Wireless plan segmentation design

  • Question
  • Updated 3 years ago
  • Answered
Hi!

I need to set up a wireless network with one SSID and around 3000 clients. The topology will be bridged@controller.
I found this example in an internet document that sums it all up nicely:

"Company A decides to follow its desktop subnet model and use a single subnet per floor for the WLAN. This setup introduces complications because now the roaming domains are restricted to a floor, not the entire building as before. With the new subnet model in place, application persistence when roaming across floors is lost. The application most impacted is Company A's wireless VoIP devices. As users move between the floors (and subnets) on their wireless phones, they drop their calls when they roam. Figure 5-8 illustrates this scenario. In this figure, an 802.11 VoIP phone is connected to a wired VoIP phone. As the user roams from AP1 on Subnet 10 to AP2 on Subnet 20, the session drops because the roaming user is now on a different subnet."

"The scenario described for Company A is common. Many applications require persistent connections and drop their sessions as a result of inter-VLAN roaming. To provide session persistence, you need a mechanism to allow a station to maintain the same Layer 3 address while roaming throughout a multi-VLAN network. Mobile IP provides such a mechanism, and it is the standards-based, vendor-interoperable solution to Layer 3 roaming for WLANs."

That's when they introduce the Mobile IP standard.

Since we are planning for 3000 clients I would never consider a single network to service them. I was planning to create several /24 IP networks, and assign them to the same SSID, distributed by AP groups (geographically close).

Is this the right approach?
Will the controller apply the described mechanism of mobility?

Thank you!

TM

Tiago Molinos


Posted 3 years ago


Ronald Dvorak, Embassador

Extreme Networks made your job easier with the introduction of the new V9.21 feature "Topology Pool/Groups".

You just set up a topology group which consists of some bridge@appliance topologies.

You'd select from different modes how the clients should be distributed to these different topologies, like MAC, round robin, random, least used.

So just configure one WLAN Service/SSID and one topology group and you are done.
The clients keep the IP if they roam between the APs.

-Ron

Ronald Dvorak, Embassador

What kind of security will you use on the WLAN?
NAC could also help you to distribute the clients to different roles/VLANs with different access levels (ACLs).

Tiago Molinos

Hi Ronald! That's great news!

I will definitely use the new feature. Anyway, I will have NAC installed also.
Prior to v9.21, would it work? How would you do it without the new feature?
Can you please consider a scenario without the NAC?

Thanks a lot!

TM

Ronald Dvorak, Embassador

So let's go through the scenario... prior to 9.21 & no NAC.

You'd use the "Inter-WLAN Service Roaming" feature.
Let's assume you've a 10 floor building - you divide up the clients per floor = one VLAN/subnet per floor.
Configure 10x SSIDs with the same name, configure 10x VNS, role, topology....
Tx WLAN#1 on floor#1, WLAN#2 on floor#2 and so on.

Clients on floor#1 will get the VLAN#1/topology#1/IP#1 and keep that even if they roam to another floor.

The difference to the new function is that you can't distribute clients that equally - they will use the VLAN/subnet which they first connect to.
So in the case of mobiles that would mean that, as everyone is entering the building via the main entrance, all mobiles will connect to this AP first and end up in this VLAN/subnet (if auto-connect is enabled on the phones).


With a NAC:
I'd set up different roles and let the NAC put them in different VLANs/subnets.
So, e.g., put the mobiles in a VLAN with only INet access as they don't need to access internal resources = higher security.
Put Admins in a mgmt VLAN to access ALL internal infrastructure.

You can do a lot with NAC - in my own network I only have one SSID and my NAC takes care of which user/role gets which access level and what the client can do in the network.

-Ron
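The two designs Ron describes (a v9.21 topology group that spreads clients over several bridged topologies by MAC, round robin, random or least used, versus the pre-9.21 "Inter-WLAN Service Roaming" model where a client keeps the subnet of the first AP it joined) can be compared with a small simulation. This is an added example, not code from this thread or from Extreme Networks; the subnet names, the constructed MAC addresses, the SHA-256 hash used for the MAC mode and the exact balancing rules are assumptions of the model, not the controller's implementation.

```python
"""Simulate 3000 clients on one SSID landing in per-floor /24 subnets.

Added example, not code from the thread or from Extreme Networks. The
distribution mode names follow the thread; how the real controller hashes
or balances clients is an assumption of this model.
"""
import hashlib
import random
from collections import Counter

USABLE_HOSTS_PER_24 = 253  # 256 addresses minus network, broadcast and gateway


def subnets_needed(clients, usable=USABLE_HOSTS_PER_24):
    """Minimum number of /24 topologies that can address `clients` stations."""
    return -(-clients // usable)  # ceiling division


def constructed_macs(count):
    """Constructed, unique, locally administered MAC addresses (not real devices)."""
    return ["02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xFF, (i >> 8) & 0xFF, i & 0xFF)
            for i in range(count)]


class TopologyGroup:
    """One SSID backed by several bridged topologies (subnets).

    The mode picks a subnet when a MAC is first seen; the choice is remembered
    so a roaming client keeps its subnet and therefore its IP address.
    """

    MODES = ("mac", "round_robin", "random", "least_used")

    def __init__(self, subnets, mode, seed=0):
        if mode not in self.MODES:
            raise ValueError("unknown mode %r" % mode)
        self.subnets = list(subnets)
        self.mode = mode
        self.rng = random.Random(seed)          # seeded so runs are repeatable
        self.load = Counter({s: 0 for s in self.subnets})
        self.assigned = {}                      # mac -> subnet
        self._next = 0                          # round-robin cursor

    def assign(self, mac):
        """Return the subnet for `mac`, choosing one on first association."""
        if mac in self.assigned:                # roaming client: same topology, same IP
            return self.assigned[mac]
        n = len(self.subnets)
        if self.mode == "mac":
            # stateless: the same MAC always hashes to the same subnet (assumed SHA-256)
            digest = hashlib.sha256(mac.encode()).digest()
            idx = int.from_bytes(digest[:4], "big") % n
        elif self.mode == "round_robin":
            idx = self._next % n
            self._next += 1
        elif self.mode == "random":
            idx = self.rng.randrange(n)
        else:  # least_used: lowest current load, lowest index on ties
            idx = min(range(n), key=lambda i: (self.load[self.subnets[i]], i))
        subnet = self.subnets[idx]
        self.assigned[mac] = subnet
        self.load[subnet] += 1
        return subnet


def first_ap_distribution(macs, subnets, first_ap_subnet):
    """Pre-9.21 model from the thread: each client keeps the subnet of the AP it
    associated with first. `first_ap_subnet` maps a MAC to that AP's subnet."""
    load = Counter({s: 0 for s in subnets})
    load.update(first_ap_subnet(mac) for mac in macs)
    return load


def over_capacity(load, usable=USABLE_HOSTS_PER_24):
    """Subnets holding more clients than a /24 can address."""
    return sorted(s for s, n in load.items() if n > usable)


def demo(clients=3000):
    """Run every mode for `clients` stations; return per-subnet loads by mode."""
    subnets = ["floor%d-vlan%d" % (i, i) for i in range(1, subnets_needed(clients) + 1)]
    macs = constructed_macs(clients)
    results = {}
    for mode in TopologyGroup.MODES:
        group = TopologyGroup(subnets, mode)
        for mac in macs:
            group.assign(mac)
        results[mode] = dict(group.load)
    # Pre-9.21: everyone walks in through the lobby and auto-connects to the floor-1 AP.
    results["first_ap_lobby"] = dict(first_ap_distribution(macs, subnets, lambda mac: subnets[0]))
    return results


if __name__ == "__main__":
    for mode, load in demo().items():
        print("%-14s max=%4d min=%4d over capacity: %s"
              % (mode, max(load.values()), min(load.values()), over_capacity(load) or "none"))
```

Two things the run makes visible: round robin and least used fill the twelve /24s exactly evenly, while the MAC-hash and random modes scatter around the average, so any subnet sized with no headroom can overflow; and the first-AP model puts every client that auto-connected in the lobby into one subnet, which exhausts that /24 long before the other floors see a client.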

Tiago Molinos

Hey nice answer! Thank you very much.

You said that:

"Clients on floor#1 will get the VLAN#1/topology#1/IP#1 and keep that even if they roam to another floor."

Do you know this from experience? I'd like to read a bit about how this process works. Can you point out a good document?

NAC is going to be the challenge in this deployment. Any pitfall you remember so I don't go that way?

Best regards!

Tiago Molinos

I found the documentation using your answer! Thanks again!