Multiple Anchor to multiple Foreign(Mobility Anchored SSID Roaming)

MBasal111 · ‎05-12-2025

Hello Team,

We have a design of Multiple anchors to multiple foreign,

Foreign and anchor WLCs are in different Mobility groups.

All foreign WLCs are in the same Mobility groups.

Anchors-WLC1 and Anchors-WLC2 are in the same Mobility groups.

Anchors-WLC3 and Anchors-WLC4 are in the same Mobility groups.

There is a mobility tunnel between Foreign -WLC1 and Foreign -WLC2.

Foreign -WLC1 builds mobility for both Anchor-WLC1 and Anchor-WLC2.

Foreign -WLC2 build mobility for both Anchor-WLC 3 and Anchor-WLC 4.

Foreign-WLC1 5508 8.0.152

Foreign-WLC2 5520 8.10.185

Anchor-WLC 1 5508 8.5.176

Anchor-WLC 2 5508 8.5.176

Anchor-WLC 3 9K 17.12.4

Anchor-WLC 4 9K 17.12.4

Same SSID created in all anchors with the same interface group, returned by ISE, security is EAP-TLS, DHCP required Disabled:

Foreign -WLC1 anchored to Anchor-WLC1 && Anchor-WLC2

Foreign -WLC2 anchored to Anchor-WLC3 && Anchor-WLC4

We need to know how the roaming is work while the client is roam between Foreign -WLC1 to Foreign -WLC2, while each foreign mapped to different anchor but the same interface group mapped. as we have an issue Entry not removed in Anchor-WLC1 && Anchor-WLC2 while the client roam between Foreign -WLC1 to Foreign -WLC2.

Rich R · ‎05-13-2025

Sorry you lost me in all your explanations!

What I can say though is that this is thoroughly documented so best to read through the guides carefully:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/ConfiguringIRCM/b-configuring-inter-release-controller-mobility-in-wireless-deployments-supporting-aireos-and-catalyst-9800-controllers/m-overview-of-ircm.html
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-8/b_c9800_wireless_controller-aireos_ircm_dg.html
That should answer most of your questions. And if you search you'll find plenty more examples and videos.

And pay close attention to the TAC recommended versions of code (link below) because some of your code versions are out of date!

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

Scott Fella · ‎05-14-2025

What will happen in your scenario is, since anchor sessions are not shared, it will be a new authentication because the anchor controllers are not sharing this information. What will work is multiple foreign controller tied to a single anchor controller.

-Scott
*** Please rate helpful posts ***