WLC – Monitor VLANs and tunnels in a Mobility Domain
Tunnels connect MX switches across a network. Tunnels are formed automatically in a Mobility Domain to extend a VLAN to the MX with an associated roaming station. A single tunnel can carry traffic for many users and many VLANs. The tunnel port can carry traffic for multiple VLANs by means of multiple virtual ports.
MSS automatically adds virtual ports to VLANs as needed to preserve the associations of users to the correct subnet or broadcast domain as they roam across the Mobility Domain. Although tunnels are formed by IP between MX switches, the tunnels can carry user traffic of any protocol type.
MSS provides the following commands to display the roaming and tunneling of users within Mobility Domain groups:
- show roaming station
- show roaming vlan
- show tunnel
Displaying Roaming Stations
The command show roaming station displays a list of the stations roaming to the MX through a VLAN tunnel. To display roaming stations (clients), type the following command:
MX# show roaming station
User Name              Station Address   VLAN            State
---------------------- ----------------- --------------- -----
example\geetha         192.168.15.104    vlan-am         Up
nh@example.com         192.168.15.1990   vlan-am         Up
example\tamara         192.168.11.200    vlan-ds         Up
example\jose           192.168.14.200    vlan-et         Up
hh@example.com         192.168.15.194    vlan-am         Up
Displaying Roaming VLANs and Affinities
The command show roaming vlan displays all VLANs in the Mobility Domain, the MX switches configured for the VLANs, and the tunnel affinity values configured on each MX.
The member MX that offers the requested VLAN reports the affinity number. If multiple MX switches have native attachments to the VLAN, the advertised affinity values attract tunneled traffic to a particular MX for that VLAN. A higher value represents a preferred connection to the VLAN.
To display roaming VLANs, type the following command:
MX# show roaming vlan
VLAN             MX              Affinity
---------------- --------------- --------
vlan-eng         192.168.12.7    5
vlan-fin         192.168.15.5    5
vlan-pm          192.168.15.5    5
vlan-wep         192.168.12.7    5
vlan-wep         192.168.15.5    5
Displaying Tunnel Information
The command show tunnel displays the tunnels that the MX hosts to distribute to a locally attached VLAN. To display tunnel information, type the following command:
MX# show tunnel
VLAN             Local Address   Remote Address  State   Port  LVID  RVID
---------------- --------------- --------------- ------- ----- ----- -----
vlan-eng         192.168.12.7    192.168.15.5    UP      1024  130   4103
vlan-eng         192.168.12.7    192.168.14.6    DORMANT 1026  130   4097
vlan-pm          192.168.12.7    192.168.15.5    UP      1024  4096  160
Understanding the Sessions of Roaming Users
When a wireless client successfully roams from one MP to another, the sessions are affected in the following ways:
- The MX treats this client session as a roaming session and not a new session.
- RADIUS accounting is handled as a continuation of an existing session.
- The session with the roamed-from MP is cleared from the MX, even if the client does not explicitly disassociate from the MP and the IEEE 802.1X reauthentication period has not expired.
Roaming requires certain conditions and can be affected by some of the MX timers. You can monitor a wireless client's roaming sessions with the show sessions network verbose command.
Requirements for Roaming to Succeed
For roaming to take place, the roaming client must associate or reassociate with another MP in the Mobility Domain after leaving an existing session on an MP in the Mobility Domain in one of the following states:
- ACTIVE: The normal state for a client leaving radio range without sending a request to disassociate.
- DEASSOCIATED: The state of a client that has sent an 802.11 disassociate message but has not yet roamed or aged out.
In addition, the following conditions must exist for roaming to succeed:
- Mobility Domain communications must be stable.
Generally, the communications required for roaming are the same as those required for VLAN tunneling. A client can also roam among ports on an MX when a Mobility Domain is inaccessible or not configured.
- Client authentication and authorization on the roamed-to MP must be successful on the first attempt.
If authentication or authorization fails, MSS clears the client session. If a failure occurs, roaming can be disqualified or delayed.
- The client must use the same authorization parameters for the roamed-to MP as for the roamed-from MP.
If the client changes the encryption type or VLAN name, MSS might record a new session rather than a roamed session.
Effects of Timers on Roaming
An unsuccessful roaming attempt might be caused by the following timers. You cannot configure either timer.
- Grace period. A disassociated session has a grace period of 5 seconds during which MSS can retrieve and forward the session history. After 5 seconds, MSS clears the session, and the accounting is stopped.
- MAC address search. If MSS cannot find the client MAC address in a Mobility Domain within 5 seconds, the session is treated as a new session rather than a roaming session.
In contrast, the 802.1X reauthentication timeout period has little effect on roaming. If the timeout expires, MSS performs 802.1X processing on the existing association. Accounting and roaming history are unaffected when reauthentication is successful, because the client is still associated with the same MP. If reauthentication fails, MSS clears the session so it is not eligible for roaming.
If the client associates with the same MP, the session is recorded as a new session.
Monitoring Roaming Sessions
To monitor the state of roaming clients, use the show sessions network verbose command. For example, the following command displays information about the sessions of a wireless client who roamed between ports on an MX.
The output shows that the client SHUTTLE2\exmpl roamed from the MP connected to port 3 to the MP connected to port 6 on the same MX, and then roamed back to the MP connected to port 3.
MX> show sessions network verbose
User                           Sess IP or MAC         VLAN            Port/
Name                           ID   Address           Name            Radio
------------------------------ ---- ----------------- --------------- -------
SHUTTLE2\exmpl                 6*   10.3.8.55         default         3/1
Client MAC: 00:06:25:13:08:33 GID: SESS-4-000404-98441-c807c14b
State: ACTIVE (prev AUTHORIZED)
now on: MX 10.3.8.103,AP/radio 3/1, AP 00:0b:0e:ff:00:3a, as of
00:00:24 ago
from: MX 10.3.8.103, AP/radio 6/1, AP 00:0b:0e:00:05:d7, as of
00:01:07 ago
from: MX 10.3.8.103, AP/radio 3/1, AP 00:0b:0e:ff:00:3a, as of
00:01:53 ago
1 sessions total
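Added example (not part of the original post and not MSS code): a Python parser for one record of the show sessions network verbose output above. It rebuilds the roam path oldest-first, computes how long the client stayed on each roamed-from AP, and flags a client that returns to the AP it just left. The dictionary field names and the 60-second ping-pong window are assumptions chosen for illustration.

```python
import re
from datetime import timedelta

# Verbose session record copied from the sample output above (wrapped lines kept).
SAMPLE = r"""SHUTTLE2\exmpl 6* 10.3.8.55 default 3/1
Client MAC: 00:06:25:13:08:33 GID: SESS-4-000404-98441-c807c14b
State: ACTIVE (prev AUTHORIZED)
now on: MX 10.3.8.103,AP/radio 3/1, AP 00:0b:0e:ff:00:3a, as of
00:00:24 ago
from: MX 10.3.8.103, AP/radio 6/1, AP 00:0b:0e:00:05:d7, as of
00:01:07 ago
from: MX 10.3.8.103, AP/radio 3/1, AP 00:0b:0e:ff:00:3a, as of
00:01:53 ago
"""

MAC = r"[0-9a-fA-F:]{17}"
HOP = re.compile(r"(?:now on|from): MX ([\d.]+),\s*AP/radio (\d+/\d+), "
                 r"AP (" + MAC + r"), as of (\d+):(\d+):(\d+) ago")

def parse_session(text):
    """Return client MAC, state and roam hops (oldest first) for one record."""
    flat = " ".join(text.split())          # undo the CLI line wrapping
    hops = [{"mx": mx, "radio": radio, "ap": ap,
             "age": timedelta(hours=int(h), minutes=int(m), seconds=int(s))}
            for mx, radio, ap, h, m, s in HOP.findall(flat)]
    return {"mac": re.search(r"Client MAC: (" + MAC + ")", flat).group(1),
            "state": re.search(r"State: (\w+)", flat).group(1),
            "hops": hops[::-1]}            # the CLI lists the newest hop first

def roam_report(session, window=timedelta(seconds=60)):
    """Describe each roam; flag a return to the previous AP within `window`.

    The 60-second default is an assumed threshold, not an MSS value.
    """
    hops, roams = session["hops"], []
    for i in range(1, len(hops)):
        prev, cur = hops[i - 1], hops[i]
        dwell = prev["age"] - cur["age"]   # time spent on the roamed-from AP
        bounced = i >= 2 and hops[i - 2]["ap"] == cur["ap"] and dwell <= window
        roams.append({"from": prev["radio"], "to": cur["radio"],
                      "dwell_s": int(dwell.total_seconds()),
                      "inter_mx": prev["mx"] != cur["mx"],  # roam crossed MX switches
                      "ping_pong": bounced})
    return roams

if __name__ == "__main__":
    s = parse_session(SAMPLE)
    print(s["mac"], s["state"])
    for r in roam_report(s):
        print(r)
```

For the record above, the report shows two intra-MX roams (3/1 to 6/1, then 6/1 back to 3/1), with the second flagged as a ping-pong.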
The post WLC – Monitor VLANs and tunnels in a Mobility Domain appeared first on eBrahma.