
[WLC] How should VLANs and VLAN Tunneling be designed and configured for use in a WLAN cluster?


Article ID: KB26854 KB Last Updated: 07 Mar 2013Version: 1.0
Summary:
This article provides information about the high level process that is used by WLAN Controllers (WLCs) to locate VLANs for Wi-Fi clients and how this process works in a WLC Cluster environment.
Symptoms:
In general, the Cluster feature is less about VLANs/tunneling and more focused on WLC-AP fault tolerance and central configuration. The main benefit of Clustering is that you only need to configure your WLAN elements (APs, service-profiles, radio-profiles, and so on) on the Primary Seed, and the Primary Seed then dynamically pushes these settings to the members of the Cluster on an as-needed basis (versus a standard Mobility Domain, where each of these WLAN elements needs to be explicitly/manually configured on each Member). For WLC-AP fault tolerance, it means that each AP in the Cluster should have two connections back to WLCs, a Primary AP Manager (PAM) and a Secondary AP Manager (SAM). This allows for a fast transition from PAM to SAM in the event that the PAM becomes unavailable (reboot, loss of network, and so on).

For VLANs and tunneling, the behavior in a Cluster is generally the same as it is for a single WLC, a Mobility Domain, and a Network Domain. The main concept is that the WLC which manages the AP to which the client is associated (in a Cluster this would be both the PAM and SAM) is responsible for finding the VLAN on which the user is to be placed. There is a fair amount of logic that can go into where the VLAN attribute comes from (such as the service-profile, AAA/RADIUS, location-policy, and so on), but the general idea is that during the AAA process the WLC determines the VLAN name for the user.

Once the WLC knows the name of the user's VLAN, it begins the process of determining where this VLAN exists and how to get to it. A good way to see how the WLC finds where the VLAN exists is to look at the output of 'show roaming vlan' on the CLI of one of the WLC devices. This output is a table of all of the VLANs that are known (from this WLC, the Mobility Domain, the Cluster, the Network Domain, and Local Switching VLAN Profiles), where they exist, their current load, and their affinity (that is, the preference/cost of this VLAN).
Cause:
 
Solution:
The high level algorithm that the WLC uses to pick the VLAN from this list is as follows:

  • Check if the AP to which the client is associated is configured for local-switching:

    If the AP is configured for local-switching, check if the VLAN for the user exists in this AP's VLAN profile (the list of VLANs that are available on this AP's uplink port). If the VLAN exists in this AP's VLAN profile, then the user will be locally switched, which means that post authentication all user traffic will directly exit the AP into that VLAN on the switch port and not be tunneled back to the WLC.

  • If the user's VLAN does not exist in this AP's vlan-profile, check if this AP has the 'ap-tunnel' feature enabled:

    If this AP has the ap-tunnel feature enabled, it means that this AP can then look at other APs, which have local-switching enabled, and see if any other AP locally hosts the user's VLAN.

    If this AP can find another AP that contains the user's VLAN in that AP's VLAN profile (and again, the user's AP has ap-tunnel enabled), then the user's AP will dynamically build a VLAN tunnel out to the AP that contains the VLAN locally, send user traffic to that AP via this tunnel, and then the receiving AP will directly place the user's traffic onto the switch port.

  • If the user's AP is not configured for local-switching, then the WLC that manages the AP will need to look for the VLAN:

    The WLC device will first check if it is locally configured with the VLAN (for example, if the VLAN exists on one of this WLC's ports); if yes, the user traffic is sent from the AP > managing WLC device and the managing WLC device places the user traffic onto the appropriate port.

    If the managing WLC does not have the VLAN locally, it will now need to look for the VLAN on other WLCs in the Cluster, Mobility Domain, other APs with local-switching enabled, or on a WLC device that is part of the Network Domain (if configured).

    When the WLC finds the VLAN, it will determine which is the best option (based on affinity/cost) and then create a tunnel out to this end point. This would mean that the user's traffic goes from AP > managing WLC device > VLAN end point (with the end point being another WLC device or AP).

All of the above steps take place while the client is going through the AAA process, and they must succeed for the client to get an Active session (for example, if the VLAN for the client can never be found, then the user will not get a session).

As for fault tolerance, this too is an automatic process that takes place on the managing WLC device (the WLC device that manages the client's AP; in a Cluster, the PAM/SAM). This means that if the VLAN end point for a client is ever lost (found to be down), the managing WLC re-runs the above algorithm to find the new best location of the client's VLAN.
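The following is an added example, not Juniper code, that models the VLAN-selection steps in the Solution above and the fault-tolerance re-selection just described. All names (AP, WLC, VlanEndpoint, select_vlan_path, mark_down), the data structures, and the sample topology are hypothetical; the list of endpoints merely imitates the idea of the 'show roaming vlan' table (VLAN, where it exists, affinity/cost, up or down). One assumption not stated in the article is what happens when a local-switching AP neither hosts the VLAN nor can tunnel to another AP; the model falls through to the WLC lookup in that case.

```python
# Added example (not Juniper's code): toy model of the WLC VLAN-placement decision.
# Names, data structures and the sample topology are hypothetical.
from dataclasses import dataclass


@dataclass
class AP:
    name: str
    local_switching: bool = False
    ap_tunnel: bool = False
    vlan_profile: frozenset = frozenset()   # VLANs available on the AP's uplink port


@dataclass
class WLC:
    name: str
    local_vlans: frozenset = frozenset()    # VLANs configured on this WLC's own ports


@dataclass
class VlanEndpoint:
    """One row of a hypothetical roaming-VLAN table: where a VLAN exists and its cost."""
    vlan: str
    endpoint: str      # name of the WLC or AP hosting the VLAN
    affinity: int      # lower is preferred
    up: bool = True


def best_endpoint(table, vlan, exclude=()):
    """Lowest-affinity reachable endpoint hosting `vlan`, or None."""
    rows = [r for r in table if r.vlan == vlan and r.up and r.endpoint not in exclude]
    return min(rows, key=lambda r: r.affinity) if rows else None


def select_vlan_path(vlan, client_ap, managing_wlc, aps, table):
    """Return (mode, path) describing where the client's traffic goes, or None."""
    # Step 1: AP is local-switching and hosts the VLAN in its own VLAN profile.
    if client_ap.local_switching:
        if vlan in client_ap.vlan_profile:
            return ("local-switch", [client_ap.name])
        # Step 2: with ap-tunnel, look for another local-switching AP hosting the VLAN.
        if client_ap.ap_tunnel:
            hosts = {a.name for a in aps
                     if a.local_switching and a is not client_ap and vlan in a.vlan_profile}
            row = best_endpoint([r for r in table if r.endpoint in hosts], vlan)
            if row:
                return ("ap-tunnel", [client_ap.name, row.endpoint])
        # Assumption (not in the article): otherwise fall through to the WLC lookup.
    # Step 3a: the managing WLC has the VLAN on one of its own ports.
    if vlan in managing_wlc.local_vlans:
        return ("wlc-local", [client_ap.name, managing_wlc.name])
    # Step 3b: tunnel from the managing WLC to the best (lowest-cost) remote endpoint,
    # which may be another WLC or a local-switching AP.
    row = best_endpoint(table, vlan, exclude={managing_wlc.name})
    if row is None:
        return None    # VLAN cannot be found: the client does not get a session
    return ("wlc-tunnel", [client_ap.name, managing_wlc.name, row.endpoint])


def mark_down(table, endpoint):
    """Fault tolerance: an endpoint is lost; the managing WLC re-runs the selection."""
    for r in table:
        if r.endpoint == endpoint:
            r.up = False


# Constructed sample topology: two clustered WLCs and three APs.
WLC1 = WLC("wlc1", frozenset({"guest"}))
AP1 = AP("ap1")                                    # no local switching: tunnels to WLC
AP2 = AP("ap2", local_switching=True, ap_tunnel=True, vlan_profile=frozenset({"guest"}))
AP3 = AP("ap3", local_switching=True, vlan_profile=frozenset({"staff"}))
APS = [AP1, AP2, AP3]
ROWS = [("guest", "wlc1", 10), ("guest", "wlc2", 20), ("guest", "ap2", 30),
        ("staff", "wlc2", 10), ("staff", "ap3", 30)]


def demo():
    table = [VlanEndpoint(v, e, a) for v, e, a in ROWS]   # fresh copy per run
    results = {
        "ap2_guest": select_vlan_path("guest", AP2, WLC1, APS, table),
        "ap2_staff": select_vlan_path("staff", AP2, WLC1, APS, table),
        "ap1_staff": select_vlan_path("staff", AP1, WLC1, APS, table),
        "ap1_lab": select_vlan_path("lab", AP1, WLC1, APS, table),
    }
    mark_down(table, "wlc2")   # wlc2 is lost: re-run the algorithm for the same client
    results["ap1_staff_after"] = select_vlan_path("staff", AP1, WLC1, APS, table)
    return results


if __name__ == "__main__":
    for name, path in demo().items():
        print(name, path)
```

Running demo() shows each branch of the algorithm: a locally switched client on ap2, an AP-to-AP tunnel from ap2 to ap3 for the staff VLAN, a WLC-to-WLC tunnel for a client on ap1, a client whose VLAN is unknown everywhere (no session), and, after wlc2 is marked down, the managing WLC picking the next-best end point (ap3) for the same client.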