SSID Spanning Multiple VLANs

  • Question
  • Updated 2 months ago
  • Answered

We are a small IT department, so I don't have anybody in the office to bounce ideas off of. On top of that, I'm just starting to get comfortable with wireless. I hope this is an appropriate place for this type of conversation.

There is some backstory but I'll try to keep out details that are not needed. I'm working on the first network redesign of our campus since it was first built 10 years ago with most everything (user devices, servers, printers, control systems, etc.) on one /16 network. There are two multiple-floor buildings with edge switches on each floor. They are divided up into 8 distribution areas. When we recently installed IP phones, our Extreme Partner and I designed separate voice VLANs for each of these areas. It has worked so well that they suggested doing the same with our end user data, and I have almost fully completed that project. I'd love to exterminate that VLAN from the vast majority, or even all, of our network.

I'm now looking at our authenticated WiFi and hoping to move that off of the same /16 VLAN that everything else was on. My initial thought was to drop authenticated users onto whatever data VLAN is applicable to the area where the AP is located, and I have been doing some testing. Everything works fairly well, but I'm concerned about some of our applications when roaming between APs that are on different VLANs. There are a handful of areas that come to mind where overaggressive roaming could be an issue if it occurred, because it would cross VLANs.

This VNS is bridged at the AP. We have others that are bridged at the controller, which is a pair of C25s. It has occurred to me that maybe the simplest solution would be to just bridge at the controller, but I wonder if that may cause congestion at the controller as we rely more on WiFi.

We have had Extreme Control on our wish list since I started here, but I don't see it getting approved in the budget any time soon. I feel like that product might give us some better options.

At this point I'm looking at five possibilities.

  1. Continue with the plan and accept that there might be a few applications that don't perform well roaming between APs.
  2. Continue with the plan and find a configuration option that I'm not aware of (perhaps something with Inter WLAN Roaming?).
  3. Create a new VLAN and drop all authenticated WiFi for the SSID on that. (bridge at AP or controller?)
  4. Some other option that I'm not thinking of.
  5. Leave it how it is.

Does anyone have any suggestions on the best way to proceed? I could go any number of directions, but I am trying to be intentional about the direction things are moving instead of reactive. I'd like to get it right and have less to change later if we finally do get something like Extreme Control.

Thanks in advance for any suggestions you might have.

Rick Lester

Posted 2 months ago

Claudio D'Ascenzo

Hi Rick,

First of all, I think it could be better to put all APs and controllers in the same VLAN across the campus, untagged on the switch port where each AP is connected. This permits having a management WiFi VLAN, and using a DHCP server to distribute IP addresses to the APs.
After that you can create a single VLAN for each SSID across the campus and configure a bridge-at-AP topology for this VLAN; in this way, when an end user roams, he maintains the same IP address across the campus. This resolves the application problems.
I hope this could help you.
Stephen McGuire

We use one VLAN for student wifi throughout the whole campus, currently a /22. So their IP never changes as they move. Same for faculty wifi and guest. So I'd be inclined to agree with Claudio.

I'd only add: be careful with sizing and be aware of route summary if that applies. Don't hurt yourself by making things too small or using networks that don't summarize well. Our networks roll up to /16s pretty well and make things easy when setting up ACLs and traffic shaping.

As a side note, I have to increase our student wifi from a /22 to a /20. We are a small school but I'm now planning for each student to have at least 2-3 wifi devices in the long run. So a /20 of 4094 devices works. We have both commuter and residential students and man, they have lots of toys.
Claudio D'Ascenzo

I agree with Stephen, it's very important to understand how many devices could potentially connect to the wifi network, to correctly define the subnet.

Regards Claudio
Claudio D'Ascenzo

Tag the SSID VLAN on the APs' switch ports.
Regards,
Claudio
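Claudio's two replies together describe one switch-port layout for AP uplinks: the AP/controller management VLAN untagged (native) on every AP port, and every SSID VLAN tagged on every AP port. An AP port that is missing a tagged SSID VLAN is exactly the kind of thing that shows up later as "works on most APs, breaks when you roam to this one". The following is an added example, not code from the thread or from Extreme: it parses a constructed, simplified port table and reports AP ports that deviate from that layout. The `port ... native ... tagged ... desc ...` line format, the VLAN numbers and the port names are all made up for the example (VLAN 141 is borrowed from Joshua's later reply as the management VLAN); replace the parser with one for your switch's real `show` output.

```python
"""Added example (not from the thread): audit AP uplink switch ports for the
layout 'management VLAN native, all SSID VLANs tagged'.  Port-table syntax,
port names and VLAN IDs are constructed for this example."""
import re
from dataclasses import dataclass, field


@dataclass
class PortConfig:
    name: str
    native: int
    tagged: set = field(default_factory=set)
    description: str = ""


# Constructed line format: port <name> native <vlan> tagged <v1,v2,...> desc <text>
_LINE = re.compile(
    r"^port\s+(\S+)\s+native\s+(\d+)\s+tagged\s+([\d,]*)\s*(?:desc\s+(.*))?$"
)


def parse_ports(text: str) -> list:
    """Parse the constructed port table; blank lines and '#' comments are skipped."""
    ports = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        name, native, tagged, desc = m.groups()
        tagged_set = {int(v) for v in tagged.split(",") if v}
        ports.append(PortConfig(name, int(native), tagged_set, (desc or "").strip()))
    return ports


def audit_ap_ports(ports, mgmt_vlan: int, ssid_vlans: set) -> dict:
    """Return {port name: [problems]} for ports whose description marks them as APs.

    Clean ports are omitted, so an empty dict means the layout is consistent.
    """
    findings = {}
    for p in ports:
        if not p.description.upper().startswith("AP"):
            continue                      # not an AP uplink, out of scope
        problems = []
        if p.native != mgmt_vlan:
            problems.append(f"native VLAN {p.native}, expected {mgmt_vlan}")
        if mgmt_vlan in p.tagged:
            problems.append(f"management VLAN {mgmt_vlan} is tagged as well as native")
        missing = sorted(ssid_vlans - p.tagged)
        if missing:
            problems.append(f"missing tagged VLAN(s) {missing}")
        if problems:
            findings[p.name] = problems
    return findings


# Constructed sample: VLAN 141 = AP/controller management, 110/120/130 = SSID VLANs.
SAMPLE_PORTS = """
# port table (constructed)
port 1/1  native 141 tagged 110,120,130 desc AP-B1-F1-01
port 1/2  native 141 tagged 110,120     desc AP-B1-F1-02
port 1/3  native 1   tagged 110,120,130 desc AP-B1-F2-01
port 1/4  native 10  tagged             desc Printer-B1-F1
"""
MGMT_VLAN = 141
SSID_VLANS = {110, 120, 130}


def audit_sample() -> dict:
    """Run the audit over the constructed sample table."""
    return audit_ap_ports(parse_ports(SAMPLE_PORTS), MGMT_VLAN, SSID_VLANS)


if __name__ == "__main__":
    for port, problems in audit_sample().items():
        for problem in problems:
            print(f"{port}: {problem}")
```

Run it and the two misconfigured AP ports are listed (1/2 lacks the 130 tag, 1/3 has the wrong native VLAN); the printer port is ignored because only ports described as APs are in scope.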
Ostrovsky, Yury, Employee

Hi Rick, there are multiple solutions for your requirements.
1. If you are using tunneled topologies (bridged back to the controller), we have a "VLAN pooling" feature where you can bring multiple VLANs into the same group. If you are using the default algorithm (MAC address hashing), then the client will never change its IP address across the campus.
2. If you want to have one large subnet, that is also OK; just make sure (in case you are using a bridged-at-Access-Point topology) that you enable the ARP proxy check box on the topology; in this case you will not see broadcasts/multicasts on the wireless. Just FYI, we have a large number of installations with very-high-density deployments, and we are using one subnet (/16) and a tunneled-to-controller topology.
3. If you are using any sort of authentication (e.g. RADIUS), you can send Filter-ID back to the controller, which will be used to place users in different VLANs. In this case you can separate your users based on the roles they have in the network. Filter-ID should be the same as the Role configured on the controller, so you can have multiple Roles bound to different VLANs.
4. If you have Extreme Access Control in place, then you can leverage the location the user/end-system is coming from (the same SSID, but location can matter).
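Points 1 and 3 above are both "who decides the client's VLAN" mechanisms, and both have a failure mode worth seeing in code. The following is an added example, not Extreme's code and not the controller's actual implementation: it models MAC-hash VLAN pooling (the client's MAC, not the AP it is on, selects the VLAN, so a roam never changes the VLAN or the IP) and RADIUS Filter-ID to Role to VLAN mapping (the Filter-ID string must match the role name exactly, or the client silently lands in the default role). The hash function (SHA-256 of the normalized MAC, reduced modulo the pool size), the pool VLAN IDs, the role table and the client MACs are all assumptions constructed for the example; the controller's real hashing algorithm is not documented here.

```python
"""Added example (not Extreme's code): models of MAC-hash VLAN pooling and
RADIUS Filter-ID role mapping.  Hash choice, VLAN IDs, role names and MACs
are all constructed for illustration."""
import hashlib
import re
from collections import Counter

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return 12 hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not _MAC_RE.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def pooled_vlan(mac: str, pool: list) -> int:
    """Pick one VLAN from the pool by hashing the client MAC (assumed algorithm).

    The AP or controller the client is on is deliberately not an input:
    that is what makes the choice stable across a roam.
    """
    if not pool:
        raise ValueError("VLAN pool is empty")
    digest = hashlib.sha256(normalize_mac(mac).encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def vlans_seen_on_roam(mac: str, aps: list, pool: list) -> set:
    """VLANs a client lands in while associating to each AP in turn (should be one)."""
    return {pooled_vlan(mac, pool) for _ap in aps}


def pool_distribution(macs, pool: list) -> Counter:
    """How evenly a set of clients spreads over the pool (hashing, not round-robin)."""
    return Counter(pooled_vlan(m, pool) for m in macs)


# Constructed role table: Role name on the controller -> VLAN it is bound to.
ROLE_TO_VLAN = {"Staff": 110, "Student": 120, "Guest": 130}
DEFAULT_ROLE = "Guest"


def vlan_from_filter_id(filter_id, roles=ROLE_TO_VLAN, default_role=DEFAULT_ROLE):
    """Return (role, vlan).  An unknown or missing Filter-ID falls back to the default role.

    Matching is exact and case-sensitive, as the reply above says the
    Filter-ID must equal the configured Role name.
    """
    if filter_id in roles:
        return filter_id, roles[filter_id]
    return default_role, roles[default_role]


def near_miss_filter_ids(filter_ids, roles=ROLE_TO_VLAN) -> dict:
    """Filter-IDs that only differ from a Role by case: the classic silent misconfiguration."""
    by_lower = {r.lower(): r for r in roles}
    return {f: by_lower[f.lower()] for f in filter_ids
            if f not in roles and f.lower() in by_lower}


if __name__ == "__main__":
    pool = [110, 111, 112, 113]                  # constructed VLAN pool
    client = "aa:bb:cc:dd:ee:01"                 # constructed client MAC
    print("client VLAN across a roam:", vlans_seen_on_roam(client, ["AP-1", "AP-2", "AP-3"], pool))
    clients = [f"aa:bb:cc:dd:{i // 256:02x}:{i % 256:02x}" for i in range(400)]
    print("spread over pool:", pool_distribution(clients, pool))
    print("Filter-ID 'Staff' ->", vlan_from_filter_id("Staff"))
    print("Filter-ID 'staff' ->", vlan_from_filter_id("staff"), "(fell back to default)")
    print("near misses:", near_miss_filter_ids(["staff", "Student", "GUEST", "Contractor"]))
```

The `near_miss_filter_ids` check is the one to run against your RADIUS policy output when users end up in the wrong VLAN: a Filter-ID that differs from the Role only by case produces no error anywhere, just a client in the default role.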
Rick Lester

Yury,

Can you point me to where I can find more information about VLAN Pooling? I've found a couple of articles that say it is an option, but nothing saying how to use it or where to configure it.


Thanks

Joshua Puusep

We have 339 APs bridged to a pair of 5210 controllers. Until recently we had one wireless VLAN (/19) across three campuses with a few thousand clients and never had any congestion issues on the controller.
Rick Lester

Thanks for the comments Claudio, Stephen, Joshua, and Yury. There is some good stuff to chew on. Your comments are very helpful.

I'll have to look into the VLAN Pooling option with a common wireless VLAN as Plan B. I'm bridging at controller for all of my other traffic anyway and my controller links are hitting less than 3%. I can set that up and do some testing.

All of our new location-specific subnets are /20s that easily summarize into a /16. We could easily get by with /22s today with room to at least double, but I'm with Stephen and planning for the eventuality that we are only going to add more devices.

I can easily put the general user Wi-Fi on one of the unused /20s that I have set aside for future use, if I go with one VLAN across the campus.

This project is making me think that I need to do some reading to understand how the controllers should be configured. I'm not sure the way they were originally set up was the optimal way, right down to the L2 ports, which might make life interesting moving forward.

Joshua Puusep

GTAC has always recommended that we disable the administrative L2 port on the controllers. So currently we just have one physical interface. Controller and APs live on 141 and the rest are WLAN segments. For reference:

Joshua Puusep

I can give you other samples for comparison if there is something specific you're looking at.
Rick Lester

Thanks. Good to know on the Admin port.

I tend to overbuild. We already have 2 controllers in HA, so maybe going with a LAG is overkill and the equivalent of building a concrete outhouse. I would think we should at least be able to move everything to one link, like you have there, whether it is one physical L2 link or a single LAG. What we have now seems rather random, like there was a plan that wasn't completed.

Stephen McGuire

I have a LAG on both C35s; I've split them across my S4 blades. GTAC helped me set that up and correct the VLANs, as the prior admin had left quite a mess. To the point where we were at a loss as to how it was working.

I don't see a reason not to at least have a two-port LAG per controller. The ports are there and available, and in a pinch it might bail you out.