Wireless LAN roaming question over Layer 3 LAN infrastructure

Nov 18th, 2013

Hi


My knowledge on WLAN is very limited so my question may sound very basic.


Layer 3 uplinks between collapsed core/distribution and access layer switches on each floor. Hence AP on each floor is on a different VLAN/subnet.


When a client migrates between APs, it retains the SSID and it also retains its OLD DHCP address – it does not request a new one. Therefore, when the client moves from one floor to another it keeps the IP from the previous floor.


Is it normal behavior that the client will maintain the same IP address when moving between floors (where the APs are on different IP subnets) to maintain IP connectivity?

devils_advocate Mon, 11/18/2013 - 07:32

The short answer is yes, that's fine.


The IP address on each AP is for 'management', it doesn't usually relate to the Client IP addresses.


Your AP would have its management address in VLAN X and it could be broadcasting 3 SSIDs which are for VLANs A, B and C respectively.


Are you using a Wireless LAN Controller or are the Access Points Autonomous?

TECH SUPPORT Mon, 11/18/2013 - 07:37

Thanks for the quick response


Using Wireless Controller 5508

Jon Marshall Mon, 11/18/2013 - 07:36

It is a common approach to have the same WiFi VLAN available on multiple floors just because of this very issue. The client then does what is called L2 roaming, i.e. it merely reassociates with the new AP but keeps its IP etc.


However, if you have your access switches connected via L3 uplinks then, as you say, you won't have the same IP subnet on multiple floors. However, there is L3 roaming, which basically creates a tunnel from the new WLC back to the WLC the client originally connected to. The client keeps the same IP but the packets are tunnelled back to its original WLC.


A lot more information is included here -


http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch2_Arch.html#wp1028197


I should also say I have limited experience with wireless. So it may be that you need particular bits of kit etc. to implement L3 roaming. For example, I don't know how it would work, or whether it could, without WLCs in your network.


Perhaps if you need more specifics the Wireless forums would be a good place to post.


Jon

Leo Laohoo Mon, 11/18/2013 - 13:45

> When a client migrates between APs, it retains the SSID and it also retains its OLD DHCP address – it does not request a new one. Therefore, when the client moves from one floor to another it keeps the IP from the previous floor.

Be aware that the "decision" of which AP the wireless will join has got NOTHING to do with an AP (regardless of manufacturer).  The decision rests solely on the wireless client itself.


This means that even though there's an AP directly above the wireless client, that does not mean that the wireless client will join that AP. I've seen wireless clients join APs one or two floors AWAY.

> When a client migrates between APs, it retains the SSID and it also retains its OLD DHCP address – it does not request a new one. Therefore, when the client moves from one floor to another it keeps the IP from the previous floor.
>
> Is it normal behavior that the client will maintain the same IP address when moving between floors (where the APs are on different IP subnets) to maintain IP connectivity?

In my opinion, your wireless subnet should not be "broken up" on a per-floor basis. If you do, you'll destroy your roaming ability because every time a wireless client gets an IP address the wireless client will have to go through the entire wireless authentication process.

Jon Marshall Mon, 11/18/2013 - 13:51

Hi Leo

> In my opinion, your wireless subnet should not be "broken up" on a per-floor basis. If you do, you'll destroy your roaming ability because every time a wireless client gets an IP address the wireless client will have to go through the entire wireless authentication process.

I kind of agree with the above but if the OP has a fully routed access-layer then it's not possible without a major redesign or using extra fibres for L2 WiFi vlans (if they have extra fibres).


But I thought that was what L3 roaming was for, i.e. the client doesn't change its IP because its packets are tunneled back to the original WLC, which is still using the client's original subnet. Or have I got that all wrong, which is quite possible, as you know a whole lot more about wireless than I do.


Jon

Leo Laohoo Mon, 11/18/2013 - 14:25

> I kind of agree with the above but if the OP has a fully routed access-layer then it's not possible without a major redesign or using extra fibres for L2 WiFi vlans (if they have extra fibres).

Oh, no need to resort to that.


Ok, let's presume that the OP has two floors and each floor is on its own subnet.


1.  The APs on each floor will get their own IP address subnet (this is understandable and do-able).

2.  The DHCP IP addresses for WIRELESS clients ... This is the major issue because they are totally different to #1. Now if they can slightly redesign their DHCP scope ...


The wireless client's IP addresses are based on the Dynamic Interface found in the WLC.  If, for example, someone says that the entire building has one Dynamic Interface, called "CORP" then everyone in the building will have one IP address.


The biggest challenge when you have multiple floors and the "wish" that the clients found on each floor must be on different subnets is that you will find out, horribly, how good plans can go bad. This is because of the inherent behaviour of WIRELESS. There is no physical boundary to a wireless signal. Your wireless client can potentially join an AP located one, two or more floors away (up or down) from your location.


This is one reason why I started the response with "decision is with the wireless client", because a lot of people incorrectly assume that APs decide which wireless clients to accept when, in reality, it's the other way around.

Jon Marshall Mon, 11/18/2013 - 14:38

Leo


Okay, assume I'm an idiot when it comes to wireless and you won't be far wrong.


In your first post you say the wireless VLANs shouldn't be broken up per floor because it means when a client gets a new IP it has to reestablish all its connections etc.


Then in your response to me you seem to be suggesting it's not that big a deal, if I understand correctly, i.e. you don't need a VLAN that spans across floors.


So I'm a bit confused.


Jon

Leo Laohoo Mon, 11/18/2013 - 14:48

> So is there no way to have L3 from the access switches and use WiFi sensibly? I ask because when I did L3 from the access about 5 years ago one of the main caveats was that if you needed WiFi VLANs across multiple floors then L3 was not the way to go. We didn't need WiFi then so it wasn't an issue.
>
> I'm just surprised that after 5 years, and with Cisco using L3 from the access to distro in their Campus designs, I would have thought a sensible solution for wireless roaming would have been available, because wireless must be far more popular than it was, so I would have thought people would have been hitting this problem all the time (funnily enough, only last week I did actually answer a question on CSC about this very issue).
>
> I thought L3 roaming was meant to solve that but I have to admit I am not familiar with WLC setup so perhaps it is not applicable?

In my personal opinion, no.


I believe it is not possible to "separate" wireless client IP addresses based on different floors. You can, however, separate them if you have complete wireless separation, meaning wireless clients found on one floor cannot "see" the wireless signal from another floor. The main issue is that you can't (or there is NO FOOLPROOF way to) instruct wireless NOT to penetrate obstacles (such as floors and walls) unless you line each obstacle with Faraday mesh (extreme).


So let's go back to my above example. You are on the 1st floor but you are getting the IP address from another floor. How will you control that? People might say, "Sure you can. Just create DIFFERENT SSIDs." All I can say is it won't work either. Say you go back to the above example and the 1st floor has one SSID and the 2nd floor has another. What makes you think, unless you intervene, that when you are on the 1st floor the wireless client will join the 1st floor SSID?


Besides, I really don't see the benefit of separating wireless clients by "floors".

Jon Marshall Mon, 11/18/2013 - 14:59

So what is the solution if you have L3 access to distro and you want your wireless clients to keep the same IP, i.e. span a VLAN across floors?


You seem to be suggesting a redesign or using extra fibres is unnecessary, so how do you make it work properly?


Sorry if I'm being a bit slow, but it would help the OP, and only last week I answered a question for a poster with the same problem, i.e. he needed a WiFi VLAN across multiple switches with routed links from access switches.


Jon

Leo Laohoo Mon, 11/18/2013 - 15:20

> You seem to be suggesting a redesign or using extra fibres is unnecessary, so how do you make it work properly?

Let's say you have three SSIDs:  CORP, Guest and Voice.  I'm going to presume you have one building only.


On your WLC, you create three SSIDs. Each SSID is mapped to a specific dynamic interface.


You create three dynamic interfaces (aka VLANs in the WLC). To each dynamic interface you assign a distinct IP subnet, a VLAN number and a DHCP server. This means that clients connecting to the SSID will get "plumbed" into the correct dynamic interface. The dynamic interface will contact the DHCP server and get the IP address (for the client) based on the subnet of the dynamic interface.


The WLC physically connects to the core switch over an 802.1q trunk with all the dynamic interfaces' VLAN numbers allowed.


So if you log in as CORP, then you get a CORP IP address.


Does this make sense? 


> Okay, assume I'm an idiot when it comes to wireless

We are all idiots.  We just learn from our mistakes. 

Jon Marshall Mon, 11/18/2013 - 15:35

Here is what I don't understand. Let's say you have a CORP SSID. Now presumably that client can connect to CORP from any floor and I'm assuming that the traffic is sent from the wireless client to the AP. The AP is presumably connected to the access switch. So the CORP VLAN must exist on all access switches - is this correct?


If so, this won't work with L3 routed uplinks from the access switches because each access switch is responsible for routing its own VLANs. So you couldn't route to another CORP client because the local access switch couldn't route the traffic off the switch, i.e. you can't route to the same subnet, you can only L2 switch.


And from the distro switches it wouldn't be possible either, because if each access switch advertised the CORP VLAN via a routing protocol, how would it know which access switch to route the traffic back to?


So this is why I'm getting confused. I suspect it may be my understanding of the wireless traffic flow, but I thought the traffic went through the AP and the AP was connected to the local access switch on each floor.


Jon

Leo Laohoo Mon, 11/18/2013 - 15:47

> So the CORP VLAN must exist on all access switches - is this correct?

Trust me.  It is confusing.  Confuses me regularly.


Answer:  No.

Explanation: The VLAN that exists on all access switches (including the core) is the MANAGEMENT VLAN of each AP. You and/or the WLC need to contact the AP, right? So you need to get the AP an IP address. The clients connected to the AP get their IP address from another VLAN. This is how and why you can't give them a separate subnet block.

Jon Marshall Mon, 11/18/2013 - 15:58

Leo


You're not wrong about it being confusing.


> The clients connected to the AP get their IP address from another VLAN.

Right, but does that VLAN need to exist on the access switches? What is the traffic flow from a wireless client? Is it that the traffic goes from the wireless client to the AP, the AP then transfers the packet from wireless to wired, and the packet is then sent over the wired network to either another wireless client or a server etc.?


If so, what VLAN is the packet in when it is transferred from wireless to wired on the AP? Because that VLAN must exist on the switch, and if so it has to be routed locally on the switch, which brings us back to the points in my last post, i.e. that VLAN cannot exist anywhere but the local access switch if you have L3 routed uplinks. Note when I say VLAN I really mean the subnet rather than the specific VLAN ID, as with this design you can reuse VLAN IDs if you want to on each access switch.


Just to be clear, I am not trying to prove anyone wrong; I hope you know me well enough to know that, Leo. I'm just a bit worried that last week I gave advice to a person who had the same problem, and my advice was if he needed to span a VLAN across all switches then he needed to change his L3 routed uplinks to L2 trunks, and now I'm wondering if this was really bad advice and there was a simpler way of achieving what he needed.


Jon

Leo Laohoo Mon, 11/18/2013 - 16:33

> Right, but does that VLAN need to exist on the access switches?

Nope.  The VLAN for the wireless clients can only be found in the core switch.  This VLAN is also your default gateway for your clients.

> Just to be clear, I am not trying to prove anyone wrong; I hope you know me well enough to know that, Leo. I'm just a bit worried that last week I gave advice to a person who had the same problem, and my advice was if he needed to span a VLAN across all switches then he needed to change his L3 routed uplinks to L2 trunks, and now I'm wondering if this was really bad advice and there was a simpler way of achieving what he needed.

Can be done.  I haven't read your post, but I believe this response means this scenario will work with the IP addressing for the APs as well as wireless clients.


It'll work with the clients because wireless clients' traffic goes through a LWAPP/CAPWAP tunnel and doesn't pop out until it reaches the WLC.


Now, I can make you MORE confused if I start adding Cisco's new Converged Access.  But because I've got respect to you (and a few others), I will hold my tongue. 

Jon Marshall Mon, 11/18/2013 - 16:44

> It'll work with the clients because wireless clients' traffic goes through a LWAPP/CAPWAP tunnel and doesn't pop out until it reaches the WLC.

Now if you had just said that in the first place I would have stopped posting ages ago.

Thanks for the explanation. And I think I've had enough confusion for one day, thanks.


Jon

Leo Laohoo Mon, 11/18/2013 - 16:50

> Now if you had just said that in the first place I would have stopped posting ages ago.

Yes.  So did I, come to think of it.

Jon Marshall Mon, 11/18/2013 - 16:52

If you get the time, can you have a look at this thread and see if there is a better way of doing things in terms of wireless? The question asks how to extend a VLAN across multiple switches and I was so focussed on that it never occurred to me there may be a better solution without having to redesign things. It's not clear whether he has a WLC or not, and I suppose you need one for the tunnels, but it may still be that you have a better solution than I gave.


https://supportforums.cisco.com/thread/2251546?tstart=60


Jon

Leo Laohoo Mon, 11/18/2013 - 16:58

Jon,


PM sent regarding this thread.

Leo Laohoo Mon, 11/18/2013 - 15:41

> So what is the solution if you have L3 access to distro and you want your wireless clients to keep the same IP, i.e. span a VLAN across floors?
>
> You seem to be suggesting a redesign or using extra fibres is unnecessary, so how do you make it work properly?
>
> Sorry if I'm being a bit slow, but it would help the OP, and only last week I answered a question for a poster with the same problem, i.e. he needed a WiFi VLAN across multiple switches with routed links from access switches.

Ok, ok, ok ... There is another way.


Let's say you have a multi-floor building and you have TWO SSIDs: CORP and Voice.


Notice that there is no "Guest" SSID. Let's say you created, say, FOUR dynamic interfaces: DI_CORP (stands for Dynamic Interface_CORP), DI_Guest, DI_VOICE and DI_Developers. Each Dynamic Interface has its own IP subnet. We also create a GENERIC Dynamic Interface and our CORP SSID is plumbed that way. The GENERIC DI has some funky private IP address.


No brainer:  VOICE SSID maps to DI_VOICE.


Let's say you want single sign-on. You want a developer to sign in to CORP and get thrown into a DI_Developers IP address, guest login details to get a DI_Guest IP address, and regular users to get thrown into a DI_CORP IP address.


If this is what the OP wants, this can be done and uses 802.1x. We are not using Cisco ISE but FreeRADIUS. Each site we have has about 10 Dynamic Interfaces but we only have a single SSID for CORP. So, like I've explained above, everyone goes into the Generic DI and, based on your login details, the wireless client gets "thrown into" the correct IP subnet.


Don't ask me the details about what they've done (to FreeRADIUS and 802.1x) because it's all French to me. 
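
As an added example (not code from this thread, from Cisco or from the WLC), here is a small Python check of the design Leo lays out in his 15:20 post and in this one: each SSID plumbed into a dynamic interface, each dynamic interface carrying its own VLAN, subnet and DHCP server, every such VLAN allowed on the WLC's trunk to the core, and, for the single-SSID design, RADIUS moving the client into a role VLAN. The assumptions are that the "login details" mechanism is 802.1X with AAA override on the WLC and the RADIUS Tunnel-Private-Group-Id attribute (RFC 3580) naming the VLAN, and that all names, VLAN ids and addresses below are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DynamicInterface:
    """One WLC dynamic interface: its VLAN, client subnet, gateway and DHCP server."""
    name: str
    vlan: int
    subnet: str
    gateway: str
    dhcp_server: str


def check_design(interfaces, wlans, trunk_allowed, radius_vlans=()):
    """Validate an SSID -> dynamic interface -> VLAN design and return findings.

    wlans maps each SSID to the dynamic interface it is plumbed into;
    trunk_allowed is the VLAN set allowed on the WLC's 802.1q trunk to the core;
    radius_vlans lists (user, vlan) pairs a RADIUS server may return as
    Tunnel-Private-Group-Id when AAA override is enabled. An empty list is clean.
    """
    findings = []
    by_name = {di.name: di for di in interfaces}
    by_vlan = {}
    for di in interfaces:
        if di.vlan in by_vlan:
            findings.append(f"VLAN {di.vlan} is used by both {by_vlan[di.vlan].name} and {di.name}")
        by_vlan[di.vlan] = di
        net = ip_network(di.subnet, strict=True)
        if ip_address(di.gateway) not in net:
            findings.append(f"{di.name}: gateway {di.gateway} is not inside {di.subnet}")
        if di.vlan not in trunk_allowed:
            findings.append(f"{di.name}: VLAN {di.vlan} is not allowed on the WLC trunk to the core")
    # Overlapping client subnets cannot both be routed by the core switch.
    nets = [(di.name, ip_network(di.subnet)) for di in interfaces]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"subnets of {name_a} and {name_b} overlap")
    # Every SSID must be plumbed into a dynamic interface that exists on the WLC.
    for ssid, di_name in wlans.items():
        if di_name not in by_name:
            findings.append(f"SSID {ssid}: mapped interface {di_name} does not exist")
    # AAA override can only move a client into a VLAN the WLC actually carries.
    for user, vlan in radius_vlans:
        if vlan not in by_vlan:
            findings.append(f"RADIUS returns VLAN {vlan} for {user} but no dynamic interface carries it")
    return findings


# Constructed sample design (all names, VLAN ids and addresses are made up):
# CORP lands on a generic DI and RADIUS moves each user to their role VLAN.
SAMPLE_INTERFACES = [
    DynamicInterface("DI_CORP", 10, "10.10.10.0/24", "10.10.10.1", "10.10.1.5"),
    DynamicInterface("DI_Guest", 20, "10.10.20.0/24", "10.10.20.1", "10.10.1.5"),
    DynamicInterface("DI_VOICE", 30, "10.10.30.0/24", "10.10.30.1", "10.10.1.5"),
    DynamicInterface("DI_Developers", 40, "10.10.40.0/24", "10.10.40.1", "10.10.1.5"),
    DynamicInterface("DI_GENERIC", 99, "192.168.250.0/24", "192.168.250.1", "10.10.1.5"),
]
SAMPLE_WLANS = {"CORP": "DI_GENERIC", "Voice": "DI_VOICE"}
SAMPLE_TRUNK = {10, 20, 30, 40, 99}
SAMPLE_RADIUS = [("developer1", 40), ("guest1", 20), ("staff1", 10)]


def clean_design():
    """The sample design as intended: no findings."""
    return check_design(SAMPLE_INTERFACES, SAMPLE_WLANS, SAMPLE_TRUNK, SAMPLE_RADIUS)


def broken_design():
    """VLAN 40 pruned from the trunk and RADIUS returning a VLAN nobody carries."""
    return check_design(SAMPLE_INTERFACES, SAMPLE_WLANS, SAMPLE_TRUNK - {40},
                        SAMPLE_RADIUS + [("contractor1", 50)])
```

Run `broken_design()` to see the two findings a pruned trunk and a stray RADIUS VLAN produce; `clean_design()` returns an empty list.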

Jon Marshall Mon, 11/18/2013 - 15:50

Removed while I read the last post.

gsidhu Mon, 11/18/2013 - 13:55
Hi Leo


Thank you for your advice.


There are a few other things that I found out about:


They have 2 x Cisco 5508 Wireless Controllers configured for redundancy and 3600 CleanAir Access Points over five floors in one building. In the future the APs will be rolled out over four more buildings.


The 5508 Wireless Controllers are located on a different site at the customer's new Data Center. The wireless APs are configured for FlexConnect and local switching of traffic.


Questions


1)      One option being considered is to create a single Layer 2 VLAN that spans all of the floors (eventually all of the floors across all six buildings). I have concerns about this approach as it does not fit in with Cisco best practice Campus design. Please could you let me have your thoughts.


2)     The 2 x 5508 Wireless Controllers are not on the Campus LAN. They are located at the customer's new Data Center site, which connects to the Campus over 10 Gbps WAN links. Is there any benefit in having the Wireless Controllers at a Data Center as opposed to connecting them on the Campus LAN?

Leo Laohoo Mon, 11/18/2013 - 15:13

> 1) One option being considered is to create a single Layer 2 VLAN that spans all of the floors (eventually all of the floors across all six buildings). I have concerns about this approach as it does not fit in with Cisco best practice Campus design. Please could you let me have your thoughts.

One subnet per building and NOT per campus.   Different buildings in a campus means multiple subnets.

> 2) The 2 x 5508 Wireless Controllers are not on the Campus LAN. They are located at the customer's new Data Center site, which connects to the Campus over 10 Gbps WAN links. Is there any benefit in having the Wireless Controllers at a Data Center as opposed to connecting them on the Campus LAN?

Yes.  Your WAN link.  If your WAN link goes down (let's presume you don't have H-REAP/FlexConnect enabled), what do you think is going to happen? 

Leo Laohoo Mon, 11/18/2013 - 18:02

Forgot one thing:  The size of your wireless client subnet.


Say you have 100 staff in each building; allocate three times that amount of available IP addresses. Why three? Studies have shown that each individual will have at least THREE wireless devices at any given time.
