Cisco Support Community

Community Tech-Talk: Converged Access Architecture and Mobility

Cisco Employee

I am Dhiresh Yadav and I work for Cisco's High Touch Technical Support (HTTS) team, a team that provides reactive technical support to the majority of Cisco's premium customers.


My team and I have been providing support to large Wireless Service Providers and large Enterprise customers. Brahadesh Srinivasaraghavan and I have created this blog and a video discussing the Converged Access Architecture.

We have covered the following topics in both the blog and the video:

  1. Converged Access Architecture: Hardware Overview
  2. Software/Operating System Overview
  3. Licensing Overview
  4. Hierarchical Mobility Architecture and Physical Topology
  5. Basic Mobility Configuration
  6. Roaming across Converged Access Wireless Controllers

Tech-Talk Video


Overview of Converged Access

The Converged Access architecture brings wired and wireless networks onto a single platform, which gives the customer one common set of tools and capabilities to design, configure and monitor the entire wired and wireless infrastructure. The new Cisco Catalyst 3850/5760 Series provides this integration of wired and wireless functionality through a built-in Cisco IOS Software wireless LAN controller (WLC), the new Unified Access Data Plane (UADP) application-specific integrated circuit (ASIC), and an enhanced hardware and operating system.


3850/5760 Physical specifications

The Cisco® Catalyst® 3850 Series Switches (Edison) are an enterprise-class line of stackable switches. They support distributed forwarding across a stack of multiple member switches.

These are the next generation of Catalyst 3k switches, which truly integrate wired and wireless on a single platform with unified configuration and management. In addition, the switches provide high availability with improved high-bandwidth stacking, scalability, security, ease of operation, and innovative features such as Cisco StackPower, IEEE 802.3at Power over Ethernet Plus (PoE+) configurations, optional network modules, and redundant power supplies. The Cisco Catalyst 3850 Series, with improved 480 Gbps stacking technology, provides scalability, ease of management and investment protection for evolving business needs. The Cisco Catalyst 3850 enhances productivity by enabling applications such as IP telephony, wireless, and video for a borderless network experience. Cisco Catalyst 3850 Switch right-to-use (RTU) licensing model


The Cisco® 5760 Wireless LAN Controllers provide scalability, IOS-based services and high performance. The best-in-class 5760 Controller can scale up to 1000 Access Points and 12,000 clients to manage a large campus environment from a single 1 RU form-factor appliance. The 5760 is the first stand-alone Wireless LAN Controller to support the Cisco IOS Command Line Interface, thereby enabling a rich and consistent set of services. IT administrators can now enjoy the same IOS experience on their controllers as on their switches and routers: prioritization of business-class applications with advanced QoS, network-wide consistent visibility with Flexible NetFlow v9, scalable policies through downloadable ACLs, enhanced network resiliency through multiple Link Aggregation (LAG), secured access through Secure Shell, and automation through EEM/TCL scripting. Last but not least, the 5760 is built to manage large-scale networks at line-rate performance, providing an industry-leading 60 Gbps of bi-directional line-rate throughput. To enable business agility, the 5760 Series Controller supports scaling with right-to-use, honor-based Access Point Adder licensing.


Software/Operating system Overview:

These products are based on the Cisco IOS-XE platform with a Linux kernel, which allows plugins to be added in parallel. The 3850 has a 4-core CPU to host services. It runs multiple Linux processes to support the stack, platform, ASIC, etc. It allows other processing to run in parallel with IOS on the multi-core CPU; for example, it supports hosted applications like Wireshark.

Cisco IOS XE Software is delivered as a bundle that contains a set of packages and a provisioning file, called packages.conf, that is created automatically during the install process. From IOS-XE version 3.3 onward there is a fully functional GUI. The 3.3 code supports the common wireless features such as MQC, AVC, Bonjour services directory, 802.11r, 802.11w, 802.11k, 802.11ac and Wireshark. Both the 3850 and the 5760 use the right-to-use (RTU) licensing model. 3.3 is based on AireOS 7.4.


Physical Topologies involving 3850/5760

APs connect directly to the 3850 switch. Access Points connect on the wireless management VLAN, on a switch port configured as an access port. The 3850 is the only WLC seen by the APs, with up to 50 APs per stack. The 3850 is an MA by default, but can be an MC in smaller deployments. In the case of the 5760, the Access Points can be anywhere, on any subnet, up to a maximum of 1000 APs. The 5760 is MA/MC by default and can be an MO. The 3850 and 5760 can communicate with each other and with CUWN controllers running 7.3 MR1 or later.


AP Count Licenses

AP count licenses are applied at the MC, and are automatically provisioned and enforced at the MA. A 3850 acting as MC can support up to 50 APs; in fact, the complete stack supports a maximum of 50 Access Points. A 5760 acting as MC can support up to 1000 APs. There are no licenses on the MA; the license is deployed on the MC only. The MA inherits licenses from the MC, and the MC licenses are split as needed between the MC itself (if it has APs) and the MAs. Customers usually buy the switch with no license, then add licenses for wireless features. Licenses are transferable between CA controllers (from 3850 to 3850 or to 5760, from 5760 to 5760 or 3850). Because licenses are on the MC, you can't have APs join an MA without an MC configured (licenses will still stay at 0).


Mobility Architecture Overview, Mobility Configuration/Verification and Roaming

Mobility Agent (MA): The wireless component that maintains the client mobility state machine for a client that is connected via an AP to the device that the MA is running on. In other words, it is simply the controller to which the client is directly connected.

Switch Peer Group (SPG): A statically created list of neighboring CA switches between which fast mobility services need to be provided. A peer group is intended to limit the scope of interactions between switches during handoffs to only those that are geographically proximate. For example, a switch peer group of multiple MAs will be formed on a large floor with several Access Points, where the possibility of client roaming is high. The MAs in an SPG constantly talk to each other and exchange client contexts, so when a client needs to roam, the roam is seamless and rapid.

Mobility Controller (MC): Takes care of the client contexts; when a client roams, the MC moves the client details from one sub-domain to another or across peer groups. The MC manages the MAs and provides them with their peer group information. It maintains a database of each client station on the MAs in its sub-domain, and it talks to the MO to keep it updated about the clients.

Mobility Tunnel Endpoint (MTE): In some cases, when a client roams between peer groups, the data needs to go through the MC. The MTE is the function that handles the data plane when a client roams. There is one MTE per sub-domain, and it runs in the same box as the MC.

Mobility Oracle (MO): A higher hierarchical function that manages the MCs. The MO maintains details of all the clients in the WLAN network.


The 3850 can be an MA/MC but cannot be an MO. The 5760 can be an MA/MC/MO. So basically it is a three-level hierarchy, with the Mobility Agent being the closest to the Access Point and the Oracle being the furthest away. The Mobility Agent is the controller to which Access Points attach directly, that is, where the CAPWAP tunnel from the Access Point terminates; hence the Mobility Agent converts wireless frames to Ethernet and forwards them to the wired network.

The Mobility Controller is a mandatory element in the design. It can be hosted on an MA in smaller deployments. It manages mobility-related configuration. It also maintains the client database within a sub-domain and handles RF functions within that domain (including RRM). Supported platforms are Catalyst 3850, WiSM2, 5508, and 5760. So a mobility sub-domain, managed by a Mobility Controller, comprises a set of CA switches and their associated Access Points, across which fast roaming is required.

Let us define the Mobility Group now. It is a collection of Mobility Controllers (MCs) across which fast roaming needs to be supported. A mobility group may correspond to a collection of buildings in a campus across which roams are expected to happen more often. Each mobility group contains MCs that know each other, with each MC regulating fast roaming within its sub-domain. If you have two mobility groups, you will most likely want a Mobility Oracle that each of these MCs can talk to.


Basic MA Configuration:

You need at least one MC. You cannot configure mobility from the MA. On the MA, just configure the MC IP address:

MA(config)# wireless mobility controller ip 10.10.x

Basic MC Configuration:

On the MC, define each peer group and each peer group member IP address:

MC(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.x public-ip 10.10.20.y

MC(config)# wireless mobility controller peer-group SPG1 member ip 10.10.20.z public-ip 10.10.20.a

Mobility Configuration Verification

MC# show wireless mobility summary

Mobility Controller Summary:
Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666

MA# show wireless mobility summary

Mobility Agent Summary:
Mobility Role                                   : Mobility Agent
Mobility Protocol Port                          : 16666
Mobility Switch Peer Group Name                 : SPG1
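
As an added example (not part of the original post), the verification step can be automated by parsing collected `show wireless mobility summary` output and comparing role, protocol port and peer group against the intended design. The hostnames, the intended design and the sample outputs are constructed for illustration; only the field names and port 16666 come from the output above.

```python
import re

# Constructed outputs modelled on the fields shown above; hostnames are hypothetical.
OUTPUTS = {
    "sw-floor1": """Mobility Agent Summary:
Mobility Role                                   : Mobility Agent
Mobility Protocol Port                          : 16666
Mobility Switch Peer Group Name                 : SPG1
""",
    "sw-floor2": """Mobility Controller Summary:
Mobility Role                                   : Mobility Controller
Mobility Protocol Port                          : 16666
""",
}

# Intended design (hypothetical): both access switches are MAs in SPG1.
EXPECTED = {
    "sw-floor1": {"Mobility Role": "Mobility Agent",
                  "Mobility Switch Peer Group Name": "SPG1"},
    "sw-floor2": {"Mobility Role": "Mobility Agent",
                  "Mobility Switch Peer Group Name": "SPG1"},
}

# Matches "Field name   : value"; section headers such as "... Summary:" do not match.
FIELD = re.compile(r"^\s*(\S.*?)\s+:\s+(\S.*?)\s*$")

def parse_summary(text):
    """Return the 'Name : value' fields of one summary as a dict."""
    return dict(m.groups() for m in map(FIELD.match, text.splitlines()) if m)

def audit(outputs, expected, port="16666"):
    """List (device, field, expected, actual) for every deviation from the design."""
    findings = []
    for device, want in expected.items():
        got = parse_summary(outputs.get(device, ""))
        checks = {**want, "Mobility Protocol Port": port}
        for field, value in checks.items():
            if got.get(field) != value:  # a missing field is reported as None
                findings.append((device, field, value, got.get(field)))
    return findings

if __name__ == "__main__":
    for finding in audit(OUTPUTS, EXPECTED):
        print("MISMATCH device=%s field=%r expected=%r actual=%r" % finding)
```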



Sticky Anchoring (default behavior)

With sticky anchoring, the Point of Presence (PoP) does not move with the user, while the Point of Attachment (PoA) does. So even for Layer 2 roams, the data is tunneled back to the anchor controller. This is done in order to ensure lower roaming latency: the anchor switch is where security policies are applied (AAA ACLs, for example), and without sticky anchoring the new anchor switch would have to obtain and then apply the security policies to the client.

Sticky anchoring can be disabled on a per-WLAN basis:

3850(config-wlan)# no mobility anchor sticky

Without sticky anchoring, you go back to standard Anchor/Foreign roaming.




CA Client Initial Association

When a client first joins a CA switch acting as MA and no keying information is available (the station first appears in the network), the switch requires the device to authenticate and obtains the Pairwise Master Key (PMK). The CA access switch then sends the PMK to the Mobility Controller. The Mobility Controller performs a lookup in its database and determines that it has no state for the station. If the Mobility Controller has detected a Mobility Oracle, it forwards the Mobile Announce to it. Since the station is new to the network, the Mobility Oracle returns a negative response (NACK). If no Mobility Oracle is present, the Mobility Controller is responsible for creating the negative response.


The CA switch (MA) informs the MC about the station's new point of attachment (containing the client IP address, SSID, security policy, DHCP server address, ACL, QoS policy, multicast groups this client has joined, and other policies). The Mobility Controller pushes the PMK to all CA switches within the mobility sub-domain, and other MCs in the complete sub-domain will have that PMK.

The CA switch (MA) informs its peer group peers about the station's new point of attachment via the Handoff Notification message (so as to allow for local handoffs without needing to interact with the MC).


Intra PG Roaming

If the client moves from one MA to another MA in the same SPG, the new CA switch sends a unicast message to the old switch asking for the client context, for example the security context. The old switch responds with a Handoff. The Handoff includes the station's context information (with all client policies). Once the handoff is complete, the new switch transmits a Handoff Complete to the MC. The new switch transmits a Notification to all switches within its own peer group.


Inter PG Roaming

The new switch knows the client key and transmits the Mobile Announce to the sub-domain's MC. The Mobility Controller performs a lookup in its database and forwards the request to the switch that was previously providing service to the station. The old switch transmits a Handoff message directly to the new switch, which also causes the station's context to be transferred. The old switch notifies the switches within its peer group that the station has left the group. The new switch transmits the Handoff Complete message in a reliable fashion to the Mobility Controller. The new switch transmits the Handoff Notification to the switches within its peer group.


Inter Sub-domain Roaming

Case 1: You configured mobility groups, and the MCs in the mobility group know each other. PMKs are sent to the other MCs in the mobility group, and roaming is similar to inter-PG roaming, with an additional MC involved.

Case 2: PMKs are not propagated across mobility groups, and 802.11r domain names are mobility group-specific, which requires that stations re-authenticate when they cross mobility group boundaries.
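
The roaming cases above, from intra-PG through inter-mobility-group, can be summarized as a small model that classifies a roam from the hierarchy (peer group, MC, mobility group) and lists the control messages described in the text. This is an added example, not part of the original post and not Cisco code; the topology is constructed, and the Mobile Announce path across two MCs in the inter-sub-domain case is an assumption based on "an additional MC involved".

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class MobilityAgent:
    name: str
    peer_group: str      # switch peer group (SPG)
    mc: str              # Mobility Controller, i.e. the sub-domain
    mobility_group: str  # mobility group the MC belongs to

def plan_roam(old: MobilityAgent, new: MobilityAgent) -> dict:
    """Classify a roam from `old` to `new` and list the control messages."""
    if old.mobility_group != new.mobility_group:
        # Case 2: PMKs are not propagated across mobility groups.
        return {"type": "inter-mobility-group", "reauth": True,
                "messages": [f"station -> {new.name}: full re-authentication"]}
    if old.mc != new.mc:
        # Case 1; assumed path: the announce crosses both MCs.
        kind, via = "inter-sub-domain", [new.mc, old.mc]
    elif old.peer_group != new.peer_group:
        kind, via = "inter-PG", [new.mc]
    else:
        kind, via = "intra-PG", []
    if via:
        hops = [new.name, *via, old.name]
        msgs = [f"{a} -> {b}: Mobile Announce" for a, b in zip(hops, hops[1:])]
    else:
        msgs = [f"{new.name} -> {old.name}: client context request (unicast)"]
    msgs.append(f"{old.name} -> {new.name}: Handoff (client context, policies)")
    if via:
        msgs.append(f"{old.name} -> {old.peer_group} peers: station left")
    msgs.append(f"{new.name} -> {new.mc}: Handoff Complete")
    msgs.append(f"{new.name} -> {new.peer_group} peers: Handoff Notification")
    return {"type": kind, "reauth": False, "messages": msgs}

# Constructed topology: two sub-domains in MG1, one in MG2.
MA1 = MobilityAgent("MA1", "SPG1", "MC1", "MG1")
MA2 = MobilityAgent("MA2", "SPG1", "MC1", "MG1")
MA3 = MobilityAgent("MA3", "SPG2", "MC1", "MG1")
MA4 = MobilityAgent("MA4", "SPG3", "MC2", "MG1")
MA5 = MobilityAgent("MA5", "SPG4", "MC3", "MG2")

if __name__ == "__main__":
    for target in (MA2, MA3, MA4, MA5):
        plan = plan_roam(MA1, target)
        print(f"MA1 -> {target.name}: {plan['type']}, reauth={plan['reauth']}")
        for m in plan["messages"]:
            print("   ", m)
```

Only the roam that crosses a mobility group boundary forces re-authentication; every other case reuses the PMK already distributed by the MC.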


I hope this has been an informative session and proves useful for you. Please do share your feedback and opinions via the comments section below.

You can also view the TechTalk video and download the presentation for more information.

Thank you for reading & watching!

Cisco Employee

If you are not able to play the video in Firefox, please disable the protection on the webpage as shown below:

Firefox-Disable Protection.jpg



Cisco Employee

Hi Folks,

If you are not able to play this video in Google Chrome, please click on "Load unsafe script" as shown below:

Chrome-Load unsafe script.jpg



Cisco Employee

Nice video with a lot of information.

New Member

Very informative. Good work Dhiresh & team!

New Member

Very informative and well explained... Actually I am planning to implement the converged Arch in my network, and a lot of my queries got answered here. Thanks for sharing the info.