Cisco Wireless LAN Controller Configuration Guide
OL-17037-01
Chapter 12 Configuring Mobility Groups
Wireless Device Access
Configuring Auto-Anchor Mobility
You can use auto-anchor mobility (also called guest tunneling) to improve load balancing and security
for roaming clients on your wireless LANs. Under normal roaming conditions, client devices join a
wireless LAN and are anchored to the first controller that they contact. If a client roams to a different
subnet, the controller to which the client roamed sets up a foreign session for the client with the anchor
controller. However, using the auto-anchor mobility feature, you can specify a controller or set of
controllers as the anchor points for clients on a wireless LAN.
In auto-anchor mobility mode, a subset of a mobility group is specified as the anchor controllers for a
WLAN. You can use this feature to restrict a WLAN to a single subnet, regardless of a client’s entry
point into the network. Clients can then access a guest WLAN throughout an enterprise but still be
restricted to a specific subnet. Auto-anchor mobility can also provide geographic load balancing because
the WLANs can represent a particular section of a building (such as a lobby, a restaurant, and so on),
effectively creating a set of home controllers for a WLAN. Instead of being anchored to the first
controller that they happen to contact, mobile clients can be anchored to controllers that control access
points in a particular vicinity.
When a client first associates to a controller of a mobility group that has been preconfigured as a mobility
anchor for a WLAN, the client associates to the controller locally, and a local session is created for the
client. Clients can be anchored only to preconfigured anchor controllers of the WLAN. For a given
WLAN, you should configure the same set of anchor controllers on all controllers in the mobility group.
When a client first associates to a controller of a mobility group that has not been configured as a
mobility anchor for a WLAN, the client associates to the controller locally, a local session is created for
the client, and the client is announced to the other controllers in the mobility list. If the announcement
is not answered, the controller contacts one of the anchor controllers configured for the WLAN and
creates a foreign session for the client on the local switch. Packets from the client are encapsulated
through a mobility tunnel using EtherIP and sent to the anchor controller, where they are decapsulated
and delivered to the wired network. Packets to the client are received by the anchor controller and
forwarded to the foreign controller through a mobility tunnel using EtherIP. The foreign controller
decapsulates the packets and forwards them to the client.
In controller software releases prior to 4.1, there is no automatic way of determining if a particular
controller in a mobility group is unreachable. As a result, the foreign controller may continually send all
new client requests to a failed anchor controller, and the clients remain connected to this failed controller
until a session timeout occurs. In controller software release 4.1 or later, mobility list members can send
ping requests to one another to check the data and control paths among them to find failed members and
reroute clients. You can configure the number and interval of ping requests sent to each anchor
controller. This functionality provides guest N+1 redundancy for guest tunneling and mobility failover
for regular mobility.
Guest N+1 redundancy allows detection of failed anchors. Once a failed anchor controller is detected,
all of the clients anchored to this controller are deauthenticated so that they can quickly become
anchored to another controller. This same functionality is also extended to regular mobility clients
through mobility failover. This feature enables mobility group members to detect failed members and
reroute clients.
Note: A 2100 series controller cannot be designated as an anchor for a WLAN. However, a WLAN created on
a 2100 series controller can have a 4400 series controller as its anchor.
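
The following audit script is an added example, not part of the Cisco guide. It checks a mobility group against three rules stated in this section: the same anchor set on every controller, no 2100 series anchor, and failed-anchor detection only in release 4.1 or later. The inventory layout, controller names, addresses and release strings are constructed for illustration; in practice you would fill the inventory from each controller's configuration.

```python
# Added example: audit a mobility group against the auto-anchor rules above.
# SAMPLE_GROUP is constructed data; names, IPs and releases are hypothetical.

def parse_release(release):
    """Reduce a release string such as '4.0.217.0' to (major, minor)."""
    return tuple(int(part) for part in release.split(".")[:2])

def audit_auto_anchor(controllers):
    """Return findings for one mobility group.

    controllers maps name -> {"ip", "model", "release", "anchors": {wlan: set_of_ips}}.
    """
    findings = []
    by_ip = {c["ip"]: name for name, c in controllers.items()}
    wlans = sorted({w for c in controllers.values() for w in c["anchors"]})
    for wlan in wlans:
        # Every anchor configured anywhere for this WLAN is expected everywhere.
        expected = set().union(*(c["anchors"].get(wlan, set()) for c in controllers.values()))
        for name, c in sorted(controllers.items()):
            missing = expected - c["anchors"].get(wlan, set())
            if missing:
                findings.append(f"{wlan}: {name} is missing anchor(s) {sorted(missing)}")
        for ip in sorted(expected):
            owner = by_ip.get(ip)
            if owner is None:
                # Anchors must be a subset of the mobility group.
                findings.append(f"{wlan}: anchor {ip} is not a mobility group member")
            elif controllers[owner]["model"].startswith("21"):
                findings.append(f"{wlan}: anchor {ip} ({owner}) is a 2100 series controller")
    for name, c in sorted(controllers.items()):
        # Releases before 4.1 have no automatic detection of an unreachable anchor.
        if c["anchors"] and parse_release(c["release"]) < (4, 1):
            findings.append(f"{name}: release {c['release']} cannot detect a failed anchor")
    return findings

BOTH = {"192.0.2.10", "192.0.2.11"}
SAMPLE_GROUP = {
    "wlc-lobby":  {"ip": "192.0.2.1", "model": "4402", "release": "4.2.61.0",
                   "anchors": {"guest": set(BOTH)}},
    "wlc-floor2": {"ip": "192.0.2.2", "model": "4404", "release": "4.0.217.0",
                   "anchors": {"guest": {"192.0.2.10"}}},
    "wlc-dmz-a":  {"ip": "192.0.2.10", "model": "4402", "release": "4.2.61.0",
                   "anchors": {"guest": set(BOTH)}},
    "wlc-dmz-b":  {"ip": "192.0.2.11", "model": "2106", "release": "4.2.61.0",
                   "anchors": {"guest": set(BOTH)}},
}

if __name__ == "__main__":
    for finding in audit_auto_anchor(SAMPLE_GROUP):
        print(finding)
```
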