country Codes
AU - Australia : 802.11a Indoor,Outdoor/ 802.11b / 802.11g
Here is the AP console output of a successful registration.
*Mar 1 00:00:28.563: %SSH-5-ENABLED: SSH 2.0 has been enabled
*Mar 1 00:00:29.039: %LINEPROTO-5-UPDOWN: Line protocol on Interface BVI1, changed state to up
*Mar 1 00:00:31.951: %SOAP_FIPS-2-SELF_TEST_HW_SUCCESS: HW crypto FIPS self test passed
*Mar 1 00:00:31.951: DPAA Initialization Complete
*Mar 1 00:00:31.951: %SYS-3-HARIKARI: Process DPAA INIT top-level routine exited
*Mar 1 00:00:32.951: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0, changed state to up
%Default route without gateway, if not a point-to-point interface, may impact performance
*Mar 1 00:00:56.927: Logging LWAPP message to 255.255.255.255.
*Mar 1 00:01:01.667: %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
*Mar 1 00:01:02.755: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to up
*Mar 1 00:01:03.047: %DHCP-6-ADDRESS_ASSIGN: Interface BVI1 assigned DHCP address 10.161.33.241, mask 255.255.254.0, hostname L3602-1
*Mar 1 00:01:03.755: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio0, changed state to up
*Mar 1 00:01:03.847: %LINK-6-UPDOWN: Interface Dot11Radio1, changed state to up
*Mar 1 00:01:04.847: %LINEPROTO-5-UPDOWN: Line protocol on Interface Dot11Radio1, changed state to up
Translating "CISCO-CAPWAP-CONTROLLER.ltu.edu.au"...domain server (131.172.2.2)
*Mar 1 00:01:12.967: %CAPWAP-3-ERRORLOG: Did not get log server settings from DHCP.
*Mar 1 00:01:12.967: %CAPWAP-3-ERRORLOG: Could Not resolve CISCO-CAPWAP-CONTROLLER.ltu.edu.au
*Mar 1 00:01:22.967: %CAPWAP-3-ERRORLOG: Go join a capwap controller
*Dec 12 22:15:38.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: 10.161.33.22 peer_port: 5246
*Dec 12 22:15:40.223: %CAPWAP-5-SENDJOIN: sending Join Request to 10.161.33.22
*Dec 12 22:15:40.559: %LINK-6-UPDOWN: Interface Dot11Radio0, changed state to down
*Dec 12 22:15:40.567: %LINK-5-CHANGED: Interface Dot11Radio0, changed state to reset
*Dec 12 22:15:40.571: %CAPWAP-5-JOINEDCONTROLLER: AP has joined controller 3850-2
*Dec 12 22:15:40.631: ac_first_hop_mac - IP:10.161.33.22 Hop IP:10.161.33.22 IDB:BVI1
*Dec 12 22:15:40.635: Setting AC first hop MAC: 7c95.f380.27e7
If you look at the MA, you should see that L3602-1 is registered to it. If you look at the license, the MA does not have any AP license; it always comes from an MC.
3850-2#show ap summary
Number of APs: 1
Global AP User Name: Not configured
Global AP Dot1x User Name: Not configured
AP Name      AP Model    Ethernet MAC      Radio MAC         State
----------------------------------------------------------------------------------------
L3602-1      3602I       4c00.82df.a4c1    f84f.57e3.1460    Registered
3850-2#sh license right-to-use summary
License Name    Type         Count    Period left
-----------------------------------------------
ipbase          permanent    N/A      Lifetime
apcount         base         0        Lifetime
apcount         adder        0        Lifetime
--------------------------------------------
License Level In Use: ipbase
License Level on Reboot: ipbase
Evaluation AP-Count: Disabled
Total AP Count Licenses: 0
AP Count Licenses In-use: 0
AP Count Licenses Remaining: 0
On my 5760, I can see this AP
5760-1#show wireless mobility ap-list
Number of AP entries in the mobility group : 2
Number of AP entries in the sub-domain : 2
AP name             AP radio MAC      Controller IP    Learnt from
--------------------------------------------------------------------------------------
APccef.4872.0fc3    2c3f.382b.5260    10.160.49.1      Self
L3602-1             f84f.57e3.1460    10.161.33.22     Mobility Agent
Controller IP    AP Count
----------------------------
10.160.49.1      1
10.161.33.22     1
Here is a CSC forum post listing all the useful CA reference materials. Please read all of them if you are interested in learning more.
https://supportforums.cisco.com/thread/2249117
