Aruba Instant Layer 3 Mobility across different clusters

Layer 2 roaming is well known and implemented in many installations, as it is much easier to deploy and troubleshoot. On some occasions, especially in large deployments, Layer 3 roaming might be the solution.

I implemented a couple of Aruba IAP clusters recently. In one of the installations, it was decided that we split the building into 2 different clusters. Before implementing advanced features, it is a good idea to test them to understand the design, the configuration, and the CLI support commands for further troubleshooting if needed.

Layer 3 roaming occurs:

  1. when the user crosses a Layer 3 boundary, which means roaming to an AP that uses a different client VLAN/subnet than the home AP's client VLAN/subnet. Any TCP session will need to be re-established after Layer 3 roaming, when the user leases an address from a different subnet.
  2. when the client roams to a different AP on which the home AP's VLAN/subnet is not implemented. The upper-layer communication is maintained by the Mobile IP standard. The user keeps the original IP address after moving to the other Layer 3 network. A tunnel is created between controllers and/or APs to maintain the original connection with all open TCP/UDP sessions.

For the end user, roaming to a different subnet, or to a different AP while keeping the home IP address, is a seamless experience.

I will focus here on the 2nd scenario based on two Aruba IAP clusters with different client VLANs for the same SSID.

Both APs have been configured with a similar config as per the manual:

home agent# show l3-mobility config 
Flags
-----
Type                       Value
----                       -----
Home Agent Load Balancing  enable
Virtual Controller Table
------------------------
Virtual Controller IP
---------------------
10.10.50.10
192.168.7.7
Subnet Table
------------
Subnet       Netmask        VLAN  Virtual Controller
------       -------        ----  ------------------
192.168.3.0  255.255.255.0  3     10.10.50.10
192.168.4.0  255.255.255.0  4     192.168.7.7

foreign agent# show l3-mobility config 
Flags
-----
Type                       Value
----                       -----
Home Agent Load Balancing  enable
Virtual Controller Table
------------------------
Virtual Controller IP
---------------------
10.10.50.10
192.168.7.7
Subnet Table
------------
Subnet       Netmask        VLAN  Virtual Controller
------       -------        ----  ------------------
192.168.3.0  255.255.255.0  3     10.10.50.10
192.168.4.0  255.255.255.0  4     192.168.7.7
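
An added example, not from the original post or from Aruba: a Python sketch that parses the show l3-mobility config output above, checks that both clusters hold the same tables, and works out whether a client address needs a tunnel back to its home virtual controller. The function names, the audit rules and the longest-prefix lookup are assumptions made for illustration, not Aruba's implementation.

```python
import ipaddress

# Constructed sample: the config tables shown on this page, as one string.
SAMPLE = """\
Virtual Controller IP
---------------------
10.10.50.10
192.168.7.7
Subnet       Netmask        VLAN  Virtual Controller
------       -------        ----  ------------------
192.168.3.0  255.255.255.0  3     10.10.50.10
192.168.4.0  255.255.255.0  4     192.168.7.7
"""

def parse_config(text):
    """Return (set of VC IPs, list of (network, vlan, vc)) from CLI text."""
    vcs, subnets = set(), []
    for line in text.splitlines():
        f = line.split()
        try:
            if len(f) == 1:
                vcs.add(str(ipaddress.ip_address(f[0])))
            elif len(f) == 4:
                net = ipaddress.ip_network(f"{f[0]}/{f[1]}")
                subnets.append((net, int(f[2]), str(ipaddress.ip_address(f[3]))))
        except ValueError:
            continue  # headings and separator rows are not addresses
    return vcs, subnets

def audit(local, peer):
    """Hypothetical checks: clusters agree, every subnet maps to a listed VC."""
    issues = []
    if local[0] != peer[0] or sorted(local[1]) != sorted(peer[1]):
        issues.append("clusters disagree on mobility tables")
    for net, _vlan, vc in local[1]:
        if vc not in local[0]:
            issues.append(f"{net} points at unlisted VC {vc}")
    return issues

def roam_decision(client_ip, serving_vc, subnets):
    """Return (home_vlan, home_vc, tunnel_needed) by longest-prefix match."""
    ip = ipaddress.ip_address(client_ip)
    hits = [(n.prefixlen, vlan, vc) for n, vlan, vc in subnets if ip in n]
    if not hits:
        return None  # address is outside every configured mobility subnet
    _, vlan, vc = max(hits)
    return vlan, vc, vc != serving_vc
```

Running parse_config on the output captured from each cluster and passing both results to audit flags a table mismatch before any roaming test is attempted.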

 

The mobile client associated with the home agent AP with the IP address 192.168.3.110.

home agent# show clients 

Client List
-----------
Name     IP Address     MAC Address        OS  ESSID  Access Point  Channel  Type  Role  IPv6 Address  Signal    Speed (mbps) 
----     ----------     -----------        --  -----  ------------  -------  ----  ----  ------------  ------    ------------ 
Bullitt  192.168.3.110  cc:44:63:1b:2d:fa      test   home agent    44+      AC    test  --            54(good)  360(good)     
Number of Clients   :1
Info timestamp      :486

 

For testing I used an iPhone with the NetAnalyzer app, pinging IP address 8.8.8.8 with a payload of 1500 bytes every 0.2 seconds.

After initial association, the mobile client roamed to the foreign agent AP:

foreign agent# show clients 

Client List
-----------
Name     IP Address     MAC Address        OS  ESSID  Access Point   Channel  Type  Role  IPv6 Address  Signal    Speed (mbps) 
----     ----------     -----------        --  -----  ------------   -------  ----  ----  ------------  ------    ------------ 
Bullitt  192.168.3.110  cc:44:63:1b:2d:fa      test   foreign agent  60+      AC    test  --            47(good)  400(good)     
Number of Clients   :1
Info timestamp      :859

 

A GRE tunnel has been created between the home agent AP and the foreign agent AP to maintain connectivity:

home agent# show l3-mobility events 

L3 Mobility Events
------------------
Time             Client MAC         Event                                            IP            Dir  Peer IP       Home Vlan  VAP Vlan  Tunnel ID  Old AP IP     FAP IP        HAP IP        VC IP        Additional Info
----             ----------         -----                                            --            ---  -------       ---------  --------  ---------  ---------     ------        ------        -----        ---------------
Feb 18 21:45:23  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  10.10.50.150  <-   192.168.7.7   -          -         -          -             192.168.7.49  10.10.50.150  192.168.7.7  phy=1,ht=1
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Sta ACL changed at Foreign network               10.10.50.150  <-   192.168.7.49  -          -         -          -             -             -             -            role=test,ssid=test
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  10.10.50.150  <-   192.168.7.7   -          -         -          -             192.168.7.49  10.10.50.150  192.168.7.7  phy=1,ht=1
Feb 18 21:45:20  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  10.10.50.150  <-   192.168.7.7   -          -         -          -             192.168.7.49  10.10.50.150  192.168.7.7  phy=1,ht=1
Feb 18 21:45:19  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  10.10.50.150  <-   192.168.7.7   -          -         -          -             192.168.7.49  10.10.50.150  192.168.7.7  phy=1,ht=1
Feb 18 21:45:19  cc:44:63:1b:2d:fa  Sta ACL changed at Foreign network               10.10.50.150  <-   192.168.7.49  -          -         -          -             -             -             -            role=test,ssid=test
Feb 18 21:45:19  cc:44:63:1b:2d:fa  Foreign Sta Info from Home Virtual Controller    10.10.50.150  ->   192.168.7.7   -          -         -          -             192.168.7.49  10.10.50.150  192.168.7.7  name=Bullitt,ip=192.168.3.110,
Feb 18 21:45:19  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  10.10.50.150  <-   192.168.7.7   -          -         -          -             192.168.7.49  10.10.50.150  192.168.7.7  phy=1,ht=1
Feb 18 21:45:19  cc:44:63:1b:2d:fa  Foreign Sta Info from Home Virtual Controller    10.10.50.150  ->   192.168.7.7   -          -         -          -             192.168.7.49  10.10.50.150  192.168.7.7  name=Bullitt,ip=192.168.3.110,
Feb 18 21:45:19  cc:44:63:1b:2d:fa  HAP Acknowledgement to FAP                       10.10.50.150  ->   192.168.7.49  3          4         0          -             192.168.7.49  10.10.50.150  192.168.7.7 
Feb 18 21:45:19  cc:44:63:1b:2d:fa  Become HAP for this Client                       10.10.50.150  ->   self          3          4         0          -             192.168.7.49  10.10.50.150  192.168.7.7  acl=130,rmt-tun-id=0,use-cnt=0
Feb 18 21:45:19  cc:44:63:1b:2d:fa  **Create Tunnel                                  10.10.50.150  ->   self          3          4         0          -             192.168.7.49  10.10.50.150  192.168.7.7 
Feb 18 21:45:19  cc:44:63:1b:2d:fa  **HAP Request from FAP                           10.10.50.150  <-   192.168.7.49  3          4         0          -             192.168.7.49  10.10.50.150  192.168.7.7  test

 

From the foreign agent AP:

foreign agent# show l3-mobility events 

L3 Mobility Events
------------------
Time             Client MAC         Event                                            IP            Dir  Peer IP       Home Vlan  VAP Vlan  Tunnel ID  Old AP IP     FAP IP        HAP IP        VC IP        Additional Info
----             ----------         -----                                            --            ---  -------       ---------  --------  ---------  ---------     ------        ------        -----        ---------------
Feb 18 21:45:26  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  192.168.7.49  ->   10.10.50.10   -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  phy=1,ht=1,mgrps=1
Feb 18 21:45:23  cc:44:63:1b:2d:fa  Sta ACL changed at Foreign network               192.168.7.49  ->   10.10.50.150  -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  role=test,ssid=test
Feb 18 21:45:23  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  192.168.7.49  ->   10.10.50.10   -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  phy=1,ht=1,mgrps=1
Feb 18 21:45:23  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  192.168.7.49  ->   10.10.50.10   -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  phy=1,ht=1,mgrps=1
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Foreign Sta Info from Home Virtual Controller    192.168.7.49  <-   10.10.50.10   -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  name=Bullitt,ip=192.168.3.110,
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  192.168.7.49  ->   10.10.50.10   -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  phy=1,ht=1,mgrps=0
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Foreign Sta Info from Home Virtual Controller    192.168.7.49  <-   10.10.50.10   -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  name=Bullitt,ip=192.168.3.110,
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Become FAP for this Client                       192.168.7.49  ->   self          3          4         0          10.10.50.150  192.168.7.49  10.10.50.150  10.10.50.10  rmt-tun-id=0,use-cnt=1
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Sta ACL changed at Foreign network               192.168.7.49  ->   10.10.50.150  -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  role=test,ssid=test
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Remote Sta Info from Foreign Virtual Controller  192.168.7.49  ->   10.10.50.10   -          -         -          -             192.168.7.49  10.10.50.150  10.10.50.10  phy=1,ht=1,mgrps=0
Feb 18 21:45:21  cc:44:63:1b:2d:fa  **Create Tunnel                                  192.168.7.49  ->   self          3          4         0          10.10.50.150  192.168.7.49  10.10.50.150  10.10.50.10 
Feb 18 21:45:21  cc:44:63:1b:2d:fa  HAP Acknowledgement to FAP                       192.168.7.49  <-   10.10.50.150  -          -         0          -             192.168.7.49  10.10.50.150  -            
Feb 18 21:45:21  cc:44:63:1b:2d:fa  **HAP Request from FAP                           192.168.7.49  ->   10.10.50.150  3          4         0          10.10.50.150  192.168.7.49  10.10.50.150  10.10.50.10  retries=0
Feb 18 21:45:21  cc:44:63:1b:2d:fa  Client found at Virtual Controller               192.168.7.49  <-   10.10.50.150  3          -         -          10.10.50.150  192.168.7.49  10.10.50.150  10.10.50.10 

 

The tunnel maintains connectivity for the mobile client between the home agent AP and the foreign agent AP.

Confirmation that the mobile client still uses its old IP address when reaching 8.8.8.8:

L3Switch#service pktcap on interface vlan 3

Capturing up to 50 packets. Use Ctrl-C to abort.
1 21:55:37.708379 I ICMP: 192.168.3.110 > 8.8.8.8 echo request, id 60272, seq 3441, length 1480, IPv4 fragment id 11136, offset 0, DSCP 0
2 21:55:37.708379 I ICMP: 192.168.3.110 > 8.8.8.8 IPv4 fragment, IPv4 fragment id 11136, offset 1480, IPv4 length 48, DSCP 0
3 21:55:37.786795 O ICMP: 8.8.8.8 > 192.168.3.110 echo reply, id 60272, seq 3441, length 1424, IPv4 fragment id 407, offset 0, DSCP 0
4 21:55:37.786795 O ICMP: 8.8.8.8 > 192.168.3.110 IPv4 fragment, IPv4 fragment id 407, offset 1424, IPv4 length 104, DSCP 0
5 21:55:37.905651 I ICMP: 192.168.3.110 > 8.8.8.8 echo request, id 60272, seq 3442, length 1480, IPv4 fragment id 18973, offset 0, DSCP 0
6 21:55:37.905651 I ICMP: 192.168.3.110 > 8.8.8.8 IPv4 fragment, IPv4 fragment id 18973, offset 1480, IPv4 length 48, DSCP 0
7 21:55:37.967976 O ICMP: 8.8.8.8 > 192.168.3.110 echo reply, id 60272, seq 3442, length 1424, IPv4 fragment id 476, offset 0, DSCP 0
8 21:55:37.967976 O ICMP: 8.8.8.8 > 192.168.3.110 IPv4 fragment, IPv4 fragment id 476, offset 1424, IPv4 length 104, DSCP 0
9 21:55:38.109588 I ICMP: 192.168.3.110 > 8.8.8.8 echo request, id 60272, seq 3443, length 1480, IPv4 fragment id 29157, offset 0, DSCP 0
10 21:55:38.109588 I ICMP: 192.168.3.110 > 8.8.8.8 IPv4 fragment, IPv4 fragment id 29157, offset 1480, IPv4 length 48, DSCP 0
11 21:55:38.177392 O ICMP: 8.8.8.8 > 192.168.3.110 echo reply, id 60272, seq 3443, length 1424, IPv4 fragment id 592, offset 0, DSCP 0
12 21:55:38.177392 O ICMP: 8.8.8.8 > 192.168.3.110 IPv4 fragment, IPv4 fragment id 592, offset 1424, IPv4 length 104, DSCP 0

 

 
