Layer 2 roaming is well known and implemented in many installations, as it is much easier to deploy and troubleshoot. On some occasions, especially in large deployments, Layer 3 roaming might be the solution.
I implemented a couple of Aruba IAP clusters recently. In one of the installations, it was decided that we would split the building into 2 different clusters. Before implementing advanced features, it is a good idea to test them to understand the design, the configuration and the CLI support commands for further troubleshooting if needed.
Layer 3 roaming occurs:
- when the user crosses a Layer 3 boundary, which means roaming to an AP that uses a different client VLAN/subnet than the home AP. Any TCP session will need to be re-established after Layer 3 roaming, because the user leases an address from a different subnet.
- when the client roams to a different AP that does not have the home AP's client VLAN/subnet implemented. The upper-layer communication is maintained by the Mobile IP standard. The user keeps the original IP address after moving to the other Layer 3 network. A tunnel is created between controllers and/or APs to maintain the original connection with all open TCP/UDP sessions.
For the end user, roaming to a different subnet, or to a different AP while keeping the home IP address, is a seamless experience.
I will focus here on the 2nd scenario based on two Aruba IAP clusters with different client VLANs for the same SSID.
Both APs have been configured with a similar config, as per the manual:
    home agent# show l3-mobility config
    Flags
    -----
    Type                       Value
    ----                       -----
    Home Agent Load Balancing  enable

    Virtual Controller Table
    ------------------------
    Virtual Controller IP
    ---------------------
    10.10.50.10
    192.168.7.7

    Subnet Table
    ------------
    Subnet       Netmask        VLAN  Virtual Controller
    ------       -------        ----  ------------------
    192.168.3.0  255.255.255.0  3     10.10.50.10
    192.168.4.0  255.255.255.0  4     192.168.7.7

    foreign agent# show l3-mobility config
    Flags
    -----
    Type                       Value
    ----                       -----
    Home Agent Load Balancing  enable

    Virtual Controller Table
    ------------------------
    Virtual Controller IP
    ---------------------
    10.10.50.10
    192.168.7.7

    Subnet Table
    ------------
    Subnet       Netmask        VLAN  Virtual Controller
    ------       -------        ----  ------------------
    192.168.3.0  255.255.255.0  3     10.10.50.10
    192.168.4.0  255.255.255.0  4     192.168.7.7
The mobile client associated with the home agent AP with the IP address 192.168.3.110.
    home agent# show clients
    Client List
    -----------
    Name     IP Address     MAC Address        OS  ESSID  Access Point   Channel  Type  Role  IPv6 Address  Signal    Speed (mbps)
    ----     ----------     -----------        --  -----  ------------   -------  ----  ----  ------------  ------    ------------
    Bullitt  192.168.3.110  cc:44:63:1b:2d:fa      test   home agent     44+      AC    test  --            54(good)  360(good)
    Number of Clients :1
    Info timestamp :486
For testing I used an iPhone with the NetAnalyzer app, pinging IP address 8.8.8.8 with a payload of 1500 bytes every 0.2 seconds.
After initial association, the mobile client roamed to the foreign agent AP:
    foreign agent# show clients
    Client List
    -----------
    Name     IP Address     MAC Address        OS  ESSID  Access Point   Channel  Type  Role  IPv6 Address  Signal    Speed (mbps)
    ----     ----------     -----------        --  -----  ------------   -------  ----  ----  ------------  ------    ------------
    Bullitt  192.168.3.110  cc:44:63:1b:2d:fa      test   foreign agent  60+      AC    test  --            47(good)  400(good)
    Number of Clients :1
    Info timestamp :859

A GRE tunnel was created between the home agent AP and the foreign agent AP to maintain connectivity:
    home agent# show l3-mobility events
    L3 Mobility Events
    ------------------
    Time Client MAC Event IP Dir Peer IP Home Vlan VAP Vlan Tunnel ID Old AP IP FAP IP HAP IP VC IP Additional Info
    ---- ---------- ----- -- --- ------- --------- -------- --------- --------- ------ ------ ----- ---------------
    Feb 18 21:45:23 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 10.10.50.150 <- 192.168.7.7 - - - - 192.168.7.49 10.10.50.150 192.168.7.7 phy=1,ht=1
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Sta ACL changed at Foreign network 10.10.50.150 <- 192.168.7.49 - - - - - - - role=test,ssid=test
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 10.10.50.150 <- 192.168.7.7 - - - - 192.168.7.49 10.10.50.150 192.168.7.7 phy=1,ht=1
    Feb 18 21:45:20 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 10.10.50.150 <- 192.168.7.7 - - - - 192.168.7.49 10.10.50.150 192.168.7.7 phy=1,ht=1
    Feb 18 21:45:19 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 10.10.50.150 <- 192.168.7.7 - - - - 192.168.7.49 10.10.50.150 192.168.7.7 phy=1,ht=1
    Feb 18 21:45:19 cc:44:63:1b:2d:fa Sta ACL changed at Foreign network 10.10.50.150 <- 192.168.7.49 - - - - - - - role=test,ssid=test
    Feb 18 21:45:19 cc:44:63:1b:2d:fa Foreign Sta Info from Home Virtual Controller 10.10.50.150 -> 192.168.7.7 - - - - 192.168.7.49 10.10.50.150 192.168.7.7 name=Bullitt,ip=192.168.3.110,
    Feb 18 21:45:19 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 10.10.50.150 <- 192.168.7.7 - - - - 192.168.7.49 10.10.50.150 192.168.7.7 phy=1,ht=1
    Feb 18 21:45:19 cc:44:63:1b:2d:fa Foreign Sta Info from Home Virtual Controller 10.10.50.150 -> 192.168.7.7 - - - - 192.168.7.49 10.10.50.150 192.168.7.7 name=Bullitt,ip=192.168.3.110,
    Feb 18 21:45:19 cc:44:63:1b:2d:fa HAP Acknowledgement to FAP 10.10.50.150 -> 192.168.7.49 3 4 0 - 192.168.7.49 10.10.50.150 192.168.7.7
    Feb 18 21:45:19 cc:44:63:1b:2d:fa Become HAP for this Client 10.10.50.150 -> self 3 4 0 - 192.168.7.49 10.10.50.150 192.168.7.7 acl=130,rmt-tun-id=0,use-cnt=0
    Feb 18 21:45:19 cc:44:63:1b:2d:fa **Create Tunnel 10.10.50.150 -> self 3 4 0 - 192.168.7.49 10.10.50.150 192.168.7.7
    Feb 18 21:45:19 cc:44:63:1b:2d:fa **HAP Request from FAP 10.10.50.150 <- 192.168.7.49 3 4 0 - 192.168.7.49 10.10.50.150 192.168.7.7 test
From the foreign agent AP:
    foreign agent# show l3-mobility events
    L3 Mobility Events
    ------------------
    Time Client MAC Event IP Dir Peer IP Home Vlan VAP Vlan Tunnel ID Old AP IP FAP IP HAP IP VC IP Additional Info
    ---- ---------- ----- -- --- ------- --------- -------- --------- --------- ------ ------ ----- ---------------
    Feb 18 21:45:26 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 192.168.7.49 -> 10.10.50.10 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 phy=1,ht=1,mgrps=1
    Feb 18 21:45:23 cc:44:63:1b:2d:fa Sta ACL changed at Foreign network 192.168.7.49 -> 10.10.50.150 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 role=test,ssid=test
    Feb 18 21:45:23 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 192.168.7.49 -> 10.10.50.10 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 phy=1,ht=1,mgrps=1
    Feb 18 21:45:23 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 192.168.7.49 -> 10.10.50.10 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 phy=1,ht=1,mgrps=1
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Foreign Sta Info from Home Virtual Controller 192.168.7.49 <- 10.10.50.10 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 name=Bullitt,ip=192.168.3.110,
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 192.168.7.49 -> 10.10.50.10 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 phy=1,ht=1,mgrps=0
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Foreign Sta Info from Home Virtual Controller 192.168.7.49 <- 10.10.50.10 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 name=Bullitt,ip=192.168.3.110,
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Become FAP for this Client 192.168.7.49 -> self 3 4 0 10.10.50.150 192.168.7.49 10.10.50.150 10.10.50.10 rmt-tun-id=0,use-cnt=1
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Sta ACL changed at Foreign network 192.168.7.49 -> 10.10.50.150 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 role=test,ssid=test
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Remote Sta Info from Foreign Virtual Controller 192.168.7.49 -> 10.10.50.10 - - - - 192.168.7.49 10.10.50.150 10.10.50.10 phy=1,ht=1,mgrps=0
    Feb 18 21:45:21 cc:44:63:1b:2d:fa **Create Tunnel 192.168.7.49 -> self 3 4 0 10.10.50.150 192.168.7.49 10.10.50.150 10.10.50.10
    Feb 18 21:45:21 cc:44:63:1b:2d:fa HAP Acknowledgement to FAP 192.168.7.49 <- 10.10.50.150 - - 0 - 192.168.7.49 10.10.50.150 -
    Feb 18 21:45:21 cc:44:63:1b:2d:fa **HAP Request from FAP 192.168.7.49 -> 10.10.50.150 3 4 0 10.10.50.150 192.168.7.49 10.10.50.150 10.10.50.10 retries=0
    Feb 18 21:45:21 cc:44:63:1b:2d:fa Client found at Virtual Controller 192.168.7.49 <- 10.10.50.150 3 - - 10.10.50.150 192.168.7.49 10.10.50.150 10.10.50.10
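
A client holding a 192.168.3.x address on an AP in the other cluster is only expected when the L3 mobility handshake above has completed. The following Python check is an added example, not part of the original post or of Aruba's tooling: it looks up the client's home virtual controller in the subnet table and confirms that the HAP request, acknowledgement and tunnel creation events were logged. The function names, the regex field layout (inferred from the output on this page) and the reading that 192.168.7.7 is the foreign cluster's virtual controller are assumptions.

```python
import ipaddress
import re

# Subnet table as shown by "show l3-mobility config" on this page:
# (subnet, netmask, VLAN, owning virtual controller).
SUBNET_TABLE = [
    ("192.168.3.0", "255.255.255.0", 3, "10.10.50.10"),
    ("192.168.4.0", "255.255.255.0", 4, "192.168.7.7"),
]

# Last four event lines of the foreign agent output on this page, oldest first.
SAMPLE_EVENTS = """\
Feb 18 21:45:21 cc:44:63:1b:2d:fa Client found at Virtual Controller 192.168.7.49 <- 10.10.50.150 3 - - 10.10.50.150 192.168.7.49 10.10.50.150 10.10.50.10
Feb 18 21:45:21 cc:44:63:1b:2d:fa **HAP Request from FAP 192.168.7.49 -> 10.10.50.150 3 4 0 10.10.50.150 192.168.7.49 10.10.50.150 10.10.50.10 retries=0
Feb 18 21:45:21 cc:44:63:1b:2d:fa HAP Acknowledgement to FAP 192.168.7.49 <- 10.10.50.150 - - 0 - 192.168.7.49 10.10.50.150 -
Feb 18 21:45:21 cc:44:63:1b:2d:fa **Create Tunnel 192.168.7.49 -> self 3 4 0 10.10.50.150 192.168.7.49 10.10.50.150 10.10.50.10
"""

# Assumed layout: time, client MAC, event name (free text, optional "**"),
# local IP, direction, peer ("self" or an IP). Remaining columns are ignored.
EVENT_RE = re.compile(
    r"^(?P<time>\w{3} +\d+ [\d:]{8}) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"\**(?P<event>.+?) (?P<ip>\d+(?:\.\d+){3}) (?P<dir>->|<-) (?P<peer>\S+)"
)

def parse_events(text):
    """Split each event line into time, MAC, event name, local IP, direction, peer."""
    return [m.groupdict() for m in map(EVENT_RE.match, text.splitlines()) if m]

def home_vc(client_ip, table=SUBNET_TABLE):
    """Return (VLAN, virtual controller) owning the client's subnet, or None."""
    addr = ipaddress.ip_address(client_ip)
    for subnet, mask, vlan, vc in table:
        if addr in ipaddress.ip_network(f"{subnet}/{mask}"):
            return vlan, vc
    return None

def roam_state(client_ip, local_vc, events, mac):
    """Classify a client seen on an AP whose cluster virtual controller is local_vc."""
    owner = home_vc(client_ip)
    if owner is None:
        return "unknown-subnet"          # address not covered by the mobility config
    if owner[1] == local_vc:
        return "home"                    # client is on its own cluster, no tunnel needed
    seen = {e["event"] for e in events if e["mac"] == mac}
    needed = {"HAP Request from FAP", "HAP Acknowledgement to FAP", "Create Tunnel"}
    return "l3-roamed-tunnelled" if needed <= seen else "l3-roamed-no-tunnel"
```

A result of `l3-roamed-no-tunnel` or `unknown-subnet` for a client seen on an AP is the case worth investigating, since the address is not explained by the mobility configuration and events.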
The tunnel maintains connectivity for the mobile client between home agent AP and foreign agent AP:
Confirmation that the mobile client still uses its old IP address when reaching 8.8.8.8:
    L3Switch#service pktcap on interface vlan 3
    Capturing up to 50 packets. Use Ctrl-C to abort.
    1 21:55:37.708379 I ICMP: 192.168.3.110 > 8.8.8.8 echo request, id 60272, seq 3441, length 1480, IPv4 fragment id 11136, offset 0, DSCP 0
    2 21:55:37.708379 I ICMP: 192.168.3.110 > 8.8.8.8 IPv4 fragment, IPv4 fragment id 11136, offset 1480, IPv4 length 48, DSCP 0
    3 21:55:37.786795 O ICMP: 8.8.8.8 > 192.168.3.110 echo reply, id 60272, seq 3441, length 1424, IPv4 fragment id 407, offset 0, DSCP 0
    4 21:55:37.786795 O ICMP: 8.8.8.8 > 192.168.3.110 IPv4 fragment, IPv4 fragment id 407, offset 1424, IPv4 length 104, DSCP 0
    5 21:55:37.905651 I ICMP: 192.168.3.110 > 8.8.8.8 echo request, id 60272, seq 3442, length 1480, IPv4 fragment id 18973, offset 0, DSCP 0
    6 21:55:37.905651 I ICMP: 192.168.3.110 > 8.8.8.8 IPv4 fragment, IPv4 fragment id 18973, offset 1480, IPv4 length 48, DSCP 0
    7 21:55:37.967976 O ICMP: 8.8.8.8 > 192.168.3.110 echo reply, id 60272, seq 3442, length 1424, IPv4 fragment id 476, offset 0, DSCP 0
    8 21:55:37.967976 O ICMP: 8.8.8.8 > 192.168.3.110 IPv4 fragment, IPv4 fragment id 476, offset 1424, IPv4 length 104, DSCP 0
    9 21:55:38.109588 I ICMP: 192.168.3.110 > 8.8.8.8 echo request, id 60272, seq 3443, length 1480, IPv4 fragment id 29157, offset 0, DSCP 0
    10 21:55:38.109588 I ICMP: 192.168.3.110 > 8.8.8.8 IPv4 fragment, IPv4 fragment id 29157, offset 1480, IPv4 length 48, DSCP 0
    11 21:55:38.177392 O ICMP: 8.8.8.8 > 192.168.3.110 echo reply, id 60272, seq 3443, length 1424, IPv4 fragment id 592, offset 0, DSCP 0
    12 21:55:38.177392 O ICMP: 8.8.8.8 > 192.168.3.110 IPv4 fragment, IPv4 fragment id 592, offset 1424, IPv4 length 104, DSCP 0