Support Layer 3 roaming for bridge mode 7.2.1
Support for Layer 3 roaming with tunnel mode SSIDs was added in FortiOS 7.2.0. FortiOS 7.2.1 expands support to bridge mode SSIDs. For more information on Layer 3 roaming and supported topologies, see Support Layer 3 roaming for tunnel mode.
A client connected to the bridge mode SSID on one FortiAP can roam to the same SSID on another FortiAP managed by the same or a different FortiGate Wireless Controller, and continue to use the same IP. When the client idles for longer than the client-idle-rehome-timeout, it rehomes and receives an address on the new subnet from the new FortiAP.
For the L3 roaming inter-controller topology, bridge mode SSIDs support two Layer 3 roaming modes: indirect and direct.
- Indirect Mode: In indirect mode, the L3 handoff is handled by the mobility tunnel between the FortiGate Wireless Controllers.
- Direct Mode: In direct mode, the two FortiAPs must be able to reach each other with no NAT in the path, and the L3 handoff occurs between the FortiAPs directly.
Note: Direct mode is preferred when feasible.
Configuring L3 Roaming for Bridge Mode SSIDs
The following configurations require dynamic VLAN assignment by RADIUS to be configured for the RADIUS users, following the steps in VLAN assignment by RADIUS in the FortiWiFi and FortiAP Configuration Guide; in particular, the RADIUS user attributes used for the VLAN ID assignment must be configured.
To configure Intra-Controller L3 roaming for a bridge mode SSID - CLI:
- Configure the client-idle-rehome-timeout (default is 20 seconds):
    config wireless-controller timers
        set client-idle-rehome-timeout 20
    end
- Configure the L3 roaming support bridge mode SSID and related VLAN interface:
    config wireless-controller vap
        edit "l3_br1"
            set ssid "L3Roaming_br1"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "wifi-radius"
            set local-bridging enable
            set schedule "always"
            set dynamic-vlan enable
            set l3-roaming enable
        next
    end
    config system interface
        edit "lan"
            set vdom "root"
            set ip 10.40.0.1 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type hard-switch
            set stp enable
            set role lan
            set snmp-index 4
        next
    end
    config system interface
        edit "lan_100"
            set vdom "root"
            set ip 10.43.100.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 10
            set interface "lan"
            set vlanid 100
        next
    end
- Assign the L3 roaming VAP to FAP433F:
    config wireless-controller wtp-profile
        edit "433F"
            config platform
                set type 433F
                set ddscan enable
            end
            set handoff-sta-thresh 55
            config radio-1
                set mode disabled
            end
            config radio-2
                set band 802.11ax-5G
                set vap-all manual
                set vaps "l3_br1"
                set channel "36"
            end
            config radio-3
                set mode disabled
            end
        next
    end
    config wireless-controller wtp
        edit "FP433FXX00000000"
            set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
            set admin enable
            set wtp-profile "433F"
            config radio-2
            end
        next
    end
- Assign the L3 roaming VAP to FAP831F:
    config wireless-controller wtp-profile
        edit "831F.1"
            config platform
                set type 831F
                set ddscan enable
            end
            set handoff-sta-thresh 55
            set allowaccess https ssh
            config radio-1
                set mode disabled
            end
            config radio-2
                set band 802.11ax-5G
                set power-level 99
                set vap-all manual
                set vaps "l3_br1"
                set channel "36" "40"
            end
            config radio-3
                set mode disabled
            end
        next
    end
    config wireless-controller wtp
        edit "FP831FXX00000000"
            set uuid b867ca7c-cbc5-51ec-d5ac-4a395282be68
            set admin enable
            set wtp-profile "831F.1"
            config radio-2
            end
        next
    end
To configure Inter-Controller L3 roaming for a bridge mode SSID - CLI:
This configuration requires two FortiGate units. To enable an L3 roaming VAP, both FortiGate units must be configured with the same SSID, security mode, and passphrase.
The following example uses:
- AC1 as FGT40F
    - FAP1 as FAP433E
- AC2 as FGT81EP
    - FAP2 as FAP831F
- Configure the L3 roaming peer IP for AC1 (FGT-40F):
    config system interface
        edit "wan"
            set vdom "root"
            set ip 10.43.1.40 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type physical
            set role wan
            set snmp-index 1
        next
    end
    config wireless-controller inter-controller
        set l3-roaming enable
        config inter-controller-peer
            edit 1
                set peer-ip 10.43.1.81
            next
        end
    end
- Configure the client-idle-rehome-timeout (default is 20 seconds):
    config wireless-controller timers
        set client-idle-rehome-timeout 20
    end
- Configure the L3 roaming support bridge mode SSID and related VLAN interface:
    config wireless-controller vap
        edit "l3_br1"
            set ssid "L3Roaming_br1"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "wifi-radius"
            set local-bridging enable
            set schedule "always"
            set dynamic-vlan enable
            set l3-roaming enable
            set l3-roaming-mode indirect
        next
    end
    config system interface
        edit "lan"
            set vdom "root"
            set ip 10.40.0.1 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type hard-switch
            set stp enable
            set role lan
            set snmp-index 4
        next
    end
    config system interface
        edit "lan_100"
            set vdom "root"
            set ip 10.43.100.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 10
            set interface "lan"
            set vlanid 100
        next
    end
- Assign the L3 roaming VAP to FAP433F:
    config wireless-controller wtp-profile
        edit "433F"
            config platform
                set type 433F
                set ddscan enable
            end
            set handoff-sta-thresh 55
            config radio-1
                set mode disabled
            end
            config radio-2
                set band 802.11ax-5G
                set vap-all manual
                set vaps "l3_br1"
                set channel "36"
            end
            config radio-3
                set mode disabled
            end
        next
    end
    config wireless-controller wtp
        edit "FP433FXX00000000"
            set uuid b04f1cca-8528-51ec-2dc0-c744cbef4179
            set admin enable
            set wtp-profile "433F"
            config radio-2
            end
        next
    end
- Configure the L3 roaming peer IP for AC2 (FGT-81EP):
    config system interface
        edit "wan1"
            set vdom "root"
            set ip 10.43.1.81 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type physical
            set role wan
            set snmp-index 1
        next
    end
    config wireless-controller inter-controller
        set l3-roaming enable
        config inter-controller-peer
            edit 1
                set peer-ip 10.43.1.40
            next
        end
    end
- Configure the client-idle-rehome-timeout (default is 20 seconds):
    config wireless-controller timers
        set client-idle-rehome-timeout 20
    end
- Configure the L3 roaming support bridge mode SSID and related VLAN interface:
    config wireless-controller vap
        edit "l3_br1"
            set ssid "L3Roaming_br1"
            set security wpa2-only-enterprise
            set auth radius
            set radius-server "wifi-radius"
            set local-bridging enable
            set schedule "always"
            set dynamic-vlan enable
            set l3-roaming enable
            set l3-roaming-mode indirect
        next
    end
    config system interface
        edit "lan_hw"
            set vdom "root"
            set ip 10.81.0.129 255.255.255.0
            set allowaccess ping https ssh http fabric
            set type hard-switch
            set stp enable
            set role lan
            set snmp-index 52
        next
    end
    config system interface
        edit "lan_100"
            set vdom "root"
            set ip 10.81.100.1 255.255.255.0
            set allowaccess ping
            set device-identification enable
            set role lan
            set snmp-index 34
            set interface "lan_hw"
            set vlanid 100
        next
    end
- Assign the L3 roaming VAP to FAP831F:
    config wireless-controller wtp-profile
        edit "831F.1"
            config platform
                set type 831F
                set ddscan enable
            end
            set handoff-sta-thresh 55
            set allowaccess https ssh
            config radio-1
                set mode disabled
            end
            config radio-2
                set band 802.11ax-5G
                set power-level 99
                set vap-all manual
                set vaps "l3_br1"
                set channel "36" "40"
            end
            config radio-3
                set mode disabled
            end
        next
    end
    config wireless-controller wtp
        edit "FP831FXX00000000"
            set uuid b867ca7c-cbc5-51ec-d5ac-4a395282be68
            set admin enable
            set wtp-profile "831F.1"
            config radio-2
            end
        next
    end
- Check the peer status from AC1 (FGT-40F):
    FortiGate-40F # diagnose wireless-controller wlac -c ha
    WC fast failover info
        mode : disabled
        l3r : enabled
        peer cnt: 1
        FG81EPXX00000000 10.43.1.81:5246 UP 0
- Check the peer status from AC2 (FGT-81EP):
    FortiGate-81E-POE # diagnose wireless-controller wlac -c ha
    WC fast failover info
        mode : disabled
        l3r : enabled
        peer cnt: 1
        FGT40FXX00000000 10.43.1.40:5246 UP 0
Understanding L3 roaming events for inter-controller L3 roaming for a bridge mode SSID
When the wireless client is connected to "L3Roaming_br1" on AP1 in AC1, the client receives IP 10.43.100.2 from AP1 in AC1, bridged to the "lan_100" VLAN interface:
    FortiGate-40F # diagnose wireless-controller wlac -d sta online
    vf=0 wtp=2 rId=2 wlan=l3_br1 vlan_id=100 ip=10.43.100.2 ip6=fe80::c84:737e:2ba0:7ae2 mac=22:cf:0e:1a:7f:d2 vci= host= user=vlan0100 group=wifi-radius signal=-67 noise=-95 idle=6 bw=0 use=6 chan=36 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
When the client leaves AP1 and roams to AP2, it connects to the same SSID "L3Roaming_br1" on AP2. Wireless traffic from AP2 is sent to AC2, which forwards it over the mobility tunnel to AC1, so the traffic continues to be handled by AC1. The wireless client keeps its original IP of 10.43.100.2; on AC2 the station shows vlan_id=0 and l3r=0,1:
    FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online
    vf=0 wtp=10 rId=2 wlan=l3_br1 vlan_id=0 ip=10.43.100.2 ip6=:: mac=22:cf:0e:1a:7f:d2 vci= host= user=vlan0100 group=wifi-radius signal=-58 noise=-95 idle=1 bw=5 use=7 chan=36 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=0,1 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
If the wireless client's idle time exceeds client-idle-rehome-timeout, the rehome event is triggered. The wireless client sends a DHCP request and obtains a new IP address from AC2 (10.81.100.2). The wireless client's traffic is now handled by AC2:
    FortiGate-81E-POE # diagnose wireless-controller wlac -d sta online L
    vf=0 wtp=10 rId=2 wlan=l3_br1 vlan_id=100 ip=10.81.100.2 ip6=fe80::c84:737e:2ba0:7ae2 mac=22:cf:0e:1a:7f:d2 vci= host= user=vlan0100 group=wifi-radius signal=-55 noise=-95 idle=3 bw=0 use=6 chan=36 radio_type=11AC security=wpa2_only_enterprise mpsk= encrypt=aes cp_authed=no l3r=1,0 G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes mimo=2
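As an added example that is not part of the Fortinet documentation, the following Python parses station lines in the format of the three captures above and reconstructs the roam and rehome events for the client, which is useful when correlating "sta online" output from two controllers. It assumes the l3r field reads <home>,<visited> as the captures suggest, and the sample lines are constructed from those captures (trimmed, with a shortened ip6 value).

```python
import re

# Constructed samples, trimmed from the page's three "diagnose wireless-controller
# wlac -d sta online" captures: the client on home controller AC1, the same client
# after roaming to AC2, and after rehoming on AC2.
SAMPLES = [
    ("AC1", "vf=0 wtp=2 rId=2 wlan=l3_br1 vlan_id=100 ip=10.43.100.2 ip6=fe80::1 "
            "mac=22:cf:0e:1a:7f:d2 vci= user=vlan0100 idle=6 l3r=1,0 "
            "G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes"),
    ("AC2", "vf=0 wtp=10 rId=2 wlan=l3_br1 vlan_id=0 ip=10.43.100.2 ip6=:: "
            "mac=22:cf:0e:1a:7f:d2 vci= user=vlan0100 idle=1 l3r=0,1 "
            "G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes"),
    ("AC2", "vf=0 wtp=10 rId=2 wlan=l3_br1 vlan_id=100 ip=10.81.100.2 ip6=fe80::1 "
            "mac=22:cf:0e:1a:7f:d2 vci= user=vlan0100 idle=3 l3r=1,0 "
            "G=0.0.0.0:0,0.0.0.0:0-0-0 -- 0.0.0.0:0 0,0 online=yes"),
]

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_sta(line):
    """Split one station line into its key=value fields (empty values are kept)."""
    return dict(FIELD.findall(line))

def roaming_state(sta):
    """Classify a station from its l3r flags. Assumption drawn from the captures:
    l3r=<home>,<visited>; the home controller shows 1,0 and keeps the client in
    its dynamic VLAN, a visited controller shows 0,1 with vlan_id=0 because the
    traffic is tunnelled back to the home controller."""
    home, visited = sta.get("l3r", "0,0").split(",")
    if visited == "1":
        return "roamed"
    return "home" if home == "1" else "unknown"

def roaming_events(samples):
    """Walk (controller, line) captures in time order and emit one event per
    change: association, an L3 roam that keeps the IP on another controller, or
    a rehome that assigns a new IP after client-idle-rehome-timeout expires."""
    last, events = {}, []
    for controller, line in samples:
        sta = parse_sta(line)
        mac, ip, state = sta["mac"], sta["ip"], roaming_state(sta)
        prev = last.get(mac)
        if prev is None:
            events.append((mac, "associated", controller, ip))
        elif state == "roamed" and ip == prev["ip"] and controller != prev["ctl"]:
            events.append((mac, "roamed", controller, ip))
        elif state == "home" and prev["state"] == "roamed" and ip != prev["ip"]:
            events.append((mac, "rehomed", controller, ip))
        last[mac] = {"ctl": controller, "ip": ip, "state": state}
    return events
```

Running roaming_events(SAMPLES) yields an associated event on AC1 with 10.43.100.2, a roamed event on AC2 with the same IP, and a rehomed event on AC2 with 10.81.100.2, matching the sequence the captures document.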