Wireless Clients Seamless Roaming Best Practices


This document explains Cambium Networks Access Points (APs) and external network recommended configuration to facilitate wireless clients’ seamless roaming across the APs. Additionally, network best practices recommended minimizing broadcast and multicast packets processing in the network.

External network recommendation

Cambium Access Points (APs) work in the distributed architecture mode. It is important to facilitate AP to AP communication for the wireless clients seamless roaming. Access Points uses Cambium propriety XRP protocol to exchange client’s information with the neighboring APs.

  • The intermediate network switches to which APs are connected shall not block XRP messages.

    XRP message packet information:

    • Source MAC: APs ethernet MAC
    • Destination MAC: Ethernet broadcast
    • Source IP Address: APs exit interface IP address.
    • Destination IP Address: Broadcast IP address
    • Protocol: UDP with the random Source Port and fixed Destination Port

    XRP message Wireshark snapshot:

  • APs send XRP messages on the ethernet port’s native VLAN.

  • All the APs need to be part of the same native VLAN.

  • It is important to ensure APs have the L3 interface for the native VLAN with the valid IP address.

Access Point WLAN profile configuration recommendation

If WLAN profile is configured with WPA2 and WPA3 security, it is recommended to enable.

  • 802.11r fast roaming and
  • OKC

Few clients make use of 802.11k and 802.11v protocols for fast roaming, we can enable the same.

Enable client isolation with the Network Wide option to prevent clients communicating with other clients on the same L2 network.

Note: From the AP firmware version onwards, AP drops the ARP packets when the client isolation feature is enabled. AP running with the firmware version lower than can make use of client-isolation dynamic drop-arp cli from the AP group User-Defined Overrides section.

AP group profile configuration recommendations

  • To avoid sticky client’s issue, enable Enhanced Roaming under AP group → RADIO configuration, set SNR threshold to 15 dBm

  • In large public Wi-Fi and campus deployment, it is very common to see large number of network discovery protocols like mDNS, LLMNR, SSDP and other service discovery packets coming from the wireless clients. It is recommended to disable these packets using “Access Control Policy.”

  • If IPv6 is not the requirement, it is recommended to disable IPv6 packets from the wireless clients using “Access Control Policy.”

  • It is recommended to use “Air Cleaner Rules.”

  • To prevent un-authorized rogue DHCP server from the wireless clients.

  • Unwanted DHCP client packets from wired network side.

  • Drop L2 broadcast packets.

  • Drop IPv4 and IPv6 multicast packets.

  • Drop ARP discovery packets from one SSID to another SSID interface.

  • It is recommended to disable mDNS packets in the default Air Cleaner rules

    Note: Allow the mDNS packet to enable bonjour discovery service to work

  • Sample AP group policy with the Air Cleaner Rules

    (cnMaestro screen shot for the Air-Cleaner rule with drop mDNS packets, add new rule to drop LLMNR, SSDP, DropBox, IPv6 and etc.)

User-defined rule for blocking IPV6 traffic & allowing rest traffic.

filter  global-filter
filter precedence 14
layer3-filter deny proto6 any  any any any any any //BLOCK IPv6 TRAFFIC
filter precedence 15
layer3-filter permit ip any/any any/any any  //ALLOW TRAFFIC
1 Like

does this recommendation also apply to old models E500, E510, E425, E430H?

hi alen,

applicable for wi-fi 6 aps running with the 6.x images.

Where are the air cleaner rules in cnmaestro?

Hi @Chris_Porosky and welcome to the community. The Air Cleaner rules are under Wi-Fi Profiles > Access Control Policies > AP Group Policy. Once created, add the AP Group Policy that you created to your AP Group under Access Control.

Can you clarify the “Native VLAN” requirement for Over-the-DS of Fast roaming. My AP’s are setup using a Tagged VLAN, the SSID’s are setup with thier own respective Tagged VLAN’s. To have have Over-the-DS to work, do I need to change my AP’s from thier Tagged VLAN to untagged?