
Wireless LAN roaming question over Layer 3 LAN infrastructure

gsidhu
Level 3

Hi

My knowledge on WLAN is very limited so my question may sound very basic.

Layer 3 uplinks between collapsed core/distribution and access layer switches on each floor. Hence AP on each floor is on a different VLAN/subnet.

When a Client migrates between an AP, it retains the SSID and it also Retains its OLD DHCP address – it does not request a new one.  Therefore, when client moves from one floor  to another it keeps the IP from the previous floor.

Is it normal behavior that the client will maintain the same IP address when moving between floors (where the APs are on different IP subnets) to maintain IP connectivity?

devils_advocate
Level 7

The short answer is Yes, that's fine.

The IP address on each AP is for 'management', it doesn't usually relate to the Client IP addresses.

Your AP would have its management address in VlanX and it could be broadcasting 3 SSIDs which are for Vlans A, B and C respectively.

Are you using a Wireless LAN Controller or are the Access Points Autonomous?

Thanks for the quick response

Using Wireless Controller 5508

Jon Marshall
Hall of Fame

It is a common approach to have the same WiFi vlan available on multiple floors just because of this very issue. The client then does what is called L2 roaming ie. it merely reassociates with the new AP but keeps its IP etc.

However if you have your access switches connected via L3 uplinks then, as you say, you won't have the same IP subnet on multiple floors. However there is L3 roaming which basically creates a tunnel from the new WLC back to the WLC the client originally connected to. The client keeps the same IP but the packets are tunnelled back to its original WLC.

A lot more information is included here -

http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch2_Arch.html#wp1028197

I should also say i have limited experience with wireless. So it may be that you need particular bits of kit etc. to implement L3 roaming. For example i don't know how it would work or whether it could without WLCs in your network.

Perhaps if you need more specifics the Wireless forums would be a good place to post.

Jon

Leo Laohoo
Hall of Fame
When a Client migrates between an AP, it retains the SSID and it also Retains its OLD DHCP address – it does not request a new one.  Therefore, when client moves from one floor  to another it keeps the IP from the previous floor.

Be aware that the "decision" of which AP the wireless will join has got NOTHING to do with an AP (regardless of manufacturer).  The decision rests solely on the wireless client itself.

This means that even though there's an AP directly above the wireless client, does not mean that the wireless client will join that AP.  I've seen wireless clients join APs one or two floors AWAY.

When a Client migrates between an AP, it retains the SSID and it also Retains its OLD DHCP address – it does not request a new one.  Therefore, when client moves from one floor  to another it keeps the IP from the previous floor.

Is it normal behavior that the client will maintain the same IP address when moving between floors (where the APs are on different IP subnets) to maintain IP connectivity?

In my opinion, your wireless subnet should not be "broken up" on a per-floor basis. If you do, you'll destroy your roaming ability because every time a wireless client gets an IP address the wireless client will have to go through the entire wireless authentication process.

Hi Leo

In my opinion, your wireless subnet should not be "broken up" on a per-floor basis. If you do, you'll destroy your roaming ability because every time a wireless client gets an IP address the wireless client will have to go through the entire wireless authentication process.

I kind of agree with the above but if the OP has a fully routed access-layer then it's not possible without a major redesign or using extra fibres for L2 WiFi vlans (if they have extra fibres).

But i thought that was what L3 roaming was for ie. the client doesn't change its IP because its packets are tunneled back to the original WLC which is still using the client's original subnet. Or have i got that all wrong which is quite possible as you know a whole lot more about wireless than i do.

Jon

I kind of agree with the above but if the OP has a fully routed access-layer then it's not possible without a major redesign or using extra fibres for L2 WiFi vlans (if they have extra fibres).

Oh no need to result like that. 

Ok, let's presume that the OP has two floors and each floor is on its own subnet.

1.  The APs on each floor will get their own IP address subnet (this is understandable and do-able).

2.  The DHCP IP address for WIRELESS client ... This is the major issue because they are totally different to #1.  Now if they can slightly redesign their DHCP scope ...

The wireless client's IP addresses are based on the Dynamic Interface found in the WLC.  If, for example, someone says that the entire building has one Dynamic Interface, called "CORP" then everyone in the building will have one IP address.

The biggest challenge when you have multiple floors and the "wish" that each client found in each floor must be on different subnets will find out, horribly, how good plans can go bad.  This is because of the inherent behaviour of WIRELESS.  There is no physical boundary to wireless signal.  Your wireless client can potentially join an AP located one, two or more floors away (up or down) from your location.

This is one reason why I started the response with "decision is with the wireless client" because a lot of people incorrectly assume that APs decide which wireless clients to accept when, in reality, it's the other way around.

Leo

Okay, assume i'm an idiot when it comes to wireless and you won't be far wrong

In your first post you say the wireless vlans shouldn't be broken up per floor because it means when a client gets a new IP it has to reestablish all its connections etc.

Then in your response to me you seem to be suggesting it's not that big a deal if i understand correctly ie. you don't need a vlan that spans across floors.

So i'm a bit confused.

Jon

So is there no way to have L3 from the access switches  and use WiFi sensibly ?  I ask because when i did L3 from the access about 5 years ago one of the main caveats was that if you needed WiFi vlans across multiple floors then L3 was not the way to go. We didn't need WiFi then so it wasn't an issue.

I'm just surprised that after 5 years and with Cisco using L3 from the access to distro in their Campus designs i would have thought a sensible solution for wireless roaming would have been available because wireless must be far more popular than it was so i would have thought people would have been hitting this problem all the time (funnily enough only last week i did actually answer a question on CSC about this very issue).

I thought L3 roaming was meant to solve that but i have to admit i am not familiar with WLC setup so perhaps it is not applicable ?

In my personal opinion, no.

I believe it is not possible to "separate" wireless client IP address based on different floor.  You can, however, separate them if you have a complete wireless separation, meaning wireless clients found in one floor cannot "see" wireless signal from another floor.   The main issue is that you can't (or there is NO FOOLPROOF way to) instruct wireless NOT to penetrate obstacles (such as floors and walls) unless you line each obstacle with Faraday mesh (extreme).

So let's go back to my above example.  You are in 1st floor but you are getting the IP address from another floor.  How will you control that?   People might say, "sure you can.  Just create DIFFERENT SSID."  All I can say is it won't work either.  Say you go back to the above example and you have 1st floor have one SSID and 2nd floor has another.  What makes you think, unless you intervene, that you are in the 1st floor and the wireless client will join the 1st floor SSID?

Besides, I really don't see the benefit of separating wireless clients by "floors".

So what is the solution if you have L3 access to distro and you want your wireless clients to keep the same IP ie. span a vlan across floors.

You seem to be suggesting a redesign or using extra fibres is unnecessary, so how do you make it work properly ?

Sorry if i'm being a bit slow but it would help the OP and only last week i answered a question for a poster with the same problem ie he needed a WiFi vlan across multiple switches with routed links from access switches.

Jon

You seem to be suggesting a redesign or using extra fibres is unnecessary, so how do you make it work properly ?

Let's say you have three SSIDs:  CORP, Guest and Voice.  I'm going to presume you have one building only.

On your WLC, you create three SSIDs.  Each SSID is mapped to a specific dynamic interface.

You create three dynamic interfaces (aka VLANs in WLC).  Each dynamic interface you assign a distinct IP subnet, a VLAN number and you assign a DHCP server.  This means that clients connecting to the SSID will get "plumbed" into the correct dynamic interface.  The dynamic interface will contact the DHCP server and get the IP address (for the client) based on the subnet of the dynamic interface.

The WLC physically connecting to the core switch is on a 802.1q trunking and all the dynamic interface's VLAN numbers allowed.

So if you log in as CORP, then you get a CORP IP address.

Does this make sense? 

Okay, assume i'm an idiot when it comes to wireless

We are all idiots.  We just learn from our mistakes. 

Here is what i don't understand. Lets say you have a CORP SSID. Now presumably that client can connect to CORP from any floor and i'm assuming that the traffic is sent from the wireless client to the AP. The AP is presumably connected to the access switch. So the CORP vlan must exist on all access switches - is this correct ?

If so this won't work with L3 routed uplinks from the access switches because each access switch is responsible for routing its own vlans. So you couldn't route to another CORP client because the local access switch couldn't route the traffic off the switch ie. you can't route to the same subnet you can only L2 switch.

And from the distro switches it wouldn't be possible either because if each access switch advertised the CORP vlan via a routing protocol how would it know which access switch to route the traffic back to.

So this is why i'm getting confused. I suspect it may be my understanding of the wireless traffic flow but i thought the traffic went through the AP and the AP was connected to the local access switch on each floor.

Jon

So the CORP vlan must exist on all access switches - is this correct ?

Trust me.  It is confusing.  Confuses me regularly.

Answer:  No.

Explanation:  The VLAN that exists on all access switches (including the core) is the MANAGEMENT VLAN of each AP.   You and/or the WLC needs to contact the AP, right?  So you need to get the AP an IP address.  IP Address of the clients connected to the AP get their IP address from another VLAN.  This is how and why you can't give them separate subnet block.

Leo

You're not wrong about it being confusing.

IP Address of the clients connected to the AP get their IP address from another VLAN.

Right, but does that vlan need to exist on the access switches. What is the traffic flow from a wireless client. Is it that  the traffic goes from the wireless client to the AP. The AP then transfers the packet from wireless to wired and the packet is then sent over the wired network to either another wireless client or a server etc.

If so what vlan is the packet in when it is transferred from wireless to wired on the AP. Because that vlan must exist on the switch and if so it has to be routed locally on the switch which brings us back to the points in my last post ie. that vlan cannot exist anywhere but the local access switch if you have L3 routed uplinks.  Note when i say vlan i really mean the subnet rather than the specific vlan ID as with this design you can reuse vlan IDs if you want to on each access switch.

Just to be clear, i am not trying to prove anyone wrong, i hope you know me well enough to know that Leo. I'm just a bit worried that last week i gave advice to a person who had the same problem and my advice was if he needed to span a vlan across all switches then he needed to change his L3 routed uplinks to L2 trunks and now i'm wondering if this was really bad advice and there was a simpler way of achieving what he needed.

Jon

Right, but does that vlan need to exist on the access switches.

Nope.  The VLAN for the wireless clients can only be found in the core switch.  This VLAN is also your default gateway for your clients.

Just to be clear, i am not trying to prove anyone wrong, i hope you know me well enough to know that Leo. I'm just a bit worried that last week i gave advice to a person who had the same problem and my advice was if he needed to span a vlan across all switches then he needed to change his L3 routed uplinks to L2 trunks and now i'm wondering if this was really bad advice and there was a simpler way of achieving what he needed.

Can be done.  I haven't read your post, but I believe this response means this scenario will work with the IP addressing for the APs as well as wireless clients.

It'll work with the clients because wireless clients' traffic goes through a LWAPP/CAPWAP tunnel and doesn't pop out until it reaches the WLC.

Now, I can make you MORE confused if I start adding Cisco's new Converged Access.  But because I've got respect to you (and a few others), I will hold my tongue. 
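
The traffic flow the thread converges on, as an added example that is not part of any poster's reply: a small Python model of a client on a centrally switched SSID roaming between APs on different routed floor subnets under one WLC. All addresses, AP names and function names are constructed for illustration; only the CAPWAP data port (UDP 5247) is a protocol fact.

```python
import ipaddress
from dataclasses import dataclass, replace

CAPWAP_DATA_PORT = 5247  # UDP port of the CAPWAP data channel

# Constructed addressing for illustration; none of it comes from the thread.
WLC_MGMT = ipaddress.ip_address("10.0.0.10")
DYNAMIC_IF = {"CORP": ipaddress.ip_network("10.50.0.0/22")}  # SSID -> client subnet
AP_MGMT = {  # each floor's AP sits in that floor's routed subnet
    "ap-floor1": ipaddress.ip_interface("10.1.1.20/24"),
    "ap-floor2": ipaddress.ip_interface("10.1.2.20/24"),
}

@dataclass(frozen=True)
class Client:
    ssid: str
    ip: ipaddress.IPv4Address
    ap: str

def associate(ssid, ap, host=10):
    """The client address comes from the SSID's dynamic interface on the WLC."""
    return Client(ssid, DYNAMIC_IF[ssid][host], ap)

def roam(client, new_ap):
    """Roam under the same WLC: the AP changes, the client address does not."""
    return replace(client, ap=new_ap)

def on_the_wire(client, dst):
    """Packet as the routed access layer sees it (outer) and what it carries (inner)."""
    return {
        "outer": (AP_MGMT[client.ap].ip, WLC_MGMT, CAPWAP_DATA_PORT),
        "inner": (client.ip, ipaddress.ip_address(dst)),
    }

def client_subnet_on_access_layer(client):
    """True if any floor subnet would have to contain the client's address."""
    return any(client.ip in ap.network for ap in AP_MGMT.values())

if __name__ == "__main__":
    c1 = associate("CORP", "ap-floor1")
    c2 = roam(c1, "ap-floor2")
    for c in (c1, c2):
        print(c.ap, on_the_wire(c, "10.9.9.9"))
    print("client subnet needed on access switches:", client_subnet_on_access_layer(c2))
```

Only the outer source address changes when the client moves floors, so the access switches route AP-to-WLC traffic and never need the client subnet.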
