Cisco Unified Wireless Network Administration: Roaming and Mobility

2010 Cisco Systems, Inc. All rights reserved. CUWN v7.03-1

Lesson Overview & Objectives


Overview: This lesson provides a detailed discussion of client roaming between APs and controllers in a Cisco Unified Wireless Network environment.

Objectives: Upon completing this lesson, you will be able to establish and configure mobility groups to support roaming. This ability includes being able to meet these objectives:

- List three of the Cisco Best Practices for roaming
- Describe client roaming within a Layer 2 subnetwork
- Describe client roaming within a Layer 3 subnetwork
- Describe the configuration of the Mobility Group
- Describe IRCM
- Identify the two caveats to be aware of when using IRCM
- Explain how to configure Mobility Anchors

2008, Cisco Systems, Inc. All rights reserved. Printed in USA.


Cisco Wireless Roaming
- Roaming refers to movement of clients across Cisco APs, Cisco REAPs, and third-party APs.
- A mobility group is a group of WLAN controllers that are set up to allow roaming amongst themselves.
- The Cisco WLC can belong to only a single mobility group.
- A maximum of 24 Cisco WLCs may belong to a single mobility group.
- Roaming is supported across mobility groups.
- Cisco wireless requires the following for mobility groups:
  - Consistent mobility group membership
  - Consistent ACLs configured on all member controllers
- Two types of roaming:
  - Layer 2 (intra-subnet) roaming
  - Layer 3 (inter-subnet) roaming

Roaming Best Practices


- All controllers in the mobility group should use the same IP address for their virtual interface, and the virtual interface IP address must not be routable.
- IP connectivity must exist between the management interfaces of all controllers in the mobility group.
- In most situations, all controllers must be configured with the same mobility group name.
- You must have gathered the MAC and IP addresses for each controller in a mobility group.
- Do not create unnecessarily large mobility groups. Include only controllers that are in the area in which a client can roam.
- Try to accommodate the AP distribution across controllers in the mobility group. Avoid salt-and-pepper AP placement.
- If using version 5.x or later, take advantage of the multicast mobility feature.
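
A small audit of a controller inventory against the practices above and the 24-controller limit, as an added example (not Cisco's code and not part of the original slides). The dictionary keys and sample addresses are constructed, each mobility list is assumed to include the controller's own entry, and "not routable" is approximated as "not globally routable".

```python
import ipaddress

MAX_GROUP_MEMBERS = 24  # per-group limit stated on the slides

def audit_mobility_group(controllers):
    """Return a list of findings for one intended mobility group.

    Each controller is a dict with hypothetical keys: name, mac, mgmt_ip,
    group, virtual_ip, and members (the (mac, ip) pairs in its mobility list).
    """
    findings = []
    if len(controllers) > MAX_GROUP_MEMBERS:
        findings.append(f"group has {len(controllers)} controllers (max {MAX_GROUP_MEMBERS})")
    groups = {c["group"] for c in controllers}
    if len(groups) > 1:
        findings.append(f"mobility group names differ: {sorted(groups)}")
    vips = {c["virtual_ip"] for c in controllers}
    if len(vips) > 1:
        findings.append(f"virtual interface IPs differ: {sorted(vips)}")
    for vip in sorted(vips):
        # Assumption: "not routable" is checked as "not globally routable".
        if ipaddress.ip_address(vip).is_global:
            findings.append(f"virtual interface IP {vip} is globally routable")
    # Consistent membership: every mobility list should hold the same
    # (MAC, management IP) pairs, one per controller in the group.
    expected = {(c["mac"].lower(), c["mgmt_ip"]) for c in controllers}
    for c in controllers:
        listed = {(mac.lower(), ip) for mac, ip in c["members"]}
        for mac, ip in sorted(expected - listed):
            findings.append(f"{c['name']}: missing member {mac} {ip}")
        for mac, ip in sorted(listed - expected):
            findings.append(f"{c['name']}: unexpected member {mac} {ip}")
    return findings

# Constructed sample inventory (not from the slides).
WLC1 = ("00:1a:2b:00:00:01", "10.10.1.5")
WLC2 = ("00:1a:2b:00:00:02", "10.10.2.5")
SAMPLE = [
    {"name": "wlc-1", "mac": WLC1[0], "mgmt_ip": WLC1[1], "group": "campus",
     "virtual_ip": "192.0.2.1", "members": [WLC1, WLC2]},
    {"name": "wlc-2", "mac": WLC2[0], "mgmt_ip": WLC2[1], "group": "Campus",
     "virtual_ip": "1.1.1.1", "members": [WLC2]},
]

if __name__ == "__main__":
    for line in audit_mobility_group(SAMPLE):
        print(line)
```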

Cisco Wireless Layer 2 Roaming


- Single Cisco WLC or multiple Cisco WLCs are in the same subnetwork.
- Roaming is transparent to the client.
- The session is sustained during connection to the new AP.
- The client continues using the same DHCP-assigned or static IP address.
- Reauthentication is required if the client sends a DHCP discover with a 0.0.0.0 client IP address or a 169.254.*.* client auto-IP address or when the operator-set session timeout is exceeded.



Client Roaming within a Subnet
Layer 2 Roam
[Figure: WLC-1 and WLC-2 on VLAN X, each with a client database; client data (MAC, IP, QoS, security); mobility message exchange between WLC-1 and WLC-2; pre-roaming data path.]

Client Roaming within a Subnet
Layer 2 Roam (Cont.)
[Figure: same topology after the client roams to a different AP; client data (MAC, IP, QoS, security); mobility message exchange between WLC-1 and WLC-2; roaming data path.]



Cisco Wireless Layer 3 Roaming
- Multiple Cisco WLCs in different subnetworks.
- Transparent to the client.
- The session is sustained during connection to the new AP.
- Tunnel between the anchor Cisco WLC and foreign Cisco WLC and special handling of the client traffic by both controllers allows the client to continue using the same DHCP or client-assigned IP address while the session remains active.
- Reauthentication is required if the client sends a DHCP discover with a 0.0.0.0 client IP address or a 169.254.*.* client auto-IP address or when the operator-set session timeout is exceeded.
- Set up via a symmetric tunnel between the anchor WLC and the foreign WLC.


Client Roaming Between Subnets
Layer 3 Roam
[Figure: WLC-1 on VLAN X and WLC-2 on VLAN Z, each with a client database holding client data (MAC, IP, QoS, security); mobility message exchange between WLC-1 and WLC-2; pre-roaming data path.]

Client Roaming Between Subnets
Layer 3 Roam (Cont.)
[Figure: same topology after the client roams to a different AP; WLC-1 is the anchor controller and WLC-2 the foreign controller, joined by an encrypted data tunnel; mobility message exchange between WLC-1 and WLC-2; pre-roaming data path.]


Mobility Group Configuration



Creating and Managing Mobility Group Members

Two methods for defining the mobility group: add a member using either the New or Edit All option, in which all members are represented in a text format.

Mobility Group Communications


- Whenever a new client joins a controller, the controller sends out a message to all of the controllers in the mobility group.
- In release 5.0 and later, this messaging can be set up to use multicast, rather than unicast.
- The controller to which the client was previously connected passes on the status of the client.
- All mobility message exchanges between controllers are carried out using UDP packets on port 16666 (if using IPSec encryption, port 16667).
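
Because mobility messaging is confined to these UDP ports between controllers, flow records can be checked against the mobility list. The following is an added example, not part of the original slides; the flow-record format, the addresses, and the `require_ipsec` policy switch are constructed for illustration.

```python
import ipaddress

# UDP ports the slide gives for mobility messaging.
MOBILITY_PORTS = {16666: "cleartext", 16667: "ipsec"}

def review_flows(lines, controller_mgmt_ips, require_ipsec=False):
    """Return alerts for mobility-port flows that do not fit the mobility list.

    lines: flow records as 'proto,src_ip,dst_ip,dst_port' (constructed format).
    controller_mgmt_ips: management IPs of the controllers in the mobility list.
    require_ipsec: hypothetical site policy that mobility messaging is encrypted.
    """
    members = {ipaddress.ip_address(ip) for ip in controller_mgmt_ips}
    alerts = []
    for line in lines:
        proto, src, dst, dport = (f.strip() for f in line.split(","))
        port = int(dport)
        if proto.lower() != "udp" or port not in MOBILITY_PORTS:
            continue
        src_known = ipaddress.ip_address(src) in members
        dst_known = ipaddress.ip_address(dst) in members
        if not (src_known or dst_known):
            continue  # same port number, but no controller involved
        if not (src_known and dst_known):
            alerts.append((src, dst, port, "peer-not-in-mobility-list"))
        elif require_ipsec and MOBILITY_PORTS[port] == "cleartext":
            alerts.append((src, dst, port, "cleartext-mobility"))
    return alerts

# Constructed sample data (addresses are illustrative).
CONTROLLERS = ["10.10.1.5", "10.10.2.5"]
FLOWS = [
    "udp,10.10.1.5,10.10.2.5,16666",    # controller to controller, cleartext port
    "udp,10.10.2.5,10.10.1.5,16667",    # controller to controller, IPSec port
    "udp,10.20.30.40,10.10.1.5,16666",  # non-member talking to a controller
    "tcp,10.10.1.5,10.10.2.5,16666",    # wrong protocol, ignored
    "udp,10.9.9.9,10.8.8.8,16666",      # no controller involved, ignored
]

if __name__ == "__main__":
    for alert in review_flows(FLOWS, CONTROLLERS, require_ipsec=True):
        print(alert)
```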



Seamless Roaming Between Mobility Groups
- Controllers can communicate and clients can roam between mobility groups.
- Release 5.1 or later supports up to 24 controllers in a mobility group and up to 72 controllers in the mobility list.
- When a client crosses a mobility group boundary, the client is fully authenticated, but the IP address is maintained, and an Ethernet IP tunnel is initiated for Layer 3 roaming.
- Cisco Centralized Key Management and PKC are supported only for intra-mobility-group roaming.


Client Roaming Between Subnets
Layer 3 Roam: Different Mobility Groups
[Figure: WLC-1 (Mobility Group 1, VLAN X) and WLC-2 (Mobility Group 2, VLAN Z), each with a client database holding client data (MAC, IP, QoS, security); mobility message exchange between WLC-1 and WLC-2; encrypted data tunnel between the anchor controller and the foreign controller; pre-roaming data path. Client roams to a different AP: controller in a different mobility group, client reauthentication required.]


Inter-release Controller Mobility
- Available in release 6.0
- Supports seamless mobility and Cisco Unified wireless network services across controllers with different software versions.
- Allows features such as mobility (Layer 2/Layer 3 roaming, CCKM Fast Roaming), RRM, AP Fallback, Guest Access, WCS, MFP, and Rogue Detection.
- For example, two controllers, one running version 4.2.x and another controller running version 6.0.x code, will be able to support roaming and AP Fallback across the two controllers.


Scenarios Where IRCM Would Be Used


- During controller upgrade: certain sections of the network may still be on old code
- End of Life support for APs: certain sections of the network cannot be upgraded until the older EoL APs are replaced
- Guest Access across geographical locations: remote and anchor controllers may be running on different code versions



Mobility Features Affected By IRCM
- Layer 2 and Layer 3 roaming
  - Supported between 4.2.207 and 6.0.188 code.
  - Version number of the mobility packet was incremented in 5.2 and later releases.
  - Controller will keep track of the mobility version number of other controllers in its mobility list and communicate accordingly.
  - Feature support across controllers in the mobility list would be of the lowest common denominator.
- Guest access termination
  - Ether-over-IP (EoIP) tunnels for guest access will be supported between 4.2.x and 6.0.x controllers.
  - Anchor and remote controller can have different software versions.

Caveats For IRCM


- Controllers on version 5.1 or earlier code support both symmetric tunneling and asymmetric tunneling. Controllers on version 5.2 or later code support only symmetric tunneling.
  - Version 5.1 and earlier controllers need to be configured for symmetric tunneling to support Layer 3 roaming with controllers running 5.2 or later code.
- Controllers on version 5.0 or later code support mobility multicast, but controllers on 4.2.207 (4.2.MR4) do not support mobility multicast.
  - Version 4.2 controllers cannot be in a mobility group that is using mobility multicast.
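
The two caveats can be checked mechanically before mixing releases in one mobility list. This is an added example, not Cisco's code or part of the original slides; the dictionary keys and the sample controllers are constructed, and the multicast rule is applied to every release before 5.0, following the slide's "5.0 or later" wording.

```python
def parse_release(text):
    """'4.2.207' -> (4, 2, 207); only the numeric dotted form is handled."""
    return tuple(int(part) for part in text.split("."))

def ircm_findings(controllers, multicast_enabled):
    """Check a mobility list against the two IRCM caveats.

    controllers: dicts with hypothetical keys name, release, symmetric_tunneling.
    multicast_enabled: True if the mobility group uses mobility multicast.
    Returns (findings, lowest_release); features follow the lowest release.
    """
    findings = []
    releases = {c["name"]: parse_release(c["release"]) for c in controllers}
    has_52_or_later = any(r[:2] >= (5, 2) for r in releases.values())

    for c in controllers:
        rel = releases[c["name"]]
        # Caveat 1: 5.2+ is symmetric-only, so 5.1-and-earlier peers must be
        # configured for symmetric tunneling for Layer 3 roaming with them.
        if has_52_or_later and rel[:2] <= (5, 1) and not c["symmetric_tunneling"]:
            findings.append(f"{c['name']} ({c['release']}): enable symmetric tunneling")
        # Caveat 2: releases before 5.0 do not support mobility multicast.
        if multicast_enabled and rel[:2] < (5, 0):
            findings.append(f"{c['name']} ({c['release']}): no mobility multicast support")

    lowest = min(releases.values())
    return findings, ".".join(str(n) for n in lowest)

# Constructed sample mobility list (names and settings are illustrative).
IRCM_SAMPLE = [
    {"name": "wlc-a", "release": "4.2.207", "symmetric_tunneling": False},
    {"name": "wlc-b", "release": "5.1.151", "symmetric_tunneling": True},
    {"name": "wlc-c", "release": "6.0.188", "symmetric_tunneling": True},
]

if __name__ == "__main__":
    found, lowest = ircm_findings(IRCM_SAMPLE, multicast_enabled=True)
    print("lowest common release:", lowest)
    for line in found:
        print(line)
```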



Cisco Wireless Mobility Anchor
[Figure: anchor controller and foreign controller with clients A and C; addresses shown: 3.3.3.3, 4.4.4.2, 5.5.5.2, 4.4.4.4. Client traffic travels a symmetric path.]


Cisco Wireless Mobility Anchor
Guest Tunneling Example
[Figure: Internet, foreign controller, anchor controller, SSID: Internal, SSID: GUEST, guest client; addresses shown: 4.4.4.2, 4.4.4.4.]
Tunnels are not per user but per SSID (for the inside Controller), which requires a mobility anchor Controller.



Cisco Wireless Mobility Anchor
Message Flow
[Figure: Normal Mobility Event: Client Announce and No Handoff messages between the foreign controller and the anchor controller (shown three times), then "Timeout; Foreign Now Becomes Anchor for Client". Mobility Anchor Event (Guest Tunneling Example): Export Anchor Request and Export Anchor Request ACK between the foreign controller (Export Foreign) and the anchor controller (Export Anchor).]


Cisco Wireless Mobility Anchor


Considerations
- Initial contact Controller may receive a handoff for the client during the client announce.
- If the handoff does not specify a configured anchor Controller, the handoff will be discarded.
- A foreign session to the anchor is set up ahead of client IP address determination.
- The foreign Controller will have no knowledge of Layer 3 client information.
- Web Authentication is supported, but authentication will occur on the mobility anchor as opposed to the local Controller.
- Not supported on 2xxx Series Controllers or Cisco WLCM.



Configuring Mobility Anchors in WLANs


Controller > Mobility Management > Mobility Statistics
Viewing Mobility Statistics



Summary
- The Cisco Unified Wireless Network environment allows for roaming between APs.
- Layer 2 roaming occurs whenever a client roams between APs on the same Controller.
- A Layer 3 roam event requires more processing power and controller coordination than a Layer 2 roam event.
- All controllers that will be part of the same mobility group must be configured to have the same default mobility domain name.
- Inter-release Controller Mobility (IRCM) is a new feature that allows seamless roaming.
- There are two caveats to be aware of when taking advantage of the IRCM feature.
- Mobility anchors in WLANs need to be configured.
