At times you may want to configure static IP addresses for wireless clients. When these wireless clients move about in a network, they may try associating with other controllers. If a client tries to associate with a controller that does not support the subnet of its static IP address, the client fails to connect to the network. With WLC 7.0.116.0 you can enable dynamic tunneling of clients with static IP addresses.
Here is my topology to test this out. The static client is roaming towards LWAP2, where it associates with WLC3, which does not have a dynamic interface on the same subnet as the client's static IP. Under normal circumstances this roam would fail.
You can configure the “Static IP Tunneling” feature under the Advanced settings of the WLAN.
You can configure the same with the CLI command “config wlan static-ip-tunneling {enable|disable} <wlan_id>”. The “show wlan” command can be used to verify whether this feature is enabled or disabled.
(WLC3) >show wlan 5
WLAN Identifier.................................. 5
Profile Name..................................... data1
Network Name (SSID).............................. data1
Status........................................... Enabled
MAC Filtering.................................... Disabled
Broadcast SSID................................... Enabled
AAA Policy Override.............................. Disabled
Network Admission Control
  Radius-NAC State............................... Disabled
  SNMP-NAC State................................. Disabled
  Quarantine VLAN................................ 0
Maximum number of Associated Clients............. 0
Number of Active Clients......................... 1
Exclusionlist Timeout............................ 60 seconds
Session Timeout.................................. 1800 seconds
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ data1
Multicast Interface.............................. Not Configured
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
Static IP client tunneling....................... Enabled
Once the static client associates to LWAP2, you can check the client association details from both controllers. Here are the details as shown on WLC3. A key point to remember here: the WLC3 mobility state is “Export Foreign”. In normal layer 3 roaming the WLC3 state would be “Foreign”.
(WLC3) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN           Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:22:fa:94:68:58 LWAP-02           Associated    5              Yes  802.11a          1    N/A
(WLC3) >show client detail 00:22:fa:94:68:58
Client MAC Address............................... 00:22:fa:94:68:58
Client Username ................................. user1
AP MAC Address................................... a0:cf:5b:9e:e8:20
AP Name.......................................... LWAP-02
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 5
BSSID............................................ a0:cf:5b:9e:e8:2b
Connected For ................................... 168 secs
Channel.......................................... 149
IP Address....................................... 10.10.14.60
Association Id................................... 1
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... 4
Client E2E version............................... 1
Re-Authentication Timeout........................ 1631
QoS Level........................................ Platinum
802.1P Priority Tag.............................. disabled
WMM Support...................................... Enabled
Power Save....................................... ON
Current Rate..................................... 54.0
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Mobility State................................... Export Foreign
Mobility Anchor IP Address....................... 10.10.112.10
Mobility Move Count.............................. 0
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
Policy Type...................................... WPA2
Authentication Key Management.................... 802.1x
Encryption Cipher................................ CCMP (AES)
Management Frame Protection...................... No
EAP Type......................................... EAP-FAST
Interface........................................ data1
VLAN............................................. 22
Quarantine VLAN.................................. 0
Access VLAN...................................... 22
Here are the details as shown on WLC2. Here as well, the WLC2 mobility state is shown as “Export Anchor”, whereas in a normal layer 3 roam the mobility state is “Anchor”.
(WLC2) >show client summary
Number of Clients................................ 1
MAC Address       AP Name           Status        WLAN/GLAN      Auth Protocol         Port Wired
----------------- ----------------- ------------- -------------- ---- ---------------- ---- -----
00:22:fa:94:68:58 10.10.120.140     Associated    5              Yes  Mobile           29   No
(WLC2) >show client detail 00:22:fa:94:68:58
Client MAC Address............................... 00:22:fa:94:68:58
Client Username ................................. N/A
AP MAC Address................................... 00:00:00:00:00:00
AP Name.......................................... N/A
Client State..................................... Associated
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 5
BSSID............................................ 00:00:00:00:00:ff
Connected For ................................... 207 secs
Channel.......................................... N/A
IP Address....................................... 10.10.14.60
Association Id................................... 0
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Client CCX version............................... No CCX support
Mirroring........................................ Disabled
QoS Level........................................ Platinum
802.1P Priority Tag.............................. 6
WMM Support...................................... Disabled
Supported Rates..................................
Mobility State................................... Export Anchor
Mobility Foreign IP Address...................... 10.10.120.140
Mobility Move Count.............................. 1
Security Policy Completed........................ Yes
Policy Manager State............................. RUN
Policy Manager Rule Created...................... Yes
ACL Name......................................... none
ACL Applied Status............................... Unavailable
NPU Fast Fast Notified........................... Yes
Policy Type...................................... N/A
Encryption Cipher................................ None
Management Frame Protection...................... No
EAP Type......................................... 0
Interface........................................ data1
VLAN............................................. 14
Quarantine VLAN.................................. 0
Access VLAN...................................... 14
Here is the exact process of static client roaming.
1. When the client moves to AP2, the client IP address is updated either through orphan packet handling or through ARP request processing by WLC3.
2. Since the client's IP subnet is not supported on WLC3, WLC3 sends a static IP mobile announcement to the rest of the controllers in the mobility list.
3. Since WLC2 supports this client subnet, it responds to the announcement from WLC3.
4. As a result, WLC3 becomes the “Export Foreign” controller, whereas WLC2 becomes the “Export Anchor” controller.
5. Once WLC2 sends the acknowledgment, client traffic is tunneled to WLC2.
A few restrictions apply when configuring static IP tunneling with other features on the same WLAN.
1. Auto Anchoring Mobility (Guest Tunneling) cannot be configured for the same WLAN.
2. H-REAP local authentication cannot be configured for the same WLAN.
3. The DHCP Required option cannot be configured for the same WLAN.
If you enable “debug mobility handoff” you can see these WLC state changes during client association. Here is the debug output of WLC3 (Export Foreign).
(WLC3) >debug mobility handoff enable
(WLC3) >*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: 00:22:fa:94:68:58 Zeroize AAA Overrides from local for station
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: Sending 802.11i PMK (Version_1) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: 00:22:fa:94:68:58 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: Sending 802.11i PMK (Version_2) information to mobility group
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.993: 00:22:fa:94:68:58 0 PMK-update groupcast messages sent
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.998: 00:22:fa:94:68:58 Mobility query, PEM State: L2AUTHCOMPLETE
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 Anchor Export: Client IP: 10.10.14.60, Anchor IP: 10.10.112.10
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 16 seq: 139 len 250 flags 0
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 0
*Dot1x_NW_MsgTask_0: Mar 25 06:34:54.000: 00:22:fa:94:68:58 VLAN IP: 10.10.22.130, netmask: 255.255.255.128
*Dot1x_NW_MsgTask_0: Mar 25 06:34:54.000: 00:22:fa:94:68:58 10.10.14.60 DHCP_REQD (7) Warning!: export foreign state set on client of non-export anchor wlan anchor switch: 10.10.112.10
*Dot1x_NW_MsgTask_0: Mar 25 06:34:54.001: 00:22:fa:94:68:58 10.10.14.60 DHCP_REQD (7) Plumbing duplex mobility tunnel to 10.10.112.10 as Export Foreign (VLAN 22)
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 10.10.112.10, port 16666
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 16 seq: 265 len 275 flags 0
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58 group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58 mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 1
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58 VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*mmListen: Mar 25 06:34:54.002: Switch IP: 10.10.112.10
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58 Received Anchor Export Ack for client from Switch IP: 10.10.112.10
*mmListen: Mar 25 06:34:54.002: 00:22:fa:94:68:58 Anchor Mac: 00:0b:85:40:a1:c0, Old Foreign Mac: 00:1b:d5:cf:e6:00 New Foreign Mac: 00:1b:d5:cf:e6:00
*apfReceiveTask: Mar 25 06:34:54.003: 00:22:fa:94:68:58 10.10.14.60 DHCP_REQD (7) mobility role update request from Export Foreign to Export Foreign Peer = 10.10.112.10, Old Anchor = 10.10.112.10, New Anchor = 10.10.112.10
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Warning!: export foreign state set on client of non-export anchor wlan anchor switch: 10.10.112.10
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Plumbing duplex mobility tunnel to 10.10.112.10 as Export Foreign (VLAN 22)
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 Mobility Response: IP 10.10.14.60 code Anchor Grant (4), reason Anchor exported (4), PEM State RUN, Role Export Foreign(5)
Here is the debug output of WLC2 (Export Anchor).
(WLC2) >debug mobility handoff enable
(WLC2) >*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 16 seq: 139 len 250 flags 0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 group id: d8475d5f c64367e3 4d21c8d6 ef580f61
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 VLAN IP: 10.10.22.130, netmask: 255.255.255.128
*mmListen: Mar 24 19:37:39.966: Switch IP: 10.10.120.140
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Received Anchor Export request: from Switch IP: 10.10.120.140
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Anchor request for static IP client tunneling.
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 mmAnchorExportRcv:, Mobility role is ExpAnchor.
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Received Anchor Export policy update, valid mask 0x0: Qos Level: 2, DSCP: 0, dot1p: 0 Interface Name: , ACL Name:
*mmListen: Mar 24 19:37:39.966: Anchor Mac : 00.0b.85.40.a1.c0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 Mobility packet sent to:
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 10.10.120.140, port 16666
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 16 seq: 265 len 275 flags 0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 group id: fe2f34f3 9b7a7cea 68f48181 316db999
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 mobile MAC: 00:22:fa:94:68:58, IP: 10.10.14.60, instance: 1
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 VLAN IP: 10.10.14.10, netmask: 255.255.255.0
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Warning!: export anchor state set on client of non-export anchor wlan foreign switch: 10.10.120.140
*mmListen: Mar 24 19:37:39.966: 00:22:fa:94:68:58 10.10.14.60 RUN (20) Plumbing duplex mobility tunnel to 10.10.120.140 as Export Anchor (VLAN 14)
*spamReceiveTask: Mar 24 19:37:48.685: Mobility packet sent to:
*spamReceiveTask: Mar 24 19:37:48.685: 10.10.111.10, port 16666
*spamReceiveTask: Mar 24 19:37:48.685: type: 19(ApListUpdate) subtype: 0 version: 1 xid: 261 seq: 266 len 52 flags 0
*spamReceiveTask: Mar 24 19:37:48.685: group id: fe2f34f3 9b7a7cea 68f48181 316db999
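To confirm from a saved “debug mobility handoff” capture that the export handshake in the steps above completed, the following added example (not part of the original post and not Cisco code) pairs each sent MobileAnchorExport with its MobileAnchorExportAck and reports the resulting role. The function names are hypothetical; it assumes the log line layout shown in the WLC3 output above and that the Ack carries the same xid as the request, as it does in that output.

```python
import re

# Constructed sample: lines reduced from the WLC3 debug output above.
SAMPLE = """\
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 Mobility packet sent to:
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 10.10.112.10, port 16666
*Dot1x_NW_MsgTask_0: Mar 25 06:34:53.999: 00:22:fa:94:68:58 type: 16(MobileAnchorExport) subtype: 0 version: 1 xid: 16 seq: 139 len 250 flags 0
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 Mobility packet received from:
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 10.10.112.10, port 16666
*mmListen: Mar 25 06:34:54.001: 00:22:fa:94:68:58 type: 17(MobileAnchorExportAck) subtype: 0 version: 1 xid: 16 seq: 265 len 275 flags 0
*apfReceiveTask: Mar 25 06:34:54.005: 00:22:fa:94:68:58 Mobility Response: IP 10.10.14.60 code Anchor Grant (4), reason Anchor exported (4), PEM State RUN, Role Export Foreign(5)
"""

HDR = re.compile(r"Mobility packet (sent to|received from):")
PEER = re.compile(r"(\d+\.\d+\.\d+\.\d+), port \d+")
TYPE = re.compile(r"type: (\d+)\((\w+)\).*?xid: (\d+)")
ROLE = re.compile(r"Role (Export (?:Foreign|Anchor))")

def parse_packets(text):
    """Return one dict per mobility packet: direction, peer, type, name, xid."""
    packets, cur = [], None
    for line in text.splitlines():
        if m := HDR.search(line):
            cur = {"direction": m.group(1).split()[0], "peer": None}
        elif cur is not None and cur["peer"] is None and (m := PEER.search(line)):
            cur["peer"] = m.group(1)
        elif cur is not None and (m := TYPE.search(line)):
            cur.update(type=int(m.group(1)), name=m.group(2), xid=int(m.group(3)))
            packets.append(cur)
            cur = None
    return packets

def check_export_handshake(text):
    """Pair each sent MobileAnchorExport (16) with a received Ack (17).

    Assumption: the Ack echoes the request's xid, as in the output above.
    """
    packets = parse_packets(text)
    acks = {(p["peer"], p["xid"]) for p in packets
            if p["type"] == 17 and p["direction"] == "received"}
    exports = [{"anchor": p["peer"], "xid": p["xid"],
                "acked": (p["peer"], p["xid"]) in acks}
               for p in packets if p["type"] == 16 and p["direction"] == "sent"]
    role = ROLE.search(text)
    return {"exports": exports, "role": role.group(1) if role else None}

if __name__ == "__main__":
    print(check_export_handshake(SAMPLE))
```

An export that shows `acked: False` means no controller in the mobility list answered for the client's subnet, which is the case where the roam fails.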
Refer to the WLC 7.0.116.0 configuration guide (pages 14-30) for more details.
